Top 10 SIEM Use Cases

With the growing demand for SIEM solutions, organizations are increasingly interested in getting answers to the security and business challenges that come up in day-to-day operations.

Here are the top 10 SIEM use cases and behaviours that LogPoint can uncover in your infrastructure. If you would like more information about any of these use cases, or one of them is particularly relevant to you, get in touch with us. We would love to hear from you!

01 Authentication activities

Authentication activities with additional context, such as logins to critical systems or failed login attempts that exceed a defined threshold.

Successful logins

norm_id=* label=User label=Login label=Successful -user=*$ host IN CRITICAL_SYSTEM | chart count() by host, user order by count() desc limit 10

Failed logins above a threshold

norm_id=* label=User label=Login label=Fail -user=*$ user=* | chart count() as "Count" by user order by "Count" desc limit 10 | search "Count">50

02 Account management

Monitoring the creation, deletion and other activity on user accounts in order to track resources and system access privileges.

User account creation

norm_id=WinServer* label=User label=Account label=Management label=Create -target_user=*$ -user=*$ | chart count() by log_ts, domain, user, action, target_user order by count() desc limit 10

User account deletion

norm_id=WinServer* label=User label=Account label=Management (label=Delete OR label=Remove) -target_user=*$ -user=*$ | chart count() by log_ts, domain, user, action, target_user order by count() desc limit 10

User account enabling

norm_id=WinServer* label=User label=Account label=Management label=Enable -target_user=*$ -user=*$ | chart count() by log_ts, domain, user, action, target_user order by count() desc limit 10

03 Connection activities

Monitoring connection activity to get an overview of network connections by their status, origin and direction: whether a connection was allowed or denied, the hostname, the country of the source and of the destination, and the direction of the connection.

Allowed inbound connections by location

label=Connection label=Allow -source_address IN HOMENET source_address=* destination_address IN HOMENET | process geoip(source_address) as country | chart count() by country order by count() desc limit 10

Allowed outbound connections by location

label=Connection label=Allow source_address IN HOMENET destination_address=* -destination_address IN HOMENET | process geoip(destination_address) as country | chart count() by country order by count() desc limit 10

Denied inbound connections by location

label=Connection label=Deny -source_address IN HOMENET source_address=* destination_address IN HOMENET | process geoip(source_address) as country | chart count() by country order by count() desc limit 10

Denied outbound connections by location

label=Connection label=Deny source_address IN HOMENET destination_address=* -destination_address IN HOMENET | process geoip(destination_address) as country | chart count() by country order by count() desc limit 10

Denied internal connections by IP/hostname

norm_id=* label=Connection label=Deny source_address=* destination_address=* source_address in HOMENET destination_address in HOMENET | chart count() by source_address, destination_address order by count() desc limit 10

04 Policy-related activities

Monitoring and detecting policy changes, such as audit, authentication, authorization and filtering policies, and many more.

Password ageing per user

Table AD_Users pwdLastSet=* -pwdLastSet=0 | process current_time(a) as time | chart max((time - (pwdLastSet/10000000 - 11644473600))/60/60/24) as number_of_days, max(pwdLastSet/10000000 - 11644473600) as pwdLastSet_ts by sAMAccountName | search number_of_days>30
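The arithmetic in the query converts the Active Directory pwdLastSet attribute, a Windows FILETIME (100-nanosecond ticks since 1601-01-01), into a Unix timestamp before computing the age in days. The Python below is an added example, not LogPoint's code: it reproduces that conversion together with the pwdLastSet=0 exclusion and the 30-day filter on a constructed set of AD records.

```python
# Constants from the LogPoint query: 10,000,000 FILETIME ticks per second and the
# 11,644,473,600-second gap between the 1601-01-01 and 1970-01-01 epochs.
TICKS_PER_SECOND = 10_000_000
EPOCH_OFFSET_SECONDS = 11_644_473_600
SECONDS_PER_DAY = 86_400


def filetime_to_unix(pwd_last_set: int) -> float:
    """Convert an AD pwdLastSet FILETIME value to Unix epoch seconds."""
    return pwd_last_set / TICKS_PER_SECOND - EPOCH_OFFSET_SECONDS


def unix_to_filetime(unix_ts: int) -> int:
    """Inverse conversion; used here only to build the constructed sample data."""
    return (unix_ts + EPOCH_OFFSET_SECONDS) * TICKS_PER_SECOND


def stale_passwords(ad_users, now_ts, max_days=30):
    """Emulate the query: skip pwdLastSet=0 (password must change at next logon),
    compute the age in days against now_ts and keep accounts older than max_days.
    Returns {sAMAccountName: {"number_of_days": ..., "pwdLastSet_ts": ...}}."""
    result = {}
    for rec in ad_users:
        raw = rec.get("pwdLastSet")
        if not raw:  # attribute missing or 0
            continue
        last_set = filetime_to_unix(raw)
        days = (now_ts - last_set) / SECONDS_PER_DAY
        if days <= max_days:
            continue
        name = rec["sAMAccountName"]
        # The query takes max() per account; keep the oldest value seen.
        if name not in result or days > result[name]["number_of_days"]:
            result[name] = {"number_of_days": days, "pwdLastSet_ts": last_set}
    return result


# Constructed sample (not real directory data), evaluated at a fixed "now" so the
# result is reproducible: 2024-01-31 00:00:00 UTC.
NOW_TS = 1_706_659_200
SAMPLE_AD_USERS = [
    {"sAMAccountName": "alice", "pwdLastSet": unix_to_filetime(NOW_TS - 61 * SECONDS_PER_DAY)},
    {"sAMAccountName": "bob", "pwdLastSet": unix_to_filetime(NOW_TS - 10 * SECONDS_PER_DAY)},
    {"sAMAccountName": "svc-backup", "pwdLastSet": 0},
]

if __name__ == "__main__":
    for name, info in stale_passwords(SAMPLE_AD_USERS, NOW_TS).items():
        print(f"{name}: password is {info['number_of_days']:.0f} days old")
```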

User authentication from multiple sources

norm_id=* label=User (label=Login OR label=Authentication) source_address=* -user=*$ user=* | chart distinct_count(source_address) as UniqueSource by user order by UniqueSource desc limit 10 | search UniqueSource>1

05 Threat, malware and vulnerability detection

Threat-related activities, such as indicators of compromise, malware infections and the identification of vulnerable systems.

Identification of threat actors

norm_id=* source_address=* -source_address in HOMENET | process ti(source_address) | rename et_category as category, cs_category as category, et_score as score, cs_score as score | chart count() by source_address, category, score order by score desc limit 10

Identification of vulnerable sources

(col_type=qualys_fetcher OR col_type=tenablesecuritycenter_fetcher OR norm_id=VulnerabilityManagement) severity=4 or severity=5 source_address=* | rename title as vulnerability | chart count() by source_address, vulnerability order by count() desc

Failed malware cleaning

norm_id=* label=Malware label=Clean label=Fail malware=* | chart count() by host, malware order by count() desc limit 10

06 Operational insights

Activities around monitoring day-to-day operations, such as inbound and outbound data usage, or data usage by specific applications.

Inbound data usage

norm_id=* source_address=* -source_address in HOMENET destination_address IN HOMENET received_datasize=* -source_address=176.161* | timechart sum((sent_datasize+received_datasize)/1000/1000) as TotalMB, sum(sent_datasize/1000/1000) as SentMB, sum(received_datasize/1000/1000) as ReceivedMB

Outbound data usage

norm_id=* destination_address=* source_address in HOMENET -destination_address IN HOMENET received_datasize=* | timechart sum((sent_datasize+received_datasize)/1000/1000) as TotalMB, sum(sent_datasize/1000/1000) as SentMB, sum((received_datasize)/1000/1000) as ReceivedMB

Data usage by application

norm_id=* (label=Connection OR label=Traffic) application=* sent_datasize=* received_datasize=* | chart sum((sent_datasize+received_datasize)/1000/1000) as TotalMB, sum(sent_datasize/1000/1000) as SentMB, sum((received_datasize)/1000/1000) as ReceivedMB by application order by TotalMB desc

07 Unusual behaviour

Entity-based profiles that use machine-learning technologies to detect malicious behaviour, such as inappropriate data transfers, infected hosts or account misuse.

Lateral movement and data exfiltration

With LogPoint UEBA, lateral movement can be easily detected so you are able to restrict unauthorized movement within your environment. Get real-time alerts about unauthorized data transfer within your network, regardless of whether the transfer is manual or automated.

08 Alerting and incident response

Every potentially suspicious situation triggers an alert and then initiates the incident management process.

Facilitating the incident response mechanism

LogPoint’s Incident Response integrations provide automated workflows for business context enrichment, Threat Intelligence and correlation of log data with network data to gather evidence, remediate and respond to incidents effectively.

09 Compliance, regulation and audit

Regulatory compliance and audit requirements such as ISO 27001, GDPR, PCI DSS, HIPAA and many more.

File integrity monitoring

norm_id=IntegrityScanner label=Change (label=File or label=Registry) | rename registry as object, file as object | chart count() by log_ts, host, action, object, prev_hash, hash order by count() desc limit 10

10 Advanced correlation and data enrichment

Join and followed-by queries are extended with mathematical operations and aggregations to detect relationships based on advanced analytics.

Correlation between multiple data sources

[norm_id=PaloAltoNetworkFirewall label=Threat source_address IN HOMENET -destination_address IN HOMENET destination_address=* | process ti(destination_address)] as s1 join [(col_type=qualys_fetcher OR col_type=tenablesecuritycenter_fetcher OR norm_id=VulnerabilityManagement) source_address=* severity>4] as s2 on s1.source_address=s2.source_address | rename s1.et_ip_address as DestinationAddress, s1.cs_ip_address as DestinationAddress, s2.source_address as SourceAddress, s1.et_category as ThreatCategory, s1.cs_category as ThreatCategory, s1.et_score as ThreatScore, s1.cs_score as ThreatScore, s2.title as VulnerabilityPresent | chart max(ThreatScore) as ThreatScore by SourceAddress, VulnerabilityPresent, DestinationAddress, ThreatCategory order by ThreatScore desc limit 10

Potential brute-force attempts

[10 label=Login label=Fail having same user] as s1 followed by [label=Login label=Successful] as s2 on s1.user=s2.user | chart count() by user order by count() desc
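The failed-login threshold query in use case 01 and the followed-by query above build on the same idea: count failed logins per user, then watch for a successful login from that same user. The Python below is an added example, not LogPoint's code: it parses constructed label=...-style event lines (not real logs) and implements both checks, excluding the `$`-suffixed computer accounts as the queries do. The followed-by query's time window is assumed to be the whole event list here.

```python
from collections import defaultdict


def parse_event(line):
    """Parse a constructed 'key=value' event line; repeated label= keys become a set."""
    ev = {"label": set()}
    for tok in line.split():
        key, _, val = tok.partition("=")
        if key == "label":
            ev["label"].add(val)
        else:
            ev[key] = val
    ev["ts"] = int(ev["ts"])
    return ev


def failed_logins_above_threshold(events, threshold=50):
    """Use case 01: failed logins per user, excluding computer accounts (user=*$),
    keeping users whose count exceeds the threshold (the query's search "Count">50)."""
    counts = defaultdict(int)
    for ev in events:
        if "Login" in ev["label"] and "Fail" in ev["label"] and not ev["user"].endswith("$"):
            counts[ev["user"]] += 1
    return {u: c for u, c in counts.items() if c > threshold}


def brute_force_sequences(events, n_failures=10):
    """Emulate '[10 Login Fail having same user] followed by [Login Successful]':
    a run of at least n_failures failed logins for one user that ends with a
    successful login for that user. Returns {user: number of such sequences}."""
    run, hits = defaultdict(int), defaultdict(int)
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if "Login" not in ev["label"] or user.endswith("$"):
            continue
        if "Fail" in ev["label"]:
            run[user] += 1
        elif "Successful" in ev["label"]:
            if run[user] >= n_failures:
                hits[user] += 1
            run[user] = 0  # a success ends the run either way
    return dict(hits)


# Constructed sample events (not real logs): 12 failures then a success for mallory,
# one failure then a success for alice, and 60 failures from a computer account.
SAMPLE_LINES = (
    [f"ts={i} label=User label=Login label=Fail user=mallory host=vpn01" for i in range(12)]
    + ["ts=12 label=User label=Login label=Successful user=mallory host=vpn01",
       "ts=13 label=User label=Login label=Fail user=alice host=vpn01",
       "ts=14 label=User label=Login label=Successful user=alice host=vpn01"]
    + [f"ts={20 + i} label=User label=Login label=Fail user=WS01$ host=dc01" for i in range(60)]
)
SAMPLE_EVENTS = [parse_event(line) for line in SAMPLE_LINES]
```

With the default threshold of 50 the computer account's 60 failures are filtered out and nothing is reported, while the followed-by check flags mallory once.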

Incomplete sessions

[ label=Login label=Successful] as s1 left join [label=Logoff] as s2 on s1.logon_id=s2.logon_id | search -s2.logon_id=* | rename s1.user as user, s1.log_ts as log_ts | fields log_ts, user

Average session duration of completed sessions

[ label=Login label=Successful] as s1 join [label=Logoff] as s2 on s1.logon_id=s2.logon_id | rename s1.user as user | chart avg(s2.log_ts-s1.log_ts) as duration by user order by duration desc

Incomplete session duration

[ label=Login label=Successful] as s1 left join [label=Logoff] as s2 on s1.logon_id=s2.logon_id | search -s2.logon_id=* | rename s1.user as user, s1.log_ts as log_ts | process current_time(a) as time | process diff(time,log_ts) as duration | chart sum(duration) as duration by log_ts, user order by duration desc
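The three session queries above all join successful logins to logoffs on logon_id: a left join with no matching logoff yields the incomplete sessions, an inner join the completed ones. The Python below is an added example, not LogPoint's code, and carries all three through on constructed events (not real logs): completed sessions with the average duration per user, the incomplete sessions, and how long each incomplete session has been open relative to a supplied current time.

```python
from collections import defaultdict

# Constructed sample events (not real logs). logon_id is the value the queries
# join on; it is only unique per boot of one host, so a production version
# should include host in the join key as well.
SESSION_EVENTS = [
    {"log_ts": 100, "label": "Login", "user": "alice", "logon_id": "0x1a1"},
    {"log_ts": 500, "label": "Login", "user": "bob", "logon_id": "0x2c3"},
    {"log_ts": 700, "label": "Logoff", "user": "alice", "logon_id": "0x1a1"},
    {"log_ts": 1000, "label": "Login", "user": "alice", "logon_id": "0x1b2"},
    {"log_ts": 1200, "label": "Logoff", "user": "alice", "logon_id": "0x1b2"},
    {"log_ts": 1300, "label": "Logoff", "user": "carol", "logon_id": "0x999"},  # no login seen
]


def join_sessions(events):
    """Left join logins to logoffs on logon_id, like '[Login Successful] as s1
    left join [Logoff] as s2 on s1.logon_id=s2.logon_id'.
    Returns (completed, incomplete) with completed = [(user, logon_id, duration)]
    and incomplete = [(user, logon_id, login_ts)]."""
    logoff_ts = {e["logon_id"]: e["log_ts"] for e in events if e["label"] == "Logoff"}
    completed, incomplete = [], []
    for e in events:
        if e["label"] != "Login":
            continue  # logoffs without a login are dropped, as in a left join from s1
        end = logoff_ts.get(e["logon_id"])
        if end is None:
            incomplete.append((e["user"], e["logon_id"], e["log_ts"]))
        else:
            completed.append((e["user"], e["logon_id"], end - e["log_ts"]))
    return completed, incomplete


def avg_session_duration(completed):
    """chart avg(s2.log_ts - s1.log_ts) as duration by user, sorted descending."""
    total, count = defaultdict(int), defaultdict(int)
    for user, _, duration in completed:
        total[user] += duration
        count[user] += 1
    return dict(sorted(((u, total[u] / count[u]) for u in total), key=lambda kv: -kv[1]))


def incomplete_session_duration(incomplete, now_ts):
    """process diff(time, log_ts): seconds each still-open session has been open,
    keyed by (log_ts, user) as the query charts it."""
    return {(login_ts, user): now_ts - login_ts for user, _, login_ts in incomplete}
```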