List of Sample Use Cases Draft version
Based on the previous threads, I am uploading this sample list of use cases, which are pretty straightforward and commonly used across all SIEM deployments. It will be useful for all new SOC rookies who want to set up a basic set of use cases to start off the CSIRT.
Stay tuned for the complete list of use cases, including Dashboard/Rule/Trend/Report classification, in the next release, with advanced content creation with examples and snapshots.
Can anyone share a step-by-step guide on how to make a use case? All use cases mentioned in the PDF are very good, but I currently don't know how and where to start.
Looking forward to a step-by-step guide.
In the doc, beginning with page 9, there are examples, good and bad. But I assume you're looking for a more step-by-step or foundational answer...
If so, great; if not, I hope someone finds this thinking useful.
Quite simply, a Use Case is some problem or issue that you want to raise awareness of and provide a course of action for your team within your monitoring tools. Sticking to ArcSight, a Use Case is why content is built.
There are many approaches to building Use Cases, but I'll talk about one of mine.
The first steps to it don't involve ArcSight or a SIEM at all, but involve knowing the network and its uses that I need to protect. Let's say for this example I have 10 servers that must always be up; if they are ever down for any reason or any length of time, then an Engineer must be paged. I also have about 5 other servers that provide various functions, and are allowed out to the internet. I have 50 workstations for people, and these are allowed out to the internet. All servers have some FIM and a local repo. All changes must be done during predefined windows from the change board. Workstations upgrade from a local repo and have AV, HIPS, and a kernel splice for process and memory monitoring. I have a few firewalls, and only 5 of the 50 workstations should ever connect to the first 10 servers.
Sounds like a lot, and nothing about Use Cases... but in describing that network, I revealed several Use Cases.
Use Case 1:
If my core 10 servers ever have downtime, an Engineer must be paged.
Use Case 2:
If any machine other than the 5 approved machines connects to the core 10 servers, Security needs to know about that.
Use Case 3:
If any machine fetches upgrades from the non-approved source, then Security needs to know about it.
From those statements about knowing your network, one can then define, in a condition statement/action relationship, the Use Cases that you should build.
Condition Statement: "If my core 10 servers ever go down"
Action: "an Engineer must be paged"
Next comes the requirements and logic.
Requirements: A log must be generated if a core machine goes down.
- This requirement can be satisfied in a number of ways; to keep this simple, let's say all 10 machines will have Nagios monitoring installed.
To satisfy that requirement, Nagios is configured to send a log to ArcSight when a monitored machine does not respond to pings.
Now in ArcSight, a connector is set up for Nagios.
Content Logic is created around the Requirement for ArcSight to know that the core 10 machines and the log delivery of when a machine is down.
From there, Content Logic around the action is created in ArcSight.
"an Engineer must be paged"
Via a rule and action, ArcSight will now ingest Nagios logs, and when one of the core 10 machines is recorded as being down, ArcSight will send an SMS.
There you have a Use Case for:
Use Case 1:
If my core 10 servers ever have downtime, an Engineer must be paged.
The same tactics can be applied to any of the Use Cases mentioned above. Define the Use Case as a condition statement / action. The condition statement describes a specific situation that you use to identify the requirements, and the action provides what ArcSight should do when the requirements are met and the condition occurs.
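To make the condition -> requirement -> action flow concrete, here is an added example (not part of the original post, and not ArcSight's rule language) that implements the three Use Cases above as rules over constructed log lines. The asset lists (ten core servers, five approved workstations, one approved repo), the log formats (loosely modelled on a Nagios host alert, a firewall connection log and a package-manager log) and the log lines themselves are all assumptions made up for the example.

```python
"""Toy correlation engine for the three Use Cases in the post above.

Constructed example: asset lists, log formats and log lines are made up
to show the condition -> requirement -> action flow, not a real ArcSight
rule or a real Nagios/firewall/package-manager output.
"""
import re

# Step 1 of the post: know the network. These asset lists are the
# "requirements" input each rule needs (all values assumed).
CORE_SERVERS = {f"core-{i:02d}" for i in range(1, 11)}            # 10 must-be-up servers
CORE_SERVER_IPS = {f"10.0.0.{i}": f"core-{i:02d}" for i in range(1, 11)}
APPROVED_WORKSTATIONS = {f"10.1.1.{i}" for i in range(1, 6)}     # the 5 allowed to reach them
APPROVED_REPO = "repo.internal.example"                          # the local upgrade repo

# Parsers for the three constructed log formats.
NAGIOS_RE = re.compile(r"^nagios: HOST ALERT: (?P<host>[^;]+);(?P<state>UP|DOWN);(?P<type>SOFT|HARD);")
FW_RE = re.compile(r"^fw: src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)")
PKG_RE = re.compile(r"^pkg: host=(?P<host>\S+) source=(?P<source>\S+)")


def use_case_1_core_down(line):
    """Condition: a core server is reported DOWN in a HARD state (retries
    exhausted, so not a single lost ping). Action: page an engineer."""
    m = NAGIOS_RE.match(line)
    if m and m["host"] in CORE_SERVERS and m["state"] == "DOWN" and m["type"] == "HARD":
        return {"use_case": 1, "action": "page_engineer", "host": m["host"]}
    return None


def use_case_2_unapproved_access(line):
    """Condition: an allowed connection to a core server from a source that is
    not one of the 5 approved workstations. Action: notify Security.
    Denied attempts are deliberately not matched here; whether blocked
    attempts should also alert is a policy choice for the SOC."""
    m = FW_RE.match(line)
    if (m and m["dst"] in CORE_SERVER_IPS and m["action"] == "allow"
            and m["src"] not in APPROVED_WORKSTATIONS):
        return {"use_case": 2, "action": "notify_security",
                "src": m["src"], "server": CORE_SERVER_IPS[m["dst"]]}
    return None


def use_case_3_rogue_repo(line):
    """Condition: a host fetches upgrades from anything but the approved
    local repo. Action: notify Security."""
    m = PKG_RE.match(line)
    if m and m["source"] != APPROVED_REPO:
        return {"use_case": 3, "action": "notify_security",
                "host": m["host"], "source": m["source"]}
    return None


RULES = (use_case_1_core_down, use_case_2_unapproved_access, use_case_3_rogue_repo)


def evaluate(lines):
    """Run every rule over every log line and return the actions that fired,
    in log order. This is the 'content logic' layer of the post."""
    alerts = []
    for line in lines:
        for rule in RULES:
            hit = rule(line)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample log: each pair shows a line that should NOT fire next
# to one that should, so the rule boundaries are visible.
SAMPLE_LOG = [
    "nagios: HOST ALERT: core-03;DOWN;SOFT;1;PING CRITICAL",   # soft state: retry, no page
    "nagios: HOST ALERT: core-03;DOWN;HARD;3;PING CRITICAL",   # confirmed down: page
    "nagios: HOST ALERT: web-01;DOWN;HARD;3;PING CRITICAL",    # not a core server
    "fw: src=10.1.1.2 dst=10.0.0.5 dport=22 action=allow",     # approved workstation
    "fw: src=10.1.1.77 dst=10.0.0.5 dport=22 action=allow",    # unapproved source: notify
    "fw: src=10.1.1.77 dst=10.0.0.5 dport=22 action=deny",     # blocked, not matched by rule 2
    "pkg: host=ws-23 source=repo.internal.example",            # approved repo
    "pkg: host=ws-24 source=mirror.example.net",               # rogue repo: notify
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG):
        print(alert)
```

Each rule is the post's "condition statement" as a predicate and its "action" as the returned record; a real deployment would swap the print for the SMS/ticket integration and the constructed regexes for the connector's normalised fields.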
Could you share a few more details on the following listed AV use cases? Are they specific to any AV?
1. Access to critical file share, network path, SSH or Remote RDP attempt from the Infected Host.
2. Brute Force/port or host scan/privilege elevation access attempt from the Infected machine (AL and Trend - Real Time)