2018 Popular SIEM Starter Use Cases

One of the most popular posts (example) on my blog is “Popular SIEM Starter Use Cases.” However, this post is from 2014, and is, in fact, partially based on my earlier experiences doing SIEM consulting in 2009-2011. In other words, it is kinda old.

Perhaps surprising to some, our data seems to indicate that many of the mentioned popular starter use cases are very relevant today. Some of the use cases were reborn as popular UEBA use cases, BTW (and here is a list of our UEBA use cases, ABTW). Am I not a master of blog post cross-linking, Anna? :-)

So, let’s take a look at these mid-level use cases (technically, I’d classify my use cases here as mid-level in abstraction, BTW) and perhaps add others we’ve been noticing lately:

| # | Use case | Status in 2018 |
|---|----------|----------------|
| 1 (old) | Authentication tracking and account compromise detection; admin and user tracking | Very much alive; also became a popular UEBA use case |
| 2 (old) | Compromised- and infected-system tracking; malware detection using outbound firewall logs, proxy logs, etc. | Very much alive, more relevant than before; also a UEBA use case |
| 3 (old) | Validating intrusion detection system/intrusion prevention system (IDS/IPS) alerts using vulnerability data, etc. | Less relevant today, not common anymore; perhaps a candidate for removal from the popular list? |
| 4 (old) | Monitoring for suspicious outbound connectivity and data transfers using firewall logs, Web proxy logs, etc. | Very much alive; also a popular UEBA use case (related to exfiltration detection) |
| 5 (old) | Tracking system changes and other administrative actions across internal systems, etc. | Very much alive; AD log analysis became more popular, and UEBA expands this to insider threats, etc. |
| 6 (old) | Tracking of Web application attacks and their consequences, etc. | I'd say alive today, but not that common; not sure why |
| 7 (NEW) | Cloud activity monitoring: detecting cloud account compromise, cloud access and privilege abuse, other security issues, etc. | NEW! Also a use case for UEBA and (mostly for SaaS) CASB; this covers many sub-use cases for AWS, Azure, Office 365, etc. threat detection |
| 8 (NEW) | Detecting threats by matching various logs to threat intelligence feeds | NEW! A popular use case, pushed up by wide availability of low-priced TI feeds of … ahem … tolerable quality |
| 9 (NEW) | SIEM as "poor man's EDR": review of Sysmon and similar endpoint data | NEW! As EDR and EPP converge, SIEM can occasionally help with deeper endpoint visibility by utilizing various sources of endpoint telemetry; probably not a good STARTER use case though… |
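To make two of these use cases concrete, here is a small added example (my illustration, not code from the original post or from any SIEM product) of the correlation logic a SIEM would run for use case 1 (account compromise: a burst of failed logons followed by a success for the same user and source) and use case 8 (matching outbound proxy events against a threat intelligence feed). It assumes a hypothetical normalized `timestamp source key=value ...` event format; the log lines, the indicator feed and the thresholds are all constructed for the example, using reserved documentation addresses and the `.test` TLD rather than any real indicators.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events in a hypothetical normalized format (not real data).
AUTH_EVENTS = """\
2018-03-01T08:00:01Z auth user=alice src=10.1.1.5 result=FAIL
2018-03-01T08:00:03Z auth user=alice src=10.1.1.5 result=FAIL
2018-03-01T08:00:05Z auth user=alice src=10.1.1.5 result=FAIL
2018-03-01T08:00:08Z auth user=alice src=10.1.1.5 result=FAIL
2018-03-01T08:00:09Z auth user=alice src=10.1.1.5 result=FAIL
2018-03-01T08:00:12Z auth user=alice src=10.1.1.5 result=SUCCESS
2018-03-01T08:05:00Z auth user=bob src=10.1.1.9 result=FAIL
2018-03-01T08:05:02Z auth user=bob src=10.1.1.9 result=SUCCESS
2018-03-01T09:00:00Z auth user=carol src=10.1.1.7 result=FAIL
2018-03-01T09:20:00Z auth user=carol src=10.1.1.7 result=FAIL
2018-03-01T09:40:00Z auth user=carol src=10.1.1.7 result=FAIL
2018-03-01T10:00:00Z auth user=carol src=10.1.1.7 result=FAIL
2018-03-01T10:20:00Z auth user=carol src=10.1.1.7 result=FAIL
2018-03-01T10:21:00Z auth user=carol src=10.1.1.7 result=SUCCESS
"""

# Constructed sample outbound proxy events (not real data).
PROXY_EVENTS = """\
2018-03-01T10:00:00Z proxy src=10.1.1.5 dst=203.0.113.10 host=cdn.example.test bytes_out=512
2018-03-01T10:00:05Z proxy src=10.1.1.5 dst=198.51.100.7 host=c2.bad-domain.test bytes_out=40960
2018-03-01T10:00:09Z proxy src=10.1.1.9 dst=192.0.2.44 host=mail.example.test bytes_out=2048
2018-03-01T10:01:00Z proxy src=10.1.1.7 dst=203.0.113.200 host=www.sub.bad-domain.test bytes_out=128
"""

# Constructed threat-intel feed: hypothetical indicators built from reserved ranges and the .test TLD.
TI_FEED = {
    "ip": {"198.51.100.7"},
    "domain": {"bad-domain.test"},
    "cidr": {"203.0.113.192/26"},
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split 'timestamp source k=v k=v ...' into a dict with a parsed datetime."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["source"] = source
    return fields


def detect_account_compromise(lines, threshold=5, window=timedelta(minutes=5)):
    """Use case 1: at least `threshold` failed logons for one (user, src) pair inside
    `window`, followed by a successful logon from the same pair. Slow, spread-out
    failures (carol) fall out of the window and do not fire."""
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    for line in lines.splitlines():
        ev = parse_event(line)
        key = (ev["user"], ev["src"])
        recent = failures[key]
        while recent and ev["ts"] - recent[0] > window:  # expire stale failures
            recent.popleft()
        if ev["result"] == "FAIL":
            recent.append(ev["ts"])
        elif ev["result"] == "SUCCESS":
            if len(recent) >= threshold:
                alerts.append({"user": ev["user"], "src": ev["src"],
                               "failures": len(recent), "at": ev["ts"]})
            recent.clear()
    return alerts


def detect_ti_matches(lines, feed):
    """Use case 8: match proxy events against IP, CIDR and domain indicators.
    A domain indicator matches the domain itself and any subdomain of it."""
    networks = [ipaddress.ip_network(c) for c in feed["cidr"]]
    hits = []
    for line in lines.splitlines():
        ev = parse_event(line)
        dst = ipaddress.ip_address(ev["dst"])
        host = ev["host"].lower()
        matched = []
        if ev["dst"] in feed["ip"]:
            matched.append(("ip", ev["dst"]))
        matched.extend(("cidr", str(net)) for net in networks if dst in net)
        matched.extend(("domain", d) for d in feed["domain"]
                       if host == d or host.endswith("." + d))
        if matched:
            hits.append({"src": ev["src"], "dst": ev["dst"],
                         "host": ev["host"], "indicators": matched})
    return hits


if __name__ == "__main__":
    for alert in detect_account_compromise(AUTH_EVENTS):
        print("ACCOUNT-COMPROMISE", alert)
    for hit in detect_ti_matches(PROXY_EVENTS, TI_FEED):
        print("TI-MATCH", hit)
```

On the sample data only alice's logon fires the compromise rule (five failures in eleven seconds, then a success), while carol's five failures spread over eighty minutes do not, which is the usual trade-off of a windowed threshold: it catches the noisy brute force and misses a patient one. The TI matcher flags the two events that touch the constructed indicators, one by exact IP plus domain and one by CIDR plus subdomain, which is also why feed quality matters so much for this use case: every stale or over-broad indicator turns into exactly this kind of alert.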

Note that I am NOT including foundational SIEM use cases like “use SIEM to search logs” or “use SIEM for PCI DSS compliance reporting.” Sure, they are alive and well, but …well…. not that sexy to mention here.

Any ideas? Anything to add? Anything to remove?

Posts related to SIEM research:

*** This is a Security Bloggers Network syndicated blog from Anton Chuvakin authored by Anton Chuvakin. Read the original post at: