Detecting and alerting user login events after office hours

This is one of the most common alerts and is easily done with Energy Logserver. Moreover, such an alert is already predefined and included in the installation package by default. For Windows users we detect night logons.

In our previous deployments the same rule has been applied to Linux users and to users of dedicated services that are not tied to a specific operating system.

Such a rule configuration can hardly be simpler:

In addition, a calendar option can be added to any alert, so that the alert is triggered according to a schedule written in crontab format, for example:

calendar:
  schedule: "* 0-8,16-23 * * mon-fri"
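The schedule above reads: any minute, hours 0-8 and 16-23, any day of month, any month, Monday to Friday. As an added example (not code from the page or from Energy Logserver; the rule engine's own evaluation is not shown here), the following Python parses that five-field crontab schedule and uses it to pick out logon events that fall inside the after-hours window. The sample logon events are constructed, and the assumption that the schedule and the event timestamps are in the same local time zone is mine.

```python
from datetime import datetime

# The page's calendar schedule: minute hour day-of-month month day-of-week.
AFTER_HOURS_SCHEDULE = "* 0-8,16-23 * * mon-fri"

# Day names in crontab numbering (0 = Sunday ... 6 = Saturday, 7 is also Sunday).
DOW_NAMES = {"sun": 0, "mon": 1, "tue": 2, "wed": 3, "thu": 4, "fri": 5, "sat": 6}


def _to_int(token, names):
    token = token.strip().lower()
    return names[token] if names and token in names else int(token)


def _parse_field(field, lo, hi, names=None):
    """Expand one crontab field ('*', '5', '0-8', '0-8,16-23', 'mon-fri') into a set of ints."""
    if field == "*":
        return set(range(lo, hi + 1))
    values = set()
    for part in field.split(","):
        start, _, end = part.partition("-")
        first = _to_int(start, names)
        last = _to_int(end, names) if end else first
        if not lo <= first <= last <= hi:
            raise ValueError(f"crontab field {field!r} is outside {lo}-{hi}")
        values.update(range(first, last + 1))
    return values


def parse_schedule(schedule):
    """Parse a five-field crontab schedule into the set of matching values per field.
    Day-of-week is converted from crontab numbering to Python's weekday() (Monday = 0)."""
    minute, hour, dom, month, dow = schedule.split()
    return {
        "minute": _parse_field(minute, 0, 59),
        "hour": _parse_field(hour, 0, 23),
        "dom": _parse_field(dom, 1, 31),
        "month": _parse_field(month, 1, 12),
        "dow": {(d + 6) % 7 for d in _parse_field(dow, 0, 7, DOW_NAMES)},
    }


def in_schedule(ts, schedule):
    """True when the timestamp falls inside the schedule, i.e. the alert is active."""
    s = parse_schedule(schedule)
    return (ts.minute in s["minute"] and ts.hour in s["hour"] and ts.day in s["dom"]
            and ts.month in s["month"] and ts.weekday() in s["dow"])


# Constructed sample logon events (user, local logon time); made-up values, not real data.
SAMPLE_LOGONS = [
    ("alice", datetime(2024, 3, 12, 9, 15)),   # Tuesday 09:15, office hours
    ("bob", datetime(2024, 3, 12, 23, 40)),    # Tuesday 23:40, after hours
    ("carol", datetime(2024, 3, 16, 11, 5)),   # Saturday 11:05, weekend: outside mon-fri
    ("dave", datetime(2024, 3, 13, 7, 59)),    # Wednesday 07:59, after hours
]


def after_hours_logons(events, schedule=AFTER_HOURS_SCHEDULE):
    """Return the users whose logon time falls inside the after-hours calendar."""
    return [user for user, ts in events if in_schedule(ts, schedule)]


if __name__ == "__main__":
    print(after_hours_logons(SAMPLE_LOGONS))  # ['bob', 'dave']
```

Two things worth checking when deploying the page's schedule: the day-of-week field `mon-fri` means a weekend logon such as carol's above is outside the calendar and produces no alert, so weekend coverage needs a second rule (for example `* * * * sat,sun`); and events stored with UTC timestamps must be converted to the local time the schedule is written in, otherwise the 0-8/16-23 hour window is shifted by the UTC offset.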

 

Detecting and alerting abnormal network traffic patterns

For monitoring anomalies in traffic we use multiple approaches. Energy Logserver can be supported by a dedicated network probe equipped with a Netflow analyzing module, which detects anomalies by default. Such a probe receives netflow from a selected SPAN port and can also be deployed as a virtual appliance.

Beyond that, we often return to our alerting module, where we choose the appropriate approach.

For some customers we use the metric aggregation alert type, where we set a threshold for the volume of sent/received data.

Energy Logserver also ships with a set of predefined alerts, among them Netflow - DNS traffic abnormal, of type Spike. This rule compares the current timeframe with the previous one and calculates the difference between them; in this way a sudden spike of the chosen pattern is detected.

Another approach is to monitor new, previously unseen values in a selected field (such as a new URL address in our logs) per user, source or other parameter.
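The two detection ideas just described, the Spike comparison of a timeframe against the previous one and the watch for new, unseen values per source, are shown below in Python as an added example. This is not code from the page or from Energy Logserver's alerting module; the DNS query records are constructed, and the `spike_height` and `threshold_cur` parameters are my names for the ratio and the minimum current count that make the spike rule fire.

```python
from collections import Counter, defaultdict

# Constructed DNS query log: (timeframe index, source host, queried name).
# Made-up sample values, not traffic from any real probe.
SAMPLE_DNS = (
    [(0, "host-a", "intranet.example.local")] * 10
    + [(0, "host-b", "mail.example.local")] * 8
    + [(1, "host-a", "intranet.example.local")] * 9
    + [(1, "host-b", "mail.example.local")] * 11
    + [(2, "host-a", "intranet.example.local")] * 12
    + [(2, "host-b", "mail.example.local")] * 10
    + [(3, "host-a", "intranet.example.local")] * 8
    + [(3, "host-c", "updates.example.local")] * 70   # sudden burst from a host not seen before
    + [(3, "host-c", "cdn.example.local")] * 5
)


def queries_per_timeframe(records):
    """Count queries in each timeframe, returned as a list indexed by timeframe."""
    counts = Counter(frame for frame, _, _ in records)
    return [counts[frame] for frame in range(max(counts) + 1)]


def spike_alerts(counts, spike_height=3.0, threshold_cur=30):
    """Spike-type rule: flag a timeframe whose count is at least spike_height times
    the previous timeframe, provided the current count is above threshold_cur
    (so a tiny baseline such as 1 -> 4 queries does not alert on noise)."""
    alerts = []
    for i in range(1, len(counts)):
        prev, cur = counts[i - 1], counts[i]
        if cur >= threshold_cur and cur >= spike_height * max(prev, 1):
            alerts.append({"timeframe": i, "previous": prev, "current": cur})
    return alerts


def new_term_alerts(records, learning_frames=2):
    """New-value rule keyed per source: learn the (source, name) pairs seen during the
    first learning_frames timeframes, then report each name a source has not used
    before. Every new value is reported once."""
    seen = defaultdict(set)
    for frame, src, name in records:
        if frame < learning_frames:
            seen[src].add(name)
    alerts = []
    for frame, src, name in records:
        if frame >= learning_frames and name not in seen[src]:
            seen[src].add(name)
            alerts.append({"timeframe": frame, "source": src, "new_value": name})
    return alerts


if __name__ == "__main__":
    counts = queries_per_timeframe(SAMPLE_DNS)
    print(counts)                       # [18, 20, 22, 83]
    print(spike_alerts(counts))         # timeframe 3: 83 vs 22
    print(new_term_alerts(SAMPLE_DNS))  # host-c's two never-seen names
```

The `threshold_cur` floor is the detail a practitioner most often forgets: a ratio-only spike rule fires constantly on low-volume sources, so the current count should also have to clear an absolute minimum. The new-value rule needs a learning period before it is armed; without one, every value is "new" on the first run.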

 

Energy Logserver can also combine multiple alerts into one correlated alert, joined by field and condition, using the Chain or Logical alert types.

Detecting and alerting DDoS attacks in Energy Logserver

A DDoS attack can be detected with Energy Logserver in a few ways, all of which we have applied in previous deployments with multiple customers. In every scenario we want to receive a notification or take a specific action when the detection fires, which is why we use alerting. We can either integrate with firewall software that is capable of detecting such an attack, or we can build the detection independently.

In one approach the alert type for this use case is frequency. We look for an indicator of a connection and count it by source IP. If there are more than 100 connections from a single IP in 5 minutes, the alert is triggered.

The same kind of alert can be created per website with a defined threshold of maximum visits.

 

Another option is to create both of those alerts without notification and correlate them with the Logical alert type.
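The following Python is an added example covering the three steps of this section and the Logical correlation mentioned earlier: the frequency rule of more than 100 connections from one source IP in 5 minutes, the per-website variant with its own maximum-visits threshold, and a Logical (AND) correlation that reports only when both silent alerts fired for the same IP and website. It is not code from the page or from Energy Logserver; the web-access records are constructed, the sliding-window evaluation is my reading of a frequency rule, and the per-site threshold of 120 visits is an assumed value.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _burst(start, ip, site, n, spacing_s):
    """Constructed helper: n hits from ip to site, spacing_s seconds apart."""
    return [(start + timedelta(seconds=i * spacing_s), ip, site) for i in range(n)]


# Constructed web-access records (timestamp, source IP, website); sample values only,
# using documentation address ranges rather than any real client.
T0 = datetime(2024, 3, 12, 10, 0, 0)
SAMPLE_HITS = sorted(
    _burst(T0, "203.0.113.7", "shop.example", 150, 1)     # 150 hits in 2.5 min: over 100 in 5 min
    + _burst(T0, "198.51.100.4", "shop.example", 40, 6)   # 40 hits in 4 min: under the per-IP limit
    + _burst(T0, "192.0.2.9", "blog.example", 30, 10),    # 30 hits spread over 5 min
    key=lambda r: r[0],
)


def frequency_alerts(hits, key_index, num_events, timeframe=timedelta(minutes=5)):
    """Frequency-type rule: alert once per key when more than num_events records sharing
    that key (column key_index of each record) fall inside a sliding window of length
    timeframe. Records must be sorted by timestamp."""
    windows = defaultdict(deque)
    alerts = {}
    for record in hits:
        ts, key = record[0], record[key_index]
        q = windows[key]
        q.append(ts)
        while ts - q[0] > timeframe:       # drop hits that aged out of the window
            q.popleft()
        if len(q) > num_events and key not in alerts:
            alerts[key] = {"time": ts, "count": len(q)}
    return alerts


def ddos_by_source_ip(hits):
    """The page's rule: more than 100 connections from one IP in 5 minutes."""
    return frequency_alerts(hits, key_index=1, num_events=100)


def site_over_max_visits(hits, max_visits=120):
    """Per-website variant with its own threshold of maximum visits (120 is assumed)."""
    return frequency_alerts(hits, key_index=2, num_events=max_visits)


def logical_correlation(hits, ip_alerts, site_alerts):
    """Logical (AND) correlation of the two silent alerts: report an (ip, site) pair only
    when the IP alert fired, the site alert fired, and that IP actually hit that site."""
    sites_by_ip = defaultdict(set)
    for _, ip, site in hits:
        sites_by_ip[ip].add(site)
    return sorted((ip, site) for ip in ip_alerts
                  for site in sites_by_ip[ip] if site in site_alerts)


if __name__ == "__main__":
    by_ip = ddos_by_source_ip(SAMPLE_HITS)
    by_site = site_over_max_visits(SAMPLE_HITS)
    print(by_ip)                                            # only 203.0.113.7, at its 101st hit
    print(by_site)                                          # only shop.example
    print(logical_correlation(SAMPLE_HITS, by_ip, by_site))  # [('203.0.113.7', 'shop.example')]
```

The per-IP rule on its own fires for 203.0.113.7 and the per-site rule fires for shop.example, while 198.51.100.4 contributes to the site total without crossing the per-IP limit. Correlating the two keeps the notification to the pair that satisfies both conditions, which is the point of creating the individual alerts without notification and letting the Logical alert do the reporting.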