Detecting Unusual Activities Using a Next Generation SIEM: Use Cases

SureLog SIEM
6 min readOct 11, 2020

--

Next-Gen SIEMs have brought new capabilities to organizations and their security teams. They’re built from the ground up to take advantage of big data, machine learning, and other cutting-edge technologies. Next-Gen SIEM Platform can help organizations detect and respond to threats faster than ever before. The biggest advantage of Next-Gen SIEMs is security analytics. Security analytics use cases generally fall into three broad categories.

Real-Time Rule-Based Use Cases

Usually, real-time rule-based use cases apply to the detection and remediation of known cyber-attacks or attackers; specifically, rule-based analytics draws from threat intelligence feeds. Additionally, real-time rule-based use cases define and detect rule-based approaches.

SureLog Real Time Rule Wizard

Use case samples:

  • Warn if Powershell command with base64 format and more than 100 characters appears,
  • Password changes for the same user more than 3 within 45 days,
  • If there are more than 10 DNS requests within 5 minutes which have the same domain but different subdomains, notify. Example: xxx.domian.com , yyy.domian.com,
  • Misuse of an account,
  • Lateral movement,
  • 100 failed login attempts from the same IP address in 24 hours,
  • Executive only asset accessed by non-executive user,
  • Multiple vpn accounts failed login from single ip,
  • First access to critical assets,
  • User access from multiple hosts,
  • User account created and deleted in a short period of time,
  • Monitor privileged accounts for suspicious activity,
  • Chained RDP connections,
  • Concurrent Authentication Success from Multiple Locations,
  • Detect, RDP with unusual charset,
  • Multiple RDP from same host in short time,
  • Detect, external DNS Server Used,
  • Detect, powerShell PSExec,
  • Detect, lateral movement following an attack,
  • If a user logs in from a location, and then ten minutes later from another location that is in another country, detect,
  • Unknown User Account Alarm,
  • Windows RunAs Privilege Escalation,
  • If the user signing on from the same place using the same devices at the same time, detect,
  • Detect, dozens of failed login attempts in a very short time,
  • Detect, logging in from an unrecognized device,
  • Detect, accessing from an unusual location,
  • Detect, non-executive logon to executive asset,
  • Credential switch to a privileged or execute sa,
  • Security alert malware found on host on a asset during a VPN session,
  • Detect, high volume of sensitive files viewed / downloaded by user,
  • Detect, high volume of sensitive information printed,
  • Detect, data download followed by exfiltration (via email/removable media/network upload/print/CD burn),
  • Detect, file copy blocked by DLP,
  • Detect, excessive mail to personnel mail address.

Real-Time Security Analytics Use Cases

Real-time means operating on data as it flows through a set of analytics. It means being able to interact with, analyze, augment and visualize that data in milliseconds to seconds of response time.

Moreover, it can match potential threat patterns requiring longer detection times. For example, real-time security analytics can analyze potentially dangerous IP addresses to discover previous attacks and their severity.

Real-time security analytics use case samples:

  • DGA detection [1],
  • Hunting critical process masquerade [2],
  • Hunting malware and viruses by detecting random strings [3],
  • Detecting top four tools used by cyber criminals recently [4],
  • Detect odd time of email activity,
  • Detect, peaks of email counts,
  • Detect, peaks of DNS Subdomain numbers,
  • Detect excessive Incoming Mails,
  • Detect excessive Incoming Mails,
  • Detect abnormal session start time,
  • Detect unusual employee Web traffic based on IP, hostname, user agent, byte size,
  • Detect, rare user agents,
  • Detect, rare login to critical server,
  • Rare executable detected in web-request,
  • Detect traffic to rare domains.

Batch Security

Unlike the above categories, batch security analytics applies cybersecurity to unknown attacks and attackers; after all, IT teams best handle unknown attacks batches. Batch security uses deep statistical models and large data set profiling to discover threats and remediate them. Moreover, it can help with visualizing the threats and security vulnerabilities. Machine learning is the key technology for batch security.

Batch security use case samples:

  • If there is a port usage, which is very rare (like under %1 of all used ports), detect,
  • If there is a port usage, which is very rare for a computer (like under %1 of all used ports by this computer), detect,
  • If there is an anomaly of authentication failure to authentication successful ratio per user per day, detect,
  • If there is an anomaly of password change ratio per user per day, detect,
  • Check if the user internet upload activity when compared to its last four weeks’ activity. (Ex. If today is Friday, check if Friday upload activity is anomalous when compared to last 4 weeks),
  • Check if the user internet download activity when compared to its last four weeks’ activity. (Ex. If today is Friday, check if Friday download activity is anomalous when compared to last 4 weeks),
  • If there is an anomaly of account creation/ disable/ lockout / deletion rates,detect,
  • If there is an anomaly of internet allowed to denied packet ratio per user per day, detect,
  • Detect HTTP to DNS protocol ratio anomaly (Look for a user whose HTTP to DNS protocol ratio is %150 more than %95 of the other users compared to the last four-week ratio. ),
  • Detect HTTP to Nonstandard port ratio anomaly (Look for a user whose HTTP to Nonstandard port ratio is %150 more than %95 of the other users compared to the last four-week ratio. ),
  • Check if the country is the least count country for the user,
  • Check if the user login activity is anomalous when compared to other users. (Ex. Number of authentication is too high compared to other users),
  • Check if the user login activity is anomalous when compared to its last four weeks’ activity. (Ex. If today is Friday, check if Friday number of logins is anomalous when compared to last 4 weeks),
  • Check if the user internet activity is anomalous when compared to its last four weeks’ activity. (Ex. If today is Friday, check if Friday number of blocked traffic is anomalous when compared to last 4 weeks),
  • If there is a huge difference (%30 more) in the number of logins to a computer today when compared with the last 4 weeks, detect,
  • Detect if the user never logged-in to a machine for the last 14 days,
  • Detect beacon,
  • If there is a huge difference in internet traffic for each user per URL when compared to the last seven days of the same user to the same URL, detect
  • Detect an unusual activity by day of week or time of day,
  • Detect an unusual access to servers, file shares, applications or other resources,
  • Detect an unusually high amount of access to certain resources,
  • Detect anomalous application usage and anomalous access patterns to storage,
  • Detect spike in failed login attempts,
  • Detect spike in data egressed to removable media,
  • Detect access/export critical files anomalous to peer behavior,
  • Detect suspicious activity compared to peers,
  • Detect suspicious process execution,
  • Detect user accounts that have unchanged passwords for the past 90 days

Copyright © 2020 by Ertuğrul AKBAŞ. All Rights Reserved

References

1. https://www.peerlyst.com/posts/domain-generational-algorithm-dga-detection-in-surelog-ertugrul-akbas

2. https://www.peerlyst.com/posts/hunting-critical-process-masquerade-using-a-next-gen-siem-ertugrul-akbas

3. https://www.peerlyst.com/posts/hunting-malware-and-viruses-by-detecting-random-strings-using-a-modern-siem-ertugrul-akbas

4. https://www.peerlyst.com/posts/detecting-top-4-tools-used-by-cyber-criminals-recently-ertugrul-akbas

Originally published at https://www.peerlyst.com on April 7, 2020.

--

--