Lab 5 - Botnet Detection

Review the LogRhythm Security Analytics book: chapter 5.

Overview

Security Use Case: Botnet Detection

Description: A computer has been set up to forward spam or viruses to other computers on the internet without the owner of that computer knowing about it.

Security Type: User, Network, Application, Endpoint, APT

Threat Actors: Insiders, Commodity Malware Groups

Threat Actors' Goals: Financial Gain, Notoriety

Your Task: Using LogRhythm's Web Console Dashboards and Analyzer Grid, locate any logs that may be an indication of suspicious activity.

  • Data to look out for might include network traffic to an outbound address along with suspicious attack type activity.
  • Work the incident through the Threat Lifecycle Management process and document your findings as you go.


There is a generic technique for using the LogRhythm Web Console for threat hunting. You need to familiarize yourself with the log data in your environment by looking at the Web Console, dashboards, alarms, reports, and running searches. This helps you discover things that should not be occurring in your environment: activity that is abnormal and usually rare. Some of the best tools in the Web Console for discovering threats are:

  • The time range filter
  • Alarms
  • Top Classification
  • Top Common Events
  • Top Log Source Type widgets
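The task description above (outbound traffic from an internal host combined with attack-type activity) and the widget list (time range filter, top classification, top common event, top log source type) can be reproduced outside the console with a few lines of code. The script below is an added example written for this lab, not LogRhythm code or output: it loads a small set of constructed log records, applies a time-range filter, summarizes the "top" and "rare" buckets that the dashboard widgets show, and then flags internal hosts that both connect outbound to a non-RFC1918 address and carry an attack-type classification. The classification labels in ATTACK_CLASSIFICATIONS and all IP addresses and events are assumptions made for the example.

```python
"""Constructed example: console-style triage of log records for botnet indicators.

Mirrors the Web Console workflow from the lab: time-range filter, top/rare
classification and log source summaries, then a pivot on internal hosts with
outbound traffic plus attack-type events. Nothing here is LogRhythm code.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# RFC 1918 ranges used to decide whether a host is internal to the lab network.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed "attack type" classification labels for this example (not LogRhythm's taxonomy).
ATTACK_CLASSIFICATIONS = {"Attack", "Malware", "Compromise"}


@dataclass(frozen=True)
class LogRecord:
    ts: datetime
    log_source_type: str
    classification: str
    common_event: str
    origin_ip: str
    impacted_ip: str


def is_internal(ip: str) -> bool:
    """True when the address falls in one of the RFC 1918 ranges above."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed sample logs (not real data). 203.0.113.0/24 stands in for "the internet".
SAMPLE_LOGS = [
    LogRecord(datetime(2024, 3, 1, 8, 0), "IDS", "Attack", "Suspicious Outbound Traffic", "10.1.1.30", "203.0.113.50"),
    LogRecord(datetime(2024, 3, 1, 9, 0), "Firewall", "Network Allow", "Outbound Connection Allowed", "10.1.1.20", "203.0.113.50"),
    LogRecord(datetime(2024, 3, 1, 9, 5), "Firewall", "Network Allow", "Outbound Connection Allowed", "10.1.1.21", "203.0.113.80"),
    LogRecord(datetime(2024, 3, 1, 9, 10), "IDS", "Attack", "Suspicious Outbound Traffic", "10.1.1.20", "203.0.113.50"),
    LogRecord(datetime(2024, 3, 1, 9, 15), "Antivirus", "Malware", "Malware Detected", "10.1.1.20", "10.1.1.20"),
    LogRecord(datetime(2024, 3, 1, 9, 20), "Firewall", "Network Allow", "Outbound Connection Allowed", "10.1.1.20", "203.0.113.50"),
    LogRecord(datetime(2024, 3, 1, 9, 25), "Firewall", "Network Deny", "Inbound Connection Denied", "203.0.113.9", "10.1.1.5"),
    LogRecord(datetime(2024, 3, 1, 9, 30), "Mail Server", "Network Allow", "SMTP Connection", "10.1.1.20", "203.0.113.25"),
]


def filter_time_range(logs, start: datetime, end: datetime):
    """The time range filter: keep records with start <= ts < end."""
    return [r for r in logs if start <= r.ts < end]


def top_values(logs, field: str, n: int = 5):
    """Equivalent of a 'Top <field>' widget: most common values with counts."""
    return Counter(getattr(r, field) for r in logs).most_common(n)


def rare_values(logs, field: str, max_count: int = 1):
    """Values seen at most max_count times: the abnormal, usually rare activity to qualify."""
    counts = Counter(getattr(r, field) for r in logs)
    return sorted(v for v, c in counts.items() if c <= max_count)


def flag_botnet_candidates(logs):
    """Internal hosts with outbound traffic to an external address AND an attack-type event."""
    outbound = defaultdict(set)
    attacks = defaultdict(list)
    for r in logs:
        if not is_internal(r.origin_ip):
            continue  # only internal origins can be the compromised host in this view
        if not is_internal(r.impacted_ip):
            outbound[r.origin_ip].add(r.impacted_ip)
        if r.classification in ATTACK_CLASSIFICATIONS:
            attacks[r.origin_ip].append(f"{r.ts:%H:%M} {r.log_source_type}: {r.common_event}")
    return {
        host: {"external_destinations": outbound[host], "attack_events": attacks[host]}
        for host in outbound
        if host in attacks
    }


if __name__ == "__main__":
    window = filter_time_range(SAMPLE_LOGS, datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 1, 10, 0))
    print("Top classifications:", top_values(window, "classification"))
    print("Top common events:", top_values(window, "common_event"))
    print("Top log source types:", top_values(window, "log_source_type"))
    print("Rare classifications:", rare_values(window, "classification"))
    for host, detail in flag_botnet_candidates(window).items():
        print(f"Candidate {host}: outbound to {sorted(detail['external_destinations'])}")
        for event in detail["attack_events"]:
            print("   ", event)
```

In the constructed data, the rare classifications (Attack, Malware, Network Deny) are exactly the buckets a hunter would drill into, and only 10.1.1.20 satisfies both conditions of the lab's hint; 10.1.1.21 has outbound traffic but no attack-type event, so it is not flagged. Qualifying the candidate (the next step in the lifecycle) still means reviewing those events by hand before opening a case.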

Once you have discovered a threat, you need to decide whether you actually need to do something about it. This is known as qualifying the threat. Then you can investigate the threat using pivots, drilldowns, searches, reports, and cases. Next we neutralize the threat; we stop the problem from getting worse. Lastly, we recover: we determine how we will prevent this and similar incidents from happening again.