Detecting Unusual Activities Using a Next Generation SIEM -Use Cases Part 2

This article is part of a series. Check out the full series Part1 [1]. The efficiency and effectiveness of security monitoring are directly related to the appropriate implementation and optimization of the right use cases on the right security monitoring tools [2].

SureLog SIEM use cases:

• An alert will be triggered when the total number of authentication events increase of 50 % is detected in the last 1 hour (Ex. between 18:30–17:30) compared to 1 week ago at the same time (Ex. 7 days before between 18:30–17:30)
• An alert will be triggered when the total number of authentication events increase of 50 % is detected in the last 1 hour compared to 1 week ago.
• An alert will be triggered when an outlier detected for the hourly total number of authentication events.
• An alert will be triggered when a user’s total number of authentication events increase of 50 % is detected in the last 1 hour (Ex. between 18:30–17:30) compared to 1 week ago at the same time (Ex. 7 days before between 18:30–17:30)
• An alert will be triggered when a user’s total number of authentication events increase of 50 % is detected in the last 1 hour compared to 1 week ago.
• An alert will be triggered when an outlier detected for the hourly total number of a user’s authentication events.
• Suspicious file rename/archival transaction
• Endpoint accessed at unusual time of the day
• Email from previously uncommunicated domains
• Traffic to rare domains
• Traffic to possible Algorithmically Generated Domains
• Suspicious process execution detection
• Possible beaconing — detection of robotic traffic pattern
• Detect web uploads anomaly
• Detect suspicious failed logins with different user accounts from a single source system within 24 hours
• Look for a user whose HTTP to DNS protocol ratio is %300 more than %95 of the other users for
• Detect service account access to an unauthorized device
• Detect a user is connected from a source country where organization has no presence
• Detect a user ‘s VPN duration is different from avg of his group
• Detect if a user with no failed login event during normal working hours creates a failed login event for two consecutive days at lunchtime
• Detect concurrent VPN from Multiple Locations
• Detect when a user is trying to modify any critical file.
• Detect if the same malware occurs on multiple systems
• Detect if there are reoccurring infections on the same host
• Detect process launching without parent process or services
• Detect traffic with periodicity (e.g. traffic to the same URL at the same interval every day)
• Detect core windows process with name path anomalies
• Detect core windows process started in the wrong user context
• Detect core windows process with the wrong parent process
• Detect off-hour malware detection alert from security devices
• Detect when a user last hour logon count is two or more standards of deviation away from their mean’ or %100 more than the same user’s maximum logon count
• if a user last hour logon count is more than “mean plus two times the standard deviation” of all users or %100 more than the same user’s maximum logon count, then notify.
• Detect If a request was blocked via WAF from an IP address, within 2 minutes after this block action a request from the same IP address was seen in the WEB Server (IIS) logs
• Detect a user switches from their normal account to a privileged one, then performs an abnormal data transfer to or from an external service.
• Detect a user logs in remotely at 3 a.m. (usually only doing so locally during normal business hours), then makes repeated attempts to connect to a production database as an administrator.
• If a user failed to authenticate a server, and at the same time, the same user authenticates to another server, then notify.
• If a user accesses sensitive files, and at the same time, the same user has a connection to file sharing sites, then notify.
• If there is authentication failure from the user interface (Oracle Management Studio) and console (SQL*Plus) at the same time, notify
• Detect File Storage / WeTransfer actions
• Detect multiple login failure from same user where user has not changed the account password in last 3 days.
• Detect the ratio of login success versus failure per IP address anomaly.
• Phishing attack detection by similarity check. For example, many average users would likely accept that jon@fed3x.com is an employee at FedEx. Why? The address looks enough like the legitimate domain, fedex.com
• Rare executable detected in web-request
• Detect traffic to rare domains
• Detect traffic to possible Algorithmically Generated Domains
• Suspicious process execution detection
• Detect possible beaconing — detection of robotic traffic pattern
• Detect Web Uploads anomaly
• Cryptomining detected
• Detect spike in SSH client sessions
• Detect data hoarding
• Detect If no other devices in the network had been observed connecting to that host with RDP
• Detect suspicious file download
• Detect unauthorised device
• Detect downloading HTML content at a rate which is too high for human consumption -Abnormal Web Activity -
• Detect Outbound Port Sweep -An internal host is generating many more unsuccessful attempts to connect to external services than successful ones
• Detect new connectivity for hour
• Detect rare domain
• Detect script from Rare External,
• Detect CertUtil External Connection
• Detect sbnormal VPN connections from the user
• Detect sbnormal VPN session duration
• Detect first VPN connection from an unknown device
• Detect VPN connection from an anonymous proxy
• Detect sbnormal amount of data uploaded during a VPN session
• Detect increase of company-related data files access
• Detect MFA from a new device for a user
• Detect physical badge access after VPN access
• Detect too many failed VPN logins
• Detect VPN access from a disabled account
• Detect source IP from unauthorized location
• Detect abnormal emails to countries from a user/group/organization
• Detect multiple accounts are attempting to authenticate to a single, unusual location.
• Detect a domain account has attempted to access several new assets in a short period of time.
• Detect a user has accessed the network from multiple external organizations too quickly.

References

Copyright © 2020 by Ertuğrul AKBAŞ. All Rights Reserved

Originally published at https://www.peerlyst.com on May 12, 2020.