We received an alert from OSCAR informing us of anomalous activity. In this article you will see how we identified what caused the alert. Thankfully, OSCAR makes identifying anomalous activity extremely simple.
By looking at the alert email, we knew that the occurrence was between 9:00 and 10:00 am on a Monday morning. We also knew which firewall logged the event and the total number of events that occurred in that timeframe. This was a fairly large deviation from what is normal: the count was 24,589 events, whereas the Same Day / Same Hour baseline is 5,124.
With one click we launched OSCAR and, after entering our log-in credentials, were brought to the Query Tool, which is used to research the logs.
By looking at the graphs on the left of the Query Tool, we saw an obvious skew in the distribution of destination IPs as well as source IPs.
Simply hovering over the biggest slice of the source IPs brings up a box showing the IP address and the percentage of all sources it accounts for. Now the offending IP has been identified.
The same can be done for the destination IPs. Once identified, the Query Tool can be filtered to show only the offending source IP. Filtering can likewise be done on the destination IP if desired.
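The two checks described above, comparing an hour's event count with its Same Day / Same Hour baseline and then finding which source IP dominates that hour, as an added example that is not part of the original post or of OSCAR itself. The log line format and all log lines are constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import date, datetime

# Constructed firewall log lines in an assumed "YYYY-MM-DD HH:MM:SS src dst" format.
LOG_LINES = []
for day in ("2012-03-05", "2012-03-12", "2012-03-19"):   # three Mondays; the first two form the baseline
    for hour in (8, 9):
        for i in range(5):                                  # normal traffic: a few events per hour
            LOG_LINES.append(f"{day} {hour:02d}:{i * 10:02d}:00 10.0.0.{i + 1} 198.51.100.{i + 1}")
for i in range(40):                                         # burst from one workstation in the 09:00 hour
    LOG_LINES.append(f"2012-03-19 09:{i:02d}:30 10.0.0.50 203.0.113.{i % 7 + 1}")
CURRENT_DAY = date(2012, 3, 19)

def parse(line):
    day, clock, src, dst = line.split()
    return datetime.fromisoformat(f"{day} {clock}"), src, dst

def bucket_counts(lines):
    """Event count per (date, weekday, hour) bucket."""
    return Counter((ts.date(), ts.weekday(), ts.hour) for ts, _, _ in map(parse, lines))

def same_day_same_hour_baseline(counts, today):
    """Mean count per (weekday, hour) over the days before `today`."""
    totals, days = defaultdict(int), defaultdict(set)
    for (d, wd, h), n in counts.items():
        if d < today:
            totals[(wd, h)] += n
            days[(wd, h)].add(d)
    return {k: totals[k] / len(days[k]) for k in totals}

def anomalous_hours(lines, today, ratio=3.0):
    """(hour, count, baseline) for hours of `today` whose count exceeds ratio x baseline."""
    counts = bucket_counts(lines)
    base = same_day_same_hour_baseline(counts, today)
    return [(h, n, base.get((wd, h), 0.0))
            for (d, wd, h), n in sorted(counts.items())
            if d == today and n > ratio * base.get((wd, h), 0.0)]

def top_source(lines, today, hour):
    """Dominant source IP in that hour and its share of events, like the hover box in the Query Tool."""
    srcs = Counter(src for ts, src, _ in map(parse, lines)
                   if ts.date() == today and ts.hour == hour)
    ip, n = srcs.most_common(1)[0]
    return ip, round(100.0 * n / sum(srcs.values()), 1)

if __name__ == "__main__":
    for hour, n, base in anomalous_hours(LOG_LINES, CURRENT_DAY):
        print(hour, n, base, top_source(LOG_LINES, CURRENT_DAY, hour))
```

An hour with no earlier same-weekday data has a baseline of 0 and is always flagged, which is the conservative choice for a new log source.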
Now that the Query Tool is filtered, a right click over a destination IP will bring up a menu with a variety of options.
- Show Raw Event
- Show Port Information
- Show Hostname
- Show IP Information
By choosing Show IP Information, another box will appear with the option of looking up the source or destination IP. When the destination is selected, OSCAR will request a reverse lookup and display a map with hostname information.
Using this tool enables a user to dig deeper and see whether someone visited a malicious website, or whether their computer was infected by malware trying to call home.
So we spent a couple of minutes tracking down what happened. John Verry, Security Sherpa at Pivot Point Security, thought that it might be a tool crawling the Internet, so he came over to my desk and said “Are you running a new keyword analysis tool?”
We verified that the source IP matched my machine and that at the exact times OSCAR showed in the Query Tool, I was testing a new tool.
OSCAR is designed to simplify log management for all users. Yes, OSCAR alerts on anomalous activity and has a Query Tool for drilling down into log events. But, as the example above shows, OSCAR also helped management improve security awareness, since it took only a matter of minutes before the activity was identified and verified as a non-issue.
OSCAR really is Security Event Management, Simplified.