Making SIEM Use Cases
21.09.2020
Read
While threats continue to evolve every day, modern-day businesses cannot remain in oblivion and wait for the attackers to exploit a vulnerability or disrupt their business operations. Logsign experts recommend that businesses should be proactive while dealing with their cybersecurity. As a proactive measure, many of our clients have implemented Logsign SIEM solution to get a single-point view of their organization’s security posture. In this article, we are looking at how we can create a use case on the Logsign SIEM platform.
Let’s consider that you need to implement a custom use case for detecting failed login attempts. If there exist rules and alerts for any use case already, our obvious suggestion would be to modify them as per your requirements. If you believe that customized alerts would be more useful, the procedure is outlined below.
For any use case, the first step is to define the behaviour that we will like to get detected. Let’s call our behaviour as “Failed Login Attempts.” Go to the Assets and Behaviour section and click on the New List button in the top-right corner.
Figure 1: Alerts & Behaviours
From the dropdown, we selected the type and severity for behaviour. Since we are looking at failed login attempts from an IP address, we select @@LogonFailure in the Query field and Source.IP in the Group Column and Value Column fields. We configured the behaviour to get triggered whenever the value count is more than 100 in the last 360 seconds.
Figure 2: Behaviour definition
In this second step, we will be creating an alert and category (if required).
Figure 3: Categories on Logsign SIEM
If your alert for the use case can be grouped into an existing category, you can skip reading the remaining paragraph. If not, click on the New Category button in the top right corner of your screen. A pop-up appears, and it asks for category name and identifier. Enter the required details and click on the Save button.
Figure 4: New Category button in the top-right corner
Figure 5: Creating a new category
Now, click on the New Alert Rule button (check Figure 4) to create a new alert. There are three tabs here:
Figure 6: Creating a new alert
For the Definition tab, enter the description, category, severity, and tags for your alert. For this article, we have named the alert “Failed Login Attempt” and selected the category that we created earlier: “Brute Force Demo.” Depending on your business’ risk assessment, select the severity and add tags, if relevant.
The Rule Set tab decides how efficiently your use case will work. For this alert, we have selected DataType, EventMap.SubType, and List.Name.
Figure 7: Rule Set tab
The Action and Notification tab allows you to configure alerts when rule conditions are satisfied. You can select all the users to whom email and SMS alerts should be sent. Here, you have three options for email template: Basic, Advanced, and Custom. Once done, click on the Save button.
Figure 8: Action and Notification tab
Now, we will be first creating a report block followed by adding a report type. Go to the Reports section and click on the New Report Block button in the top-right corner. Enter the name and identifier for your report block and click on the Save button.
To create a new report, click on the Create a Report button. You should see an interface like the one shown in Figure 9. Based on how you require data to be visualized, you can configure various reporting features. For example, we have selected the same query and option in the Grouped Column dropdown. Besides, you can also add relevant tags and select laws to demonstrate compliance with legal requirements, whether local or international. Click on the Save button to save your report.
Figure 9: Creating a new report
As soon as you click on the Save button, you will see the results as per your report configuration.
Figure 10: Results
Here, you can use various search filters available along with performing Time Analysis and Group Analysis.
Figure 11: Time Analysis
Figure 12: Group Analysis
Results can be exported in PDF, Excel, and HTML. We have exported the report in PDF.
Figure 13: Exporting the report
We hope that this article is useful. Have you been able to implement your business-specific use cases? If not, get in touch with our Support team today!
