
Fun Challenges with SIEM Use Cases

By Anton Chuvakin | November 11, 2015 | 6 Comments


Often I save the solutions for our Gartner GTP papers, but I blog about the challenges. No, this won’t be a post [eh…. a short trilogy of no more than 3000 pages?] on all the ways of SIEM FAIL (look here for this); the idea here is to focus on use case-related troubles and problems with SIEM and security monitoring.

  1. Canned or vendor-imposed SIEM use cases only — this essentially means that you are using the power of SIEM with one (well, maybe both?) hands tied behind your back. It will work, for sure, but it is most likely that the value won’t be maximized for you.
  2. No consistent mechanism for “converting” vague problems into precise SIEM use cases — basically, a broken use case discovery process means you will solve only easy and specific problems (like “see if anybody connects to our payment card database at night”).
  3. Driving use case from available data alone — an input-driven SIEM (as opposed to “output-driven”) may work, with some luck, but overall we see more value and more happiness with an output-driven SIEM approach.
  4. Hero-driven use cases — while not truly problematic, this just does not pass the legendary “bus test”; if only one person owns all SIEM usage, and nobody else has a clue, what happens if this sole hero is hit by a bus – or ?
  5. Overly burdensome use case process — sure, some of us like the “SIEM content as code” model, but this does not mean that a change to a correlation rule should take 3 weeks and 11 gates in the project….
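To make items 2, 3 and 5 concrete, here is an added example (not code from the post or from any SIEM product) of one use case written as code: the vague goal “see if anybody connects to our payment card database at night” becomes a rule whose required data sources and fields are declared up front (output-driven), whose exceptions are explicit, and which reports a coverage gap instead of silently matching nothing when a required field is missing. The log format, hostnames, user names and business-hours window are all constructed for the example.

```python
"""Added example, not from the original post: a single SIEM use case as code.
The use case declares what output it wants and what inputs it needs, then runs
a precise rule over constructed JSON-lines audit events."""
import json
from dataclasses import dataclass
from datetime import datetime, time

# The use case definition: the desired output first, then the inputs it needs.
# All values below (hostnames, users, hours) are constructed for illustration.
USE_CASE = {
    "name": "off-hours-access-to-cardholder-db",
    "problem": "Detect any connection to the cardholder database outside business hours",
    "required_sources": ["db-audit"],                  # what must be ingested
    "required_fields": ["ts", "source", "db_host", "user", "event"],
    "business_hours": ("08:00", "19:00"),             # local time, inclusive start
    "cardholder_db_hosts": ["pcidb01"],                # constructed hostname
    "allowlist_users": ["backup_svc"],                 # the known nightly job
    "severity": "high",
}


@dataclass
class Alert:
    use_case: str
    user: str
    host: str
    ts: str
    severity: str


def in_business_hours(ts: datetime, window) -> bool:
    """True when the event time falls inside the [start, end) window."""
    start, end = time.fromisoformat(window[0]), time.fromisoformat(window[1])
    return start <= ts.time() < end


def check_coverage(event: dict, use_case: dict) -> list:
    """Return required fields missing from an event. A rule that quietly matches
    nothing because a field never arrived is the classic input-driven failure."""
    return [f for f in use_case["required_fields"] if f not in event]


def evaluate(events: list, use_case: dict = USE_CASE) -> tuple:
    """Run the rule over parsed events; returns (alerts, coverage_gaps)."""
    alerts, gaps = [], []
    for ev in events:
        missing = check_coverage(ev, use_case)
        if missing:
            gaps.append((ev.get("ts"), missing))
            continue
        if ev["source"] not in use_case["required_sources"] or ev["event"] != "connect":
            continue
        if ev["db_host"] not in use_case["cardholder_db_hosts"]:
            continue
        if ev["user"] in use_case["allowlist_users"]:
            continue                                   # documented exception
        if not in_business_hours(datetime.fromisoformat(ev["ts"]), use_case["business_hours"]):
            alerts.append(Alert(use_case["name"], ev["user"], ev["db_host"],
                                ev["ts"], use_case["severity"]))
    return alerts, gaps


# Constructed sample audit log (JSON lines); not real data.
SAMPLE_LOG = """\
{"ts": "2015-11-10T14:02:11", "source": "db-audit", "db_host": "pcidb01", "user": "alice", "event": "connect"}
{"ts": "2015-11-10T23:41:05", "source": "db-audit", "db_host": "pcidb01", "user": "backup_svc", "event": "connect"}
{"ts": "2015-11-11T02:17:44", "source": "db-audit", "db_host": "pcidb01", "user": "bob", "event": "connect"}
{"ts": "2015-11-11T02:18:00", "source": "db-audit", "db_host": "hrdb01", "user": "bob", "event": "connect"}
{"ts": "2015-11-11T03:05:19", "source": "db-audit", "db_host": "pcidb01", "user": "carol"}
"""


def parse_log(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def run_sample() -> tuple:
    """Evaluate the use case over the constructed log: one alert, one coverage gap."""
    return evaluate(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    alerts, gaps = run_sample()
    for a in alerts:
        print(f"[{a.severity}] {a.use_case}: {a.user} -> {a.host} at {a.ts}")
    for ts, missing in gaps:
        print(f"coverage gap at {ts}: missing fields {missing}")
```

Because the whole use case, its data requirements and its exceptions live in one reviewable file, a change to the window or the allowlist is a small, testable diff rather than an 11-gate project, and anyone on the team (not only the hero) can read what the rule actually does.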

What are YOUR SIEM use case challenges?!



  • Glen Sharlun says:

    If you really wanted to blow the roof off of this topic, I am fairly certain that I could assemble 4-5 of the best use-case engineers on the planet, from 15 years of in the trenches experience, for a 60 minute call.
    You and I should have a 15 minute conversation.
    Cheers & Godspeed,

  • As I see it, the huge roadblock to progress is still the digital marketing talent shortage. Most companies have a limited ‘talent puddle’ of skilled practitioners that are able to work on progressive market development strategies. Meanwhile, the majority of their old-school marketers have not attempted to learn the required new skills — so marketing organizations are dominated by staff that view the world through their legacy media-buyer mindset. To them, digital marketing merely means buying Google Ads or advertising placements on Facebook and LinkedIn. What can a CMO do when 80+ of their current team are not skilled for today’s demands? Clearly, it’s a big ongoing challenge.

  • jeanette sjoberg says:

    Hi Anton,
    Regarding your blog back in July on Cloud SIEMs – did you do any further investigation on offerings and particularly those that support both Azure and AWS?
    Kind regards