Every day, Alert Logic® Machine Learning Log Review analyzes several logs that focus on compliance and security. This article defines the events and activities analyzed in the Log Review service and describes how anomalies are detected.
Note: For details on Log Review anomalies and alerts detected in your environment, schedule the Monthly Log Review Details report in the Alert Logic console under Validate > Reports > Threats > Log Review Analysis > Monthly Log Review Details > Schedule This Report.
Log Anomalies
The Machine Learning Log Review process detects anomalies based on user-level and host-level trends. These trends come from machine learning models computed over a history of the customer's log message patterns and data, so the anomalies detected are tailored to an individual customer's log patterns and trends. Anomalies are detected based on unusual counts of certain events, unique users accessing a host, unusual or suspicious usernames, and suspicious commands. All daily anomaly observations from customer logs are rolled up into a summary informational incident. Incident evidence lets customers drill down into further details of interest about the anomalous users and hosts.
Machine Learning log anomaly detection incorporates automation of all anomaly-based detection for Windows, UNIX/Linux, AWS, Azure, Network, and database logs and rule-based detection for Windows and UNIX/Linux logs. Examples of log data that Alert Logic reviews include:
- Windows: Failed logins, changes to privileges, changes to accounts, Active Directory global catalog changes, and others
- UNIX/Linux: Sudo access, SSH failed logins, switched user common success/fails, and others
- AWS: MFA, security group changes, IAM, EC2, S3 changes, user account and access changes, network control changes, and others
- Azure: Backup, user file access, user login activity, user network security events, OAuth2 grant activity, object access, user role modification activity, service principal activity, user group modification, and others
Log Alerts
Alert Logic generates log alerts based on pattern matching and rule-based detection for unusual behavior. These include the following behavior patterns:
- Active Directory Global Catalog Changes
- AWS Root Role Policy Changes
- AWS Network Access Control List Changes
- AWS Root Console Login Without MFA
- AWS Root Internet Gateway Changes
- AWS Root Network Access Control List Changes
- AWS Internet Gateway Changes
- AWS Security Group Changes
- Database Failed Logins
- Excessive Windows Account Lockouts
- Windows Account Changes
- Excessive Windows Failed Logins
- Network Device Failed Logins
- Unix Account Changes
- Unix Failed Logins
- Unix SSH Failed Logins
- Unix Sudo Access
- Unix Switch User Command Success
- Windows Account Changes
- Windows Group Changes
- Windows Remote Failed Logins
Host-Level Log Anomalies
Host-level anomalies roll up the anomalies identified for a particular host. The different types of anomaly findings are listed under each host-level anomaly: observations associated with a high message count, an unusual location, or other detection techniques.
User-Level Log Anomalies
User-level anomalies roll up the anomalies identified for a particular user. The different types of anomaly findings are listed under each user-level anomaly: observations associated with a high message count, an unusual location, or other detection techniques. User-based anomaly detection summarizes log messages about activities by both privileged and non-privileged users. A high log message count for a given user, compared with the baseline for that user, can indicate scanning or brute-force attacks against that user account. An unusually named user is one that does not follow the naming convention normally used by the customer and can indicate a rogue user account created by an attacker.
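The two user-level checks described above, a per-user count compared against that user's own baseline and a username that breaks the customer's naming convention, as an added example (not Alert Logic's code): the history, the SSH auth lines, and the naming convention regex are all constructed assumptions.

```python
import re
import statistics
from collections import Counter

# Constructed baseline: daily log-message counts per user over the prior week.
HISTORY = {
    "jsmith": [40, 45, 38, 50, 42, 47, 44],
    "svc-backup": [300, 310, 295, 305, 299, 302, 298],
    "aparker": [12, 15, 10, 14, 11, 13, 12],
}

# Constructed syslog-style SSH auth lines for the day under review.
FAILED = "sshd[1201]: Failed password for {user} from 10.0.0.5 port 40122 ssh2"
ACCEPTED = "sshd[1202]: Accepted password for {user} from 10.0.0.9 port 51000 ssh2"
TODAY_LOGS = (
    [FAILED.format(user="jsmith")] * 400                 # burst against one account
    + [ACCEPTED.format(user="svc-backup")] * 300         # normal service volume
    + [ACCEPTED.format(user="aparker")] * 13             # normal user volume
    + [FAILED.format(user="invalid user x9$root")] * 3   # unknown, oddly named account
)

# Assumed customer naming convention: optional "svc-" prefix, letters, up to 3 digits.
NAMING_RE = re.compile(r"^(svc-)?[a-z]{2,12}\d{0,3}$")


def count_users(lines):
    """Count log messages per username extracted from the auth lines."""
    users = Counter()
    for line in lines:
        m = re.search(r"for (?:invalid user )?(\S+) from", line)
        if m:
            users[m.group(1)] += 1
    return users


def detect_user_anomalies(history, today_counts, z_threshold=3.0):
    """Flag users far above their own baseline, users with no baseline at all,
    and usernames outside the naming convention. Returns (user, kind, count)."""
    findings = []
    for user, count in today_counts.items():
        if not NAMING_RE.match(user):
            findings.append((user, "unusual_username", count))
        baseline = history.get(user)
        if baseline is None:
            findings.append((user, "new_user", count))
            continue
        mean = statistics.mean(baseline)
        stdev = statistics.pstdev(baseline) or 1.0   # avoid division by zero on flat history
        if (count - mean) / stdev > z_threshold:
            findings.append((user, "high_message_count", count))
    return findings
```

A burst of 400 failures against jsmith is roughly 90 standard deviations above that user's baseline, while svc-backup's 300 messages are normal for that account; the same count would mean opposite things for the two users, which is why the baseline is per user.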
Inactive Reports
The following reports have been replaced by anomaly findings in Machine Learning Log Review Summary incidents. Before March 2021, Alert Logic analysts reviewed the pre-defined reports listed below daily and escalated to customers when anomalies were detected.
Windows Server - 2012, 2012 R2, 2008, 2008 R2, 2003
Excessive Windows Account Lockouts
This report is generated when a threshold of two log messages has been exceeded. The messages indicate that Windows user accounts have been locked out.
Excessive Windows Failed Logins
This report is generated to identify and display excessive Windows login failure log messages received from all monitored hosts with a threshold greater than five messages.
Windows Remote Failed Logins
This report is generated when log messages indicate that accounts have failed to log in to SSH, IIS, and FTP.
Windows Account Changes
This report is generated when log messages indicate that user and Active Directory computer accounts have been created, changed, enabled, or deleted.
Windows Group Changes
This report is generated when log messages indicate that a user group has been created, changed, or deleted or when users have been added or removed from groups.
Suspicious Service Installed
This report is generated when Windows PowerShell is called with encoded command flags to obfuscate activity.
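The three rule-based Windows reports above (lockouts past a threshold of two, failed logins past a threshold of five, and PowerShell called with an encoded-command flag) as an added example, not Alert Logic's rule engine. The events are constructed; the event IDs are the standard Windows Security log values and the encoded payload is a harmless base64 UTF-16LE "Get-Date".

```python
import base64
import binascii

# Constructed Windows Security events reduced to the fields the rules need.
# Event IDs are the standard ones (4625 failed logon, 4740 account lockout,
# 4688 process creation); hosts, accounts and the command line are made up.
EVENTS = (
    [{"EventID": 4625, "Host": "WS01", "Account": "jsmith"} for _ in range(7)]
    + [{"EventID": 4740, "Host": "DC01", "Account": a} for a in ("jsmith", "aparker", "bchen")]
    + [{"EventID": 4688, "Host": "WS02", "Account": "aparker",
        "CommandLine": "powershell.exe -NoP -w hidden -enc RwBlAHQALQBEAGEAdABlAA=="}]
)

LOCKOUT_THRESHOLD = 2       # report fires once more than two lockout messages are seen
FAILED_LOGIN_THRESHOLD = 5  # report fires once more than five failed-login messages are seen


def encoded_command(cmdline):
    """Return the decoded script if the command line passes PowerShell an
    -EncodedCommand (PowerShell accepts any unambiguous prefix: -e, -ec, -enc,
    ...), otherwise None. Encoded scripts are base64 of UTF-16LE text."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower()
        if flag.startswith("-") and len(flag) > 1 and "encodedcommand".startswith(flag[1:]):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return "<undecodable>"   # still worth a finding: flag present, payload unreadable
    return None


def evaluate_rules(events):
    """Apply the three Windows rules to a batch of events; returns (report, detail) pairs."""
    lockouts = sum(1 for e in events if e["EventID"] == 4740)
    failed = sum(1 for e in events if e["EventID"] == 4625)
    findings = []
    if lockouts > LOCKOUT_THRESHOLD:
        findings.append(("Excessive Windows Account Lockouts", lockouts))
    if failed > FAILED_LOGIN_THRESHOLD:
        findings.append(("Excessive Windows Failed Logins", failed))
    for e in events:
        cmd = e.get("CommandLine", "")
        if e["EventID"] == 4688 and "powershell" in cmd.lower():
            decoded = encoded_command(cmd)
            if decoded is not None:
                findings.append(("Suspicious Service Installed", decoded))
    return findings
```

Decoding the payload in the finding itself saves the analyst a round trip: the report shows what was run, not just that something was obfuscated.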
UNIX/Linux
Failed UNIX Switch User Command
This report provides details of all recorded failed uses of the UNIX switch user (su) command.
UNIX Failed Logins
This report is generated when log messages indicate that local and FTP accounts have failed to log in.
UNIX Account Changes
This report is generated when log messages indicate that a UNIX account was created or changed or when a UNIX group has been created.
UNIX SSH Failed Logins
This report is generated to identify and display UNIX SSH login failure log messages received from all monitored hosts.
UNIX Sudo Access
This report is generated when a user has executed the UNIX sudo command.
UNIX Switch User Command Success
This report is generated when log messages indicate that a user has successfully executed the UNIX switch user (su) command.
Microsoft Active Directory
Active Directory Global Catalog Change
The Microsoft Active Directory (AD) Global Catalog provides searchable information about every object controlled within your AD forest. Additionally, it provides the ability to search across multiple different domains without being required to access the AD for each domain directly. This report details all changes to the AD Global Catalog that are recorded as log messages.
Active Directory Global Catalog Demotion
This report provides log message details each time a domain controller in your AD forest has been demoted and can no longer serve the global catalog.
Oracle and SQL Databases
Database Failed Logins
This report is generated to identify and display database login failure log messages received from all monitored hosts.
Network Devices
Network Device Failed Logins
This report is generated to identify and display network device login failure log messages received from all monitored hosts.
Network Device Policy Change
This report is generated when a policy is added, changed, or removed on network devices.
Amazon Web Services CloudTrail
Amazon S3 Bucket Activity
This report monitors for CloudTrail logs indicating that an Amazon S3 API call has been made to PUT or DELETE bucket policies, bucket life cycles, bucket replications, or to PUT a bucket Access Control List (ACL).
Security Group Configuration Changes
This report monitors CloudTrail logs pertaining to configuration changes of EC2 Security Groups.
Network ACL Changes
This report monitors for CloudTrail logs indicating changes to Network ACLs.
Network Gateway Changes
This report monitors for CloudTrail logs related to changes to Network Gateways.
Amazon VPC Cloud Changes
This report monitors for CloudTrail logs related to Virtual Private Cloud (VPC) creation, definition, relationships, and deletion.
EC2 Large Instance Changes
This report monitors for CloudTrail logs related to running instances of EC2 resources, focusing on unusual activity to larger instances.
CloudTrail Changes
This report monitors for changes in an account’s CloudTrail logging capabilities.
IAM Management Policy Changes
This report monitors for changes to Identity and Access Management (IAM) user, role, and group policies.
Console Login Without Multi-Factor Authentication
This report monitors console login activity. Analysts focus on failed logins and on successful logins without multi-factor authentication (MFA).
AWS User Access Modified
This report monitors for changes related to access keys and signing certificates for users.
AWS User Account Modified
This report monitors for user changes.
AWS User Group Modified
This report monitors for changes related to security groups and their user associations.
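How the CloudTrail-based alerts above can be matched from the raw records (root console login without MFA, security group, network ACL, internet gateway and CloudTrail logging changes), as an added example rather than Alert Logic's detection content. The field names and API event names are CloudTrail's; the account ID, users and records are constructed, and the event-name lists are an assumption about which API calls each alert should cover.

```python
import json

# Constructed CloudTrail log: field names are CloudTrail's, the account, users and
# events are made up for this example.
ROOT = "arn:aws:iam::111122223333:root"
USER_A = "arn:aws:iam::111122223333:user/aparker"
USER_J = "arn:aws:iam::111122223333:user/jsmith"
CLOUDTRAIL_SAMPLE = json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root", "arn": ROOT},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "arn": USER_A},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"type": "IAMUser", "arn": USER_J}},
    {"eventName": "CreateNetworkAclEntry", "userIdentity": {"type": "Root", "arn": ROOT}},
    {"eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "arn": USER_J}},
    {"eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "arn": USER_J}},
]})

# Alert name (as listed on this page) -> CloudTrail eventName values assumed to trigger it.
RULES = {
    "AWS Security Group Changes": {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
        "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress", "CreateSecurityGroup", "DeleteSecurityGroup"},
    "AWS Network Access Control List Changes": {"CreateNetworkAcl", "DeleteNetworkAcl", "CreateNetworkAclEntry",
        "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation"},
    "AWS Internet Gateway Changes": {"CreateInternetGateway", "DeleteInternetGateway",
        "AttachInternetGateway", "DetachInternetGateway"},
    "CloudTrail Changes": {"StopLogging", "DeleteTrail", "UpdateTrail"},
}


def classify(record):
    """Return the alert names a single CloudTrail record triggers (possibly several)."""
    name = record.get("eventName")
    is_root = record.get("userIdentity", {}).get("type") == "Root"
    alerts = []
    if name == "ConsoleLogin" and record.get("responseElements", {}).get("ConsoleLogin") == "Success":
        if record.get("additionalEventData", {}).get("MFAUsed") != "Yes":   # absent counts as no MFA
            alerts.append("AWS Root Console Login Without MFA" if is_root else "Console Login Without MFA")
    for alert, names in RULES.items():
        if name in names:
            alerts.append(alert)
            if is_root:  # root activity additionally raises the "AWS Root ..." variant
                alerts.append("AWS Root " + (alert[4:] if alert.startswith("AWS ") else alert))
    return alerts


def scan(cloudtrail_json):
    """Run every record through the rules; returns (alert name, actor ARN) pairs."""
    return [(a, r["userIdentity"]["arn"])
            for r in json.loads(cloudtrail_json)["Records"] for a in classify(r)]
```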
Compliance Overview
Log Review directly or indirectly addresses requirements for multiple regulations and industry security standards. The following list identifies how Log Review maps to the specific requirements, rules, or guidelines in some of the most popular standards. Details for each requirement or mandate are available from the respective regulatory or standards bodies.
Log Review Compliance Matrix
| Requirement | SOX 404 (COBIT 5) | HIPAA Subpart C | PCI DSS | ISO 27001/27002 |
| --- | --- | --- | --- | --- |
| Must provide a policy for Log Review | DSS05.05 | 164.308(a)(1)(i) | 10.6 | 5.1.1, 6.1.1 |
| Must provide a defined process for Log Review | DSS05.02, DSS05.05 | 164.308(a)(1)(ii)(D) | 10.2, 10.3, 10.6 | 12.4.1 |
| Must review logs within a specified time period | DSS05.02 | 164.308(a)(1)(ii)(D) | 10.6.1 | 12.4.1, 12.4.3 |
| Review access events | DSS05.07 | 164.308(a)(5)(ii)(C), 164.308(a)(6)(1) | 10.2.2, 10.2.4 | 9.4.2, 9.4.4, 12.4.1, 12.4.3 |
| Review change events | DSS05.04 | 164.312(b) | 10.2.2, 10.2.5, 10.2.7 | 9.2.1, 9.2.2, 9.2.3, 12.4.1, 12.4.3 |
| Maintain logs and audit trail for extended durations | | 164.316(b)(2)(i) | 10.7 | 12.4, 16.1.7 |
Additional Standards Mappings
Mappings to the following specific requirements of other security standards are available upon request by opening a ticket with Alert Logic Support:
- AICPA SOC2 Trust Services Criteria (TSP Section 100)
- Control Objectives for Information and Related Technology (COBIT)
- Family Educational Rights and Privacy Act (FERPA)
- Federal Financial Institutions Examination Council (FFIEC)
- Financial Industry Regulatory Authority (FINRA)
- National Institute of Standards and Technology (NIST)