Gartner Blog Network


Discovering New Monitoring Use Cases

by Augusto Barros  |  November 6, 2015  |  5 Comments

We’ve been thinking about the multiple processes around monitoring use cases for our next research project. This week, the focus was on the use case discovery process. So you have the ability/technology to implement use cases; but how do you find out which ones to implement?

As Anton explained in his post, the process is a mix of compliance regulations mining, threat and risk assessments, etc. The use cases are then assessed and prioritized from a relevance and “doability” point of view. But exploring this a bit further, what kinds of use cases can we get? It seems that they fall into three big buckets:

  • Control Oriented Use Cases: those use cases required as a control from a framework or other regulatory document, such as PCI DSS. The use case can be the control itself (such as “investigate all unauthorized access attempts”) or a way to demonstrate a control’s presence or effectiveness (denied events, antivirus signature update events, etc.).
  • Threat Oriented Use Cases: the UCs implemented to identify a specific threat or threat actor. Those are the use cases where you try to find activities related to specific sources and destinations (that content you’re getting from your Threat Intelligence provider?) or specific activities related to Tactics, Techniques and Procedures (TTPs). Lots of interesting stuff to look for here: network events similar to C&C activity, executables running from user profile folders, DLL injection attempts, crazy stuff detected by the malware sandbox, etc.
  • Asset Oriented Use Cases: we know a lot of malicious activity we want to detect, but hopefully you also want to know about activities touching specific data assets – payment card data, for example. Those are the UCs looking at events from DLP systems, File Integrity or Activity Monitoring, or even business applications.
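To make the second bucket concrete, here is an added example (not from the post) of one threat-oriented use case it names, “executables running from user profile folders”, written as a rule over constructed process-creation events. The event fields, the allowlist entry and the severity logic are assumptions for illustration; a real deployment would tune them against the organization’s own baseline.

```python
import re

# Constructed sample events (not real telemetry): a reduced Sysmon/4688-style
# process-creation record with only the fields this rule needs.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"host": "ws01", "user": "alice", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"host": "ws02", "user": "bob", "parent": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "image": r"C:\Users\bob\Downloads\invoice.pdf.exe"},
    {"host": "ws02", "user": "bob", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws03", "user": "carol", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\carol\AppData\Local\Microsoft\Teams\current\Teams.exe"},
]

# Any drive, "\Users\<name>\", excluding the shared Public profile.
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\(?!public\\)[^\\]+\\", re.IGNORECASE)
# Assumed allowlist: per-user installed software the organization accepts.
ALLOWLIST = [re.compile(r"\\appdata\\local\\microsoft\\teams\\current\\teams\.exe$", re.IGNORECASE)]
# A document-looking name hiding a .exe raises the priority of the alert.
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png)\.exe$", re.IGNORECASE)
MAIL_OFFICE_PARENTS = ("outlook.exe", "winword.exe", "excel.exe")

def evaluate(event):
    """Return None when the event is benign for this rule, else an alert dict."""
    image = event["image"]
    if not image.lower().endswith(".exe") or not USER_PROFILE_RE.match(image):
        return None
    if any(p.search(image) for p in ALLOWLIST):
        return None
    severity, reasons = "medium", ["executable launched from user profile folder"]
    if DOUBLE_EXT_RE.search(image):
        severity, reasons = "high", reasons + ["double extension disguising executable"]
    if event.get("parent", "").lower().endswith(MAIL_OFFICE_PARENTS):
        severity, reasons = "high", reasons + ["spawned by mail or office client"]
    return {"host": event["host"], "user": event["user"], "image": image,
            "severity": severity, "reasons": reasons}

def run_rule(events):
    """Apply the rule to a batch of events and return the alerts it raises."""
    return [alert for alert in (evaluate(e) for e in events) if alert]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert["severity"], alert["host"], alert["image"], "; ".join(alert["reasons"]))
```

Two of the five constructed events alert: the Temp launcher at medium, and the double-extension file spawned by the mail client at high; the Teams updater is suppressed by the allowlist, which is the tuning step that keeps a threat-oriented use case “doable” for the analysts who triage it.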

It is expected that you will have use cases from all those buckets; it doesn’t make sense to “select” one of those as the right one. If you are only putting in UCs from one of those, it might be time to stop and think about whether you shouldn’t also be doing something related to the other two.

We are having a lot of fun finding ways to “slice and dice” use cases and the use case selection and development processes. As usual, another call to action: let us know how you select (and classify) monitoring use cases!

Category: siem-and-log-management  threat-detection  

Tags: siem  use-cases  

Augusto Barros
Research Director
1 year at Gartner
19 years IT Industry

Augusto Barros is Research Director in the Gartner for Technical Professionals (GTP) Security and Risk Management group.


Thoughts on Discovering New Monitoring Use Cases


  1. Fernando Montenegro says:

    Great concept. I would argue that we could also consider a fourth bucket, perhaps called the “Operations Bridge Oriented Use Cases”. These would be the use cases related to the impact of an organization’s operational practices on security posture/practices. How is the execution (or not…) of the change management process affecting security results? How does the cadence of IT operations align with the pace of security-specific events? How costly is it – in terms of operational complexity – to implement specific security initiatives or controls?
    Basically, leveraging the SIEM platform to inform not only on the state of security controls within the organization, but on the maturity and operation of the security program itself.

  2. Ronald says:

    I think the strength of detection is in the correlation between these three use case categories. So this should also be a part of the selection process, or at least something to keep in mind.
