<h1>UEBA rules in the SIEM system</h1>
<p>Kaspersky blog (Turkish edition), published 2025-08-21. Source: <a href="https://www.kaspersky.com.tr/blog/ueba-rules-in-kaspersky-siem/13685/">https://www.kaspersky.com.tr/blog/ueba-rules-in-kaspersky-siem/13685/</a>. English original: <a href="https://www.kaspersky.com/blog/ueba-rules-in-kaspersky-siem/54060/">https://www.kaspersky.com/blog/ueba-rules-in-kaspersky-siem/54060/</a>. Tags: AI, SIEM, UEBA.</p>
<p><em>Summary: Using anomalies in the behavior of users, devices, applications and other entities to detect cyberthreats.</em></p>
<p>Today's cyberattackers are masters of disguise who work hard to make their malicious activity look like normal processes. They use legitimate tools, communicate with command-and-control servers through public services, and make the execution of malicious code look like ordinary user actions. Such activity is almost invisible to traditional security solutions; however, by analyzing the behavior of specific users, service accounts or other entities, some anomalies can be uncovered. This is the core concept of a threat-detection method called UEBA (User and Entity Behavior Analytics). We have implemented this method in the latest version of our SIEM system, Kaspersky Unified Monitoring and Analysis Platform.</p>
<h2>How does UEBA work inside a SIEM system?</h2>
<p><a href="https://encyclopedia.kaspersky.com/glossary/ueba/" target="_blank" rel="noopener">By definition</a>, UEBA is a cybersecurity technology that identifies threats by analyzing the behavior of users, devices, applications and other objects in an information system. In principle, the technology can be used with any security solution, but in our view it delivers the most effective results when integrated into a SIEM platform. A SIEM system equipped with UEBA detection rules can use machine learning to build a baseline of normal behavior for a user or object (a computer, a service or another entity) and then analyze deviations from that typical behavior. This enables timely detection of APTs, targeted attacks and insider threats.</p>
<p>That is why we equipped our SIEM system with a UEBA rule package designed specifically to detect anomalies in authentication processes, network activity and process execution on Windows-based workstations and servers. This lets the system find new attacks more intelligently, including ones that are hard to detect with ordinary correlation rules, signatures or indicators of compromise. Every rule in the UEBA package is based on profiling the behavior of users and objects. The rules fall into two main categories:</p>
<ul>
<li>Statistical rules that use the <a href="https://tr.wikipedia.org/wiki/%C3%87eyrekler_a%C3%A7%C4%B1kl%C4%B1%C4%9F%C4%B1" target="_blank" rel="nofollow noopener">interquartile range</a> to identify anomalies based on current behavior data.</li>
<li>Rules that detect deviations from normal behavior established by analyzing an account's or object's past activity.</li>
</ul>
<p>When a deviation from the historical norm or statistical expectation is detected, the system generates an alert and raises the risk score of the object in question (a user or a host). (To learn more about how our SIEM solution uses AI for risk scoring, read <a href="https://www.kaspersky.com/blog/ai-technology-in-kaspersky-siem/53238/" target="_blank" rel="noopener nofollow">this article</a>.)</p>
<h2>Structure of the UEBA rule package</h2>
<p>For this rule package, we focused on the areas where UEBA technology works best: account protection, network activity monitoring and secure authentication. Our UEBA rule package currently contains the following sections:</p>
<h3>Authentication and permission control</h3>
<p>These rules detect unusual logon methods, spikes in authentication failures, accounts added to local groups on different computers, and authentication attempts outside normal working hours. Each of these deviations is flagged and raises the user's risk score.</p>
<h3>DNS profiling</h3>
<p>Dedicated to analyzing DNS queries made by computers on the corporate network, the rules in this section collect historical data to identify anomalies such as queries for unknown record types, excessively long domain names, unusual zones or atypical query frequencies. They also monitor the volume of data sent back over DNS. Such deviations are treated as potential threats and therefore raise the host's risk score.</p>
<h3>Network activity profiling</h3>
<p>In this section, which monitors connections between computers inside the network and to external resources, the rules flag first-time connections to new ports, connections to previously unknown hosts, unusual outbound traffic volumes and access to management services. Any action that deviates from normal behavior generates an alert and raises the risk score.</p>
<h3>Process profiling</h3>
<p>This section monitors programs launched from Windows system folders. When a new executable is run for the first time from the System32 or SysWOW64 directory on a given computer, it is flagged as an anomaly. This raises the risk score of the user who started the process.</p>
<h3>PowerShell profiling</h3>
<p>This section monitors where PowerShell scripts are executed from. If a script is run for the first time from a non-standard directory, one that is not Program Files, Windows or another common location, the action is flagged as suspicious and the user's risk score increases.</p>
<h3>VPN monitoring</h3>
<p>This section flags a range of events as risky: logons from countries not previously associated with the user's profile, geographically impossible travel, unusual traffic volumes over the VPN, VPN client changes, and multiple failed logon attempts. Each of these events causes the user account's risk score to rise.</p>
<p>Using these UEBA rules helps us detect sophisticated attacks and reduce false positives by analyzing behavioral context. This significantly improves the accuracy of our analysis and reduces the workload of security analysts. Assigning a risk score to an object using UEBA and AI prioritizes incidents more accurately, which speeds up and improves each analyst's response time. Combined with the automatic construction of typical-behavior baselines, this substantially increases the overall efficiency of security teams: it frees them from routine tasks and provides richer, more accurate behavioral context for threat detection and response.</p>
<p>We are continuously improving the usability of our SIEM system. For updates on Kaspersky Unified Monitoring and Analysis Platform, keep an eye on the <a href="https://www.kaspersky.com.tr/enterprise-security/unified-monitoring-and-analysis-platform?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______" target="_blank" rel="noopener">official product page</a>.</p>