One of the most popular posts on my blog is “Popular SIEM Starter Use Cases.” However, this post is from 2014, and is, in fact, partially based on my earlier experiences doing SIEM consulting in 2009-2011. In other words, it is kinda old.
Perhaps surprising to some, our data seems to indicate that many of the mentioned popular starter use cases are very relevant today. Some of the use cases were reborn as popular UEBA use cases, BTW (and here is a list of our UEBA use cases, ABTW). Am I not a master of blog post cross-linking, Anna? 🙂
So, let’s take a look at these mid-level use cases (technically, I’d classify my use cases here as mid-level in abstraction, BTW) and perhaps add others we’ve been noticing lately:
| Use Case | Description | Status in 2018 |
|---|---|---|
| 1 – old | Authentication tracking and account compromise detection; admin and user tracking | Very much alive, also became a popular UEBA use case |
| 2 – old | Compromised- and infected-system tracking; malware detection by using outbound firewall logs, proxy, etc | Very much alive, more relevant than before, also a UEBA use case |
| 3 – old | Validating intrusion detection system/intrusion prevention system (IDS/IPS) alerts by using vulnerability data, etc | Less relevant today, not common anymore – perhaps a candidate for removal from popular list? |
| 4 – old | Monitoring for suspicious outbound connectivity and data transfers by using firewall logs, Web proxy logs, etc | Very much alive, also a popular UEBA use case (related to exfiltration detection) |
| 5 – old | Tracking system changes and other administrative actions across internal systems, etc | Very much alive, AD log analysis became more popular, UEBA expands this to insider threats, etc |
| 6 – old | Tracking of Web application attacks and their consequences, etc | I’d say alive today, but not that common, not sure why |
| 7 – NEW | Cloud activity monitoring, detecting cloud account compromise, cloud access and privilege abuse, other security issues, etc | NEW! Also a use case for UEBA and (in case of SaaS, mostly) CASB; this covers many sub-use cases for AWS, Azure, Office 365, etc threat detection |
| 8 – NEW | Detecting threats by matching various logs to threat intelligence feeds | NEW! A popular use case, pushed up by wide availability of low-priced TI feeds of … ahem… tolerable quality |
| 9 – NEW | SIEM as “poor man’s EDR” – review of sysmon and similar endpoint data | NEW! As EDR and EPP converge, SIEM can occasionally help with deeper endpoint visibility by utilizing various sources of endpoint telemetry; probably not a good STARTER use case though… |
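To make two of the table rows concrete, here is an added example (my illustration, not code from the original post or from any SIEM product) of what use case 1 (failed logins followed by a success from the same source) and use case 8 (matching outbound proxy destinations against a threat-intel feed) look like as simple correlation rules. The log lines, the key=value log format, the threshold and window values, and the indicator list are all constructed for the example; the IP addresses are documentation ranges, not real indicators.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs in a simple key=value format (not real data).
AUTH_LOG = [
    "2018-03-01T10:00:01 user=alice src=10.1.1.5 result=failure",
    "2018-03-01T10:00:04 user=alice src=10.1.1.5 result=failure",
    "2018-03-01T10:00:07 user=alice src=10.1.1.5 result=failure",
    "2018-03-01T10:00:09 user=alice src=10.1.1.5 result=failure",
    "2018-03-01T10:00:12 user=alice src=10.1.1.5 result=success",
    "2018-03-01T10:05:00 user=bob src=10.1.1.9 result=failure",
    "2018-03-01T10:30:00 user=bob src=10.1.1.9 result=success",
]

PROXY_LOG = [
    "2018-03-01T10:01:00 src=10.1.1.5 dst=93.184.216.34 host=example.com bytes=512",
    "2018-03-01T10:02:00 src=10.1.1.7 dst=198.51.100.23 host=bad.example.invalid bytes=40960",
    "2018-03-01T10:03:00 src=10.1.1.8 dst=203.0.113.5 host=cdn.example.net bytes=2048",
]

# Constructed "threat-intel feed": placeholder indicators from documentation IP ranges.
TI_FEED = {"198.51.100.23", "203.0.113.77"}


def parse(line):
    """Split 'timestamp k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def detect_bruteforce_then_success(lines, threshold=3, window=timedelta(minutes=5)):
    """Use case 1: at least `threshold` failures for a (user, src) pair inside
    `window`, followed by a success from the same pair, is flagged as a possible
    account compromise. Failures older than the window are forgotten."""
    recent_failures = defaultdict(deque)  # (user, src) -> timestamps of failures
    alerts = []
    for ev in map(parse, lines):
        key = (ev["user"], ev["src"])
        q = recent_failures[key]
        while q and ev["ts"] - q[0] > window:   # expire failures outside the window
            q.popleft()
        if ev["result"] == "failure":
            q.append(ev["ts"])
        elif ev["result"] == "success" and len(q) >= threshold:
            alerts.append({
                "rule": "auth_bruteforce_then_success",
                "user": ev["user"], "src": ev["src"],
                "failures": len(q), "ts": ev["ts"].isoformat(),
            })
            q.clear()                              # do not re-alert on the same burst
    return alerts


def detect_ti_match(lines, feed):
    """Use case 8: any outbound proxy event whose destination IP is in the feed."""
    alerts = []
    for ev in map(parse, lines):
        if ev["dst"] in feed:
            alerts.append({
                "rule": "ti_feed_match",
                "src": ev["src"], "dst": ev["dst"],
                "host": ev.get("host"), "ts": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_then_success(AUTH_LOG) + detect_ti_match(PROXY_LOG, TI_FEED):
        print(alert)
```

Run as a script, it emits one alert per rule on the sample data: alice's four failures followed by a success within the window, and the single proxy destination that appears in the feed. Bob's lone failure has aged out of the window by the time his login succeeds, so it stays quiet, which is the point of the sliding window. Note that the TI rule is only as good as the feed it consumes, which is exactly the "tolerable quality" caveat in the table above; in practice the feed row should be scored and the match enriched with the source asset's context before anyone pages on it.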
Note that I am NOT including foundational SIEM use cases like “use SIEM to search logs” or “use SIEM for PCI DSS compliance reporting.” Sure, they are alive and well, but… well… not that sexy to mention here.
Any ideas? Anything to add? Anything to remove?
Posts related to SIEM research:
- What Is “SIEM+” Or “Can We Have A Cyber Defense Platform?”
- Can You Do a SIEM-less SOC?
- SIEM Alternatives? What Are They? Do They Exist?
- Next Research: SOC, SIEM, and Again Overall Detection and Response
- Let’s Define “SIEM”!
- Is SIEM The Best Threat Detection Technology, Ever?
- The Coming UBA / UEBA – SIEM War!
- UEBA Shines Where SIEM Whines?
- SIEM or Log Management?
- SIEM Future: A UEBA Path or An MDR Way?
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.