
Top 10 SIEM use cases to implement

With the growing demand for SIEM solutions, companies would like to have at their fingertips the answers to any number of security and business challenges that pop up during their day-to-day operations.

These are the top 10 SIEM use cases and behaviors that LogPoint can detect in your infrastructure. If you’d like more information about any of these use cases or have any use cases you find particularly relevant, please reach out. We’d love to hear from you!

01 Authentication activities

Authentication activities with added context, such as logins to critical systems and failed login attempts exceeding a given threshold.

LogPoint SIEM Top 10 Successful Logins

Successful logins

norm_id=* label=User label=Login label=Successful -user=*$ host IN CRITICAL_SYSTEM | chart count() by host, user order by count() desc limit 10

LogPoint SIEM Failed Logins Above Threshold

Failed logins above a threshold

norm_id=* label=User label=Login label=Fail -user=*$ user=* | chart count() as "Count" by user order by "Count" desc limit 10 | search "Count">50

02 Account management

Monitoring of user account creation, deletion and other account management activities, to keep track of who holds resource and system access privileges.

LogPoint SIEM User Account Creation

User account creation

norm_id=WinServer* label=User label=Account label=Management label=Create -target_user=*$ -user=*$ | chart count() by log_ts, domain, user, action, target_user order by count() desc limit 10

LogPoint SIEM User Account Deletion

User account deletion

norm_id=WinServer* label=User label=Account label=Management (label=Delete OR label=Remove) -target_user=*$ -user=*$ | chart count() by log_ts, domain, user, action, target_user order by count() desc limit 10

LogPoint SIEM User Account Enabled

User account enabled

norm_id=WinServer* label=User label=Account label=Management label=Enable -target_user=*$ -user=*$ | chart count() by log_ts, domain, user, action, target_user order by count() desc limit 10


03 Connection activities

Monitoring of connection activities to provide an overview of network connections by status, origin and direction. This covers whether a connection was allowed or denied, the host name, the country of the source and destination, and the direction of the connection.

LogPoint SIEM Top 10 Allowed Inbound Connection by Location

Allowed inbound connections by location

label=Connection label=Allow -source_address IN HOMENET source_address=* destination_address IN HOMENET | process geoip(source_address) as country | chart count() by country order by count() desc limit 10

LogPoint SIEM Top 10 Allowed Outbound Connection by Location

Allowed outbound connections by location

label=Connection label=Allow source_address IN HOMENET destination_address=* -destination_address IN HOMENET | process geoip(destination_address) as country | chart count() by country order by count() desc limit 10

LogPoint SIEM Top 10 Denied Inbound Connection by Location

Denied inbound connections by location

label=Connection label=Deny -source_address IN HOMENET source_address=* destination_address IN HOMENET | process geoip(source_address) as country | chart count() by country order by count() desc limit 10

LogPoint SIEM Top 10 Denied Outbound Connection by Location

Denied outbound connections by location

label=Connection label=Deny source_address IN HOMENET destination_address=* -destination_address IN HOMENET | process geoip(destination_address) as country | chart count() by country order by count() desc limit 10

LogPoint SIEM Top 10 Internal Denied Internal Connection by IP

Denied internal connections by IP/hostname

norm_id=* label=Connection label=Deny source_address=* destination_address=* source_address in HOMENET destination_address in HOMENET | chart count() by source_address, destination_address order by count() desc limit 10

04 Policy-related activities

Monitoring and detecting policy changes such as audit, authentication, authorization, filtering and many more.

LogPoint SIEM Password Ageing by User

Password ageing by user

Table AD_Users pwdLastSet=* -pwdLastSet=0 | process current_time(a) as time | chart max((time - (pwdLastSet/10000000 - 11644473600))/60/60/24) as number_of_days, max(pwdLastSet/10000000 - 11644473600) as pwdLastSet_ts by sAMAccountName | search number_of_days>30
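To check the FILETIME arithmetic in the query above, here is an added Python example (not LogPoint code) that derives the 11644473600 constant, converts pwdLastSet to Unix time and applies the 30-day filter to a constructed directory export; the function and account names are assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Seconds between the Windows FILETIME epoch (1601-01-01) and the Unix
# epoch (1970-01-01): this is the 11644473600 constant used in the query.
EPOCH_DIFF_SECONDS = int((datetime(1970, 1, 1) - datetime(1601, 1, 1)).total_seconds())
FILETIME_TICKS_PER_SECOND = 10_000_000  # pwdLastSet is stored in 100 ns ticks

def pwdlastset_to_unix(pwd_last_set: int) -> int:
    """Convert an AD pwdLastSet FILETIME value to a Unix timestamp in seconds
    (the query's pwdLastSet/10000000 - 11644473600)."""
    return pwd_last_set // FILETIME_TICKS_PER_SECOND - EPOCH_DIFF_SECONDS

def password_age_days(pwd_last_set: int, now: datetime) -> Optional[float]:
    """Days since the password was last set, or None when pwdLastSet is 0
    (excluded by the query's -pwdLastSet=0: never set / must change at next logon)."""
    if pwd_last_set == 0:
        return None
    set_at = datetime.fromtimestamp(pwdlastset_to_unix(pwd_last_set), tz=timezone.utc)
    return (now - set_at).total_seconds() / 86400

def stale_passwords(users: Dict[str, int], now: datetime, max_days: int = 30) -> Dict[str, float]:
    """sAMAccountName -> age in days for accounts older than max_days
    (the query's search number_of_days>30)."""
    result = {}
    for name, pls in users.items():
        age = password_age_days(pls, now)
        if age is not None and age > max_days:
            result[name] = round(age, 1)
    return result

def filetime(dt: datetime) -> int:
    """Inverse conversion, used only to build the constructed sample below."""
    return (int(dt.timestamp()) + EPOCH_DIFF_SECONDS) * FILETIME_TICKS_PER_SECOND

# Constructed sample directory export (hypothetical accounts, not real data).
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_USERS = {
    "alice": filetime(NOW - timedelta(days=10)),   # fresh password
    "bob": filetime(NOW - timedelta(days=95)),     # older than 30 days
    "svc_backup": 0,                               # pwdLastSet=0, filtered out
}

if __name__ == "__main__":
    print(stale_passwords(SAMPLE_USERS, NOW))  # {'bob': 95.0}
```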

LogPoint SIEM Users Authentication from Multiple Sources

Users authentication from multiple sources

norm_id=* label=User (label=Login OR label=Authentication) source_address=* -user=*$ user=* | chart distinct_count(source_address) as UniqueSource by user order by UniqueSource desc limit 10 | search UniqueSource>1

05 Threat, malware, and vulnerability detection

Activities related to threats, such as indicators of compromise, malware infections and identification of vulnerable systems.

LogPoint Identification of Threat Actors widget

Identification of threat indicators

norm_id=* source_address=* -source_address in HOMENET | process ti(source_address) | rename et_category as category, cs_category as category, et_score as score, cs_score as score | chart count() by source_address, category, score order by score desc limit 10

LogPoint SIEM Identification of Vulnerable Sources

Identification of vulnerable sources

(col_type=qualys_fetcher OR col_type=tenablesecuritycenter_fetcher OR norm_id=VulnerabilityManagement) (severity=4 OR severity=5) source_address=* | rename title as vulnerability | chart count() by source_address, vulnerability order by count() desc

LogPoint SIEM Failed Malware Cleaning

Failed malware cleaning

norm_id=* label=Malware label=Clean label=Fail malware=* | chart count() by host, malware order by count() desc limit 10


06 Operational insights

Activities related to monitoring day-to-day operational activities, such as inbound and outbound data usage or data usage by specific applications.

LogPoint SIEM Inbound Data Usage

Inbound data usage

norm_id=* source_address=* -source_address in HOMENET destination_address IN HOMENET received_datasize=* -source_address=176.161* | timechart sum((sent_datasize+received_datasize)/1000/1000) as TotalMB, sum(sent_datasize/1000/1000) as SentMB, sum(received_datasize/1000/1000) as ReceivedMB

LogPoint SIEM Outbound Data Usage

Outbound data usage

norm_id=* destination_address=* source_address in HOMENET -destination_address IN HOMENET received_datasize=* | timechart sum((sent_datasize+received_datasize)/1000/1000) as TotalMB, sum(sent_datasize/1000/1000) as SentMB, sum((received_datasize)/1000/1000) as ReceivedMB

LogPoint SIEM Data Usage by Application

Data usage by application

norm_id=* (label=Connection OR label=Traffic) application=* sent_datasize=* received_datasize=* | chart sum((sent_datasize+received_datasize)/1000/1000) as TotalMB, sum(sent_datasize/1000/1000) as SentMB, sum((received_datasize)/1000/1000) as ReceivedMB by application order by TotalMB desc

07 Anomalous behavior

Entity-based profiles built with ML techniques to identify malicious behavior such as data staging, infected hosts or account misuse.

LogPoint SIEM Lateral Movement

Lateral movement and data exfiltration

With LogPoint UEBA, lateral movement can be detected easily so you can restrict unauthorized movement within your environment. Get real-time alerts about unauthorized data transfer within your network, whether the transfer is manual or automated.


08 Alerting and incident response

Any potentially suspicious situation that triggers an alert and, subsequently, the incident management process.

LogPoint SIEM Facilitate Incident Response Mechanism

Facilitate incident response mechanism

LogPoint’s Incident Response integrations provide automated workflows for business context enrichment, Threat Intelligence and correlation of log data with network data to gather evidence, remediate and respond to incidents effectively.

09 Compliance, regulation, and audit

Regulatory compliance and audit requirements such as ISO 27001, GDPR, PCI DSS, HIPAA and many more.

LogPoint SIEM FIM File Integrity Monitoring for PCI DSS

File Integrity Monitoring

norm_id=IntegrityScanner label=Change (label=File or label=Registry) | rename registry as object, file as object | chart count() by log_ts, host, action, object, prev_hash, hash order by count() desc limit 10


10 Advanced correlation and enrichment

Join and followed-by queries, extended with mathematical operations and aggregations, for correlation-based advanced analytics.

LogPoint SIEM Correlation Between Multiple Data Sources

Correlation between multiple data sources

[norm_id=PaloAltoNetworkFirewall label=Threat source_address IN HOMENET -destination_address IN HOMENET destination_address=* | process ti(destination_address)] as s1 join [(col_type=qualys_fetcher OR col_type=tenablesecuritycenter_fetcher OR norm_id=VulnerabilityManagement) source_address=* severity>4] as s2 on s1.source_address=s2.source_address | rename s1.et_ip_address as DestinationAddress, s1.cs_ip_address as DestinationAddress, s2.source_address as SourceAddress, s1.et_category as ThreatCategory, s1.cs_category as ThreatCategory, s1.et_score as ThreatScore, s1.cs_score as ThreatScore, s2.title as VulnerabilityPresent | chart max(ThreatScore) as ThreatScore by SourceAddress, VulnerabilityPresent, DestinationAddress, ThreatCategory order by ThreatScore desc limit 10

LogPoint SIEM Potential Brute Force Attempt

Potential brute force attempt

[10 label=Login label=Fail having same user] as s1 followed by [label=Login label=Successful] as s2 on s1.user=s2.user | chart count() by user order by count() desc
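The followed-by sequence above, as an added Python example (not LogPoint code) run over constructed login events: a user with at least 10 failed logins followed by a successful one is flagged. The look-back window, event field names and user names are assumptions; the query itself relies on the search time range instead of an explicit window.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events (hypothetical users, not from the page).
def ev(ts: str, user: str, outcome: str) -> dict:
    return {"log_ts": datetime.fromisoformat(ts), "user": user, "label": outcome}

SAMPLE_EVENTS = (
    # alice: 12 failures in 12 seconds, then a success -> matches the sequence
    [ev(f"2024-03-01T09:00:{s:02d}", "alice", "Fail") for s in range(12)]
    + [ev("2024-03-01T09:00:30", "alice", "Successful")]
    # bob: a single typo, then a success -> below threshold
    + [ev("2024-03-01T09:05:00", "bob", "Fail"), ev("2024-03-01T09:05:10", "bob", "Successful")]
    # carol: 10 failures, but the success comes 90 minutes later -> outside the window
    + [ev("2024-03-01T10:00:00", "carol", "Fail") for _ in range(10)]
    + [ev("2024-03-01T11:30:00", "carol", "Successful")]
)

def brute_force_then_success(events: List[dict], threshold: int = 10,
                             window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Count, per user, successful logins preceded by >= threshold failed logins
    of the same user within `window`: the page's
    '[10 label=Login label=Fail having same user] as s1 followed by
     [label=Login label=Successful] as s2 on s1.user=s2.user'."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    hits: Dict[str, int] = defaultdict(int)
    for e in sorted(events, key=lambda x: x["log_ts"]):
        user, ts = e["user"], e["log_ts"]
        if e["label"] == "Fail":
            failures[user].append(ts)
            continue
        if e["label"] != "Successful":
            continue
        # s1 must precede s2: keep only failures inside the look-back window
        recent = [t for t in failures[user] if ts - window <= t <= ts]
        if len(recent) >= threshold:
            hits[user] += 1
        failures[user].clear()  # a success ends the failure streak
    return dict(hits)

if __name__ == "__main__":
    print(brute_force_then_success(SAMPLE_EVENTS))  # {'alice': 1}
```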

LogPoint SIEM Incomplete Sessions

Incomplete sessions

[label=Login label=Successful] as s1 left join [label=Logoff] as s2 on s1.logon_id=s2.logon_id | search -s2.logon_id=* | rename s1.user as user, s1.log_ts as log_ts | fields log_ts, user

LogPoint SIEM Average Session Duration of Completed Sessions

Average session duration of completed sessions

[label=Login label=Successful] as s1 join [label=Logoff] as s2 on s1.logon_id=s2.logon_id | rename s1.user as user | chart avg(s2.log_ts-s1.log_ts) as duration by user order by duration desc

LogPoint SIEM Incomplete Session Duration

Incomplete session duration

[label=Login label=Successful] as s1 left join [label=Logoff] as s2 on s1.logon_id=s2.logon_id | search -s2.logon_id=* | rename s1.user as user, s1.log_ts as log_ts | process current_time(a) as time | process diff(time,log_ts) as duration | chart sum(duration) as duration by log_ts, user order by duration desc
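The three session queries above (incomplete sessions, average duration of completed sessions, incomplete session duration) all hinge on joining Login and Logoff events on logon_id. This added Python example (not LogPoint code) performs that join over constructed Windows-style events; the field names, logon IDs and user names are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample events (hypothetical users and logon IDs, not from the page).
def ev(ts: str, label: str, user: str, logon_id: str) -> dict:
    return {"log_ts": datetime.fromisoformat(ts), "label": label, "user": user, "logon_id": logon_id}

SAMPLE_EVENTS = [
    ev("2024-03-01T08:00:00", "Login",  "alice", "0x1a2b"),
    ev("2024-03-01T09:00:00", "Logoff", "alice", "0x1a2b"),   # 1 h session
    ev("2024-03-01T10:00:00", "Login",  "alice", "0x1a3c"),
    ev("2024-03-01T10:30:00", "Logoff", "alice", "0x1a3c"),   # 30 min session
    ev("2024-03-01T11:00:00", "Login",  "bob",   "0x2b4d"),   # never logged off
    ev("2024-03-01T12:00:00", "Logoff", "carol", "0x9999"),   # logoff without a login (dropped)
]
NOW = datetime.fromisoformat("2024-03-01T13:00:00")  # stands in for current_time(a)

def join_sessions(events: List[dict]) -> Tuple[list, list]:
    """Left join Login (s1) with Logoff (s2) on logon_id.
    completed: (user, login_ts, logoff_ts) rows with a matching s2;
    incomplete: (user, login_ts) rows where -s2.logon_id=* (no logoff seen)."""
    logins = {e["logon_id"]: e for e in events if e["label"] == "Login"}
    logoffs = {e["logon_id"]: e for e in events if e["label"] == "Logoff"}
    completed, incomplete = [], []
    for lid, login in logins.items():
        if lid in logoffs:
            completed.append((login["user"], login["log_ts"], logoffs[lid]["log_ts"]))
        else:
            incomplete.append((login["user"], login["log_ts"]))
    return completed, incomplete

def avg_session_seconds(events: List[dict]) -> Dict[str, float]:
    """avg(s2.log_ts - s1.log_ts) by user over completed sessions."""
    durations: Dict[str, List[float]] = defaultdict(list)
    for user, start, end in join_sessions(events)[0]:
        durations[user].append((end - start).total_seconds())
    return {u: sum(d) / len(d) for u, d in durations.items()}

def incomplete_session_seconds(events: List[dict], now: datetime) -> Dict[Tuple[str, datetime], float]:
    """diff(current_time, login log_ts) for each still-open session, keyed by (user, log_ts)."""
    return {(u, ts): (now - ts).total_seconds() for u, ts in join_sessions(events)[1]}

if __name__ == "__main__":
    print(avg_session_seconds(SAMPLE_EVENTS))            # {'alice': 2700.0}
    print(incomplete_session_seconds(SAMPLE_EVENTS, NOW)) # bob: 7200.0 seconds open
```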