
What are the top use cases to implement after deploying a SIEM?

Hi community,

Once a SIEM is deployed successfully, what are the top use cases you'd recommend to implement for the Microsoft environment? 

Thank you in advance!

ITCS user
45 Answers

Expert, Moderator, Real User

Some of the use cases that are important and a good start would be:

- Authentication activities

- Account management

- Connection activities

- Policy-related activities

Expert, Moderator, Real User

Some of the top use cases for SIEM:

1. Authentication activities

Security use cases should ensure that only legitimate users have access to the network. Implement use cases to detect attacks such as Brute Force attacks that target user credentials. Monitor the frequency of failed and successful logins to critical systems and report failed login attempts above the set threshold.

Other activities to monitor would include logins attempted at strange hours, multiple logins from the same IP address, and modifications to system files.

Raise alerts and generate reports as soon as suspicious authentication activity is detected. Having timely and detailed information about the attack helps security officers determine the impact of a compromised account and prevent additional damage.

2. Account management

Attackers know that privileged user credentials will give them greater access to sensitive data and important corporate resources. Account management security use cases should provide full visibility on privileged accounts and detect activities that indicate account misuse.

Monitor user account creation and deletion, and activities related to system and resource access. Keep an eye out for sudden activity on inactive accounts and increased activity around sensitive data.

Use cases should also flag the unusual escalation of privileges, unauthorized access to shared folders, and any unusual behavior that points to stolen user credentials like employees trying to access data or systems they rarely use.

3. Connection activities

As remote work environments become the norm, it’s crucial to pay closer attention to connection activities related to routers, ports, wireless access points, etc. across the company network.

Your use cases should ensure that remote connections are coming from the expected locations and send alerts for suspicious locations or concurrent VPN connections. Identify and report on connections, both allowed and denied, and provide detailed information on connection attempts such as hostname, source country, destination country, and direction.

4. Policy-related activities

Regulatory bodies such as HIPAA, GDPR, and PCI-DSS require specific procedures related to data integrity and confidentiality. These procedures are usually well documented, making it easy to create use cases based on the rules and regulations outlined.

Create use cases that monitor the underlying security controls that enforce compliance. Monitor log files, changes to credentials and events related to personal data, and policy changes related to audits, authentication, authorization, etc. Flag unauthorized changes to configuration files and deleted audit trails.

5. Threat, malware, and vulnerability detection

SIEM is a vital part of threat detection. Use cases created should detect indicators of compromise, malware infections, and system vulnerabilities. Look for activities that suggest malware like unusual network traffic spikes and traffic queries to known malware domains and IP addresses.

Forensic analysis of historical data and threat intelligence feeds can also identify patterns that can expose past or ongoing threat behavior. SIEM use cases can also test for known risks using aggregated data from the SIEM system.
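The authentication use cases in points 1 and 2 above, worked as detection logic over a constructed sample of Windows Security events (this is an added example, not code from the answer above; the event IDs 4625 = failed logon and 4624 = successful logon are the standard Windows ones, while the threshold, window and sample accounts/addresses are assumptions):

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not real logs: (timestamp, Windows event ID, account, source IP).
# 4625 = An account failed to log on; 4624 = An account was successfully logged on.
SAMPLE_EVENTS = [
    ("2022-01-10T02:01:00", 4625, "jsmith", "203.0.113.7"),
    ("2022-01-10T02:01:05", 4625, "jsmith", "203.0.113.7"),
    ("2022-01-10T02:01:09", 4625, "jsmith", "203.0.113.7"),
    ("2022-01-10T02:01:14", 4625, "jsmith", "203.0.113.7"),
    ("2022-01-10T02:01:20", 4625, "jsmith", "203.0.113.7"),
    ("2022-01-10T02:01:31", 4624, "jsmith", "203.0.113.7"),
    ("2022-01-10T09:15:00", 4625, "akhan", "10.0.0.15"),
    ("2022-01-10T09:16:00", 4624, "akhan", "10.0.0.15"),
]
FAIL_THRESHOLD = 5              # assumed "set threshold" for failed logins
WINDOW = timedelta(minutes=10)  # assumed sliding window for counting failures

def detect_auth_anomalies(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of (rule, key, timestamp) alerts for brute force and success-after-fail."""
    alerts = []
    fails_by_source = defaultdict(deque)   # source IP -> timestamps of recent 4625 events
    fails_by_account = defaultdict(deque)  # account   -> timestamps of recent 4625 events
    source_alerted = set()                 # alert once per source, not once per extra failure
    for ts_str, event_id, account, source in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        if event_id == 4625:
            for bucket, key in ((fails_by_source, source), (fails_by_account, account)):
                q = bucket[key]
                q.append(ts)
                while q and ts - q[0] > window:   # drop failures older than the window
                    q.popleft()
            if len(fails_by_source[source]) >= threshold and source not in source_alerted:
                alerts.append(("repeat_failed_login_source", source, ts_str))
                source_alerted.add(source)
        elif event_id == 4624:
            q = fails_by_account[account]
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:   # the account was guessed at, then got in
                alerts.append(("success_after_multiple_failures", account, ts_str))
            q.clear()                 # a successful logon resets that account's failure history
    return alerts
```

The second rule is the one worth paging on: a lone burst of failures is noise, but a success right after the burst is the compromised account the answer describes.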

Top 5, Leaderboard, Consultant

That's excellent, @Chiheb Chebbi.

Now you would want to see if all your Windows environments have been configured to send all the logs, especially on the endpoint level. Ensure you get all the authentication logs at the very least. You could opt to get the OS level audit logs to help with a further advanced use case, such as Threat Hunting.

If you are using Office 365, ensure you have enabled the integration for the account activities, including fine-grained audit logs for all your file-sharing activities.

Very good and impactful use cases would be the following ones:

1. User Behaviour Analysis

Monitoring your employees' access behaviour and seeing if there are any probes for brute force by identifying a high number of authentication failures.

2. Data Leak Prevention Analysis

Monitoring whether your file sharing is controlled for internal activities and which shares are set for public sharing (outside the organization).

3. Threat Hunting Analysis

Understanding several key attack indicators which leverage Windows-specific utilities such as the SMB protocol, RDP and privilege escalation on your Windows OS.

If you have vulnerability assessment tools and can integrate their results into your SIEM, ensure that your SIEM helps with proactive patch management: identifying the CVE landscape of your specific Windows environment, correlating it with the potential attack logs, and patching accordingly to prevent a cyber attack.
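The last paragraph's correlation of scanner results with attack logs, as an added example that is not part of the answer above: IDS alerts are re-scored against what the scanner knows about the target, and the assets whose open findings are actually being hit go to the top of the patch queue. Asset names, the severity ladder and the CVE identifiers are all constructed placeholders.

```python
# Constructed scanner output and IDS alerts; the CVE identifiers are placeholders, not real vulnerabilities.
SCAN_RESULTS = {  # asset -> CVEs the vulnerability scanner reports as still unpatched
    "fs01.corp.example": {"CVE-0000-0001", "CVE-0000-0002"},
    "ws17.corp.example": {"CVE-0000-0003"},
    "dc01.corp.example": set(),
}
IDS_ALERTS = [  # (timestamp, target asset, signature, CVEs the signature exploits, IDS severity)
    ("2022-01-10T11:02:00", "fs01.corp.example", "SMB RCE attempt", {"CVE-0000-0001"}, "high"),
    ("2022-01-10T11:05:00", "ws17.corp.example", "RDP brute force", set(), "medium"),
    ("2022-01-10T11:07:00", "fs01.corp.example", "web scanner probe", {"CVE-0000-0009"}, "low"),
    ("2022-01-10T11:09:00", "dc01.corp.example", "SMB RCE attempt", {"CVE-0000-0001"}, "high"),
]
LEVELS = ["low", "medium", "high", "critical"]  # assumed priority ladder

def score_alert(open_cves, signature_cves, severity):
    """Priority for one alert, combining IDS severity with what the scanner knows about the target."""
    if open_cves & signature_cves:
        return "critical"  # attack aimed at a hole the scanner says is still open on this host
    if open_cves:          # vulnerable to something else: bump the IDS severity one level
        return LEVELS[min(LEVELS.index(severity) + 1, len(LEVELS) - 1)]
    return severity

def prioritize_ids_alerts(ids_alerts, scan_results):
    """Return (scored alerts, patch queue of assets whose open CVEs are actually being attacked)."""
    scored, attacked = [], {}
    for ts, asset, signature, sig_cves, severity in ids_alerts:
        open_cves = scan_results.get(asset, set())   # asset never scanned: treat as no scan data
        matched = open_cves & sig_cves
        scored.append({"ts": ts, "asset": asset, "signature": signature,
                       "priority": score_alert(open_cves, sig_cves, severity),
                       "matched_cves": sorted(matched)})
        if matched:
            attacked.setdefault(asset, set()).update(matched)
    # Patch first the assets with the most CVEs under active attack, then by name for stable output
    patch_queue = sorted(attacked.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return scored, [(asset, sorted(cves)) for asset, cves in patch_queue]
```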

Top 5, Real User

There are 26 base use cases every SIEM should run that find Indicators of Compromise (IOCs) on machines. 

They follow two basic patterns - Everything Counts in Large Amounts and Do Any Two Things Wrong, Go to the Top of the List. 

Success After Fail is another common pattern. Most vendor content overcomplicates the rules and has too many that can be detected by these simple rules with 90+% fidelity.

Most of the use cases and the links to the reference papers are on Wikipedia under SIEM here: https://en.wikipedia.org/wiki/...

You can also find four SANS Gold Papers under my name at sans.org/rr that cover compliance, reporting, continuous improvement, etc., and have the full list of the use cases and their triggers.

Repeat Attack - Firewall
Repeat Attack - IDS
Repeat Attack - HIPS
Repeat Attack - Failed Login - Source
Repeat Attack - Failed Login - Account
Repeat Attack - WCF/Proxy
Repeat Attack - FIM
Repeat Attack - Foreign Source
Possible Outbreak - Excessive Connections
Suspicious Event - Security Log Cleared
Suspicious Event - Executable Post to Web Server
Virus or Spyware Detected
Malicious Source Detected IP or URL (FireEye, Damballa…)
Known Attacker in Network
Traffic to Known Attacker
Successful Login After Multiple Failed Logins
Firewall Allow after Repetitive Drops
System Monitor - Log Source Stopped Sending Events
High Threat Attack on Vulnerable Asset
Possible Outbreak - Multiple Infected Hosts
Repeat Attack - Multiple Detection Sources
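The two patterns named in this answer, "Everything Counts in Large Amounts" and "Do Any Two Things Wrong, Go to the Top of the List", applied to a constructed stream of firewall, IDS and anti-virus events to produce several of the listed use cases (this is an added example, not the author's rule content; the threshold, window, outbreak count and tool/category names are assumptions):

```python
from collections import defaultdict

# Constructed multi-source events, not real logs: (minute, tool, attacker src IP, victim host, category).
SAMPLE = [
    (0, "firewall", "198.51.100.9", "dmz-web1", "deny"),
    (1, "firewall", "198.51.100.9", "dmz-web1", "deny"),
    (2, "firewall", "198.51.100.9", "dmz-web1", "deny"),
    (3, "firewall", "198.51.100.9", "dmz-web1", "allow"),
    (4, "ids", "198.51.100.9", "dmz-web1", "exploit_attempt"),
    (5, "av", "-", "ws-042", "virus_detected"),
    (6, "av", "-", "ws-043", "virus_detected"),
    (7, "av", "-", "ws-044", "virus_detected"),
    (2, "firewall", "192.0.2.44", "dmz-web1", "deny"),
]
THRESHOLD = 3      # assumed: N of the same thing from one source
WINDOW = 10        # assumed: minutes
OUTBREAK_HOSTS = 3 # assumed: distinct infected hosts before it is an outbreak

def correlate(events, threshold=THRESHOLD, window=WINDOW):
    """Apply the base patterns; return {rule name: sorted list of keys that triggered it}."""
    hits = defaultdict(set)
    seen = defaultdict(list)        # (tool, category, src) -> minutes of matching events
    infected = {}                   # host -> minute of its last AV detection
    tools_fired = defaultdict(set)  # src IP -> tools whose rules already fired on it
    def recent(tool, cat, src, now):  # prune to the window, return the live list
        seen[(tool, cat, src)] = [m for m in seen[(tool, cat, src)] if now - m < window]
        return seen[(tool, cat, src)]
    for minute, tool, src, host, cat in sorted(events):
        recent(tool, cat, src, minute).append(minute)
        # Everything Counts in Large Amounts: the same event N times inside the window
        if tool == "firewall" and cat == "deny" and len(recent(tool, cat, src, minute)) >= threshold:
            hits["Repeat Attack - Firewall"].add(src)
            tools_fired[src].add(tool)
        if tool == "ids":
            tools_fired[src].add(tool)
        # Success After Fail, firewall flavour: an allow following N denies from the same source
        if tool == "firewall" and cat == "allow" and len(recent("firewall", "deny", src, minute)) >= threshold:
            hits["Firewall Allow after Repetitive Drops"].add(src)
        # Outbreak is counted in distinct hosts, not in events
        if tool == "av" and cat == "virus_detected":
            infected[host] = minute
            hosts = {h for h, m in infected.items() if minute - m < window}
            if len(hosts) >= OUTBREAK_HOSTS:
                hits["Possible Outbreak - Multiple Infected Hosts"].update(hosts)
        # Do Any Two Things Wrong, Go to the Top of the List: two independent tools agree on one source
        if len(tools_fired[src]) >= 2:
            hits["Repeat Attack - Multiple Detection Sources"].add(src)
    return {rule: sorted(keys) for rule, keys in hits.items()}
```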

Evgeny Belenky, Community Manager

@David Swift thank you very much for this meaningful answer and for sharing it with our community members, after commenting on LI earlier.
