There are 26 base use cases every SIEM should run that find Indicators of Compromise (IOCs) on machines.
They follow two basic patterns - Everything Counts in Large Amounts and Do Any Two Things Wrong, Go to the Top of the List.
Success After Fail is another common pattern. Most vendor content overcomplicates the rules and has too many that can be detected by these simple rules with 90+% fidelity.
You can also find four SANS Gold Papers under my name at sans.org/rr that cover compliance, reporting, continuous improvement, etc., and have the full list of the use cases and their triggers.
- Repeat Attack - Firewall
- Repeat Attack - IDS
- Repeat Attack - HIPS
- Repeat Attack - Failed Login - Source
- Repeat Attack - Failed Login - Account
- Repeat Attack - WCF/Proxy
- Repeat Attack - FIM
- Repeat Attack - Foreign Source
- Possible Outbreak - Excessive Connections
- Suspicious Event - Security Log Cleared
- Suspicious Event - Executable Post to Web Server
- Virus or Spyware Detected
- Malicious Source Detected IP or URL (FireEye, Damballa…)
- Known Attacker in Network
- Traffic to Known Attacker
- Successful Login After Multiple Failed Logins
- Firewall Allow after Repetitive Drops
- System Monitor - Log Source Stopped Sending Events
Consultant at a tech services company with 11-50 employees
Real User
Aug 3, 2022
Find out what your peers are saying about Splunk, Microsoft, Wazuh and others in Security Information and Event Management (SIEM). Updated: November 2024.
Some of the use cases that are important and a good start would be:
- Authentication activities
- Account management
- Connection activities
- Policy-related activities
Some of the top use cases for SIEM:
1. Authentication activities
Security use cases should ensure that only legitimate users have access to the network. Implement use cases to detect attacks such as brute-force attacks that target user credentials. Monitor the frequency of failed and successful logins to critical systems and report failed login attempts above the set threshold.
Other activities to monitor would include logins attempted at strange hours, multiple logins from the same IP address, and modifications to system files.
Raise alerts and generate reports as soon as suspicious authentication activity is detected. Having timely and detailed information about the attack helps security officers determine the impact of a compromised account and prevent additional damage.
2. Account management
Attackers know that privileged user credentials will give them greater access to sensitive data and important corporate resources. Account management security use cases should provide full visibility on privileged accounts and detect activities that indicate account misuse.
Monitor user account creation and deletion, and activities related to system and resource access. Keep an eye out for sudden activity on inactive accounts and increased activity around sensitive data.
Use cases should also flag the unusual escalation of privileges, unauthorized access to shared folders, and any unusual behavior that points to stolen user credentials like employees trying to access data or systems they rarely use.
3. Connection activities
As remote work environments become the norm, it’s crucial to pay closer attention to connection activities related to routers, ports, wireless access points, etc. across the company network.
Your use cases should ensure that remote connections are coming from the expected locations and send alerts for suspicious locations or concurrent VPN connections. Identify and report on connections, both allowed and denied, and provide detailed information on connection attempts such as hostname, source country, destination country, and direction.
4. Policy-related activities
Regulatory bodies such as HIPAA, GDPR, and PCI-DSS require specific procedures related to data integrity and confidentiality. These procedures are usually well documented, making it easy to create use cases based on the rules and regulations outlined.
Create use cases that monitor the underlying security controls that enforce compliance. Monitor log files, changes to credentials and events related to personal data, and policy changes related to audits, authentication, authorization, etc. Flag unauthorized changes to configuration files and deleted audit trails.
5. Threat, malware, and vulnerability detection
SIEM is a vital part of threat detection. Use cases created should detect indicators of compromise, malware infections, and system vulnerabilities. Look for activities that suggest malware, like unusual network traffic spikes and queries to known malware domains and IP addresses.
Forensic analysis of historical data and threat intelligence feeds can also identify patterns that can expose past or ongoing threat behavior. SIEM use cases can also test for known risks using aggregated data from the SIEM system.
Most of the use cases and the links to the reference papers are on Wikipedia under SIEM here: https://en.wikipedia.org/wiki/...
@David Swift thank you very much for this meaningful answer and for sharing it with our community members, after commenting on LI earlier.
It really depends on your environment.
As none of us knows what Azure services you are using, it's hard to come up with hard/direct answers to your question.
In general, however, it’s always a good idea to monitor identities and the security policies around identities i.e. sign-in/audit logs from Azure Active Directory.
Also, keep in mind not every log type is super important to run through a SIEM solution.
Also, I would recommend you start out slow/small.
Is it Microsoft Sentinel you have implemented? If that’s the case, enable UEBA and Analytic Rules that require those specific log types.
From my perspective, the SIEM is the first move towards the more clever SOAR “approach”.
@Soren
cc: @Chiheb Chebbi
Thanks for your answer regarding SIEM.
As to your last sentence regarding SOAR, I have a question: do you think the next step is to move to SOAR (and not an XDR tool), if the company's budget permits?
Also, do you know whether a separate SOAR product will still be required in the case of an XDR solution?
Thanks.
- Detect unusual/suspicious logins. For example, you can count the number of failed login attempts within a given time.
- Detect abnormal traffic which might indicate potential C2 traffic.
- Detect attempts to access your systems/network from unusual locations / IPs.
- Monitor and detect unusual behaviors of user accounts, to dig out potential insider threats and abuse of orphan accounts or system accounts.
- Detect phishing attacks by identifying user accounts that communicate with malicious domains.
Threat intelligence comes in handy in this aspect.
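The failed-login counting described in the first bullet above, and the Repeat Attack / Success After Fail / "Do Any Two Things Wrong" patterns from David Swift's answer, written out as an added Python example (not code from any post in this thread). The event tuple format, the 10-minute window and the thresholds are assumptions; a real deployment would tune them per environment:

```python
from collections import defaultdict
from datetime import datetime, timedelta
FMT = "%Y-%m-%dT%H:%M:%SZ"
# Constructed sample authentication events, not real logs: (timestamp, source IP, account, outcome)
EVENTS = [
    ("2022-08-03T15:00:00Z", "10.0.0.5", "alice", "fail"),
    ("2022-08-03T15:00:30Z", "10.0.0.5", "alice", "success"),  # one typo, then success: benign
    ("2022-08-03T15:01:00Z", "10.0.0.99", "bob", "fail"),
    ("2022-08-03T15:01:10Z", "10.0.0.99", "bob", "fail"),
    ("2022-08-03T15:01:20Z", "10.0.0.99", "bob", "fail"),
    ("2022-08-03T15:02:00Z", "10.0.0.99", "bob", "success"),   # success right after a burst of failures
]
WINDOW, FAIL_THRESHOLD = timedelta(minutes=10), 3  # assumed tuning values; adjust per environment

def repeat_attack(events, key_index, threshold=FAIL_THRESHOLD, window=WINDOW):
    # "Everything Counts in Large Amounts": flag a source (key_index 0) or account (key_index 1) with >= threshold failures in a sliding window
    flagged, fails = set(), defaultdict(list)
    for ts, src, acct, outcome in sorted(events):
        if outcome == "fail":
            key, t = (src, acct)[key_index], datetime.strptime(ts, FMT)
            bucket = fails[key]
            bucket.append(t)
            while t - bucket[0] > window:  # expire failures older than the window
                bucket.pop(0)
            if len(bucket) >= threshold:
                flagged.add(key)
    return flagged

def success_after_fail(events, min_fails=2, window=WINDOW):
    # "Success After Fail": a successful login preceded by >= min_fails recent failures on the same account
    hits, recent = [], defaultdict(list)
    for ts, src, acct, outcome in sorted(events):
        t, bucket = datetime.strptime(ts, FMT), recent[acct]
        while bucket and t - bucket[0] > window:
            bucket.pop(0)
        if outcome == "fail":
            bucket.append(t)
        elif len(bucket) >= min_fails:
            hits.append((acct, src, ts))
            bucket.clear()  # report once per burst
    return hits

def prioritize(events):
    # "Do Any Two Things Wrong, Go to the Top of the List": rank sources by the distinct rules they trip
    rules = defaultdict(set)
    for src in repeat_attack(events, 0):
        rules[src].add("repeat_source")
    for _, src, _ in success_after_fail(events):
        rules[src].add("success_after_fail")
    return sorted(((s, sorted(r)) for s, r in rules.items()), key=lambda x: -len(x[1]))
```

Running `prioritize(EVENTS)` puts the one source that trips both rules at the top, while the single benign typo from alice never reaches any threshold.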
That's excellent, @Chiheb Chebbi.
Now you would want to see if all your Windows environments have been configured to send all the logs, especially on the endpoint level. Ensure you get all the authentication logs at the very least. You could opt to get the OS level audit logs to help with a further advanced use case, such as Threat Hunting.
If you are using Office 365, ensure you have enabled the integration for the account activities, including fine-grained audit logs for all your file-sharing activities.
Very good and impactful use cases would be the following ones:
1. User Behaviour Analysis
Monitor your employees' access behaviour and see if there are any probes for brute force by identifying a high amount of authentication failures.
2. Data Leak Prevention Analysis
Monitor whether your file sharing is controlled for internal activities and which shares are set for public sharing (outside the organization).
3. Threat Hunting Analysis
Understand several key attack indicators which leverage Windows-specific utilities such as the SMB protocol, RDP, and privilege escalation on your Windows OS.
If you have vulnerability assessment tools and can integrate the results into your SIEM, ensure that your SIEM helps with proactive patch management: identify the CVE landscape of your specific Windows environment, correlate it with the potential attack logs, and patch accordingly to prevent a cyber attack.
My expertise is based on Microsoft products: Defender 365 (the Defender suite) and Microsoft Sentinel (SIEM/SOAR).
I would never leave the “automated response” approach (SOAR), but I also see XDR and SOAR as tools that complement each other.
It’s actually a tough question to answer, but there is a rather good article here (hopefully, you will find it helpful): https://www.crowdstrike.com/cybersecurity-101/what-is-xdr/xdr-vs-siem-vs-soar/
Use cases for SIEM Deployment:
1. Detecting compromised user credentials
2. Tracking system changes
3. Detecting unusual behavior on privileged accounts
4. Secure cloud-based applications
5. Phishing detection
6. Monitoring loads and uptimes
7. Log Management
8. SIEM for GDPR, HIPAA, or PCI compliance
9. Threat Hunting
10. SIEM for automation
Ace Managed SIEM provides real-time security alerts and in-depth network visibility with a state-of-the-art dashboard. Your environment is protected with 24/7 monitoring and AI-powered forensic analysis.