What is a SIEM Use Case? How to Compare SIEM Use Cases? Breaking Down the SIEM Use Cases
Not every SIEM is the same SIEM. Roughly 80% of the value of a SIEM solution comes from its correlation capability, not from collecting and storing logs.
Correlation capabilities differ widely between SIEM products, and not all correlation rules and use cases are created equal. To see the differences between SIEM solutions we need to understand and analyze use cases in depth; without that analysis, every SIEM looks the same. If we do not analyze correlation capabilities, we end up choosing a SIEM on its log management capabilities alone, which is the wrong basis for the decision.
An example use case to analyze:
“Detect if any user logs in to a machine that has not logged in for the past 5 weeks.” [1]
In projects we work on, it is sometimes suggested that this scenario can be covered by a rule from the IBM QRadar UBA library, whose dormant account detection is described as follows:
“An account that UBA has seen at least one event from in the past but has not seen any new events during the dormant account threshold time period [2].”
A careful analysis is needed to see the real difference between the two.
In the QRadar library, a “dormant account” is defined by the absence of any event from that account for a certain period of time. The rule looks at the account as a whole; it does not care which machine the account logs in to.
But in the scenario “Detect if any user logs in to a machine that has not logged in for the past 5 weeks.”, what we want to detect is a user who logs in to a machine they have not logged in to for five weeks (or have never logged in to), while that same user has kept logging in to other machines and generating other events throughout. Such an account is not dormant at all, so the dormant account rule never fires on it. The condition has to be tracked per user and machine pair, not per account.
A very subtle difference, and perhaps 99% of SIEM users do not even notice it. It is a good example of how scenario analysis is done and why it matters.
By running this kind of scenario analysis, CTOs can quickly see whether choosing one SIEM over another would be better for their bottom line, and whether a SIEM solution with stronger use case capabilities offers a real advantage.
References
[1] http://anet-canada.ca/2020/01/18/never-seen-before-type-of-rules-with-surelog-siem/
[2] https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.0/com.ibm.UBAapp.doc/c_Qapps_UBA_dormant_accounts.html
Originally published at https://www.peerlyst.com on January 21, 2020.