arcsight.analys1

Anti-virus correlated use cases


Hi All,

I have come across many use cases related to Antivirus but none of them are heavy correlated use cases which go beyond usual alerting.

Some of the prominent ones are

  • Admin login failure on Antivirus
  • Port Scan detected by Antivirus
  • Potential Risk Found
  • Security Risk Found
  • Virus Activity
  • Virus Definition not updated on a Device
  • Uninstalling Antivirus Management Client
  • Virus detected but not cleaned or deleted

Has anyone tried any new use case like -

  • Increase in netflow traffic after a virus is detected and not cleaned
  • Increase in login failures where the source IP is a host with a virus detected and not cleaned... malware might be brute-forcing an account

Any more ideas? Need some brainstorming on this!

Regards,

Sujay

Accepted Solution

balahasan.v1

Re: Anti-virus correlated use cases


Hi Sujay,

It depends; we have Trend Micro AV. In addition to the above basic set of use cases, we have

Use cases:

  • AV Malware Breakout Identified across multiple machines on the same Subnet / different Subnets
  • AV Malware Infection Identified
  • AV Malware Infection Identified (not quarantined/cleaned/deleted/moved)
  • Multiple AV Malware Infections Identified from the Same Host
  • Multiple Sources accessing the same Malware URL
  • Multiple Types of AV Malware Infection Identified from the Same Host
  • Multiple recurrences of the same Infection identified from the same machine (AL and Trend - Historical)
  • Multiple recurrences of unique Infections identified from the same machine (AL and Trend - Historical)
  • Data traffic monitoring using the Query Viewer from Bluecoat, VPN, Forward/Reverse Proxy (AL and Trend - Real Time)
  • Blacklisted Domain/IP Address monitoring of traffic to/from the Infected machine (AL and Trend - Real Time)
  • Brute force / port or host scan / privilege elevation access attempt from the Infected machine (AL and Trend - Real Time)
  • Attempt to restart AV service or process, or AV modules, from the Infected machine
  • Access to critical file share, network path, SSH or remote RDP attempt from the Infected Host
  • And so on...

Since we don't have DLP, IPDS, FIM, IDAM, VPN, Exchange or packet capture tools, we are limited to cross correlation. But with multiple security solutions, the AV gives you plenty of options.
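As an added example, not from this thread and not ArcSight rule content, the following Python sketches how several of the use cases above can be expressed as correlation logic: the "detected but not cleaned" active list from the question, the question's idea of login failures sourced from an unremediated host, and the answer's subnet breakout, recurring-infection and multiple-infection-types rules. The events are constructed sample data; the field names (`host`, `sig`, `action`, `src`, `outcome`), the remediation vocabulary, and the thresholds and windows are assumptions to be mapped onto your own AV and authentication feeds.

```python
"""Added example (not from the thread, not ArcSight rule content): a plain-Python
sketch of several AV correlation use cases discussed above, run over constructed
sample events.  Field names, thresholds and windows are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress

# AV actions treated as successful remediation (assumed vocabulary; real AV
# products differ, so map them in the connector / normalisation layer).
REMEDIATED = {"Cleaned", "Quarantined", "Deleted", "Moved"}

# Constructed AV detection events (host = endpoint IP, sig = signature name).
AV_EVENTS = [
    {"ts": "2023-01-10T09:00:00", "host": "10.1.1.5",  "sig": "Trojan.Generic", "action": "Cleaned"},
    {"ts": "2023-01-10T09:01:00", "host": "10.1.1.7",  "sig": "Worm.X",         "action": "Quarantined"},
    {"ts": "2023-01-10T09:02:00", "host": "10.1.1.9",  "sig": "Worm.X",         "action": "Unable to clean"},
    {"ts": "2023-01-10T09:03:00", "host": "10.1.1.12", "sig": "Worm.X",         "action": "Left alone"},
    {"ts": "2023-01-10T09:05:00", "host": "10.1.1.9",  "sig": "Trojan.Generic", "action": "Unable to clean"},
    {"ts": "2023-01-10T09:06:00", "host": "10.1.1.9",  "sig": "Worm.X",         "action": "Unable to clean"},
]

# Constructed authentication events: six failures in one minute from the
# unremediated host 10.1.1.9, one from 10.1.1.12, one from the cleaned host 10.1.1.5.
AUTH_EVENTS = [
    {"ts": f"2023-01-10T09:10:{s:02d}", "src": "10.1.1.9", "user": "svc_backup", "outcome": "failure"}
    for s in range(0, 60, 10)
] + [
    {"ts": "2023-01-10T09:11:00", "src": "10.1.1.12", "user": "alice", "outcome": "failure"},
    {"ts": "2023-01-10T09:12:00", "src": "10.1.1.5",  "user": "bob",   "outcome": "failure"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def unremediated_infections(av_events):
    """'Virus detected but not cleaned or deleted': host -> [(ts, sig), ...] for
    detections whose action is not in REMEDIATED.  This is the active list the
    other rules key off."""
    out = defaultdict(list)
    for e in av_events:
        if e["action"] not in REMEDIATED:
            out[e["host"]].append((parse_ts(e["ts"]), e["sig"]))
    return dict(out)


def infected_hosts_brute_forcing(av_events, auth_events, threshold=5, window=timedelta(minutes=10)):
    """The question's idea: login failures whose source is an unremediated host.
    Alert when >= threshold failures fall within `window` after the first
    unremediated detection on that host.  Returns [(host, failure_count), ...]."""
    alerts = []
    for host, infections in unremediated_infections(av_events).items():
        first_seen = min(ts for ts, _ in infections)
        fails = [a for a in auth_events
                 if a["src"] == host and a["outcome"] == "failure"
                 and first_seen <= parse_ts(a["ts"]) <= first_seen + window]
        if len(fails) >= threshold:
            alerts.append((host, len(fails)))
    return alerts


def breakout_by_subnet(av_events, prefix=24, min_hosts=3):
    """'Malware breakout across multiple machines on the same subnet': the same
    signature seen on >= min_hosts distinct hosts inside one /prefix network.
    Remediated detections count too, since they still show the sample reached
    the host.  Returns {(sig, network): [hosts]}."""
    seen = defaultdict(set)
    for e in av_events:
        net = ipaddress.ip_network(f"{e['host']}/{prefix}", strict=False)
        seen[(e["sig"], str(net))].add(e["host"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_hosts}


def recurring_infections(av_events, min_count=2):
    """'Multiple recurrences of the same infection from the same machine'."""
    counts = Counter((e["host"], e["sig"]) for e in av_events)
    return {k: n for k, n in counts.items() if n >= min_count}


def multiple_types_same_host(av_events, min_types=2):
    """'Multiple types of infection identified from the same host'."""
    sigs = defaultdict(set)
    for e in av_events:
        sigs[e["host"]].add(e["sig"])
    return {h: sorted(s) for h, s in sigs.items() if len(s) >= min_types}


if __name__ == "__main__":
    print("unremediated:", {h: len(v) for h, v in unremediated_infections(AV_EVENTS).items()})
    print("brute force from infected:", infected_hosts_brute_forcing(AV_EVENTS, AUTH_EVENTS))
    print("breakout:", breakout_by_subnet(AV_EVENTS))
    print("recurring:", recurring_infections(AV_EVENTS))
    print("multiple types:", multiple_types_same_host(AV_EVENTS))
```

In a SIEM the `unremediated_infections` result would be an active list populated by one rule and consumed by the others, so the "brute force from an infected host" rule only fires for sources that are on the list; the cleaned host 10.1.1.5 in the sample is deliberately ignored even though it also logged a failure.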
