Preset security policies - SearchInform

PRESET SECURITY POLICIES

SearchInform SIEM does not require intensive preliminary configuration. The solution ships with predefined universal security policies. These preset policies are based on a selection of common tasks that SearchInform clients have to tackle.

The operating principle of the system is to take practical tasks and solve them with SIEM. We gathered the opinions, practices, and needs of SearchInform clients and generated the policies from them. The system will continue to be developed in the same way: when new data sources are added, clients will receive a set of rules for them.

EXAMPLES OF PRESET POLICIES OF SEARCHINFORM SIEM FOR*:

  • Active Directory domain controller

    Temporary renaming of a user account
    Password-guessing
    Multiple accounts on a single computer
    Password set by domain administrator
    Obsolete passwords
    Logon statistics
    One account on multiple computers
    Temporary enablement of account
    Temporary addition of account to group
    Obsolete AD account becoming active
    Temporary assignment of AD permissions
    Creation of temporary user accounts
    Operations on accounts
    Change of membership in critical user groups
    Use of service accounts
    User-initiated event log clearing
    Audit policy change

  • File operations

    Temporary granting of file/folder permissions
    Access to critical resources
    Large number of users working with a file
    Operations on specific file types
    Statistics of changes of access rights to files/folders

  • MS SQL

    Temporary creation of MS SQL accounts
    Temporary enablement of MS SQL accounts
    Statistics of changes of access rights to MS SQL
    Temporary inclusion of users in DB security role
    SQL account password set by DB administrator
    Temporary renaming of MS SQL account

  • Kaspersky Antivirus

    Software execution blocked by antivirus self-protection
    Antivirus self-protection disabled
    Antivirus protection components disabled
    Failure to perform an administrative management task
    Change of membership in the administrator group
    Blocked and infected programs
    Virus outbreak detected

  • Exchange

    Change of administrator audit parameters
    Change of management roles
    Granting of mail access
    Change of mailbox owner
    Change of management role groups
    Access to a mailbox by another user

  • User activity

    Activity outside working hours
    Activity of a long-absent user

  • Syslog

    Custom Syslog rules
    Kernel events
    User-level events
    Mail system events
    System daemon events
    Security and authorization events
    Internal Syslog events
    Line printer subsystem events
    Network news subsystem events
    UUCP subsystem events
    Clock daemon events
    FTP daemon events
    NTP subsystem events
    Log audit events
    Log alert events
    Scheduling daemon events
    SearchInform DLP events

*Relevant for SIEM 1.5.0.6, released on 30.03.2017.
