Zero-down on threats with Log360's precise model of ML-based adaptive threshold

Current network security tools and SIEM solutions aid security analysts in gaining an overall visibility of enterprise networks and defending against cyberthreats. However, as the scale and volume of network logs, incidents, and threats grow exponentially, it has become inevitable for SOC teams to deal with the following pain points:

Manual handling

Analysis, configuration, and periodical revisions for multiple threat cases.

False alerts

Sifting through 1,000s of notifications from security tools to find one or two critical alerts.

As we transition to more advanced and automated threat detection systems to resolve these concerns,

ManageEngine Log360 has stepped into the world of a true next-gen SIEM by introducing
the industry's first adaptive threshold capability for real-time alerting.

Explore what the feature offers:

How does Smart Threshold work

The Smart Threshold functionality is a part of Log360's Vigil IQ, the threat detection, investigation, and response (TDIR) module of Log360, which works with the real-time event response console, and user entity behavior analytics (UEBA).
Utilizes the exponential moving average (EMA) algorithm to automatically analyze and fix a baseline count for events and anomalies occurring within a specific timeframe.
Updates the baseline threshold periodically for every 15 data sets.

Events aggregated from across your network with with Log360's centralized log management system.

Log360 collects, parses, and analyzes logs from 750+ log sources, providing real-time records of all the events occurring in your network.

Detecting anomalous events and patterns with alerting modules.

The SIEM alerting module uses 100s of prebuilt criteria specific to different log sources to detect malicious activities from the recorded events.

The UEBA capability uses ML-based behavior analytics and pattern detection to trigger anomaly alerts.

Precision tuning to filter true alert cases with adaptive threshold.

The alert generation is further fine-tuned using the adaptive threshold functionality to precisely notify you when there is a deviation from the usual occurrence of events or anomalies.

Why should you consider adopting Smart Threshold?

Automation
Threat detection
Accuracy over time
Count-based anomalies

Automation

Setting thresholds for specific timeframes, based on the log sources and alert criteria, is one of the advanced configurations offered in SIEM solutions to reduce alert noise. Log360's adaptive threshold feature automates this functionality and aids SOC teams in enabling multiple alert profiles required for their environment, without the hassles of manual configuration.

Dual-layered model for precise threat detection

While the UEBA module accurately finds anomalies, precise threat detection is also needed to avoid working on low priority, non-threat events, or false positives. The Smart Threshold layer along with the UEBA module will contextually enrich the anomaly feeds and precisely identifies real threats. While the first layer of the prebuilt anomaly detection in UEBA finds deviations from established patterns and prioritizes them based on risk score, the second layer creates a baseline threshold for the frequency of deviations to spot anomalies that are real threats.

Improved accuracy over time with dynamic adaptation

With Log360's Smart Threshold, there's constant learning and fine-tuning of the threat detection process. The dynamic ML model of EMArevises the threshold baseline for every 15 data sets based on the changes in the network such as:

Evolving user behavior
Increase or decrease in the amountof log sources
Configurational changes, such as an updated firewall rule, that might start allowing more traffic
Modifications in the SIEM alert criteria and anomaly rules.

Early detection of count-based anomalies and remediation

Count-based anomaly detection is configured for commonly occurring network events to help capture important indicators of compromise early on, before threat patterns of ransomware attacks, and advanced persistent threats fully develop. The table below provides examples of some count-based anomalies that can be early indicators of known attacks.

Count-based anomalies	Early indicators of compromise
Logon	Brute-force attack Credential compromise
Abnormal spikes in new outbound or inbound connections	Command and control channel compromise, data exfiltration
Increase in DNS redirect events	Pharming attacks, botnets
New files popping up, increases in resource utilization and application crashes	Malware

Log360's adaptive threshold helps find significant spikes in these events without a constant trigger of false alarms. The early detection IoCs also facilitates immediate response and remediation of threats, gradually reducing the mean time to discover (MTTD) and mean time to respond (MTTR).

Alerts in Log360

Add log sources and criteria
Manual vs smart threshold
Remediation workflow
Manage alerts in a central dashboard

Add log sources and criteria

Manual vs smart threshold

Remediation workflow

Manage alerts in a central dashboard

Why Log360?

