SIEM Use Cases 45 use cases for Security Monitoring


www.paladion.net

Paladion - SIEM Use Cases

Use Case: Description

DMZ Jumping: This rule fires when connections appear to be bridged across the network's DMZ.
DMZ Reverse Tunnel: This rule fires when connections appear to be bridged across the network's DMZ through a reverse tunnel.
Excessive Database Connections: Detects an excessive number of successful database connections.
Excessive Firewall Accepts Across Multiple Hosts: Reports excessive firewall accepts across multiple hosts: more than 100 events detected across at least 100 unique destination IP addresses in 5 minutes.
Excessive Firewall Accepts From Multiple Sources to a Single Destination: Reports excessive firewall accepts to the same destination from at least 100 unique source IP addresses in 5 minutes.
Excessive Firewall Denies from Single Source: Reports excessive firewall denies from a single host: more than 400 firewall deny attempts from a single source to a single destination within 5 minutes.
Long Duration Flow Involving a Remote Host: Reports a flow to or from the Internet with a sustained duration of more than 48 hours. This is not typical behaviour for most applications; we recommend that you investigate the host for potential malware infection.
Long Duration ICMP Flows: Detects ICMP flows between hosts that last a long time. This is rare and should not normally occur.
Outbound Connection to a Foreign Country: Reports successful outbound connections to an IP address known to be in a country that does not have remote access rights. Before you enable this rule, we recommend that you configure the Activelist: Countries with no Remote Access building block.
Potential Honeypot Access: Reports an event that targeted, or was sourced from, a honeypot or tarpit address. Before enabling this rule, you must configure the Activelist: Honeypot-like addresses building block and create the appropriate sentry from the Network Surveillance interface.
Remote Access from Foreign Country: Reports successful logins or access from an IP address known to be in a country that does not have remote access rights. Before you enable this rule, we recommend that you configure the Activelist: Countries with no Remote Access building block.

Remote Inbound Communication from a Foreign Country: Reports traffic from an IP address known to be in a country that does not have remote access rights. Before you enable this rule, we recommend that you configure the Activelist: Countries with no Remote Access building block. SMTP and DNS have been removed from this test because you have little control over that activity. You may also have to exclude web servers in the DMZ, which are often probed by remote hosts with web scanners.
Single IP with Multiple MAC Addresses: This rule fires when the MAC address associated with a single IP address changes multiple times over a period of time.
Systems Using Many Different Protocols: A local system connecting to the Internet on more than 50 destination ports in one hour. Connections must be successful; the rule can be edited to also detect failed connections, which may also be useful.
Login Failures Followed By Success to the same Destination IP: Reports multiple login failures to a single host, followed by a successful login to that host.
Login Failures Followed By Success to the same Source IP: Reports multiple login failures from a single source IP address, followed by a successful login from that same source.
Login Failures Followed By Success to the same Username: Reports multiple login failures followed by a successful login for the same username.
Login Failure to Disabled Account: Reports a host login message for a disabled user account. If the user is no longer a member of the organization, we recommend that you investigate any other authentication messages received for the same user.
Login Failure to Expired Account: Reports a host login failure message for an expired user account. If the user is no longer a member of the organization, we recommend that you investigate any other authentication messages received for the same user.
Login Successful After Scan Attempt: Reports a successful login to a host after reconnaissance has been performed against the network.
Multiple Login Failures for Single Username: Reports repeated authentication failures for the same username.

Multiple Login Failures from the Same Source: Reports authentication failures from the same source IP address more than three times, across more than three destination IP addresses, within 10 minutes.
Multiple Login Failures to the Same Destination: Reports authentication failures on the same destination IP address more than ten times, from more than 10 source IP addresses, within 10 minutes.
Multiple VIP Login Failures: Reports multiple login failures to a VIP PBX.
No Activity for 60 Days: Reports an account that has not logged in for over 60 days.
Possible Shared Accounts: Detection of shared accounts. You will need to add known system and service accounts as false-positive exclusions in the rule test "and NOT when the event username matches the following ...".
Repeat Non-Windows Login Failures: Reports when a source IP address causes at least 7 authentication failure events to a single destination within 5 minutes.
Repeat Windows Login Failures: Reports when a source IP address causes at least 9 authentication failure events to a single Windows host within 1 minute.
VPN Sneak Attack: Check where remote users are connecting from and what they are accessing. VPN access can be misused to gain access to the intranet.
Anomalous Ports, Services and Unpatched Hosts or Network Devices: Unusual traffic is identified as a potential intrusion. No signatures are involved in the process, so it is more likely to detect new attacks for which signatures have not yet been developed.
Brute Force Attack: Check for attempts to gain access to a system by trying multiple accounts with multiple passwords.
Privileged User Abuse: Monitor misuse of privileged access, such as admin or root, to perform malicious activities.
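Most of the rules on pages 02 through 04 are the same shape: count events sharing a key inside a sliding time window, optionally require a minimum number of distinct values of some field, and fire once the page's threshold is crossed. The following is an added example of that correlation logic run over constructed events; it is not Paladion's rule engine nor any SIEM's built-in rule. The event schema (dicts with ts/type/action/outcome/src/dst/user), the function names, the timestamps and the SAMPLE events are assumptions made for the demonstration; the thresholds are the ones the use-case descriptions state, and in practice they are starting points to tune per environment. The same `window_hits` helper also serves the "Systems Using Many Different Protocols" rule (key on source, distinct field = destination port, window = one hour).

```python
"""Sliding-window correlation for the threshold rules above (added example).

Not Paladion's or any SIEM's code. Event schema, rule function names,
timestamps and SAMPLE events are constructed for the demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FIVE_MIN = timedelta(minutes=5)
TEN_MIN = timedelta(minutes=10)


def window_hits(events, key, window, min_count, min_distinct=None, distinct_field=None):
    """Group events by key(e), slide `window` over each group and fire when at
    least min_count events (and, if asked, min_distinct distinct values of
    distinct_field) are inside it. Returns (key, window_start, count) per alert.
    The window is reset after an alert so one burst yields one alert, not one
    alert per event past the threshold."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        groups[key(e)].append(e)
    alerts = []
    for k, group in groups.items():
        win = deque()
        for e in group:
            win.append(e)
            while win[0]["ts"] < e["ts"] - window:   # expire events older than the window
                win.popleft()
            distinct_ok = (distinct_field is None or
                           len({x[distinct_field] for x in win}) >= min_distinct)
            if len(win) >= min_count and distinct_ok:
                alerts.append((k, win[0]["ts"], len(win)))
                win.clear()
    return alerts


def excessive_firewall_denies(events):
    """More than 400 denies from one source to one destination within 5 minutes."""
    denies = [e for e in events if e["type"] == "fw" and e["action"] == "deny"]
    return window_hits(denies, lambda e: (e["src"], e["dst"]), FIVE_MIN, min_count=401)


def excessive_accepts_across_hosts(events):
    """More than 100 accepts across at least 100 unique destinations within 5 minutes."""
    accepts = [e for e in events if e["type"] == "fw" and e["action"] == "accept"]
    return window_hits(accepts, lambda e: "any", FIVE_MIN, min_count=101,
                       min_distinct=100, distinct_field="dst")


def failures_from_same_source(events):
    """More than 3 auth failures from one source across more than 3 destinations in 10 minutes."""
    fails = [e for e in events if e["type"] == "auth" and e["outcome"] == "fail"]
    return window_hits(fails, lambda e: e["src"], TEN_MIN, min_count=4,
                       min_distinct=4, distinct_field="dst")


def failures_then_success(events, field="user", min_failures=5, window=TEN_MIN):
    """Failures followed by a success for the same `field` value (user, src or
    dst): the three 'Login Failures Followed By Success' rules in one function."""
    recent = defaultdict(deque)            # field value -> timestamps of recent failures
    alerts = []
    for e in sorted((ev for ev in events if ev["type"] == "auth"), key=lambda ev: ev["ts"]):
        q = recent[e[field]]
        while q and q[0] < e["ts"] - window:
            q.popleft()
        if e["outcome"] == "fail":
            q.append(e["ts"])
        elif len(q) >= min_failures:       # a success after enough recent failures
            alerts.append((e[field], e["ts"], len(q)))
            q.clear()
    return alerts


def ts_at(minute, second=0):
    """Constructed timestamps, all on one day at 10:MM:SS."""
    return datetime(2024, 1, 1, 10, minute, second)


def fw(ts, action, src, dst):
    return {"ts": ts, "type": "fw", "action": action, "src": src, "dst": dst}


def auth(ts, outcome, src, dst, user):
    return {"ts": ts, "type": "auth", "outcome": outcome, "src": src, "dst": dst, "user": user}


# Constructed sample: a deny burst, a host sweep, a spray across hosts, a brute
# force that eventually succeeds, and a benign user who mistypes twice.
SAMPLE = (
    [fw(ts_at(0) + timedelta(seconds=i / 2), "deny", "10.0.0.5", "10.0.0.9") for i in range(450)]
    + [fw(ts_at(5) + timedelta(seconds=i), "accept", "10.0.0.7", f"10.1.0.{i}") for i in range(120)]
    + [auth(ts_at(8, 10 * i), "fail", "10.0.0.8", f"10.2.0.{i}", "svc") for i in range(5)]
    + [auth(ts_at(9, 5 * i), "fail", "10.0.0.8", "10.3.0.1", "alice") for i in range(6)]
    + [auth(ts_at(9, 40), "success", "10.0.0.8", "10.3.0.1", "alice")]
    + [auth(ts_at(9, 50), "fail", "10.0.0.20", "10.3.0.1", "bob"),
       auth(ts_at(9, 55), "fail", "10.0.0.20", "10.3.0.1", "bob"),
       auth(ts_at(10, 0), "success", "10.0.0.20", "10.3.0.1", "bob")]
)


def run_all(events):
    return {
        "Excessive Firewall Denies from Single Source": excessive_firewall_denies(events),
        "Excessive Firewall Accepts Across Multiple Hosts": excessive_accepts_across_hosts(events),
        "Multiple Login Failures from the Same Source": failures_from_same_source(events),
        "Login Failures Followed By Success to the same Username": failures_then_success(events),
    }


if __name__ == "__main__":
    for rule, hits in run_all(SAMPLE).items():
        print(f"{rule}: {hits}")
```

Two design points worth noting. First, the window is cleared after each alert: without that, a 450-event deny burst would raise 50 alerts, one for every event after the 401st, which is the noise that makes analysts mute a rule. Second, `failures_then_success` is keyed on a caller-chosen field, so the same code covers the destination-IP, source-IP and username variants; bob's two failures followed by a success stay below the threshold and produce nothing, while alice's six do fire.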

Advanced Use Cases

01 Unauthorized application access: Which systems have suspicious access/application activity? Are terminated accounts still being used? Which accounts are being used from suspicious locations?
02 High risk user access monitoring: Privileged user monitoring; Worm/malware propagation monitoring; Malware beacon monitoring; CnC access monitoring; CnC termination monitoring; Malware/worm propagation monitoring; Anti-virus status/infection trends.
03 Hacker detection: Who is attacking me and where are they attacking from? Which of my internal systems are they attacking?
04 VPN Sneak Attack
05 Anomalous Ports, Services and Unpatched Hosts/Network Devices
06 Brute Force Attack
07 Privileged User Abuse

ABOUT PALADION Paladion is a global cyber defense company that provides Managed Detection and Response Services, DevOps Security, Cyber Forensics, Incident Response, and more by tightly bundling its semi-autonomous cyber platform and managed services with leading security technologies. Paladion is consistently rated and recognized by independent analyst firms and awarded by CRN, Asian Banker, Red Herring, amongst others. For 17 years, Paladion has been actively managing cyber risk for over 700 customers from its six cyber operations centers placed across the globe. It houses 900+ cyber security professionals including security researchers, threat hunters, ethical hackers, incident responders, solution architects, consultants and more. Paladion is also actively involved in several information security research forums such as OWASP, and has authored several books on security monitoring, application security, and more. WW Headquarters: 11480 Commerce Park Drive, Suite 210, Reston, VA 20191 USA. Ph: +1-844-507-7668 Bangalore: +91-80-42543444, Mumbai: +91-2233655151, Delhi: +91-9910301180, London: +44(0)2071487475, Dubai: +971-4-2595526, Sharjah: +971-50-8344863, Doha: +97433559018, Riyadh: +966(0)114725163, Muscat: +968 99383575, Kuala Lumpur: +60-3-7660-4988, Bangkok: +66 23093650-51, Jalan Kedoya Raya: +62-8111664399. sales@paladion.net www.paladion.net