Help Document

Advanced Threat Analytics

Modern security teams cannot rely on log data alone to find potential attacks. They need more information than which error was triggered, and internal logs will not provide that context. The Advanced Threat Analytics (ATA) feature in Log360 Cloud pulls data about malicious IPs and domains that carry an assigned reputation score, and uses it to alert administrators whenever a suspicious IP tries to connect to your network.

To enable Advanced Threat Analytics, follow the steps below:

  1. Log in to the Log360 Cloud application with Admin permissions.
  2. Go to Settings → Admin → Management → Threat Management → Advanced Threat Analytics.
  3. Log360 Cloud provides you with two options to choose from:


Default Threat Server

When enabled, Log360 Cloud correlates the information available in AlienVault OTX to trigger alerts if there's a match. This option only fetches data on the blacklisted IPs.

Note: All Log360 Cloud customers get access to this basic Threat Intelligence feature.

Advanced Threat Analytics

Overview

This option allows Log360 Cloud to provide more context about the potential attack by correlating crucial data from the threat feed, such as the first and last time the source was detected, its reputation score, and so on.

Note: This feature is available as an add-on for all Log360 Cloud customers. You can purchase the ATA add-on either from the Threat Configuration page or through the License page.


  1. Log360 Cloud supports the following vendors for the Advanced Threat Analytics data:
    • Log360 Cloud Threat Analytics

      Default integration from the Log360 Cloud suite. This can be accessed once the add-on is purchased.

    • VirusTotal

      Third-party threat feed integration. This follows the Bring Your Own Key (BYOK) model. If you have bought VirusTotal access separately, you can use your API key to get the threat analytics information in Log360 Cloud.

  2. Access
    • Investigation: The Threat Analytics information can be accessed through the External Threat report and the Incident Workbench for investigations.
    • Detection: The Default Threat alert criteria detect interaction with external threat sources. Once the Advanced Threat Analytics add-on is applied, the alerts are fine-tuned to reduce false positives.

External Threat report

Navigation: Log360 Cloud home > Reports > Select Threats from the drop-down in the top left corner > Threat Analytics > External Threat

The External Threat report contains the information on the source of the threat, severity, reputation score, and more.

  • View reports of Top Attacked Hosts and Threats by Category for the selected period.
  • Click on IPs in the Threat Source column and select Go To Incident Workbench to get contextual risk data from the integrated threat feeds.

Setting Alerts for External Threats

  1. From the Alerts tab, go to Manage Profiles → Add Alert Profile.
  2. When prompted to select an alert, choose Threat Analytics as the Alert Log Type, select the External Threat radio button, and click Save.
  3. Log360 Cloud will send an alert whenever a malicious IP tries to connect to your network.
Note:
  • An alert profile with the name "External Threat" is created automatically when default threat or advanced threat analytics is enabled, or when the ATA add-on is purchased during a license upgrade.
  • Enabling "Auto add new devices" will automatically activate the alert profile for all newly added devices.
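To make the difference between the two modes concrete, here is an added illustration (not Log360 Cloud's own code) of the correlation an External Threat alert performs: connection log lines are matched against a threat feed, and the ATA-style context (reputation score, category, first/last seen) is attached so that low-risk hits can be filtered out. The feed field names, the log format and all IPs are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed threat-feed entries. The field names are assumptions, not the
# real Log360 Cloud schema. Reputation score is 0-100 and, as the help text
# states, risk is inversely proportional to it.
THREAT_FEED = {
    "203.0.113.5":  {"score": 5,  "category": "C2",
                     "first_seen": "2024-03-02", "last_seen": "2024-05-01"},
    "198.51.100.7": {"score": 60, "category": "Scanner",
                     "first_seen": "2023-11-20", "last_seen": "2024-01-15"},
}

# Constructed firewall log lines (syslog key=value style) to correlate.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z fw01 src=203.0.113.5 dst=10.0.0.4 dport=443 action=allow
2024-05-01T10:00:02Z fw01 src=192.0.2.10 dst=10.0.0.4 dport=22 action=deny
2024-05-01T10:00:03Z fw01 src=198.51.100.7 dst=10.0.0.9 dport=3389 action=deny
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$")

@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    risk: int          # 100 - reputation score
    category: str
    first_seen: str
    last_seen: str

def correlate(log_text: str, feed: dict, min_risk: int = 0) -> list[Alert]:
    """Return one Alert per log line whose source IP appears in the feed.
    min_risk=0 behaves like the basic blacklist match (every hit alerts);
    a higher threshold uses the reputation context to drop low-risk hits."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of failing
        entry = feed.get(m["src"])
        if entry is None:
            continue
        risk = 100 - entry["score"]
        if risk < min_risk:
            continue
        alerts.append(Alert(m["ts"], m["src"], m["dst"], risk, entry["category"],
                            entry["first_seen"], entry["last_seen"]))
    return sorted(alerts, key=lambda a: a.risk, reverse=True)
```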


Log360 Cloud Threat Analytics

Note: Once you purchase the Advanced Threat Analytics add-on, the Log360 Cloud Threat Analytics will be enabled by default.


Analysis

The Log360 Cloud Threat Analytics is available in the Incident Workbench. Learn how to invoke the Incident Workbench from different dashboards of Log360 Cloud.


Select any IP or Domain to analyze in the Workbench. You can access the following data:

  • Info

    This section contains the Reputation Score of the Threat Source on a scale of 0-100.

    Note: The risk factor is inversely proportional to the Reputation Score.

    You can also view the Reputation Score Trend chart, the Status of the Threat Source (whether it is actively part of the threat list), Category, Number of occurrences on the threat list, and when the source was released from the threat list.

  • Geo Info

    The Geo Info contains location details of the Threat Source such as city, state, and region, and the Whois information of the domain.

  • Related Indicators

    This section contains the risk profile of the related indicators of IPs and Domains.

    Here are the related indicators:

    IP:

    • ASN
    • Hosted files
    • Hosted apps

    Domain:

    • Virtually hosted
    • Subdomains
    • Hosted files
    • Hosted apps
    • Hosted IPs
    • Common registrant

Threat Evidences

This section contains the evidence recorded by the security vendor for the different attacks attempted from the threat source.


VirusTotal

Note: VirusTotal is one of the largest live threat feeds; it consolidates risk scores of IPs, Domains, and files from a wide range of security vendors. This integration in Log360 Cloud follows the Bring Your Own Key (BYOK) model. If you have bought VirusTotal access separately, you can use your API key to analyze threat sources in Log360 Cloud.

Configuration

To get the VirusTotal API key:

  1. Visit https://www.virustotal.com and sign up for a VirusTotal account.
  2. Sign in to VirusTotal and go to your Username → Settings → API Key to find your API key.
  3. Use the API Key provided by VirusTotal for integrating with Log360 Cloud.

Once you have purchased the Advanced Threat Analytics add-on and applied the license, head to the Advanced Threat Analytics page.

Navigation: Settings → Admin → Management → Threat Management → Advanced Threat Analytics → VirusTotal → Integrate

Paste the API key and click on Connect to finish configuring VirusTotal.


Analysis

In Log360 Cloud, users can access the data from VirusTotal through the Incident Workbench. Learn how to invoke the Incident Workbench from different dashboards of Log360 Cloud.


Select any IP or Domain to analyze in the Workbench. You can access the following data:

  • VirusTotal Info

    This section contains the Detection Score of the Threat Source, which is the number of security vendors that have flagged the source as risky out of all the security vendors. Along with this, the basic details and the geo info of the Threat Source are also available.

  • Security Vendor Analysis

    This section contains the individual analysis of all the security vendors.

    Click on the search icon in the top left corner to filter based on Security Vendor, Analysis Category, and Analysis Result.

    Here are the Analysis Categories:

    • Malicious
    • Suspicious
    • Harmless
    • Undetected
    • Timeout

  • Whois Info

    This section contains the Whois information of the threat source domain.

  • SSL Certificate

    This section contains details of the SSL certificate issued to the Threat Source and who issued it.

  • Related files

    This section maps the relationship of the files to the IP address in the following ways:

    • Files communicating with the IP address
    • Files downloaded from the IP address
    • Files containing the IP address

  • Resolutions

    This section lists the past and current IP resolutions for a particular domain.