Modern security teams cannot rely on log data alone to find potential attacks. We need more information than just what error was triggered, and internal logs will not provide that data for us. The Advanced Threat Analytics (ATA) feature in Log360 Cloud pulls data about malicious IPs and domains that have an assigned reputation score, and uses it to alert administrators whenever a suspicious IP tries to connect to your network.
To enable Advanced Threat Analytics, follow the steps below:
When enabled, Log360 Cloud correlates the information available in AlienVault OTX and triggers alerts if there is a match. This option fetches data only on blacklisted IPs.
Overview
This option allows Log360 Cloud to provide more context about the potential attack by correlating crucial data from the threat feed, such as the first and last time the source was detected and its reputation score.
Default integration from the Log360 Cloud suite. This can be accessed once the add-on is purchased.
Third-party threat feed integration. This follows the Bring Your Own Key (BYOK) model. If you have bought VirusTotal access separately, you can use your API key to get the threat analytics information in Log360 Cloud.
The External Threat report contains the information on the source of the threat, severity, reputation score, and more.
The Log360 Cloud Threat Analytics is available in the Incident Workbench. Learn how to invoke the Incident Workbench from different dashboards of Log360 Cloud.
Select any IP or Domain to analyze in the Workbench. You can access the following data:
This section contains the Reputation Score of the Threat Source on a scale of 0-100.
You can also view the Reputation Score Trend chart, the Status of the Threat Source (whether it is actively part of the threat list), its Category, the number of occurrences on the threat list, and when the source was released from the threat list.
The Geo Info contains location details of the Threat Source, such as city, state, and region, and the Whois information of the domain.
This section contains the risk profile of the related indicators of IPs and Domains.
Here are the related indicators:
IP:
Domain:
This section contains evidence recorded by the security vendor for different attacks attempted from the threat source.
Once you have purchased the Advanced Threat Analytics add-on and applied the license, head to the Advanced Threat Analytics page.
Paste the API key and click on Connect to finish configuring VirusTotal.
In Log360 Cloud, users can access the data from VirusTotal through the Incident Workbench. Learn how to invoke the Incident Workbench from different dashboards of Log360 Cloud.
Select any IP or Domain to analyze in the Workbench. You can access the following data:
This section contains the Detection Score of the Threat Source, which is the number of security vendors that have flagged the source as risky out of all the security vendors. Along with this, the basic details and the geo info of the Threat Source are also available.
This section contains the individual analysis of all the security vendors.
Click on the search icon in the top left corner to filter based on Security Vendor, Analysis Category, and Analysis Result.
Here are the Analysis Categories:
This section contains the Whois information of the threat source domain.
This section contains details of the SSL certificate issued to the Threat Source and who issued it.
This section maps the relationship of the files to the IP address in the following ways:
This section lists the past and current IP resolutions for a particular domain.