Security Information and Event Management (SIEM) helps organizations collect, correlate, and analyze log data from the wide range of systems connected to their IT infrastructure. Based on the results, a SIEM solution helps an organization detect threats and suspicious activity on that infrastructure. If you are already using a SIEM platform such as Logsign, you will know the importance of SIEM reports.
In this article, we will look at the five most important SIEM reports, shortlisted by our experts based on their interaction with our clients and prospective customers. While compiling the list of essential reports, our experts focused on the reports that have the highest likelihood of surfacing suspicious activity with the fewest false positives. Before we discuss each report type, please navigate to the Reports section on the Logsign platform.
1. User Authentication
By referring to user authentication reports, your organization can detect whether there have been attempts to gain access to its IT infrastructure through any existing account(s). Failed login attempts are a clear indication that a malicious user is attempting to gain access to a system. If a large number of login requests are denied in a short period, this indicates a brute-force attack.
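The two ideas in the paragraph above, a top-N list of sources with denied logins (what the Source of IP Login Deny report summarizes) and the "many denials in a short period" rule that separates a brute-force burst from ordinary failed logins, can be reproduced with a few lines of log analysis. The following is an added example and not Logsign code; it assumes sshd-style Linux auth log lines, which are constructed here for the demonstration, and the threshold and window values are arbitrary assumptions to be tuned per environment.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample lines in the style of a Linux auth log (sshd via syslog); not real data.
# 203.0.113.5 fails six times in eight seconds (burst); 192.0.2.9 fails six times over
# three hours (slow); 198.51.100.7 fails once and then succeeds (normal user typo).
SAMPLE_AUTH_LOG = """\
Mar 10 08:00:01 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51112 ssh2
Mar 10 08:00:03 host1 sshd[2102]: Failed password for root from 203.0.113.5 port 51120 ssh2
Mar 10 08:00:04 host1 sshd[2103]: Failed password for root from 203.0.113.5 port 51131 ssh2
Mar 10 08:00:06 host1 sshd[2104]: Failed password for invalid user test from 203.0.113.5 port 51140 ssh2
Mar 10 08:00:07 host1 sshd[2105]: Failed password for root from 203.0.113.5 port 51150 ssh2
Mar 10 08:00:09 host1 sshd[2106]: Failed password for root from 203.0.113.5 port 51162 ssh2
Mar 10 08:05:00 host1 sshd[2107]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 10 08:05:30 host1 sshd[2108]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
Mar 10 09:10:00 host1 sshd[2109]: Failed password for bob from 192.0.2.9 port 33000 ssh2
Mar 10 09:40:00 host1 sshd[2110]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Mar 10 10:10:00 host1 sshd[2111]: Failed password for bob from 192.0.2.9 port 33002 ssh2
Mar 10 10:40:00 host1 sshd[2112]: Failed password for bob from 192.0.2.9 port 33003 ssh2
Mar 10 11:10:00 host1 sshd[2113]: Failed password for bob from 192.0.2.9 port 33004 ssh2
Mar 10 11:40:00 host1 sshd[2114]: Failed password for bob from 192.0.2.9 port 33005 ssh2
"""

# Syslog has no year, so the caller supplies one when parsing.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_log(text, year=2024):
    """Turn sshd syslog lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def top_denied_sources(events, n=50):
    """Volume view: the n source IPs with the most failed logins, like a 'Top 50' report."""
    counts = Counter(e["ip"] for e in events if e["result"] == "Failed")
    return counts.most_common(n)


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Rate view: flag a source once it has >= threshold failures inside a sliding window.

    Returns {ip: {"first": ts, "last": ts, "count": n}} for flagged sources only.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    alerts = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "Failed":
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            rec = alerts.setdefault(e["ip"], {"first": q[0], "last": e["ts"], "count": 0})
            rec["last"] = e["ts"]
            rec["count"] = max(rec["count"], len(q))
    return alerts


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    print("top denied sources:", top_denied_sources(evs, n=3))
    for ip, rec in detect_bruteforce(evs).items():
        print(f"brute force: {ip} {rec['count']} failures between {rec['first']} and {rec['last']}")
```

The volume view ranks 203.0.113.5 and 192.0.2.9 equally (six failures each); only the sliding window separates the eight-second burst from the slow source, which is why the report's "short period" qualifier matters when deciding what to escalate. Widening the window to a few hours would flag the slow source as well, at the cost of more false positives from legitimate users who mistype a password now and then.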
This report will be useful for system and network administrators who are responsible for maintaining access to resources. To generate User Authentication reports, the following dropdowns are relevant:
- Vendor-specific Identity Events (Fortigate/Checkpoint)
- Linux Auth Events
- Microsoft Account Management Events
Under the dropdowns for vendor-specific identity events, you will see a report option called Source of IP Login Deny – Top 50. This report lists the top 50 IP addresses from which login attempts have been denied.
On the reports page, you can use the search filter, perform time and group analyses, and configure the duration for which results are shown. You can export this report in PDF, Excel, and HTML file formats. For more information, you can also check the All Identity Events report in the vendor identity events dropdown.
Under the Linux Auth Events dropdown, you can check All Identity Events or All User Activities. You can export this report in Excel or HTML as required.
From the Windows Account Management Events dropdown, All Create/Delete User Events and All Password Change Events are recommended. The former report gives you information about all the user accounts that have been created or deleted, while the latter contains information about password change events and attempts to change a password.
2. File Access Attempts
A log entry for failed file access indicates that an attacker is trying to gain access to a file to which they do not have access, or which does not exist. Such attempts can be an early indicator of an attacker running scans or probes on your IT infrastructure. To access the relevant report, go to the Windows File Share Events dropdown and open the All Shared File Messages report. Alternatively, you can check the Unauthorized File Change Attempts or Permission Change Activities report from the Windows File Activity Events dropdown.
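What distinguishes a probe from an ordinary "access denied" is breadth: one account touching many different files or shares it cannot read, in a short time. The following added example (not Logsign code) shows that check over a constructed CSV of file-share access events; the column layout, the share and path values, and the window and distinct-path thresholds are all assumptions made for the demonstration.

```python
import csv
import io
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample in a CSV layout loosely modelled on exported file-share audit events; not real data.
# bob is denied on six different paths across three shares in eight seconds (probe-like);
# alice is denied once and then granted (a normal permissions hiccup);
# carol is denied five times on the same single path (repeated, but not a sweep).
SAMPLE_FILE_EVENTS = r"""ts,account,client_ip,share,path,outcome
2024-03-10T09:00:01,bob,10.0.0.5,\\fs01\finance,Q1\budget.xlsx,denied
2024-03-10T09:00:02,bob,10.0.0.5,\\fs01\finance,Q1\forecast.xlsx,denied
2024-03-10T09:00:04,bob,10.0.0.5,\\fs01\finance,payroll\2024.csv,denied
2024-03-10T09:00:05,bob,10.0.0.5,\\fs01\hr,reviews\2023.docx,denied
2024-03-10T09:00:07,bob,10.0.0.5,\\fs01\hr,offers\template.docx,denied
2024-03-10T09:00:09,bob,10.0.0.5,\\fs01\it,backups\config.zip,denied
2024-03-10T09:30:00,alice,10.0.0.8,\\fs01\finance,Q1\budget.xlsx,denied
2024-03-10T09:31:00,alice,10.0.0.8,\\fs01\finance,Q1\budget.xlsx,granted
2024-03-10T11:00:00,carol,10.0.0.9,\\fs01\it,backups\config.zip,denied
2024-03-10T11:00:05,carol,10.0.0.9,\\fs01\it,backups\config.zip,denied
2024-03-10T11:00:10,carol,10.0.0.9,\\fs01\it,backups\config.zip,denied
2024-03-10T11:00:15,carol,10.0.0.9,\\fs01\it,backups\config.zip,denied
2024-03-10T11:00:20,carol,10.0.0.9,\\fs01\it,backups\config.zip,denied
"""


def load_file_events(text):
    """Parse the CSV into dicts with a real datetime, sorted by time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["ts"])
        rows.append(row)
    return sorted(rows, key=lambda r: r["ts"])


def denied_by_share(events):
    """Summary view: how many denied accesses each share received (report-style count)."""
    return Counter(e["share"] for e in events if e["outcome"] == "denied")


def denied_fanout(events, window_seconds=300, min_distinct=5):
    """Breadth view: flag (account, client_ip) pairs denied on >= min_distinct distinct
    files inside a sliding window. Repeated denials on one file do not count as fan-out."""
    recent = defaultdict(deque)   # (account, ip) -> deque of (ts, (share, path)) in window
    alerts = {}
    for e in events:
        if e["outcome"] != "denied":
            continue
        key = (e["account"], e["client_ip"])
        q = recent[key]
        q.append((e["ts"], (e["share"], e["path"])))
        while q and (e["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= min_distinct:
            rec = alerts.setdefault(key, {"first": q[0][0], "last": e["ts"], "distinct_paths": 0})
            rec["last"] = e["ts"]
            rec["distinct_paths"] = max(rec["distinct_paths"], distinct)
    return alerts


if __name__ == "__main__":
    evs = load_file_events(SAMPLE_FILE_EVENTS)
    print("denied per share:", dict(denied_by_share(evs)))
    for (account, ip), rec in denied_fanout(evs).items():
        print(f"fan-out: {account}@{ip} denied on {rec['distinct_paths']} paths "
              f"between {rec['first']} and {rec['last']}")
```

Note that the per-share count ranks \\fs01\it highest because of carol's five identical retries, while the fan-out rule flags only bob; the two views answer different questions and are worth reading side by side rather than relying on raw denial counts alone.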
3. Changes to Users, Groups, and Services
If you observe that changes to users, groups, and services have been made without authorization, it means that the system has been compromised. It is common for an attacker to create a user account with high-level permissions after successfully compromising a system. To find this information, open the Windows Account Management Events dropdown and look for the following reports: Create Group/Add Group Members Events, Create Group/Add Group Members Analysis, Created Users, and Changed Users and Groups Names.
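The pattern described above, a new account that is immediately placed in a high-privilege group, is a correlation between two account-management events rather than a single event, and the same records also answer the "created", "renamed" and "deleted" questions the listed reports cover. The following added example (not Logsign code) works over constructed JSON-lines records that use the standard Windows Security event IDs 4720 (user created), 4726 (user deleted), 4728 and 4732 (member added to a global or local security group) and 4781 (account renamed); the record layout, the actor and account names, the privileged-group list and the time window are assumptions for the demonstration.

```python
import json
from datetime import datetime

# Group names treated as high privilege for the demonstration (assumption; extend per environment).
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# Constructed sample records (one JSON object per line); not real audit data.
# jdoe creates svc-backup, adds it to Administrators 40 seconds later, renames it, and deletes it
# the same day. hr-admin creates a normal user and adds it to a non-privileged group.
SAMPLE_EVENTS = """\
{"ts": "2024-03-10T08:00:00", "event_id": 4720, "actor": "jdoe", "target": "svc-backup", "group": null}
{"ts": "2024-03-10T08:00:40", "event_id": 4732, "actor": "jdoe", "target": "svc-backup", "group": "Administrators"}
{"ts": "2024-03-10T09:15:00", "event_id": 4720, "actor": "hr-admin", "target": "newhire01", "group": null}
{"ts": "2024-03-10T09:16:00", "event_id": 4732, "actor": "hr-admin", "target": "newhire01", "group": "Remote Desktop Users"}
{"ts": "2024-03-10T10:00:00", "event_id": 4781, "actor": "jdoe", "target": "svc-backup", "group": null}
{"ts": "2024-03-10T13:00:00", "event_id": 4728, "actor": "it-ops", "target": "alice", "group": "Domain Admins"}
{"ts": "2024-03-10T17:30:00", "event_id": 4726, "actor": "jdoe", "target": "svc-backup", "group": null}
"""

USER_CREATED, USER_DELETED, ACCOUNT_RENAMED = 4720, 4726, 4781
GROUP_MEMBER_ADDED = (4728, 4732)


def load_events(text):
    """Parse JSON-lines records into dicts with datetime timestamps, sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def privileged_group_additions(events, privileged=PRIVILEGED_GROUPS):
    """Every addition to a privileged group: (actor, account, group). This is the
    'Add Group Members' view narrowed to the groups that matter most."""
    return [(e["actor"], e["target"], e["group"]) for e in events
            if e["event_id"] in GROUP_MEMBER_ADDED and e["group"] in privileged]


def created_then_privileged(events, window_seconds=600, privileged=PRIVILEGED_GROUPS):
    """Correlate 4720 with a later privileged-group addition for the same account."""
    created = {}   # account -> its 4720 event
    hits = []
    for e in events:
        if e["event_id"] == USER_CREATED:
            created[e["target"]] = e
        elif e["event_id"] in GROUP_MEMBER_ADDED and e["group"] in privileged:
            c = created.get(e["target"])
            if c is not None:
                gap = (e["ts"] - c["ts"]).total_seconds()
                if gap <= window_seconds:
                    hits.append({"account": e["target"], "created_by": c["actor"],
                                 "added_by": e["actor"], "group": e["group"],
                                 "seconds_between": int(gap)})
    return hits


def short_lived_accounts(events, max_age_seconds=86400):
    """Accounts created and deleted within max_age_seconds: (account, lifetime in seconds)."""
    created, out = {}, []
    for e in events:
        if e["event_id"] == USER_CREATED:
            created[e["target"]] = e["ts"]
        elif e["event_id"] == USER_DELETED and e["target"] in created:
            age = int((e["ts"] - created.pop(e["target"])).total_seconds())
            if age <= max_age_seconds:
                out.append((e["target"], age))
    return out


def account_timeline(events, account):
    """Ordered event IDs touching one account, for the create/rename/delete history."""
    return [e["event_id"] for e in events if e["target"] == account]


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVENTS)
    print("privileged additions:", privileged_group_additions(evs))
    print("created then privileged:", created_then_privileged(evs))
    print("short-lived accounts:", short_lived_accounts(evs))
    print("svc-backup timeline:", account_timeline(evs, "svc-backup"))
```

Two of the three checks fire only on svc-backup: the privileged-group addition within 40 seconds of creation, and the create-to-delete lifetime of 9.5 hours. The it-ops addition of alice to Domain Admins appears in the plain privileged-additions list but not in the correlation, because no matching 4720 precedes it, which is the kind of entry an administrator would confirm against a change ticket rather than treat as an alert on its own.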
4. Threat/Security Events
This report gives you insights into events that Logsign SIEM has identified as a threat to the IT infrastructure. There can be false positives in this report, as benign activity may have been classified as malicious. This report can be accessed by selecting the All Threat Events report from the PaloAlto Firewall Threat Events dropdown.
5. Attack Events
The Logsign SIEM platform groups possible attack events under this dropdown for report generation. Go to the FortiGate Attack Events dropdown and select the All Attack Events option.
Did you face any issues while generating these reports for your organization? Get help from our support team today!