SureLog SIEM User Behavior Monitoring Rules — List
Monitoring user behaviors with SureLog SIEM is easy and manageable.
Examples of such rules:
- Monitor multiple VPN accounts logged in from a single IP.
- Monitor whether a VPN account logged in to a machine and a request was then made from that machine to a database holding PI data.
- Monitor logins by terminated employee accounts.
- Alert when a user is still logged on but someone else logs on with a different IP using the same username on any machine.
As a development sample:
We want to get alert “when a user is still logged on but someone else logs on with a different IP using the same username to any machine”
We will implement this rule with SureLog SIEM. The order of the rules (steps) is important and is managed by the “Rule Priority” parameter in SureLog.
Step 1: Create a rule to alert when a user is still logged on but someone else logs on with a different IP using the same username.
SureLog provides special list-management operators for this, such as “Key in List With Different Data”.
Step 2: Add USER:DSTIP:SRCIP (key1, key2, value) to the list if the USER:DSTIP:SRCIP entry is not already in the list.
Step 3: Remove the user from the list when the user logs off.
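The three steps above describe a small stateful correlation: a list keyed by USER:DSTIP whose value is SRCIP, checked with "key in list with different data" before the add rule runs, and cleared on logoff. The following is an added example, not SureLog's own code or rule syntax: it reproduces that logic in plain Python over a few constructed log lines so the effect of the rule priority (check before add) can be seen. The log line format, the field names (`user=`, `src=`, `dst=`) and the `ConcurrentLoginDetector` class are assumptions made for the example only.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed log line format for this example (not a SureLog format):
#   "<LOGIN|LOGOFF> user=<name> src=<ip> dst=<ip>"
LINE_RE = re.compile(
    r"^(?P<kind>LOGIN|LOGOFF)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)$"
)


@dataclass
class Event:
    kind: str   # "LOGIN" or "LOGOFF"
    user: str
    srcip: str
    dstip: str


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event; raise on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return Event(m["kind"], m["user"], m["src"], m["dst"])


@dataclass
class ConcurrentLoginDetector:
    """Mirrors the three-step list rule: key = (USER, DSTIP), value = SRCIP."""
    sessions: Dict[Tuple[str, str], str] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def process(self, ev: Event) -> Optional[str]:
        key = (ev.user, ev.dstip)
        if ev.kind == "LOGIN":
            # Rule priority 1 (Step 1): "Key in List With Different Data".
            # The same user is still logged on to this host from another IP.
            current = self.sessions.get(key)
            if current is not None and current != ev.srcip:
                alert = (f"concurrent login: user={ev.user} dst={ev.dstip} "
                         f"existing_src={current} new_src={ev.srcip}")
                self.alerts.append(alert)
                return alert
            # Rule priority 2 (Step 2): add USER:DSTIP:SRCIP only if absent.
            if current is None:
                self.sessions[key] = ev.srcip
            return None
        if ev.kind == "LOGOFF":
            # Step 3: remove the user's entry for this host on logoff.
            self.sessions.pop(key, None)
            return None
        raise ValueError(f"unknown event kind: {ev.kind}")


def run(lines: List[str]) -> ConcurrentLoginDetector:
    """Feed log lines through the detector in order and return its final state."""
    det = ConcurrentLoginDetector()
    for line in lines:
        det.process(parse_line(line))
    return det


# Constructed sample input: alice logs in twice from the same IP (no alert),
# then a second login to the same host arrives from a different IP (alert),
# she logs off, and a later login from the new IP is clean again.
SAMPLE_LINES = [
    "LOGIN  user=alice src=10.0.0.5     dst=10.10.1.20",
    "LOGIN  user=alice src=10.0.0.5     dst=10.10.1.20",
    "LOGIN  user=alice src=192.168.1.9  dst=10.10.1.20",
    "LOGOFF user=alice src=10.0.0.5     dst=10.10.1.20",
    "LOGIN  user=alice src=192.168.1.9  dst=10.10.1.20",
    "LOGIN  user=bob   src=10.0.0.7     dst=10.10.1.21",
]

if __name__ == "__main__":
    result = run(SAMPLE_LINES)
    for a in result.alerts:
        print("ALERT:", a)
    print("open sessions:", result.sessions)
```

The order of the two checks inside `process` is what the "Rule Priority" parameter controls in SureLog: if the add rule ran first, the new SRCIP would never be compared against the stored one and the alert would never fire.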