Detecting Unusual Activities Using a Next Generation SIEM - Use Cases Part 2
5 min read, Oct 13, 2020
This article is part of a series; see Part 1 [1] for the full series. The efficiency and effectiveness of security monitoring depend directly on implementing and tuning the right use cases on the right security monitoring tools [2].
SureLog SIEM use cases:
- An alert will be triggered when the total number of authentication events in the last 1 hour (e.g. between 17:30 and 18:30) shows a 50% increase compared to the same hour 1 week ago (e.g. 7 days before, between 17:30 and 18:30).
- An alert will be triggered when the total number of authentication events in the last 1 hour shows a 50% increase compared to 1 week ago.
- An alert will be triggered when an outlier is detected in the hourly total number of authentication events.
- An alert will be triggered when a user's total number of authentication events in the last 1 hour (e.g. between 17:30 and 18:30) shows a 50% increase compared to the same hour 1 week ago (e.g. 7 days before, between 17:30 and 18:30).
- An alert will be triggered when a user's total number of authentication events in the last 1 hour shows a 50% increase compared to 1 week ago.
- An alert will be triggered when an outlier is detected in the hourly total number of a user's authentication events.
- Suspicious file rename/archival transaction
- Endpoint accessed at unusual time of the day
- Email from domains not previously communicated with
- Traffic to rare domains
- Traffic to possible Algorithmically Generated Domains
- Suspicious process execution detection
- Possible beaconing — detection of robotic traffic pattern
- Detect web uploads anomaly
- Detect suspicious failed logins with different user accounts from a single source system within 24 hours
- Look for a user whose HTTP-to-DNS protocol ratio is 300% more than that of 95% of the other users for
- Detect service account access to an unauthorized device
- Detect a user connecting from a source country where the organization has no presence
- Detect a user's VPN session duration differing from the average of their group
- Detect if a user with no failed login events during normal working hours generates a failed login event at lunchtime on two consecutive days
- Detect concurrent VPN from Multiple Locations
- Detect when a user is trying to modify any critical file.
- Detect if the same malware occurs on multiple systems
- Detect if there are recurring infections on the same host
- Detect a process launched without a parent process or service
- Detect traffic with periodicity (e.g. traffic to the same URL at the same interval every day)
- Detect core Windows processes with name/path anomalies
- Detect core Windows processes started in the wrong user context
- Detect core Windows processes with the wrong parent process
- Detect off-hours malware detection alerts from security devices
- Detect when a user's last-hour logon count is two or more standard deviations away from their mean, or 100% more than the same user's maximum logon count
- If a user's last-hour logon count is more than "mean plus two times the standard deviation" of all users, or 100% more than the same user's maximum logon count, then notify.
- Detect if a request from an IP address was blocked by the WAF and, within 2 minutes of that block, a request from the same IP address was seen in the web server (IIS) logs
- Detect when a user switches from their normal account to a privileged one, then performs an abnormal data transfer to or from an external service.
- Detect when a user logs in remotely at 3 a.m. (usually only doing so locally during normal business hours), then makes repeated attempts to connect to a production database as an administrator.
- If a user fails to authenticate to a server and, at the same time, the same user authenticates to another server, then notify.
- If a user accesses sensitive files, and at the same time, the same user has a connection to file sharing sites, then notify.
- If there is an authentication failure from the user interface (Oracle Management Studio) and the console (SQL*Plus) at the same time, notify.
- Detect File Storage / WeTransfer actions
- Detect multiple login failures from the same user where the user has not changed the account password in the last 3 days.
- Detect an anomaly in the ratio of login successes to failures per IP address.
- Phishing attack detection by similarity check. For example, many average users would likely accept that jon@fed3x.com is an employee at FedEx. Why? The address looks enough like the legitimate domain, fedex.com.
- Rare executable detected in web-request
- Cryptomining detected
- Detect spike in SSH client sessions
- Detect data hoarding
- Detect if no other device in the network has been observed connecting to that host over RDP
- Detect suspicious file download
- Detect unauthorised device
- Detect downloading of HTML content at a rate too high for human consumption (abnormal web activity)
- Detect outbound port sweep: an internal host is generating many more unsuccessful attempts to connect to external services than successful ones
- Detect new connectivity for the hour
- Detect rare domain
- Detect script from rare external
- Detect CertUtil External Connection
- Detect abnormal VPN connections from the user
- Detect abnormal VPN session duration
- Detect first VPN connection from an unknown device
- Detect VPN connection from an anonymous proxy
- Detect an abnormal amount of data uploaded during a VPN session
- Detect increase of company-related data files access
- Detect MFA from a new device for a user
- Detect physical badge access after VPN access
- Detect too many failed VPN logins
- Detect VPN access from a disabled account
- Detect source IP from unauthorized location
- Detect abnormal emails to countries from a user/group/organization
- Detect multiple accounts attempting to authenticate to a single, unusual location.
- Detect a domain account that has attempted to access several new assets in a short period of time.
- Detect a user who has accessed the network from multiple external organizations too quickly.
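The authentication-count use cases at the top of the list (50% increase versus the same hour one week ago, and the per-user outlier rule of mean plus two standard deviations or 100% above the user's maximum) can be implemented in a few lines over hourly buckets. The following is an added illustration, not SureLog's own rule logic; the events, user names and the 4-hour baseline window are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev

HOUR = timedelta(hours=1)
WINDOW_START = datetime(2020, 10, 13, 17, 30)   # hour under inspection: 17:30-18:30

def make_events(user, start, n):
    """Spread n constructed authentication events for user across the hour starting at start."""
    return [(start + timedelta(seconds=i * 3600 // n), user) for i in range(n)]

# Constructed sample events (timestamp, user); not real logs.
EVENTS = (
    # alice: 10 logons in the same hour a week ago, 16 in the current hour (+60%)
    make_events("alice", WINDOW_START - timedelta(days=7), 10)
    + make_events("alice", WINDOW_START, 16)
    # alice's four previous hours (her baseline): 9, 11, 10, 12 logons
    + [e for h, n in zip(range(1, 5), (9, 11, 10, 12))
       for e in make_events("alice", WINDOW_START - h * HOUR, n)]
    # bob: a steady 8 logons every hour, last week and today
    + make_events("bob", WINDOW_START - timedelta(days=7), 8)
    + [e for h in range(0, 5) for e in make_events("bob", WINDOW_START - h * HOUR, 8)]
)

def hourly_counts(events, window_start=WINDOW_START):
    """Bucket events by (user, hour index); index 0 is the hour starting at window_start,
    -1 the hour before it, -168 the same hour one week earlier."""
    return Counter((u, (ts - window_start) // HOUR) for ts, u in events)

def week_over_week_spike(counts, user, threshold=0.5):
    """Rule: the current hour exceeds the same hour 7 days ago by more than threshold (50%)."""
    now, last_week = counts[(user, 0)], counts[(user, -168)]
    if last_week == 0:
        return False          # no baseline to compare against
    return (now - last_week) / last_week > threshold

def outlier(counts, user, history_hours=4):
    """Rule: current hour is above mean + 2 standard deviations of the user's previous hours,
    or more than 100% above the user's previous maximum."""
    history = [counts[(user, -h)] for h in range(1, history_hours + 1)]
    now = counts[(user, 0)]
    return now > mean(history) + 2 * pstdev(history) or now > 2 * max(history)

def evaluate(events, users=("alice", "bob")):
    """Run both rules for each user and return which would alert."""
    counts = hourly_counts(events)
    return {u: {"spike_vs_last_week": week_over_week_spike(counts, u),
                "outlier": outlier(counts, u)} for u in users}
```

With the constructed data, alice trips both rules (16 versus 10 a week ago, and 16 against a baseline of roughly 10.5 ± 1.1) while bob trips neither; in production the baseline should be longer than four hours and the week-ago comparison guarded against holidays.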
References
Originally published at https://www.peerlyst.com on May 12, 2020.