Gartner Blog Network


Security Monitoring Use Cases, the UPDATE!

by Augusto Barros  |  January 17, 2018  |  5 Comments

Posting about updated documents is often boring, but this time I’m talking about my favorite Gartner document, co-authored, as usual, with Anton: “How to Develop and Maintain Security Monitoring Use Cases”!

This document describes an approach to identify, prioritize, implement and manage security monitoring use cases. Of course, it has a lot on SIEM, as it’s usually the chosen tool for implementing those use cases, but we revised it to ensure we also cover technologies such as UEBA, EDR and even SOAR. If we consider that detection can often be implemented as a multi-stage process, that’s a natural evolution!

The major changes are:

  • Revamping the main graphic of the document to better illustrate how the process works (below)
  • Putting more emphasis on some of the artifacts generated by the process, such as use case lists
  • Evolving the language from “doing use case development as software development” to “doing it as AGILE software development”
  • Reinforcing the types of use cases that are usually managed by this process: threat, controls and asset oriented
  • Including tips for use case management when working with an MSSP (we are writing more about this in our upcoming MSSP doc, BTW)

The summary diagram for the framework can be seen below:

Again, we are always looking for feedback on our research. If you have anything to say about this document, please use this page to do it.


Augusto Barros
Research VP
3 years at Gartner
21 years IT Industry

Augusto Barros is Research Director in the Gartner for Technical Professionals (GTP) Security and Risk Management group.


Thoughts on Security Monitoring Use Cases, the UPDATE!


  1. Andrii says:

    Hi Augusto, thank you for covering this challenge, it’s been chasing me since I first saw a SIEM 10+ years ago and is still a huge task to manage. I try to look at this workflow in 2 combined phases as Identify + Prioritize + Sprint task that requires SIEM (soon SOAR!) engineering resources that most organizations don’t have. And Review + Tune / Remove + Measure as the core process to any SOC and SIEM implementation. The latter will stay a huge work in itself for a while. The former should ideally be simplified to 1 word “Select!” (the needed use cases). A big roadblock to this is that every SIEM uses their own language for content blocks (and a big pain is documenting the use cases and keeping those pages updated). So if one would find a use case at Splunkbase there may be no corresponding one in QRadar or ArcSight marketplace. It gets even harder with threat-centric use cases as there are usually huge time constraints to create them. One of the huge advancements I’ve discovered in that regard is the SIGMA rules open source standard https://github.com/Neo23x0 by Florian Roth and Thomas Patzke. Sigma is like SNORT in the IDS world or YARA in malware analysis. To make the authoring and distribution of SIGMA rules we’ve added a UI on top https://ucl.socprime.com/sigma/ , meaning one can create a working query for most common SIEM / VM tools available, including a good ol’ regex for Grep 😉 Though SIGMA is still in early stages, I can see it being a huge resource saver even for mature SIEM engineering experts.



