Security Information and Event Management (SIEM) helps organizations in collecting, correlating, and analyzing log data from a wide range of systems connected to their IT infrastructure. Based on the results, a SIEM solution assists an organization in detecting threats and suspicious activity on their IT infrastructure. If you are already using a SIEM platform such as Logsign, you would know the importance of SIEM reports.
In this article, we look at the five most important SIEM reports, shortlisted by our experts based on their interactions with our clients and prospective customers. While compiling the list, our experts focused on the reports that surface suspicious activity with the highest likelihood and the fewest false positives. Before we discuss each report type, navigate to the Reports section on the Logsign platform.
Figure 1: Reports Section on the Logsign SIEM platform
By referring to user authentication reports, your organization can detect attempts to gain access to its IT infrastructure through existing account(s). Failed login attempts are a clear indication that a malicious user is attempting to get access to a system. If a large number of login requests are denied in a short period, this indicates a brute-force attack.
This report will be useful for system and network administrators who are responsible for maintaining access to resources. To generate User Authentication reports, the following dropdowns are relevant:
Under the dropdowns for vendor-specific identity events, you will see a report option called Source of IP Login Deny – Top 50. This report lists the top 50 IP addresses from which login attempts have been denied.
Figure 2: Source of IP Login Deny - Top 50 (FortiGate)
On the reports page, you can use the search filter, perform time and group analyses, and configure the duration for which results are shown. You can export this report in PDF, Excel, and HTML formats. For more information, you can also check the All Identity Events report in the vendor identity events dropdown.
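The logic behind a "Source of IP Login Deny – Top 50" report, and the brute-force rule described above (many denials from one source in a short period), can be reproduced over raw authentication logs. The following is an added example written for this article, not Logsign code; it parses constructed sshd-style log lines (an assumed format), counts denied logins per source IP, and flags sources that exceed a threshold of failures within a sliding time window.

```python
"""Top-N denied-login sources and short-window brute-force flagging.

Added example, not Logsign code. The log lines below are constructed in the
style of Linux sshd auth log entries; the exact format is an assumption.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
2024-03-01T10:00:03 sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
2024-03-01T10:00:05 sshd[1003]: Failed password for root from 203.0.113.5 port 40003 ssh2
2024-03-01T10:00:07 sshd[1004]: Failed password for root from 203.0.113.5 port 40004 ssh2
2024-03-01T10:00:09 sshd[1005]: Failed password for root from 203.0.113.5 port 40005 ssh2
2024-03-01T10:00:20 sshd[1006]: Accepted password for alice from 198.51.100.7 port 50001 ssh2
2024-03-01T10:05:00 sshd[1007]: Failed password for bob from 198.51.100.7 port 50002 ssh2
2024-03-01T11:30:00 sshd[1008]: Failed password for bob from 198.51.100.7 port 50003 ssh2
2024-03-01T12:00:00 sshd[1009]: Failed password for carol from 192.0.2.9 port 60001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(text):
    """Yield (timestamp, result, user, ip) for every line the pattern matches."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])


def top_denied_sources(text, n=50):
    """Equivalent of a 'Source of IP Login Deny - Top N' report: denied logins
    per source IP, most frequent first."""
    counts = Counter(ip for _, result, _, ip in parse_events(text) if result == "Failed")
    return counts.most_common(n)


def brute_force_sources(text, threshold=5, window_seconds=60):
    """Flag IPs with at least `threshold` failures inside any sliding window of
    `window_seconds`. A sliding window (rather than fixed hourly buckets) still
    catches a burst that straddles a bucket boundary."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, result, _, ip in sorted(parse_events(text)):
        if result != "Failed":
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = (q[0], ts)  # first and last failure of the triggering burst
    return flagged


if __name__ == "__main__":
    for ip, count in top_denied_sources(SAMPLE_LOG):
        print(f"{ip:15} {count} denied logins")
    for ip, (start, end) in brute_force_sources(SAMPLE_LOG).items():
        print(f"brute-force candidate: {ip} ({start} .. {end})")
```

On the sample data, 203.0.113.5 tops the denied-login list with five failures and is the only source flagged under the default 5-in-60-seconds rule; 198.51.100.7 has two failures 85 minutes apart and stays below any sensible threshold, which is the distinction between a noisy user and a brute-force source that the report is meant to make.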
Under the Linux Auth Events dropdown, you can check All Identity Events or All User Activities. You can export these reports in Excel or HTML as required.
Figure 3: Linux Auth Events: All User Activities
From the Windows Account Management Events dropdown, All Create/Delete User Events and All Password Change Events are recommended. The former report gives you information about all the user accounts that have been either created or deleted. In contrast, the latter report contains information about password change events and attempts to change the password.
Figure 4: Windows Account Management Events: All Password Change Events
A log entry for failed file access indicates that someone tried to open a file to which they have no access, or which does not exist. Such attempts can be an early indicator of an attacker running scans or probes against your IT infrastructure. To access the relevant report, go to the Windows File Share Events dropdown and open the All Shared File Messages report. Alternatively, check the Unauthorized File Change Attempts or Permission Change Activities report from the Windows File Activity Events dropdown.
Figure 5: Windows File Share Events: All Shared File Messages Report
If you observe that changes to users, groups, and services have been made without authorization, it means that the system has been compromised. It is common for an attacker to create a user account with high-level permissions after successfully compromising a system. To find this information, open the Windows Account Management Events dropdown and look for the following reports: Create Group/Add Group Members Events, Create Group/Add Group Members Analysis, Created Users, and Changed Users and Groups Names.
Figure 6: Windows Account Management Events: Create Group/Add Group Members Analysis
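The account-management reports above (create/delete user, password change, create group/add group members) are most useful when correlated: an account that is created and then added to a privileged group minutes later is the post-compromise pattern the text describes. The following is an added example for this article, not Logsign code. It works over constructed event records in an assumed simplified shape; the event IDs are the standard Windows Security log IDs (4720 user created, 4726 user deleted, 4724 password reset by another account, 4728/4732 member added to a global/local security group), and the approved-administrator set is an assumption you would replace with your own.

```python
"""Correlate Windows account-management events into change summaries and
'new privileged account' alerts.

Added example, not Logsign code. Records are constructed and use an assumed
simplified shape; event IDs are the standard Windows Security log IDs.
"""
from datetime import datetime, timedelta

# Constructed sample events (not from a real domain).
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:00", "id": 4720, "subject": "it-helpdesk", "target": "jsmith", "group": None},
    {"time": "2024-03-01T23:41:10", "id": 4720, "subject": "svc-backup", "target": "support2", "group": None},
    {"time": "2024-03-01T23:41:25", "id": 4732, "subject": "svc-backup", "target": "support2", "group": "Administrators"},
    {"time": "2024-03-01T23:42:00", "id": 4724, "subject": "svc-backup", "target": "administrator", "group": None},
    {"time": "2024-03-02T08:15:00", "id": 4732, "subject": "it-helpdesk", "target": "jsmith", "group": "Remote Desktop Users"},
    {"time": "2024-03-02T10:00:00", "id": 4726, "subject": "it-helpdesk", "target": "tempuser", "group": None},
]

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}
GROUP_ADD_IDS = {4728, 4732}          # member added to global / local security group
SENSITIVE_IDS = {4720, 4726, 4724} | GROUP_ADD_IDS


def _ts(event):
    return datetime.fromisoformat(event["time"])


def summarize_account_changes(events):
    """Counts in the spirit of the 'All Create/Delete User Events' and
    'All Password Change Events' reports."""
    summary = {"created": 0, "deleted": 0, "password_reset": 0, "group_adds": 0}
    for e in events:
        if e["id"] == 4720:
            summary["created"] += 1
        elif e["id"] == 4726:
            summary["deleted"] += 1
        elif e["id"] == 4724:
            summary["password_reset"] += 1
        elif e["id"] in GROUP_ADD_IDS:
            summary["group_adds"] += 1
    return summary


def new_privileged_accounts(events, window=timedelta(hours=1)):
    """Accounts added to a privileged group within `window` of being created.
    Returns (account, group, seconds between creation and the group add)."""
    created_at = {}
    hits = []
    for e in sorted(events, key=_ts):  # time order, so the creation is seen before the add
        if e["id"] == 4720:
            created_at[e["target"]] = _ts(e)
        elif e["id"] in GROUP_ADD_IDS and e["group"] in PRIVILEGED_GROUPS:
            born = created_at.get(e["target"])
            if born is not None and _ts(e) - born <= window:
                hits.append((e["target"], e["group"], int((_ts(e) - born).total_seconds())))
    return hits


def changes_by_unapproved_actors(events, approved_admins):
    """Sensitive account changes performed by a subject outside the approved
    administrator set, i.e. changes made without authorization. A service
    account creating users is a typical case worth reviewing."""
    return [
        (e["subject"], e["id"], e["target"])
        for e in events
        if e["id"] in SENSITIVE_IDS and e["subject"] not in approved_admins
    ]


if __name__ == "__main__":
    print(summarize_account_changes(SAMPLE_EVENTS))
    for account, group, secs in new_privileged_accounts(SAMPLE_EVENTS):
        print(f"ALERT: {account} added to {group} {secs}s after creation")
    for subject, event_id, target in changes_by_unapproved_actors(SAMPLE_EVENTS, {"it-helpdesk"}):
        print(f"REVIEW: {subject} performed event {event_id} on {target}")
```

In the sample, the helpdesk account's routine work (creating jsmith, later adding them to Remote Desktop Users, deleting a temporary user) produces no alert, while the service account that creates support2 and adds it to Administrators 15 seconds later, then resets the built-in administrator's password, is surfaced by both the correlation rule and the unapproved-actor check.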
This report gives you insights into events that Logsign SIEM identified as threats to the IT infrastructure. The report can contain false positives, as benign activity might have been classified as malicious. It can be accessed by selecting the All Threat Events report from the PaloAlto Firewall Threat Events dropdown.
Figure 7: Palo Alto Firewall Threat Events: All Threat Events
The Logsign SIEM platform classifies possible attack events under this dropdown for report generation. Go to the FortiGate Attack Events dropdown and select the All Attack Events option.
Figure 8: FortiGate Attack Events: All Attack Events
Did you face any issues while generating these reports for your organization? Get help from our support team today!