Top 10 SIEM use cases to implement
With the growing demand for SIEM solutions, companies would like to have at their fingertips the answers to any number of security and business challenges that pop up during their day-to-day operations.
These are the top 10 SIEM use cases and behaviors that LogPoint can detect in your infrastructure. If you’d like more information about any of these use cases or have any use cases you find particularly relevant, please reach out. We’d love to hear from you!
1. Abnormal authentication attempts or off-hours authentication attempts, using data from Windows, Unix and any other authentication applications.
2. Multiple sources (internal or external) making session requests for one user account within a given timeframe, using login data from sources such as Windows, Unix and others.
3. Session duration and inactive sessions, using data related to session logins, specifically from Windows servers.
4. Suspicious network behavior such as connection attempts on closed ports, blocked internal connections and connections made to known-bad destinations, using data from firewalls, network devices or flow data. External sources can be used to discover the domain name, country and geographical origin of the threat.
5. Abnormal administrative behavior: monitoring inactive accounts, accounts with unchanged passwords and abnormal account management activities, using data from Active Directory account management activities.
6. Data exfiltration attempts and information leakage through email, using data from sources such as mail servers or file sharing applications.
7. Vulnerability scanning and correlation: identification and correlation of security vulnerabilities detected by scanning applications against other suspicious events.
8. Monitoring relations such as the ratio of inbound to outbound bandwidth usage, data usage per application or response time comparisons.
9. Intrusion detection and infections: detected using data from IDS/IPS, antivirus, anti-malware applications and others.
10. System change activities: detected using data on configuration changes, audit configuration changes, policy changes, policy violations, etc.
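The identity-related use cases above (off-hours authentication, one account logging on from several sources in a short window, and inactive accounts or accounts with unchanged passwords) can all be expressed as simple rules over logon and account records. The following Python script is an added example, not LogPoint's code or query language; the record layout is modelled loosely on Windows logon events (event 4624), the business-hours window, the sample records and the thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records, loosely shaped like Windows event 4624.
# Field names are an assumption for this example, not a SIEM schema.
SAMPLE_LOGONS = [
    {"time": "2024-03-04 09:02:11", "user": "alice",      "src_ip": "10.0.1.20",    "event_id": 4624},
    {"time": "2024-03-04 09:05:40", "user": "bob",        "src_ip": "10.0.1.31",    "event_id": 4624},
    {"time": "2024-03-04 03:17:05", "user": "svc_backup", "src_ip": "10.0.2.5",     "event_id": 4624},
    {"time": "2024-03-04 10:00:00", "user": "carol",      "src_ip": "10.0.1.40",    "event_id": 4624},
    {"time": "2024-03-04 10:02:00", "user": "carol",      "src_ip": "203.0.113.7",  "event_id": 4624},
    {"time": "2024-03-04 10:03:30", "user": "carol",      "src_ip": "198.51.100.9", "event_id": 4624},
    {"time": "2024-03-04 23:45:00", "user": "alice",      "src_ip": "10.0.1.20",    "event_id": 4624},
]

# Constructed sample account attributes (as an AD account report might provide them).
SAMPLE_ACCOUNTS = [
    {"user": "alice",      "last_logon": "2024-03-04 23:45:00", "pwd_last_set": "2024-01-10 08:00:00"},
    {"user": "dave",       "last_logon": "2023-10-01 09:00:00", "pwd_last_set": "2023-06-01 08:00:00"},
    {"user": "svc_legacy", "last_logon": "2024-03-01 02:00:00", "pwd_last_set": "2022-01-15 08:00:00"},
]

BUSINESS_HOURS = (8, 18)  # assumed local business hours: 08:00 to 18:00, Monday to Friday


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def off_hours_logons(records, hours=BUSINESS_HOURS):
    """Use case 1: successful logons outside business hours or on weekends."""
    start, end = hours
    hits = []
    for r in records:
        t = parse_time(r["time"])
        if r["event_id"] == 4624 and (not (start <= t.hour < end) or t.weekday() >= 5):
            hits.append((r["user"], r["time"]))
    return hits


def multi_source_logons(records, window=timedelta(minutes=10), min_sources=3):
    """Use case 2: one account seen from >= min_sources distinct source IPs inside a window."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append((parse_time(r["time"]), r["src_ip"]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # sliding window starting at each logon; count distinct sources within it
            ips = {ip for t, ip in events[i:] if t - t0 <= window}
            if len(ips) >= min_sources:
                flagged[user] = sorted(ips)
                break
    return flagged


def stale_accounts(accounts, now, inactive_days=90, max_pwd_age_days=180):
    """Use case 5: accounts with no logon for inactive_days or a password older than max_pwd_age_days."""
    now = parse_time(now)
    findings = {}
    for a in accounts:
        reasons = []
        if now - parse_time(a["last_logon"]) > timedelta(days=inactive_days):
            reasons.append("inactive")
        if now - parse_time(a["pwd_last_set"]) > timedelta(days=max_pwd_age_days):
            reasons.append("password_unchanged")
        if reasons:
            findings[a["user"]] = reasons
    return findings


if __name__ == "__main__":
    print("off-hours logons:", off_hours_logons(SAMPLE_LOGONS))
    print("multi-source accounts:", multi_source_logons(SAMPLE_LOGONS))
    print("stale accounts:", stale_accounts(SAMPLE_ACCOUNTS, "2024-03-05 00:00:00"))
```

The thresholds (a 10-minute window, three distinct sources, 90 days of inactivity, 180 days of password age) are starting points to tune per environment; service accounts that legitimately run at night are the usual source of noise for the off-hours rule and are best handled with an allow-list rather than by widening the window.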
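The network-side use cases (connection attempts on closed ports from firewall logs, and the ratio of inbound to outbound bandwidth from flow data) are shown below as an added Python example; it is not LogPoint's code, the key=value firewall line format and the flow records are constructed for illustration, and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall log lines in an assumed key=value syslog style.
FIREWALL_LINES = """\
2024-03-04T10:00:01 fw01 action=deny src=203.0.113.7 dst=10.0.1.10 dport=23 proto=tcp
2024-03-04T10:00:02 fw01 action=deny src=203.0.113.7 dst=10.0.1.10 dport=445 proto=tcp
2024-03-04T10:00:02 fw01 action=deny src=203.0.113.7 dst=10.0.1.10 dport=3389 proto=tcp
2024-03-04T10:00:03 fw01 action=deny src=203.0.113.7 dst=10.0.1.11 dport=22 proto=tcp
2024-03-04T10:00:03 fw01 action=deny src=203.0.113.7 dst=10.0.1.11 dport=8080 proto=tcp
2024-03-04T10:00:05 fw01 action=allow src=10.0.1.40 dst=93.184.216.34 dport=443 proto=tcp
2024-03-04T10:00:09 fw01 action=deny src=10.0.1.31 dst=10.0.1.10 dport=445 proto=tcp
""".splitlines()

# Constructed per-host flow summaries (bytes received vs. bytes sent).
FLOW_RECORDS = [
    {"host": "10.0.1.40", "bytes_in": 5_000_000, "bytes_out": 120_000},
    {"host": "10.0.1.40", "bytes_in": 2_000_000, "bytes_out": 80_000},
    {"host": "10.0.2.5",  "bytes_in": 50_000,    "bytes_out": 4_800_000},
    {"host": "10.0.2.5",  "bytes_in": 10_000,    "bytes_out": 3_200_000},
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Split a '<timestamp> <host> key=value ...' line into a dict."""
    ts, host, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    fields["time"] = ts
    fields["host"] = host
    return fields


def port_probe_sources(lines, min_distinct_ports=4):
    """Use case 4: sources whose denied connections touch many distinct destination ports."""
    denied = defaultdict(set)
    for f in map(parse_kv, lines):
        if f.get("action") == "deny":
            denied[f["src"]].add(int(f["dport"]))
    return {src: sorted(ports) for src, ports in denied.items() if len(ports) >= min_distinct_ports}


def outbound_ratio_outliers(records, max_out_in_ratio=5.0, min_out_bytes=1_000_000):
    """Use case 8: hosts sending far more than they receive, above a minimum volume."""
    totals = defaultdict(lambda: [0, 0])  # host -> [bytes_in, bytes_out]
    for r in records:
        totals[r["host"]][0] += r["bytes_in"]
        totals[r["host"]][1] += r["bytes_out"]
    outliers = {}
    for host, (b_in, b_out) in totals.items():
        ratio = b_out / max(b_in, 1)  # guard against division by zero
        if b_out >= min_out_bytes and ratio > max_out_in_ratio:
            outliers[host] = round(ratio, 1)
    return outliers


if __name__ == "__main__":
    print("port probe sources:", port_probe_sources(FIREWALL_LINES))
    print("outbound ratio outliers:", outbound_ratio_outliers(FLOW_RECORDS))
```

A single denied connection to an internal file share (the 10.0.1.31 line) stays below the distinct-port threshold and is not reported, while the ratio rule requires both a skewed ratio and a minimum outbound volume so that a quiet host sending a few kilobytes is not flagged. Enrichment of the flagged external source with domain, country and geolocation, as the text suggests, would be a lookup step applied to the keys of the returned dictionaries.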