[Use case] Detecting suspicious software installations

[Use case] Detecting suspicious software installations

Hello all,
In this series of posts, we'll share various product use cases, their importance, and how the product can be used to solve them. In this post, we look at the correlation rule to detect suspicious software installations.

Rule name: Suspicious software installed

What the rule detects: This correlation rule allows you to detect potentially malicious software installed within your organization.

Why the rule is useful: Since organizations use hundreds of applications, it's very easy for an isolated software on a single device to go unnoticed. If a hacker from any point of the globe is able to access your organization's VPN, they can easily gain entry to a device on your network and install malicious software on it. This software can be used to send confidential data back to the hacker or even infect other devices on your network. So, it's important to watch out for unauthorized software installation.
How the rule works: The EventLog Analyzer component of Log360 first looks for brute-force access to your organization's VPN by checking for several failed VPN logons, followed by a successful VPN logon. If this activity is followed by a successful logon to a device on your network and a software installation on the same device, EventLog Analyzer connects the dots and alerts you via email or SMS about this potentially unauthorized software installation.