Security Information and Event Management (SIEM) is the foundation of a Security Operations Center (SOC), because it serves several purposes at once. A SIEM delivers actionable alerts with the context and data an analyst needs to investigate a potential incident, and it surfaces unusual behavior so that activity never seen before can still be detected.
A SIEM also organizes the timeline, the systems involved, and the affected users to establish context around a new finding, and it identifies anomalies in IT systems through correlation and behavioral analytics.
While a SIEM serves a variety of purposes, it works even better with automation, which makes operations more efficient and reduces overall risk. Artificial intelligence (AI) and machine learning (ML) can help triage alerts, prioritize them, and handle a large share of the workload automatically on top of the rules and use cases. Machine learning methods can also detect anomalous and malicious behavior such as data staging, infected hosts, or account misuse.
Correlation Rules
A correlation rule consists of a condition (or set of conditions) applied to the generated logs; it determines which sequences of log events could indicate an anomaly, and therefore a possible compromise or cyber-attack. The rule triggers an alert when something outside of what is defined as normal is identified. Correlation rules do exactly what a human has written them to do, no more and no less; consequently, they can also fire on honest mistakes, simple user errors, or technical glitches. Properly developed correlation rules, however, filter out the noise of trivial logs and pick out the sequences of events that are likely indications of an attack. An example of a correlation rule could be:
Warn administrators if five failed login attempts with different usernames are made from the same IP address to the same machine within fifteen minutes, and that burst is followed by a successful login from the same IP address to any machine inside the network.
Such a sequence could indicate that an attacker is brute-forcing (or password-spraying) an authentication vector and then succeeds in authenticating to the network. The successful login is what distinguishes a failed attempt from an actual intrusion, whether as initial access or as lateral movement to another host.
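To make the rule above concrete, here is an added example (not code from the original page or from any SIEM vendor) that implements it over a handful of constructed, syslog-like authentication events. Two details the rule text leaves open are filled in as assumptions: the successful login has to arrive within the same fifteen-minute window after the threshold was reached, and the log format is a timestamp followed by key=value fields.

```python
"""Correlation rule: N failed logins with distinct usernames from one source IP
to one host within a window, followed by a successful login from that IP to
any host. Constructed example; the log format and the 15-minute follow-up
window are assumptions, not part of the original rule text."""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                  # distinct usernames that must fail
WINDOW = timedelta(minutes=15)  # sliding window for failures and for the follow-up success

# Constructed sample log lines: "<ISO timestamp> host=... src=... user=... result=fail|success".
SAMPLE_LOGS = """\
2024-05-01T10:00:01 host=web01 src=203.0.113.7 user=admin result=fail
2024-05-01T10:01:10 host=web01 src=203.0.113.7 user=root result=fail
2024-05-01T10:02:30 host=web01 src=203.0.113.7 user=backup result=fail
2024-05-01T10:03:45 host=web01 src=203.0.113.7 user=oracle result=fail
2024-05-01T10:04:00 host=web01 src=198.51.100.9 user=alice result=fail
2024-05-01T10:05:12 host=web01 src=203.0.113.7 user=svc_deploy result=fail
2024-05-01T10:09:00 host=db02 src=203.0.113.7 user=svc_deploy result=success
2024-05-01T11:00:00 host=web01 src=198.51.100.9 user=alice result=success
"""


def parse(line):
    """Turn one log line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def correlate(lines, threshold=THRESHOLD, window=WINDOW):
    """Run the rule over log lines and return the alerts it raises."""
    failures = defaultdict(list)  # (src, host) -> [(ts, username), ...] inside the window
    armed = {}                    # src -> (ts threshold reached, host, usernames tried)
    alerts = []
    for rec in sorted(map(parse, lines), key=lambda r: r["ts"]):
        key = (rec["src"], rec["host"])
        if rec["result"] == "fail":
            # keep only failures that are still inside the sliding window
            bucket = failures[key] + [(rec["ts"], rec["user"])]
            failures[key] = [(t, u) for t, u in bucket if rec["ts"] - t <= window]
            users = {u for _, u in failures[key]}
            if len(users) >= threshold:
                # the first half of the rule matched: wait for a success from this src
                armed[rec["src"]] = (rec["ts"], rec["host"], users)
        elif rec["result"] == "success":
            state = armed.get(rec["src"])
            if state and rec["ts"] - state[0] <= window:
                reached_at, failed_host, users = state
                alerts.append({
                    "src": rec["src"],
                    "brute_forced_host": failed_host,
                    "login_host": rec["host"],      # may differ: "any machine inside the network"
                    "user": rec["user"],
                    "usernames_tried": sorted(users),
                })
                del armed[rec["src"]]  # one alert per burst, not per subsequent login
    return alerts


def run_sample():
    """Apply the rule to the constructed sample; expected: one alert for 203.0.113.7."""
    return correlate(SAMPLE_LOGS.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Note that the single failure from 198.51.100.9 followed by alice's successful login an hour later produces nothing: a lone typo-and-retry is exactly the kind of honest mistake the rule must tolerate, and it is the threshold plus the follow-up success within the window, not any single failed login, that triggers the alert.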
SIEM Use Cases
A use case is a list of actions or event steps, typically defining the interactions between a role and a system to achieve a goal. A SIEM use case is a number of rules put together to accomplish one such goal. SIEM use cases come in handy for threat hunting: they search security data for patterns similar to a current or previous security incident, or for signatures of known attacks, to answer the question "has this happened before?"
SIEM use cases make sense of large volumes of data by examining log data for patterns and identifying those that could indicate a cyber-attack, then correlating event information across devices to detect potentially anomalous activity, and finally issuing alerts accordingly.
SIEM use cases also serve regulatory compliance and audit requirements, and they are practical for monitoring day-to-day operational activity, such as data usage by specific applications or inbound and outbound data volumes.
Furthermore, SIEM use cases monitor connection activity to build an overview of network connections by status, origin, and direction: whether a connection was allowed or denied, the hostnames and countries of source and destination, and whether it was inbound or outbound.
SIEM use cases are implemented to monitor authentication activity with added context, such as logins to critical systems and failed login attempts beyond a given limit. To manage resource and system access privileges, use cases also monitor user account creation, deletion, and other user account activity.
SIEM use cases are valuable in detecting threat-related activity, such as indicators of compromise, malware infections, and vulnerable systems.
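The account-monitoring use case above is a good illustration of how a use case differs from a single rule: several small rules, each trivial on its own, are chained into one goal. The following is an added example (not code from the original page) that composes three one-line rules into a "temporary privileged account" use case: an account is created, added to a privileged group, and deleted again within an hour, a pattern an attacker uses to do privileged work and then remove the evidence. The Windows Security event IDs 4720 (account created), 4732 (member added to a security-enabled local group) and 4726 (account deleted) are real; the flattened field names, the one-hour window and the list of privileged groups are assumptions made for the example, and the events are constructed.

```python
"""Use case built from three simple rules: account created -> added to a
privileged group -> deleted, all within one window. Constructed example;
event IDs 4720/4732/4726 are real Windows Security events, but the field
names are simplified assumptions and the sample events are made up."""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)                                   # assumption
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}  # assumption

# Constructed sample events (flattened): who did it (subject), to which account (target).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T22:00:00", "event_id": 4720, "subject": "jdoe", "target": "svc_tmp", "group": None},
    {"ts": "2024-05-01T22:00:30", "event_id": 4732, "subject": "jdoe", "target": "svc_tmp", "group": "Administrators"},
    {"ts": "2024-05-01T22:41:00", "event_id": 4726, "subject": "jdoe", "target": "svc_tmp", "group": None},
    # a normal onboarding: created and added to an ordinary group, never deleted
    {"ts": "2024-05-02T09:00:00", "event_id": 4720, "subject": "helpdesk", "target": "newhire", "group": None},
    {"ts": "2024-05-02T09:05:00", "event_id": 4732, "subject": "helpdesk", "target": "newhire", "group": "Domain Users"},
]


# --- individual rules: each is a predicate over a single event ---
def rule_account_created(e):
    return e["event_id"] == 4720


def rule_privileged_group_add(e):
    return e["event_id"] == 4732 and e["group"] in PRIVILEGED_GROUPS


def rule_account_deleted(e):
    return e["event_id"] == 4726


# --- the use case: the rules must match in order, per account, inside WINDOW ---
def temp_privileged_account_use_case(events, window=WINDOW):
    """Return one alert per account whose full create/elevate/delete lifecycle fits the window."""
    steps = (rule_account_created, rule_privileged_group_add, rule_account_deleted)
    progress = {}  # target account -> (index of next step, ts of creation, set of actors)
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        target = e["target"]
        if rule_account_created(e):
            # a new creation always (re)starts the chain for that account
            progress[target] = (1, ts, {e["subject"]})
            continue
        state = progress.get(target)
        if state is None:
            continue
        idx, started, actors = state
        if ts - started > window:
            del progress[target]  # lifecycle too slow to match this use case
            continue
        if steps[idx](e):
            actors.add(e["subject"])
            idx += 1
            if idx == len(steps):
                alerts.append({
                    "account": target,
                    "actors": sorted(actors),
                    "lifetime_minutes": int((ts - started).total_seconds() // 60),
                })
                del progress[target]
            else:
                progress[target] = (idx, started, actors)
    return alerts


def run_sample():
    """Apply the use case to the constructed events; expected: one alert for svc_tmp."""
    return temp_privileged_account_use_case(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Each of the three rules would be noisy on its own (accounts are created and deleted all day), which is the point of the use case: only the ordered combination within a short window is worth an analyst's time, and the `newhire` account, which is created and added to an ordinary group, never reaches the alert.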
Threat detection rules
Threat detection rules are tailored specifically to detecting threats, whereas rules in general can be created for a variety of purposes; for instance, dedicated rules monitor policy-related activities and changes, including audit, authentication, authorization, and filtering. The important part of any rule is defining when it will be triggered. (BTW, we have a whole category of free detection rules. Don't miss out!)
Detection rules define conditional logic applied to logs. A detection rule triggers an alert when at least one of the conditions specified in the rule is matched within a given period of time.