What is SIEM Use Case Management and what is it all about? 5 FAQs

What is a SIEM use case?

In the context of SIEM, a use case is an overall package of components that make it possible to identify a specific threat scenario. Typical components of a comprehensive use case include detailed documentation of the threat scenario, requirements for operational IT, detection mechanism, technical requirements for the SIEM, a description of the normalizations to be performed, and an association of the use case with covered compliance requirements.

It makes sense to additionally create a test case that can be used for ongoing validation of the use case functionality. The use of such tests is particularly useful in the case of operating system updates and to cover compliance requirements in order to ensure the continued functionality of the use case.

How do I select the appropriate use cases for my company?

One challenge in selecting appropriate use cases, especially initially, is the lack of an overview of potential threats that need to be identified. Therefore, it is advisable to rely on established frameworks when creating a comprehensive overview, in order to be able to enter the planning phase without spending large amounts of resources and yet with high quality. In this context, SECUINFRA recommends the use of frameworks that are both technical and practical.

Compliance frameworks are rather unsuitable as a guideline for the selection of concrete use cases, since they usually only formulate vague instructions and recommendations from which no concrete detection mechanisms can be derived. However, since compliance frameworks and requirements often have a high degree of importance in auditing, the identified use cases should then be assigned to the fulfilled requirements from compliance.

What are the most important frameworks for the development of SIEM use cases?

A number of different frameworks now exist that can be very helpful in identifying relevant threats. The following are the frameworks that have proven to be particularly suitable for deriving threats and use cases. These include, for example, MITRE’s ATT&CK framework, the Microsoft Security Monitoring Recommendations, the CIS (Center for Internet Security) Top 20, and OWASP (Open Web Application Security Project).

MITRE’s ATT&CK framework is the most comprehensive collection of system-related attack techniques freely available. The attack techniques are assigned to one or more tactics (categories) that correspond to the typical course of an attack and are strongly reminiscent of the killchain.

Each entry of the framework contains

– a description of the attack

– a list of APTs (Advanced Persistent Threats) that are known to use the technique

– recommendations to prevent the successful use of the technique, and

– methods of detection.

Since relevant frameworks are very comprehensive, it does not make sense to try to achieve complete coverage, especially in the course of implementing a SIEM system. Instead, it is advisable to skilfully diversify the use case selection to the areas of attacker behavior that are particularly clearly detectable and are frequently used. Please also read our TechTalk article: How MITRE ATT&CK can be used to select use cases for your SIEM Implementation

Which criteria are relevant for SIEM use case selection?

To evaluate potential use cases, at least the following criteria should be considered:

1. Potential impact if it occurs

• On the affected asset
• On the affected users
• On the affected organizational unit
• On the business processes

2. Probability of occurrence

• Frequency of occurrence in general
• Factoring by IT landscape (How vulnerable is my company to such an attack?)
• Probability of mitigation by existing security mechanisms

3. Quality of the detection mechanism

At a minimum, divided into the following quality levels:

• Detects specific tools that can exploit the technique
• Detects IoC that point to the technique
• Detects the technique itself

4. Estimated complexity of the use case

• Administrative effort (including customization of audit logs, installation of additional software, connection of new log sources, necessary firewall enabling)
• Process-related effort (e.g., adaptation of runbooks, consultation with works council and/or data protection officer, creation of new processes, etc.)
• Use case logic (e.g., technical complexity of the subject matter, number of data sources to be considered, use of storage mechanisms, need for new extractions, and need for further data enrichment)
• Visibility requirements (e.g. need to maintain user lists, classification of network segments as well as connection of further, secondary data sources)

5. Estimated probability of detection by the SIEM system in use

What is important for the development and implementation of SIEM use cases?

The development of use cases

The goal of the development should be to work out the optimal detection mechanism(s) to cover a threat, which seem feasible under the given conditions. If possible, the development of use cases should take place in a separate test environment, which should, however, be kept close to the productive environment in terms of its structure. A simple way to achieve this is to forward the events from the production instance or via the message streaming service to the test instance of the SIEM system. In order to create synergies between development and implementation, minimalistic documentation should already take place during the development phase.

This documentation should include at least the following items:

1. Affected log sources
2. Justification for the choice of approach
   – Informal description of possible detection approaches
   – Evaluation of the described detection approaches based on practical experience
   – Explanation of the decision making process-Description of the requirements for the log source
3. Description of requirements to the SIEM system
   – Normalization of events
   – Enrichment of events
   – Addition of own developments
4. Description of rule logic
5. Description of potential false positives and false negatives
6. Description of potential problems during implementation

Implementation of use cases

The goal of the implementation should be to port the finished detection approach into the productive SIEM system in such a way that it can be operated performantly and reliably. To this end, the peculiarities of the SIEM system and the IT landscape must be taken into account to a greater extent than in the development phase. The documentation of the implementation phase requires special care and meticulousness, as this document is often subject to review by external auditors.

At a minimum, it should include the following items, in addition to the information previously captured:

Implemented requirements for the SIEM

1. Normalization of events
– Type of normalization
– Technical description (regular expression, XPath or similar)
– Reason for deviation from development
2. Enrichment of events
– Description of the technical mechanism for enrichment
– Data source for enrichment
– Cycle for updating data
3. Addition of custom development
– Description of the added functionality
– Name and contact information of the developer
– Reference to the documentation of the custom development

Implemented rule logic

1. Deviations from the development/justification of these deviations
2. Adjustments in the course of rule tuning
– Description per adjustment occasion
3. Documentation of the test phase
– Duration of the test phase
– Number of rule triggers
– Interpretation of the test phase
4. Time of productive activation of the use case
– Acceptance by SOC management