Ease of configuring alerts

Build your alert profiles with ease by using Log360's real-time alerts dashboard that offers:

A variety of log sources, including a wide range of network devices, applications, vulnerability scanners, and more.
Over 500 prebuilt criteria for different usecases
Advanced configuration with automated adaptive threshold
Single console to monitor alerts, filter them based on severity, and create tickets
Integrated workflow activation for alert profiles

Advanced threat intelligence

Log360 also ingests STIX/TAXII and Alienvalult OTX threat feeds for contextual threat detection along with offering rule-based pattern detection with real-time event correlation and implementation of threat modelling framework MITRE ATT&CK.

A complete suite of integrated tools

Level up your TDIR game by deploying a comprehensive SIEM solution like Log360 with UEBA, CASB and integrated DLP capabilities that brings all your security needs into single console, and helps you precisely detect threats with automated features like adaptive alert threshold.

Frequently Asked Questions

What is adaptive threshold?

In the context of SIEM solutions, adaptive threshold is a mechanism that dynamically analyzes the occurrence of events in the monitored network to create a baseline that differentiates normal behavior and true anomaly cases. Adaptive threshold dynamically adjusts to the changing environments and uses statistical ML models to achieve this.

What is a layered threat detection system?

Threat detection modules discover malicious patterns in a network, find abnormal spikes in flow of events, and use rule-based and signature-based methods to detect threats. Sequencing multiple methods of anomaly detection produces a layered threat detection system.

In Log360, count-based filtering using adaptive threshold is layered on top of behavioral-based anomaly detection. Here's an example to understand how it proves effective with precise threat detection:

Layer 1 behavioral pattern - Generate anomaly if important work files are accessed during non-working hours.

Context: Consider an enterprise environment with 1000s of employees. Employee A is a malicious insider, who is about to leave the company. He/she has been suddenly accessing multiple files during non-working hours. The above mentioned pattern will generate alerts for this behavior. But the issue is, this true alert will be buried in 100s of similar false alerts. There can be multiple genuine reasons for user behavior deviations in an enterprise with huge number of employees.

Layer 2: Smart Threshold - if a particular user account generates multiple anomalies within a specific timeframe that deviates from the usual count, generate alert.

A layer 2 of filtering with count based adaptive threshold, will cut down the alert noise for the 100 other users who usually have a few anomalies normal to their behaviour. But it will single out employee A's activities by generating alert, since it crosses the threshold.

Listen to those who transformed security with Log360

Log4j

Auditors and regulators frequently ask for reports that show Active Directory activities such as user lockouts, access removal for terminated users, users created, etc. AD Audit Plus has helped us do that easily and with minimal overhead.

Kelvin Chung

System administrator.
Paradyn's MSSP services

Thanks to ManageEngine Log360, we averted a potential data breach caused by a disgruntled ex-employee. The system alerted us to unauthorized access and authentication failures, allowing us to swiftly address the issue. Log360 played a vital role in safeguarding our sensitive files and maintaining the integrity of our data.

Edward McGrainor

SOC engineer.
Phishing email

Choosing Log360 as our SIEM solution was a game-changer for Calgon Carbon's security. When facing a phishing incident, Log360's real-time monitoring and threat detection capabilities proved invaluable. It swiftly alerted our security team, enabling immediate action to mitigate risks and prevent further compromise.

Ryan Kemp

IT Security analyst II.
CTC

Log360 has truly transformed our security operations. Its advanced correlation capabilities and user-friendly design addressed the challenges we faced with Splunk. The solution not only aligns well with our network events but also ensures compliance with CMMC requirements, protecting our Controlled Unclassified Information. Log360's out-of-the-box features and customizable options have significantly reduced the workload for our IT team, allowing us to focus on critical data analysis and enhancing our security posture.

Danielle Gerko

Cybersecurity manager.

Try Log360 for free

Experience the extensive capabilities of unified SIEM utilizing Log360

Download now

Walkthrough with experts

Schedule a one-on-one call with our solution experts to explore Log360

Schedule demo

Calculate ROI

Considering the return on investment for your Log360 deployment?

Log360's ROI

Pricing

Request a personalized quote for Log360

Get quote