Top 10 use cases to implement

2018-07-24T10:25:22+00:00

Top 10 SIEM use cases to implement

With the growing demand for SIEM solutions, companies would like to have at their fingertips the answers to any number of security and business challenges that pop up during their day-to-day operations.

These are the top 10 SIEM use cases and behaviors that LogPoint can detect in your infrastructure. If you’d like more information about any of these use cases or have any use cases you find particularly relevant, please reach out. We’d love to hear from you!

Authentication activities

Abnormal authentication attempts, for example off-hour authentication attempts, using authentication data from Windows, Unix and any other authentication applications.

Shared accounts

Multiple sources (internal or external) making session requests for the same user account within a given timeframe, using login data from sources like Windows, Unix and others.
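The two use cases above reduce to a couple of simple checks once logon events are parsed: flag logons outside business hours, and flag a user whose successful logons arrive from several distinct source addresses inside a short window. The following Python is an added example, not LogPoint code or a LogPoint query; the log lines, the 08:00 to 18:00 business window, the 10-minute sharing window and the field names are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows-style logon lines (4624 = success, 4625 = failure); not real data.
SAMPLE_LOG = """
2018-07-24T09:12:01Z host=dc01 event_id=4624 user=alice src=10.0.1.20 result=success
2018-07-24T02:47:33Z host=dc01 event_id=4624 user=svc_backup src=10.0.1.5 result=success
2018-07-24T09:15:10Z host=dc01 event_id=4624 user=alice src=10.0.1.21 result=success
2018-07-24T09:18:44Z host=dc01 event_id=4624 user=alice src=203.0.113.9 result=success
2018-07-24T23:05:12Z host=dc01 event_id=4625 user=bob src=10.0.1.30 result=failure
2018-07-24T10:40:00Z host=dc01 event_id=4624 user=bob src=10.0.1.30 result=success
"""


def parse_events(lines):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        ev = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
        for kv in parts[1:]:
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def off_hours_logons(events, start_hour=8, end_hour=18):
    """Any authentication attempt (success or failure) outside the assumed business window."""
    return [e for e in events if not (start_hour <= e["ts"].hour < end_hour)]


def shared_account_logons(events, window_minutes=10, min_sources=2):
    """Users with successful logons from >= min_sources distinct addresses within the window.

    Returns {user: sorted list of source addresses seen in an offending window}.
    """
    by_user = defaultdict(list)
    for e in events:
        if e.get("event_id") == "4624":
            by_user[e["user"]].append(e)
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            # Collect the sources of every logon within `window` of this one.
            srcs = {first["src"]}
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                srcs.add(later["src"])
            if len(srcs) >= min_sources:
                flagged[user] = sorted(srcs | set(flagged.get(user, [])))
    return flagged


EVENTS = parse_events(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for e in off_hours_logons(EVENTS):
        print("off-hours:", e["ts"].isoformat(), e["user"], e["src"], e["result"])
    for user, srcs in shared_account_logons(EVENTS).items():
        print("shared account:", user, "from", ", ".join(srcs))
```

On the constructed sample the off-hours check returns the 02:47 service-account logon and the 23:05 failure for bob, and the sharing check returns alice, whose three successful logons within seven minutes came from two internal addresses and one external one. In production the business window would normally be per-user or per-group rather than a single global value.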

Session activities

Session duration and inactive sessions, using data related to session logins, specifically from Windows servers.
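Session duration falls out of pairing a logon event with its logoff by logon id. The Python below is an added example, not LogPoint code: it pairs constructed Windows 4624/4634 lines, reports the duration of closed sessions, and, because logon/logoff data alone carries no idle time, approximates "inactive sessions" as sessions that are still open past an assumed threshold (8 hours here) with no logoff recorded. The event lines, the logon ids and the threshold are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed logon (4624) / logoff (4634) events correlated by logon_id; not real data.
SESSION_LOG = """
2018-07-24T08:00:00Z event_id=4624 user=alice logon_id=0x3e7a1
2018-07-24T08:05:00Z event_id=4624 user=bob logon_id=0x3e7b2
2018-07-24T11:00:00Z event_id=4624 user=carol logon_id=0x3e7c3
2018-07-24T12:30:00Z event_id=4634 user=alice logon_id=0x3e7a1
"""


def parse_events(lines):
    """Parse 'timestamp key=value ...' lines; 'ts' becomes a datetime."""
    events = []
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        ev = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
        for kv in parts[1:]:
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def build_sessions(events):
    """Pair logon and logoff by logon_id -> {logon_id: {user, start, end or None}}."""
    sessions = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        lid = e["logon_id"]
        if e["event_id"] == "4624":
            sessions[lid] = {"user": e["user"], "start": e["ts"], "end": None}
        elif e["event_id"] == "4634" and lid in sessions:
            sessions[lid]["end"] = e["ts"]
    return sessions


def session_durations(sessions):
    """Duration in whole seconds of every closed session, keyed by logon_id."""
    return {lid: int((s["end"] - s["start"]).total_seconds())
            for lid, s in sessions.items() if s["end"] is not None}


def long_open_sessions(sessions, now, max_hours=8):
    """Users whose session has no logoff and has been open longer than max_hours as of `now`."""
    limit = timedelta(hours=max_hours)
    return sorted(s["user"] for s in sessions.values()
                  if s["end"] is None and now - s["start"] > limit)


SESSIONS = build_sessions(parse_events(SESSION_LOG.splitlines()))
# Assumed evaluation time for the constructed sample.
NOW = datetime(2018, 7, 24, 18, 0, 0)

if __name__ == "__main__":
    print("durations (s):", session_durations(SESSIONS))
    print("open longer than 8h:", long_open_sessions(SESSIONS, NOW))
```

On the sample, alice's session lasted 16200 seconds; bob's, opened at 08:05 with no logoff by 18:00, is reported, while carol's three-hour-younger session is not. A logoff for an unknown logon_id is ignored, which is what happens in practice when the logon predates the retention window.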

Connection details

Suspicious behavior such as connection attempts on closed ports, blocked internal connections and connections made to bad destinations, using data from firewalls, network devices or flow data. External sources can be used to discover the domain name, country and geographical origin of the threat.
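Two of the behaviours named above are easy to express over firewall deny/allow records: an internal host whose blocked connections to another internal host spread over several ports, and an allowed connection to an address on a bad-destination list, enriched with domain and country. The Python below is an added example, not LogPoint code; the firewall lines, the blocklist and the geo table are constructed stand-ins for the external sources the text mentions, and the three-port threshold is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed firewall records; not real data. Documentation address ranges are used as "external".
FIREWALL_LOG = """
2018-07-24T10:01:02Z action=deny src=10.0.2.15 dst=10.0.1.10 dport=23 proto=tcp
2018-07-24T10:01:03Z action=deny src=10.0.2.15 dst=10.0.1.10 dport=135 proto=tcp
2018-07-24T10:01:04Z action=deny src=10.0.2.15 dst=10.0.1.10 dport=445 proto=tcp
2018-07-24T10:02:10Z action=allow src=10.0.2.40 dst=198.51.100.77 dport=443 proto=tcp
2018-07-24T10:03:55Z action=allow src=10.0.2.41 dst=192.0.2.200 dport=8080 proto=tcp
2018-07-24T10:04:00Z action=deny src=10.0.2.42 dst=10.0.1.10 dport=22 proto=tcp
"""

# Constructed enrichment tables standing in for a threat-intel feed and a GeoIP lookup.
BAD_DESTINATIONS = {"192.0.2.200": "malicious.example"}
GEO = {"192.0.2.200": ("ZZ", "unknown region"), "198.51.100.77": ("NL", "Amsterdam")}

# RFC 1918 ranges are listed explicitly rather than via ip_address().is_private, because
# is_private also covers the documentation ranges used as "external" in the sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_events(lines):
    """Parse 'timestamp key=value ...' lines into dicts (timestamp kept as a string)."""
    events = []
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        ev = {"ts": parts[0]}
        for kv in parts[1:]:
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def blocked_internal_probes(events, min_ports=3):
    """Internal sources whose denied internal connections touched >= min_ports distinct ports."""
    ports = defaultdict(set)
    for e in events:
        if e["action"] == "deny" and is_internal(e["src"]) and is_internal(e["dst"]):
            ports[e["src"]].add(int(e["dport"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def bad_destination_connections(events):
    """Allowed connections to a listed destination, enriched with domain, country and region."""
    hits = []
    for e in events:
        if e["action"] == "allow" and e["dst"] in BAD_DESTINATIONS:
            country, region = GEO.get(e["dst"], ("??", "unknown"))
            hits.append({"src": e["src"], "dst": e["dst"], "dport": int(e["dport"]),
                         "domain": BAD_DESTINATIONS[e["dst"]],
                         "country": country, "region": region})
    return hits


FW_EVENTS = parse_events(FIREWALL_LOG.splitlines())

if __name__ == "__main__":
    print("internal probes:", blocked_internal_probes(FW_EVENTS))
    print("bad destinations:", bad_destination_connections(FW_EVENTS))
```

On the sample, 10.0.2.15 is reported for three blocked connections to ports 23, 135 and 445 on one internal host, while the single blocked SSH attempt from 10.0.2.42 stays under the threshold; the allowed connection from 10.0.2.41 to the listed address comes back with its domain and country attached, which is the enrichment step the text describes.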

Abnormal administrative behavior

Monitoring inactive accounts, accounts with unchanged passwords and abnormal account management activities, using data from AD account management activities.
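The three checks above can be run over an account export plus the account-management audit trail. The Python below is an added example, not LogPoint code: it flags accounts with no logon for an assumed 90 days, accounts whose password is older than an assumed 180 days, and an actor who performs an unusual burst of account-management events (user creation and group-membership changes) in a short window. The account table, the event lines, the evaluation time and all thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _dt(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed AD account export (last logon / password last set); not real data.
ACCOUNTS = [
    {"user": "alice",      "last_logon": _dt("2018-07-23T17:55:00Z"), "pwd_last_set": _dt("2018-06-01T09:00:00Z")},
    {"user": "bob",        "last_logon": _dt("2018-03-02T08:10:00Z"), "pwd_last_set": _dt("2017-11-15T09:00:00Z")},
    {"user": "svc_backup", "last_logon": _dt("2018-07-24T02:47:00Z"), "pwd_last_set": _dt("2016-05-20T09:00:00Z")},
]

# Constructed account-management audit lines (4720 = user created, 4728 = member added to group).
MGMT_LOG = """
2018-07-24T10:00:00Z event_id=4720 actor=admin1 target=tmp01
2018-07-24T10:00:30Z event_id=4728 actor=admin1 target=tmp01 group=Domain_Admins
2018-07-24T10:01:15Z event_id=4720 actor=admin1 target=tmp02
2018-07-24T10:01:40Z event_id=4728 actor=admin1 target=tmp02 group=Domain_Admins
2018-07-24T14:00:00Z event_id=4720 actor=admin2 target=newhire
"""

# Assumed evaluation time for the constructed sample.
NOW = _dt("2018-07-24T10:25:22Z")


def parse_events(lines):
    events = []
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        ev = {"ts": _dt(parts[0])}
        for kv in parts[1:]:
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def inactive_accounts(accounts, now, days=90):
    """Accounts whose last logon is older than `days`."""
    limit = timedelta(days=days)
    return sorted(a["user"] for a in accounts if now - a["last_logon"] > limit)


def stale_passwords(accounts, now, days=180):
    """Accounts whose password has not been changed for more than `days`."""
    limit = timedelta(days=days)
    return sorted(a["user"] for a in accounts if now - a["pwd_last_set"] > limit)


def account_management_bursts(events, window_minutes=5, threshold=4):
    """Actors with >= threshold account-management events inside any window_minutes span."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append(e["ts"])
    window = timedelta(minutes=window_minutes)
    flagged = []
    for actor, times in by_actor.items():
        times.sort()
        for i, start in enumerate(times):
            # Count this event and every later one that falls inside the window.
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                flagged.append(actor)
                break
    return sorted(flagged)


MGMT_EVENTS = parse_events(MGMT_LOG.splitlines())

if __name__ == "__main__":
    print("inactive:", inactive_accounts(ACCOUNTS, NOW))
    print("stale passwords:", stale_passwords(ACCOUNTS, NOW))
    print("management bursts:", account_management_bursts(MGMT_EVENTS))
```

On the sample, bob is inactive (last logon in March), both bob and the backup service account have passwords older than 180 days, and admin1 is reported for creating two users and adding both to a privileged group within two minutes, while admin2's single creation is not. Service accounts with very old passwords are a common finding of the second check and usually need their own policy rather than a blanket threshold.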

Information theft

Data exfiltration attempts and information leakage through emails using data from sources such as mail servers or file sharing applications.

Vulnerability scanning and correlation

Identification of security vulnerabilities detected by scanning applications and their correlation with other suspicious events.

Statistical analysis

Monitoring relations such as the ratio of inbound to outbound bandwidth usage, data usage per application or response time comparisons.

Intrusion detection and infections

Intrusions and infections can be detected using data from IDS/IPS, antivirus and anti-malware applications, among others.

System change activities

System change activities can be tracked using data on configuration changes, audit configuration changes, policy changes, policy violations, etc.