    Log360 Cloud Threat Analytics

    Configuration

    1. Get the Access Key

      For users with a Log360 Cloud account

      For users who do not have a Log360 Cloud account.

      • Navigate to https://log360feeds.manageengine.com/
      • Create a Log360 Cloud account and sign in with your credentials.
      • You can find the Advanced Threat Analytics Feed Server access key on the page displayed.
      • Copy the Advanced Threat Analytics Feed Server access key.
    2. Add the Access Key in EventLog Analyzer and Configure
      • In EventLog Analyzer, navigate to Settings → Threat Management → Advanced Threat Analytics → Log360 Cloud Threat Analytics → Integrate.
      • Paste the Access Key in the Access Key box.
      • The scheduler will be enabled automatically. To change the frequency at which the feeds are populated, click the edit button next to Interval.

    Analysis

    Log360 Cloud Threat Analytics is available in the Incident Workbench. Learn how to invoke the Incident Workbench from the different dashboards of EventLog Analyzer.

    Select any IP, URL, or Domain to analyze in the Workbench. You can access the following data:

    • Info

      This section contains the Reputation Score of the Threat Source on a scale of 0-100.

      Note: The risk factor is inversely proportional to the Reputation Score.

      You can also view the Reputation Score Trend chart, the Status of the Threat Source (whether it is actively part of the threat list), its Category, the number of occurrences on the threat list, and when the source was released from the threat list.

    • Geo info

      The Geo Info contains location mapping details of the Threat Source such as city, state, region and the Whois information of the domain.

    • Related Indicators

      This section contains the risk profile of the indicators related to the selected IP, URL, or domain.

      Here are the related indicators:

      IP:

      • hosted_urls
      • asn
      • hosted_files
      • hosted_apps

      URL/ Domain:

      • virtuallyhosted
      • sub_domains
      • hosted_files
      • hosted_apps
      • hosting_ips
      • common_registrant

    Threat Evidences

    This section contains the evidence produced by the security vendor for the different attacks attempted from the threat source.