Making SIEM Use Cases

21.09.2020

While threats continue to evolve every day, modern businesses cannot remain passive and wait for attackers to exploit a vulnerability or disrupt their operations. Logsign experts recommend that businesses take a proactive approach to their cybersecurity. As a proactive measure, many of our clients have implemented the Logsign SIEM solution to get a single-point view of their organization’s security posture. In this article, we look at how to create a use case on the Logsign SIEM platform.

Demo Use Case

Let’s assume that you need to implement a custom use case for detecting failed login attempts. If rules and alerts for your use case already exist, our obvious suggestion is to modify them to fit your requirements. If you believe that customized alerts would be more useful, the procedure is outlined below.

Step 1: Asset & Behavior

For any use case, the first step is to define the behaviour that we would like to detect. Let’s call our behaviour “Failed Login Attempts.” Go to the Assets and Behaviour section and click on the New List button in the top-right corner.


Figure 1: Alerts & Behaviours

From the dropdowns, select the type and severity of the behaviour. Since we are looking at failed login attempts from an IP address, we select @@LogonFailure in the Query field and Source.IP in the Group Column and Value Column fields. We configured the behaviour to trigger whenever the value count exceeds 100 in the last 360 seconds.


Figure 2: Behaviour definition
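To make the behaviour definition concrete, here is an added Python example (not Logsign code, and not how the platform implements it internally) of the same logic: filter events on the @@LogonFailure query, group them by Source.IP, keep a sliding 360-second window per address, and trigger when the count in that window exceeds 100. The event dicts and the three IP addresses are constructed sample data for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Behaviour parameters taken from the article: group on Source.IP, count
# @@LogonFailure events, trigger when the count exceeds 100 within 360 seconds.
QUERY = "@@LogonFailure"
GROUP_COLUMN = "Source.IP"
THRESHOLD = 100
WINDOW_SECONDS = 360


def build_sample_events():
    """Constructed sample events (not real Logsign data) as flat dicts."""
    base = datetime(2020, 9, 21, 10, 0, 0)
    events = []
    # 120 failures from one address, one every 2 seconds: 101 of them fall
    # inside a 360-second window, so this address should trigger once.
    for i in range(120):
        events.append({"ts": base + timedelta(seconds=2 * i),
                       "query": QUERY, "Source.IP": "10.0.0.5"})
    # 50 failures from another address, one every 36 seconds: at most
    # 11 fall inside any 360-second window, so this address stays quiet.
    for i in range(50):
        events.append({"ts": base + timedelta(seconds=36 * i),
                       "query": QUERY, "Source.IP": "10.0.0.9"})
    # Successful logons from a third address are excluded by the query filter.
    for i in range(200):
        events.append({"ts": base + timedelta(seconds=i),
                       "query": "@@LogonSuccess", "Source.IP": "10.0.0.7"})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_behaviour(events, query=QUERY, group_column=GROUP_COLUMN,
                     threshold=THRESHOLD, window_seconds=WINDOW_SECONDS):
    """Sliding-window count per group value.

    Returns a list of (group value, trigger timestamp, count) tuples, one per
    trigger. After a trigger the window for that group is cleared so that one
    burst produces one behaviour entry rather than one per additional event.
    """
    span = timedelta(seconds=window_seconds)
    windows = defaultdict(deque)   # group value -> timestamps inside the window
    triggered = []
    for event in events:           # events must be in timestamp order
        if event["query"] != query:
            continue
        key = event[group_column]
        window = windows[key]
        window.append(event["ts"])
        # Drop timestamps older than the window relative to the newest event.
        while window and event["ts"] - window[0] > span:
            window.popleft()
        if len(window) > threshold:
            triggered.append((key, event["ts"], len(window)))
            window.clear()
    return triggered


def run_demo():
    """Apply the behaviour to the constructed events and return the triggers."""
    return detect_behaviour(build_sample_events())


if __name__ == "__main__":
    for ip, when, count in run_demo():
        print(f"Failed Login Attempts: {ip} reached {count} failures at {when:%H:%M:%S}")
```

The window is evaluated relative to the newest event of each address, so a slow trickle of failures (the second address) never accumulates, while a burst crosses the threshold on its 101st event. Lowering the threshold or widening the window in the call to `detect_behaviour` shows how the same data produces more or fewer entries, which is the trade-off you make on the behaviour form.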

Step 2: Alerts & Categories

In this second step, we will create an alert and, if required, a category.


Figure 3: Categories on Logsign SIEM

If the alert for your use case fits into an existing category, you can skip the rest of this paragraph. If not, click on the New Category button in the top-right corner of your screen. A pop-up appears asking for a category name and identifier. Enter the required details and click on the Save button.


Figure 4: New Category button in the top-right corner


Figure 5: Creating a new category

Now, click on the New Alert Rule button (check Figure 4) to create a new alert. There are three tabs here:

  1. Definition
  2. Rule Set
  3. Action and Notification


Figure 6: Creating a new alert

For the Definition tab, enter the description, category, severity, and tags for your alert. For this article, we have named the alert “Failed Login Attempt” and selected the category that we created earlier: “Brute Force Demo.” Depending on your business’ risk assessment, select the severity and add tags, if relevant.

The Rule Set tab determines how effectively your use case works, because its conditions decide which events fire the alert. For this alert, we selected DataType, EventMap.SubType, and List.Name.


Figure 7: Rule Set tab

The Action and Notification tab lets you configure what happens when the rule conditions are satisfied. You can select all the users to whom email and SMS alerts should be sent. Here, you have three options for the email template: Basic, Advanced, and Custom. Once done, click on the Save button.


Figure 8: Action and Notification tab
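The Rule Set and Action and Notification tabs together define "which events, and then what". The following added Python example (not Logsign code, and not how the product evaluates rules internally) models both: a rule set as AND-ed conditions on the three fields the article selects (DataType, EventMap.SubType, List.Name), resolved through dotted field names on a nested event, and a notification built from the Definition tab's name, category, severity and tags. The field values, list name, severity, and recipient addresses are assumptions for the example, and the two events are constructed.

```python
from typing import Any, Optional

# Alert rule mirroring the article's three tabs. The field names DataType,
# EventMap.SubType and List.Name are the ones selected on the Rule Set tab;
# the values, severity, tags and recipients are assumed for this example.
FAILED_LOGIN_ALERT = {
    "definition": {
        "name": "Failed Login Attempt",
        "category": "Brute Force Demo",
        "severity": "high",            # assumed; choose per your risk assessment
        "tags": ["brute-force", "demo"],
    },
    "rule_set": [
        ("DataType", "Behaviour"),              # assumed value
        ("EventMap.SubType", "LogonFailure"),   # assumed value
        ("List.Name", "Failed Login Attempts"), # the behaviour list from Step 1
    ],
    "notification": {
        "email": ["soc@example.com"],   # placeholder recipients
        "sms": ["+10000000000"],
        "template": "Basic",            # one of Basic, Advanced, Custom
    },
}


def get_field(event: dict, dotted_path: str) -> Any:
    """Resolve a dotted field name such as 'EventMap.SubType' in a nested event."""
    current: Any = event
    for part in dotted_path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def rule_set_matches(event: dict, rule_set) -> bool:
    """Every condition on the Rule Set tab must hold (logical AND)."""
    return all(get_field(event, field) == expected for field, expected in rule_set)


def evaluate_alert(event: dict, alert: dict = FAILED_LOGIN_ALERT) -> Optional[dict]:
    """Return the notification to send if the event satisfies the rule set, else None."""
    if not rule_set_matches(event, alert["rule_set"]):
        return None
    definition, notify = alert["definition"], alert["notification"]
    source_ip = get_field(event, "Source.IP")
    count = get_field(event, "Count")
    subject = f"[{definition['severity'].upper()}] {definition['name']}: {source_ip}"
    body = (f"Category: {definition['category']}\n"
            f"Tags: {', '.join(definition['tags'])}\n"
            f"Source.IP {source_ip} produced {count} failed logins "
            f"(list {get_field(event, 'List.Name')}).")
    return {
        "subject": subject,
        "body": body,
        "email_to": list(notify["email"]),
        "sms_to": list(notify["sms"]),
        "template": notify["template"],
    }


# Constructed inputs. The first is the kind of entry the behaviour from Step 1
# writes to its list; the second is a single raw logon failure, which must not
# fire the alert on its own because its DataType and List.Name differ.
BEHAVIOUR_ENTRY = {
    "DataType": "Behaviour",
    "EventMap": {"SubType": "LogonFailure"},
    "List": {"Name": "Failed Login Attempts"},
    "Source": {"IP": "10.0.0.5"},
    "Count": 101,
}
RAW_LOGON_FAILURE = {
    "DataType": "Log",
    "EventMap": {"SubType": "LogonFailure"},
    "Source": {"IP": "10.0.0.9"},
}

if __name__ == "__main__":
    for name, ev in (("behaviour entry", BEHAVIOUR_ENTRY), ("raw failure", RAW_LOGON_FAILURE)):
        print(name, "->", evaluate_alert(ev))
```

Matching on List.Name is what keeps the alert tied to the aggregated behaviour rather than to every individual logon failure; without that condition the rule would page the SOC on each failed attempt, which is the noise the behaviour threshold was introduced to avoid.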

Step 3: Reports & Analysis

Now, we will first create a report block and then add a report to it. Go to the Reports section and click on the New Report Block button in the top-right corner. Enter the name and identifier for your report block and click on the Save button.

To create a new report, click on the Create a Report button. You should see an interface like the one shown in Figure 9. Depending on how you want the data visualized, you can configure various reporting features. For example, we have selected the same query and the same Source.IP option in the Grouped Column dropdown. You can also add relevant tags and select laws to demonstrate compliance with legal requirements, whether local or international. Click on the Save button to save your report.


Figure 9: Creating a new report

That is all.

As soon as you click on the Save button, you will see the results as per your report configuration.


Figure 10: Results

Here, you can use the various search filters available, as well as perform Time Analysis and Group Analysis.

Figure 11: Time Analysis

Figure 12: Group Analysis

Results can be exported in PDF, Excel, and HTML. We have exported the report in PDF.


Figure 13: Exporting the report

We hope that this article is useful. Have you been able to implement your business-specific use cases? If not, get in touch with our Support team today!