
SIEM Use Cases

SIEM Benefits with Less Effort

  • Respond to incidents faster with built-in SIEM
  • Detect and contain malware
  • Detect and report on fraud
  • Monitor privileged users
  • Pass compliance audits


SIEM Use Case Examples & How USM Does It Better

We designed the Security Information and Event Management, or SIEM, capability to provide the complete security visibility organizations need to detect threats, respond to incidents, and pass compliance audits. It works by aggregating security-relevant data from your environment and applying over 2,000 event correlation rules to find relationships among that data and surface malicious activity. These correlation directives identify patterns that signal threats, policy violations, and other exposures.

AlienVault USM delivers all of the essential security capabilities you need to be ready to start an ISO compliance program, right out of the box. There is no need to purchase, deploy, and integrate separate asset discovery, intrusion detection, vulnerability assessment, behavioral analysis and SIEM technologies. The AlienVault USM platform has all of these capabilities already built in.

Incident Response & Investigation

Here are the basic steps involved with each SIEM use case:

  1. Identify the goal for each use case.
  2. Determine the conditions for the alert.
  3. Select relevant data sources.
  4. Determine response strategies, and document them.

Although the primary budget driver for SIEM is monitoring compliance, the primary use case for SIEM is to identify and investigate security incidents. Spotting attacks as quickly as possible to minimize damage requires a combination of data sources, as well as the latest threat intelligence from experienced security researchers, such as AlienVault Labs.

To help you get started, we've collected some SIEM use case examples. Please note that these examples are provided for your reference only. Any SIEM use cases you implement should reflect your own security requirements, policies, and business priorities.

SIEM Use Case Examples

Watering Hole Attack

Watering hole attacks are those in which the attacker compromises a website likely to be visited by a particular target group, and eventually infects members of that group when they visit the compromised site. Rather than attacking the target group directly, the attacker "lies in wait" after compromising the website in question.

Following our methodology above, here are the key pieces of information to implement this SIEM use case.

  • Goal: Identify a targeted attack on staff members and block the attacker
  • Alert Conditions: Alert on two or more malware infections from the same compromised website
  • Data Sources: AlienVault OTX Reputation Monitor, intrusion detection (IDS), log data from firewall, anti-virus, web proxy, content filtering software
  • USM Advantage: Integrated OTX and built-in Network IDS

SQL Injection Attack and Other Web Application Attacks

One of the oldest and most common attacks used against web applications, SQL injection attacks happen by inserting malicious SQL statements into a web-based entry field for execution (e.g. to dump the database contents to the attacker). Finding these exposures quickly is essential in order to detect system compromise and avoid information leakage.

Following our methodology above, here are the key pieces of information to implement this SIEM use case.

  • Goal: Identify an attack on a web server in real time and validate that it is blocked
  • Alert Conditions: Alert from intrusion detection system software (IDS) and host-based intrusion detection (HIDS), source IP address known as malicious according to AlienVault OTX Reputation Monitor
  • Data Sources: AlienVault OTX Reputation Monitor, web server logs, web application firewall logs, intrusion detection (IDS), host-based intrusion detection (HIDS)
  • USM advantage: Integrated OTX, built-in Network IDS and Host IDS

Malware Detection & Removal

Malware remains a reliable tool for attackers. According to the latest Verizon Data Breach Investigation Report, direct installation of malware by an attacker continues to be the most common risk vector for security breaches. Successfully finding, containing and removing malware involves a series of steps, and so we've included each of these SIEM use cases below.

Malware infection

  • Goal: Identify traffic from an internal address to known malicious destinations as identified by AlienVault OTX Reputation Monitor
  • Alert Conditions: Alert on any event where traffic is being sent to known malicious IP addresses
  • Data Sources: AlienVault OTX Reputation Monitor, intrusion detection (IDS), host-based intrusion detection (HIDS), failed logins, log data from firewall, anti-virus, netflow
  • USM advantage: Integrated OTX, built-in Network IDS and Host IDS, integrated netflow and out-of-the-box correlation rules updated weekly for newest threats.

Malware containment

  • Goal: Alert on the detection of malware before it spreads beyond a limited number of hosts
  • Alert Conditions: Alert when 5 or more hosts on the same subnet trigger the same malware signature within a 1 hour interval
  • Data Sources: AlienVault OTX Reputation Monitor, intrusion detection (IDS), host-based intrusion detection (HIDS), log data from firewall, anti-virus, netflow analysis
  • USM advantage: Integrated OTX, Network IDS, Host IDS and netflow

Failure to Remove Malware

  • Goal: Alert when > 1 hour has passed since malware was detected on a source, with no corresponding removal
  • Alert Conditions: Alert when a single host fails to auto-clean malware within 1 hour of detection
  • Data Sources: AlienVault OTX Reputation Monitor, intrusion detection (IDS), host-based intrusion detection (HIDS), log data from anti-virus
  • USM advantage: Integrated OTX, Network IDS and Host IDS
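The two time-window rules above (Malware containment: five or more hosts on one subnet firing the same signature within an hour; Failure to Remove Malware: a detection with no clean-up within an hour) implemented over constructed anti-virus/HIDS events. This is an added example, not USM's own correlation directives; the /24 subnet size, hosts, timestamps and signature name are assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed anti-virus/HIDS events, not real log data: (timestamp, host, signature, action)
EVENTS = [
    ("2024-05-01T09:00:00", "10.1.2.10", "Trojan.Generic", "detected"),
    ("2024-05-01T09:05:00", "10.1.2.11", "Trojan.Generic", "detected"),
    ("2024-05-01T09:05:30", "10.1.2.11", "Trojan.Generic", "cleaned"),   # auto-clean in time
    ("2024-05-01T09:20:00", "10.1.2.12", "Trojan.Generic", "detected"),
    ("2024-05-01T09:30:00", "10.1.2.13", "Trojan.Generic", "detected"),
    ("2024-05-01T09:40:00", "10.1.2.14", "Trojan.Generic", "detected"),  # 5th host in the /24
    ("2024-05-01T09:45:00", "10.1.3.50", "Trojan.Generic", "detected"),  # different subnet
    ("2024-05-01T11:30:00", "10.1.2.10", "Trojan.Generic", "cleaned"),   # cleaned, but too late
]

def parse(events):
    return [(datetime.fromisoformat(ts), h, sig, act) for ts, h, sig, act in events]

def containment_alerts(events, threshold=5, window=timedelta(hours=1), prefix=24):
    """Malware containment: >= threshold distinct hosts in one /prefix subnet
    firing the same signature inside a sliding window. Returns {(subnet, signature)}."""
    hits = sorted((t, h, s) for t, h, s, a in parse(events) if a == "detected")
    alerts = set()
    for i, (t0, h0, s0) in enumerate(hits):
        subnet = ip_network(f"{h0}/{prefix}", strict=False)
        hosts = set()
        for t, h, s in hits[i:]:          # hits are time-ordered, so stop at the window edge
            if t - t0 > window:
                break
            if s == s0 and ip_address(h) in subnet:
                hosts.add(h)
        if len(hosts) >= threshold:
            alerts.add((str(subnet), s0))
    return alerts

def uncleaned_alerts(events, window=timedelta(hours=1)):
    """Failure to remove malware: a detection with no 'cleaned' event for the same
    host and signature within the window. Returns the set of offending hosts."""
    evs = parse(events)
    cleaned = [(t, h, s) for t, h, s, a in evs if a == "cleaned"]
    alerts = set()
    for t0, h, s, a in evs:
        if a != "detected":
            continue
        removed = any(h == ch and s == cs and t0 <= ct <= t0 + window
                      for ct, ch, cs in cleaned)
        if not removed:
            alerts.add(h)
    return alerts
```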

Validating IDS/IPS Alerts & Reducing False Positives

  • Goal: Reduce wasted time investigating alerts from IDS/IPS
  • Conditions: Use vulnerability data and other context data about your assets to dismiss some IDS/IPS alerts
  • Data Sources: Asset information, vulnerability information on these assets and AlienVault OTX Reputation Monitor
  • USM advantage: Integrated asset discovery and inventory and vulnerability scanning information from a single console
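The validation step above as code: a triage function that checks each IDS alert against constructed asset-inventory and vulnerability-scan data and dismisses only alerts the inventory proves cannot apply. This is an added example, not USM's own logic; the host addresses, service names and VULN-PLACEHOLDER ids are made-up assumptions.

```python
# Constructed asset inventory (what asset discovery found): host -> OS and running services
ASSETS = {
    "10.0.0.5": {"os": "linux", "services": {"ssh", "http"}},
    "10.0.0.6": {"os": "windows", "services": {"smb", "rdp"}},
}
# Constructed vulnerability-scan results: host -> vulnerability ids (placeholder ids, not real CVEs)
VULNS = {
    "10.0.0.5": {"VULN-PLACEHOLDER-1"},
    "10.0.0.6": set(),
}
# Constructed IDS alerts: each signature states the OS, service and vulnerability it targets
IDS_ALERTS = [
    {"dst": "10.0.0.5", "sig": "web exploit", "os": "linux", "service": "http", "vuln": "VULN-PLACEHOLDER-1"},
    {"dst": "10.0.0.6", "sig": "web exploit", "os": "linux", "service": "http", "vuln": "VULN-PLACEHOLDER-1"},
    {"dst": "10.0.0.6", "sig": "smb exploit", "os": "windows", "service": "smb", "vuln": "VULN-PLACEHOLDER-2"},
    {"dst": "10.0.0.9", "sig": "rdp exploit", "os": "windows", "service": "rdp", "vuln": "VULN-PLACEHOLDER-3"},
]

def triage(alert, assets=ASSETS, vulns=VULNS):
    """Return (verdict, reason). 'dismiss' only when inventory proves the alert
    cannot apply; unknown hosts are kept, because missing context is not evidence."""
    asset = assets.get(alert["dst"])
    if asset is None:
        return ("investigate", "host not in inventory")
    if asset["os"] != alert["os"]:
        return ("dismiss", "signature targets a different OS")
    if alert["service"] not in asset["services"]:
        return ("dismiss", "target service not running on host")
    if alert["vuln"] in vulns.get(alert["dst"], set()):
        return ("escalate", "host is known vulnerable to this exploit")
    return ("investigate", "service exposed; vulnerability not confirmed by scan")

def triage_all(alerts):
    """Verdict per (destination host, signature) for a batch of IDS alerts."""
    return {(a["dst"], a["sig"]): triage(a)[0] for a in alerts}
```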

Monitoring for Suspicious Outbound Connections

  • Goal: Alert when there is exfiltration of data and other suspicious external connectivity
  • Alert Conditions: Alert when outbound connections are made and data is exfiltrated
  • Data Sources: Firewall logs, web proxy logs and network flows and AlienVault OTX Reputation Monitor
  • USM advantage: Integrated netflow and Network IDS

Tracking System Changes

  • Goal: Alert when administrative actions across internal systems deviate from allowed policy
  • Alert Conditions: Alert when policy is violated
  • Data Sources: Host IDS, correlated with policy
  • USM advantage: Integrated Host IDS

Privileged User Monitoring

Tracking the activities of privileged users - those with administrative or root system access - is an essential security practice, and one that many regulatory standards require. Before you can implement this SIEM use case, you'll need to know who these users are (including all of their accounts), as well as deploy HIDS agents on the critical systems they access. You'll also need to make sure your change control system and process support implementing this use case.

  • Goal: Detect unauthorized user access attempts, including escalation of privilege
  • Alert Conditions: Alert on a privilege escalation with no corresponding change request
  • Data Sources: Log data from Active Directory/LDAP server, change control system, ticketing system; host-based intrusion detection (HIDS), file integrity monitoring
  • USM advantage: Integrated Host IDS and file integrity monitoring

Fraud Detection & Reporting

Another powerful SIEM use case is to rapidly detect fraudulent activity. The challenge with implementing this use case is to imagine the most likely scenarios for fraud attempts, and then connect the activity to the appropriate data sources. Here's a basic example that illustrates this SIEM use case, but there are certainly others that you can implement to catch fraud in your organization.

  • Goal: To identify potential fraud activity within payment systems
  • Alert Conditions: Two new accounts set up and used to initiate and authorize a $1B payment
  • Data Sources: Log data from Active Directory/LDAP server and payment system application
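The fraud rule above as code: directory account-creation events are joined to payment-application events so that a payment at or above the threshold, initiated by one newly created account and authorized by another, raises an alert. This is an added example, not USM's own correlation logic; the account names, payment ids, amounts and the seven-day "new account" age are assumptions.

```python
from datetime import datetime, timedelta

# Constructed Active Directory/LDAP events, not real logs: (timestamp, event, account)
AD_EVENTS = [
    ("2024-01-15T08:00:00", "user_created", "jdoe"),        # long-standing account
    ("2024-05-06T10:00:00", "user_created", "tmp_acct1"),   # created minutes apart...
    ("2024-05-06T10:02:00", "user_created", "tmp_acct2"),   # ...and used within the hour
]

# Constructed payment-application events: (timestamp, action, payment_id, account, amount)
PAYMENT_EVENTS = [
    ("2024-05-06T11:00:00", "initiate", "PAY-100", "tmp_acct1", 1_000_000_000),
    ("2024-05-06T11:05:00", "authorize", "PAY-100", "tmp_acct2", 1_000_000_000),
    ("2024-05-06T12:00:00", "initiate", "PAY-101", "jdoe", 5_000),
    ("2024-05-06T12:10:00", "authorize", "PAY-101", "tmp_acct1", 5_000),
]

def account_created_at(ad_events):
    """Map each account to its creation time from the directory log."""
    return {acct: datetime.fromisoformat(ts)
            for ts, event, acct in ad_events if event == "user_created"}

def fraud_alerts(ad_events, payment_events, min_amount=1_000_000_000, max_age_days=7):
    """Alert on a payment >= min_amount that two distinct accounts, both created
    within max_age_days of acting, initiated and authorized. Returns payment ids."""
    created = account_created_at(ad_events)
    max_age = timedelta(days=max_age_days)
    payments = {}                               # payment_id -> {"amount", "initiate", "authorize"}
    for ts, action, pid, acct, amount in payment_events:
        payments.setdefault(pid, {"amount": amount})[action] = (datetime.fromisoformat(ts), acct)
    alerts = []
    for pid, p in sorted(payments.items()):
        if p["amount"] < min_amount or "initiate" not in p or "authorize" not in p:
            continue
        accounts = {p["initiate"][1], p["authorize"][1]}
        both_new = all(
            p[stage][1] in created and p[stage][0] - created[p[stage][1]] <= max_age
            for stage in ("initiate", "authorize"))
        if both_new and len(accounts) == 2:     # "two new accounts", not one account twice
            alerts.append(pid)
    return alerts
```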

Pass Compliance Audits

SIEM is very often purchased with budgetary funds from compliance projects. SIEM can indeed make passing audits easier. It can provide, for example:

  • An array of specific regulatory reports for requirements such as PCI and HIPAA
  • The capability to monitor changes to critical files and settings. In USM, there is an integrated Host IDS which provides file integrity monitoring
  • Detailed information about all changes to Active Directory - users added, group memberships changed, escalated privileges and so on
  • Proof that employees and contractors who leave the business no longer have access

Handle more use cases without any integration of external data sources

SIEM without the hassle

Traditional SIEM doesn't work for most small/medium businesses. It's too resource-intensive to implement, integrate data sources, tune, and use for monitoring. It's too expensive and does not meet their needs.


Deploy Quickly and Easily

Download and deploy in less than one hour, with all of your IP-enabled devices discovered automatically.

Get Security Visibility Immediately


Get prioritized vulnerability and threat alarms within minutes of installation.

Respond to Issues Rapidly


Pinpoint who, what, when, where, and how in one console, with remediation guidance to act quickly.

AlienVault Unified Security Management™ (USM)

All your security data in one place

AlienVault USM™ provides an intrusion detection system (IDS) together with all of the essential security capabilities needed for complete security visibility, all in one easy-to-use console.

Deploy USM today and get answers to questions such as:

  • Unpatched software, insecure configurations, or other vulnerabilities?
  • Devices communicating with known malicious hosts?
  • Vulnerable assets under attack?
  • Active attack attempts or malware infections?

“AlienVault has been an indispensable tool in Marquette's move from a reactionary to a proactive security posture; security is so much about visibility - you can only cursorily protect what you can't see. AlienVault helped turn the lights on.”

Justin P. Webb, Security Analyst, IT Services
Marquette University

“AlienVault allows us to get a quick picture of everything going on in our environment… it would be hard for me to name a better product for security operations.”

Mike Ahrendt, Security Officer
Grand Rapids Community College

Trusted by thousands of customers.

