Advanced Threat Analytics
Modern security teams cannot rely only on log data to find potential attacks. We need more information than just which error was triggered, and internal logs will not provide that data for us. The Advanced Threat Analytics (ATA) feature in Log360 Cloud pulls data about malicious IPs, URLs, and domains that have an assigned reputation score and uses it to alert administrators whenever a suspicious IP tries to connect to your network.
To enable Advanced Threat Analytics, follow the steps below:
- Log in to the Log360 Cloud application with Admin permissions.
- Go to the Settings tab → Admin → Management → AdvancedThreatAnalytics.
- Log360 Cloud provides you with two options to choose from:
Default Threat Server
When enabled, Log360 Cloud correlates your logs with the information available in AlienVault OTX and triggers alerts if there is a match. This option only fetches data on blacklisted IPs.
Note: All Log360 Cloud customers get access to this basic Threat Intelligence feature.
Advanced Threat Analytics
This option allows Log360 Cloud to provide more context about the potential attack by correlating crucial data from the threat feed, such as the first and last time the indicator was detected, its reputation score, etc.
Note: This feature is available as an add-on for all Log360 Cloud customers. You can purchase the ATA add-on either from the Threat Configuration page or through the License page.
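As an added illustration (not Log360 Cloud's own code), the following Python script shows the difference between the two modes: a default mode that only matches a source IP against a blacklist, and an advanced mode that enriches the same match with reputation score, first/last-seen dates, and a derived severity. The feed indicators, log lines, and severity thresholds are constructed placeholders.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed threat feed (placeholder indicators from RFC 5737 test ranges,
# NOT real feed data). The default feed only knows the indicator; the
# advanced feed carries reputation score and first/last-seen context.
ADVANCED_FEED: Dict[str, dict] = {
    "203.0.113.45": {"score": 92, "first_seen": "2024-01-10", "last_seen": "2024-03-02"},
    "198.51.100.7": {"score": 30, "first_seen": "2023-11-20", "last_seen": "2023-12-01"},
}
DEFAULT_FEED = set(ADVANCED_FEED)  # blacklist only, no context

# Constructed firewall-style log lines (sample input, not real traffic)
SAMPLE_LOGS = [
    "2024-03-05T10:01:02 fw01 ACCEPT src=203.0.113.45 dst=10.0.0.5 dport=443",
    "2024-03-05T10:01:09 fw01 ACCEPT src=192.168.1.20 dst=10.0.0.5 dport=22",
    "2024-03-05T10:02:11 fw01 DROP src=198.51.100.7 dst=10.0.0.9 dport=3389",
]

SRC_RE = re.compile(r"\bsrc=(\S+)")


def severity(score: int) -> str:
    """Map a reputation score to an alert severity (thresholds are assumptions)."""
    if score >= 80:
        return "critical"
    if score >= 50:
        return "high"
    return "medium"


def extract_src(line: str) -> Optional[str]:
    """Pull the src= field from a log line and validate it as an IP address."""
    m = SRC_RE.search(line)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group(1)))
    except ValueError:
        return None


def correlate(logs: List[str], advanced: bool) -> List[dict]:
    """Return one alert per log line whose source IP appears in the threat feed."""
    alerts = []
    for line in logs:
        src = extract_src(line)
        if src is None or src not in DEFAULT_FEED:
            continue
        alert = {"src": src, "log": line}
        if advanced:  # enrich with feed context, as the ATA add-on does
            ctx = ADVANCED_FEED[src]
            alert.update(ctx)
            alert["severity"] = severity(ctx["score"])
        alerts.append(alert)
    return alerts
```

Running `correlate(SAMPLE_LOGS, advanced=True)` yields two enriched alerts; the private 192.168.1.20 line is not in the feed and produces none.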
Setting Alerts for External Threats
- From the Alerts tab, go to Manage Profiles → Add Alert Profile.
- When prompted to select an alert, choose Threat Analytics as the Alert Log Type, select the External Threat radio button, and click Save.
- Log360 Cloud will send an alert whenever a malicious IP tries to connect with your network.
- An alert profile named "External Threat" is created automatically when default threat or advanced threat analytics is enabled, or when the ATA add-on is purchased during a license upgrade.
- Enabling "Auto add new devices" will automatically activate the alert profile for all newly added devices.
Clicking the icon displays information on the source, the severity of the threat, geolocation, and so on.
Reporting malicious logs
- Navigate to the Reports tab and select Threats from the drop-down list box.
- From here you can view all the logs that are flagged as threats.
The ATA add-on lets you access more information about the log. Click the View button next to the respective log to open the Advanced Threat Analytics popup. This shows additional details such as the reputation score and geographical information, along with recommendations to prevent further damage.