For the data to be useful, appropriate Use Cases are needed to detect cyber incidents before it’s too late. SIEMs could further develop these Use Cases into specific rules.

Although the available tools in the market are “smart enough” to detect incidents, we still require a set of use cases for the data that is being ingested.

The following are some of the use cases

Monitoring should be in place to track both user and administrator credentials. A workflow will enable detecting any password compromise attack such as Brute Force, Rainbow table, pass the hash, MITM, etc. When an incident occurs, there is better insight into how to proceed and prevent further damage.

Whenever data is forwarded to a SIEM, a baseline is established. The baseline is determined by the type and amount of data ingested and the source from which it is obtained.

An increase in the EPS resulting from malicious actors tampering with the data being forwarded to a logging platform can negatively impact the search capability of a SIEM in detecting an abnormal event.

A Use case is necessary that monitors the EPS spikes and alerts the user when the threshold value is reached.

This is one of the most important indicators of a Cyber Attack. Attackers usually attempt to disable or manipulate some critical services such as Windows Defender, Endpoint protection, svchost, and winlogon. This is one of the most important indicators of a cyber attack.

It is crucial to monitor the uptime of critical services using a reference set or custom list. Analysts can keep a close eye on these significant services and look for unusual behavior that may signal a threat or a compromise.

There could be multiple reasons for a log source or a collector to go down. An attack on an asset could be one of the reasons and this may cause a log source or collector to stop working. The SIEM should be set to send an alert as soon as it stops receiving logs or metrics from a specific collector. The CIRT should be able to address the issue as soon as possible after learning the IP and hostname of the machine from the alert.

Generally, a threshold amount is already set to lock the user out for login failures. Additionally, this can be considered as a use case that can log the IP, time, and the source for admin or Sudo failures. This could be considered for both Windows and Linux-based OS.

The number of bytes sent and received should not exceed the threshold limit. Large number of outbound packets could be an indicator of a compromise of a BOTNET.

A botnet generally comes in through a backdoor and constantly keeps making a connection to the command and control server. These connections result in high bandwidth and large outbound packets.

DOS (Denial of service) attacks generally come in from multiple IPs and in a very short span of time.

A brute force attack’s IOC can be the usage of random usernames. The use of random usernames can also correlate to a dictionary attack

Contact us today and learn how we at M87 can secure your infrastructure!