Detecting and alerting on user login events after office hours

This is one of the most common alerts and is easily done with Energy Logserver. In fact, such an alert is already predefined and shipped in the installation package by default. For Windows users we detect night logons.

The same has been applied in our previous deployments for Linux users, or for users of dedicated services that are not tied to a specific operating system.

Such a rule configuration could hardly be simpler:

On top of that, a calendar option can be added to any alert, so that the alert is triggered only within a schedule given in crontab format, for example:

calendar:
  schedule: "* 0-8,16-23 * * mon-fri"
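As an added example (not Energy Logserver's own code), the following Python evaluates a crontab schedule like the one above against constructed Windows logon events, flagging logons that fall inside the off-hours window; the event field names and the sample records are assumptions.

```python
from datetime import datetime

DOW = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]  # index matches datetime.weekday()


def _parse_field(field, lo, hi, names=None):
    """Expand one crontab field ("*", "0-8,16-23", "mon-fri") into a set of ints."""
    if field == "*":
        return set(range(lo, hi + 1))
    values = set()
    for part in field.split(","):
        a, _, b = part.partition("-")
        a = names.index(a.lower()) if names and a.lower() in names else int(a)
        b = (names.index(b.lower()) if names and b.lower() in names else int(b)) if b else a
        values.update(range(a, b + 1))
    return values


def parse_schedule(expr):
    """Parse 'minute hour day-of-month month day-of-week' into sets of allowed values."""
    minute, hour, dom, month, dow = expr.split()
    return {
        "minute": _parse_field(minute, 0, 59),
        "hour": _parse_field(hour, 0, 23),
        "dom": _parse_field(dom, 1, 31),
        "month": _parse_field(month, 1, 12),
        "dow": _parse_field(dow, 0, 6, DOW),
    }


def in_schedule(ts, sched):
    """True if timestamp ts falls inside the parsed crontab schedule."""
    return (ts.minute in sched["minute"] and ts.hour in sched["hour"]
            and ts.day in sched["dom"] and ts.month in sched["month"]
            and ts.weekday() in sched["dow"])


# Constructed sample events (not real data): 2024-03-11 is a Monday, 2024-03-09 a Saturday.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-03-11T02:15:00", "event_id": 4624, "user": "jdoe", "host": "WS01"},
    {"@timestamp": "2024-03-11T10:30:00", "event_id": 4624, "user": "asmith", "host": "WS02"},
    {"@timestamp": "2024-03-11T18:45:00", "event_id": 4624, "user": "jdoe", "host": "SRV01"},
    {"@timestamp": "2024-03-11T19:05:00", "event_id": 4634, "user": "jdoe", "host": "SRV01"},
    {"@timestamp": "2024-03-09T03:00:00", "event_id": 4624, "user": "backup", "host": "SRV02"},
]


def off_hours_logons(events, schedule="* 0-8,16-23 * * mon-fri"):
    """Return (user, host, timestamp) for successful logons (4624) inside the schedule."""
    sched = parse_schedule(schedule)
    return [(ev["user"], ev["host"], ev["@timestamp"]) for ev in events
            if ev["event_id"] == 4624 and in_schedule(datetime.fromisoformat(ev["@timestamp"]), sched)]
```

Note that the schedule as written only covers weekdays, so the Saturday logon is not reported; a separate weekend rule would be needed for that.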


Detecting and alerting Abnormal Network Traffic Pattern

For monitoring anomalies in traffic we use several approaches. Energy Logserver can of course be complemented with a dedicated network probe equipped with a NetFlow analysis module, which detects anomalies out of the box. Such a probe receives NetFlow from a selected SPAN port and can also be deployed as a virtual appliance.

Otherwise we return to our alerting module and choose the appropriate approach there.

For some customers we use the metric aggregation rule type, setting a threshold on the volume of sent/received data.

Energy Logserver also ships with a set of predefined alerts, among them Netflow - DNS traffic abnormal, of type Spike. This rule compares the current timeframe to the previous one and calculates the difference between them, so a sudden spike in the chosen pattern is detected.

Another approach is to monitor new, previously unseen values in a selected field (such as a new URL in our logs) per user, source or other parameter.


Energy Logserver can also connect multiple alerts into one correlated alert, joined by field and condition, using the Chain or Logical rule types.