SIEM Use Cases

How to Detect Unauthorized Access to the Shared Folders

A Windows file server acts as file and folder storage that many users can access. Even though a collaborative working environment has many benefits, preventing unauthorized access by monitoring the permissions on shared folders is difficult. To ensure that users can access only the shared folders they need for their work, managers need detailed permission reports for every shared folder in the IT environment. These reports show whether any user holds excessive permission levels that could turn that user into an insider threat. In large organizations with many users and a continually growing workload, it is difficult for a manager to monitor the access permissions of every user account with local methods.

How to detect unauthorized access to shared folders

Logsign USO Platform can detect access activity towards shared folders on Windows systems by correlating the relevant logs. Access control logs and process creation logs are used during the detection process. The attacker is identified from the findings obtained by analyzing these logs.
1. Access control logs on Windows, process tracking logs, Network Access Control (NAC), Endpoint Protection Platform (EPP), and Endpoint Detection and Response (EDR) logs are forwarded to Logsign USO Platform and subjected to the relevant correlation.

2. Behavioral analysis is conducted through correlation processes, and the user is tagged as Attacker, Victim, or Suspicious.

3. Following the first activity started by the attacker from the user's side, behavioral analysis is conducted on the logs received from the sources, and the logs are enriched. Log activity generated by the attacker's actions is correlated and displayed on the relevant dashboard panels.

4. Malicious access requests detected by the Logsign correlation engine are identified by the Logsign USO Platform. They are shared with the relevant IT managers via SMS and email, enabling visibility and analysis.

5. By centralizing and correlating security event data, Logsign USO Platform streamlines efficient incident response workflows. Integrated with ticketing systems and other incident response tools, it enables security teams to automate the incident response process. Logsign can trigger automated actions, such as quarantining a compromised host or blocking malicious IP, username, URL, domain, and hash information, to reduce response times and minimize the impact of security incidents.
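The two building blocks the page describes, a permission report that flags excessive grants on shared folders and a correlation pass over Windows share-access events that tags users, can be sketched in a few dozen lines. The block below is an added example and is not Logsign code or a Logsign data format; the share names, group memberships, user names and event tuples are constructed for the example, and the event field layout is a simplified view of the Windows Security log share-access events (IDs 5140 and 5145) rather than any vendor schema. The thresholds and the tag names are assumptions chosen to mirror the Attacker/Suspicious tags mentioned above.

```python
"""Added example: flag over-broad share permissions and correlate Windows
share-access events against an ACL report. Constructed data throughout."""
from collections import Counter

# Hypothetical permission report: share -> {principal: access level}
SHARE_ACL = {
    "\\\\FS01\\Finance": {"FIN-Users": "Change", "FIN-Admins": "Full"},
    "\\\\FS01\\HR": {"HR-Users": "Change", "Everyone": "Full"},  # over-broad grant
    "\\\\FS01\\Public": {"Everyone": "Read"},
}

# Group membership as an identity source would report it (constructed).
GROUPS = {
    "FIN-Users": {"alice", "bob"},
    "FIN-Admins": {"carol"},
    "HR-Users": {"dave"},
}

# Principals that effectively mean "any account" (assumption for this example).
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}
WRITE_LEVELS = {"Change", "Full"}
DENIED_THRESHOLD = 3  # repeated denials before a user is tagged Suspicious


def find_excessive_grants(acl=SHARE_ACL):
    """Return (share, principal, access) for every write-capable grant to a
    broad principal; this is the 'excessive permission' case from the report."""
    return [
        (share, principal, access)
        for share, entries in acl.items()
        for principal, access in entries.items()
        if principal in BROAD_PRINCIPALS and access in WRITE_LEVELS
    ]


def authorized_users(share, acl=SHARE_ACL, groups=GROUPS):
    """Expand group grants on a share to concrete user names.
    Returns None when a broad principal is granted, meaning anyone may access."""
    users = set()
    for principal in acl.get(share, {}):
        if principal in BROAD_PRINCIPALS:
            return None
        users |= groups.get(principal, set())
    return users


# Constructed share-access events: (EventID, user, source IP, share, result).
# 5145 = share object access check, 5140 = share object accessed.
SAMPLE_EVENTS = [
    (5145, "alice", "10.0.0.11", "\\\\FS01\\Finance", "Granted"),
    (5145, "dave", "10.0.0.20", "\\\\FS01\\Finance", "Denied"),
    (5145, "dave", "10.0.0.20", "\\\\FS01\\HR", "Granted"),
    (5145, "dave", "10.0.0.20", "\\\\FS01\\Finance", "Denied"),
    (5145, "dave", "10.0.0.20", "\\\\FS01\\Finance", "Denied"),
    (5140, "eve", "10.0.0.99", "\\\\FS01\\Finance", "Granted"),  # not in any Finance group
    (5145, "bob", "10.0.0.12", "\\\\FS01\\Public", "Granted"),
]


def detect_unauthorized_access(events=SAMPLE_EVENTS, acl=SHARE_ACL, groups=GROUPS):
    """Correlate share-access events with the ACL report and return user -> tag.

    Rules (assumptions for this example):
    - DENIED_THRESHOLD or more denied access checks by one user -> "Suspicious"
    - a granted access to a share whose ACL report does not authorize the user
      (for example via a direct grant the report missed) -> "Attacker"
    """
    tags = {}
    denied = Counter()
    for event_id, user, _src_ip, share, result in events:
        if event_id not in (5140, 5145):
            continue  # only share-access events are correlated here
        if result == "Denied":
            denied[user] += 1
            if denied[user] >= DENIED_THRESHOLD:
                tags.setdefault(user, "Suspicious")
            continue
        allowed = authorized_users(share, acl, groups)
        if allowed is not None and user not in allowed:
            tags[user] = "Attacker"  # stronger tag overrides an earlier Suspicious
    return tags


if __name__ == "__main__":
    for share, principal, access in find_excessive_grants():
        print(f"excessive grant: {principal} has {access} on {share}")
    for user, tag in detect_unauthorized_access().items():
        print(f"{user}: {tag}")
```

In a real deployment the ACL report would come from the file server (for example an SMB share permission export) and the events from forwarded Security logs; the point of the example is the correlation step, which is what makes a granted access by a user the permission report cannot explain stand out from routine traffic.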
