Blog post

SIEM Use Case Implementation and Tuning Process

By Anton Chuvakin | November 25, 2015 | 2 Comments


Time to touch the main challenge: SIEM use case implementation / refinement process [also applicable to other monitoring technologies, like UBA / UEBA]. In our seminal paper on the topic, “Security Information and Event Management Architecture and Operational Processes”, (did I mention that it exudes pure awesomeness – from each of its 61 pages!), we have described the process similar to this:

  1. Define a particular problem to be solved by a SIEM tool in clear, unambiguous terms.

  2. Review the SIEM functionality (rules, algorithms, reports and dashboards) that is needed to solve the problem.

  3. Look at the available and potentially available log data that is useful for solving the problem.

  4. If a correlation rule is the chosen piece of content to be created, analyze what sequence of logged events needs to be tracked and how these events are represented in a SIEM tool; using normalized events and taxonomy categories is highly recommended because they make the rule easier to modify, maintain and apply to additional log sources.

  5. If using a statistical detection method, review its logic to confirm that it will deliver the result needed.

  6. Draft correlation rules on paper, and review the logic flow.

  7. Implement the correlation rule using the SIEM rule interface; some products allow one to click on events and define a rule straight from the observed sequence of events.

  8. If a product has functionality to test the rule or algorithm on historical data, execute this functionality to determine how often this rule would have fired in the past if it had been enabled.

  9. Review any alerting process that this rule will trigger, and set up alerts to go to the people who know how to triage them.

  10. Enable the rule to run on real-time data flow in the production environment.

  11. Review alerts generated by this rule, review the cases where the rule matches partially (if the SIEM product has such functionality) and refine when the rule is needed.

What stages do you think need additional details? Examples? Specific guidance? Any changes?

Select recent blog posts related to SIEM:

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed


  • Dori Fisher says:

    I can add something –

    Step 3.5
    Verify that the configuration changes to the environment needed to create the relevant log are feasible and if not, what needs to change in order to support the needed logs.

    during many implementations (~60), I’ve found that every use case has a financial price. (storage, network, hardware, support), in some cases, the price is too high and the use case is forfeit at that stage or at least reconsidered.

    In order to create a use case that checks for internal assets returning to external attackers, you have to allow logging of Firewall’s “access allowed”, in many cases, the Firewall breaks down from this change or at least becomes congested, checking with the Firewall people that they can handle it, or what’s needed in order to allow it, will assist you in assessing a part the “price” of the use case. same true for monitoring a database or a file server access.

    • Thanks a lot for the comment — we wholeheartedly agree. Also, you definitely get extra points for mind-reading – we discussed a very similar addition to the process flow just yesterday.

      If changes are needed but impossible/infeasible, likley the use case won’t fly….