www.paladion.net
SIEM Use Cases: 45 use cases for Security Monitoring
Paladion - SIEM Use Cases

Use Case: Description

DMZ Jumping: This rule will fire when connections appear to be bridged across the network's DMZ.

DMZ Reverse Tunnel: This rule will fire when connections appear to be bridged across the network's DMZ through a reverse tunnel.

Excessive Database Connections: Rule detects an excessive number of successful database connections.

Excessive Firewall Accepts Across Multiple Hosts: Reports excessive Firewall Accepts across multiple hosts. More than 100 events were detected across at least 100 unique destination IP addresses in 5 minutes.

Excessive Firewall Accepts From Multiple Sources to a Single Destination: Reports excessive Firewall Accepts to the same destination from at least 100 unique source IP addresses in 5 minutes.

Excessive Firewall Denies from Single Source: Reports excessive firewall denies from a single host. Detects more than 400 firewall deny attempts from a single source to a single destination within 5 minutes.

Long Duration Flow Involving a Remote Host: Reports a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections.

Long Duration ICMP Flows: Detection of ICMP packets between hosts that last a long time. This is rare and shouldn't ever occur.

Outbound Connection to a Foreign Country: Reports successful logins or access from an IP address known to be in a country that does not have remote access rights. Before you enable this rule, we recommend that you configure the Activelist: Countries with no Remote Access building block.

Potential Honeypot Access: Reports an event that was targeting or sourced from a honeypot or tarpit defined address. Before enabling this rule, you must configure the Activelist: Honeypot like addresses building block and create the appropriate sentry from the Network Surveillance interface.

Remote Access from Foreign Country: Reports successful logins or access from an IP address known to be in a country that does not have remote access rights. Before you enable this rule, we recommend that you configure the Activelist: Countries with no Remote Access building block.
Remote Inbound Communication from a Foreign Country: Reports traffic from an IP address known to be in a country that does not have remote access rights. Before you enable this rule, we recommend that you configure the Activelist: Countries with no Remote Access building block. SMTP and DNS have been removed from this test as you have little control over that activity. You may also have to remove web servers in the DMZ that are often probed by remote hosts with web scanners.

Single IP with Multiple MAC Addresses: This rule will fire when a single IP's MAC address changes multiple times over a period of time.

Systems using many different protocols: Local system connecting to the internet on more than 50 DST ports in one hour. Connections must be successful. This rule can be edited to also detect failed communications, which may also be useful.

Login Failures Followed By Success to the same Destination IP: Reports multiple login failures to a single host, followed by a successful login to the host.

Login Failures Followed By Success to the same Source IP: Reports multiple login failures to a single host, followed by a successful login to the host.

Login Failures Followed By Success to the same Username: Reports multiple login failures followed by a successful login from the same user.

Login Failure to Disabled Account: Reports a host login message from a disabled user account. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages from the same user.

Login Failure to Expired Account: Reports a host login failure message from an expired user account. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages.

Login Successful After Scan Attempt: Reports a successful login to a host after recon has been performed against the network.

Multiple Login Failures for Single Username: Reports authentication failures for the same username.
Multiple Login Failures from the Same Source: Reports authentication failures on the same source IP address more than three times, across more than three destination IP addresses within 10 minutes.

Multiple Login Failures to the Same Destination: Reports authentication failures on the same destination IP address more than ten times, from more than 10 source IP addresses within 10 minutes.

Multiple VIP Login Failures, No Activity for 60 Days: Reports multiple login failures to a VIP PBX. This account has not logged in for over 60 days.

Possible Shared Accounts: Detection of shared accounts. You will need to add additional false-positive system accounts to the "and NOT when the event username matches the following..." condition.

Repeat Non-Windows Login Failures: Reports when a source IP address causes an authentication failure event at least 7 times to a single destination within 5 minutes.

Repeat Windows Login Failures: Reports when a source IP address causes an authentication failure event at least 9 times to a single Windows host within 1 minute.

VPN Sneak Attack: Check from where remote users are connecting, and what they are accessing. VPN connection access can be misused to gain access to the intranet.

Anomalous Ports, Services and Unpatched Hosts or Network Devices: Unusual traffic is identified as a potential intrusion; no signatures are involved in the process, so it is more likely to detect new attacks for which signatures are yet to be developed.

Brute Force Attack: Check for attempts to gain access to a system by using multiple accounts with multiple passwords.

Privileged User Abuse: Monitor misuse of privileged access, such as admin or root access, to perform malicious activities.
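The threshold rules above (for example "Multiple Login Failures from the Same Source": more than 3 failures across more than 3 destination IPs within 10 minutes, and "Login Failures Followed By Success to the same Username") are the kind of sliding-window correlation a SIEM performs on the event stream. The following is an added illustration, not Paladion's or any SIEM product's code; the event records are constructed, and the failure count of 3 used for the failures-then-success rule is an assumption, since the page only says "multiple".

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample authentication events: (time, source_ip, dest_ip, user, outcome)
EVENTS = [
    ("2024-01-01 10:00:00", "10.0.0.5", "192.168.1.10", "alice", "fail"),
    ("2024-01-01 10:01:00", "10.0.0.5", "192.168.1.11", "alice", "fail"),
    ("2024-01-01 10:02:00", "10.0.0.5", "192.168.1.12", "alice", "fail"),
    ("2024-01-01 10:03:00", "10.0.0.5", "192.168.1.13", "alice", "fail"),
    ("2024-01-01 10:04:00", "10.0.0.5", "192.168.1.13", "alice", "success"),
    ("2024-01-01 10:30:00", "10.0.0.9", "192.168.1.10", "bob", "fail"),
    ("2024-01-01 10:31:00", "10.0.0.9", "192.168.1.10", "bob", "success"),
]

def parse(e):
    t, src, dst, user, outcome = e
    return datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), src, dst, user, outcome

def windowed_rule(events, key_fn, distinct_fn, min_events, min_distinct, window):
    """Fire once per key when MORE THAN min_events failures, spanning MORE THAN
    min_distinct distinct values, fall inside a sliding time window."""
    buckets, fired = {}, set()
    for t, src, dst, user, outcome in map(parse, events):
        if outcome != "fail":
            continue
        k = key_fn(src, dst, user)
        q = buckets.setdefault(k, deque())
        q.append((t, distinct_fn(src, dst, user)))
        while q and t - q[0][0] > window:   # drop events that aged out of the window
            q.popleft()
        if len(q) > min_events and len({d for _, d in q}) > min_distinct:
            fired.add(k)
    return fired

def failures_from_same_source(events):
    """'Multiple Login Failures from the Same Source': >3 failures from one source IP
    across >3 destination IPs within 10 minutes. Returns the source IPs that fired."""
    return windowed_rule(events, lambda s, d, u: s, lambda s, d, u: d, 3, 3,
                         timedelta(minutes=10))

def failures_then_success_by_user(events, min_failures=3):
    """'Login Failures Followed By Success to the same Username': a run of failures
    for a user ended by a success (min_failures is an assumed threshold)."""
    streak, fired = {}, set()
    for _, _, _, user, outcome in map(parse, events):
        if outcome == "fail":
            streak[user] = streak.get(user, 0) + 1
        else:
            if streak.get(user, 0) >= min_failures:
                fired.add(user)
            streak[user] = 0
    return fired
```

Only alice's source fires the first rule (bob's single failure neither exceeds the count nor spans enough destinations), and only alice fires the second, so the thresholds, not the mere presence of a failure, decide the alert.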
Advanced Use Cases

01 Unauthorized application access: Which systems have suspicious access/application activity? Are terminated accounts still being used? Which accounts are being used from suspicious locations?

02 High risk user access monitoring: Privileged user monitoring; Worm/malware propagation monitoring; Malware beacon monitoring; CnC access monitoring; CnC termination monitoring; Malware/worm propagation monitoring; Anti-virus status/infection trends

03 Hacker detection: Who is attacking me and where are they attacking from? Which of my internal systems are they attacking?

04 VPN Sneak Attack

05 Anomalous Ports, Services and Unpatched Hosts/Network Devices

06 Brute Force Attack

07 Privileged User Abuse
ABOUT PALADION
Paladion is a global cyber defense company that provides Managed Detection and Response Services, DevOps Security, Cyber Forensics, Incident Response, and more by tightly bundling its semi-autonomous cyber platform and managed services with leading security technologies. Paladion is consistently rated and recognized by independent analyst firms and awarded by CRN, Asian Banker, Red Herring, amongst others. For 17 years, Paladion has been actively managing cyber risk for over 700 customers from its six cyber operations centers placed across the globe. It houses 900+ cyber security professionals including security researchers, threat hunters, ethical hackers, incident responders, solution architects, consultants and more. Paladion is also actively involved in several information security research forums such as OWASP, and has authored several books on security monitoring, application security, and more.
WW Headquarters: 11480 Commerce Park Drive, Suite 210, Reston, VA 20191 USA. Ph: +1-844-507-7668
Bangalore: +91-80-42543444, Mumbai: +91-2233655151, Delhi: +91-9910301180, London: +44(0)2071487475, Dubai: +971-4-2595526, Sharjah: +971-50-8344863, Doha: +97433559018, Riyadh: +966(0)114725163, Muscat: +968 99383575, Kuala Lumpur: +60-3-7660-4988, Bangkok: +66 23093650-51, Jalan Kedoya Raya: +62-8111664399.
sales@paladion.net www.paladion.net