I have an assignment in which I have three logs from a network: one for control, from which I can define a typical behaviour pattern; one in which I have strange behaviour from accesses within the network; and a third one from accesses outside the network. I don't have experience in that kind of analysis, so I'd like to know how to do it. What kinds of anomalous behaviour are most common? And if you have any references for good material on how to do that data analysis, it would be deeply appreciated. I also need to define SIEM rules to prevent the behaviours found.
The data I have in each log is in the form:
timestamp src_ip dst_ip proto port up_bytes down_bytes explanation
1512449 192.168.103.17 192.168.103.235 tcp 443 14426 169304
And there are hundreds of thousands of lines per file. How do you do that analysis in bulk? Maybe by analysing graphs plotted from the data?
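One way to start the bulk analysis, shown here as an added example and not as code or data from the question above: parse the posted format (the trailing `explanation` field is optional, as the sample line shows), learn a baseline from the control log, then score every line of a second log against it. The script flags three things that map directly onto SIEM rules: a (src, dst, proto, port) combination never seen in the control period, an upload volume for a given src/proto/port that exceeds the baseline mean by more than a chosen number of standard deviations, and a source that contacts many previously unseen (dst, port) pairs, which is what a port sweep looks like in flow data. The log lines below are constructed, and the thresholds (3 sigma, 5 new ports) are illustrative assumptions, not values from the assignment.

```python
"""Baseline-vs-test triage of flow logs in the format
'timestamp src_ip dst_ip proto port up_bytes down_bytes [explanation]'.

Added example: the CONTROL_LOG / TEST_LOG lines are constructed, and the
sigma and scan_ports thresholds are assumptions to be tuned on real data.
"""
from collections import defaultdict
from statistics import mean, pstdev

FIELDS = ("timestamp", "src_ip", "dst_ip", "proto", "port", "up_bytes", "down_bytes")


def parse_line(line):
    """Parse one log line into a dict; returns None for blank/truncated lines."""
    parts = line.split(None, 7)            # at most 8 chunks: 7 fields + free text
    if len(parts) < 7:
        return None
    rec = dict(zip(FIELDS, parts[:7]))
    rec["explanation"] = parts[7] if len(parts) == 8 else ""   # field is optional
    for key in ("timestamp", "port", "up_bytes", "down_bytes"):
        rec[key] = int(rec[key])
    return rec


def parse_log(text):
    """Parse a whole file's worth of lines, skipping anything unparseable."""
    return [r for r in map(parse_line, text.splitlines()) if r]


def build_baseline(records, sigma=3.0):
    """Learn 'normal' from the control log: known flows and per-service upload limits."""
    flows = set()                          # (src, dst, proto, port) tuples ever seen
    uploads = defaultdict(list)            # (src, proto, port) -> up_bytes samples
    for r in records:
        flows.add((r["src_ip"], r["dst_ip"], r["proto"], r["port"]))
        uploads[(r["src_ip"], r["proto"], r["port"])].append(r["up_bytes"])
    # Need at least two samples for a spread; otherwise no limit is learned.
    limits = {k: mean(v) + sigma * pstdev(v) for k, v in uploads.items() if len(v) >= 2}
    return {"flows": flows, "upload_limit": limits}


def triage(baseline_text, test_text, sigma=3.0, scan_ports=5):
    """Score every line of test_text against a baseline built from baseline_text."""
    base = build_baseline(parse_log(baseline_text), sigma)
    flagged = []
    new_targets = defaultdict(set)         # src -> distinct (dst, port) unseen in baseline
    for r in parse_log(test_text):
        reasons = []
        flow = (r["src_ip"], r["dst_ip"], r["proto"], r["port"])
        if flow not in base["flows"]:
            reasons.append("new_flow")
            new_targets[r["src_ip"]].add((r["dst_ip"], r["port"]))
        limit = base["upload_limit"].get((r["src_ip"], r["proto"], r["port"]))
        if limit is not None and r["up_bytes"] > limit:
            reasons.append("upload_spike")
        if reasons:
            flagged.append((r["timestamp"], r["src_ip"], r["dst_ip"], r["port"], reasons))
    # A source touching many never-seen (dst, port) pairs behaves like a port sweep.
    scanners = {src: len(t) for src, t in new_targets.items() if len(t) >= scan_ports}
    return {"flagged": flagged, "scanners": scanners}


# Constructed sample data (not the poster's logs).
CONTROL_LOG = """\
1512000 192.168.103.17 192.168.103.235 tcp 443 14000 170000
1512060 192.168.103.17 192.168.103.235 tcp 443 15000 160000
1512120 192.168.103.17 192.168.103.235 tcp 443 13000 180000
1512180 192.168.103.17 192.168.103.235 tcp 443 14400 169000
1512240 192.168.103.22 192.168.103.10 udp 53 120 400
1512300 192.168.103.22 192.168.103.10 udp 53 110 380
1512360 192.168.103.22 192.168.103.235 tcp 443 9000 90000
1512420 192.168.103.22 192.168.103.235 tcp 443 8000 100000
"""

TEST_LOG = """\
1513000 192.168.103.17 192.168.103.235 tcp 443 14426 169304
1513060 192.168.103.17 10.20.30.40 tcp 443 480000 2100 upload to unknown host
1513120 192.168.103.22 192.168.103.235 tcp 22 200 300
1513121 192.168.103.22 192.168.103.235 tcp 23 200 300
1513122 192.168.103.22 192.168.103.235 tcp 80 200 300
1513123 192.168.103.22 192.168.103.235 tcp 8080 200 300
1513124 192.168.103.22 192.168.103.235 tcp 3389 200 300
1513180 192.168.103.22 192.168.103.10 udp 53 115 390
"""

if __name__ == "__main__":
    result = triage(CONTROL_LOG, TEST_LOG)
    for row in result["flagged"]:
        print(*row)
    print("scan-like sources:", result["scanners"])
```

On the constructed data the first test line (the one from the question) passes silently because the flow exists in the control log and 14426 bytes is inside the learned limit; the upload to 10.20.30.40 is flagged as both a new flow and an upload spike, and 192.168.103.22 is reported as a scanner after hitting five unseen ports. Each of those three reasons is the kind of condition a SIEM correlation rule can express (unknown destination for a host, per-host upload threshold, distinct-port count per source per time window); the per-service baselines are the part to tune on the real control log rather than the 3-sigma guess used here.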