Top 10 SIEM use cases to implement
With the growing demand for SIEM solutions, companies would like to have at their fingertips the answers to any number of security and business challenges that pop up during their day-to-day operations.
These are the top 10 SIEM use cases and behaviors that LogPoint can detect in your infrastructure. If you’d like more information about any of these use cases or have any use cases you find particularly relevant, please reach out. We’d love to hear from you!
01 Authentication activities
Authentication activities with added context, such as logins in critical systems and failed login attempts greater than a given threshold.
Successful logins
norm_id=* label=User label=Login label=Successful -user=*$ host IN CRITICAL_SYSTEM | chart count() by host, user order by count() desc limit 10
Failed logins above a threshold
norm_id=* label=User label=Login label=Fail -user=*$ user=* | chart count() as "Count" by user order by "Count" desc limit 10 | search "Count">50
02 Account management
Monitoring of user account creation, deletion and other activities to monitor resource and system access privileges.
User account creation
norm_id=WinServer* label=User label=Account label=Management label=Create -target_user=*$ -user=*$ | chart count() by log_ts, domain, user, action, target_user order by count() desc limit 10
User account deletion
norm_id=WinServer* label=User label=Account label=Management (label=Delete OR label=Remove) -target_user=*$ -user=*$ | chart count() by log_ts, domain, user, action, target_user order by count() desc limit 10
User account enabled
norm_id=WinServer* label=User label=Account label=Management label=Enable -target_user=*$ -user=*$ | chart count() by log_ts, domain, user, action, target_user order by count() desc limit 10
03 Connection activities
Monitoring of connection activities to provide an overview of the network connections by status, origin and direction. This defines whether connections are allowed/denied, the host name, country name of source, and destination and direction.
Allowed inbound connections by location
label=Connection label=Allow -source_address IN HOMENET source_address=* destination_address IN HOMENET | process geoip(source_address) as country | chart count() by country order by count() desc limit 10
Allowed outbound connection by location
label=Connection label=Allow source_address IN HOMENET destination_address=* -destination_address IN HOMENET | process geoip(destination_address) as country | chart count() by country order by count() desc limit 10
Denied inbound connections by location
label=Connection label=Deny -source_address IN HOMENET source_address=* destination_address IN HOMENET | process geoip(source_address) as country | chart count() by country order by count() desc limit 10
Denied outbound connections by location
label=Connection label=Deny source_address IN HOMENET destination_address=* -destination_address IN HOMENET | process geoip(destination_address) as country | chart count() by country order by count() desc limit 10
Denied internal connections by IP/hostname
norm_id=* label=Connection label=Deny source_address=* destination_address=* source_address in HOMENET destination_address in HOMENET | chart count() by source_address, destination_address order by count() desc limit 10
04 Policy-related activities
Monitoring and detecting policy changes such as audit, authentication, authorization, filtering and many more.
Password ageing by user
Table AD_Users pwdLastSet=* -pwdLastSet=0 | process current_time(a) as time | chart max((time - (pwdLastSet/10000000 - 11644473600))/60/60/24) as number_of_days, max(pwdLastSet/10000000 - 11644473600) as pwdLastSet_ts by sAMAccountName | search number_of_days>30
Users authentication from multiple sources
norm_id=* label=User (label=Login OR label=Authenctication) source_address=* -user=*$ user=* | chart distinct_count(source_address) as UniqueSource by user order by UniqueSource desc limit 10 | search UniqueSource>1
05 Threat, malware, and vulnerability detection
Activities related to threats, such as indicators of compromise, malware infections and identification of vulnerable systems.
Identification of threat indicators
norm_id=* source_address=* -source_address in HOMENET | process ti(source_address) | rename et_category as category,cs_category as category, et_score as score,cs_score as score| chart count() by source_address, category, score order by score desc limit 10
Identification of vulnerable sources
(col_type=qualys_fetcher OR col_type=tenablesecuritycenter_fetcher OR norm_id=VulnerabilityManagement) severity=4 or severity=5 source_address=* | rename title as vulnerability |chart count() by source_address, vulnerability order by count() desc
Failed malware cleaning
norm_id=* label=Malware label=Clean label=Fail malware=* | chart count() by host, malware order by count() desc limit 10
06 Operational insights
Activities related to monitoring day-to-day operational activities, such as inbound and outbound data usage or data usage by specific applications.
Inbound data usage
norm_id=* source_address=* -source_address in HOMENET destination_address IN HOMENET received_datasize=* -source_address=176.161*| timechart sum((sent_datasize+received_datasize)/1000/1000) as TotalMB, sum(sent_datasize/1000/1000) as SentMB, sum(received_datasize/1000/1000) as ReceivedMB
