Skip to content ↓ | Skip to navigation ↓

If you are reading this article, you are probably aware that Security Incident and Event Management solutions, or SIEMs, are powerful systems that allow IT professionals to gather and analyze activity in a company’s infrastructure through the collection and correlation of logs.

Though SIEM solutions have a significant amount of built-in content in the form of alerts, rules, reports and dashboards, a successful implementation requires custom, adapted content in order to properly fit a given environment.

The means for facilitating this involves the creation of a strong use case development process – the points below are intended to serve as a framework for use case creation around the following core concepts.

The Big 3 for SIEMs

SIEMs, as their name implies, are more commonly associated with security events. However, these systems can be utilized in responding to a broad range of activity beyond the scope of IT security. Most use cases fall into one of three major categories: Security, Operations and Compliance.


  • Malware – Malware has become an unavoidable evil that every environment will interact with at some point. Luckily, enterprise antivirus solutions have comprehensive logging capability and, when integrated with the SIEM, allow incident response to be efficient and effective.

It is generally best to have multiple rules that target differing levels of malicious activity based on what warrants the fastest response. A Trojan detected and blocked on a single workstation may be less of a priority than five occurrences of the same malware detected across multiple hosts.

This information can be easily correlated to other potential indicators of compromise, such as web requests to malicious sites, to help determine if a host has in-fact been compromised.

  • Network Intrusions – Network Intrusion activity can be one of the more difficult risks to respond to, and generally requires the integration of expensive network appliances that analyze inbound and outbound traffic for known malicious signatures (IDS/IPS).

Many intrusions rely on an internal endpoint existing within a network to reach out and download some type of malicious data. More targeted attacks may initiate directly from a remote source to publicly facing systems in hopes to exploit vulnerabilities by bypassing authentication and running malicious code.

Breaking these two methods of attack up and correlating other events can narrow down the scope to what warrants response and what is just noise. Correlating web requests to suspicious websites with attack signature events during similar time frames may help indicate a passive threat that should be considered for blocking at the web gateway or firewall.

Multiple detections from a single source to a DMZ node may indicate a specific attacker that may present an ongoing threat. Anomalous activity occurring shortly after an exploit attempt, such as a scan initiated be the impacted node, a large file transfer, or an authentication event, can be a clear indication of a breach that likely requires immediate response.


  • Outages – Security incidents certainly get the media’s attention and are often considered very severe but many overlook the severity of an operation outage. On a given day, it is more likely that a server or service will shut down unexpectedly than the network be breached by a hacker, making it a very real threat if the wrong system goes down.

A popular example would be if a web server for a retail company went down, preventing customers from making orders. Downtime is proportional to money lost, so it is always a good idea to have some form of availability monitoring on critical systems.

Alerting and responding to these outages quickly can mean the difference between a pat on the back or an updated resume. For SIEMs that may not have a good monitoring component, simply alerting on instances where logs have gone fifteen minutes without being received from a specific nodes is a good alternative.

  • Performance – Along with monitoring outages, it is also important to track the performance of critical nodes.Many outages occur due to maximum utilization of resources, such as disk space, CPU and memory.

Noticing high utilization issues before they become a serious problem is generally the ideal approach. It can be difficult to explain why no one noticed that a network share had been above 95 percent utilization for weeks prior to it maxing out and corrupting the volume.

Generally, alerting on hard drive space reaching a threshold between 85-95 percent, and memory or CPU running at over 90 percent for an extended time frame is wise, but it is important to prioritize alerting based on the priority of the node being monitored to prevent an incident response team from being flooded with alerts.


  • Log Collection – Compliance has quickly become one of the most painful headaches for IT Administrators over the past few years. Compliance audits can be a nightmare if caught unprepared but luckily, SIEM vendors have made huge strides to make it easier to monitor and maintain compliance for most major standards, including PCI, ISO, HIPAA and more.

There are many use cases that could be mentioned related to this concept, but this is actually one of the only areas we do not need to think of content on our own. Industry standard guidelines are generally well documented, so the “use cases” are basically given to you.

Though most of the work may be done for us, it is critical to confirm that data is being collected and retained for all in-scope nodes. Alerting on log source failures and inactivity can often be overlooked, but can easily be the reason for a failed audit.

SIEM solutions and use cases are critical components within an organization’s security environment and operations that allow organizations to become consumers of more intelligent security alerts, anomalies, and better detection of possible threats. I hope that this article provides value and insight during your endeavor to build and optimize your security environment.

Learn how to reduce the workload and costs associated with traditional SIEMs and security analytics solutions, here.


mason venslandAbout the Author: Mason Vensland graduated from Old Dominion University with a degree in Criminal Justice and Computer Science. He began his IT career working in Systems Administration and Support, then transitioned to Information Security in 2014. He moved from Virginia to Florida to join ReliaQuest in 2015 with a background in Security Operations and Digital Forensics.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

10 Ways Tripwire Outperforms Other Cybersecurity Solutions
  • Yuri

    As per 28-Mar-2017 there are 3 vendor-hosted use case appstores (ArcSight, QRadar, Splunk). Majority of cases are free and thus low-to-medium qualify and rarely well-supported. That is why security vendor SOC Prime created own Use Case Library.
    These and other tasks are covered for 3 listed SIEMs:
    1. Detection of Advanced Persistent Threats.
    2. Detection of Bute force attempts of password cracking. Even slow mode is covered.
    3. Measures metrics of gathered information (correctness of logs acquisition, parsing quality, etc).
    4. Detects usage of TOR network by your users. Often used by infeted hosts to communicate with Command Centers, send stolen information, etc.
    5. Finds DNS Misconfigurations and anomalies in corporate network (including data tunneling, non-corporate DNS-usage, etc).
    6. Detects usage of dumped-from-the-RAM honeyCredentials. Gives advice of securing them.
    7. Database of known Mirai infected hosts
    8. Network anomalies detection, bases on NETFLOW protocol data.
    9. Detects plain-text passwords in authentication logs (usually, caused by entering password into login field by user)
    10. Shows possibly infected by ransomware hosts in your network
    11. Reads SAP logs. Provides analysis and visualization of SAP standard security audit events
    12. Keep up with all the information about SSL certificates on your organization’s perimeter. Powered by Qualys SSL Labs API usage.
    13. VPN usage visualization. User profiling and deviation detection.
    14. Visualization of Microsoft Windows and Active Directory basic security events, performs statistical analysis and profiling of basic security events and detects abnormal deviations from the norm.

<!-- -->