AWS CloudTrail - Threat Hunting in AWS CloudTrail Logs
As more companies move their IT operations from physical data centers to the cloud, SOCs need to develop new ways to analyze cloud operations and services for risks and threats. LogicHub has developed a playbook to hunt for risks in the logs of a popular cloud solution: AWS CloudTrail. This LogicHub playbook conducts seven investigations in parallel to identify risks within the CloudTrail logs.
By automating threat hunting in AWS CloudTrail logs with LogicHub, you quickly detect attackers and threats that would otherwise be missed in the mountains of data. SOC teams are able to improve their productivity and response times while minimizing false positives and false negatives.
Code Repositories (GitHub)
LogicHub for GitHub is an automated threat detection solution that continually monitors your source code repositories for suspicious behavior and vulnerabilities to help protect your intellectual property.
Installed without having to deploy agents and set up with just a few clicks, LogicHub immediately begins analyzing millions of GitHub log events to identify any malicious or unauthorized behavior. It uses a sophisticated threat ranking engine to automatically prioritize potential threats and provides a high quality feed of security alerts.
LogicHub is designed for teams of all sizes, is very cost effective, and scales easily to support very large deployments.
LogicHub for Salesforce provides out-of-the-box threat detection. It continuously monitors your feed of Salesforce Audit events to detect any unusual behavior or pattern, and provides you with a high quality feed of relevant alerts.
With LogicHub’s powerful Threat Ranking engine, you can make sure that the alert feed you are getting is free of noise and false positives, while ensuring that you are always notified of suspicious activity.
Automated Threat Hunting in Web Proxy Logs
When attacks deliver files and processes to a target, those files and processes often check in regularly with a remote Command and Control server, which delivers instructions and collects exfiltrated data. To detect these attacks, it’s helpful to examine web proxy logs for anomalous behavior. But those logs can be vast and the signs of attack subtle.
The LogicHub playbook for web proxy threat hunting combines automated steps for data collection, data enrichment, threat analysis, and threat remediation in a fast, efficient, easy-to-customize format. Using this playbook is an easy way to get started with the LogicHub SOAR+ platform.
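As an added illustration of the check-in pattern described above (this is example code, not LogicHub's playbook or its output), the following scans a handful of constructed proxy log lines in a simplified, hypothetical `timestamp client method url status bytes` format and flags client/host pairs whose request intervals are unusually regular, the signature of a beaconing implant. The hosts, addresses and the 10% jitter threshold are assumptions chosen for the sample.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (hypothetical format): <timestamp> <client_ip> <method> <url> <status> <bytes>
# 10.0.0.5 polls one host every ~5 minutes; 10.0.0.7 browses irregularly.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 GET http://updates.example-vendor.test/check 200 512
2024-03-01T10:00:03 10.0.0.7 GET http://news.example.test/index.html 200 48211
2024-03-01T10:05:01 10.0.0.5 GET http://updates.example-vendor.test/check 200 514
2024-03-01T10:07:40 10.0.0.7 GET http://news.example.test/sports 200 39000
2024-03-01T10:10:00 10.0.0.5 GET http://updates.example-vendor.test/check 200 511
2024-03-01T10:15:02 10.0.0.5 GET http://updates.example-vendor.test/check 200 513
2024-03-01T10:20:00 10.0.0.5 GET http://updates.example-vendor.test/check 200 512
2024-03-01T10:31:15 10.0.0.7 GET http://news.example.test/weather 200 27000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_log(text):
    """Group request timestamps by (client_ip, destination host); skip unparseable lines."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        host = m.group(4).split("/")[2]  # host part of http://host/path
        events[(m.group(2), host)].append(ts)
    return events


def find_beacons(events, min_hits=4, max_cv=0.1):
    """Flag pairs whose inter-request gaps have a low coefficient of variation (stdev / mean)."""
    findings = []
    for (client, host), stamps in events.items():
        if len(stamps) < min_hits:  # too few requests to judge periodicity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            findings.append({"client": client, "host": host, "hits": len(stamps),
                             "period_s": round(mean), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f)  # the 10.0.0.5 pair, period 300 s
```

Against real proxy data the same grouping would also be enriched with response-size uniformity and destination reputation before an analyst sees it, which is the enrichment step the playbook text refers to.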
IOC Search & Event Enrichment
Many LogicHub customers use the LogicHub SOAR+ platform to automate searching for Indicators of Compromise (IOCs) from various third-party sources.
Automating the search and enrichment of threat intelligence helps the SOC identify potentially compromised machines and gaps in the environment’s security. This particular use case does not make any changes to the environment that could cause outages or block legitimate business processes; instead, it provides the insight needed to plan those changes.
Customers Tell Our Story Best
SOAR+ is the product of customer feedback. LogicHub would not be here if it wasn’t for our customers and our community of thought leaders, who help us every day make our platform the best it can be. We could not ask for a more loyal and generous community.