Blog post

Detailed SIEM Use Case Example

By Anton Chuvakin | September 24, 2013 | 0 Comments


During inquiries, I am handling a lot of questions about SIEM use cases, what they are, where to get them, how to create them, how to document them, evolve them, map them to particular SIEM features, etc, etc. I often walk through a complete example to explain it, with a painful level of details; here is that example for everybody to enjoy:

Baby’s first SIEM use case: tracking user authentications | logins/logons

Step Details
Use-case Selection Selected use case is tracking authentication information across systems [what] to detect unauthorized access. [why]
Data Collection Needed Prepare a list of systems such as servers, VPN concentrators, network devices, and others.
Log Source Configuration Needed Contact the team that operates the systems and make them modify the logging configurations in order for the logs to be collected by SIEM.
SIEM Content Creation, Preparation and Selection Review vendor’s content — such as their authentication reports and relevant correlation rules or other “canned” analytics — that deals with the problem and check it for suitability; modify the reports and rules until satisfied.
Definition of Operational Processes Required Review operational processes related to the security use case and check whether additional processes are needed. A process for suspending or disabling user accounts might have to be created.
Refinement of the Content and Processes Loop After reports and correlation rules are deployed and the data is flowing in, review reports, dashboards, and perform the testing of correlation rules on the collected data to see whether incidents will be detected. Simulate password guessing and check whether SIEM detected and sent an alert.

Another reason why you want to be that specific with your SIEM use cases is that they provide a nice way to measure your ongoing SIEM program effectiveness and, ultimately, your SIEM capability maturity….


My SIEM research papers (GTP subscriber access):

Blog posts related to SIEM:

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed