Gartner Blog Network


SIEM Use Case Implementation and Tuning Process

by Anton Chuvakin  |  November 25, 2015  |  4 Comments

Time to touch the main challenge: SIEM use case implementation / refinement process [also applicable to other monitoring technologies, like UBA / UEBA]. In our seminal paper on the topic, “Security Information and Event Management Architecture and Operational Processes”, (did I mention that it exudes pure awesomeness – from each of its 61 pages!), we have described the process similar to this:

  1. Define a particular problem to be solved by a SIEM tool in clear, unambiguous terms.

  2. Review the SIEM functionality (rules, algorithms, reports and dashboards) that is needed to solve the problem.

  3. Look at the available and potentially available log data that is useful for solving the problem.

  4. If a correlation rule is the chosen piece of content to be created, analyze what sequence of logged events needs to be tracked and how these events are represented in a SIEM tool; using normalized events and taxonomy categories is highly recommended because they make the rule easier to modify, maintain and apply to additional log sources.

  5. If using a statistical detection method, review its logic to confirm that it will deliver the result needed.

  6. Draft correlation rules on paper, and review the logic flow.

  7. Implement the correlation rule using the SIEM rule interface; some products allow one to click on events and define a rule straight from the observed sequence of events.

  8. If a product has functionality to test the rule or algorithm on historical data, execute this functionality to determine how often this rule would have fired in the past if it had been enabled.

  9. Review any alerting process that this rule will trigger, and set up alerts to go to the people who know how to triage them.

  10. Enable the rule to run on real-time data flow in the production environment.

  11. Review alerts generated by this rule, review the cases where the rule matches partially (if the SIEM product has such functionality) and refine when the rule is needed.

What stages do you think need additional details? Examples? Specific guidance? Any changes?

Select recent blog posts related to SIEM:

Category: monitoring  security  siem  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio


Thoughts on SIEM Use Case Implementation and Tuning Process


  1. […] we continue to work on our research about security monitoring use cases, a few interesting questions around the technology implementation and optimization arise. Any […]

  2. Dori Fisher says:

    I can add something –

    Step 3.5
    Verify that the configuration changes to the environment needed to create the relevant log are feasible and if not, what needs to change in order to support the needed logs.

    Why?:
    during many implementations (~60), I’ve found that every use case has a financial price. (storage, network, hardware, support), in some cases, the price is too high and the use case is forfeit at that stage or at least reconsidered.

    Example:
    In order to create a use case that checks for internal assets returning to external attackers, you have to allow logging of Firewall’s “access allowed”, in many cases, the Firewall breaks down from this change or at least becomes congested, checking with the Firewall people that they can handle it, or what’s needed in order to allow it, will assist you in assessing a part the “price” of the use case. same true for monitoring a database or a file server access.

    • Thanks a lot for the comment — we wholeheartedly agree. Also, you definitely get extra points for mind-reading – we discussed a very similar addition to the process flow just yesterday.

      If changes are needed but impossible/infeasible, likley the use case won’t fly….



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.