SIEM Use Cases

Ertugrul Akbas
2 min read, Jan 4, 2020


There are many standard SIEM use cases like:

  • Detect SSHD authentication on Linux
  • Successful authentication after brute force
  • Repeated login failure
  • MySQL Authentication bypass through a zero-length password
  • Account deletion after DoS attack
  • Attempts to compromise user credentials
  • Self escalation
  • Short-lived accounts
  • Instances of Denial of Service such as abnormal number of requests from multiple ports or the same IP address

These standard use cases are supported by most SIEM solutions.

There are some advanced use cases (rules) like:

  • Warn if a PowerShell command containing base64-encoded content of more than 100 characters appears
  • More than 3 password changes for the same user within 30 days
  • Notify if there are more than 10 DNS requests within 5 minutes for the same domain but different subdomains. Example: xxx.domain.com, yyy.domain.com
  • Misuse of an account
  • Lateral movement

Some SIEM solutions support some of these use cases, but not all of them.

There are use cases specific to next-gen SIEM solutions like:

  • Return the days on which a user accessed more assets than their own 95th percentile
  • Look for a user whose HTTP-to-DNS protocol ratio is 300% higher than that of 95% of the other users, using the ratios from the last four weeks for the 4th day of the week
  • Alert if a user's ratio of failed authentications to successful authentications reaches 10%
  • Data loss detection by monitoring all endpoints for an abnormal volume of data egress

Besides these next-gen use cases, a modern SIEM should leverage machine learning to detect:

  • Suspicious/Malicious Processes
  • Suspicious/Malicious Files
  • Suspicious/Malicious services
  • Malware

A modern SIEM should also measure, in real time, the similarity between well-known process names and the names of running processes using Levenshtein distance, in order to detect process masquerading.

DGA (domain generation algorithm) detection using entropy is another next-gen SIEM feature.
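The two checks described above, Levenshtein-based process masquerade detection and entropy-based DGA scoring, as an added illustration that is not part of the original post. The list of well-known process names, the edit-distance cutoff of 2 and the entropy threshold of 3.5 bits are constructed assumptions that a real deployment would tune.

```python
import math
from collections import Counter

# Constructed allow-list of well-known Windows process names (example only).
KNOWN_PROCESSES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "services.exe"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insertions, deletions, substitutions)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def masquerade_candidates(name: str, known=KNOWN_PROCESSES, max_distance: int = 2):
    """Return the known names that `name` closely imitates without matching exactly.

    An exact match is a legitimate process and yields an empty list; a name within
    `max_distance` edits of a known name (e.g. scvhost.exe, svch0st.exe) is a candidate.
    """
    name = name.lower()
    if name in known:
        return []
    return sorted(k for k in known if levenshtein(name, k) <= max_distance)


def shannon_entropy(label: str) -> float:
    """Bits per character of a DNS label; algorithmically generated labels score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_domain(fqdn: str, threshold: float = 3.5) -> bool:
    """Flag a domain whose registrable label exceeds the entropy threshold (assumed value)."""
    labels = fqdn.lower().rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return shannon_entropy(label) >= threshold
```

Entropy alone produces false positives on legitimate CDN or cloud hostnames, so in practice the DGA score is combined with NXDOMAIN rates and domain age before alerting.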

Real-time detection is critical for a SIEM. Use cases such as unauthorized changes to configurations or deletion of audit trails are especially important: they should be escalated immediately to stop the damage and minimize further risk. All next-gen SIEMs have real-time detection capability.
