2021-08-10T10:22:00Z
Chiheb Chebbi - PeerSpot reviewer
Defender with 501-1,000 employees

What are the top use cases to implement after deploying a SIEM?

Hi community,

Once a SIEM is deployed successfully, what are the top use cases you'd recommend to implement for the Microsoft environment? 

Thank you in advance!

8 Answers
Shibu Babuchandran - PeerSpot reviewer
Regional Manager/ Service Delivery Manager at ASPL INFO Services
Real User
ExpertModerator
2021-08-10T14:35:41Z

Some of the use cases that are important and a good start would be:

- Authentication activities
- Account management
- Connection activities
- Policy-related activities

Shibu Babuchandran - PeerSpot reviewer
Regional Manager/ Service Delivery Manager at ASPL INFO Services
Real User
ExpertModerator
2021-08-17T14:34:28Z

Some of the top use cases for SIEM:

1. Authentication activities

Security use cases should ensure that only legitimate users have access to the network. Implement use cases to detect attacks such as brute-force attacks that target user credentials. Monitor the frequency of failed and successful logins to critical systems and report failed login attempts above the set threshold.

Other activities to monitor would include logins attempted at strange hours, multiple logins from the same IP address, and modifications to system files.

Raise alerts and generate reports as soon as suspicious authentication activity is detected. Having timely and detailed information about the attack helps security officers determine the impact of a compromised account and prevent additional damage.

2. Account management

Attackers know that privileged user credentials will give them greater access to sensitive data and important corporate resources. Account management security use cases should provide full visibility on privileged accounts and detect activities that indicate account misuse.

Monitor user account creation and deletion, and activities related to system and resource access. Keep an eye out for sudden activity on inactive accounts and increased activity around sensitive data.

Use cases should also flag the unusual escalation of privileges, unauthorized access to shared folders, and any unusual behavior that points to stolen user credentials, like employees trying to access data or systems they rarely use.

3. Connection activities

As remote work environments become the norm, it's crucial to pay closer attention to connection activities related to routers, ports, wireless access points, etc. across the company network.

Your use cases should ensure that remote connections are coming from the expected locations and send alerts for suspicious locations or concurrent VPN connections. Identify and report on connections, both allowed and denied, and provide detailed information on connection attempts such as hostname, source country, destination country, and direction.

4. Policy-related activities

Regulatory bodies such as HIPAA, GDPR, and PCI-DSS require specific procedures related to data integrity and confidentiality. These procedures are usually well documented, making it easy to create use cases based on the rules and regulations outlined.

Create use cases that monitor the underlying security controls that enforce compliance. Monitor log files, changes to credentials and events related to personal data, and policy changes related to audits, authentication, authorization, etc. Flag unauthorized changes to configuration files and deleted audit trails.

5. Threat, malware, and vulnerability detection

SIEM is a vital part of threat detection. The use cases created should detect indicators of compromise, malware infections, and system vulnerabilities. Look for activities that suggest malware, like unusual network traffic spikes and traffic queries to known malware domains and IP addresses.

Forensic analysis of historical data and threat intelligence feeds can also identify patterns that can expose past or ongoing threat behavior. SIEM use cases can also test for known risks using aggregated data from the SIEM system.
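The authentication use case in point 1 (failed logins above a threshold, and a success following a burst of failures) is easy to describe and easy to get subtly wrong, so here it is as a small reference implementation. This is an added example by the editor, not code from the answer above or from any SIEM product; the sample events are constructed to look like Windows Security log records (event 4625 = failed logon, 4624 = successful logon), and the threshold and window values are assumptions you would tune per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security log events
# (4625 = failed logon, 4624 = successful logon). Not real data.
SAMPLE_EVENTS = [
    {"ts": "2021-08-17T09:00:01Z", "event_id": 4625, "account": "jdoe", "src_ip": "203.0.113.7", "host": "DC01"},
    {"ts": "2021-08-17T09:00:02Z", "event_id": 4625, "account": "jdoe", "src_ip": "203.0.113.7", "host": "DC01"},
    {"ts": "2021-08-17T09:00:03Z", "event_id": 4625, "account": "jdoe", "src_ip": "203.0.113.7", "host": "DC01"},
    {"ts": "2021-08-17T09:00:04Z", "event_id": 4625, "account": "jdoe", "src_ip": "203.0.113.7", "host": "DC01"},
    {"ts": "2021-08-17T09:00:05Z", "event_id": 4625, "account": "jdoe", "src_ip": "203.0.113.7", "host": "DC01"},
    {"ts": "2021-08-17T09:00:06Z", "event_id": 4625, "account": "jdoe", "src_ip": "203.0.113.7", "host": "DC01"},
    {"ts": "2021-08-17T09:00:10Z", "event_id": 4624, "account": "jdoe", "src_ip": "203.0.113.7", "host": "DC01"},
    {"ts": "2021-08-17T09:02:00Z", "event_id": 4625, "account": "asmith", "src_ip": "10.0.0.5", "host": "DC01"},
    {"ts": "2021-08-17T09:02:05Z", "event_id": 4624, "account": "asmith", "src_ip": "10.0.0.5", "host": "DC01"},
]

FAIL_THRESHOLD = 5             # assumption: failures within WINDOW that count as a repeat attack
WINDOW = timedelta(minutes=5)  # assumption: sliding window length


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _expire(queue, now, window):
    """Drop timestamps that have fallen out of the sliding window."""
    while queue and now - queue[0] > window:
        queue.popleft()


def detect_auth_abuse(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts for three base rules:
    - repeated failed logons from one source IP
    - repeated failed logons against one account
    - a successful logon for an account that had crossed the failure threshold
    Events may arrive out of order; they are sorted by timestamp first.
    """
    failures_by_source = defaultdict(deque)
    failures_by_account = defaultdict(deque)
    already_alerted = set()   # one alert per (rule, key); a real SIEM would use a suppression window
    alerts = []

    for e in sorted(events, key=lambda ev: parse_ts(ev["ts"])):
        now = parse_ts(e["ts"])
        if e["event_id"] == 4625:
            checks = (
                ("failed_login_source", e["src_ip"], failures_by_source[e["src_ip"]]),
                ("failed_login_account", e["account"], failures_by_account[e["account"]]),
            )
            for rule, key, queue in checks:
                queue.append(now)
                _expire(queue, now, window)
                if len(queue) >= threshold and (rule, key) not in already_alerted:
                    already_alerted.add((rule, key))
                    alerts.append({"rule": rule, "key": key, "count": len(queue), "ts": e["ts"]})
        elif e["event_id"] == 4624:
            queue = failures_by_account[e["account"]]
            _expire(queue, now, window)
            if len(queue) >= threshold:
                # Success after N failures is the high-fidelity signal: the guess worked.
                alerts.append({"rule": "success_after_failures", "key": e["account"],
                               "count": len(queue), "src_ip": e["src_ip"], "ts": e["ts"]})
                queue.clear()   # treat the account as compromised and start counting afresh
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_abuse(SAMPLE_EVENTS):
        print(alert)
```

Two points worth carrying over into whatever rule language your SIEM uses: count per source and per account separately (password spraying shows up per source, a targeted guess per account), and keep the failure history after the repeat-attack alert fires so the success-after-failure rule can still see it.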

Real User
Top 5
2021-08-24T13:54:36Z

There are 26 base use cases every SIEM should run that find Indicators of Compromise (IOCs) on machines.

They follow two basic patterns: Everything Counts in Large Amounts, and Do Any Two Things Wrong, Go to the Top of the List.

Success After Fail is another common pattern. Most vendor content overcomplicates the rules and has too many that can be detected by these simple rules with 90+% fidelity.

Most of the use cases and the links to the reference papers are on Wikipedia under SIEM here: https://en.wikipedia.org/wiki/...

You can also find four SANS Gold Papers under my name at sans.org/rr that cover compliance, reporting, continuous improvement, etc. and have the full list of the use cases and their triggers.

Repeat Attack - Firewall
Repeat Attack - IDS
Repeat Attack - HIPS
Repeat Attack - Failed Login - Source
Repeat Attack - Failed Login - Account
Repeat Attack - WCF/Proxy
Repeat Attack - FIM
Repeat Attack - Foreign Source
Possible Outbreak - Excessive Connections
Suspicious Event - Security Log Cleared
Suspicious Event - Executable Post to Web Server
Virus or Spyware Detected
Malicious Source Detected IP or URL (FireEye, Damballa…)
Known Attacker in Network
Traffic to Known Attacker
Successful Login After Multiple Failed Logins
Firewall Allow after Repetitive Drops
System Monitor - Log Source Stopped Sending Events
High Threat Attack on Vulnerable Asset
Possible Outbreak - Multiple Infected Hosts
Repeat Attack - Multiple Detection Sources

Evgeny Belenky - PeerSpot reviewer
Director of Community at PeerSpot (formerly IT Central Station)
Community Manager
Aug 25, 2021

@David Swift thank you very much for this meaningful answer and for sharing it with our community members, after commenting on LI earlier.

SA
Consultant at a tech services company with 11-50 employees
Real User
Top 5
2022-08-03T15:04:30Z

It really depends on your environment.

As none of us knows what Azure services you are using, it's hard to come up with hard/direct answers to your question.

In general, however, it's always a good idea to monitor identities and the security policies around identities, i.e. sign-in/audit logs from Azure Active Directory.

Also, keep in mind not every log type is super important to run through a SIEM solution.

Also, I would recommend you start out slow/small.

Is it Microsoft Sentinel you have implemented? If that's the case, enable UEBA and Analytic Rules that require those specific log types.

From my perspective, the SIEM is the 1st move towards the more clever SOAR "approach".

Evgeny Belenky - PeerSpot reviewer
Director of Community at PeerSpot (formerly IT Central Station)
Community Manager
Aug 4, 2022

@Soren
cc: @Chiheb Chebbi

Thanks for your answer regarding SIEM. 

As to your last sentence regarding SOAR, I have a question: do you think the next step is to move to SOAR (and not an XDR tool), if the company's budget permits?

Also, do you know whether a separate SOAR product will still be required in the case of an XDR solution? 

Thanks.
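The Azure AD sign-in monitoring recommended two posts up (and the "expected locations / concurrent connections" check in the connection-activities answer earlier) boils down to a couple of conditions over successful sign-ins. Here they are as an added example by the editor, not code from either answer and not a Sentinel analytics rule: the records are constructed, their field names are modelled on the columns of Microsoft Sentinel's SigninLogs table (TimeGenerated, UserPrincipalName, IPAddress, Location, ResultType, with 0 meaning success and 50126 the Azure AD code for invalid credentials) but simplified, and the expected-country set and one-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sign-in records. Field names follow Microsoft Sentinel's
# SigninLogs columns (ResultType 0 = success, 50126 = invalid credentials),
# but the rows are made up and heavily simplified.
SAMPLE_SIGNINS = [
    {"TimeGenerated": "2022-08-03T08:00:00Z", "UserPrincipalName": "jdoe@contoso.example",   "IPAddress": "198.51.100.10", "Location": "DK", "ResultType": 0},
    {"TimeGenerated": "2022-08-03T08:25:00Z", "UserPrincipalName": "jdoe@contoso.example",   "IPAddress": "203.0.113.44",  "Location": "NG", "ResultType": 0},
    {"TimeGenerated": "2022-08-03T09:00:00Z", "UserPrincipalName": "asmith@contoso.example", "IPAddress": "198.51.100.11", "Location": "DK", "ResultType": 0},
    {"TimeGenerated": "2022-08-03T09:05:00Z", "UserPrincipalName": "asmith@contoso.example", "IPAddress": "192.0.2.9",     "Location": "RU", "ResultType": 50126},
    {"TimeGenerated": "2022-08-03T12:00:00Z", "UserPrincipalName": "bk@contoso.example",     "IPAddress": "198.51.100.12", "Location": "SE", "ResultType": 0},
]

# Assumption: the countries this tenant's staff normally sign in from.
EXPECTED_COUNTRIES = {"DK", "SE"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def location_alerts(signins, expected=EXPECTED_COUNTRIES, window=timedelta(hours=1)):
    """Two checks over SUCCESSFUL sign-ins only:
    1. a success from a country outside `expected`
    2. two successes for the same user from different countries within `window`
       (a cheap stand-in for impossible-travel / concurrent-session detection)
    Failed sign-ins are left to the brute-force rule: a guess from abroad that
    did not work is not evidence about where the user is.
    """
    alerts = []
    last_success = {}                     # user -> (country, time of last success)
    for s in sorted(signins, key=lambda r: parse_ts(r["TimeGenerated"])):
        if s["ResultType"] != 0:
            continue
        user, country = s["UserPrincipalName"], s["Location"]
        now = parse_ts(s["TimeGenerated"])
        if country not in expected:
            alerts.append({"rule": "unexpected_country", "user": user, "country": country,
                           "ip": s["IPAddress"], "ts": s["TimeGenerated"]})
        prev = last_success.get(user)
        if prev and prev[0] != country and now - prev[1] <= window:
            alerts.append({"rule": "concurrent_distant_signins", "user": user,
                           "countries": [prev[0], country],
                           "minutes_apart": int((now - prev[1]).total_seconds() // 60)})
        last_success[user] = (country, now)
    return alerts


if __name__ == "__main__":
    for alert in location_alerts(SAMPLE_SIGNINS):
        print(alert)
```

The same two conditions are what you would express as a scheduled analytics rule over SigninLogs in Sentinel; the value of writing them out first is deciding, before touching the console, that failures are excluded and that the country allow-list is per tenant rather than per user.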

Robert Cheruiyot - PeerSpot reviewer
IT Security Consultant at Microlan Kenya Limited
Real User
Top 5, Leaderboard
2022-08-02T12:48:18Z

- Detect unusual/suspicious logins. For example, you can count the number of failed login attempts within a given time.

- Detect abnormal traffic which might indicate potential C2 traffic.

- Detect attempts to access your systems/network from unusual locations/IPs.

- Monitor and detect unusual behaviors of user accounts to dig out potential insider threats and abuse of orphan accounts or system accounts.

- Detect phishing attacks by identifying user accounts that communicate with malicious domains.

Threat intelligence comes in handy in this aspect.
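The C2-traffic and malicious-domain points in the answer above are two different detections: one needs a threat-intelligence list, the other does not. This added example by the editor (not code from the answer, and not any threat-intel product's matcher) shows both: indicator matching over proxy/DNS-style records, including parent-domain matching so a lookalike's subdomains are caught, and a beacon check that flags destinations contacted at near-constant intervals. Indicators, log records, hosts and thresholds are all constructed or assumed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed indicators standing in for a threat-intel feed. Not real IOCs.
INDICATORS = {
    "domains": {"login-m1crosoft.example", "bad.example"},
    "ips": {"192.0.2.66"},
}

# Constructed proxy/DNS-style records: which user on which host reached what.
# SRV-07 contacts 198.51.100.200 exactly every 60 s (a beacon shape);
# WS-042's traffic to 203.0.113.5 is bursty, like a person browsing.
SAMPLE_LOGS = [
    {"ts": "2022-08-02T10:00:00Z", "user": "jdoe",   "host": "WS-042", "dest_host": "cdn.login-m1crosoft.example", "dest_ip": "203.0.113.80"},
    {"ts": "2022-08-02T10:00:05Z", "user": "jdoe",   "host": "WS-042", "dest_host": "www.example.org", "dest_ip": "203.0.113.5"},
    {"ts": "2022-08-02T10:00:10Z", "user": "jdoe",   "host": "WS-042", "dest_host": "www.example.org", "dest_ip": "203.0.113.5"},
    {"ts": "2022-08-02T10:03:00Z", "user": "jdoe",   "host": "WS-042", "dest_host": "www.example.org", "dest_ip": "203.0.113.5"},
    {"ts": "2022-08-02T10:09:00Z", "user": "jdoe",   "host": "WS-042", "dest_host": "www.example.org", "dest_ip": "203.0.113.5"},
    {"ts": "2022-08-02T11:00:00Z", "user": "SYSTEM", "host": "SRV-07", "dest_host": "", "dest_ip": "198.51.100.200"},
    {"ts": "2022-08-02T11:01:00Z", "user": "SYSTEM", "host": "SRV-07", "dest_host": "", "dest_ip": "198.51.100.200"},
    {"ts": "2022-08-02T11:02:00Z", "user": "SYSTEM", "host": "SRV-07", "dest_host": "", "dest_ip": "198.51.100.200"},
    {"ts": "2022-08-02T11:03:00Z", "user": "SYSTEM", "host": "SRV-07", "dest_host": "", "dest_ip": "198.51.100.200"},
    {"ts": "2022-08-02T11:04:00Z", "user": "SYSTEM", "host": "SRV-07", "dest_host": "", "dest_ip": "198.51.100.200"},
    {"ts": "2022-08-02T11:30:00Z", "user": "asmith", "host": "WS-011", "dest_host": "files.bad.example", "dest_ip": "192.0.2.66"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _domain_hit(dest, domains):
    """Exact or parent-domain match: cdn.bad.example matches bad.example,
    but bad.example.com does not."""
    for d in domains:
        if dest == d or dest.endswith("." + d):
            return d
    return None


def ti_matches(logs, indicators):
    """Every record whose destination matches an indicator, one hit per
    indicator kind, so the analyst sees which user touched which IOC
    (the phishing case: a user resolving or visiting a known-bad domain)."""
    hits = []
    for rec in logs:
        d = _domain_hit(rec["dest_host"], indicators["domains"]) if rec["dest_host"] else None
        if d:
            hits.append({"user": rec["user"], "host": rec["host"], "indicator": d, "kind": "domain", "ts": rec["ts"]})
        if rec["dest_ip"] in indicators["ips"]:
            hits.append({"user": rec["user"], "host": rec["host"], "indicator": rec["dest_ip"], "kind": "ip", "ts": rec["ts"]})
    return hits


def beacons(logs, min_hits=4, max_cv=0.1):
    """(host, dest_ip) pairs contacted at near-constant intervals: the
    coefficient of variation of the gaps between connections is at most
    max_cv (assumed thresholds). Regular check-ins are typical of C2 agents;
    browsing is bursty. This finds traffic no indicator list knows about yet."""
    times = defaultdict(list)
    for rec in logs:
        times[(rec["host"], rec["dest_ip"])].append(parse_ts(rec["ts"]))
    found = []
    for (host, dest_ip), ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            found.append((host, dest_ip, len(ts)))
    return found


if __name__ == "__main__":
    print(ti_matches(SAMPLE_LOGS, INDICATORS))
    print(beacons(SAMPLE_LOGS))
```

Real C2 agents add jitter to their sleep interval, so in production the coefficient-of-variation cut-off is looser than here and is combined with a long observation period and an allow-list of known pollers (update services, monitoring agents) that beacon legitimately.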

John Rendy - PeerSpot reviewer
CTO at Systema Global Solusindo
Consultant
Top 5, Leaderboard
2021-08-16T09:27:18Z

That's excellent, @Chiheb Chebbi.

Now you would want to see if all your Windows environments have been configured to send all the logs, especially on the endpoint level. Ensure you get all the authentication logs at the very least. You could opt to get the OS-level audit logs to help with a further advanced use case, such as Threat Hunting.

If you are using Office 365, ensure you have enabled the integration for the account activities, including fine-grained audit logs for all your file-sharing activities.

Very good and impactful use cases would be the following ones:

1. User Behaviour Analysis

Monitoring your employees' access behaviour and seeing if there are any probes for brute force by identifying a high number of authentication failures.

2. Data Leak Prevention Analysis

Monitoring whether your file sharing is controlled for internal activities and which shares are set for public sharing (outside the organization).

3. Threat Hunting Analysis

Understanding several key attack indicators that leverage Windows-specific utilities such as the SMB protocol, RDP, and privilege escalation on your Windows OS.

If you have vulnerability assessment tools and can integrate their results into your SIEM, ensure that your SIEM helps with proactive patch management: identify the CVE landscape of your specific Windows environment, correlate it with the potential attack logs, and patch accordingly to prevent a cyber attack.
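The last paragraph describes a join between two data sets that usually live in different tools: the scanner's list of which CVE is present on which asset, and the IDS/SIEM alerts that reference a CVE. This added example by the editor (not code from the answer above, and not any scanner's or SIEM's feature) shows that join as the "High Threat Attack on Vulnerable Asset" rule plus the patch ordering it implies. The scanner export, IDS alerts, hosts, scores and criticality weights are constructed; CVE-2017-0144 (SMBv1, EternalBlue) and CVE-2019-0708 (RDP, BlueKeep) are real Windows CVEs used only because the answer mentions SMB and RDP.

```python
# Constructed scanner export: which CVEs each asset is exposed to, with the
# severity score the scanner reported. CVE-2017-0144 (SMBv1, "EternalBlue")
# and CVE-2019-0708 (RDP, "BlueKeep") are real, well-known Windows CVEs used
# only as illustration; hosts, scores and alerts are made up.
SCAN_RESULTS = [
    {"host": "FS-01",  "cve": "CVE-2017-0144", "cvss": 8.1},
    {"host": "FS-01",  "cve": "CVE-2019-0708", "cvss": 9.8},
    {"host": "WS-042", "cve": "CVE-2019-0708", "cvss": 9.8},
]

# Constructed IDS alerts; the signature's CVE reference is what allows the join.
IDS_ALERTS = [
    {"ts": "2021-08-16T09:00:00Z", "src_ip": "203.0.113.9",  "dst_host": "FS-01",  "signature": "SMB MS17-010 exploit attempt", "cve": "CVE-2017-0144"},
    {"ts": "2021-08-16T09:01:00Z", "src_ip": "203.0.113.9",  "dst_host": "WS-042", "signature": "SMB MS17-010 exploit attempt", "cve": "CVE-2017-0144"},
    {"ts": "2021-08-16T09:02:00Z", "src_ip": "203.0.113.9",  "dst_host": "WS-042", "signature": "RDP CVE-2019-0708 scan",      "cve": "CVE-2019-0708"},
    {"ts": "2021-08-16T09:03:00Z", "src_ip": "198.51.100.4", "dst_host": "WS-042", "signature": "RDP brute force",             "cve": None},
]

# Assumption: business criticality per asset (1 = workstation, 3 = critical server).
ASSET_CRITICALITY = {"FS-01": 3, "WS-042": 1}


def attacks_on_vulnerable_assets(scan, ids_alerts, criticality):
    """The 'High Threat Attack on Vulnerable Asset' rule: keep only IDS alerts
    whose CVE the scanner confirmed on the target host, weighted by asset value.
    Alerts against hosts that are not exposed (patched, or never vulnerable)
    drop out, which is most of the IDS noise."""
    exposed = {(r["host"], r["cve"]): r["cvss"] for r in scan}
    hits = []
    for a in ids_alerts:
        key = (a["dst_host"], a["cve"])
        if key in exposed:
            hits.append({**a, "cvss": exposed[key],
                         "score": exposed[key] * criticality.get(a["dst_host"], 1)})
    hits.sort(key=lambda h: -h["score"])
    return hits


def patch_priority(scan, ids_alerts, criticality):
    """Order scanner findings for patching: anything actively attacked first,
    then by CVSS weighted with asset criticality. One ordering consistent with
    the advice above, not a general risk model."""
    attacked = {(a["dst_host"], a["cve"]) for a in ids_alerts}
    ranked = sorted(scan, key=lambda r: (-((r["host"], r["cve"]) in attacked),
                                         -r["cvss"] * criticality.get(r["host"], 1)))
    return [(r["host"], r["cve"]) for r in ranked]


if __name__ == "__main__":
    for hit in attacks_on_vulnerable_assets(SCAN_RESULTS, IDS_ALERTS, ASSET_CRITICALITY):
        print(hit["dst_host"], hit["cve"], hit["score"])
    print(patch_priority(SCAN_RESULTS, IDS_ALERTS, ASSET_CRITICALITY))
```

Note what the join discards: the EternalBlue attempt against WS-042 (not exposed) and the RDP brute force (no CVE reference) never become high-threat alerts, while the same attempt against the exposed file server does. The join is only as good as the CVE tagging on both sides, so check that your IDS signatures actually carry CVE references before building the rule.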

SA
Consultant at a tech services company with 11-50 employees
Real User
Top 5
2022-08-14T09:12:48Z

My expertise is based on Microsoft products: Defender 365 (the Defender suite) and Microsoft Sentinel (SIEM/SOAR).

I would never leave the "automated response" approach (SOAR), but I also see XDR and SOAR as tools that complement each other.

It's actually a tough question to answer, but there is a rather good article here (hopefully, you will find it helpful): https://www.crowdstrike.com/cybersecurity-101/what-is-xdr/xdr-vs-siem-vs-soar/

NavcharanSingh - PeerSpot reviewer
Senior Seo Executive at Real Time Data Services
Real User
Top 20
2022-09-15T11:51:51Z

Use cases for SIEM deployment:

1. Detecting compromised user credentials
2. Tracking system changes
3. Detecting unusual behavior on privileged accounts
4. Securing cloud-based applications
5. Phishing detection
6. Monitoring loads and uptimes
7. Log management
8. SIEM for GDPR, HIPAA, or PCI compliance
9. Threat hunting
10. SIEM for automation
