Tag: siem

Here are some very practical suggestions on the basic steps needed to develop SIEM related use cases.

Also see: part 2 and part 3

• Create a list of all your available logs (see ‘next step’ below for a long list of suggested logs)
• Configure your SIEM to collect those logs.
• Create your ‘use cases’, with whatever tools you have in your SIEM.

• Note that all logs are not created equal. The type of log will determine the options for the use cases. Generally speaking you’ll find the following types of logs in your environment.

1. login activity
2. configuration changes
3. errors
4. network traffic
5. threats

• Before considering correlations/alerts, create search queries to validate what information exists in the logs. Here’s a high level list of search queries to make for most log sources:

1. AUDIT – Basic queries that present the most important fields in the log. eg: date,username, source, destination, action
2. HUNT – More advanced queries designed to search for a specific pattern, eg. login denies, high severity intrusions
3. INVESTIGATE – Queries to search for more details on a given ‘entity’ – eg. search all events for a given username or hostname.

Here’s a good range of detections that any SIEM should have:

Use Case Examples

• Endpoint Detections (EDR logs – endpoint detect and response)
• Network Intrusion Detections
• DNS threats (eg. Cobalt Strike Beacon Detection to known IPs)
• Firewall threats (eg. high rate of denies by source, destination)
• Unauthorized Changes (to roles, resources, assets, etc)
• Policy Violations (eg. detected those detected by Microsoft Defender for Cloud)
• Suspicious/Risky User Activity (eg. Defender for Identity agent on Domain Controllers)
• Threat Intelligence (eg. outbound traffic to known bad IP)
• Endpoint and Identity alerts on sensitive assets (eg. maintain a list of sensitive/critical assets)
• Alerts for sensitive users (maintain a list of sensitive/critical/privileged users)
• Command and Control alerts (from EDR logs)
• Lateral Movement alerts (Threat based alerts like EDR and unusual traffic across network zones – eg. port scan from workstation zone to server zone)

Next Step Suggestions

• Apply ‘meta’ information to your use cases by creating lists of information such as:
  • Administrators
  • Privileged Users
  • Critical Assets
  • Risky users

• Identify gaps in your log collection, based on a ‘master list’ of desired log sources, acquire these missing sources and build more use cases to improve your attack surface monitoring.

Example log source gap list:

5G Wireless WAN
App
App Gateway
Application/COTS/Custom
AV/Anti-Malware
Call Management
CASB
Cloud Audit
Cloud Infrastructure Security
Cloud Resource Management
Data Management (Labeling & Protection)
Database
Database Monitoring
DDoS
Decoy
DHCP
Diagnostics & Monitoring
DLP
DNS
DNS Security
eCommerce
EDR
Email Protection
Email Server/Mail gateway
Enterprise Risk / Data Lake
External/Internal TI Feed
Fiber Switch
File Integrity Monitor (FIM)
Firewall/IDS
Honeypot
Identity & SSO
Identity Management
Identity Protection
IoT
Key Storage
Load Balancer/VPN
MDM
NAC
NetFlow
Network Traffic
NIDS
NIDS/NIPS
Privileged Access Management (PAM)
Remote Access and VPN
Router/Switch
SaaS
SAN
Security Configuration Management
Servers
Streaming Data Storage (Revenue Accounting)
System (OS)
UBA/Threat Analytics
Virtual Machines
Vulnerability scanner
WAF
WAF/Web Proxy/Web Content Filtering
Web
WebApp Scanner
Wireless Access
WirelessLAN

Need more ideas?

Simply search for ‘siem use cases’ and you’ll likely find a lot.

Some suggestions:

blueteamblog.com/siem-use-case-writing-guide

Microsoft Sentinel Analytic Rules