Secops

LogZilla App Store application: Secops

SecOps Security Monitoring

The SecOps app provides security event detection and categorization across multiple security domains. It analyzes log messages from firewalls, intrusion detection systems, endpoint security tools, authentication systems, and other security infrastructure to identify and tag security-relevant events.

App Function

The SecOps app uses a high-performance three-gate filtering pipeline to:

  • Detect security events across multiple categories
  • Tag events with relevant security classifications
  • Enable rapid threat identification and response
  • Provide unified security monitoring across diverse log sources

Security Categories

The app categorizes security events into five primary areas:

  1. Exfiltration Detection - Data theft and unauthorized transfers
  2. Authentication Failures - Failed login attempts and access denials
  3. Attack Surface Reduction - Security hardening and patching activities
  4. Security Events - General security alerts and incidents
  5. Attack Patterns - Known attack techniques and exploit attempts

How It Works

Three-Gate Pipeline

The app uses an optimized three-stage filtering process for maximum performance:

Gate 1: Program Filter
Checks whether the log source program matches the category allowlist. This fast substring check eliminates most irrelevant events immediately.

Gate 2: Seed Terms
Scans the message for category-specific seed terms using literal substring matching. Only messages containing relevant keywords proceed to pattern matching.

Gate 3: Pattern Matching
Uses an optimized first-character lookup table to match efficiently against category-specific security patterns.

This pipeline achieves approximately 3.5 microseconds per event (~280,000 events per second) on typical hardware.
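The three gates above, as an added illustration in Python that is not LogZilla's code: the categories, program allowlists, seed terms and patterns are constructed for this example, and each pattern carries its first literal character explicitly so the gate 3 lookup table can be built from it.

```python
import re
from collections import defaultdict

class Category:
    def __init__(self, name, programs, seeds, patterns):
        self.name, self.programs, self.seeds = name, programs, seeds
        # Gate 3 table: first literal character -> compiled regexes tried only at offsets of that char
        self.table = defaultdict(list)
        for first_char, regex in patterns:
            self.table[first_char].append(re.compile(regex))

# Constructed rule set for illustration; not LogZilla's real programs, seeds or patterns.
CATEGORIES = [
    Category("SecOps Auth Failure", ["sshd", "fail2ban", "krb5kdc"],
             ["failed", "invalid", "preauth"],
             [("f", r"failed password for (invalid user )?\S+ from \S+"),
              ("p", r"preauth_failed")]),
    Category("SecOps Attack Pattern", ["modsecurity", "nginx"],
             ["union", "../", "<script"],
             [("u", r"union\s+select"), (".", r"\.\./\.\./"), ("<", r"<script")]),
    Category("SecOps Security Event", ["sshd", "auditd"],
             ["invalid user"], [("i", r"invalid user \S+")]),
]

def classify(program, message):
    """Return the SecOps tags for one event; an event may receive several."""
    prog, msg = program.lower(), message.lower()
    tags = []
    for cat in CATEGORIES:
        # Gate 1: cheap substring check of the program name against the allowlist
        if not any(p in prog for p in cat.programs):
            continue
        # Gate 2: literal seed terms; no keyword present means no regex work at all
        if not any(s in msg for s in cat.seeds):
            continue
        # Gate 3: try only the patterns whose first character sits at offset i
        if any(rx.match(msg, i) for i, ch in enumerate(msg)
               for rx in cat.table.get(ch, ())):
            tags.append(cat.name)
    return tags

# Constructed sample events; the last two are dropped by gate 1 and gate 2 respectively.
SAMPLE_EVENTS = [
    ("sshd", "Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2"),
    ("modsecurity", "Warning. Pattern match in ARGS:id: 1 UNION SELECT 2,3"),
    ("nginx", "GET /static/../../../../etc/passwd HTTP/1.1 404"),
    ("cron", "Failed password rotation job for invalid user list"),
    ("sshd", "Accepted publickey for deploy from 198.51.100.4 port 40100"),
]
```

The first sample event receives both SecOps Auth Failure and SecOps Security Event, the multi-tag case described under User Tags Generated; the cron event shows why gate 1 runs first, since its message contains every seed term but comes from a program outside the allowlist.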

Supported Log Sources

The app recognizes security events from a wide range of sources:

Network Security

Note: For product-related log sources, you must enable the associated app in the LogZilla App Store for each log source to be detected.

  • Firewalls: pfsense, Fortigate, WatchGuard, Juniper, Meraki Firewall
  • IDS/IPS: snort, Meraki IDS, Zeek
  • Proxies: squid

Endpoint Security

  • EDR/Monitoring: sysmon, defender
  • Antivirus: defender

Authentication & Access

  • SSH: sshd
  • VPN: openvpn, Meraki VPN, Prisma-Auth
  • Directory Services: krb5kdc (Kerberos), slapd (LDAP)
  • Windows: MSWin Security-Auditing, MSWin TerminalServices
  • Network Auth: Meraki Auth Events
  • Brute Force Protection: fail2ban

Web Security

  • WAF: modsecurity

System Security

  • Audit: auditd
  • Firewall: iptables
  • Web Server: nginx

Configuration Management

  • Automation: ansible
  • Windows Updates: wuauserv
  • Windows Services: MSWin System, MSWin Service_Control_Manager

Cloud & SDN

  • Prisma: Prisma, Prisma-Auth
  • Meraki: Meraki Flow, Meraki URLs, Meraki Content Filter, Meraki Wireless

User Tags Generated

The app generates the following user tags based on detected security events:

  Tag Name                         | Description                             | Category
  SecOps Exfil                     | Data exfiltration attempt detected      | Exfiltration
  SecOps Auth Failure              | Authentication or authorization failure | Auth Failure
  SecOps Attack Surface Reduction  | Security hardening activity             | Surface Reduction
  SecOps Security Event            | General security event or alert         | Security Event
  SecOps Attack Pattern            | Known attack pattern or technique       | Attack Pattern

Events can receive multiple tags if they match criteria for multiple categories.

Integration with Other Apps

The SecOps app runs at rule priority 900, which means it executes after most vendor-specific apps. This allows it to leverage normalized program names set by other apps:

  • ms_windows app sets MSWin Security-Auditing, MSWin TerminalServices
  • cisco_meraki app sets Meraki IDS, Meraki Firewall, Meraki VPN
  • fortigate app sets Fortigate
  • zeek app sets Zeek
  • paloalto_prisma app sets Prisma-Auth

Install relevant vendor apps alongside SecOps for optimal security monitoring coverage.

Dashboard

The app includes a detailed security overview dashboard featuring:

  • Real-time security event rates (EPS/EPD)
  • Threat level distribution and scoring
  • Authentication failure tracking
  • Attack pattern analysis
  • Geographic attack source/destination mapping
  • Security events by program and severity
  • Exfiltration detection metrics
  • Attack surface reduction tracking