2018 Popular SIEM Starter Use Cases

One of the most popular posts (example) on my blog is “Popular SIEM Starter Use Cases.” However, this post is from 2014, and is, in fact, partially based on my earlier experiences doing SIEM consulting in 2009-2011. In other words, it is kinda old.

Perhaps surprising to some, our data seems to indicate that many of the mentioned popular starter use cases are very relevant today. Some of the use cases were reborn as popular UEBA use cases, BTW (and here is a list of our UEBA use cases, ABTW). Am I not a master of blog post cross-linking, Anna? :-)

So, let’s take a look at these mid-level use cases (technically, I’d classify my use cases here as mid-level in abstraction, BTW) and perhaps add others we’ve been noticing lately:

Use case / Description / Status in 2018

1 (old). Authentication tracking and account compromise detection; admin and user tracking.
   Status in 2018: very much alive; also became a popular UEBA use case.

2 (old). Compromised- and infected-system tracking; malware detection using outbound firewall logs, proxy logs, etc.
   Status in 2018: very much alive, more relevant than before; also a UEBA use case.

3 (old). Validating intrusion detection/intrusion prevention system (IDS/IPS) alerts using vulnerability data, etc.
   Status in 2018: less relevant today, not common anymore; perhaps a candidate for removal from the popular list?

4 (old). Monitoring for suspicious outbound connectivity and data transfers using firewall logs, Web proxy logs, etc.
   Status in 2018: very much alive; also a popular UEBA use case (related to exfiltration detection).

5 (old). Tracking system changes and other administrative actions across internal systems, etc.
   Status in 2018: very much alive; AD log analysis became more popular, and UEBA expands this to insider threats, etc.

6 (old). Tracking of Web application attacks and their consequences, etc.
   Status in 2018: I’d say alive today, but not that common; not sure why.

7 (NEW). Cloud activity monitoring: detecting cloud account compromise, cloud access and privilege abuse, and other security issues, etc.
   Status in 2018: NEW! Also a use case for UEBA and (mostly in the case of SaaS) CASB; this covers many sub-use cases for AWS, Azure, Office 365, etc. threat detection.

8 (NEW). Detecting threats by matching various logs to threat intelligence feeds.
   Status in 2018: NEW! A popular use case, pushed up by the wide availability of low-priced TI feeds of … ahem … tolerable quality.

9 (NEW). SIEM as “poor man’s EDR”: review of Sysmon and similar endpoint data.
   Status in 2018: NEW! As EDR and EPP converge, SIEM can occasionally help with deeper endpoint visibility by using various sources of endpoint telemetry; probably not a good STARTER use case, though.
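To make two of the rows above concrete, here is an added example (not code from the original post or from any SIEM product) of what use case 1 and use case 8 look like as correlation logic. It runs over constructed sshd-style authentication lines and firewall-style outbound connection lines; the log formats, IP addresses, the five-failures-in-five-minutes threshold and the tiny threat-intel “feed” are all assumptions made up for the illustration, not values from the post.

```python
"""Toy SIEM correlation rules for two starter use cases (added example).

Use case 1: account compromise candidate = N+ failed logins for the same
            (user, source IP) followed by a successful login within a window.
Use case 8: outbound connection whose destination IP appears in a TI feed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real data): sshd-style auth events.
AUTH_LOGS = """\
2018-07-20T10:00:01 sshd: Failed password for alice from 203.0.113.7
2018-07-20T10:00:03 sshd: Failed password for alice from 203.0.113.7
2018-07-20T10:00:05 sshd: Failed password for alice from 203.0.113.7
2018-07-20T10:00:06 sshd: Failed password for alice from 203.0.113.7
2018-07-20T10:00:08 sshd: Failed password for alice from 203.0.113.7
2018-07-20T10:00:11 sshd: Accepted password for alice from 203.0.113.7
2018-07-20T10:05:00 sshd: Failed password for bob from 198.51.100.9
2018-07-20T10:30:00 sshd: Accepted password for bob from 198.51.100.9
2018-07-20T11:00:00 sshd: Accepted password for carol from 192.0.2.20
"""

# Constructed sample logs (not real data): firewall-style outbound connections.
FW_LOGS = """\
2018-07-20T10:01:00 fw: ALLOW TCP 10.0.0.5:51000 -> 198.51.100.77:443
2018-07-20T10:01:02 fw: ALLOW TCP 10.0.0.5:51001 -> 93.184.216.34:443
2018-07-20T10:01:05 fw: ALLOW TCP 10.0.0.9:40000 -> 203.0.113.250:8443
"""

# Constructed "threat intel feed": a flat set of indicator IPs, which is
# roughly what a low-priced feed gives you. Nothing here is a real indicator.
TI_FEED = {"198.51.100.77", "203.0.113.250"}

AUTH_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
FW_RE = re.compile(r"^(\S+) fw: ALLOW \S+ (\S+):\d+ -> (\S+):\d+$")


def detect_bruteforce_then_success(log_text, threshold=5, window=timedelta(minutes=5)):
    """Use case 1. Returns a list of (user, src_ip, failure_count, success_time)
    for every success that was preceded by >= threshold failures from the same
    (user, src_ip) inside the sliding window. Threshold/window are assumptions."""
    failures = defaultdict(list)  # (user, src_ip) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # unparsed lines are skipped, not treated as failures
        ts = datetime.fromisoformat(m.group(1))
        outcome, user, src = m.group(2), m.group(3), m.group(4)
        key = (user, src)
        # Age out failures that fall outside the window relative to this event.
        failures[key] = [t for t in failures[key] if ts - t <= window]
        if outcome == "Failed":
            failures[key].append(ts)
        elif len(failures[key]) >= threshold:
            alerts.append((user, src, len(failures[key]), ts))
            failures[key].clear()  # one alert per burst, not one per later success
    return alerts


def match_outbound_to_ti(log_text, feed):
    """Use case 8. Returns a list of (src_ip, dst_ip, timestamp) for outbound
    connections whose destination is in the feed."""
    hits = []
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if m and m.group(3) in feed:
            hits.append((m.group(2), m.group(3), m.group(1)))
    return hits


if __name__ == "__main__":
    for user, src, n, when in detect_bruteforce_then_success(AUTH_LOGS):
        print(f"[UC1] {user} from {src}: {n} failures then success at {when}")
    for src, dst, when in match_outbound_to_ti(FW_LOGS, TI_FEED):
        print(f"[UC8] {when} {src} -> {dst} matches TI feed")
```

Two caveats a practitioner will recognize: the use case 1 rule only fires on the failed-then-succeeded pattern, so a single correct guess (credential stuffing with a good password) is invisible to it and needs the “new source for this user” style of check that UEBA tools sell; and the use case 8 rule is exactly as good as the feed behind it, which is why the row above qualifies the feeds as being of “tolerable quality”.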

Note that I am NOT including foundational SIEM use cases like “use SIEM to search logs” or “use SIEM for PCI DSS compliance reporting.” Sure, they are alive and well, but … well … not that sexy to mention here.

Any ideas? Anything to add? Anything to remove?

Posts related to SIEM research:

*** This is a Security Bloggers Network syndicated blog from Anton Chuvakin authored by Anton Chuvakin. Read the original post at: https://blogs.gartner.com/anton-chuvakin/2018/07/20/2018-popular-siem-starter-use-cases/