Detecting Unusual Activities Using a Next Generation SIEM -Use Cases Part 2

SureLog SIEM
5 min readOct 13, 2020

--

This article is part of a series. Check out the full series Part1 [1]. The efficiency and effectiveness of security monitoring are directly related to the appropriate implementation and optimization of the right use cases on the right security monitoring tools [2].

SureLog SIEM use cases:

  • An alert will be triggered when the total number of authentication events increase of 50 % is detected in the last 1 hour (Ex. between 18:30–17:30) compared to 1 week ago at the same time (Ex. 7 days before between 18:30–17:30)
  • An alert will be triggered when the total number of authentication events increase of 50 % is detected in the last 1 hour compared to 1 week ago.
  • An alert will be triggered when an outlier detected for the hourly total number of authentication events.
  • An alert will be triggered when a user’s total number of authentication events increase of 50 % is detected in the last 1 hour (Ex. between 18:30–17:30) compared to 1 week ago at the same time (Ex. 7 days before between 18:30–17:30)
  • An alert will be triggered when a user’s total number of authentication events increase of 50 % is detected in the last 1 hour compared to 1 week ago.
  • An alert will be triggered when an outlier detected for the hourly total number of a user’s authentication events.
  • Suspicious file rename/archival transaction
  • Endpoint accessed at unusual time of the day
  • Email from previously uncommunicated domains
  • Traffic to rare domains
  • Traffic to possible Algorithmically Generated Domains
  • Suspicious process execution detection
  • Possible beaconing — detection of robotic traffic pattern
  • Detect web uploads anomaly
  • Detect suspicious failed logins with different user accounts from a single source system within 24 hours
  • Look for a user whose HTTP to DNS protocol ratio is %300 more than %95 of the other users for
  • Detect service account access to an unauthorized device
  • Detect a user is connected from a source country where organization has no presence
  • Detect a user ‘s VPN duration is different from avg of his group
  • Detect if a user with no failed login event during normal working hours creates a failed login event for two consecutive days at lunchtime
  • Detect concurrent VPN from Multiple Locations
  • Detect when a user is trying to modify any critical file.
  • Detect if the same malware occurs on multiple systems
  • Detect if there are reoccurring infections on the same host
  • Detect process launching without parent process or services
  • Detect traffic with periodicity (e.g. traffic to the same URL at the same interval every day)
  • Detect core windows process with name path anomalies
  • Detect core windows process started in the wrong user context
  • Detect core windows process with the wrong parent process
  • Detect off-hour malware detection alert from security devices
  • Detect when a user last hour logon count is two or more standards of deviation away from their mean’ or %100 more than the same user’s maximum logon count
  • if a user last hour logon count is more than “mean plus two times the standard deviation” of all users or %100 more than the same user’s maximum logon count, then notify.
  • Detect If a request was blocked via WAF from an IP address, within 2 minutes after this block action a request from the same IP address was seen in the WEB Server (IIS) logs
  • Detect a user switches from their normal account to a privileged one, then performs an abnormal data transfer to or from an external service.
  • Detect a user logs in remotely at 3 a.m. (usually only doing so locally during normal business hours), then makes repeated attempts to connect to a production database as an administrator.
  • If a user failed to authenticate a server, and at the same time, the same user authenticates to another server, then notify.
  • If a user accesses sensitive files, and at the same time, the same user has a connection to file sharing sites, then notify.
  • If there is authentication failure from the user interface (Oracle Management Studio) and console (SQL*Plus) at the same time, notify
  • Detect File Storage / WeTransfer actions
  • Detect multiple login failure from same user where user has not changed the account password in last 3 days.
  • Detect the ratio of login success versus failure per IP address anomaly.
  • Phishing attack detection by similarity check. For example, many average users would likely accept that jon@fed3x.com is an employee at FedEx. Why? The address looks enough like the legitimate domain, fedex.com
  • Rare executable detected in web-request
  • Detect traffic to rare domains
  • Detect traffic to possible Algorithmically Generated Domains
  • Suspicious process execution detection
  • Detect possible beaconing — detection of robotic traffic pattern
  • Detect Web Uploads anomaly
  • Cryptomining detected
  • Detect spike in SSH client sessions
  • Detect data hoarding
  • Detect If no other devices in the network had been observed connecting to that host with RDP
  • Detect suspicious file download
  • Detect unauthorised device
  • Detect downloading HTML content at a rate which is too high for human consumption -Abnormal Web Activity -
  • Detect Outbound Port Sweep -An internal host is generating many more unsuccessful attempts to connect to external services than successful ones
  • Detect new connectivity for hour
  • Detect rare domain
  • Detect script from Rare External,
  • Detect CertUtil External Connection
  • Detect sbnormal VPN connections from the user
  • Detect sbnormal VPN session duration
  • Detect first VPN connection from an unknown device
  • Detect VPN connection from an anonymous proxy
  • Detect sbnormal amount of data uploaded during a VPN session
  • Detect increase of company-related data files access
  • Detect MFA from a new device for a user
  • Detect physical badge access after VPN access
  • Detect too many failed VPN logins
  • Detect VPN access from a disabled account
  • Detect source IP from unauthorized location
  • Detect abnormal emails to countries from a user/group/organization
  • Detect multiple accounts are attempting to authenticate to a single, unusual location.
  • Detect a domain account has attempted to access several new assets in a short period of time.
  • Detect a user has accessed the network from multiple external organizations too quickly.

References

Originally published at https://www.peerlyst.com on May 12, 2020.

--

--

SureLog SIEM
SureLog SIEM

No responses yet