Usage of proper SIEM Use Cases is critical in setting up the security operations center (SOC) operations. A use case can consist of multiple technical rules within the SIEM tool, or can be a mix of actions from multiple rules, based on the requirements. It converts business threats into SIEM technical rules, which then detect possible threats and send alerts to the SOC. Building and defining the correct use cases helps tell false positives from real ones. It also recommends action based on current or historical activity that could be part of an ongoing or future attack.
|1||DMZ Jumping||This rule will fire when connections seemed to be bridged across the network’s DMZ.|
|2||DMZ Reverse Tunnel||This rule will fire when connections seemed to be bridged across the network’s DMZ through a reverse tunnel.|
|3||Excessive Database Connections||Rule detects an excessive number of successful database connections.|
|4||Excessive Firewall Accepts Across Multiple Hosts||Reports excessive Firewall Accepts across multiple hosts. More than 100 events were detected across at least 100 unique destination IP addresses in 5 minutes.|
|5||Excessive Firewall Accepts From Multiple Sources to a Single Destination||Reports excessive Firewall Accepts to the same destination from at least 100 unique source IP addresses in 5 minutes.|
|6||Excessive Firewall Denies from Single Source||Reports excessive firewall denies from a single host. Detects more than 400 firewall deny attempts from a single source to a single destination within 5 minutes.|
|7||Long Duration Flow Involving a Remote Host||Reports a flow for communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections.|
|8||Long Duration ICMP Flows||Detection of ICMP packets between hosts that last a long time. This is rare and shouldn’t ever occur.|
|9||Outbound Connection to a Foreign Country||Reports successful logins or access from an IP address known to be in a country that does not have remote access right. Before you enable this rule, we recommend that you configure the activelist: Countries with no Remote Access building block.|
|10||Potential Honeypot Access||Reports an event that was targeting or sourced from a honeypot or tarpit defined address. Before enabling this rule, you must configure the Activelist: Honeypot like addresses building block and create the appropriate sentry from the Network Surveillance interface|
|11||Remote Access from Foreign Country||Reports successful logins or access from an IP address known to be in a country that does not have remote access right. Before you enable this rule, we recommend that you configure the Activelist: Countries with no Remote Access building block.|
|12||Remote Inbound Communication from a Foreign Country||Reports traffic from an IP address known to be in a country that does not have remote access right. Before you enable this rule, we recommend that you configure the Activelist: Countries with no Remote Access building block. SMTP and DNS have been removed from this test as you have little control over that activity. You may also have to remove WebServers in the DMZ that are often probed by remote hosts with web scanners|
|13||Single IP with Multiple MAC Addresses||This rule will fire when a single IP’s MAC address changes multiple times over a period of time.|
|14||Systems using many different protocols||Local system connecting to the internet on more than 50 DST ports in one hour. Connections must be successful. This rule can be edited to also detect failed communications which may also be useful.|
|15||Authentication: Login Failures Followed By Success to the same Destination IP||Reports multiple log in failures to a single host, followed by a successful log in to the host.|
|16||Authentication: Login Failures Followed By Success to the same Source IP||Reports multiple log in failures to a single host, followed by a successful log in to the host.|
|17||Authentication: Login Failures Followed By Success to the same Username||Reports multiple log in failure followed by a successful login from the same user.|
|18||Authentication: Login Failure to Disabled Account||Reports a host login message from a disabled user account. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages from the same user.|
|19||Authentication: Login Failure to Expired Account||Reports a host login failure message from an expired user account known. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages|
|20||Authentication: ogin Successful After Scan Attempt||Reports a successful log in to a host after recon has been performed against the network.|
|21||Authentication: Multiple Login Failures for Single Username||Reports authentication failures for the same username.|
|22||Authentication: Multiple Login Failures from the Same Source||Reports authentication failures on the same source IP address more than three times, across more than three destination IP addresses within 10 minutes.|
|23||Authentication: Multiple Login Failures to the Same Destination||Reports authentication failures on the same destination IP address more than ten times, from more than 10 source IP addresses within 10 minutes.|
|24||Authentication: Multiple VoIP Login Failures||Reports multiple log in failures to a VoIP PBX.|
|25||Authentication: No Activity for 60 Days||This account has not logged in for over 60 days|
|26||Authentication: Possible Shared Accounts||Detection of Shared Accounts. You will need to add in additional false positive system accounts to the and NOT when the event username matches the following …”. “|
|27||Authentication: Repeat Non-Windows Login Failures||Reports when a source IP address causes an authentication failure event at least 7 times to a single destination within 5 minutes.|
|28||Authentication: Repeat Windows Login Failures||Reports when a source IP address causes an authentication failure event at least 9 times to a single Windows host within 1 minute.|
|29||VPN Sneak Attack||Check from where remote users are connecting, and what they are accessing. A VPN connection access can be misused to gain access to the intranet.|
|30||Anomalous Ports, Services and Unpatched Hosts or Network Devices||Unusual traffic is identified as a potential intrusion; no signatures are involved in the process, so it is more likely to detect new attacks for which signatures are yet to be developed.|
|31||Brute Force Attack||Check for attempts to gain access to a system by using multiple accounts with multiple passwords.|
|32||Privileged user abuse||Monitor misuse of access of privileged user access such as admin or root access to perform malicious activities.
Advanced Use Cases
Unauthorized application access
- Which systems have suspicious access/application activity?
- Are terminated accounts still being used?
- Which accounts are being used from suspicious locations?
- High risk user access monitoring
- Privileged user monitoring
Worm/malware propagation monitoring
- Malware beacon monitoring
- CnC access monitoring
- CnC Termination monitoring
- Malware/Worm propagation monitoring
- Anti-virus status/infection trends
- Who is attacking me and where are they attacking from?
- Which of my internal systems are they attacking?
VPN Sneak Attack
Anomalous Ports, Services and Unpatched Hosts/Network Devices
Brute Force Attack
Privileged User Abuse