SOC SIEM - Use-Cases
Khalid Alateeq
Executive Advisor | Business Growth | Cyber Security Leadership & Management | Program Management | Board Advisor
Security Operations Centers have been a trending topic in the last few years, and these centers are expected to bring whole new ideas and plans to be the first line of defence that anticipates and tackles any type of attack. During my work at one of these centers, I faced many issues and challenges in designing the structure of the three major dimensions: Technology, People, and Processes. The technology dimension is no less important than the others: how we use it and get the best out of it, not to mention how essential it is to tune and configure it in the way that suits our environment. Still, we need the human mind to decide how we should act on the output of these technologies.
In any SOC, the SIEM tool is the core technology that helps the people detect and monitor all of the traffic and activity across the environment. In this post, I want to highlight some very useful use-cases that can be implemented in your SIEM tool to trigger alerts on, or monitor, the events in your network.
Before I go through these use-cases, I want to point out one of the most important issues here: your SIEM is useless without proper and smart integrations with the technology and tools you have in your environment, such as perimeter nodes (firewalls, DDoS protection, routers, IPS, and others), plus integrations with the DMZs, the DC, and end-user monitoring nodes. Some of these use-cases are:
- Repeat attack from a single source to many ports or IPs ("port" or "sweep" scanning).
- SMTP traffic from an unauthorized host.
- Anti-virus failed to clean or quarantine.
- Excessive SMTP traffic outbound.
- Excessive web or email traffic outbound.
- Excessive traffic inbound (streaming, web, etc.).
- Excessive access to a malicious website from a single internal source.
- Excessive connections to multiple hosts from a single host.
- Excessive exploit traffic from a single source.
- Excessive exploit traffic to a single destination.
- Excessive port blocking attempts from anti-virus or other monitoring systems.
- Excessive scan timeouts from anti-virus.
- Accessing a malicious website from multiple internal sources.
- Service account access to the Internet.
- Service account access to an unauthorized device.
- Scanning or probing during an unauthorized time window.
- Anomaly in DoS baselines.
- Anomaly in recon baselines.
- Anomaly in malware baselines.
- Anomaly in suspicious activity baselines.
- Anomaly in user access and authentication baselines (could be failed or successful logins).
- Anomaly in network baselines (NetFlow).
- Anomaly in application baselines.
- Multiple logins from different locations.
- Multiple changes from administrative accounts.
- Multiple infected hosts detected on a subnet (from your end-user protection solution).
- Unauthorized user access to confidential data.
- Unauthorized subnet access to confidential data.
- Unauthorized user on the network (enable NAC).
- Unauthorized device on the network (enable either NAC or ISE).
- Unauthorized server connection to the Internet.
- Suspicious traffic to a known vulnerable host.
- Logging source stopped logging.
- Logs deleted from source.
- Device out of compliance (anti-virus, patching, etc.).
All in all, the above use-cases are very basic but very useful; however, you can go deeper into this matter and build correlations and aggregations across them to enable the "Security Intelligence" concept.
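To show what the first use-case above (repeat attack from a single source to many ports or IPs) looks like as an actual correlation rule, here is an added example that is not part of the original post: a sliding-window detector run over constructed firewall-style log lines. The log format (`src=`, `dst=`, `dport=` fields), the threshold of 10 distinct targets and the 60-second window are assumptions chosen for illustration; a real SIEM rule would be tuned to your own baselines.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (not from any real device): one fast
# port scan, one host sweep, one slow port scan, and some benign repeat traffic.
T0 = datetime(2024, 1, 15, 10, 0, 0)

def _line(offset_s, src, dst, dport):
    ts = (T0 + timedelta(seconds=offset_s)).isoformat()
    return f"{ts} src={src} dst={dst} dport={dport} action=deny"

SAMPLE_LOGS = "\n".join(
    [_line(i, "10.0.0.5", "192.168.1.10", 20 + i) for i in range(12)]            # 12 ports, 1 host, 12 s
    + [_line(i * 2, "10.0.0.7", f"192.168.1.{50 + i}", 445) for i in range(12)]  # 12 hosts, 1 port, 24 s
    + [_line(i * 120, "10.0.0.8", "192.168.1.20", 8000 + i) for i in range(12)]  # 12 ports over 22 min
    + [_line(i * 10, "10.0.0.9", "192.168.1.10", 443) for i in range(5)]         # benign: same host/port
)

def parse(line):
    ts, rest = line.split(" ", 1)
    kv = dict(f.split("=", 1) for f in rest.split())
    return datetime.fromisoformat(ts), kv["src"], kv["dst"], int(kv["dport"])

def detect_scans(log_text, threshold=10, window_seconds=60):
    """Per source, alert 'port_scan' when >= threshold distinct ports are hit on one
    destination inside the window, and 'sweep' when >= threshold distinct destinations
    are hit. Returns a set of (src, kind) so each pair alerts only once."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, dst, dport in sorted(parse(l) for l in log_text.splitlines() if l.strip()):
        by_src[src].append((ts, dst, dport))
    alerts = set()
    for src, evs in by_src.items():
        start = 0
        for end, (ts, _, _) in enumerate(evs):
            while ts - evs[start][0] > window:   # slide: drop events older than the window
                start += 1
            win = evs[start:end + 1]
            if len({d for _, d, _ in win}) >= threshold:
                alerts.add((src, "sweep"))
            ports_by_host = defaultdict(set)
            for _, d, p in win:
                ports_by_host[d].add(p)
            if any(len(ps) >= threshold for ps in ports_by_host.values()):
                alerts.add((src, "port_scan"))
    return alerts

if __name__ == "__main__":
    for src, kind in sorted(detect_scans(SAMPLE_LOGS)):
        print(f"ALERT {kind}: {src}")
```

Note that the slow scanner (10.0.0.8) is missed with the 60-second window and only surfaces when the window is widened, which is exactly the trade-off the "anomaly in recon baselines" use-case is meant to cover.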
Kindest Regards,
Khalid Alateeq
Manager-Information Security & Governance
8 years ago: Sir, I need all the use cases in depth. Can you please explain in detail?
Hi Khalid, can you kindly please give an exact description of each alert... thanks.
Cyber Security Consultant | Cyber Director | Advisory Board Member at Confidential
9 years ago: Important tips... Thanks.
9 years ago: Thanks for the info.