2021-08-10T10:22:00Z

What are the top use cases to implement after deploying a SIEM?

CC

8 Answers

SA
Real User
Top 5
2022-08-03T15:04:30Z
Aug 3, 2022

It really depends on your environment.

As none of us knows what Azure services you are using, it's hard to come up with hard/direct answers to your question.

In general, however, it’s always a good idea to monitor identities and the security policies around identities, i.e. sign-in/audit logs from Azure Active Directory.

Also, keep in mind not every log type is super important to run through a SIEM solution.

Also, I would recommend you start out slow/small.

Is it Microsoft Sentinel you have implemented? If that’s the case, enable UEBA and Analytic Rules that require those specific log types.

From my perspective, the SIEM is the 1st move towards the more clever SOAR “approach”.

EB
Community Manager
Aug 4, 2022

@Soren
cc: @Chiheb Chebbi

Thanks for your answer regarding SIEM. 

As to your last sentence regarding SOAR, I have a question: do you think the next step is to move to SOAR (and not an XDR tool), if the company's budget permits?

Also, do you know whether a separate SOAR product will still be required in the case of an XDR solution? 

Thanks.

Robert Cheruiyot - PeerSpot reviewer
Real User
Top 5Leaderboard
2022-08-02T12:48:18Z
Aug 2, 2022

- Detect unusual/suspicious logins. For example, you can count the number of failed login attempts within a given time.

- Detect abnormal traffic which might indicate potential C2 traffic.

- Detect attempts to access your systems/network from unusual locations/IPs.

- Monitor and detect unusual behaviors of user accounts, to dig out potential insider threats and abuse of orphan accounts or system accounts.

- Detect phishing attacks by identifying user accounts that communicate with malicious domains.

Threat intelligence comes in handy in this aspect.

SA
Real User
Top 5
2022-08-14T09:12:48Z
Aug 14, 2022

My expertise is based on Microsoft products: Defender 365 (the Defender suite) and Microsoft Sentinel (SIEM/SOAR).

I would never leave the “automated response” approach (SOAR), but I also see XDR and SOAR as tools that complement each other.

It’s actually a tough question to answer, but there is a rather good article here (hopefully, you will find it helpful): https://www.crowdstrike.com/cybersecurity-101/what-is-xdr/xdr-vs-siem-vs-soar/

NavcharanSingh - PeerSpot reviewer
Real User
Top 5
2022-09-15T11:51:51Z
Sep 15, 2022

Use cases for SIEM Deployment:

1. Detecting compromised user credentials

2. Tracking system changes

3. Detecting unusual behavior on privileged accounts

4. Secure cloud-based applications

5. Phishing detection

6. Monitoring loads and uptimes

7. Log Management

8. SIEM for GDPR, HIPAA, or PCI compliance

9. Threat Hunting

10. SIEM for automation

Ace Managed SIEM provides real-time security alerts and in-depth network visibility with a state-of-the-art dashboard. Your environment is protected with 24/7 monitoring and AI-powered forensic analysis.

Shibu Babuchandran - PeerSpot reviewer
Real User
ExpertModerator
2021-08-10T14:35:41Z
Aug 10, 2021

Some of the use cases that are important and a good start would be:

- Authentication activities

- Account management

- Connection activities

- Policy-related activities

Shibu Babuchandran - PeerSpot reviewer
Real User
ExpertModerator
2021-08-17T14:34:28Z
Aug 17, 2021

Some of the top use cases for SIEM:

1. Authentication activities

Security use cases should ensure that only legitimate users have access to the network. Implement use cases to detect attacks such as Brute Force attacks that target user credentials. Monitor the frequency of failed and successful logins to critical systems and report failed login attempts above the set threshold.

Other activities to monitor would include logins attempted at strange hours, multiple logins from the same IP address, and modifications to system files.

Raise alerts and generate reports as soon as suspicious authentication activity is detected. Having timely and detailed information about the attack helps security officers determine the impact of a compromised account and prevent additional damage.

2. Account management

Attackers know that privileged user credentials will give them greater access to sensitive data and important corporate resources. Account management security use cases should provide full visibility on privileged accounts and detect activities that indicate account misuse.

Monitor user account creation and deletion, and activities related to system and resource access. Keep an eye out for sudden activity on inactive accounts and increased activity around sensitive data.

Use cases should also flag the unusual escalation of privileges, unauthorized access to shared folders, and any unusual behavior that points to stolen user credentials, like employees trying to access data or systems they rarely use.

3. Connection activities

As remote work environments become the norm, it’s crucial to pay closer attention to connection activities related to routers, ports, wireless access points, etc. across the company network.

Your use cases should ensure that remote connections are coming from the expected locations and send alerts for suspicious locations or concurrent VPN connections. Identify and report on connections, both allowed and denied, and provide detailed information on connection attempts such as hostname, source country, destination country, and direction.

4. Policy-related activities

Regulatory bodies such as HIPAA, GDPR, and PCI-DSS require specific procedures related to data integrity and confidentiality. These procedures are usually well documented, making it easy to create use cases based on the rules and regulations outlined.

Create use cases that monitor the underlying security controls that enforce compliance. Monitor log files, changes to credentials and events related to personal data, and policy changes related to audits, authentication, authorization, etc. Flag unauthorized changes to configuration files and deleted audit trails.

5. Threat, malware, and vulnerability detection

SIEM is a vital part of threat detection. Use cases created should detect indicators of compromise, malware infections, and system vulnerabilities. Look for activities that suggest malware, like unusual network traffic spikes and traffic queries to known malware domains and IP addresses.

Forensic analysis of historical data and threat intelligence feeds can also identify patterns that can expose past or ongoing threat behavior. SIEM use cases can also test for known risks using aggregated data from the SIEM system.
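
The connection-activity use case in point 3 (connections from unexpected locations, concurrent VPN sessions), as an added Python example that is not from this answer or from any SIEM product; the session records, the list of expected countries and the overlap rule are constructed for illustration:

```python
from datetime import datetime

# Constructed VPN session records (not from a real VPN concentrator):
# (user, source country, login time, logout time, source IP).
SESSIONS = [
    ("alice", "DE", "2021-08-17T08:00:00", "2021-08-17T12:00:00", "203.0.113.10"),
    ("alice", "BR", "2021-08-17T10:30:00", "2021-08-17T11:00:00", "198.51.100.7"),
    ("bob",   "DE", "2021-08-17T08:00:00", "2021-08-17T09:00:00", "203.0.113.22"),
    ("bob",   "DE", "2021-08-17T09:30:00", "2021-08-17T10:00:00", "203.0.113.22"),
    ("carol", "KP", "2021-08-17T13:00:00", "2021-08-17T13:05:00", "192.0.2.44"),
]
# Countries this (constructed) organisation expects its staff to connect from.
EXPECTED_COUNTRIES = {"DE", "NL"}


def unexpected_location(sessions, expected=EXPECTED_COUNTRIES):
    """(user, country) pairs for connections from a country outside the expected set."""
    return sorted({(u, c) for u, c, *_ in sessions if c not in expected})


def concurrent_vpn(sessions):
    """(user, country A, country B) for two sessions of one user that overlap in time
    but come from different countries: the user cannot be in both places at once."""
    parse = datetime.fromisoformat
    by_user = {}
    for u, c, start, end, ip in sessions:
        by_user.setdefault(u, []).append((parse(start), parse(end), c, ip))
    alerts = set()
    for u, sess in by_user.items():
        sess.sort()  # by start time, so any overlap partner comes later in the list
        for i, (s1, e1, c1, _) in enumerate(sess):
            for s2, e2, c2, _ in sess[i + 1:]:
                if s2 < e1 and c1 != c2:  # starts before the earlier one ends
                    alerts.add((u, c1, c2))
    return sorted(alerts)
```

Back-to-back sessions from the same country (bob above) are left alone; only a time overlap across countries is reported.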

Real User
2021-08-24T13:54:36Z
Aug 24, 2021

There are 26 base use cases every SIEM should run that find Indicators of Compromise (IOCs) on machines.

They follow two basic patterns: Everything Counts in Large Amounts, and Do Any Two Things Wrong, Go to the Top of the List.

Success After Fail is another common pattern. Most vendor content overcomplicates the rules and has too many that can be detected by these simple rules with 90+% fidelity.

Most of the use cases and the links to the reference papers are on Wikipedia under SIEM here: https://en.wikipedia.org/wiki/...

You can also find four SANS Gold Papers under my name at sans.org/rr that cover compliance, reporting, continuous improvement, etc., and have the full list of the use cases and their triggers.

Repeat Attack - Firewall
Repeat Attack - IDS
Repeat Attack - HIPS
Repeat Attack - Failed Login - Source
Repeat Attack - Failed Login - Account
Repeat Attack - WCF/Proxy
Repeat Attack - FIM
Repeat Attack - Foreign Source
Possible Outbreak - Excessive Connections
Suspicious Event - Security Log Cleared
Suspicious Event - Executable Post to Web Server
Virus or Spyware Detected
Malicious Source Detected IP or URL (FireEye, Damballa…)
Known Attacker in Network
Traffic to Known Attacker
Successful Login After Multiple Failed Logins
Firewall Allow after Repetitive Drops
System Monitor - Log Source Stopped Sending Events
High Threat Attack on Vulnerable Asset
Possible Outbreak - Multiple Infected Hosts
Repeat Attack - Multiple Detection Sources
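
The three patterns named in this answer (Everything Counts in Large Amounts, Success After Fail, Do Any Two Things Wrong), which are also the failed-login counting that Robert Cheruiyot's and Shibu Babuchandran's answers suggest, as an added Python example that is not part of any answer or SIEM product here; the events, sources and thresholds are constructed:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample events, normalised as a SIEM would after parsing:
# (timestamp, detection source, outcome, source IP, account or host).
EVENTS = [
    ("2021-08-24T09:00:01", "auth", "fail",    "10.0.0.5", "alice"),
    ("2021-08-24T09:00:07", "auth", "fail",    "10.0.0.5", "alice"),
    ("2021-08-24T09:00:12", "auth", "fail",    "10.0.0.5", "alice"),
    ("2021-08-24T09:00:40", "auth", "success", "10.0.0.5", "alice"),
    ("2021-08-24T09:10:00", "ids",  "alert",   "10.0.0.9", "web01"),
    ("2021-08-24T09:12:00", "fw",   "drop",    "10.0.0.9", "web01"),
    ("2021-08-24T11:00:00", "auth", "fail",    "10.0.0.7", "bob"),
]

def repeat_attack(events, source, outcome, key, threshold=3, window=timedelta(minutes=5)):
    """Everything Counts in Large Amounts: >= threshold same-type events per key (3=IP, 4=account) in a sliding window."""
    recent, alerts = defaultdict(deque), set()
    for ev in sorted(events):
        if (ev[1], ev[2]) == (source, outcome):
            q = recent[ev[key]]
            q.append(datetime.fromisoformat(ev[0]))
            while q[-1] - q[0] > window:   # drop events that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                alerts.add(ev[key])
    return sorted(alerts)

def success_after_fail(events, threshold=3, window=timedelta(minutes=10)):
    """Success After Fail: a successful login for an account after >= threshold failures inside the window."""
    fails, hits = defaultdict(deque), set()
    for ev in sorted(events):
        if ev[1] == "auth":
            t, q = datetime.fromisoformat(ev[0]), fails[ev[4]]
            while q and t - q[0] > window:
                q.popleft()
            if ev[2] == "fail":
                q.append(t)
            elif len(q) >= threshold:
                hits.add(ev[4])
                q.clear()   # one alert per burst, not one per later success
    return sorted(hits)

def two_things_wrong(events):
    """Do Any Two Things Wrong: a target seen by two or more distinct detection sources goes to the top of the list."""
    seen = defaultdict(set)
    for _, src, outcome, _, target in events:
        if outcome != "success":
            seen[target].add(src)
    return sorted(t for t, s in seen.items() if len(s) >= 2)
```

The same `repeat_attack` keyed on the IP (key 3) or the account (key 4) gives the "Repeat Attack - Failed Login - Source" and "- Account" entries of the list above; the thresholds are where a real deployment tunes noise against fidelity.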

EB
Community Manager
Aug 25, 2021

@David Swift thank you very much for this meaningful answer and for sharing it with our community members, after commenting on LI earlier.

JR
Consultant
2021-08-16T09:27:18Z
Aug 16, 2021

That's excellent, @Chiheb Chebbi.

Now you would want to see if all your Windows environments have been configured to send all the logs, especially at the endpoint level. Ensure you get all the authentication logs at the very least. You could opt to get the OS-level audit logs to help with further advanced use cases, such as Threat Hunting.

If you are using Office 365, ensure you have enabled the integration for the account activities, including fine-grained audit logs for all your file-sharing activities.

Very good and impactful use cases would be the following ones:

1. User Behaviour Analysis

Monitoring your employees' access behaviour and seeing if there are any probes for brute force by identifying a high number of authentication failures.

2. Data Leak Prevention Analysis

Monitoring whether your file sharing is controlled for internal activities and which ones are set for public sharing (outside the organization).

3. Threat Hunting Analysis

Understanding several key attack indicators which leverage Windows-specific utilities such as the SMB protocol, RDP and privilege escalation on your Windows OS.

If you have vulnerability assessment tools and you can integrate the results into your SIEM, ensure that your SIEM helps with proactive patch management: identifying the CVE landscape of your specific Windows environment, correlating it with the potential attack logs and patching accordingly to prevent a cyber attack.
