Once a SIEM is deployed successfully, what are the top use cases you'd recommend to implement for the Microsoft environment? Thank you in advance!
Some of the use cases that are important and a good start would be:
- Authentication activities
- Account management
- Connection activities
- Policy-related activities
Some of the top use cases for SIEM:
1. Authentication activities
Security use cases should ensure that only legitimate users have access to the network. Implement use cases to detect attacks such as Brute Force attacks that target user credentials. Monitor the frequency of failed and successful logins to critical systems and report failed login attempts above the set threshold.
Other activities to monitor would include logins attempted at strange hours, multiple logins from the same IP address, and modifications to system files.
Raise alerts and generate reports as soon as suspicious authentication activity is detected. Having timely and detailed information about the attack helps security officers determine the impact of a compromised account and prevent additional damage.
2. Account management
Attackers know that privileged user credentials will give them greater access to sensitive data and important corporate resources. Account management security use cases should provide full visibility on privileged accounts and detect activities that indicate account misuse.
Monitor user account creation and deletion, and activities related to system and resource access. Keep an eye out for sudden activity on inactive accounts and increased activity around sensitive data.
Use cases should also flag the unusual escalation of privileges, unauthorized access to shared folders, and any unusual behavior that points to stolen user credentials like employees trying to access data or systems they rarely use.
3. Connection activities
As remote work environments become the norm, it’s crucial to pay closer attention to connection activities related to routers, ports, wireless access points, etc. across the company network.
Your use cases should ensure that remote connections are coming from the expected locations and send alerts for suspicious locations or concurrent VPN connections. Identify and report on connections, both allowed and denied, and provide detailed information on connection attempts such as hostname, source country, destination country, and direction.
4. Policy-related activities
Regulatory bodies such as HIPAA, GDPR, and PCI-DSS require specific procedures related to data integrity and confidentiality. These procedures are usually well documented, making it easy to create use cases based on the rules and regulations outlined.
Create use cases that monitor the underlying security controls that enforce compliance. Monitor log files, changes to credentials and events related to personal data, and policy changes related to audits, authentication, authorization, etc. Flag unauthorized changes to configuration files and deleted audit trails.
5. Threat, malware, and vulnerability detection
SIEM is a vital part of threat detection. Use cases created should detect indicators of compromise, malware infections, and system vulnerabilities. Look for activities that suggest malware like unusual network traffic spikes and traffic queries to known malware domains and IP addresses.
Forensic analysis of historical data and threat intelligence feeds can also identify patterns that can expose past or ongoing threat behavior. SIEM use cases can also test for known risks using aggregated data from the SIEM system.
That's excellent, @Chiheb Chebbi.
Now you would want to see if all your Windows environments have been configured to send all the logs, especially on the endpoint level. Ensure you get all the authentication logs at the very least. You could opt to get the OS level audit logs to help with a further advanced use case, such as Threat Hunting.
If you are using Office 365, ensure you have enabled the integration for the account activities, including fine grain audit logs for all your file-sharing activities.
Very good and impactful use cases would be the following ones:
1. User Behaviour Analysis
Monitoring your employees' access behaviour and seeing if there are any probes for brute force by identifying a high number of authentication failures.
2. Data Leak Prevention Analysis
Monitoring if your file sharing is controlled for internal activities and which one is set for public sharing (outside the organization).
3. Threat Hunting Analysis
Understanding several key attack indicators which leverage Windows-specific utilities such as the SMB protocol, RDP, and privilege escalation on your Windows OS.
If you have vulnerability assessment tools and can integrate their results into your SIEM, ensure that your SIEM helps with proactive patch management, identifying the CVE landscape of your specific Windows environment, correlating it with potential attack logs, and patching accordingly to prevent a cyber attack.
There are 26 base use cases every SIEM should run that find Indicators of Compromise (IOCs) on machines.
They follow two basic patterns - Everything Counts in Large Amounts and Do Any Two Things Wrong, Go to the Top of the List.
Success After Fail is another common pattern. Most vendor content overcomplicates the rules and has too many that can be detected by these simple rules with 90+% fidelity.
Most of the use cases and the links to the reference papers are on Wikipedia under SIEM here: https://en.wikipedia.org/wiki/...
You can also find four SANS Gold Papers under my name at sans.org/rr that cover compliance, reporting, continuous improvement, etc., and have the full list of the use cases and their triggers.
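Added example, not code from any of the posters above: the failed-login threshold rule from the first answer and the "Everything Counts in Large Amounts", "Success After Fail" and "Do Any Two Things Wrong" patterns from David Swift's answer, run over a few constructed Windows Security events (4625 = failed logon, 4624 = successful logon). The thresholds, window, accounts and IPs are assumptions chosen for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed Windows Security events: (timestamp, event ID, account, source IP); 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = [
    ("2024-01-10T02:00:01", 4625, "jsmith", "10.0.0.5"),
    ("2024-01-10T02:00:03", 4625, "jsmith", "10.0.0.5"),
    ("2024-01-10T02:00:05", 4625, "jsmith", "10.0.0.5"),
    ("2024-01-10T02:00:07", 4625, "jsmith", "10.0.0.5"),
    ("2024-01-10T02:00:20", 4624, "jsmith", "10.0.0.5"),   # success right after 4 failures
    ("2024-01-10T03:10:00", 4625, "svc-bkp", "10.0.0.7"),
    ("2024-01-10T03:10:02", 4625, "svc-bkp", "10.0.0.7"),
    ("2024-01-10T03:10:04", 4625, "svc-bkp", "10.0.0.7"),
    ("2024-01-10T03:10:06", 4625, "svc-bkp", "10.0.0.7"),  # 4 failures, never succeeds
    ("2024-01-10T09:15:00", 4625, "abrown", "10.0.0.9"),
    ("2024-01-10T09:15:30", 4624, "abrown", "10.0.0.9"),   # one typo then a normal login
]
WINDOW = timedelta(minutes=10)  # assumed correlation window

def parse(events):
    """Sort by time so each rule can stream through the events once."""
    return sorted((datetime.fromisoformat(t), e, a, ip) for t, e, a, ip in events)

def large_amounts(parsed, threshold=4, window=WINDOW):
    """'Everything Counts in Large Amounts': >= threshold 4625s per account inside the window."""
    recent, hits = defaultdict(list), {}
    for ts, eid, acct, _ in parsed:
        if eid != 4625:
            continue
        recent[acct] = [t for t in recent[acct] if ts - t <= window] + [ts]  # slide the window
        if len(recent[acct]) >= threshold:
            hits[acct] = len(recent[acct])
    return hits

def success_after_fail(parsed, min_fails=3, window=WINDOW):
    """'Success After Fail': a 4624 preceded by >= min_fails 4625s for the same account inside the window."""
    recent, hits = defaultdict(list), {}
    for ts, eid, acct, _ in parsed:
        recent[acct] = [t for t in recent[acct] if ts - t <= window]
        if eid == 4625:
            recent[acct].append(ts)
        elif eid == 4624 and len(recent[acct]) >= min_fails:
            hits[acct] = len(recent[acct])
    return hits

def two_things_wrong(parsed):
    """'Do Any Two Things Wrong, Go to the Top of the List': rank accounts by the number of distinct rules tripped."""
    tripped = defaultdict(set)
    for name, rule in (("large_amounts", large_amounts), ("success_after_fail", success_after_fail)):
        for acct in rule(parsed):
            tripped[acct].add(name)
    return sorted(tripped.items(), key=lambda kv: (-len(kv[1]), kv[0]))
```

Here jsmith trips both rules and lands at the top of the list, svc-bkp trips only the count rule, and abrown's single failure stays below every threshold.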
@David Swift thank you very much for this meaningful answer and for sharing it with our community members, after commenting on LI earlier.
Hi SOC analysts and other infosec professionals,
Which standard/custom method do you use to decide about the alert severity in your SOC?
Is it possible to avoid being too subjective? How do you fight the "alert fatigue"?
Which SIEM for small/medium-sized companies do you consider the most economical?
Splunk, Security Onion, UTMStack, other? What do you like about it vs other ones?