
Top 10 SIEM use cases

With the growing demand for SIEM solutions, companies want to have answers at hand for a number of security problems that arise during their day-to-day operations.

Here are the 10 main use cases and behaviours that the LogPoint SIEM can detect in your infrastructure.

If you would like more information about any of these cases, or if you know of a case you consider relevant, feel free to contact us.

01 Authentication activities

Authentication activities with added context, such as logins in critical systems and failed login attempts greater than a given threshold.

Top 10 Successful Logins LogPoint SIEM Dashboard

Successful logins

norm_id=* label=User label=Login label=Successful -user=*$ host IN CRITICAL_SYSTEM | chart count() by host, user order by count() desc limit 10

Failed Logins Above Threshold LogPoint Dashboard

Failed logins above a threshold

norm_id=* label=User label=Login label=Fail -user=*$ user=* | chart count() as "Count" by user order by "Count" desc limit 10 | search "Count">50
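As an added illustration (not code from LogPoint's page or product), the "failed logins above a threshold" query re-implemented in Python over a constructed set of normalized events, including the `-user=*$` machine-account exclusion and the query's "limit 10 before search" ordering:

```python
from collections import Counter

FAIL_LABELS = {"User", "Login", "Fail"}

def make_events():
    # Constructed sample: each dict stands for one normalized event carrying
    # the labels and fields the LogPoint query filters on.
    def fail(user, n):
        return [{"labels": FAIL_LABELS, "user": user, "host": "dc01"} for _ in range(n)]
    events = fail("alice", 60) + fail("bob", 5)
    events += fail("WS042$", 120)   # machine account, dropped by -user=*$
    events += [{"labels": {"User", "Login", "Successful"}, "user": "alice", "host": "dc01"}] * 10
    events += [{"labels": FAIL_LABELS, "user": "", "host": "dc01"}] * 3   # no user, dropped by user=*
    return events

def failed_logins_above_threshold(events, threshold=50, limit=10):
    """Mirror of:
       label=User label=Login label=Fail -user=*$ user=*
       | chart count() as "Count" by user order by "Count" desc limit 10
       | search "Count">50
    Returns [(user, count), ...] sorted by count descending."""
    counts = Counter()
    for ev in events:
        user = ev.get("user")
        if not user or user.endswith("$"):   # user=* and -user=*$
            continue
        if not FAIL_LABELS <= ev["labels"]:  # all three labels must be present
            continue
        counts[user] += 1
    # Same order as the query: the top-N cut happens before the threshold
    # search, so only users inside the top `limit` can ever be reported.
    top = counts.most_common(limit)
    return [(user, n) for user, n in top if n > threshold]

if __name__ == "__main__":
    for user, n in failed_logins_above_threshold(make_events()):
        print(f"{user}: {n} failed logins")
```

Because `limit 10` runs before `search "Count">50`, an eleventh account with more than 50 failures would be silently dropped; raising the limit or applying the threshold first avoids that blind spot.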

02 Account management

Monitoring of user account creation, deletion and other account changes, to keep track of resource and system access privileges.

User account creation

norm_id=WinServer* label=User label=Account label=Management label=Create -target_user=*$ -user=*$ | chart count() by log_ts, domain, user, action, target_user order by count() desc limit 10

User Account Deletion LogPoint Dashboard

User account deletion

norm_id=WinServer* label=User label=Account label=Management (label=Delete OR label=Remove) -target_user=*$ -user=*$ | chart count() by log_ts, domain, user, action, target_user order by count() desc limit 10

User Account Enabled LogPoint Dashboard

User account enabled

norm_id=WinServer* label=User label=Account label=Management label=Enable -target_user=*$ -user=*$ | chart count() by log_ts, domain, user, action, target_user order by count() desc limit 10


03 Connection activities

Monitoring of connection activities to provide an overview of network connections by status, origin and direction: whether a connection was allowed or denied, the host name, the source and destination country, and the direction of the connection.

Top 10 Allowed Inbound Connection by Location LogPoint Dashboard

Allowed inbound connections by location

label=Connection label=Allow -source_address IN HOMENET source_address=* destination_address IN HOMENET | process geoip(source_address) as country | chart count() by country order by count() desc limit 10

Top 10 Allowed Outbound Connection by Location LogPoint Dashboard

Allowed outbound connections by location

label=Connection label=Allow source_address IN HOMENET destination_address=* -destination_address IN HOMENET | process geoip(destination_address) as country | chart count() by country order by count() desc limit 10

Top 10 Denied Inbound Connection by Location LogPoint Dashboard

Denied inbound connections by location

label=Connection label=Deny -source_address IN HOMENET source_address=* destination_address IN HOMENET | process geoip(source_address) as country | chart count() by country order by count() desc limit 10

Top 10 Denied Outbound Connection by Location LogPoint Dashboard

Denied outbound connections by location

label=Connection label=Deny source_address IN HOMENET destination_address=* -destination_address IN HOMENET | process geoip(destination_address) as country | chart count() by country order by count() desc limit 10

Top 10 Denied Internal Connections by IP LogPoint Dashboard

Denied internal connections by IP/hostname

norm_id=* label=Connection label=Deny source_address=* destination_address=* source_address in HOMENET destination_address in HOMENET | chart count() by source_address, destination_address order by count() desc limit 10

04 Policy-related activities

Monitoring and detecting policy changes such as audit, authentication, authorization, filtering and many more.

Password Ageing by User LogPoint Dashboard

Password ageing by user

Table AD_Users pwdLastSet=* -pwdLastSet=0 | process current_time(a) as time | chart max((time - (pwdLastSet/10000000 - 11644473600))/60/60/24) as number_of_days, max(pwdLastSet/10000000 - 11644473600) as pwdLastSet_ts by sAMAccountName | search number_of_days>30
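As an added illustration (not code from LogPoint's page or product), the password-ageing query's conversion of Active Directory `pwdLastSet` (100-nanosecond ticks since 1601-01-01) to a Unix timestamp, and the 30-day check, re-implemented in Python over constructed AD_Users records:

```python
# Constants behind "pwdLastSet/10000000 - 11644473600" in the query
FILETIME_TICKS_PER_SECOND = 10_000_000      # pwdLastSet counts 100-ns intervals
FILETIME_UNIX_OFFSET = 11_644_473_600       # seconds from 1601-01-01 to 1970-01-01
SECONDS_PER_DAY = 60 * 60 * 24

def filetime_to_unix(pwd_last_set: int) -> int:
    """pwdLastSet/10000000 - 11644473600, as in the query."""
    return pwd_last_set // FILETIME_TICKS_PER_SECOND - FILETIME_UNIX_OFFSET

def unix_to_filetime(ts: int) -> int:
    """Inverse conversion, used here only to build the constructed records."""
    return (ts + FILETIME_UNIX_OFFSET) * FILETIME_TICKS_PER_SECOND

def password_ageing(ad_users, now_ts, max_days=30):
    """Mirror of the Password ageing query: skip pwdLastSet=0 (password never
    set or must be changed at next logon), keep the newest pwdLastSet per
    sAMAccountName, and report accounts whose password is older than max_days.
    Returns [(sAMAccountName, number_of_days, pwdLastSet_ts)], oldest first."""
    latest = {}
    for rec in ad_users:
        pls = rec.get("pwdLastSet")
        if not pls:                              # pwdLastSet=* -pwdLastSet=0
            continue
        name = rec["sAMAccountName"]
        latest[name] = max(latest.get(name, 0), filetime_to_unix(pls))
    stale = []
    for name, ts in latest.items():
        number_of_days = (now_ts - ts) / SECONDS_PER_DAY
        if number_of_days > max_days:            # search number_of_days>30
            stale.append((name, number_of_days, ts))
    return sorted(stale, key=lambda row: row[1], reverse=True)

NOW = 1_709_251_200   # constructed "current_time": 2024-03-01 00:00:00 UTC
AD_USERS = [          # constructed directory records, not real accounts
    {"sAMAccountName": "alice", "pwdLastSet": unix_to_filetime(1_704_067_200)},  # 2024-01-01
    {"sAMAccountName": "bob", "pwdLastSet": unix_to_filetime(1_708_387_200)},    # 2024-02-20
    {"sAMAccountName": "svc-backup", "pwdLastSet": 0},                           # must change at next logon
]

if __name__ == "__main__":
    for name, days, ts in password_ageing(AD_USERS, NOW):
        print(f"{name}: password last set {ts} ({days:.0f} days ago)")
```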

Users Authentication from Multiple Sources LogPoint Dashboard

Users authentication from multiple sources

norm_id=* label=User (label=Login OR label=Authentication) source_address=* -user=*$ user=* | chart distinct_count(source_address) as UniqueSource by user order by UniqueSource desc limit 10 | search UniqueSource>1

05 Threat, malware, and vulnerability detection

Activities related to threats, such as indicators of compromise, malware infections and identification of vulnerable systems.

LogPoint Identification of Threat Actors Dashboard

Identification of threat indicators

norm_id=* source_address=* -source_address in HOMENET | process ti(source_address) | rename et_category as category, cs_category as category, et_score as score, cs_score as score | chart count() by source_address, category, score order by score desc limit 10


Identification of vulnerable sources

(col_type=qualys_fetcher OR col_type=tenablesecuritycenter_fetcher OR norm_id=VulnerabilityManagement) (severity=4 OR severity=5) source_address=* | rename title as vulnerability | chart count() by source_address, vulnerability order by count() desc

Failed Malware Cleaning LogPoint Dashboard

Failed malware cleaning

norm_id=* label=Malware label=Clean label=Fail malware=* | chart count() by host, malware order by count() desc limit 10


06 Operational insights

Activities related to monitoring day-to-day operational activities, such as inbound and outbound data usage or data usage by specific applications.