Analytics & Use Cases
After Logpoint ingests your logs, you can:
Access and view events in real time through Dashboards.
Enable Alerts
Set up Reports
Unix Dashboards
Dashboards give you log source data visualization updated in real-time. Out-of-the-box dashboards included with the integration are termed Vendor Dashboards.
Unix has 4 Vendor Dashboards
LP_Unix Overview
Widget Name
Description
Top 10 Process Running
The top ten Unix processes running on Logpoint, letting the administrator see what is running, which resources those processes use, how the system is affected by load and how memory is being used.
Events Timetrend
A time trend of the Unix events, grouped by event severity or event type, to analyze the performance of Logpoint over time.
Top 10 Commands Used
The top ten most used Unix commands, such as sudo, which give the user direct, interactive control over Logpoint resources through a terminal.
Top 10 Sudo Commands
The top ten sudo commands. sudo allows you to run programs with the security privileges of another user (by default, the superuser).
Top 10 Sources in Denied Connection
The top ten source addresses denied access to Unix networks, to protect your system.
Top 10 Users in Successful Logins
The top ten users who successfully logged in, allowing the administrator to view the user account name, date and login time.
Top 10 Users in Failed Logins
The top ten users who failed to log in, indicating invalid login attempts, forgotten passwords or mistyped passwords.
Top 10 Sources in Successful User Logins
The top ten source addresses in successful user logins.
Top 10 Sources in Failed User Logins
The top ten source addresses in failed user logins.
User Login Status
The login status of each user, either successful or failed.
LP_Unix Privilege Escalation
Widget Name
Description
Session Duration
The session duration, from when a user enters a Unix system, interacts with it and exits.
Root Privilege Command Execution
The executed commands that require permissions not granted to a standard UNIX user account. The widget includes the root session start timestamp, root session end timestamp, user, command execution timestamp and command.
Top 10 Users in Privilege Escalation
The top ten users who gained unauthorized admin or root level privileges in a Unix system. It enables the administrator to discover opportunities to improve Unix privilege management and security, reducing the risk of a cyber attack.
Top 10 Command Executed
The top ten executed Unix commands, which administrators check for successful execution.
LP_Unix:Authentication
Widget Name
Description
Top 10 Successful Administrative Logins
The top ten successful administrative logins with rights to control or restrict the activity of other users. You need a list of ADMINS to run this query.
Top 10 Users in Successful Login
The top ten users who successfully logged in with valid credentials to gain access to the Unix system.
Users in Successful Login - List
The list of successful user logins using valid credentials, by user, action and source address.
Top 10 Users in Failed Login
The top ten users with invalid or expired credentials who failed to log in, so the administrator can trace the source of the login attempts and spot signs of a brute force attack.
Users in Failed Login - List
The list of failed user logins by user, action and source address.
Top 10 Failed Administrative Logins
The top ten failed login attempts by administrative users (ADMINS, root or administrator) whose authentication details the Unix system did not recognize. You need a list of ADMINS to run this query.
Top 10 User Login Activities
The top ten successful or failed login activities, so the administrator can better determine which user behavior is legitimate and prevent brute force attacks on the Unix system.
LP_Unix:User Account Management
Widget Name
Description
Created Accounts - List
The list of created accounts to access the Unix system or any service running on the Unix system for an administrator to authenticate, trace, log and monitor its services.
User Accounts Created
The created user accounts, each with a user name, password and assigned permission levels.
User Accounts Deleted
The deleted user accounts, which are barred from accessing data, services, systems and network resources.
Activities in User Account Management
The activities in user account management, such as adding users or groups. It allows administrators to group users and define flexible access policies.
Activities in User Account Management - List
The list of activities in user account management by user and action.
Top 10 Actions in User Account Management
The top ten actions performed in user account management.
User Account Password Change
The changed user account passwords, to ensure account security, prevent the default password problem and allow the administrator to authenticate the user.
Locked User Account
The user accounts locked because the number of incorrect password entries exceeded the maximum allowed by the account password policy.
User Account Unlocked
The user accounts reset (unlocked) by an administrator.
User Account Locked/Unlocked - Status
The locked or unlocked status of user accounts by user, action and object.
Newly Created Group - List
The list of newly created groups in Unix.
Deleted Group - List
The list of deleted groups from Unix.
Group User Deletion - List
The users deleted or removed from a group in Unix.
User Added in Group
The users added to a group in Unix.
Adding the Unix Dashboards
Unix Reports
The available report templates are:
LP_Unix: User Privilege Escalation
LP_Unix: User Account Management
LP_Unix: Authentication
Generating Unix Reports
Step 6
Click Submit.
You can view the reports being generated under Report Jobs and download them. Click PDF under Download to get .pdf formatted reports.
For more information on scheduling, see: Report Documentation
You can analyze the data using a report’s graphs, time trends, lists, and text. Report data summarizes incidents during a specific period, such as the past 24 hours or the past five minutes. While generating a report, you can also customize the calendar period.
Unix Alerts
Alerts available in Unix include the following examples.
LP_Unix Possible Bruteforce Attack
Trigger Condition: An account that does not exist is used repeatedly to log in. This may be a brute force attack by a bot, malware or threat agent.
ATT&CK Category: Credential Access
ATT&CK Tag: Brute Force
ATT&CK ID: T1110
Minimum Log Source Requirement: Unix
Query:
LP_Unix Kernel Logging Stopped
Trigger Condition: The Unix kernel stops logging, which may violate the organization's audit compliance.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Impair Defenses, Indicator Blocking
ATT&CK ID: T1562, T1562.006
Minimum Log Source Requirement: Unix
Query:
LP_Unix User Deleted
Trigger Condition: A user account is deleted.
ATT&CK Category: Impact
ATT&CK Tag: Account Access Removal
ATT&CK ID: T1531
Minimum Log Source Requirement: Unix
Query:
LP_Unix Password Expiry Changed for User
Trigger condition: Password expiry information is changed for a user.
Minimum Log Source Requirement: Unix
Query:
LP_Unix User Account Unlocked
Trigger condition: Unlocked user account detected.
Minimum Log Source Requirement: Unix
Query:
LP_Unix Excessive Denied Connection
Trigger condition: An excessive number of denied connections from the same source is detected, i.e., 100 denied connections within two minutes.
Minimum Log Source Requirement: Unix
Query:
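As an added example (not Logpoint's own query or code), the following Python emulates the trigger logic of the LP_Unix Possible Bruteforce Attack and LP_Unix Excessive Denied Connection alerts above over constructed syslog-style lines: a per-key sliding window that fires when 100 denied connections from one source fall within two minutes, and when a non-existent account is tried repeatedly. The five-attempt threshold for the brute-force case, the ISO timestamp format and the sample hosts and addresses are assumptions that the page does not state.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style sample lines (ISO timestamp, host, process, message). The
# message shapes follow OpenSSH / TCP wrappers; hosts, addresses and counts are made up.
def build_sample_lines():
    base = datetime(2024, 1, 1, 10, 0, 0)
    stamp = lambda s: (base + timedelta(seconds=s)).isoformat()
    lines = [f"{stamp(i)} host1 sshd[41]: refused connect from 203.0.113.7 (203.0.113.7)"
             for i in range(100)]                       # 100 refusals in 100 s
    lines += [f"{stamp(i * 20)} host1 sshd[42]: Invalid user backup from 198.51.100.9 port 5000"
              for i in range(5)]                        # missing account, 5 tries in 80 s
    lines.append(f"{stamp(1800)} host1 sshd[43]: Invalid user test from 198.51.100.9 port 5001")
    lines.append(f"{stamp(1860)} host1 sshd[44]: refused connect from 198.51.100.9 (198.51.100.9)")
    return lines

INVALID_USER = re.compile(r"Invalid user (\S+) from (\S+)")
REFUSED = re.compile(r"refused connect from (\S+)")

def parse(line):
    """Return (timestamp, event_type, key), or None for lines the alerts ignore."""
    ts_text, _, message = line.partition(" ")
    ts = datetime.fromisoformat(ts_text)
    if m := INVALID_USER.search(message):
        return ts, "invalid_user", m.group(1)       # key: the account name that does not exist
    if m := REFUSED.search(message):
        return ts, "denied", m.group(1)             # key: the refused source address
    return None

def sliding_window_hits(events, window, threshold):
    """Keys that accumulate >= threshold events inside any span of length window."""
    recent, fired = defaultdict(deque), set()
    for ts, key in sorted(events):
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:                   # evict events older than the window
            q.popleft()
        if len(q) >= threshold:
            fired.add(key)
    return fired

def detect(lines, denied_threshold=100, brute_threshold=5, window=timedelta(minutes=2)):
    """Emulates both alerts: (sources with excessive denials, repeatedly tried missing users).
    brute_threshold=5 is an assumed value; the page gives no number for that alert."""
    parsed = [p for p in map(parse, lines) if p]
    denied = [(ts, key) for ts, kind, key in parsed if kind == "denied"]
    invalid = [(ts, key) for ts, kind, key in parsed if kind == "invalid_user"]
    return (sliding_window_hits(denied, window, denied_threshold),
            sliding_window_hits(invalid, window, brute_threshold))
```

The single refusal and single invalid-user attempt from 198.51.100.9 half an hour later stay below both thresholds, so only 203.0.113.7 and the account name backup are reported.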
LP_Unix Possible DNS Server Modified
Trigger condition: Unauthorized modification of the default Application Layer Protocol and DNS server is detected.
Minimum Log Source Requirement: Unix
Query:
LP_Unix Group Deleted
Trigger condition: A group is deleted.
Minimum Log Source Requirement: Unix
Query:
LP_Unix User Session Alert
Trigger condition: Authentication for a user is successful and the session of a previous user has exited.
Minimum Log Source Requirement: Unix
Query:
LP_Unix User Removed from Privileged Group
Trigger condition: A user account is removed from the privileged group.
Minimum Log Source Requirement: Unix
Query:
Unix Report Templates
There are three Unix Report Templates:
LP_Unix: User Privilege Escalation — incident summary report with statistics on session duration, commands executed, users in privilege escalation, and root privilege command execution in graphs and lists.
LP_Unix: User Account Management — incident summary report with statistics on created/deleted accounts, activities, locked/unlocked accounts, group changes, and account status in graphs or lists.
LP_Unix: Authentication — incident summary report with statistics on successful/unsuccessful administrative logins and user login activities in graphs or lists.
Using Unix Report Templates
We do our best to ensure that the content we provide is complete, accurate and up to date. Logpoint makes no representations or warranties of any kind, express or implied about the documentation. We update it on a best-effort basis.