10 SIEM Scenarios With Very Low False-Positive Rates and Mostly Unique
Mar 4, 2023
- Warn if a user does something they’ve never done before
- Warn if a user who has not used the VPN for at least 15 days (tune the threshold: 20, 30, 40 … 265 days) then has a remote interactive logon on more than one workstation within a short time window.
- No activity for more than 60 days: warn when an account has not logged in for over 60 days.
- Warn if a user has visited malicious proxy categories at least once a day for a week (Bot Networks, Uncategorized, Malware, Spyware, Dynamic DNS, Encrypted Upload).
- Warn on use of a port that is very rare in the environment (for example, seen in under 3% of traffic).
- Warn if the same user changes their password more than three times within 45 days.
- Detect anomalies in the ratio of successful to failed logins per user.
- Monitor all access and logins during non-working hours, and check the geolocation for behaviour never seen before for that user.
- Warn if the time between two failed-login events for the same user is less than one minute.
- Mail Masquerade Detection: alert if an e-mail is received from an address that looks like a legitimate one, e.g. ali.veli@citibank.com versus ali.veli@citibαnk.com (note the look-alike character in the second domain).
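The last scenario, worked through as an added example (not code from the original post): a sender domain is folded to an ASCII "skeleton" so that a Greek or Cyrillic look-alike letter compares equal to the Latin one, and a one-edit typo-squat is caught with Levenshtein distance. The trusted-domain list and the confusables table are constructed samples; a production rule would load the full Unicode confusables data.

```python
import unicodedata

# Trusted sender domains the organisation expects mail from (constructed sample).
TRUSTED_DOMAINS = {"citibank.com"}

# Look-alike characters mapped to the ASCII letter they imitate (constructed subset).
CONFUSABLES = {
    "\u03b1": "a",  # Greek small alpha, as in citib\u03b1nk.com
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c", "\u0456": "i",  # Cyrillic p, c, i
    "\u0131": "i",  # Latin dotless i
}


def skeleton(domain: str) -> str:
    """Reduce a domain to an ASCII skeleton so visually identical strings compare equal."""
    folded = unicodedata.normalize("NFKC", domain).lower()
    out = []
    for ch in folded:
        ch = CONFUSABLES.get(ch, ch)
        if unicodedata.category(ch).startswith("M"):  # drop combining accents
            continue
        out.append(ch)
    return "".join(out)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squats one edit away from a trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1) -> str:
    """Return 'trusted', 'homoglyph', 'lookalike' or 'unknown' for a sender address."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in trusted:
        return "trusted"
    skel = skeleton(domain)
    for good in trusted:
        if skel == good:
            return "homoglyph"  # identical once look-alike characters are folded
        if edit_distance(skel, good) <= max_distance:
            return "lookalike"  # within one edit of a trusted domain
    return "unknown"
```

Only "homoglyph" and "lookalike" should raise the alert; "unknown" senders are the normal case and would swamp the rule with false positives.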