SOC SIEM Use Cases

What are use cases?

Use cases are critical to identifying the early, middle and end-stage operations of an adversary. A small abnormal event can be a clue to a larger attack, and there also needs to be a playbook on how to respond. A use case can be a technical rule or set of conditions applied to the logs ingested into the SIEM, e.g. malicious traffic seen hitting critical servers of the infrastructure, or too many login attempts in the last minute.
Best practices

  • Always keep a clear list of your use cases handy.
  • Use cases need to be mapped to the MITRE ATT&CK phases so you know how far the adversary has succeeded in their objective. Tagging and mapping to the MITRE ATT&CK Matrix helps detection (which logs to tap into) and mitigation, and also helps attribution to an APT group.
  • Each use case should have a clear priority based on your organisation.
  • Each use case should specify the log source that must be ingested into your SIEM.

Why is it important to have a large set of use cases and playbooks for them?

  • Real cyber-attacks are complex. It is actually very hard for an attacker to be invisible to a SOC that has enabled the right set of use cases.
  • Use cases are rules that trigger alerts. You need playbooks, or instructions on how to respond to them, with steps to analyse and mitigate.
  • The process of creating playbooks is very important. It helps a lot in being prepared to handle a cyber-attack.

Below is a list of sample use cases. You can categorize them in multiple ways; refer to your SIEM-specific documentation for the list of rules that come bundled.

Windows

  • Server Shutdown/Reboot
  • Removable media detected
  • Windows abnormal shutdown
  • Login attempts with the same account from different source desktops
  • Detection of Server shutdown-reboot after office hours
  • Administrative Group Membership Changed
  • Unauthorized Default Account Logins
  • Interactive use of service account
  • Remote access login – success & failure
  • Windows Service Stop-Restart
  • ACL Set on Admin Group members
  • Windows Account Enabled/Disabled
  • Multiple Windows Account Locked out
  • Multiple Windows Logins by Same User
  • Brute force attempt from same source
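As an added illustration (not from the original post), the "Brute force attempt from same source" use case written the way the best practices above ask for: a rule with a priority, a MITRE ATT&CK mapping and a required log source, evaluated over constructed Windows Security events. The event field names and sample values are assumptions; Event ID 4625 is the real "An account failed to log on" event and T1110 is ATT&CK's Brute Force technique.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Rule in the shape the post recommends: priority, MITRE ATT&CK mapping and the log
# source to ingest. Event ID 4625 = "An account failed to log on"; T1110 = Brute Force.
RULE = {
    "name": "Brute force attempt from same source",
    "priority": "High",
    "mitre_technique": "T1110",
    "log_source": "Windows Security log",
    "event_id": 4625,
    "threshold": 5,                  # this many failures ...
    "window": timedelta(minutes=1),  # ... inside this sliding window
}

def _evt(ts, event_id, src, user):
    return {"ts": datetime.fromisoformat(ts), "event_id": event_id, "src_ip": src, "user": user}

# Constructed sample events (not real telemetry): a burst source, a slow source, one success.
SAMPLE_EVENTS = (
    [_evt(f"2024-03-01T09:00:{s:02d}", 4625, "10.0.0.5", "svc_backup") for s in (1, 8, 15, 30, 45)]
    + [_evt(f"2024-03-01T09:{m:02d}:00", 4625, "10.0.0.9", "alice") for m in (0, 3, 6, 9, 12)]
    + [_evt("2024-03-01T09:00:50", 4624, "10.0.0.5", "svc_backup")]  # 4624 = successful logon
)

def detect_brute_force(events, rule=RULE):
    """Alert once per source whose failed logons reach `threshold` within `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == rule["event_id"]:   # only the rule's log source/event matters
            failures[e["src_ip"]].append(e)
    alerts = []
    for src, evts in failures.items():
        evts.sort(key=lambda e: e["ts"])
        start = 0  # left edge of the sliding window
        for end in range(len(evts)):
            while evts[end]["ts"] - evts[start]["ts"] > rule["window"]:
                start += 1  # slide past failures older than the window
            if end - start + 1 >= rule["threshold"]:
                hit = evts[start:end + 1]
                alerts.append({
                    "rule": rule["name"], "priority": rule["priority"],
                    "mitre_technique": rule["mitre_technique"], "src_ip": src,
                    "users": sorted({e["user"] for e in hit}),
                    "first_seen": hit[0]["ts"].isoformat(), "last_seen": hit[-1]["ts"].isoformat(),
                })
                break  # one alert per source; the playbook takes it from here
    return alerts
```

The slow source (five failures spread over twelve minutes) never fills the one-minute window and so produces no alert, which is the behaviour that keeps ordinary mistyped passwords out of the queue.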
