What are use cases?
Use cases are critical to identifying the early, middle and end-stage operations of an adversary. A small abnormal event can be a clue to a larger attack, and there also needs to be a playbook on how to respond. A use case can be a technical rule or condition applied to the logs ingested into the SIEM, e.g. malicious traffic seen hitting critical servers of the infrastructure, or too many login attempts within 1 minute.
Best practices
- Always keep a clear list of your use cases handy.
- Map each use case to the MITRE ATT&CK phases so you know how far the adversary got towards his objective. Tagging and mapping to the MITRE ATT&CK Matrix helps detection (which logs to tap into) and mitigation, and also helps attribution to an APT group.
- Each use case should have a clear priority based on your organisation.
- Each use case should name the log source that must be ingested into your SIEM.
Why is it important to have a large set of use cases, and playbooks for them?
- Real cyber-attacks are complex. It is actually very hard for an attacker to stay invisible to a SOC that has enabled the right set of use cases.
- Use cases are rules that trigger alerts. You need playbooks, i.e. instructions on how to respond to them, with steps to analyse and mitigate.
- The process of creating playbooks is very important in itself; it goes a long way towards preparing you to handle a cyber-attack.
Below is a list of sample use cases. You can categorize them in multiple ways; refer to your SIEM-specific documentation for the list of rules that come bundled.
Windows
- Server Shutdown/Reboot
- Removable media detected
- Windows abnormal shutdown
- Login attempts with the same account from different source desktops
- Detection of Server shutdown-reboot after office hours
- Administrative Group Membership Changed
- Unauthorized Default Account Logins
- Interactive use of service account
- Remote access login – success & failure
- Windows Service Stop-Restart
- ACL Set on Admin Group members
- Windows Account Enabled/Disabled
- Multiple Windows Account Locked out
- Multiple Windows Logins by Same User
- Brute force attempt from same source
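As an added illustration (not code from the original post or from any SIEM product), two of the Windows use cases above, "Brute force attempt from same source" and "Login attempts with the same account from different source desktops", are written as detection rules over a constructed sample of Windows Security log records; the thresholds, windows and ATT&CK tags (T1110 Brute Force, T1078 Valid Accounts) are assumptions to tune per organisation.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records (not from a real system):
# event ID 4625 = failed logon, 4624 = successful logon, src = IP or desktop name.
EVENTS = [
    {"ts": "2024-05-01T09:00:01", "id": 4625, "user": "jdoe", "src": "10.0.0.5"},
    {"ts": "2024-05-01T09:00:12", "id": 4625, "user": "jdoe", "src": "10.0.0.5"},
    {"ts": "2024-05-01T09:00:31", "id": 4625, "user": "jdoe", "src": "10.0.0.5"},
    {"ts": "2024-05-01T09:01:00", "id": 4625, "user": "admin", "src": "10.0.0.9"},
    {"ts": "2024-05-01T09:05:00", "id": 4624, "user": "svc_backup", "src": "WS01"},
    {"ts": "2024-05-01T09:08:00", "id": 4624, "user": "svc_backup", "src": "WS07"},
]

# Each use case carries the metadata the best practices call for: priority,
# MITRE ATT&CK technique tag and the log source that must be ingested (assumed values).
USE_CASES = {
    "brute_force_same_source": {"priority": "high", "attack": "T1110", "log_source": "Security 4625"},
    "same_account_multiple_desktops": {"priority": "medium", "attack": "T1078", "log_source": "Security 4624"},
}

def _ts(e): return datetime.fromisoformat(e["ts"])

def brute_force_same_source(events, threshold=3, window=timedelta(minutes=1)):
    """Alert when one source produces >= threshold failed logons inside a sliding window."""
    alerts, recent = [], defaultdict(list)
    for e in sorted(filter(lambda x: x["id"] == 4625, events), key=_ts):
        q = recent[e["src"]]
        q.append(_ts(e))
        q[:] = [t for t in q if q[-1] - t <= window]      # keep only failures inside the window
        if len(q) >= threshold:
            alerts.append({**USE_CASES["brute_force_same_source"], "src": e["src"], "count": len(q), "at": e["ts"]})
            q.clear()                                      # one alert per burst, not one per extra failure
    return alerts

def same_account_multiple_desktops(events, min_hosts=2, window=timedelta(minutes=10)):
    """Alert when one account logs on from >= min_hosts distinct sources inside the window."""
    alerts, recent = [], defaultdict(list)
    for e in sorted(filter(lambda x: x["id"] == 4624, events), key=_ts):
        q = recent[e["user"]]
        q.append((_ts(e), e["src"]))
        q[:] = [(t, s) for t, s in q if q[-1][0] - t <= window]
        hosts = sorted({s for _, s in q})
        if len(hosts) >= min_hosts:
            alerts.append({**USE_CASES["same_account_multiple_desktops"], "user": e["user"], "hosts": hosts, "at": e["ts"]})
            q.clear()
    return alerts

def run_use_cases(events=EVENTS):
    """Run every use case over the log feed; the alert list is what a playbook would act on."""
    return brute_force_same_source(events) + same_account_multiple_desktops(events)
```

Each alert carries the use case's priority, ATT&CK tag and log source, so the analyst picking it up can go straight to the matching playbook.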