Top 10 Use Cases for SIEM


Top 10 Use Cases for SIEM

By Prabhat Pokharel, KB Lead Architect, LogPoint - June 10th, 2016.

With the growing use of SIEM solutions, business houses are keen on solving a number security and business use cases seen during their day-to-day operations. In this post, we will go through the top 10 use cases with an overview of how you can use LogPoint to detect any such behavior in your infrastructure (click on the images to see them in a larger size).

The following are the top 10 use cases: 

1. Authentication Activities

Abnormal authentication attempts, off hour authentication attempts etc, using data from Windows, Unix and any other authentication application.

Authentication activities

2. Shared Accounts

Multiple sources(internal/external) making session requests for a particular user account during a given time frame, using login data from sources like Windows, Unix etc. 

shared accounts

3. Session Activities

Session duration, inactive sessions etc, using login session related data specifically from Windows server.

Session activities

4. Connections Details

Connections can be genuine or bogus. Suspicious behavior may include connection attempts on closed ports, blocked internal connections, connection made to bad destinations etc, using data from firewalls, network devices or flow data. External sources can further be enriched to discover the domain name, country and geographical details.

connection details

5. Abnormal Administrative Behavior

Monitoring inactive accounts, accounts with unchanged passwords, abnormal account management activities etc, using data from AD account management related activities.

Abnormal Administrative Behavior

6. Information Theft 

Data exfiltration attempts, information leakage through emails etc, using data from mail servers, file sharing applications etc.

Information Theft

7. Vulnerability Scanning and Correlation

Identification and correlation of security vulnerabilities detected by applications like Qualys against other suspicious events. 

Vulnerability Scanning and Correlation

8. Statistical Analysis

Statistical analysis can be done to study the nature of data. Functions like average, median, quantile, quartile etc can be used for the purpose. Numerical data from all kind of sources can be used to monitor relations like ratio of inbound to outbound bandwidth usage, data usage per application, response time comparison etc.

Statistical Analysis

Statistical Analysis2

9. Intrusion Detection and Infections

This can be done by using data from IDS/IPS, antivirus, anti-malware applications etc.

Intrusion Detection and Infections

10. System Change Activities 

This can be done by using data for changes in configurations, audit configuration changes, policy changes, policy violations etc.

System Change Activities

If you want more information about any of these use cases, you are of course welcome to get in touch. Do you have any use case that you find are particularily relevant? We would love to hear from you!

Why LogPoint?

With LogPoint, you will discover a full enterprise SIEM solution. 

LogPoint is EAL 3+ certified and the solution is tailored to solve the specific security management challenges of your business - whether the goal is compliance, forensics or operational insight.

And the best part..? We have the most predictable licensing model in the industry.