Technical Overview

All Rights Reserved. Copyright 2019-2020. TechnoMinds Cyber Labs 1 Technical Overview



Contents

OBELUS SIEM ..... 5
  OBELUS PRODUCT FEATURES & DESCRIPTIONS ..... 7
DEPLOYMENT OPTIONS ..... 9
  Single Installed Collector ..... 9
  Multiple Installed Collectors ..... 9
  Cloud or Data Center Deployment ..... 10
LOG ON-BOARDING ..... 10
  Collector and Source Installation and Configuration ..... 10
  Agent Installation and Configuration ..... 11
SOURCE CONFIGURATION ..... 11
  Manual Configuration ..... 11
  Download Configuration from OBELUS UI ..... 11
FIELD EXTRACTION ..... 13
  Create Field Extraction Rule ..... 13
  Edit Field Extraction Rules ..... 15
EVENT AND ALERT CREATION ..... 16
  CREATE EVENT ..... 16
  CREATE ALERT ..... 18
  EVENT CORRELATION FILTER ..... 19
  CUSTOM FIELD ..... 19
  NOTIFICATIONS ..... 19
  Configure Alerts by Email Notification ..... 20
  Configure Alerts by Notable Notification ..... 20
  Configure Alerts by Ticket Notification ..... 21
DASHBOARDS ..... 22
  Edit Widget Configuration ..... 24
  Create Dashboard ..... 24
REAL-TIME ALERT MONITORING ..... 26
ASSET MANAGEMENT ..... 28
  Adding Asset Manually ..... 28
  Edit Asset ..... 29
  Delete Asset ..... 30
LOG STORAGE/RETENTION ..... 31
  OBELUS SIEM SUPPORTS DEVICES AND LOG TYPES ..... 31
  OBELUS SIEM SUPPORTS OUT OF THE BOX (OOTB) LOG TYPES ..... 32
MANAGED SECURITY SERVICE PROVIDERS (MSSP) ..... 33


  Create Organization ..... 33
  Provision Organization ..... 34
ROLE BASED ACCESS CONTROL (RBAC) ..... 35
  ROLE CAPABILITIES ..... 35
  CREATE ROLE ..... 38
  CREATE USERS ..... 39
  EDIT USERS ..... 39
INCIDENT RESPONSE PLAN ..... 40
CASE MANAGEMENT ..... 41
  Creating a case for an incident ..... 41
INVESTIGATION GRAPH ..... 44
  USE CASE: PHISHING E-MAIL ..... 44
  Attack Execution ..... 44
  Configure Events ..... 44
  Configured Notable Events/Rules ..... 47
  Investigation for Alert ..... 47
  REPORT GENERATION TOOL ..... 50
THREAT INTELLIGENCE ..... 53
  What is OSINT ..... 53
  Why OSINT ..... 53
  Configured OSINT Feed ..... 53
  Create Threat Feed ..... 54
  Edit Threat Feed ..... 56
  Delete Threat Feed ..... 57
  MANAGE INDICATOR OF COMPROMISE ..... 58
  What Is an Indicator of Compromise (IOC) ..... 58
  Create Indicator ..... 58
  Whitelisting ..... 59
  Bulk White/Blocklist Indicator ..... 59
  Bulk Upload Indicator ..... 60
  THREAT INTEL DASHBOARD ..... 61
THREAT HUNTING ..... 61
  Threat Hunting Methodologies ..... 61
  Hypothesis-driven investigation ..... 62
  Investigation based on known Indicators of Compromise or Indicators of Attack ..... 62
  Advanced analytics and machine learning investigations ..... 62
HISTORIC LOG SEARCH ..... 62
UBA ..... 64


  OBELUS UBA Platform ..... 64
  Create Use Case for Successful User Logon Attempts ..... 65

HIGHLIGHTS

✓ Real-time Security Monitoring

✓ Deliver Real-Time Operational Intelligence

✓ Proactively detect and investigate security incidents

✓ Behavior Profiling to understand trends & patterns of activity

✓ Detect & Respond to threats before they impact your business

✓ Visual Incident Response Plan with Customization

✓ Investigation by Graph (Internal & External)

✓ Auto Scalability & Reliability

✓ Threat Hunting (MITRE ATT&CK)

✓ Compliance Monitoring & Reporting

Delivering a Combined End-to-End Solution

Collect, Index & Store: OBELUS SIEM can collect and index any machine data from virtually any source, format or location in real time. Data streams in from all kinds of log sources, such as packaged and custom applications, application servers, web servers, databases, network devices, virtual machines, operating systems, endpoint sensors, mainframes and much more.

Real-time Monitoring and Alerting: Real-time alert monitoring based on thresholds and defined conditions, with automatically configured alerts that send notification emails.

Advanced Analytics with OBELUS-SIEM: Threat detection with user behavior analytics and MITRE ATT&CK monitoring, creating actionable intelligence on known and unknown risks.

Incident Response Platform: Inbuilt Incident Response Plans help security analysts respond to cyber threats faster and more efficiently.

Threat Intelligence & Collaboration: Proactively detect and mitigate threats in your environment with real-time insight into indicators of compromise (IOC).

Threat Hunting with MITRE ATT&CK: Improve proactive and post-compromise detection of adversaries in enterprises by illustrating the actions an attacker may have taken.

UBA Platform: An incredibly powerful tool to detect compromise early, mitigate risk, and stop an attacker from exfiltrating an organization's data.

Case Management Platform: The Case Management Platform is fully integrated with advanced analytics, enabling you to optimize and document analysis.

Threat Investigation Platform: Helps security teams quickly and efficiently investigate potential cybercrime threats by providing analysts with a holistic view.

Compliance Reporting & Dashboards: Having a SIEM is a core part of a number of compliance regimes, such as PCI-DSS, HIPAA, GDPR and ISO 27001.

Asset Management: A platform that helps track all registered devices and allow or deny them from sending logs to the SIEM.

ABOUT OBELUS SIEM

OBELUS Combined Security Management (CSM) delivers a unified, simple and affordable solution for Security Information and Event Management (SIEM), incident response, threat detection, threat analysis, and compliance. Powered by the latest [TMCL] Labs threat intelligence and by global threat intelligence from the most trusted sources for threat intelligence exchange, CSM enables organizations to defend against modern threats proactively. The Techno Minds SIEM platform (OBELUS) combines user and entity behavior analytics (UBA), Threat Intelligence (TI), MITRE ATT&CK, Incident Response (IR) and Case Management (CM) in a single end-to-end solution. OBELUS is equipped to detect cyber threats in real time using a powerful, scalable and efficient SIEM engine built on a low-latency, high-throughput platform.


Figure 1: OBELUS Log Collection and Processing.

Security and Log Management: Effective logging and monitoring helps an organization protect confidential information, perform careful trend analysis, and identify significant improvements to its security management program.

Log Management (LM): Log collection is the heart and soul of a SIEM. OBELUS collects and stores log files from operating systems and applications across various hosts and systems. The OBELUS platform is designed to scale without difficulty or cost, providing secure data storage at a reasonable price. This supports long-term storage, analysis, manipulation, and reporting on logs and security records.

Security Event Management (SEM): This focuses on real-time monitoring, correlating events, providing comprehensive console views, and customizing notifications. It enhances your incident reports and improves your investigations using security and non-security data collected from across your organizational infrastructure.

Security Information Management (SIM): OBELUS-SIEM with the Combined Security Management (CSM) platform provides real-time analysis of security alerts and improves threat detection and response capabilities in your organization. It also provides long-term storage, analysis, manipulation, and reporting on logs and security records.

Security Event Correlation (SEC): Tracks and alerts security analysts when an abnormal series of events occurs, such as three failed login attempts under the same user name on different machines. Improve security operations and streamline investigations by using ad hoc searches in addition to static, dynamic and visual correlations.
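As an added illustration (not OBELUS code), the correlation rule just described, three failed logins for one user name on different machines, run over constructed sshd-style sample lines; the line format, the threshold of three and the five-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real OBELUS output): sshd-style
# authentication results with an ISO timestamp and the reporting host.
SAMPLE_LOGS = """\
2020-03-01T10:00:01 host-a sshd[101]: Failed password for alice from 10.0.0.5
2020-03-01T10:00:40 host-b sshd[202]: Failed password for alice from 10.0.0.5
2020-03-01T10:01:15 host-c sshd[303]: Failed password for alice from 10.0.0.5
2020-03-01T10:02:00 host-a sshd[104]: Failed password for bob from 10.0.0.9
2020-03-01T10:02:30 host-a sshd[105]: Failed password for bob from 10.0.0.9
2020-03-01T10:03:00 host-a sshd[106]: Failed password for bob from 10.0.0.9
2020-03-01T10:05:00 host-d sshd[404]: Accepted password for alice from 10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Normalize one raw line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def correlate_failed_logins(lines, threshold=3, window=timedelta(minutes=5)):
    """Raise an alert when `threshold` failed logins for the same user name
    occur on at least `threshold` distinct hosts inside a sliding `window`.
    Failures on a single host never satisfy the distinct-host condition."""
    failures = defaultdict(list)  # user -> [(timestamp, host), ...]
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["outcome"] != "Failed":
            continue
        user = ev["user"]
        failures[user].append((ev["ts"], ev["host"]))
        # Keep only failures that fall inside the window ending at this event.
        failures[user] = [(t, h) for t, h in failures[user] if ev["ts"] - t <= window]
        hosts = {h for _, h in failures[user]}
        if len(failures[user]) >= threshold and len(hosts) >= threshold:
            alerts.append({"user": user, "hosts": sorted(hosts), "last_seen": ev["ts"]})
            failures[user].clear()  # one burst raises one alert, not one per extra event
    return alerts


if __name__ == "__main__":
    for alert in correlate_failed_logins(SAMPLE_LOGS.splitlines()):
        print(alert)
```

With the sample data only alice fires the rule: bob also fails three times, but on a single host, which this rule deliberately ignores.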

Log Test Simulator: The inbuilt Log Simulator in OBELUS-SIEM is a utility that allows users to build real-time events and generate real-time logs for testing. The Log Simulator also allows users to create log templates and schedule real-time logs or generate them on demand, which delivers events directly into OBELUS-SIEM and reduces the time and effort needed to obtain real-time logs before integrating any device log.


Figure 2: OBELUS Security Posture Dashboards.

OBELUS Product Features & Descriptions

Feature: Definition

Indexing Volume: Scales to hundreds of terabytes per day

Data On-boarding: Wizard-based workflow to simplify on-boarding of any data source

Auto Scalability & Reliability: Ability to support the burst rate of logs generated by the devices at a given point in time

UBA Behavior Profiling: UBA user and entity behavior analytics analyze user activity from logs to identify malicious behaviors

Visual Incident Response Plan: Instructions to help IT staff detect, respond to, and recover from network security incidents

Customizable Incident Response Plans (IRP): Option to customize the Incident Response Plans according to your needs

Historic Search: Ad hoc search across real-time and historical data

Monitoring and Alerting: Real-time monitoring and alerting for individual and correlated real-time events

Reporting: Ad hoc and pre-defined reports across real-time and historical data

Dashboards: Highly customizable and inbuilt dashboards for real-time machine data

Customization of Events: Customize the events that are relevant and correlate based on those events

Data Model: Used to define consistent relationships in machine data

Pivot: Drag-and-drop UI to explore, manipulate and visualize machine data

Anomaly and Pattern Detection: Automatically discovers patterns, commonalities and anomalies in your data with a single click

PDF Delivery: Scheduled and automated PDF generation and delivery of reports and dashboards

Access Control & Single Sign-On: Integrated role-based access control and user authentication with LDAP, Active Directory and single sign-on via SAML

Compliance Monitoring & Reporting: Support and fulfill compliance needs with the inbuilt platform and reports

Threat Intelligence: Threat Intelligence (OSINT & Commercial) & Feed Management

Threat Hunting (MITRE ATT&CK): Covers APT3 TTPs that are used by adversaries

Log Parsing Tool (onboard any log): Ease of log parsing for devices that need additional field extractors

Case Management: Manage security alerts by creating cases, assigning, documenting artifacts, performing investigation and tracking resolution

Asset Management: Manage your devices that are on-boarded and reporting logs to OBELUS

WHY OBELUS SIEM

OBELUS Combined Security Management (CSM) delivers a unified, simple and affordable solution that gives you real-time visibility into all the activities on your IT systems, networks, databases, and applications.


✓ Real Time Monitoring (Low Latency)

✓ Auto scalable platform.

✓ Automated Threat Context.

✓ Highly Customizable.

✓ No scripting or coding skills required.

✓ Custom Report Generation.

✓ OOTB – (Case Management, Threat Intel, Threat Hunting)

HOW IT WORKS

OBELUS receives logs from various devices via agents, syslog servers and other forwarders, translates them in real time into meaningful, normalized events, executes the configured rules and raises alerts when they match.

Deployment Options

You can install agents and configure sources on any mix of operating systems, i.e. Windows, Linux and Mac hosts, in your environment. When deciding where to install agents, consider your network topology, available bandwidth, and domains or user groups.

Single Installed Collector

An agent can be installed on any standard server that you use for log aggregation or other network services. For example, you might decide to centralize collection with just one Collector installed on a dedicated machine, especially if all of your data can be accessed from a single network location.

Figure 4 a: Single Agent Deployment.

Multiple Installed Collectors

If you have a distributed network topology, you can install multiple agents on multiple machines and set up any combination of sources to collect from your infrastructure.


Figure 4 b: Multi Agent Deployment.

Cloud or Data Center Deployment

Agents can be deployed across a cloud or data center, where the agents on each machine report to OBELUS independently, sending distinct log data so that you can query against any virtual machine or server in your deployment.

Log On-boarding

An Installed Agent is a Go agent that gathers logs and metrics from its Sources and then encrypts, compresses, and sends the data to the Obelus service. As its name implies, an Installed Agent is installed in your environment, as opposed to a Hosted Log Collector, which resides on the Obelus service. After installing an Agent, you add Sources, to which the Log Collector connects to obtain data to send to the Obelus service.

An Obelus Source is an object, configured for a specific Log Collector, that scans a particular target periodically and sends newly available data to the Log Collector. There are a number of Source types in Obelus that work with Installed Agents. Examples include:

• File Sources—Local and Remote File Sources collect logs from selected directories on the Collector host, or a remote one.

• Windows Event Log Sources—Local and Remote Windows Event Log Sources collect Windows events from the Collector host or a remote one.

• Windows Performance Monitor Log Sources—Local and Remote Windows Performance Monitor Log Sources collect Windows performance data from the Collector host, or a remote one.

• Docker Sources—Docker Sources collect Docker container logs, events, and stats from Docker.

Collector and Source Installation and Configuration


This section is an overview of the multiple methods Obelus provides for installing and configuring Agents and Sources.

Agent Installation and Configuration

Before installing an agent, you need to add the IP address, MAC address and hostname of the device on which the agent is going to be installed.

OBELUS provides the following options for installing an Agent:

1. Command-line installation for Windows

2. RPM/binary-based installation for Linux and Mac OS.

Source Configuration

Manual Configuration:

You can set up as many as 1,000 Sources on a given Agent. A Source should be configured to collect similar data types. For example, you might set up three Local File Sources to collect router activity logs from three locations, and another Local File Source to collect logs from a web application.

Each Source is tagged with its own metadata, like log_type and log_device. The more Sources you set up, the easier it is to isolate one of the Sources in a search, since each Source can be identified by its metadata.

When you configure Sources that read from log files, you specify a path expression that defines which files to scan. You can optionally configure a blacklist of files to exclude from collection.

You can create Sources using the OBELUS web app at any time after Collector installation. For source-specific instructions, see the topics below under Sources for Installed Collectors.

Alternatively, you can define Sources for an Installed Collector in a UTF-8 encoded JSON file, in which case you must provide the file when starting the Collector for the first time. For more information, see Use JSON to Configure Sources. Note that if you provide the Sources configuration in a JSON file, you can no longer manage the Sources through the OBELUS web app.

Download Configuration from OBELUS UI

Optionally, you can download the configuration from the UI as well.

• Log on to OBELUS

• Navigate to Settings

• Click on Data Input

• Select the Log Shippers menu

• Select the device that you are on-boarding

• Click on Configuration Wizard

• Select the log device and log type, and click on the Create YML button.

Figure 5: OBELUS OOTB log source support.

Figure 6: Windows Collector


Field Extraction

Field extractions allow you to parse fields from your log messages at the time the messages are ingested, which eliminates the need to parse fields at query time. With Field Extraction Rules (FERs) in place, users can use the pre-parsed fields for ad hoc searches, scheduled searches, real-time alerts, and dashboards. In addition, field extraction rules help standardize field names and searches, simplify the search syntax and scope definition, and improve search performance.

You need the Manage field extraction rules role capability to create a field extraction rule.

Figure 7: Extract Fields

The Settings > Configuration > Extract Fields page displays the following information:

• Rule name

• Log Device

• Log Type

• Creation date and time, by user

• Last modified date and time, by user

On the Settings > Configuration > Extract Fields page you can:

• Create a Field Extraction Rule

• Search Field Extraction Rules

• Edit a Field Extraction Rule

• Delete a Field Extraction Rule

• See Details of a Field Extraction Rule

Create Field Extraction Rule

To create a Field Extraction Rule:

1. Go to Manage Data > Settings > Field Extraction Rules.

2. Click Add.

3. Enter the following options:

• Parser Name: Type a name that makes it easy to identify the rule.

• Parser Description: Type a description for more information.

• Log Device: Select the log device to which you want to apply the parser.

• Log Type: Select the log type to which you want to apply the parser.

• Parser Type: Select the parser type, such as JSON, Delimiter or Regex.

4. Search existing log messages by selecting a time range and a search query option.

Figure 8: Log Messages

5. Select the log message to which the rule will be applied.

6. Expand Regex and select the field to which the regex applies.

Figure 9: Expand Regex

7. Select and click the field value in the message that is to be extracted as a new field.

8. Provide a name for this field. Specify the prefix and suffix of the field value.

9. Click Create Show Patterns to generate a parser rule or regex (regular expression) pattern. It will show possible regular expressions, or you can add your own regular expression as well.

10. Click Apply to generate the regular expression for the selected log message.

11. You can optionally add conditions that are specific to the rule.

12. In the example below, the rule will apply only when the message contains the IP address 83.149.9.216.

Figure 10: Applying rule
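The mechanics behind steps 8 to 12 (a prefix and suffix around a selected value become a regular expression with a named capture group, and a rule can be gated on a condition such as "message contains 83.149.9.216") are shown in the following added example. It is not OBELUS code and does not use the product's API: the access-log lines are constructed, and the two rules (an HTTP method field for every message and a status field only for messages from 83.149.9.216) are hypothetical. Escaping the prefix and suffix matters: a literal `[` or `"` copied from the message must not be interpreted as regex syntax.

```python
import re

# Constructed web-server access log lines (not taken from the product
# documentation); 83.149.9.216 is the address used as the rule condition
# in the procedure above.
SAMPLE_MESSAGES = [
    '83.149.9.216 - - [17/May/2020:10:05:03 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '10.0.0.7 - - [17/May/2020:10:05:09 +0000] "POST /login HTTP/1.1" 302 0',
    '83.149.9.216 - - [17/May/2020:10:05:12 +0000] "GET /admin HTTP/1.1" 403 199',
]


def build_field_regex(field_name, prefix, suffix, value_pattern=r"[^\s\"]+"):
    """Build a compiled regex with one named group for the new field.

    prefix and suffix are the literal text around the selected value
    (steps 8-9); they are escaped so that characters such as '[' or '"'
    match literally and cannot change the meaning of the pattern.
    value_pattern is the generated or hand-written pattern for the value
    itself (step 10).
    """
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", field_name):
        raise ValueError("field name must be a valid identifier: %r" % field_name)
    pattern = "%s(?P<%s>%s)%s" % (re.escape(prefix), field_name, value_pattern, re.escape(suffix))
    return re.compile(pattern)


def contains_condition(substring):
    """Rule condition (steps 11-12): apply the rule only to messages that
    contain the given text, for example a specific IP address."""
    return lambda message: substring in message


def extract_fields(messages, rules):
    """Apply (regex, condition) rules to each message at ingest time.

    A rule whose condition is present and evaluates False is skipped for
    that message; a rule whose regex does not match contributes nothing.
    Returns one dict of extracted fields per message."""
    results = []
    for message in messages:
        fields = {}
        for regex, condition in rules:
            if condition is not None and not condition(message):
                continue
            match = regex.search(message)
            if match:
                fields.update(match.groupdict())
        results.append(fields)
    return results


def demo_rules():
    """Two hypothetical rules: the HTTP method for every message, and the
    status code only for messages that contain 83.149.9.216."""
    return [
        (build_field_regex("method", '"', " /", r"[A-Z]+"), None),
        (build_field_regex("status", '" ', " ", r"\d{3}"), contains_condition("83.149.9.216")),
    ]


if __name__ == "__main__":
    for message, fields in zip(SAMPLE_MESSAGES, extract_fields(SAMPLE_MESSAGES, demo_rules())):
        print(fields, "<-", message)
```

The second message yields only a method, because the status rule's condition fails for it; the field is simply absent rather than wrong, which is the behaviour a downstream search or alert should expect from conditional rules.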

Edit Field Extraction Rules

Changes to Field Extraction Rules take effect immediately. Additionally, you can save a copy of a rule and edit the new version without changing the original rule.

1. Go to Manage Data > Settings > Field Extraction Rules.

2. Click the View Details link.

Figure 11: Field Extraction Rules


Figure 12: Extract Fields

3. Click the Edit Parser button.

Figure 13: Extract Fields Edit Parse

4. Change the Rule Name, Parser Name, Log Device, Log Type or Parser Expression as required, then click Save.

Event and Alert Creation

Events provide information about the systems that produce the metadata. The term event data refers to the contents of an OBELUS index.

Create Event

1. From the OBELUS Main page, go to Settings > Configuration.

2. Select New events > Events. Right-click and select New Category (for example, name the new node after the event category).

3. Right-click > New Category > New Event.

4. New Event > Event Information.


5. From the Event Information page add the following event information to configure the new event.

• Enter an Event Name

• Enter a Description for the event that describes why you created the event.

• (Optional) Select a Log Device

• (Optional) Select a Severity

• (Optional) Select a Category

• (Optional) Select Tags

• (Optional) Select Data Enrichment

• (Optional) Select Event Fields

• (Optional) Select Event Filter

• Select required Fields


Event Filter > Add rule with AND/OR conditions:

• Select a Log Field

• Fields related to the event

• The value can be anything

The same steps apply to Add group with AND/OR conditions. Save your work.
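An event filter of the kind described above is a tree: rules (log field, operator, value) at the leaves, AND/OR groups above them, with groups nesting inside groups. The following added example evaluates such a tree over already-parsed events. It is not OBELUS code: the events, the operator names and the filter itself are constructed, and the event IDs are Windows logon event IDs used only as sample values. The edge case worth noticing is a rule on a field the event does not carry; it evaluates to False rather than raising, so a missing field can never make an AND group pass.

```python
import operator

# Constructed, already-parsed events (field -> value). The last event has
# no logon_type field at all.
SAMPLE_EVENTS = [
    {"event_id": "4625", "user": "alice", "src_ip": "10.0.0.5", "logon_type": "3"},
    {"event_id": "4624", "user": "bob", "src_ip": "10.0.0.6", "logon_type": "10"},
    {"event_id": "4625", "user": "svc_backup", "src_ip": "203.0.113.9", "logon_type": "3"},
    {"event_id": "4624", "user": "alice", "src_ip": "203.0.113.9", "logon_type": "10"},
    {"event_id": "4624", "user": "carol", "src_ip": "203.0.113.20"},
]

# Comparison operators a rule may use; both sides are compared as strings.
OPERATORS = {
    "equals": operator.eq,
    "not equals": operator.ne,
    "contains": lambda field_value, value: value in field_value,
    "starts with": lambda field_value, value: field_value.startswith(value),
}


def rule(field, op, value):
    """One filter rule: a log field, an operator and a value."""
    if op not in OPERATORS:
        raise ValueError("unknown operator: %r" % op)
    return {"type": "rule", "field": field, "op": op, "value": value}


def group(logic, *children):
    """A group joins rules and nested groups with AND or OR."""
    if logic not in ("AND", "OR"):
        raise ValueError("logic must be AND or OR")
    if not children:
        raise ValueError("a group needs at least one rule or group")
    return {"type": "group", "logic": logic, "children": list(children)}


def evaluate(node, event):
    """Recursively evaluate a filter tree against one event.

    A rule on a field the event does not carry evaluates to False instead
    of raising, so a missing field can never satisfy an AND group."""
    if node["type"] == "rule":
        if node["field"] not in event:
            return False
        return OPERATORS[node["op"]](str(event[node["field"]]), str(node["value"]))
    results = (evaluate(child, event) for child in node["children"])
    return all(results) if node["logic"] == "AND" else any(results)


def apply_filter(events, filter_tree):
    """Return the events that satisfy the filter."""
    return [event for event in events if evaluate(filter_tree, event)]


# Hypothetical filter: (failed logon OR remote-interactive logon) AND a
# source address in the 203.0.113.0/24 documentation range.
DEMO_FILTER = group(
    "AND",
    group("OR", rule("event_id", "equals", "4625"), rule("logon_type", "equals", "10")),
    rule("src_ip", "starts with", "203.0.113."),
)

if __name__ == "__main__":
    for event in apply_filter(SAMPLE_EVENTS, DEMO_FILTER):
        print(event)
```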

Create Alert

You can manually create a notable event from existing events. From the OBELUS Main page, in Settings:

1. Select New events > Notable Events. Right-click and select New Category.

2. (Example: name the new node after the Notable Event category.)

3. Right-click > New Category > New Event.

4. New Event > Notable Event Information.

5. Enter an Event Name


6. Enter a Description for the event that describes why you created the notable event or what needs to be investigated.

7. (Optional) Select a Severity

8. (Optional) Select a Category

9. (Optional) Select Tags

10. Select required Fields

Event Correlation Filter

OBELUS comes with built-in use cases based on the events and also supports event correlation.

1. Select the related Event.

2. Select an Aggregation Type, such as a count, or an approximate count of distinct (unique) values.

3. (Optional) Select the Aggregation Fields.

4. (Optional) Select an Operator (greater than / less than / equal).

5. (Optional) Select a Value.

6. (Optional) Select a Time.

7. (Optional) Select a Time Unit (Days/Hours/Minutes/Seconds).
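The seven parameters above define a threshold over a sliding time window: take the related events, aggregate them (count, or count of distinct values of a field) over the last Time × Time Unit, and compare the result with Value using the Operator. The following added example implements that evaluation over a constructed set of authentication events; it is not OBELUS code and the product's own correlation engine may differ in how it buckets time. The sample run asks whether one account saw more than two distinct source addresses fail to log on within one minute.

```python
from datetime import datetime, timedelta

UNIT_SECONDS = {"Days": 86400, "Hours": 3600, "Minutes": 60, "Seconds": 1}
OPERATORS = {
    "greater than": lambda observed, value: observed > value,
    "less than": lambda observed, value: observed < value,
    "equal": lambda observed, value: observed == value,
}

# Constructed authentication events; timestamps are ISO 8601 strings.
SAMPLE_EVENTS = [
    {"time": "2020-05-17T10:00:00", "event": "Failed Logon", "user": "alice", "src_ip": "203.0.113.1"},
    {"time": "2020-05-17T10:00:20", "event": "Failed Logon", "user": "alice", "src_ip": "203.0.113.2"},
    {"time": "2020-05-17T10:00:40", "event": "Failed Logon", "user": "alice", "src_ip": "203.0.113.3"},
    {"time": "2020-05-17T10:00:50", "event": "Failed Logon", "user": "alice", "src_ip": "203.0.113.3"},
    {"time": "2020-05-17T10:30:00", "event": "Failed Logon", "user": "alice", "src_ip": "203.0.113.4"},
    {"time": "2020-05-17T10:30:10", "event": "Successful Logon", "user": "alice", "src_ip": "203.0.113.4"},
]


def aggregate(window, agg_type, agg_field=None):
    """Aggregate the events in a window: a plain count, or the number of
    distinct values of agg_field (events lacking the field are ignored)."""
    if agg_type == "count":
        return len(window)
    if agg_type == "distinct count":
        if agg_field is None:
            raise ValueError("distinct count needs an aggregation field")
        return len({e[agg_field] for e in window if agg_field in e})
    raise ValueError("unknown aggregation type: %r" % agg_type)


def correlate(events, related_event, agg_type, agg_field, op, value, time, time_unit):
    """Evaluate the correlation filter over a sliding time window.

    For each occurrence of related_event, in time order, the window holds
    that event and all earlier occurrences no more than `time` time_units
    before it. Whenever aggregate(window) satisfies `op value`, the event's
    timestamp is recorded as a trigger. Returns the list of trigger times."""
    span = timedelta(seconds=time * UNIT_SECONDS[time_unit])
    selected = sorted(
        (e for e in events if e["event"] == related_event),
        key=lambda e: datetime.fromisoformat(e["time"]),
    )
    triggers = []
    window = []
    for event in selected:
        now = datetime.fromisoformat(event["time"])
        window.append(event)
        # Expire events that have fallen out of the look-back window.
        window = [w for w in window if now - datetime.fromisoformat(w["time"]) <= span]
        if OPERATORS[op](aggregate(window, agg_type, agg_field), value):
            triggers.append(event["time"])
    return triggers


if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS, "Failed Logon", "distinct count", "src_ip",
                    "greater than", 2, 1, "Minutes"))
```

Note that a sliding window fires on every event while the condition holds (here at 10:00:40 and again at 10:00:50); a production rule would normally suppress repeats within one window so the analyst sees one alert per burst.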

Custom Fields

You can add more custom fields with Add Row and choose each field's key and value from the drop-downs.

Notifications

You can configure alert notifications with the options below.


• Configure alert Notification

• Configure alerts by Email notification

• Configure alerts by Notable notification

• Configure alerts by Ticket notification

Configure Alert Notification

• Specify the conditions for triggering the alert, based on the number of results.

• Set the number of results that meets the trigger condition (greater than, less than or equal).

• Optionally, specify field values that trigger an alert in real time.

Configure Alerts by Email Notification

Send an email notification to specified recipients when an alert triggers. Email notifications can include information about the alert that triggered. You can set up an email notification action from the Notable event page.

1. Click Notifications and select Email.

2. Type a comma-separated list of recipient email addresses.

3. (Optional) Provide the email Subject and Message.

Configure Alerts by Notable Notification


1. Enter a Title for the notable event.

2. Enter a Description for the event that describes why you created the notable event or what needs to be investigated.

3. Enter the alert message that describes the activity across your network applications, systems, and devices.

4. Enter the Drill-down name for the alert data received from a specific input.

5. The Drill-down can perform actions on fields, tags, and event segments.

6. (Optional) Select an IRP (Incident Response Plan).

Configure Alerts by Ticket Notification

1. Enter a Title for the ticket.

2. Enter a Description for the event that describes why you created the notable event or what needs to be investigated.

3. (Optional) Select a Priority.

4. Enter the Assignee by searching for the user's email ID.

5. Click Create Event to save the new notable event.


Dashboards

Dashboards are a powerful forensic tool for creating searches and viewing search results based on data available through a search.

• If you are having problems with your systems or network, you can easily move backward in time to pinpoint exactly when the problems occurred, and analyze additional search results to uncover the root cause.

• Reports and long-term trend analysis provide historical context and are useful in any situation in which live data is not as relevant as historical data.

• Dashboards populate completely every time you launch them and backfill data as needed. This means there will be a delay before you see all the data. If you change the time range, the data panels rerun the search.

• In Live Mode, dashboards provide a real-time view of your system, continually updating as data comes in.


Dashboards contain a collection of panels:

• Widgets provide a graphical representation in the form of a chart of your organization's data.

• Text and Title Panels allow you to add context to the data in the dashboard.

Below are the steps to create the widgets.

1. Go to Settings > Widgets > New Widget.

2. Enter the title of the widget.

3. Choose the data source: events, rules, cases or alerts.


Figure 14: Manage Widgets

4. Click the Preview button; the following options are displayed:

a. Expand fields to aggregate the selected logs

b. Select the chart type that you want to display

c. Drag the selected log fields onto the chart to display the data

d. Drag a log field to the value field to perform the aggregation on that field

5. Click the Preview button to preview the widget.

6. Click Submit to save the widget.

Edit Widget Configuration

• Go to Settings > Widgets > Edit Widget option in the table.

• Enter the title of the widget.

• Click the Preview button; the following options are displayed:

• Expand fields to aggregate the selected logs

• Select the chart type that you want to display

• Drag the selected log fields onto the chart to display the data

• Drag a log field to the value field to perform the aggregation on that field

• Click the Preview button to preview the widget.

• Click Submit to save the widget.

Create Dashboard

1. Go to Settings > Dashboards


2. Right-click the category and click the New Category link.

Figure 15: Create Dashboard

3. Click the pencil icon in the top right corner.

4. Enter the title of the dashboard.

5. Select the Permission Type.

6. Select the Category of the dashboard.

7. Choose the required permission for dashboard visibility.

Figure 16: Dashboard Visibility

8. Click the Close button.

9. Click the Plus sign to choose from the available widgets.

10. Click the Tick button to save your changes.


Figure 17: Widgets

Real-Time Alert Monitoring

OBELUS SIEM is capable of detecting threats and raising real-time alerts when analysis shows that an activity runs against predetermined rule sets and thus indicates a potential security issue.

1. Log in with a valid username and password.

2. Click the “Alerts” tab on the header bar.

3. Select the time range for which to view alerts.

4. Alerts are grouped by rule/alert name; select the alert you wish to investigate.

5. Click the (>) drill-down option to view the individual alert.

6. Click the checkbox to see the event details.

7. Click the Event Count value to view fields such as username, source IP, etc.

8. The Search option can be used to find alerts faster by priority, category, timestamp, etc.

9. The analyst can add additional fields from the filter tab if required during analysis.

10. To investigate the alert, the analyst can create a case by clicking “Add To Case”.

11. To perform a deep-dive investigation, the analyst can create an investigation by clicking “Add To Investigation”.


Figure 18: OBELUS Real-Time Threat Monitoring Console.


Asset Management

Assets and asset profiles that are created for servers and hosts in your network provide important information to assist you in resolving security issues. Using the asset data, you can connect offenses that are triggered in your system to physical or virtual assets, providing a starting point for a security investigation.

The Assets tab in OBELUS provides a unified view of the known information about the assets in your network. As OBELUS discovers more information, the system updates the asset profile and incrementally builds a complete picture of the asset.

Asset profiles are built dynamically from identity information that is passively absorbed from event data, and from information that OBELUS actively looks for during a vulnerability scan. You can also import asset data or edit the asset profile manually.

This asset information is also helpful for maintaining licenses.

Sources of asset data

Asset data is received from several different sources in your OBELUS deployment.

Asset data is written to the asset database incrementally, usually 2 or 3 pieces of data at a time. With the exception of updates from network vulnerability scanners, each asset update contains information about only one asset at a time.

Asset data usually comes from one of the following asset data sources:

• Events

Event payloads, such as those created by DHCP or authentication servers, often contain user logins, IP addresses, host names, MAC addresses, and other asset information. This data is immediately provided to the asset database to help determine which asset the asset update applies to.

Events are the primary cause for asset growth deviations.

• User interface

Users who have the Assets role can import or provide asset information directly to the asset database. Asset updates that are provided directly by a user are for a specific asset.
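The incremental model described above (updates of two or three fields each, which must first be matched to the asset they belong to) is illustrated by the following added example. It is not OBELUS code and does not describe the product's internal asset database; the updates are constructed from what DHCP and authentication event payloads typically carry, plus one manual UI edit that names its asset explicitly. The matching order (MAC address, then hostname, then IP address) is an assumption chosen because a DHCP lease is the least stable of the three identifiers; the last event-derived update shows why, as a lease moving to a second host must not be merged into the first host's profile.

```python
# Identifier precedence when deciding which asset an update belongs to
# (an assumption of this example): a MAC address is more stable than a
# hostname, which is more stable than a DHCP-assigned IP address.
IDENTIFIERS = ("mac", "hostname", "ip")

# Constructed asset updates in arrival order. Event-derived updates carry
# only the 2-3 fields the payload contained; the UI update targets one
# specific asset by id.
UPDATES = [
    {"source": "event", "ip": "10.0.0.21", "mac": "00:11:22:33:44:55"},   # DHCP lease
    {"source": "event", "ip": "10.0.0.21", "hostname": "ws-finance-07"},  # DHCP hostname option
    {"source": "event", "hostname": "ws-finance-07", "user": "alice"},    # authentication server
    {"source": "event", "ip": "10.0.0.22", "mac": "00:11:22:33:44:66"},   # a second host appears
    {"source": "event", "ip": "10.0.0.21", "mac": "00:11:22:33:44:66"},   # lease for .21 moves to the second host
    {"source": "ui", "asset_id": 1, "owner": "Finance"},                  # manual edit of asset 1
]


class AssetDatabase:
    def __init__(self):
        self.assets = {}   # asset id -> profile (field -> value)
        self.next_id = 1

    def find(self, fields):
        """Return the id of the existing asset an update applies to, or None.
        Identifiers are tried in order of stability, so a MAC match wins
        over a conflicting IP match."""
        for key in IDENTIFIERS:
            if key not in fields:
                continue
            for asset_id, profile in self.assets.items():
                if profile.get(key) == fields[key]:
                    return asset_id
        return None

    def apply(self, update):
        """Merge one update into the database; returns the asset id touched."""
        fields = {k: v for k, v in update.items() if k not in ("source", "asset_id")}
        asset_id = update.get("asset_id")          # UI updates name their asset
        if asset_id is None:
            asset_id = self.find(fields)
        if asset_id is None:                        # no match: a new asset is created
            asset_id = self.next_id
            self.next_id += 1
            self.assets[asset_id] = {}
        # An IP address is held by one asset at a time, so a lease that
        # moves to another MAC is released from the profile that held it.
        if "ip" in fields:
            for other_id, profile in self.assets.items():
                if other_id != asset_id and profile.get("ip") == fields["ip"]:
                    del profile["ip"]
        self.assets.setdefault(asset_id, {}).update(fields)
        return asset_id


def load(updates):
    """Replay a sequence of updates into a fresh database."""
    db = AssetDatabase()
    for update in updates:
        db.apply(update)
    return db


if __name__ == "__main__":
    for asset_id, profile in load(UPDATES).assets.items():
        print(asset_id, profile)
```

Every update that matches no existing identifier creates a new asset, which is the mechanism behind the "asset growth deviations" the text attributes to events: a source that emits unstable or spoofed identifiers inflates the asset count.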

Adding Asset Manually

1. Go to Settings > Assets > Assets.

2. The Assets page is displayed with IP Address, Host Name and MAC Address.


Figure 19: Assets

3. Click on New Asset Button

Figure 20: New Asset

4. Enter the Source IP.

5. Enter the Hostname.

6. Enter the MAC Address.

7. Click the Save button to confirm the changes.

Edit Asset

1. Go to Settings > Assets > Assets.

2. The Assets page is displayed with IP Address, Host Name and MAC Address.

3. Select the table row that you want to edit.


Figure 21: Edit Asset

4. Click the Edit button and enter the updated source IP, hostname and MAC address.

5. Click the Save button to persist the changes.

Delete Asset

1. Go to Settings > Assets > Assets.

2. The Assets page is displayed with IP Address, Host Name and MAC Address.

3. Select the table row that you want to delete.

4. Click the Delete button to delete the selected rows.


Log Storage/Retention

The following table shows the default storage configuration for OBELUS components.

Tier              | Retention               | Storage
Short Term Store  | <= 30 days              | SSD
Mid Term Storage  | >= 30 days, <= 365 days | S3 Buckets
Long Term Storage | > 1 year                | Glacier

OBELUS SIEM supports the following devices and log types (where the Vendor Name cell is blank, the source table does not repeat the vendor):

Vendor Name | Device | Device Type | Log Type
Check Point | Check Point | Firewall | OPSEC
Amazon | CloudTrail | Generic | API
Apple Inc. | Mac OS X | Applications/Host/Server/Operating Systems/Web Content/Filtering/Proxies | Syslog
Barracuda Networks | Web Application Firewall | Security Appliances/UTMs | Syslog
 | Web Filter | Security Appliances/UTMs | Syslog
 | Spam Firewall | Security Appliances/UTMs | Syslog
Blue Coat | ProxySG | Web Content/Filtering/Proxies | Syslog
Bro | Bro Network Security Monitor | Network Security | Syslog
Cisco | DDoS Mitigator | IDS/IPS | Syslog
 | Identity Services Engine | Other | Syslog
 | IOS Firewall | Firewall/Network Switches and Routers | Syslog
 | IOS IDS | IDS/IPS/Network Switches and Routers | Syslog
 | IronPort Email Security | Email Security | Syslog
 | IronPort Web Security Appliance | Web Content/Filtering/Proxies | Syslog
 | Open TACACS+ | Authentication | Syslog
 | PIX IDS | IDS/IPS/Network Switches and Routers | Syslog
 | PIX/ASA/FWSM | Firewall/IDS/IPS | Syslog
 | Secure ACS | IDS/IPS | Syslog
 | NetScaler | Web Content/Filtering/Proxies | Syslog
 | Secure Gateway | Web Content/Filtering/Proxies | Syslog
CyberArk | Enterprise Password Vault | Application | Syslog
 | Privileged Identity Management Suite - CEF | Application | Syslog
 | Privileged Threat Analytics | UBA | Syslog
Cyberoam | Cyberoam UTM and NGFW | UTM/Firewall | Syslog
Cylance | Cylance PROTECT | Antivirus | Syslog
Dell SonicWALL | SonicOS | Firewall | Syslog
FireEye | FireEye Malware Protection | Antivirus/Malware | Syslog
Fidelis | Fidelis Network | Security Appliance | Syslog
Fortinet | FortiGate Antivirus | Antivirus | Syslog
 | FortiGate Firewall | Firewall | Syslog
 | FortiGate IDS | IDS/IPS | Syslog
Imperva | WAF | Web Content | Syslog
Juniper Networks | NetScreen Firewall | Firewall | Syslog
 | NetScreen IDP | IDS/IPS | Syslog
 | JUNOS Router | Network Switches and Routers | Syslog
Kaspersky | Malware Protection | Antivirus | SQL
Malwarebytes | Malware Protection | Antivirus | SQL
Microsoft | Microsoft Active Directory | All Type | WMI
 | Microsoft Exchange Server 2010 | | WMI
 | Microsoft SQL Server | All Type | WMI
Oracle | Oracle | Database | Syslog
 | Oracle Audit | Database | Syslog
Palo Alto Networks | Firewall | Firewall | Syslog
Proofpoint | Email Security Gateway | Application | Syslog

OBELUS SIEM supports out-of-the-box (OOTB) log types: OBELUS SIEM has robust out-of-the-box functionality to support the log sources listed in the diagram.

Figure 22: OBELUS OOTB log source support.


Managed Security Service Providers (MSSP)

The use of managed security service providers (MSSP) continues to trend upward as demand for external support grows. Smaller to mid-sized organizations can now keep up with the dynamic threat landscape, while larger enterprises use managed security services to maximize their capabilities. Motivations to seek third-party support include a lack of internal resources to manage a SIEM deployment and perform real-time alert monitoring, or a lack of expertise to expand into new use cases.

OBELUS can onboard multiple clients on a single platform.

Follow the instructions below to create or edit organizations.

Create organization

1. Go to Settings > Users & Authentication > Manage Users.

2. Click the Organizations tab. It lists the child organizations under your organization.

3. Click New Organization to create a new organization.

4. Enter the Name and upload a logo.

5. Click the Save button to create the organization.

Figure 23: Create Organization


Provision Organization

1. Go to Settings > Users & Authentication > Manage Users.

2. Click the Organizations tab. It lists the child organizations under your organization.

3. Select the organization that you want to provision.

4. Click the Provision button.

5. Once provisioning is complete, the users assigned to the company are able to log in and perform their operations.

Figure 24: Manage Users


Role Based Access Control (RBAC)

Role-based access control provides flexible and effective tools that you can use to protect OBELUS data.

OBELUS masks data to the user much like the way a relational database manages role-based access control. In some cases total segmentation of data may be necessary. In other cases, controlling the searches and results at the presentation layer may meet your security needs.

Consider your use cases when deciding how to set up your configurations and whether role-based access might fit your needs. For example:

• For extremely sensitive data, where even allowing access to a system that might hold sensitive data incurs legal risk, consider installing and configuring more than one instance of OBELUS, and configuring each instance with the data for the appropriate audience.

• When intentionally or unintentionally exposing sensitive data to the wrong user might have legal ramifications, consider creating indexes specifically for privileged and non-privileged accounts and assigning them to roles created for each level of access.

• When there are security concerns but less legal risk, you can restrict access using Apps. For example, you can create an App with static dashboards and assign roles with lower clearance to those dashboards, limiting the type of information a user assigned to the role may access.

• Field encryption (an optional feature), search exclusions, and field aliasing to redacted data are also good ways to tighten up a limited search case. If you have a limited search case and only need to search some specific data from a shared index, you can restrict shared reports, restrict ad hoc searches, and funnel summary indexing into a secured index.

By default, OBELUS provides two roles:

1. Administration – the Administration role has access to all organizations and has permission to enable or disable features for organizations.

2. Company Admin – a Company Admin administers their own organization and its sub-organizations, and cannot enable or disable features for organizations.
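The two default roles differ in scope as much as in capabilities: Administration spans every organization, while a Company Admin is confined to their own organization and its sub-organizations. Combined with roles being granted to users directly or through groups (the Granted To choice in the Create Role procedure), an authorization decision is therefore two independent checks, and the following added example models both. It is not OBELUS code and does not describe the product's implementation: the organization tree, users, groups and the "SOC Analyst" role are constructed, the capability names are taken from the Role Capabilities table, and "Enable/Disable Features" is a hypothetical name standing in for the feature toggle the text reserves for the Administration role.

```python
# Constructed organization hierarchy: child -> parent (None marks the top).
ORG_PARENT = {
    "MSSP Root": None,
    "Client A": "MSSP Root",
    "Client A - Retail": "Client A",
    "Client B": "MSSP Root",
}

# Capability names follow the Role Capabilities table; "Enable/Disable
# Features" is a hypothetical name for the feature toggle that the text
# reserves for the Administration role.
ORG_ADMIN_CAPABILITIES = {
    "Add User", "View User", "Update User", "Delete User",
    "Add Groups", "View Groups", "Update Groups", "Delete Groups",
    "Add Roles", "View Roles", "Update Roles", "Delete Roles",
    "Add Organization", "View Organization", "Update Organization", "Delete Organization",
    "Manage Field Extraction Rules", "Enable/Disable Agents",
}
ROLE_CAPABILITIES = {
    "Administration": ORG_ADMIN_CAPABILITIES | {"Enable/Disable Features"},
    "Company Admin": set(ORG_ADMIN_CAPABILITIES),
    # A constructed custom role of the kind created under Manage Users > Roles.
    "SOC Analyst": {"Search Console", "View Dashboards", "View Events",
                    "Create Case", "View Case", "Update Case"},
}
# Roles whose scope is every organization; all other roles are scoped to
# the user's home organization and its sub-organizations.
GLOBAL_ROLES = {"Administration"}

# Roles can be granted to users directly or through groups ("Granted To").
GROUP_ROLES = {"Tier 1 Analysts": {"SOC Analyst"}}
USERS = {
    "root.admin": {"home_org": "MSSP Root", "roles": {"Administration"}, "groups": set()},
    "a.admin": {"home_org": "Client A", "roles": {"Company Admin"}, "groups": set()},
    "b.analyst": {"home_org": "Client B", "roles": set(), "groups": {"Tier 1 Analysts"}},
}


def effective_roles(user):
    """Roles held directly plus roles inherited through group membership."""
    roles = set(user["roles"])
    for group_name in user["groups"]:
        roles |= GROUP_ROLES.get(group_name, set())
    return roles


def is_within(org, ancestor):
    """True if org is `ancestor` itself or one of its sub-organizations."""
    while org is not None:
        if org == ancestor:
            return True
        org = ORG_PARENT.get(org)
    return False


def authorized(username, capability, target_org):
    """Decide whether `username` may exercise `capability` on `target_org`.

    Both checks must pass: the capability must be granted by one of the
    user's effective roles, and the target organization must be inside the
    user's scope (any organization for global roles, otherwise the home
    organization and its descendants). Unknown users or organizations are
    denied, as is any capability no role grants."""
    user = USERS.get(username)
    if user is None or target_org not in ORG_PARENT:
        return False
    roles = effective_roles(user)
    if not any(capability in ROLE_CAPABILITIES.get(role, set()) for role in roles):
        return False
    if roles & GLOBAL_ROLES:
        return True
    return is_within(target_org, user["home_org"])


if __name__ == "__main__":
    print(authorized("a.admin", "Add User", "Client A - Retail"))   # same subtree
    print(authorized("a.admin", "Add User", "Client B"))            # sibling organization
```

Keeping the scope check separate from the capability check is what prevents a Company Admin from acting on a sibling client in a multi-tenant deployment even though the capability itself is one they hold.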

Role Capabilities

Capability | Description
Add User | Permission to create a user
View User | Permission to view a user
Delete User | Permission to delete a user
Update User | Permission to update a user
Add Groups | Permission to add groups
Update Groups | Permission to update groups
View Groups | Permission to view groups
Delete Groups | Permission to delete groups
Add Roles | Permission to add roles
Update Roles | Permission to update roles
View Roles | Permission to view roles
Delete Roles | Permission to delete roles
Add Dashboards | Permission to add dashboards
Update Dashboards | Permission to update dashboards
View Dashboards | Permission to view dashboards
Delete Dashboards | Permission to delete dashboards
Add Visualizations | Permission to add visualizations
Update Visualizations | Permission to update visualizations
View Visualizations | Permission to view visualizations
Delete Visualizations | Permission to delete visualizations
Search Console | Permission to view Historical Search
Add Rules | Permission to add rules
Update Rules | Permission to update rules
View Rules | Permission to view rules
Delete Rules | Permission to delete rules
Add Events | Permission to add events
Update Events | Permission to update events
View Events | Permission to view events
Delete Events | Permission to delete events
Manage Field Extraction Rules | Permission to create/view/update/delete log parsers
Add Asset | Permission to add an asset
View Asset | Permission to view an asset
Update Asset | Permission to update an asset
Delete Asset | Permission to delete an asset
Enable/Disable Agents | Permission to enable/disable agents
Add Organization | Permission to add an organization
Update Organization | Permission to update an organization
Delete Organization | Permission to delete an organization
View Organization | Permission to view an organization
Create Case | Permission to create a case
View Case | Permission to view a case
Update Case | Permission to update a case
Reopen Case | Permission to reopen a case
Create Global Space | Permission to create a public space
View Global Space | Permission to view a public space
Update Global Space | Permission to update a public space
Delete Global Space | Permission to delete a public space
Promote Space | Permission to promote a space from private to public


Create Role

1. Go to Settings > Users & Authentication > Manage Users.

2. Click the Roles tab. It lists the roles under your organizations.

Figure 25: Manage Users create role

3. Click on New Roles

Figure 26: Create Role

4. Enter the Role name and select permissions from the left side.

5. Under Granted To, select either Users or Groups.

6. Select the list of users or groups to add to the role.


7. Click the Save button to persist the changes.

Create Users

1. Go to Settings > Users & Authentication > Manage Users.

2. Click the Users tab.

3. Click the New User button and enter Email, First Name, Middle Name, Last Name, Default Company and Assign Company.

4. Click the Save Changes button to persist the changes.

Edit Users

1. Go to Settings > Users & Authentication > Manage Users.

2. Click the Edit link in the user table.

3. Edit the first name, last name and company details.

4. Click the Save Changes button to persist the changes.


Incident Response Plan

OBELUS comes with built-in Incident Response Plans to help security analysts respond to cyber threats faster and more efficiently. The platform also allows you to customize and edit a response plan according to your requirements.

1. Log in with a valid username and password.

2. Click the settings option on the right side.

3. Select Incident Response Plan from the left panel.

Figure 27: Incident Response Plan

4. To create a new IRP, click “New IRP”, or select the dotted option to View, Clone or Edit an existing one.

5. Use the right and left panels to create the template, flow, design, colour, etc., and save your work.

Figure 28: Incident Response Plan


Case Management

Our Case Management platform is fully integrated into Advanced Analytics, enabling you to optimize and document analysis and artifacts. It also helps analysts collect, distribute and analyze security alerts associated with events or incidents more effectively and efficiently, thus helping to close incident investigations with the right data, artifacts and analysis.

1. Log in with a valid username and password.

2. Click the “Cases” search tab on the header bar.

3. View the cases by time, status, age and priority.

4. To open a case, select the case and click the “Case Title”.

Creating a case for an incident:

1. Analysts can create a case for incidents that need further investigation directly from the Alerts tab.

2. Select the alert and click the “Add to Case” option on the right.

Figure 30: Add Alert to Case

Figure 29: Cases Dashboard.


3. You can add the alert to existing case or create a new case.

Figure 31: Create New Case

4. Or create a new case by filling in the case details.

5. Once the case is created, click the “Cases” tab to view your case and click the “Case Title” to open it.

6. You can view the Case Details, Age, Evidence, IRP, Alerts, Assignee, Owner, Attachments, etc. on the page.


Figure 32: Case Detail Page

7. Every alert or case has an IRP (Incident Response Plan) associated with it, which helps the analyst investigate the incident effectively and efficiently.


Investigation Graph

The Investigation Graph helps analysts triage and analyze alerts by clicking through the nodes of a graph built from correlated information and threat context. One such scenario is explained below to show how this feature helps analyze an alert.

Use Case: Phishing E-Mail

Phishing is a type of online scam where attackers send an email that appears to be from a legitimate company and ask you to provide sensitive information. This is usually done by including a link that will appear to take you to the company’s website to fill in your information – but the website is a clever fake and the information you provide goes straight to the crooks behind the scam.

The term ’phishing’ is a spin on the word fishing, because criminals are dangling a fake ’lure’ (the email that looks legitimate, as well as the website that looks legitimate) hoping users will ’bite’ by providing the information the criminals have requested – such as credit card numbers, account numbers, passwords, usernames, and more.

Attack Execution

Below are the steps of how this attack is executed:

• User receives an email that has a link in it.

• User clicks the link.

• User connects to the URL with the default browser.

• Other actions are performed (file download, running malicious code).

Configure Events

The following events were created to detect this kind of attack:

• Email Download by PowerShell (checks whether any content was downloaded by powershell.exe)

• Network Connection (a network connection is established from a process)

• File Created (monitors whether any new file was created)

• File Create Stream (generates events that log the hash of the contents of the file to which the stream is assigned)


Configured Notable Events/Rules

The following notable event was created to detect the phishing use case. This rule checks for any PowerShell command process run to download a file from the internet, preceded by a network connection, preceded by file creation. If all conditions are met, it raises an alert.
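As an added example (not OBELUS code), the following Python shows one way the notable event above can be evaluated over the event types listed under Configure Events: it groups events by powershell.exe process and raises the alert only when a network connection, a file creation and a file create stream all occur, in that order, within one window. The event schema and field names, the 60-second window and that ordering are this example's assumptions; the sample events are constructed, with the file name and IP of the first sequence taken from the page's investigation scenario.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Field names are this example's own, not the OBELUS
# schema; the file name and IP in sequence 1 are the ones shown in the page's graph.
SAMPLE_EVENTS = [
    # Sequence 1: powershell.exe connects out, then writes 65536.exe and its stream.
    {"ts": "2020-03-01T10:00:00", "host": "WS01", "pid": 4120, "image": "powershell.exe",
     "event": "NetworkConnection", "dst_ip": "101.99.77.132"},
    {"ts": "2020-03-01T10:00:03", "host": "WS01", "pid": 4120, "image": "powershell.exe",
     "event": "FileCreated", "target": r"C:\Users\u1\AppData\Local\Temp\65536.exe"},
    {"ts": "2020-03-01T10:00:04", "host": "WS01", "pid": 4120, "image": "powershell.exe",
     "event": "FileCreateStream", "target": r"C:\Users\u1\AppData\Local\Temp\65536.exe"},
    # Sequence 2: a mail client doing the same three things; not PowerShell, so ignored.
    {"ts": "2020-03-01T10:05:00", "host": "WS02", "pid": 880, "image": "outlook.exe",
     "event": "NetworkConnection", "dst_ip": "203.0.113.10"},
    {"ts": "2020-03-01T10:05:01", "host": "WS02", "pid": 880, "image": "outlook.exe",
     "event": "FileCreated", "target": r"C:\Users\u2\Downloads\report.pdf"},
    {"ts": "2020-03-01T10:05:01", "host": "WS02", "pid": 880, "image": "outlook.exe",
     "event": "FileCreateStream", "target": r"C:\Users\u2\Downloads\report.pdf"},
    # Sequence 3: PowerShell network connection only; the chain never completes.
    {"ts": "2020-03-01T10:09:00", "host": "WS03", "pid": 5000, "image": "powershell.exe",
     "event": "NetworkConnection", "dst_ip": "198.51.100.7"},
    # Sequence 4: PowerShell writes a file ten minutes after connecting; outside the window.
    {"ts": "2020-03-01T11:00:00", "host": "WS04", "pid": 777, "image": "powershell.exe",
     "event": "NetworkConnection", "dst_ip": "198.51.100.8"},
    {"ts": "2020-03-01T11:10:00", "host": "WS04", "pid": 777, "image": "powershell.exe",
     "event": "FileCreated", "target": r"C:\Temp\x.ps1"},
    {"ts": "2020-03-01T11:10:01", "host": "WS04", "pid": 777, "image": "powershell.exe",
     "event": "FileCreateStream", "target": r"C:\Temp\x.ps1"},
]

# The chain the notable event requires, in the order this example assumes.
CHAIN = ("NetworkConnection", "FileCreated", "FileCreateStream")


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def evaluate_rule(events, window_seconds=60):
    """Return one alert per powershell.exe process whose events complete CHAIN, in
    order, within window_seconds of the network connection that started the chain."""
    by_proc = defaultdict(list)
    for ev in events:
        if ev["image"].lower() == "powershell.exe":      # the 'download by PowerShell' condition
            by_proc[(ev["host"], ev["pid"])].append(ev)

    alerts, window = [], timedelta(seconds=window_seconds)
    for (host, pid), evs in by_proc.items():
        evs.sort(key=_ts)
        stage, start, conn = 0, None, None
        for ev in evs:
            if ev["event"] == CHAIN[0]:                  # a connection (re)starts the chain
                stage, start, conn = 1, _ts(ev), ev
                continue
            if stage == 0 or ev["event"] != CHAIN[stage]:
                continue                                 # out-of-order or unrelated event
            if _ts(ev) - start > window:
                stage = 0                                # too slow: drop the partial chain
                continue
            stage += 1
            if stage == len(CHAIN):                      # all conditions met: raise the alert
                alerts.append({"rule": "Phishing: file downloaded by PowerShell",
                               "host": host, "pid": pid, "dst_ip": conn["dst_ip"],
                               "file": ev["target"]})
                stage = 0
    return alerts
```

Only the first sequence fires with the default window; widening the window to 900 seconds makes the fourth sequence fire too, which is the usual tuning trade-off between missed slow downloads and noise.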

Investigation for Alert

1. Analysts can create an investigation for incidents that need further investigation directly from the Alert tab.

2. Select the alert and click on the “Add to Investigation” option on the right.


Figure 33: Investigation Graph

3. You can add the alert to the investigation by filling in the case details.

Figure 34: Configure New Investigation

4. Select the investigation created from the “Investigation” tab.

5. The investigation shows the attacker path and what actions a particular adversary performed.


6. The right panel displays the Indicators and Observables.

Figure 35: Investigation Graph

The above attacker path clearly shows that the file 65536.exe was downloaded by PowerShell from the IP 101.99.77.132, which was a threat IP according to threat intel sources. The graph also gives information about the threat IP, any passive DNS records attached to the IP and any malware hashes associated with this IP.

If you click on any indicator, it shows you the Geo Location, IP reputation and WHOIS information.


Report Generation Tool

Generate reports based on requirements and business needs. Inbuilt reports help users and analysts save time; reports are generated on demand and the template can be customized as per the requirement.

1. Login with a valid username and password.

2. Click on the “Reports” tab on the header bar.

3. Click on “Create Report Template”.

4. Enter the required information to create the report in the Report Template and select the compliance type from the drop-down.

5. Scroll down the window to set the Graphs and Filter Condition.

6. Click on the Create button; the created report will be saved.

7. To generate the report for preview, click on the Generate Report button.

8. To take a printout of the report, click on the Print button.


Figure 36: OBELUS SIEM Sample Report.

9. To edit the report, click on the Edit Report option.


10. Click on Schedule Reports to schedule the report.


Threat Intelligence

The Threat Intelligence framework is a mechanism for consuming and managing threat feeds, detecting threats, and alerting. The framework consists of modular inputs that collect and sanitize threat intelligence data, lookup generation searches to reduce data to optimize performance, searches to correlate data and alert on the results, and data modeling to accelerate and store results. This framework also includes a number of audit dashboards that allow introspection into threat intelligence retrieval, normalization, persistence, and analysis.

What is OSINT:

OSINT stands for open source intelligence, which refers to any information that can legally be gathered from free, public sources about an individual or organization. In practice, that tends to mean information found on the internet, but technically any public information falls into the category of OSINT, whether it’s books or reports in a public library, articles in a newspaper or statements in a press release.

Why OSINT:

By gathering publicly available sources of information about a particular target an attacker – or friendly penetration tester – can profile a potential victim to better understand its characteristics and to narrow down the search area for possible vulnerabilities. Without actively engaging the target, the attacker can use the intelligence produced to build a threat model and develop a plan of attack. Targeted cyber-attacks, like military attacks, begin with reconnaissance, and the first stage of digital reconnaissance is passively acquiring intelligence without alerting the target.

Gathering OSINT on yourself or your business is also a great way to understand what information you are gifting potential attackers. Once you are aware of what kind of intel can be gathered about you from public sources, you can use this to help you or your security team develop better defensive strategies. What vulnerabilities does your public information expose? What can an attacker learn that they might leverage in a social engineering or phishing attack?

Configured OSINT Feeds: These are the OSINT feeds configured in OBELUS.

Feed Name                           Feed Type   Indicator Type
abuseFree_zeustrackerdomain         URL         DOMAIN
abuseFree_zeustrackerDOMAIN_domain  URL         DOMAIN
banjori-domlist                     URL         DOMAIN
botvrij.eu                          URL         DOMAIN
dshield.org                         URL         DOMAIN
dshield.org_domain                  URL         DOMAIN
gist.githubusercontent_domain       URL         DOMAIN
malc0de.com_domain                  URL         DOMAIN
malwaredomainlist_domain            URL         DOMAIN
ransomwaretracker_domain            URL         DOMAIN
abuseFree_zeustrackerIP_ip          URL         IP
bambenekconsulting-ip               URL         IP
binarydefense-ip                    URL         IP
dan.me.uk_ip                        URL         IP
danger.rulez.sk_ip                  URL         IP
emergingthreats-ip                  URL         IP
feodotracker.abuse.ch_ip            URL         IP
lists.blocklist.de                  URL         IP
New Feed                            URL         IP
sblam.com-ip                        URL         IP
spamhaus_DROP_ip                    URL         IP
spamhaus_DROPV6_ip                  URL         IP
spamhaus_EDROP_ip                   URL         IP
threatcrowd-ip                      URL         IP
extra feed                          API         SHA1
openphis_url                        URL         URL
vxvault_url                         URL         URL

The following steps show how to view, create and update feeds.

Create Threat Feed:

1. Go to Manage Data > Settings > Feeds > Manage Feeds.

2. Click on Configure Feed.

3. Select the owner of the feed.

4. Enter the feed name.

5. Select the indicator type.


6. Select the feed type, such as URL, API, FILE or TAXII. This tells the source of the feed.

7. Click on the Next button.

8. Enter the URL of the feed.

9. Enter the feed trust score. It indicates the level of trust given to the feed.

10. Enter a unique source name.


11. Enter the delimiter, such as CSV or JSON.

12. Select the feed scheduler frequency, such as run every hour or so.

13. Click on the Next button.

14. Enter tags for unique identification.

15. Select the TLP.

16. Click on the Save button to persist the changes.

Edit Threat Feed:

1. Go to Manage Data > Settings > Feeds > Manage Feeds.

2. In the table, click on the Edit button of the feed that you want to edit.

3. Change the owner, feed name, indicator type and feed type.

4. Change the URL if needed.

5. Change the feed trust score and source name.


6. Click on the Next button to change the tags or TLP.

7. Click on the Save button to persist the changes.

Delete Threat Feed:

1. Go to Manage Data > Settings > Feeds > Manage Feeds.

2. In the table, click on the Delete button of the feed that you want to delete.


Manage Indicators of Compromise

What are Indicators of Compromise (IOC):

Indicators of Compromise (IOC) are pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network.

Examples of an IOC include unusual network traffic, unusual privileged user account activity, login anomalies, increases in database read volume, suspicious registry or system file changes, unusual DNS requests and web traffic showing non-human behavior. These and other unusual activities allow security teams monitoring the systems and networks to spot malicious actors earlier in the intrusion detection process.

Documenting IOCs and their associated threats allows the industry to share this information and improve incident response and computer forensics. For this reason, efforts are being made by groups like OpenIOC, STIX and TAXII, among others, to standardize IOC documentation and reporting.

The following steps create, update and upload IOCs.

Create Indicator:

1. Go to Manage Data > Settings > Feeds > Indicators.

2. The indicator table lists Feed Name, Type, First Seen, Last Seen, Feed Source, Indicator and Status.

3. Click on the Create button.

4. Select the type (Whitelist/Blocklist).

5. Select the indicator type (IP, Domain, Hash, Email).

6. Enter the indicator value.

7. Enter the feed trust score.


8. Enter the reason.

9. Click on the Save button to persist the changes.

Whitelisting:

In more and more environments, IOCs are used as a blacklist system, and security tools can block access to resources based on IP addresses, domains, file hashes, etc. But every security control also implements a “whitelist” system to prevent (as much as possible) false positives.

IP Whitelisting:

IP Whitelisting allows you to create lists of trusted IP addresses or IP ranges from which your users can access your domains. An IP whitelist is a security feature often used for limiting and controlling access only to trusted users. IP whitelisting can be set via the Good Data API.
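As an added example (not OBELUS code), the following Python ties the feed settings above (indicator type, delimiter, trust score, TLP) to the whitelist/blocklist rule in this section: feed bodies in CSV and JSON form are normalized into one index, and a lookup lets the analyst whitelist win over every feed hit, trusts the analyst blocklist unconditionally, and requires a minimum trust score for feed hits. Feed names, bodies, indicator values, trust scores and TLP labels are constructed for this example, as is the `indicator` column name.

```python
import csv
import io
import json
from ipaddress import ip_address, ip_network

# Constructed feed records in the two delimiter formats the page lists (csv, json).
# Feed names, values, trust scores and TLP labels are made up for this example.
FEEDS = [
    {"name": "example_ip_feed", "indicator_type": "IP", "delimiter": "csv",
     "trust_score": 80, "tlp": "GREEN",
     "body": "indicator,first_seen\n198.51.100.7,2020-03-01\n203.0.113.0/24,2020-03-01\n"},
    {"name": "example_domain_feed", "indicator_type": "DOMAIN", "delimiter": "json",
     "trust_score": 40, "tlp": "AMBER",
     "body": json.dumps([{"indicator": "bad.example"}, {"indicator": " Also-Bad.Example. "}])},
]
# Analyst-managed lists (the page's Whitelist/Blocklist indicator types); also constructed.
WHITELIST = {("IP", "198.51.100.7")}
BLOCKLIST = {("DOMAIN", "internal-evil.example")}


def normalize(ind_type, value):
    """Sanitize one raw value: trim, lower-case, drop a trailing dot on domains."""
    v = value.strip()
    if ind_type == "DOMAIN":
        return v.lower().rstrip(".")
    if ind_type == "IP":          # accept a single address or a CIDR block
        return str(ip_network(v, strict=False)) if "/" in v else str(ip_address(v))
    return v.lower()


def parse_feed(feed):
    """Return normalized indicator records from a feed body, by its delimiter."""
    body = feed["body"]
    if feed["delimiter"] == "csv":
        raw = [row["indicator"] for row in csv.DictReader(io.StringIO(body))]
    elif feed["delimiter"] == "json":
        raw = [obj["indicator"] for obj in json.loads(body)]
    else:
        raise ValueError(f"unsupported delimiter {feed['delimiter']!r}")
    records = []
    for value in raw:
        try:
            norm = normalize(feed["indicator_type"], value)
        except ValueError:        # malformed line: skip it rather than poison the index
            continue
        records.append({"type": feed["indicator_type"], "value": norm,
                        "source": feed["name"], "trust": feed["trust_score"],
                        "tlp": feed["tlp"]})
    return records


def build_index(feeds):
    """Merge all feeds; when two feeds carry the same indicator keep the higher trust."""
    index = {}
    for feed in feeds:
        for rec in parse_feed(feed):
            key = (rec["type"], rec["value"])
            if key not in index or rec["trust"] > index[key]["trust"]:
                index[key] = rec
    return index


def lookup(index, ind_type, value, min_trust=50):
    """Match one observed value. Whitelist wins over everything (the page's false-positive
    control), the analyst blocklist is always trusted, feed hits need trust >= min_trust."""
    norm = normalize(ind_type, value)
    if (ind_type, norm) in WHITELIST:
        return None
    if (ind_type, norm) in BLOCKLIST:
        return {"source": "blocklist", "trust": 100, "value": norm}
    hit = index.get((ind_type, norm))
    if hit is None and ind_type == "IP":     # fall back to CIDR entries from the feeds
        addr = ip_address(norm)
        for (t, v), rec in index.items():
            if t == "IP" and "/" in v and addr in ip_network(v):
                hit = rec
                break
    return hit if hit and hit["trust"] >= min_trust else None
```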

Bulk White/Blocklist Indicator:

1. Go to Manage Data > Settings > Feeds > Indicators.

2. Select the indicators that you want to whitelist or blocklist.

3. Click on the Whitelist or Blocklist button.


Bulk Upload Indicator:

1. Go to Manage Data > Settings > Feeds > Indicators.

2. Click on the Add File button and upload the CSV file.


Threat Intel Dashboard

Threat Hunting

Threat hunting is the practice of proactively searching for cyber threats that are lurking undetected in a network. Cyber threat hunting digs deep to find malicious actors in your environment that have slipped past your initial endpoint security defenses. After sneaking in, an attacker can stealthily remain in a network for months as they quietly collect data, look for confidential material, or obtain login credentials that will allow them to move laterally across the environment.

Once an adversary is successful in evading detection and an attack has penetrated an organization’s defenses, many organizations lack the advanced detection capabilities needed to stop advanced persistent threats from remaining in the network. That’s why threat hunting is an essential component of any defense strategy.

Threat Hunting Methodologies:

Threat hunters assume that adversaries are already in the system, and they initiate investigations to find unusual behavior that may indicate the presence of malicious activity. In proactive threat hunting, this initiation of investigation typically falls into three main categories:


Hypothesis-driven investigation: Hypothesis-driven investigations are often triggered by a new threat that’s been identified through a large pool of crowd-sourced attack data, giving insights into attackers’ latest tactics, techniques, and procedures (TTPs). Once a new TTP has been identified, threat hunters will then look to discover if the attacker’s specific behaviors are found in their own environment.

Investigation based on known Indicators of Compromise or Indicators of Attack: This approach to threat hunting involves leveraging tactical threat intelligence to catalog known IOCs and IOAs associated with new threats. These then become triggers that threat hunters use to uncover potential hidden attacks or ongoing malicious activity.

Advanced analytics and machine learning investigations: The third approach combines powerful data analysis and machine learning to sift through a massive amount of information in order to detect irregularities that may suggest potential malicious activity. These anomalies become hunting leads that are investigated by skilled analysts to identify stealthy threats.

OBELUS comes preconfigured with all MITRE-based tactics and techniques, which are used for threat hunting.

Historic Log Search

OBELUS SIEM allows searching, viewing and interacting with the logs, as well as performing data analysis and visualizing the logs in a variety of charts, tables and maps. Analysts can search logs faster and more effectively without having to write complex query statements.

1. Login with a valid username and password.

2. Click on the “Historical” search tab on the header bar.


3. Select the “Time range” option in the right corner and choose the duration of your search.

4. Select the Add a filter option, provide the value to be searched and hit the search option.

5. Add fields and drill down into your results to investigate further.

6. Use the “Auto Refresh” option to set the refresh time of your current window.

7. To clear the search, click “New”, “Clear Query” or “Delete Filter”.

8. Save the search and share reports of trends or logs.

Figure 37: Historic Log search.


UBA

User behavior analytics (UBA) is the tracking, collecting and assessing of user data and activities using monitoring systems. UBA technologies analyze historical data logs, including network and authentication logs collected and stored in log management and SIEM. UBA systems are primarily intended to provide cyber security teams with actionable insights.

OBELUS UBA Platform

The OBELUS UBA Platform identifies security incidents using statistical analysis and predefined correlation rules. UBA can also detect suspicious behavior with no predefined patterns or rules.

The OBELUS UBA Platform effectively addresses all of the top 10 security use cases described below:

1. Compromised User Credentials

User account credentials are keys to legitimate access, and stolen credentials are the number one vector for data breaches.

2. Privileged-user Compromise

A privileged user has authorized access to high-value resources, such as sensitive data or an authentication system. When a hacker obtains privileged-user credentials, the attacker can directly exploit high-value assets.

3. Executive Assets Monitoring

Monitoring activities on executive computing assets such as the CEO’s or CFO’s laptop helps in building asset and behavior models to identify unusual activities.

4. Compromised System/Host/Device Detection

It is very common for attackers to take control of systems, hosts or devices within an organizational network. The UBA platform helps monitor several vectors, including user accounts, servers, network devices, non-trusted communication sources, insecure protocols, and other signs of malicious behavior.

5. Insider Access Abuse

Detect when a user (privileged or not) is performing risky activities that are outside of their normal baseline.

6. Lateral Movement Detection

Behavioral analysis connects the dots between “unrelated” activities such as privilege escalation and suspicious security rights for a normal user account.

7. Data Exfiltration Detection

Data exfiltration happens when sensitive data is illicitly transferred outside an organization. UBA monitors for unusual amounts of network traffic over protocols that facilitate large data transfers, compared to the baseline of the user or machine transferring the data.

8. Account Lockouts

An account lockout disallows access to a user. This security feature aims to protect an account from anyone or anything trying to guess the username and password. The UBA use case helps to automate the risk assessment process and quickly notify on account risk.

9. Service Account Misuse

A service account is used instead of a normal user account to run specific application services. By employing its behavioral analytics capabilities, the UBA solution will automatically identify service accounts and notify on any abnormal behavior.

10. Security Alert Investigation

The UBA Dashboard and real-time alerts can dramatically improve the productivity of SOC analysts along with a modern security information and event management solution such as OBELUS. OBELUS uses machine-built timelines to offer a better interface for threat hunting, investigation and the Incident Response Plan.
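As an added example (not OBELUS code) of the baseline comparison behind use case 7, the following Python scores each user's outbound volume for a day against that user's own history using a median/MAD baseline, which needs no predefined pattern or rule. The daily byte totals, the user names, the deviation threshold, the minimum history length and the absolute-volume floor are all this example's own constructed values and assumptions.

```python
from statistics import median

# Constructed daily outbound byte totals per user (as would be summed from proxy or
# firewall logs). Users and numbers are made up for this example.
HISTORY = {
    "alice": [1.2e8, 1.0e8, 1.5e8, 9.0e7, 1.1e8, 1.3e8, 1.0e8, 1.4e8, 1.2e8, 1.1e8],
    "bob":   [5.0e6, 4.0e6, 6.0e6, 5.5e6, 4.5e6, 5.0e6, 6.5e6, 5.0e6, 4.8e6, 5.2e6],
    "carol": [2.0e7, 2.1e7],               # too little history to baseline yet
}
# Constructed totals for the day being scored; "dave" has never been seen before.
TODAY = {"alice": 1.6e8, "bob": 9.0e8, "carol": 5.0e9, "dave": 3.0e9}


def baseline(samples):
    """Robust per-entity baseline: median and median absolute deviation (MAD),
    so a single earlier spike does not inflate the baseline the way a mean would."""
    m = median(samples)
    mad = median(abs(x - m) for x in samples)
    return m, mad


def score_exfil(history, today, k=6.0, min_history=7, floor_bytes=1e8):
    """Return {user: finding} for users whose outbound volume today deviates from
    their own baseline by more than k MADs and exceeds an absolute floor. Users
    without enough history are reported as 'no_baseline' for manual review."""
    findings = {}
    for user, volume in today.items():
        samples = history.get(user, [])
        if len(samples) < min_history:
            findings[user] = {"status": "no_baseline", "volume": volume}
            continue
        m, mad = baseline(samples)
        scale = mad if mad > 0 else max(m * 0.1, 1.0)   # flat history: avoid divide-by-zero
        deviation = (volume - m) / scale
        # The floor keeps a user with a tiny baseline from alerting on a few megabytes.
        if deviation > k and volume >= floor_bytes:
            findings[user] = {"status": "anomalous", "deviation": round(deviation, 1),
                              "volume": volume, "baseline": m}
    return findings
```

Alice's 160 MB day is within her normal spread and is not reported, while Bob's 900 MB day is hundreds of MADs above his baseline; the new and low-history users are surfaced separately rather than silently scored against an empty baseline.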

Create Use Case for Successful User Logon Attempts:

1. Refer to Log On-boarding for shipping logs.


2. Go to Manage Data > Settings > New Events > Events > Right-click for New Event.

3. Go to New Events > Notable Events > Right-click for New Event.


4. If the notable correlation filter condition matches the event fields, then an alert will be triggered.

5. Go to Manage Widget > Click New Widget > Enter the Title and choose the Events, Rules, Alerts or Cases > Click Preview.

6. Drag and drop the required fields > Select the widget type > Click on Preview.


7. Click on the Submit button to save the widget.

8. Go to the Dashboards page > Right-click for New Dashboard > Click on the Edit icon > Click the Add icon to add the various widgets.

9. UBA Dashboard


For queries and support:

India: Hi-Tech City Main Road, Gachibowli, Hyderabad 500032

USA: 4 Beacon Way, Jersey City, New Jersey, USA 07304

Contact/Email: +91 8309506180 [email protected]