3 Investigating and Analyzing Threats Based on Correlation Rule
With Oracle Security Monitoring and Analytics, you can investigate unusual user activity, and analyze threats and anomalies found throughout your enterprise.
Investigate and Analyze Threats in Response to an Alert Notification
You can investigate and analyze threats starting with an alert notification.
The alert notification gives you the name of the correlation rule that fired (TargetedAccountAttack), the severity level, and the time stamp of the occurrence.
Note that you must configure alert rules first. For details, see Create a Security Alert Rule.
Investigating Threats Detected by Correlation Rule
After you receive the alert notification, you want to identify and learn more about the threat details related to the user activity. You want to find out the nature of the threat, the threat category it falls under, how many users were involved, and so on.
Investigating the threat in the console quickly uncovers the following details:
- Asset finance1.host.oracle.com was affected.
- A single user was involved.
- The duration of the threat was approximately 6 seconds.
- This threat is categorized as infiltration.
- It was generated because of multiple failed account logins (according to the correlation rule TargetedAccountAttack).
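The following is an added example and not Oracle Security Monitoring and Analytics code: a minimal correlation rule in the spirit of TargetedAccountAttack, run over constructed sshd-style log lines. It groups failed logins by asset and account, fires when a burst of failures lands inside a short window, and reports the same details an investigator reads off the threat (affected asset, account, duration, category). The log format, the threshold of 5 failures in 60 seconds, the user names and the IP addresses are assumptions; only the asset name finance1.host.oracle.com, the rule name and the category come from the page.

```python
from collections import defaultdict
from datetime import datetime

RULE_NAME = "TargetedAccountAttack"
CATEGORY = "infiltration"
THRESHOLD = 5        # failed logins needed to fire (assumed, not Oracle's setting)
WINDOW_SECONDS = 60  # ...within this many seconds (assumed)

# Constructed sample log lines (not from the page). Assumed format:
# "<ISO timestamp> <host> sshd: Failed password for <user> from <ip>"
SAMPLE_LOGS = [
    "2024-05-01T10:00:01 finance1.host.oracle.com sshd: Failed password for jdoe from 203.0.113.7",
    "2024-05-01T10:00:02 finance1.host.oracle.com sshd: Failed password for jdoe from 203.0.113.7",
    "2024-05-01T10:00:03 finance1.host.oracle.com sshd: Failed password for jdoe from 203.0.113.7",
    "2024-05-01T10:00:05 finance1.host.oracle.com sshd: Failed password for jdoe from 203.0.113.7",
    "2024-05-01T10:00:06 finance1.host.oracle.com sshd: Failed password for jdoe from 203.0.113.7",
    "2024-05-01T10:00:07 finance1.host.oracle.com sshd: Failed password for jdoe from 203.0.113.7",
    # a single failure elsewhere and a successful login: neither should fire the rule
    "2024-05-01T10:00:04 hr2.host.example sshd: Failed password for asmith from 198.51.100.9",
    "2024-05-01T10:00:09 hr2.host.example sshd: Accepted password for asmith from 198.51.100.9",
    # a lone failure half an hour later: outside the window, so not part of the burst
    "2024-05-01T10:30:00 finance1.host.oracle.com sshd: Failed password for jdoe from 203.0.113.7",
]


def parse_line(line):
    """Return (timestamp, host, user) for a failed-login line, else None."""
    parts = line.split()
    if len(parts) < 9 or parts[3:6] != ["Failed", "password", "for"]:
        return None
    return datetime.fromisoformat(parts[0]), parts[1], parts[6]


def correlate(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Emit one threat per burst of >= threshold failed logins against the
    same account on the same asset within `window` seconds."""
    failures = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, host, user = parsed
            failures[(host, user)].append(ts)

    threats = []
    for (host, user), stamps in failures.items():
        stamps.sort()
        i = 0
        while i < len(stamps):
            # extend j as far as the window starting at stamps[i] allows
            j = i
            while j + 1 < len(stamps) and (stamps[j + 1] - stamps[i]).total_seconds() <= window:
                j += 1
            count = j - i + 1
            if count >= threshold:
                threats.append({
                    "rule": RULE_NAME,
                    "category": CATEGORY,
                    "asset": host,
                    "user": user,
                    "failed_logins": count,
                    "duration_seconds": (stamps[j] - stamps[i]).total_seconds(),
                    "first_seen": stamps[i].isoformat(),
                })
                i = j + 1  # burst consumed; the next burst can only start after it
            else:
                i += 1
    return threats


def summarize_by_asset(threats):
    """Per-asset readout: how many threats hit it and which accounts were involved."""
    summary = defaultdict(lambda: {"threats": 0, "users": set()})
    for t in threats:
        summary[t["asset"]]["threats"] += 1
        summary[t["asset"]]["users"].add(t["user"])
    return {asset: {"threats": v["threats"], "users": sorted(v["users"])}
            for asset, v in summary.items()}


if __name__ == "__main__":
    for threat in correlate(SAMPLE_LOGS):
        print(threat)
    print(summarize_by_asset(correlate(SAMPLE_LOGS)))
```

On the constructed input the rule fires once: six failures against jdoe on finance1.host.oracle.com spanning 6 seconds, a single account involved, category infiltration, which is the readout described above. The window is a hard cut from the first failure of a burst; a production rule would usually also count failures across source IPs and accounts on the same asset, which this example deliberately leaves out.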
Investigating and Analyzing Users Associated with Threats
After you collect security details about the threat, you can start investigating and analyzing the associated users.
You proceed with your investigation by collecting more security-based details about this group of users. After completing this task, you’ll be able to identify which users are involved and what organizations they belong to, understand their unusual activity patterns and associations with other threats or anomalies, and so on.
It’s assumed that you know (from the notification email):
- Threat ID
- Time of occurrence
Isolate Risky Users Associated with Threats
You can analyze user activity by isolating users based on criteria required by your particular investigation or type of analysis.
For example, after receiving a notification email and learning more about the threat detected, you want to find out if this user (or users) is on the Top Risky Users list. Then, you want to gather a list of users based on the organization that contains the most risky users, and, within this organization, generate a list of users (and identify the asset) that were part of the highest threat attack on a single asset.
To quickly find the top 5 risky users, look at the Top Risky Users By Threats tile in the Users dashboard.
The pie chart is made up of slices that represent the top affected user organizations, ranked by the number of risky users in each. Looking at the Top Risky Users by Threats tile also confirms that the user from the notification email is among the top risky users.
Isolate Assets Associated with Threats
You can investigate asset activity and analyze assets by isolating affected assets.
For example, after receiving a notification email and learning more about the threat detected, you want to find out if these assets are part of the Top Risky Assets list. You also want to gather a list of individual assets based on the asset type that had the highest number of threat attacks, or you want to generate a list of individual threats that made up the highest number of threat attacks on assets grouped by asset type (for example, asset type Linux Servers).
In the Assets dashboard, you can quickly find the top 5 risky assets in the Top Risky Assets By Threats tile.
To start narrowing down on the threat attacks, click the largest pie slice in the Risky Assets By Asset Type chart.
The dashboard refreshes and shows data that pertains to risky assets according to your latest selection.
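The two dashboard workflows above (isolating risky users by organization, and risky assets by asset type) are aggregations over the same threat records. The following is an added example, not Oracle Security Monitoring and Analytics code, that computes those views over a constructed list of threat records: the top 5 risky users by threat count, the organization with the most risky users, the asset within that organization that took the most threats and the users behind them, and the asset-type slice that holds the most threats. The threat IDs, user names, organizations and host names other than finance1.host.oracle.com are constructed; the asset type name Linux Servers is taken from the page.

```python
from collections import Counter, defaultdict
from typing import NamedTuple


class Threat(NamedTuple):
    threat_id: str
    user: str
    organization: str
    asset: str
    asset_type: str


# Constructed threat records (not from the page)
THREATS = [
    Threat("T-1001", "jdoe",   "Finance", "finance1.host.oracle.com", "Linux Servers"),
    Threat("T-1002", "jdoe",   "Finance", "finance1.host.oracle.com", "Linux Servers"),
    Threat("T-1003", "mlee",   "Finance", "finance1.host.oracle.com", "Linux Servers"),
    Threat("T-1004", "mlee",   "Finance", "finance2.host.example",    "Linux Servers"),
    Threat("T-1005", "rkhan",  "Finance", "finance2.host.example",    "Linux Servers"),
    Threat("T-1006", "asmith", "HR",      "hr2.host.example",         "Windows Servers"),
    Threat("T-1007", "asmith", "HR",      "hr2.host.example",         "Windows Servers"),
    Threat("T-1008", "bwong",  "HR",      "hr-db.host.example",       "Databases"),
    Threat("T-1009", "cpatel", "Sales",   "crm1.host.example",        "Windows Servers"),
]


def top_risky_users(threats, n=5):
    """Users ranked by number of associated threats; ties broken by name."""
    counts = Counter(t.user for t in threats)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def is_top_risky_user(threats, user, n=5):
    """True if `user` (e.g. the one named in the notification) is in the top-n list."""
    return user in {u for u, _ in top_risky_users(threats, n)}


def risky_users_by_organization(threats):
    """Pie-chart input: number of distinct risky users per organization."""
    users = defaultdict(set)
    for t in threats:
        users[t.organization].add(t.user)
    return {org: len(u) for org, u in users.items()}


def riskiest_organization(threats):
    by_org = risky_users_by_organization(threats)
    return max(sorted(by_org), key=lambda org: by_org[org])


def highest_threat_asset_in_organization(threats, organization):
    """Within one organization, the asset hit by the most threats and the users involved."""
    per_asset = Counter(t.asset for t in threats if t.organization == organization)
    if not per_asset:
        return None
    asset, count = sorted(per_asset.items(), key=lambda kv: (-kv[1], kv[0]))[0]
    users = sorted({t.user for t in threats if t.asset == asset})
    return asset, count, users


def top_risky_assets(threats, n=5):
    counts = Counter(t.asset for t in threats)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def threats_by_asset_type(threats):
    """Pie-chart input: number of threats per asset type."""
    return dict(Counter(t.asset_type for t in threats))


def threats_in_largest_asset_type_slice(threats):
    """Drill-down on the largest slice: (asset type, list of threat IDs in it)."""
    by_type = threats_by_asset_type(threats)
    largest = max(sorted(by_type), key=lambda k: by_type[k])
    return largest, [t.threat_id for t in threats if t.asset_type == largest]


if __name__ == "__main__":
    print(top_risky_users(THREATS))
    org = riskiest_organization(THREATS)
    print(org, highest_threat_asset_in_organization(THREATS, org))
    print(threats_in_largest_asset_type_slice(THREATS))
```

The ranking keys are stable (count descending, then name) so the "top 5" cut is deterministic even when users tie on threat count; a console that breaks ties by recency or severity would order them differently, which is worth remembering when comparing a scripted list against the dashboard tile.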