RE: SIEM Use Cases

[Uzair Hashmi <uzair.hashmi () kse com pk>]

It's usually called "Event Correlation", Read on this specific topic on the manual of your SIEM being implemented.

Regards,
Uzair

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Thugzclub Thugzclub
Sent: Monday, July 09, 2012 6:36 AM
To: listbounce () securityfocus com; security-basics () securityfocus com; pen-test () securityfocus com; discussion () 
siemusers org
Subject: SIEM Use Cases

Hi,

This may not be the right forum ( if so please point me to the right
location) but here goes:

I am working on a project where we are integrating a SIEM into our
environment and I need to create a monitoring and alerting standard.

If I can explain some more:
- There are specific "isolated" suspicious behaviour that we would
want the SIEM to alert on e.g  e.g Admin logon at specific times of
the day, mid night for instance.
- There are also specific "combination" of suspicious behaviour that
we should alert on: e.g

I have a simple 3-tier web app behind a firewall, and four event
sources for  SIEM: a firewall, system events from
whatever daemon running on your servers and an (D)IDS

Event 1 : IDS says I have an SQL injection. Taken alone, this is
false, it's just an attempt at an SQLi and I have no idea whether or
not it has succeeded.
Event 2 : system daemon says I have a file creation on a temp folder
in your DB server
Event 3 : system daemon says said dropped file is ran under the DBserver user
Event 4 : firewall says I have outbound connection created to blah
server on port 80
Event 5 : IDS says blah server is hosted on an IP with a bad
reputation (I assume that's the D in DIDS)

Based on the above, I would say that i have been hacked.

The query that I have is: are there specific set of malicious
behaviour  or "use cases" similar to the above that I can use as the
basis for configuring my SIEM to detect against malicious patterns of
behaviour.



Thanks in advance.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------