Advanced Threat Analytics
Modern security teams cannot rely on log data alone to detect potential attacks. Knowing which error was triggered is not enough, and internal logs will not supply the missing context. The Advanced Threat Analytics (ATA) feature in Log360 Cloud pulls data about malicious IPs and domains that have an assigned reputation score and uses it to alert administrators whenever a suspicious IP tries to connect to your network.
To enable Advanced Threat Analytics, follow the steps below:
- Login to the Log360 Cloud application with Admin permissions.
- Go to the Settings → Admin → Management → Threat Management → Advanced Threat Analytics.
- Log360 Cloud provides you with two options to choose from:
Default Threat Server
When Enabled, Log360 Cloud correlates the information available in AlienVault OTX to trigger alerts if there's a match. This option only fetches data on the blacklisted IPs.
Note: All Log360 Cloud customers get access to this basic Threat Intelligence feature.
Advanced Threat Analytics
Overview
This option allows Log360 Cloud to provide more context about the potential attack by correlating crucial data from the threat feed, such as the first and last time the source was detected, its reputation score, etc.
Note: This feature is available as an add-on for all Log360 Cloud customers. You can purchase the ATA add-on either from the Threat Configuration page or through the License page.
- Log360 Cloud supports the following vendors for the Advanced Threat Analytics data:
- Log360 Cloud Threat Analytics
Default integration from the Log360 Cloud suite. This can be accessed once the add-on is purchased.
- Constella Intelligence
When you purchase Advanced Threat Analytics, you gain access to Dark Web Monitoring. You can configure Dark Web Monitoring using your licensed domain to monitor potential threats associated with your organization.
- VirusTotal
Third-party threat feed integration. This follows the Bring Your Own Key (BYOK) model. If you have bought VirusTotal access separately, you can use your API key to get the threat analytics information in Log360 Cloud.
- Access
- Investigation: The Threat Analytics information can be accessed through the External Threat report and the Incident Workbench for investigations.
- Detection: The default Threat alert criteria detect interaction with external threat sources. Once the Advanced Threat Analytics add-on is applied, the alerts are fine-tuned to reduce false positives.
External Threat report
Navigation: Log360 Cloud home > Reports > Select Threats from the drop-down in the top left corner > Threat Analytics > External Threat
The External Threat report contains the information on the source of the threat, severity, reputation score, and more.
- View reports of Top Attacked Hosts and Threats by Category for the selected period.
- Click on IPs in the Threat Source column and select Go To Incident Workbench to get contextual risk data from the integrated threat feeds.
Setting Alerts for External Threats
- From the Alerts tab, go to Manage Profiles → Add Alert Profile.
- When prompted to select an alert, choose Threat Analytics as the Alert Log Type, select the External Threat radio button, and click Save.
- Log360 Cloud will send an alert whenever a malicious IP tries to connect with your network.
Note:
- An alert profile with the name "External Threat" will be created automatically when the default threat server or Advanced Threat Analytics is enabled, or when the ATA add-on is purchased during a license upgrade.
- Enabling "Auto add new devices" will automatically activate the alert profile for all newly added devices.
Log360 Cloud Threat Analytics
Note: Once you purchase the Advanced Threat Analytics add-on, the Log360 Cloud Threat Analytics will be enabled by default.
Analysis
The Log360 Cloud Threat Analytics is available in the Incident Workbench. Learn how to invoke the Incident Workbench from different dashboards of Log360 Cloud.
Select any IP or Domain to analyze in the Workbench. You can access the following data:
- Info
This section contains the Reputation Score of the Threat Source on a scale of 0-100.
Note: The risk factor is inversely proportional to the Reputation Score: a lower score indicates a higher risk.
You can also view the Reputation Score Trend chart, the Status of the Threat Source (whether it is actively part of the threat list), its Category, the number of occurrences on the threat list, and when the source was released from the threat list.
- Geo Info
The Geo Info contains location details of the Threat Source such as city, state, region and the Whois information of the domain.
- Related Indicators
This section contains the risk profile of the related indicators of IPs and Domains.
Here are the related indicators:
IP:
- ASN
- Hosted files
- Hosted apps
Domain:
- Virtually hosted
- Subdomains
- Hosted files
- Hosted apps
- Hosted IPs
- Common registrant
Threat Evidences
This section contains the evidence recorded by the security vendor for the different attacks attempted from the threat source.
Constella Intelligence Integration
Overview
Constella Intelligence specializes in digital risk protection, including monitoring the dark web and other online channels, to mitigate threats like fraud, cybercrime, and brand abuse. Integration with Log360 Cloud enhances threat detection, provides a comprehensive view of digital risks, enables proactive brand protection, ensures regulatory compliance, and facilitates efficient incident response.
Configuring dark web threat feeds:
- Login to the Log360 Cloud application with Admin permissions.
- Go to the Settings → Admin → Management → Threat Management → Advanced Threat Analytics. Proceed to configure the respective feeds to access the threat analytics data.
- Configure the Dark Web Threat feeds by clicking on Configure shown in the image below.
- After clicking configure, a pop-up will prompt you to enter an email domain to monitor for dark web exposure. Once entered, provide a valid email address of the domain for verification.
Note: Configuring an email domain requires a matching license. Please ensure the configured domain is associated with a purchased license.
- An OTP will be sent to the entered email address. Upon successful verification of the OTP, your domain will be configured for dark web breaches.
- Upon successful configuration, you will see a confirmation page indicating the successful configuration of your domain for dark web breaches.
- To reconfigure another domain for monitoring, click Re-Configure. A configuration pop-up will appear; follow the same steps as during the initial domain configuration.
- To disable Darkweb Threat Feeds, uncheck the checkbox. A prompt will appear; select 'Yes' to disable dark web monitoring.
- Log360 Cloud's Threat Analytics and Dark Web Monitoring are independent features. They can be enabled or disabled individually.
Breach reports
Email analysis
Note: The retention period for Constella Intelligence logs is the same as the storage retention period.
Features provided:
- Threat analytics dashboard tab: Conveniently locate breaches that have occurred within the configured domain.
- Breach reports: Access detailed reports on breaches.
- Predefined alert for supply chain breach: Receive alerts for supply chain breaches.
VirusTotal
Note: VirusTotal is one of the largest live threat feeds; it consolidates risk scores of IPs, domains, and files from a wide range of security vendors. This integration in Log360 Cloud follows the Bring Your Own Key (BYOK) model. If you have bought VirusTotal access separately, you can use your API key to analyze threat sources in Log360 Cloud.
Configuration
To get the VirusTotal API key:
- Visit https://www.virustotal.com and sign up for a VirusTotal account.
- Sign in to VirusTotal and go to your Username → Settings → API Key to find your API key.
- Use the API Key provided by VirusTotal for integrating with Log360 Cloud.
Once you have purchased the Advanced Threat Analytics add-on and applied the license, head to the Advanced Threat Analytics page.
Navigation: Settings → Admin → Management → Threat Management → Advanced Threat Analytics → VirusTotal → Integrate
Paste the API key and click on Connect to finish configuring VirusTotal.
Analysis
In Log360 Cloud, users can access the data from VirusTotal through the Incident Workbench. Learn how to invoke the Incident Workbench from different dashboards of Log360 Cloud.
Select any IP or Domain to analyze in the Workbench. You can access the following data:
- VirusTotal Info
This section contains the Detection Score of the Threat Source, which is the number of security vendors that have flagged the source as risky out of all the security vendors. Along with this, the basic details and the geo info of the Threat Source are also available.
- Security Vendor Analysis
This section contains the individual analysis of all the security vendors.
Click on the search icon in the top left corner to filter based on Security Vendor, Analysis Category, and Analysis Result.
Here are the Analysis Categories:
- Malicious
- Suspicious
- Harmless
- Undetected
- Timeout
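The following Python example, added here and not part of Log360 Cloud or VirusTotal, shows how the Detection Score and the per-category vendor analysis described above are derived from a VirusTotal-style report. The sample report is constructed, the vendor names are made up, and which categories count as "risky" for the score is a parameter because the page does not specify it (VirusTotal's own headline count uses the malicious category, which is the default here).

```python
import json
from collections import Counter

# Constructed sample modelled on the shape of a VirusTotal v3 object report
# (data.attributes.last_analysis_results); vendor names and verdicts are made up.
SAMPLE_REPORT = json.dumps({
    "data": {
        "id": "203.0.113.7",
        "type": "ip_address",
        "attributes": {
            "last_analysis_results": {
                "VendorA": {"category": "malicious", "result": "malware"},
                "VendorB": {"category": "malicious", "result": "phishing"},
                "VendorC": {"category": "suspicious", "result": "suspicious"},
                "VendorD": {"category": "harmless", "result": "clean"},
                "VendorE": {"category": "undetected", "result": "unrated"},
                "VendorF": {"category": "timeout", "result": None},
            }
        }
    }
})

# The five analysis categories listed in the VirusTotal Security Vendor Analysis.
CATEGORIES = ("malicious", "suspicious", "harmless", "undetected", "timeout")

def parse_results(report_json):
    """Return {vendor: (category, result)} from a VT-style report string."""
    results = json.loads(report_json)["data"]["attributes"]["last_analysis_results"]
    return {v: (r.get("category", "undetected"), r.get("result")) for v, r in results.items()}

def detection_score(results, risky=("malicious",)):
    """Vendors flagging the source as risky out of all vendors, e.g. (2, 6).
    Which categories count as risky is an assumption; 'malicious' is the default."""
    flagged = sum(1 for cat, _ in results.values() if cat in risky)
    return flagged, len(results)

def category_counts(results):
    """Number of vendors per analysis category, including zero counts."""
    counts = Counter(cat for cat, _ in results.values())
    return {c: counts.get(c, 0) for c in CATEGORIES}

def filter_results(results, vendor=None, category=None, result=None):
    """Filter like the workbench search: vendor substring, exact category, exact result."""
    return {v: (cat, res) for v, (cat, res) in results.items()
            if (not vendor or vendor.lower() in v.lower())
            and (not category or cat == category)
            and (not result or (res or "") == result)}

if __name__ == "__main__":
    r = parse_results(SAMPLE_REPORT)
    flagged, total = detection_score(r)
    print(f"Detection score: {flagged}/{total}")
    print(category_counts(r))
    print(filter_results(r, category="malicious"))
```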
- Whois Info
This section contains the Whois information of the threat source domain.
- SSL Certificate
This section contains details of the SSL certificate issued to the Threat Source and who issued it.
- Related files
This section maps the relationship of files to the IP address in the following ways:
- Files communicating with the IP address
- Files downloaded from the IP address
- Files containing the IP address
- Resolutions
This section lists the past and current IP resolutions for a particular domain.