Investigating SIEM Use Cases: A Pragmatic Approach

When working in roles related to Security Operations Centers (SOC), Security Analysts, or Level 2 (L2) positions, one of the core responsibilities is to analyze day-to-day Security Information and Event Management (SIEM) use cases triggered within the environment. As a security analyst, you are tasked with investigating these cases. In this article, we will explore five distinct SIEM (Security Information and Event Management) use cases, providing insights into the mindset and methods of a security investigator. We will not only conduct a comprehensive step-by-step investigation but also align this methodology with a lifecycle model, encompassing detection, investigation, mitigation, and remediation phases.

1. Threat Detection and Response:

In a hypothetical scenario where an organization's network is besieged by a sophisticated threat actor, SIEM emerges as the savior. It continually monitors network traffic, system logs, and user behavior to identify anomalies and trigger alerts, enabling rapid response by security teams.

Use Case Example:

Imagine that a SIEM system detects multiple failed login attempts (directed towards an internet-facing asset) from an unknown external IP address within a short timeframe. This unusual pattern triggers an alert.

• Identify the source IP address in the alert and the protocol in use (e.g., HTTP/SSH).
• Conduct Open-Source Intelligence (OSINT) on the IP address, gathering information on its reputation from various sources such as VirusTotal, IPvoid, and Abuse DB.
• Check the SIEM for additional logs originating from the source IP, utilizing log sources such as Firewalls, Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS), Proxies, and other network devices. Analyze these logs to gain a deeper understanding of the source traffic.
• Investigate the destination IP address and the host behind it, particularly on Windows systems where event IDs can provide insights into the host and user details.
• Search for any other detections related to the affected host during or near the timeline.
• Based on the investigation, assess the severity of the situation and determine the appropriate remediation steps, such as blocking the IP, ongoing monitoring, deeper investigation, or involving other stakeholders for a comprehensive understanding.

2. Compliance Monitoring:

Adhering to industry regulations and internal policies is paramount for organizations. SIEM systems streamline compliance monitoring by tracking security events and generating reports to demonstrate compliance with standards like GDPR, HIPAA, or ISO 27001.

Use Case Example:

Consider an organization in the healthcare sector that relies on a SIEM solution to monitor access to patient records. Regularly generated reports from the SIEM reveal that only authorized personnel access sensitive data, ensuring compliance with healthcare regulations.

• Scrutinize the relevant fields in the compliance report, including user details, host information, and timestamps.
• Investigate any instances of failed or blocked attempts to access the files.
• Examine pertinent tags associated with the user, such as business unit, department, or manager, as these are typically enriched in Active Directory (AD) logs. This information provides insight into the user's profile and responsibilities.
• Flag any users in the reports whose activities appear suspicious, and analyze previous reports to identify regular patterns or behavior.
• Based on these findings, engage relevant authorities, such as the user or their manager, to request business justifications. In cases involving vendor contractors, involve legal and human resources (HR) teams if any violations of terms are suspected.

3. Insider Threat Detection:

Insider threats, stemming from within an organization, can be as detrimental as external ones. SIEM plays a crucial role in identifying unusual user activities, including unauthorized access to sensitive data, data exfiltration, or abnormal login patterns, all indicative of potential insider threats.

Use Case Example:

Suppose an employee with legitimate access attempts to download a substantial volume of sensitive company data. The SIEM system detects this unusual activity, immediately alerts the security team, and prevents data leakage.

• Multiple methods can be employed to detect such events, including SIEM rules, Data Loss Prevention (DLP) systems, Unified Threat Management (UTM) solutions, and Extended Detection and Response (XDR) platforms.
• Examine the user's historical behavior, including past downloads and exfiltration events, to establish context.
• Utilize SIEM queries to assess the user's prior interactions with the network and identify any patterns.
• After a thorough analysis of the events, determine the appropriate course of action. This may involve blocking the user's ID, consulting the business or asset owner, or following the company's established policies.

4. DDoS Mitigation:

Distributed Denial of Service (DDoS) attacks can cripple an organization's online services. SIEM systems, capable of monitoring network traffic patterns in real-time, can identify sudden spikes or unusual traffic indicative of a DDoS attack.

Use Case Example:

During an unexpected surge in web traffic, the SIEM system detects this abnormality and automatically initiates countermeasures, redirecting traffic through a DDoS protection service to ensure continued availability of the organization's online services.

• SIEM-based DDoS detection can take the form of configured rules checking for traffic anomalies or event triggers from DDoS detection-capable products like IPS, Web Application Firewalls (WAFs), and User and Entity Behavior Analytics (UEBA) platforms.
• Carefully analyze the details contained in the alert, focusing on traffic patterns and destination information.
• Review the alert history related to the destination to identify any previous occurrences of similar behavior.
• If the organization has a DDoS mitigation strategy or product in place, and the event is confirmed as a true positive, implement the plan and engage relevant stakeholders.
• Common DDoS mitigation techniques include the use of scrubbing centers, Intrusion Prevention Systems (IPS), Anycast routing, Content Delivery Networks (CDNs), traffic filtering, and rate limiting.

5. Phishing Detection and Response:

Phishing attacks remain a persistent threat in the digital landscape. SIEM systems can detect suspicious email activities, such as a sudden influx of phishing emails or links leading to known malicious websites.

Use Case Example:

A SIEM solution identifies a surge in emails containing suspicious attachments. It takes immediate action to quarantine these emails, preventing employees from falling victim to phishing attempts and safeguarding sensitive information.

• Investigate common patterns in the received emails, including subject lines, attachments, sender information, and URLs.
• Identify the recipients who received these suspicious emails.
• Consider analyzing the interactions with the emails, such as whether recipients read or clicked on any links.
• Based on the investigation, determine appropriate remediation actions, such as purging affected mailboxes, blocking specific subjects, senders, or attachments, and rotating credentials of users who interacted with the links.

In conclusion, SIEM use cases encompass a wide array of security challenges that organizations encounter today. Whether dealing with threat detection and response, compliance monitoring, insider threat detection, DDoS mitigation, or phishing detection and response, SIEM solutions are indispensable tools for bolstering an organization's cybersecurity posture. As in my CISSP journey, success in the realm of security relies on a comprehensive approach, the utilization of appropriate resources, and unwavering vigilance. Therefore, do not depend solely on one solution; instead, combine the capabilities of SIEM with other security measures to ensure holistic protection.