Not all security information and event management (SIEM) use cases are equally important, yet use cases are the most important feature of a SIEM. The following are samples of the SIEM use cases and behaviours that SureLog can detect in your infrastructure.
SureLog Use Cases:
• Warn if a PowerShell command containing a base64-encoded argument longer than 100 characters appears
• Detect password changes for the same user more than 3 times within 30 days
• Notify if there are more than 10 DNS requests within 5 minutes that share the same domain but use different subdomains. Example: xxx.domain.com, yyy.domain.com
• Return the days on which a user accessed more assets than their own 95th-percentile daily count
• Look for a user whose HTTP-to-DNS protocol ratio is 300% higher than that of 95% of the other users, comparing the ratio for the fourth day of the week over the last four weeks
• Detect domain generation algorithm (DGA) activity
• Alert if a user's ratio of failed to successful authentications is 10%
• Detect process masquerading
• Detect malware (*)
* http://anet-canada.ca/2019/10/22/hunting-malware-and-viruses-by-detecting-random-strings-using-surelog-siem/
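As a worked illustration of the DNS subdomain use case above, here is an added example (not SureLog's own code) of a sliding-window detector run over constructed DNS query log lines. The log line format, the client addresses and the domain names are all assumptions; the "domain" is approximated as the last two labels of the queried name.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
THRESHOLD = 10  # fire when MORE than this many distinct names of one domain fall in the window


def registered_domain(fqdn):
    # Assumption: the "domain" is the last two labels (no public-suffix list is used).
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def find_subdomain_bursts(log_lines):
    """Each line: '<ISO timestamp> <client ip> <queried name>' (constructed format).
    Returns one (domain, time, distinct_count) tuple per burst that crosses THRESHOLD."""
    recent = defaultdict(deque)   # domain -> (timestamp, name) pairs inside the window
    active = set()                # domains already alerted for the current burst
    alerts = []
    for line in sorted(log_lines):  # ISO-8601 timestamps sort correctly as text
        ts_text, _client, name = line.split()
        ts = datetime.fromisoformat(ts_text)
        domain = registered_domain(name)
        window = recent[domain]
        window.append((ts, name.lower()))
        while ts - window[0][0] > WINDOW:  # drop queries older than five minutes
            window.popleft()
        distinct = len({n for _, n in window})
        if distinct > THRESHOLD:
            if domain not in active:  # alert once per burst, re-arm when it subsides
                alerts.append((domain, ts, distinct))
                active.add(domain)
        else:
            active.discard(domain)
    return alerts


def constructed_sample_log():
    # Constructed sample: two clients, twelve queries each, inside three minutes.
    base = datetime(2023, 6, 15, 9, 0, 0)
    lines = []
    for i in range(12):
        t = (base + timedelta(seconds=15 * i)).isoformat()
        # Twelve different labels under one domain: matches the use case.
        lines.append(f"{t} 10.0.0.5 host{i:02d}.suspicious-example.com")
        # Twelve repeats of the same name: same volume, but not the behaviour described.
        lines.append(f"{t} 10.0.0.7 www.benign-example.org")
    return lines


if __name__ == "__main__":
    for domain, when, count in find_subdomain_bursts(constructed_sample_log()):
        print(f"ALERT {when}: {count} distinct subdomains of {domain} within 5 minutes")
```

The repeated queries for one name never trip the rule, which is the point of the "different subdomains" condition: volume alone is not the signal.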

Published On: June 15th, 2023 / Categories: Blog /