Popular SIEM Starter Use Cases

Do you recall my post Detailed SIEM Use Case Example? I described one SIEM use case in depth, and mentioned that a lot of aspiring SIEM users are looking for “top use cases” to implement. Of course, the honest answer to “What are the best SIEM use cases?” must always be “it depends on your risks and priorities” (and your threat assessment), but in fact one may be able to identify the popular use cases, implemented successfully by many. Before I get to them, I want to once again say: you need to do what YOU need to do, not necessarily what your peers are doing.

With that that long preface, here are some of the common SIEM use cases that would make my “top list”:

1. Authentication tracking and account compromise detection; admin and user tracking [this is the very use case that I detail in that post]
2. Compromised- and infected-system tracking; malware detection by using outbound firewall logs, NIPS alerts and Web proxy logs, as well as internal connectivity logs, network flows, etc
3. Validating intrusion detection system/intrusion prevention system (IDS/IPS) alerts by using vulnerability data and other context data about the assets collected in the SIEM [while some say “this is so 2002”, this use case is still here in its modern form of using SIEM for “context-enabling” various alerts]
4. Monitoring for suspicious outbound connectivity and data transfers by using firewall logs, Web proxy logs and network flows; detecting exfiltration and other suspicious external connectivity
5. Tracking system changes and other administrative actions across internal systems and matching them to allowed policy; detecting violations of various internal policies, etc [and, yes, even the classic “root access from an unknown IP in a foreign country at 3AM, leading to system changes” sits here as well]
6. Tracking of Web application attacks and their consequences by using Web server, WAF and application server logs; detecting attempts to compromise and abuse web applications by combining logs from different components.

Note that I am leaving the use cases around log search (“type an IP, see logs from all systems related to it”) and basic incident investigations aside, because, frankly, they don’t really require a SIEM – a nice indexed pile of logs would do.

What makes them the top starter use cases? Reasons include:

• The necessary logs are easy to collect; they are supported by most SIEM tools [normalized and categorized for easy correlation]
• Canned rules are often included in top products to enable these with minimal site customization
• Easy analysis of alerts requires only basic SIEM operational processes
• Using SIEM for these “clear and present” dangers has value for most organizations
• These allow the SIEM operators to learn and gain experience and then go do more fun things with their SIEM

The same template can be used to document all these use cases – but I am leaving it as an exercise to the reader [or maybe for later GTP SIEM papers]

Select recent blog posts related to SIEM:

• Back to SIEM Research!
• SIEM Webinar Questions – Answered
• How to Use Threat Intelligence with Your SIEM?
• Detailed SIEM Use Case Example
• On “Output-driven” SIEM
• On SIEM Maturity Scale and Maybe On CMM Too
• On SIEM Deployment Evolution
• On People Running SIEM
• On SIEM Processes/Practices
• On Large-scale SIEM Architecture