SearchInform security information and event management:
Real-time threat detection
PRESET SECURITY POLICIES
SearchInform SIEM does not require intensive preliminary configuration. The solution ships with predefined universal security policies, which are based on a selection of common tasks that SearchInform clients have to tackle.
The principle of the system's operation is to take practical tasks and solve them with SIEM. We gathered the opinions, practices and needs of SearchInform clients and generated the policies from them. The system will continue to be developed in the same way: when a new data source is added, the client will receive a set of rules for it.
EXAMPLES OF PRESET POLICIES OF SEARCHINFORM SIEM FOR*:

Active Directory domain controller
• Temporary renaming of a user account
• Password-guessing
• Multiple accounts on a single computer
• Password set by domain administrator
• Obsolete passwords
• Logon statistics
• One account on multiple computers
• Temporary enablement of account
• Temporary addition of account to group
• Obsolete AD account becoming active
• Temporary assignment of AD permissions
• Creation of temporary user accounts
• Operations on accounts
• Change of membership in critical user groups
• Use of service accounts
• User-initiated event log clearing
• Audit policy change

File operations
• Temporary granting of file/folder permissions
• Access to critical resources
• Large number of users working with a file
• Operations on specific file types
• Statistics of changes of access rights to files/folders

MS SQL
• Temporary creation of MS SQL accounts
• Temporary enablement of MS SQL accounts
• Statistics of changes of access rights to MS SQL
• Temporary inclusion of users in a DB security role
• SQL account password set by DB administrator
• Temporary renaming of MS SQL account

Kaspersky Antivirus
• Software execution blocked by antivirus self-protection
• Antivirus self-protection disabled
• Antivirus protection components disabled
• Failure to perform an administrative management task
• Change of membership in the administrator group
• Blocked and infected programs
• Virus outbreak detected

Exchange
• Change of administrator audit parameters
• Change of management roles
• Granting mail access
• Mailbox owner changed
• Management role groups changed
• Access to mailbox by another user

User activity
• Activity out of working hours
• Long-absent user activity

Syslog
• Custom Syslog rules
• Kernel events
• User-level events
• Mail system events
• System daemon events
• Security and authorization events
• Internal Syslog events
• Line printer subsystem events
• Network news subsystem events
• UUCP subsystem events
• Clock daemon events
• FTP daemon events
• NTP subsystem events
• Log audit events
• Log alert events
• Scheduling daemon events
• SearchInform DLP events
*relevant for SIEM 1.5.0.6 released on 30.03.2017