Security Information and Event Management (SIEM) solutions are an important tool in a modern day security team’s arsenal, providing visibility into suspicious activity and attack attempts.
They help teams continually assess an organization’s security posture and identify areas of focus to fortify defenses. SIEM monitoring and event correlation bubble up suspicious activity for investigation. SIEM rules are developed to fulfil the required use cases. We can define a use case as a business requirement or a (security) problem that needs to be solved.
Modern next-generation SIEM use cases can be categorized as:
1. Core Use Cases
2. Advanced Use Cases
3. Profiler/ML Based (Intelligent) Use Cases
Not all SIEM correlation rules and use cases are created equal, and it is hard to find a SIEM that supports core, advanced and intelligent use cases at an affordable price. SureLog SIEM supports all of those use cases [1].
Sample SIEM Core Use Cases:
• Detect brute force attack
• Detect pass the hash
• Detect golden ticket
• Detect failed logins above a threshold
• Monitor user account creation
• Monitor user account deletion
• Monitor user account enabled
• Monitor allowed inbound connections by location (using threat intelligence)
• Monitor allowed inbound connections by location (white/black list)
• Monitor allowed outbound connections by location (using threat intelligence)
• Monitor allowed outbound connections by location (white/black list)
• Monitor denied outbound connections by location (using threat intelligence)
• Monitor denied outbound connections by location (white/black list)
• Monitor denied internal connections by ip/hostname
• Detect same user authentication from multiple sources
• Identify threat indicators
• Detect failed malware cleaning
• Monitor inbound data usage
• Monitor outbound data usage
• Monitor data usage by application
• Detect SSHD authentication on Linux
• Detect successful authentication after brute force
• Detect repeated login failure
• MySQL authentication bypass through a zero-length password
• Account deletion after DoS attack
• Detect attempts to compromise user credentials
• Detect self escalation
• Detect short-lived accounts
• Detect instances of denial of service, such as an abnormal number of requests from multiple ports or from the same IP address
• Suspicious file type download (executable, DLL, archive file, …)
• Suspicious mail headers (Intel based)
• Mismatched HREF attribute
• Concurrent logins from Multiple Locations
• Account activity from Blacklisted Locations
• Disabled account Logins
• Multiple account Lockouts
• Excessive authentication Failures
• Outbound traffic observed from servers to the Internet
• Outbound traffic involving Database
• Detection of virtual machine start/stop/resume/reboot
• Probable SQL injection attack observed
Core SIEM use cases are supported by nearly all SIEM solutions.
Sample SIEM Advanced Use Cases:
• Warn if a base64-formatted PowerShell command longer than 100 characters appears
• More than 3 password changes for the same user within 45 days
• Notify if there are more than 10 DNS requests within 5 minutes that have the same domain but different subdomains. Example: xxx.domain.com, yyy.domain.com
• Misuse of an account
• Lateral movement
• Executive only asset accessed by non-executive user
• Multiple VPN accounts with failed logins from a single IP
• First access to critical assets
• User access from multiple hosts
• User account created and deleted in a short period of time
• Monitor privileged accounts for suspicious activity
• Chained RDP connections
• RDP with unusual charset
• Multiple RDP from same host in short time
• Lateral movement following an attack
Advanced use cases are also supported by most SIEM solutions. SureLog SIEM supports those use cases [1].
Profiler/ML (intelligent) use cases combine advanced correlation, profiler and ML techniques to identify malicious behaviour such as data staging, infected hosts or account misuse.
There’s a common “myth” today that event correlation is no longer effective or necessary, that rules don’t have a place in the SIEM/SOC anymore. But that’s not necessarily the case. When done in real time, correlation gives you important context about the relationship between events and remains an effective way to quickly identify and respond to known threats. Profiler/ML SIEM use cases utilize rules, profiler and ML together.
Sample SIEM Profiler/ML(Intelligent) Use Cases:
• Report days on which a user accessed more assets than their 95th percentile daily count
• Look for a user whose HTTP-to-DNS protocol ratio is 300% higher than that of 95% of the other users, computed over the last four weeks for the 4th day of the week [1]
• Alert if a user’s ratio of failed to successful authentications reaches 10%
• Data loss detection by monitoring all endpoints for an abnormal volume of data egress
• Measure the similarity between well-known process names and running process names using Levenshtein distance in real time, and detect process masquerading [2]
• DGA detection [3]
• Detect attack Tools [4]
• Detect malware [5]
• Detect suspicious/malicious processes [5]
• Detect suspicious/malicious files [5]
• Detect suspicious/malicious services [5]
• Detect abnormal port used in outbound network connection from an asset [1]
• Abnormal number of assets logged on [1]
• Failed logon to an asset that a user has previously never logged on to [6]
• First time a user saves files to a USB drive
• First time a user performs an activity from a country
• First VPN connection from a device for a user
• First connection from a source IP
• First access to a device for a user
• First access to database MSSQL for peer group HR
• First access to database MSSQL for user
• First mail to/from a domain for the organization
• First access to this web domain which has been identified as risky by a reputation feed
• First execution of a process on a host
• First access to object fdghsdydhas
• First access from a host to a database for a user
• First access from source zone Atlanta office to a database for a user
• Suspicious temporary account activity
• Abnormal account administration
• Unusual account privilege escalation
• Unusual file modifications
• Abnormal password activity
Intelligent use cases are supported only by advanced, next-gen SIEM solutions; most SIEM solutions do not support them.
SureLog SIEM [1] supports all three:
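As an added illustration of the profiler-style use cases above (not code from this page or from SureLog), the Python sketch below implements three of them over constructed data: the per-user 95th-percentile baseline of distinct assets accessed per day, Levenshtein-distance comparison of running process names against a well-known list to surface masquerading, and a "never seen before" rule that flags the first time a user touches an asset after a learning period. The access-event tuples, the process list, the nearest-rank percentile method and the distance cut-off of 2 are assumptions made for the example.

```python
"""Added example (not SureLog code): percentile baselining, Levenshtein process
masquerade detection and first-seen access detection over constructed data."""
from collections import defaultdict
from math import ceil

# Constructed history for one user: 20 baseline days with 2-5 distinct assets per day,
# followed by one day on which 12 assets are touched. Events are (day, user, asset).
BASELINE_COUNTS = [2, 3, 3, 4, 2, 3, 5, 3, 4, 2, 3, 3, 4, 5, 2, 3, 4, 3, 2, 3]
ACCESS_EVENTS = [(f"2024-02-{d:02d}", "alice", f"srv{i}")
                 for d, n in enumerate(BASELINE_COUNTS, 1) for i in range(1, n + 1)]
ACCESS_EVENTS += [("2024-02-21", "alice", f"srv{i}") for i in range(1, 13)]

def percentile_nearest_rank(values, p):
    """Nearest-rank percentile: the value at position ceil(p/100 * n) of the sorted data."""
    s = sorted(values)
    return s[max(0, ceil(p / 100 * len(s)) - 1)]

def days_above_user_percentile(events, p=95):
    """Profiler rule: days on which a user accessed more distinct assets than that
    user's own p-th percentile. Returns (user, day, count, threshold)."""
    per_user_day = defaultdict(lambda: defaultdict(set))
    for day, user, asset in events:
        per_user_day[user][day].add(asset)
    findings = []
    for user, days in per_user_day.items():
        counts = {day: len(assets) for day, assets in days.items()}
        thr = percentile_nearest_rank(counts.values(), p)
        findings += [(user, day, n, thr) for day, n in sorted(counts.items()) if n > thr]
    return findings

def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) with a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

# Assumed allow-list of well-known process names and a constructed process snapshot.
KNOWN_PROCESSES = ["svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"]
RUNNING_PROCESSES = ["svchost.exe", "svch0st.exe", "lsasss.exe", "notepad.exe", "scvhost.exe"]

def masquerade_candidates(running, known=KNOWN_PROCESSES, max_distance=2):
    """Process-masquerade rule: names that are close to, but not equal to, a well-known name."""
    hits = []
    for name in running:
        n = name.lower()
        if n in known:
            continue  # exact match is the legitimate process
        for k in known:
            d = levenshtein(n, k)
            if 0 < d <= max_distance:
                hits.append((name, k, d))
    return hits

def first_time_access(events, cutoff_day):
    """Never-seen-before rule: the first (user, asset) pair observed on or after
    cutoff_day, given everything before it as the learning period."""
    seen = set()
    findings = []
    for day, user, asset in sorted(events, key=lambda e: e[0]):
        if (user, asset) in seen:
            continue
        seen.add((user, asset))
        if day >= cutoff_day:  # ISO dates compare correctly as strings
            findings.append((day, user, asset))
    return findings

if __name__ == "__main__":
    print(days_above_user_percentile(ACCESS_EVENTS))
    print(masquerade_candidates(RUNNING_PROCESSES))
    print(first_time_access(ACCESS_EVENTS, "2024-02-21"))
```

The percentile rule derives its threshold from the user's own history, so a user who routinely touches many assets is not compared against a fleet-wide constant; the masquerade check deliberately excludes exact matches, since distance 0 is the genuine process and only near-misses are interesting.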
1. Core Use Cases
2. Advanced Use Cases
3. Profiler/ML(Intelligent) Based Use Cases
References
1. http://www.anet-canada.ca/
2. http://anet-canada.ca/2019/10/12/hunting-critical-process-masquerade-using-surelog-siem/
3. http://anet-canada.ca/2019/10/05/domain-generation-algorithm-dga-detection-in-surelog/
4. http://anet-canada.ca/2019/11/02/detecting-top-4-tools-used-by-cyber-criminals-recently-with-surelog/
5. http://anet-canada.ca/2019/10/22/hunting-malware-and-viruses-by-detecting-random-strings-using-surelog-siem/
6. https://medium.com/@eakbas/never-seen-before-type-of-rules-with-surelog-siem-cb3c0a7dc0c3