Detecting Unusual Activities Using a Next Generation SIEM - Use Cases Part 2

  • An alert is triggered when the total number of authentication events in the last hour (e.g. 17:30–18:30) is at least 50 % higher than in the same hour one week earlier (e.g. 17:30–18:30 seven days before).
  • An alert is triggered when the total number of authentication events in the last hour is at least 50 % higher than one week earlier.
  • An alert is triggered when the hourly total number of authentication events is a statistical outlier.
  • An alert is triggered when a single user's number of authentication events in the last hour (e.g. 17:30–18:30) is at least 50 % higher than in the same hour one week earlier (e.g. 17:30–18:30 seven days before).
  • An alert is triggered when a single user's number of authentication events in the last hour is at least 50 % higher than one week earlier.
  • An alert is triggered when the hourly number of a single user's authentication events is a statistical outlier.
  • Suspicious file rename or archiving activity
  • Endpoint accessed at unusual time of the day
  • Email from a domain the organization has never exchanged mail with before
  • Traffic to rare domains
  • Traffic to possible Algorithmically Generated Domains
  • Suspicious process execution detection
  • Possible beaconing — detection of robotic traffic pattern
  • Detect web uploads anomaly
  • Detect failed logins against several different user accounts from a single source system within 24 hours (a password-spraying pattern)
  • Look for a user whose HTTP-to-DNS protocol ratio is 300 % higher than that of 95 % of the other users for
  • Detect service account access to an unauthorized device
  • Detect a user connecting from a source country where the organization has no presence
  • Detect a user whose VPN session duration differs from the average of their group
  • Detect a user who has no failed logins during normal working hours but generates a failed login at lunchtime on two consecutive days
  • Detect concurrent VPN from Multiple Locations
  • Detect when a user tries to modify a critical file.
  • Detect if the same malware occurs on multiple systems
  • Detect if there are reoccurring infections on the same host
  • Detect a process launched without a parent process or service
  • Detect traffic with periodicity (e.g. traffic to the same URL at the same interval every day)
  • Detect a core Windows process with a name or path anomaly
  • Detect a core Windows process started in the wrong user context
  • Detect a core Windows process with the wrong parent process
  • Detect off-hours malware alerts from security devices
  • Detect when a user's logon count in the last hour is two or more standard deviations above that user's own mean, or more than 100 % above the same user's previous maximum hourly logon count
  • If a user's logon count in the last hour is above "mean plus two standard deviations" of all users' counts, or more than 100 % above the same user's previous maximum hourly logon count, notify.
  • Detect when a request from an IP address is blocked by the WAF and, within 2 minutes of that block, a request from the same IP address appears in the web server (IIS) logs: the source kept probing, or reached the server on a path the WAF does not cover
  • Detect a user switching from their normal account to a privileged one and then performing an abnormal data transfer to or from an external service.
  • Detect a user who logs in remotely at 3 a.m. (when they usually log in only locally during normal business hours) and then makes repeated attempts to connect to a production database as an administrator.
  • If a user fails to authenticate to a server and, at the same time, the same user authenticates to another server, notify.
  • If a user accesses sensitive files and, at the same time, the same user has a connection to file-sharing sites, notify.
  • If there are authentication failures from the user interface (Oracle Management Studio) and the console (SQL*Plus) at the same time, notify
  • Detect file-storage / WeTransfer actions
  • Detect multiple login failures for a user who has not changed the account password in the last 3 days.
  • Detect anomalies in the ratio of login successes to failures per IP address.
  • Phishing detection by domain-similarity check. Many average users would accept that jon@fed3x.com is a FedEx employee, because the address looks enough like the legitimate domain, fedex.com
  • Rare executable detected in web-request
  • Cryptomining detected
  • Detect spike in SSH client sessions
  • Detect data hoarding
  • Detect an RDP connection to a host that no other device in the network has been observed connecting to over RDP
  • Detect suspicious file download
  • Detect unauthorized device
  • Detect downloading of HTML content at a rate too high for human consumption (abnormal web activity)
  • Detect an outbound port sweep: an internal host generating many more unsuccessful than successful attempts to connect to external services
  • Detect new connectivity for hour
  • Detect a script from a rare external source
  • Detect CertUtil making an external connection
  • Detect abnormal VPN connections from a user
  • Detect abnormal VPN session duration
  • Detect first VPN connection from an unknown device
  • Detect VPN connection from an anonymous proxy
  • Detect an abnormal amount of data uploaded during a VPN session
  • Detect increase of company-related data files access
  • Detect MFA from a new device for a user
  • Detect physical badge access after VPN access
  • Detect too many failed VPN logins
  • Detect VPN access from a disabled account
  • Detect source IP from unauthorized location
  • Detect abnormal emails to foreign countries from a user, group or organization
  • Detect multiple accounts attempting to authenticate to a single, unusual location.
  • Detect a domain account that has attempted to access several new assets in a short period of time.
  • Detect a user who has accessed the network from multiple external organizations too quickly.
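The hour-over-week spike, the mean-plus-two-standard-deviations logon outlier, the many-accounts-from-one-source failure pattern and the WAF-block-then-IIS-hit correlation from the list above, implemented over a constructed sample log. This is an added example, not code from the original post or from any SIEM product; the event fields, user names, IP addresses, windows and thresholds are assumptions for illustration.

```python
"""Added example (not code from the original post): four of the listed use cases
run over a constructed sample authentication log. Fields, names, addresses and
thresholds are assumptions for illustration."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def ev(ts, user, src, outcome):
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src, "outcome": outcome}


NOW = datetime(2023, 5, 8, 18, 30)  # the window under analysis is 17:30-18:30 on this day
AUTH_EVENTS = [  # constructed sample events
    # the same hour one week earlier: 4 events, 2 of them alice's
    ev("2023-05-01 17:35", "alice", "10.0.0.5", "success"),
    ev("2023-05-01 17:50", "bob", "10.0.0.6", "success"),
    ev("2023-05-01 18:05", "carol", "10.0.0.7", "success"),
    ev("2023-05-01 18:20", "alice", "10.0.0.5", "success"),
    # alice's own earlier failures, in two different hours (her hourly maximum stays 1)
    ev("2023-05-07 09:00", "alice", "10.0.0.5", "failure"),
    ev("2023-05-07 10:10", "alice", "10.0.0.5", "failure"),
    # failures against six different accounts from one source within half an hour
    *[ev(f"2023-05-08 02:{5 * i:02d}", u, "192.0.2.10", "failure")
      for i, u in enumerate(["admin", "root", "test", "backup", "guest", "oracle"])],
    # the last hour: alice 4, bob 2, carol 1, dave 1, erin 1, frank 2, svc_backup 12
    ev("2023-05-08 17:32", "alice", "10.0.0.5", "success"),
    ev("2023-05-08 17:40", "alice", "10.0.0.5", "success"),
    ev("2023-05-08 17:45", "bob", "10.0.0.6", "success"),
    ev("2023-05-08 17:55", "alice", "10.0.0.5", "success"),
    ev("2023-05-08 18:01", "alice", "10.0.0.5", "success"),
    ev("2023-05-08 18:10", "carol", "10.0.0.7", "success"),
    ev("2023-05-08 18:12", "dave", "10.0.0.8", "success"),
    ev("2023-05-08 18:14", "erin", "10.0.0.8", "success"),
    ev("2023-05-08 18:16", "frank", "10.0.0.8", "success"),
    ev("2023-05-08 18:18", "frank", "10.0.0.8", "success"),
    ev("2023-05-08 18:25", "bob", "10.0.0.6", "success"),
    *[ev(f"2023-05-08 17:{31 + 2 * i}", "svc_backup", "10.0.0.9", "success") for i in range(12)],
]


def in_window(events, start, end, user=None):
    return [e for e in events if start <= e["ts"] < end and (user is None or e["user"] == user)]


def spike_vs_last_week(events, window_end, user=None, increase=0.5):
    """Last hour (all users or one user) vs the same hour 7 days earlier -> (current, baseline, alert)."""
    start = window_end - timedelta(hours=1)
    current = len(in_window(events, start, window_end, user))
    baseline = len(in_window(events, start - timedelta(days=7), window_end - timedelta(days=7), user))
    # a zero baseline makes any activity an infinite increase; leave that case to the outlier rule
    return current, baseline, baseline > 0 and current >= baseline * (1 + increase)


def logon_count_outliers(events, window_end, k=2.0):
    """Per-user last-hour logon count vs mean + k*sd of all users, and vs 2x the user's own hourly max."""
    start = window_end - timedelta(hours=1)
    last_hour = Counter(e["user"] for e in in_window(events, start, window_end))
    history = defaultdict(Counter)  # user -> clock-hour bucket -> count, for events before the window
    for e in events:
        if e["ts"] < start:
            history[e["user"]][e["ts"].replace(minute=0, second=0, microsecond=0)] += 1
    own_max = {u: max(b.values()) for u, b in history.items()}
    counts = list(last_hour.values())
    if not counts:
        return {}
    limit = mean(counts) + k * pstdev(counts)
    flagged = {}
    for user, n in last_hour.items():
        reasons = ["population"] if n > limit else []
        # a user with no history has no maximum to compare against; skip rather than flag every newcomer
        if user in own_max and n > 2 * own_max[user]:
            reasons.append("own_max")
        if reasons:
            flagged[user] = reasons
    return flagged


def spray_sources(events, window=timedelta(hours=24), min_accounts=5):
    """Sources whose failed logins hit at least min_accounts distinct accounts within the window."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] == "failure":
            failures[e["src"]].append(e)
    flagged = {}
    for src, fails in failures.items():
        for i, first in enumerate(fails):  # sliding window starting at each failure
            users = {f["user"] for f in fails[i:] if f["ts"] - first["ts"] <= window}
            if len(users) >= min_accounts:
                flagged[src] = len(users)
                break
    return flagged


def waf_bypass_candidates(waf_blocks, web_requests, window=timedelta(minutes=2)):
    """(ip, path, seconds after block) for IIS requests seen within window after a WAF block of that IP."""
    return [(ip, path, int((r_ts - b_ts).total_seconds()))
            for b_ts, ip in waf_blocks
            for r_ts, r_ip, path in web_requests
            if r_ip == ip and b_ts < r_ts <= b_ts + window]


WAF_BLOCKS = [(datetime(2023, 5, 8, 12, 0), "198.51.100.7"), (datetime(2023, 5, 8, 12, 0), "198.51.100.8")]
IIS_REQUESTS = [  # constructed (time, client IP, path) as parsed from IIS logs
    (datetime(2023, 5, 8, 12, 1, 30), "198.51.100.7", "/admin/config.aspx"),
    (datetime(2023, 5, 8, 12, 5), "198.51.100.7", "/"),
    (datetime(2023, 5, 8, 12, 0, 30), "203.0.113.4", "/"),
]

if __name__ == "__main__":
    print(spike_vs_last_week(AUTH_EVENTS, NOW), spike_vs_last_week(AUTH_EVENTS, NOW, user="alice"))
    print(logon_count_outliers(AUTH_EVENTS, NOW))
    print(spray_sources(AUTH_EVENTS))
    print(waf_bypass_candidates(WAF_BLOCKS, IIS_REQUESTS))
```

Two things the sample makes visible: with only a handful of users the outlier inflates the standard deviation, so the population rule needs a reasonably large user base before it fires, and the "own maximum" rule has no meaning for an account with no history, so a newly created account must be handled by a separate rule rather than flagged on its first hour.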

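The similarity check behind the jon@fed3x.com example, as an added example that is not code from the original post: a sender domain is compared against a trusted list after undoing digit-for-letter and "rn"-for-"m" substitutions, and brand names embedded in another domain are caught separately. The trusted-domain list, the confusable map, the edit-distance thresholds and the "last two labels" rule for the registrable domain are assumptions for illustration.

```python
"""Added example (not code from the original post): sender-domain similarity check.
Trusted list, confusable map and thresholds are assumptions for illustration."""

# characters commonly substituted for the letters they resemble (assumed, not exhaustive)
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})
TRUSTED = {"example.com", "fedex.com", "microsoft.com"}  # constructed allow-list


def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label):
    """Undo common look-alike tricks: digit-for-letter swaps and 'rn' standing in for 'm'."""
    return label.translate(CONFUSABLES).replace("rn", "m")


def check_sender(address, trusted=TRUSTED):
    """None for a trusted or unrelated sender domain, otherwise a finding dict."""
    labels = address.rsplit("@", 1)[-1].lower().rstrip(".").split(".")
    # assumption: the registrable domain is the last two labels (no public-suffix list here)
    domain = ".".join(labels[-2:])
    if domain in trusted:
        return None
    name = labels[-2] if len(labels) >= 2 else labels[0]
    for t in sorted(trusted):
        tname = t.split(".")[0]
        limit = 1 if len(tname) < 8 else 2  # short brand names tolerate one edit, long ones two
        d = min(levenshtein(name, tname), levenshtein(normalize(name), tname))
        if d <= limit:
            return {"domain": domain, "mimics": t, "kind": "lookalike", "distance": d}
        # brand embedded in the name or used as a sub-domain label: fedex-support.com, fedex.com.evil.net
        if tname in normalize(name) or tname in labels[:-2]:
            return {"domain": domain, "mimics": t, "kind": "embedded", "distance": None}
    return None


if __name__ == "__main__":
    for addr in ["jon@fed3x.com", "it@rnicrosoft.com", "help@fedex-support.com",
                 "x@login.fedex.com.evil-login.net", "jon@fedex.com", "dev@fedora.org"]:
        print(addr, "->", check_sender(addr))
```

The "embedded" rule is the noisy one: a trusted brand whose name is a short common word will match unrelated legitimate domains, so in practice it should feed a lower-severity alert or require the mail to also come from a domain with no prior communication history (the use case listed earlier in this post).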
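The beaconing and periodicity use cases (robotic traffic pattern; the same URL at the same interval every day) come down to one measurement: for each source, destination and path, how regular are the gaps between connections. The following is an added example, not code from the original post or from any product; the connection records, the minimum number of connections and the jitter threshold (coefficient of variation of the inter-arrival times) are assumptions for illustration.

```python
"""Added example (not code from the original post): beacon detection by
inter-arrival regularity. Sample connections and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev

BASE = datetime(2023, 5, 8, 9, 0, 0)
CONNECTIONS = []  # constructed (time, source, destination, path) records, e.g. from proxy logs
# an implant checking in every 5 minutes with a few seconds of jitter
for i, j in enumerate([0, 3, -2, 4, -1, 2, -3, 1, 0, 2, -2, 1]):
    CONNECTIONS.append((BASE + timedelta(seconds=300 * i + j), "10.0.0.5", "c2.example.net", "/ping"))
# a person browsing the same site in bursts
for secs in [0, 41, 95, 620, 660, 3100, 3140, 3190, 7200, 9001, 9030, 9900]:
    CONNECTIONS.append((BASE + timedelta(seconds=secs), "10.0.0.5", "news.example.com", "/"))
# a scheduled pull of the same URL at 03:00 every day
for d in range(6):
    CONNECTIONS.append((datetime(2023, 5, 3, 3, 0, 0) + timedelta(days=d), "10.0.0.7", "updates.example.org", "/feed.xml"))


def find_beacons(conns, min_conns=6, max_cv=0.1):
    """Per (src, dst, path): count, median interval in seconds, jitter (sd/mean of gaps) and a verdict."""
    by_key = defaultdict(list)
    for t, src, dst, path in conns:
        by_key[(src, dst, path)].append(t)
    results = {}
    for key, times in by_key.items():
        if len(times) < min_conns:  # too few connections to judge regularity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        results[key] = {"n": len(times), "period_s": round(median(gaps)),
                        "cv": round(cv, 3), "beacon": cv <= max_cv}
    return results


if __name__ == "__main__":
    for key, r in find_beacons(CONNECTIONS).items():
        print(key, r)
```

The daily feed pull scores exactly like the implant (a period of 86 400 s with zero jitter), which is the point of the "same URL at the same interval every day" use case: the rule ranks candidates, and known schedulers, update agents and monitoring probes have to be allow-listed or the analyst drowns in them. Conversely, an implant that randomizes its sleep by 20-30 % will sit above a 0.1 threshold, so the threshold and the minimum connection count are tuning knobs, not constants.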
Ertugrul Akbas

Entrepreneur, Security Analyst, Research.