balahasan.v1 (Acclaimed Contributor)
7798 views

List of Sample Use Cases Draft version

Hi Team,

Based on the previous threads, I am uploading this sample list of use cases, which are pretty straightforward and commonly used across all SIEM deployments. It will be useful for all new SOC rookies who want to set up a basic set of use cases to start off the CSIRT.

Stay tuned for the complete list of use cases, including Dashboard/Rule/Trend/Report classification, in the next release, along with advanced content creation with examples and snapshots.

Cheers,

Itachihasan

Attached document text:

List of Sample Use Cases – Draft version 2

Windows
- Server Shutdown/Reboot
- Removable media detected
- Windows abnormal shutdown
- Login attempts with the same account from different source desktops
- Detection of Server shutdown/reboot after office hours
- Administrative Group Membership Changed
- Unauthorized Default Account Logins
- Interactive use of service account
- Remote access login - success & failure
- Windows Service Stop/Restart
- ACL Set on Admin Group members
- Windows Account Enabled/Disabled
- Multiple Windows Account Locked out
- Multiple Windows Logins by Same User
- Brute force attempt from same source
- Logins outside normal business hours
- Logins to multiple user accounts from the same source
- Brute force attempt from same source with successful login
- Windows Account Created/Deleted
- Windows Hardware Failure
- Failed Login to Multiple Destinations from Same Source
- Administrative Accounts - Multiple Login failure
- Detection of user account added/removed in admin group
- Detection of system time changes (Boot time)
- Detection of use of default product vendor accounts
- User Deleted Within 24hrs of Being Created
- Critical service stopped on Windows Servers
- Windows Security Log is full
- Multiple Password Changes in Short time period
- Windows group type was changed
- Audit Policy change
- Audit Log cleared
- Detection of user account added
- Logon Failure - A logon attempt was made using an expired account
- High number of users created/removed within a short period of time
- Outbound Traffic observed from Servers to Internet
- Failed Logins/Attempts with Disabled/Ex-Employee/Expired Accounts
- Windows File/Folder Delete
- Windows File/Folder Permission Changes

Unix
- Unix FTP File Import and Export Events
- Unix File system full
- Server shutdown
- Users Created/Deleted within short period
- User Groups Created/Removed within short period
- Unix - Login attempts with the same account from different source desktops
- Failed Logins
- Failed Logins with disabled accounts
- Unix FTP Login Access
- Unix multiple SFTP Connections
- Failed logins from root access
- Unix Multiple SU login failures
- Remote Logon Attempts using Root User on Production Node
- Sudo access from Non-sudo users
- Detection of use of default product vendor accounts
- Adding or Removing users to the group "root"
- Critical Service Stop
- Unix - High number of login failures for the same account within a short time
- Password Changed
- Adding, removing and modifying cron jobs
- SU login failures
- Detection of change in syslog configuration
- Detection of change in network configuration

ASA
- Administrator Login Failure
- Brute force with Successful Configuration Changes
- Firewall Failover event
- Successful connection from internet IP after repetitive blocks in firewall
- Access attempts on unidentified protocols & ports
- Exploit Event followed by Scanning Host
- Outbound access to invalid destination IPs
- Successful logon between Non-Business Hours
- Firewall reboot
- Detection of user account/group modifications
- User Added/Deleted to Firewall Database
- Detection of insecure traffic like FTP, telnet, on critical servers
- Detection of adding/deletion of a Firewall admin
- Login Denied (Brute Force)
- High number of Denied events
- Configuration Change detected
- The link to peer device is down, either because of a physical cabling issue or an NSRP configuration issue
- Network and Host Port Scan Attempts
- Detection of Primary/Secondary Switch Over
- An admin has allowed/removed access to the firewall from a particular IP
- Detected P2P traffic
- Alerting high CPU utilization on firewall
- Firewall failed to allocate RAM memory
- Detection of any kind of failure related to Standby FW
- Top dropped traffic from DMZ, FW
- Outbound Traffic observed on Important Ports
- Successful Outbound Traffic to Blacklisted Threat IP Address
- Multiple Failed Outbound Traffic to Blacklisted Threat IP Address

Checkpoint
- Checkpoint Firewall critical alert observed
- VPN configuration change observed
- Administrator Login Failure detected
- Successful logon between Non-Business Hours
- Successful access from Suspicious Countries
- Checkpoint Service restarts
- Firewall Cluster/Gateway Configuration Change
- CPU Utilization High
- Checkpoint Policy Installed
- High number of denied events
- Smart-Defense Signature Based Alert
- VPN Certificate Verification Failure
- Configuration Change detected
- Firewall reboot

Exchange
- Top 10 users sending mails to external domains
- Top 10 Email Receivers/Senders
- Data Leakage Identified through Large file sent via mail
- Malicious/Suspicious attachments identified
- Email Usage Group IDs
- Monitoring mails going out from the company domain to other domains after Office Hours
- High Email Bandwidth utilization by individual users
- Detection of Undelivered Messages
- Mailbox Access by Another user
- User sending a Message as another user
- User Sending a Message on behalf of another user
- Detection of Users logging in to a Mailbox which is not their Primary Account
- Detection of Auto Redirected Mails
- Top 10 users sending mails internally
- SMTP gateway sudden spike in Incoming mails
- High number of rejected mails from single "from" address

Wireless/VPN
- Rogue Network Traffic Detected
- Top VPN Account Logged in from Multiple Remote Locations
- Top VPN Account Logged in From VPN and on Local Network
- Wireless unauthorized login attempts
- Wireless authorization server is down
- Anonymous login from unknown IP address
- VPN Account logged in from multiple locations in a short span of time, or from suspicious countries
- Simultaneous Login from Multiple Locations for Single User
- VPN Connection beyond 24 Hours
- VPN Access from Internal IP Address
- VPN access from overseas
- Rogue AP detected
- Wireless AP rebooted
- Wireless unsecure AP detected
- VPN access from onshore team
- VPN access and Access card use Onshore observed

Cisco IPS
- UNIX Password File Access Attempt
- IPS High Alert
- Possible Exploit of Vulnerability
- Probable Port Scanning in the network
- SQL Injection Attempt
- Virus Traffic in the network
- Signature Based Attacks

Proxy
- Access attempts on unidentified protocols & ports
- Malware Domain Access Report
- Proxy Category based Summary Report
- Malware IP Access Report
- Potentially Unwanted Software access
- Dynamic DNS Host
- Malicious Sources/Malnets
- Malicious Outbound Data/Botnets
- Peer-to-Peer (P2P)
- Proxy Avoidance
- Remote Access Tools
- Access from unusual User Agent
- POST request to uncategorized sites after office hours
- Unwanted Internet Access
- Proxy configuration changes
- Proxy failed login attempt
- Content access violation
- Anonymous proxy access
- Hacker tool website access
- Access attempts by BOTNET identified by HTTP Request header

Oracle/DB
- Oracle password expired
- Critical command usage
- Critical commands executed on the database during non-business hours
- Oracle - Update or Insert Commands
- Oracle user Created/Deleted
- Multiple login failures observed for database
- Database Schema Creation/Modification
- Top Query Execution Failures
- Monitoring login attempts on database
- Use of default vendor accounts against policy
- Database access during non-business hours
- Login failures for sys/system or privileged accounts
- Connection to production databases from disallowed network segments

Routers and Switches
- Emergency router error messages
- BGP Neighbor Relationship Status Change
- Router - Power supply failure
- Configuration Change
- Critical messages observed from the SWITCH
- Alert messages observed from the SWITCH
- Detection of Antispam File Dropped due to large size
- Detection of application process proxy
- Detection of land attack
- Detection of Ping of Death attack
- Detection of new policy addition
- Detection of policy violation
- Virus traffic
- Content filtering detected
- Authentication failure/success

AV
- AV Virus Detected
- AV Detection of Backdoor traffic in the network
- Removable Storage Identified
- AV Malware Infection Identified (Not quarantined/cleaned/deleted/moved)
- Multiple AV Malware Infections Identified from Same Host
- Multiple Sources accessing the same Malware URL
- Multiple Types of AV Malware Infection Identified from Same Host
- Detection of failure of Antivirus DAT update on end user machines
- Detection of Worm outbreak in the network
- Detection of Virus Outbreak
- Attempt to stop the Adhoc/daily scan schedules
- Detection of Backdoor traffic in the network
- Attempt to stop the AV Services
- Attempt to stop the critical AV modules
- AV identified Rogue machines in the network
- Detection of a scan which is stopped before it completes
- Detection of a scheduled scan being stopped/paused (delayed)
- Detection of a computer which is not protected with the latest definitions
- Detection of new client software installed
- Detection of client software uninstalled
- AV Malware Breakout Identified across multiple machines on same Subnet/Different Subnet
- Multiple re-occurrence of same Infection identified from same machine (AL and Trend - Historical)
- Multiple re-occurrence of unique Infection identified from same machine (AL and Trend - Historical)
- Blacklist Domain/IP Address monitoring of traffic emerging to/from the Infected machine (AL and Trend - Real Time)
- Brute Force/port or host scan/privilege elevation access attempt from the Infected machine (AL and Trend - Real Time)
- Attempt to restart AV service or process, AV modules from Infected machine
- Access to critical file share, network path, SSH or Remote RDP attempt from the Infected Host

Uncategorized
- Default User Account Usage
- Inactive User Accounts
- After Hours VPN Access Monitoring
- Firewall Top Talkers
- P2P Traffic
- Distributed Host Port Scan
- Distributed Network Host Scan
- SYN Flood by IDS/Firewall
- High Number of Denied Connections for a Single Host
- Worm/Virus Outbreak Detected
- Outbound/Inbound Network Sweep
- AV Update Failed
- Malware IP Access
- Malware URL Access
- Hacking attempt on web portal
- Data Leakage
- Detection of BOTNET infection in Internal LAN
- Unauthorised access from Third Party or vendor networks
- Infected Host Activities
- Suspicious, Adware, Phishing and Hacking Activities
- Unwanted Software
- AV Malware Breakout Identified across multiple machines
- Monitor Development team's access to Production systems
- Blacklisted IP
- Blacklisted IP Pass after multiple Firewall Blocks
- Blacklisted URL
- Data Overview Trend
- Outbound Traffic to Suspicious Countries
- Outbound Traffic to Suspicious ports
- Outbound Traffic to Suspicious Services
- Terminated User Activity
- Malicious Traffic to Vulnerable Asset
- Communications to Bad Domains
- Communications to Blacklisted Domains/IPs
- Data Transfer involving Blacklisted Domains/IPs
- Outbound traffic involving Database
- Cross Site Scripting
- Script Injection
- Malicious Activity
- Detection of FW Interface Status Changes/Failures
- Insecure Protocol Usage - Detection of insecure traffic like FTP, telnet, VNC on critical servers
- VPN Access from Outside Country
- Suspicious VPN Login Attempts
- Detection of service stop on ESX servers
- Detection of multiple user failed logins on ESX servers from the same source
- Detection of ESX server shutdown/restart
- Detection of virtual machine start/stop/resume/reboot
- Detection of addition/removal of a host on vCenter
- Detection of virtual machine creation/removal on vCenter
- Probable XSS attack observed
- Probable Directory Traversal attack observed
- Suspicious HTTP methods observed
- HTTP Request Other Than GET, POST, HEAD and OPTIONS
- Probable SQL Injection attack observed
- Web Attack - Vulnerability scanning using Nessus

Use Case Form

Use Case ID:
Use Case Name:
Submitter Name:
Submission Date:

Section 1. Problem Description / Overview – What are you trying to detect?

Description: What security issue is there a concern about? What bad security event are you attempting to detect? Can it be clearly defined? If the description is vague, there can be no clear solution.

Good Examples:
1. A security log on a Windows Server should not be cleared. If one is cleared, that can indicate a hacker clearing traces of their attack and should be detected.
2. If a user who is no longer employed at the company (terminated, retired, deceased, etc.) logs in to a UNIX server, that action is bad and should be detected.

Bad Examples:
1. Monitor the UNIX servers and make sure no one does anything that they shouldn't. Problem: What shouldn't they do?

Section 2. Current Solution – How is the problem being addressed today?

Description: Is this an improvement to an existing solution, or is this a new solution? Is there currently a workaround or other method whereby some or all of the requirements are being met? Is it a manual review of log files? Is it a periodic spot check?

Good Examples:
1. The login failures are being printed out in a report from the UNIX servers, and Jack Black is manually reviewing them for possible exposed passwords. This process is very time and resource consuming, is not near-real time, and is prone to mistakes or oversights.
2. There is currently no solution for this problem. This is a gap.

Bad Examples:
1. I think that someone might be looking at this, but I am not sure. Problem: Possible duplication of effort.

Section 3. Priority / Risk – What is the cost of NOT solving this problem?

Description: What is the risk or penalty for not doing this effort? Is there an open audit finding for this issue? Is this required to meet a legal or regulatory compliance effort? Is there a known attack or exploit that this could detect? Is a specific VP requesting that this be accomplished?

Good Examples:
1. In order to meet the PCI audit that will occur on November 15, this requirement must be met. Our company's lead for this effort is Cary Grant and he can be reached at 555-1212.
2. There is an open internal audit finding (#12345) that I have attached to this ticket. The resolution requirement is April 15 and the Internal Auditor assigned to this is Myrna Loy.

Bad Examples:
1. If we don't detect this, bad things will happen. Problem: What bad things?
2. I read about this in a magazine. We should do this. Problem: Why is what you read relevant to our company? What specific issue will happen if we do not?

Section 4. Feed Identification – Where do the Security Events come from (Event Sources)?

Description: What events can deliver the information required to meet the requirements set forth in Section 1? What technology generates these events? What specific systems? (Hostnames, IP addresses, etc.) Which contacts can assist in obtaining these events from these systems?

Good Examples:
1. The Windows Security events need to be obtained from all of the Windows Servers located in the Credit Card Enclave. There is a spreadsheet attached with all of the host names and IP addresses. Brad Pitt on the Windows Server Team is the correct contact.
2. All UNIX servers need to have their events analyzed for this. The correct contact for this is Jane Powell on the Midrange Team. The Midrange team maintains a list of all of the servers and can supply it for this effort. The employee status can be obtained from the PeopleSoft Database. The contact for that database is Gregory Peck.

Bad Examples:
1. Look at all of the company's devices for this hacker activity. Problem: What are "all of the company's devices"? What is "hacker activity"?

Section 5. Sample Events – What does it look like when it occurs (events of interest)?

Description: Samples of the events from the correct sources that contain all of the necessary data to be able to detect when the requirements in Section 1 have occurred must be supplied. If there are multiple source events that must be correlated together, then all of those event samples must be supplied.

Note: If an event does not contain enough information to make a decision and determine that the requirements in Section 1 have been met, then this is not a viable Use Case. The SEM can only make decisions when it has the data to do so.

Note: If an event may contain enough information to make a decision and determine that the requirements in Section 1 have been met, but there are no examples of this ever having occurred, then this is not a viable Use Case. The SEM can only make decisions when it has the data to do so.

Good Examples:
1. The Windows Servers generate an event with a security ID of 517. Any events with this ID are suspect. Enclosed is a screenshot of an event on the Windows Server showing one of these events.
2. A syslog event from a UNIX server that shows a successful login with an id that matches an ID in the PeopleSoft database which is flagged as terminated, retired or deceased would indicate one of these events. Attached are both a text file of the syslog events showing a successful login on a UNIX server and a text file showing a CSV extract of the PeopleSoft database with examples of active, terminated, retired, and deceased employees.

Bad Examples:
1. The UNIX server should have some kind of log for this activity. Problem: If samples cannot be provided, then it may not be possible to accomplish this use case.

Section 6. Action Requirements – What needs to be done when it occurs, and how does the content operate?

Description: Once the events are seen and the determination that the requirements in Section 1 have been met, what actions need to be taken to remediate the identified issue? Does an email need to be sent to a specific team? Should the FBI be notified?

Note: If the requestor does not know what needs to be done, the iSOC can work with the requestor to attempt to determine a viable option. However, if one cannot be determined, then the Use Case cannot proceed.

Good Examples:
1. This event is a very rare occurrence. There are very few false positives. When detected, an alert will go into the iSOC queue and be worked. The iSOC analyst will contact the appropriate Windows Server Team Member, as identified by the Server Database. That administrator will either identify a legitimate reason why this occurred, or an Incident will be declared and the Windows Server will be treated like it has been compromised.
2. The user ID will be validated as to whether they are a contractor or not. If it is a contractor, the iSOC will contact the contractor representative, Bing Crosby, and confirm if the contractor's contract was extended without a proper PeopleSoft update. If yes, then this is a false positive and will be closed. If no, or if this is a full time employee, this will be declared an incident and be treated like a Breach.

Bad Examples:
1. The iSOC gets an alert and handles it.

Note: If part of the Action Requirements requires notification of a team or person via email, phone, SNMP, etc., then these notification requirements must be specifically spelled out (full names, phone numbers with area codes, alternate contacts, email addresses, etc.).

Section 7. Known False Positives – Are there scenarios where this is okay?

Description: Sometimes an event that would typically denote that something bad has occurred can, under the proper context, be proven to have been benign. Sometimes these scenarios are known beforehand and can be taken into account when building the SEM content and filtered out to avoid taking action on these. Any efforts taken now can greatly enhance the acceptance of the new SEM content by those who will be contacted as part of the actions taken. In addition to wasting valuable resources, a solution that generates a high volume of false positives can negatively affect morale.

Good Examples:
1. No users should ever log in to a UNIX server directly using the "root" user account. All logins should be made with the user's individual account and then elevate to root level access as warranted. This provides proper logging of who is performing what actions in the audit logs. However, when a new UNIX server is in "build" status, the individual accounts have not yet been created and logging directly in as "root" is acceptable. The server build status can be obtained from the Enterprise CMDB. The contact for the CMDB is Bob Hope.
2. A "UDP Host Scan" event can be triggered by a malicious actor ("hacker") attempting to do reconnaissance on servers and is typically a precursor to further attacks. However, a DNS server is known to have normal activity that can cause this IDS signature to fire falsely. Attached is a list of the enterprise's known internal and external DNS servers. Please filter these source host addresses out from firing this signature.

Bad Examples:
1. Just assume that they are all bad. We can figure out the false positives as we go.
2. Just show us when they do something that they don't normally do. Problem: You as the SME are in a better position to know normal and not normal activity. The analyst has no easy way to determine this and respond.

Section 8. Test Scenarios – Can this action be recreated for testing?

Description: If an event can be recreated in a test scenario, then SEM content can be created and validated much quicker and more thoroughly. If the analyst must wait for a rare event to occur naturally, then it may not be possible to provide a high level of confidence that the content will perform as desired. Ideally, test scenarios for both true positives and false positives can be performed as necessary.

Good Examples:
1. If a user who is no longer employed at the company (terminated, retired, deceased, etc.) logs in to a UNIX server, that action is bad and should be detected. For a test, the analyst can change a UNIX administrator's status from "active" to "terminated" and have them log in to generate the event. Then the analyst can change the UNIX administrator's status back from "terminated" to "active" and have them log in to validate the absence of an event.
2. A security log on a Windows Server should not be cleared. There is a test server, servername1, which can have its Security log safely cleared on demand, generating the necessary Windows event with the security ID of 517. You can contact Basil Rathbone on the Windows Server Team to perform this task.

Bad Examples:
1. There is no way to test this. Note: The absence of a viable test does not completely invalidate a use case; however, the submitter must acknowledge that the content will be "best effort" with a lower level of confidence that it will work as intended.
2. There is a way to test this, but it will only generate the event some of the time. Problem: A test that does not generate reliable results cannot be considered a viable test.

Section 9. Use Case Overview – How are you going to view/present it?

Description: What security issue is there a concern about? What bad security event are you attempting to detect? Can it be clearly defined? If the description is vague, there can be no clear solution. How are you going to present those threat scenarios, and how can they be analyzed by the CSIRT: Dashboards, Reports, Trends or Rules?

Good Examples:
1. Baseline and threshold violations are detected using Trends and Dashboards.
2. If a user who is no longer employed at the company (terminated, retired, deceased, etc.) logs in to a UNIX server, that action is bad and should be detected as a high priority alert.
3. Lists of Multiple Failed Logins and Account Lockouts are not alert/dashboard criteria, but are used by the System Administrators.

Bad Examples:
1. Creating a Dashboard with a 1 month buffer to analyse the anomalies. Problem: Performance issues with the Manager.

The next release will contain the complete list of use cases and the methods for building complex use cases. Stay tuned.

References: Cindy Jones - SEM Use Case Form - Version 1.1.doc
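The form's worked examples (Sample Events example 2, the Known False Positive about root logins on servers in "build" status, and Test Scenario example 1) as one small correlation, written for this thread and not taken from the attached document or from any SIEM product; the syslog lines, CSV column names, hostnames and addresses are constructed assumptions:

```python
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample syslog lines (not from the attached document): successful
# SSH logins on UNIX servers, one failed login, and a direct root login on a
# server that the CMDB still lists in "build" status.
SAMPLE_SYSLOG = """\
Mar 10 08:12:01 unix01 sshd[2311]: Accepted password for jdoe from 10.1.2.30 port 51022 ssh2
Mar 10 08:15:44 unix02 sshd[2390]: Accepted publickey for bsmith from 10.1.2.31 port 51100 ssh2
Mar 10 08:20:09 unix03 sshd[1002]: Accepted password for root from 10.1.9.5 port 40001 ssh2
Mar 10 08:21:13 unix01 sshd[2402]: Accepted password for root from 10.1.2.30 port 51200 ssh2
Mar 10 08:25:55 unix01 sshd[2455]: Failed password for bsmith from 10.1.2.31 port 51300 ssh2
"""

# Constructed CSV extract standing in for the employee-status database
# (the form calls it the PeopleSoft extract; the column names are assumed).
SAMPLE_EMPLOYEES = """\
user_id,name,status
jdoe,Jane Doe,active
bsmith,Bob Smith,terminated
"""

# Constructed CMDB extract with each server's build status (columns assumed).
SAMPLE_CMDB = """\
hostname,build_status
unix01,production
unix02,production
unix03,build
"""

BAD_STATUSES = {"terminated", "retired", "deceased"}

# Only successful logins are in scope; "Failed password" lines do not match.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"Accepted\s\S+\sfor\s(?P<user>\S+)\sfrom\s(?P<src>\S+)"
)


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    src: str
    reason: str


def load_lookup(csv_text, key, value):
    """Turn a CSV extract into a {key: value} dictionary for enrichment."""
    return {r[key]: r[value] for r in csv.DictReader(io.StringIO(csv_text))}


def evaluate(syslog_text, employees_csv, cmdb_csv):
    """Run both checks over the syslog sample and return the alerts raised."""
    status_by_user = load_lookup(employees_csv, "user_id", "status")
    build_by_host = load_lookup(cmdb_csv, "hostname", "build_status")
    alerts = []
    for line in syslog_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        host, user, src = m["host"], m["user"], m["src"]
        status = status_by_user.get(user)
        if status in BAD_STATUSES:
            # Sample Events example 2: a login by a terminated/retired/deceased user.
            alerts.append(Alert(host, user, src, f"login by {status} user"))
        elif user == "root" and build_by_host.get(host) != "build":
            # Known False Positive example: direct root logins are acceptable only
            # while the server is in "build" status, so those are filtered out.
            alerts.append(Alert(host, user, src, "direct root login on non-build server"))
    return alerts


def set_status(employees_csv, user_id, new_status):
    """Emulate the form's Test Scenario: flip one user's status in the extract."""
    rows = list(csv.DictReader(io.StringIO(employees_csv)))
    for r in rows:
        if r["user_id"] == user_id:
            r["status"] = new_status
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["user_id", "name", "status"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    for a in evaluate(SAMPLE_SYSLOG, SAMPLE_EMPLOYEES, SAMPLE_CMDB):
        print(f"{a.host}: {a.user} from {a.src} ({a.reason})")
```

Flipping a user from "active" to "terminated" with set_status and back again reproduces the form's true-positive and absence-of-event test in one run.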
15 Replies
balahasan.v1 (Acclaimed Contributor)

Re: List of Sample Use Cases Draft version

Number 2 Document

0 Likes
Aleks (Super Contributor)

Re: List of Sample Use Cases Draft version

Thanks Balahasan!

Good List!

0 Likes
tahira2211 (Absent Member)

Re: List of Sample Use Cases Draft version

Hi,

Can anyone share a step-by-step guide on how to make a use case? All use cases mentioned in the PDF are very good, but I currently don't know how and where to start.

Looking forward to a step-by-step guide.

0 Likes
mike_of_many (Trusted Contributor)

Re: List of Sample Use Cases Draft version

Tah

In the doc, beginning with page 9, there are examples, good and bad. But I assume you're looking for a more step-by-step or foundational answer...

If so, great; if not, I hope someone finds this thinking useful.

Quite simply, a Use Case is some problem or issue that you want to raise awareness of and provide a course of action for your team within your monitoring tools. Sticking to ArcSight, a Use Case is why content is built.

There are many approaches to building Use Cases, but I'll talk about one of mine.

The first steps to it don't involve ArcSight or a SIEM at all, but involve knowing the network and its uses that I need to protect. Let's say for this example I have 10 servers that must always be up; if they are ever down for any reason or any length of time, then an Engineer must be paged. I also have about 5 other servers that provide various functions, and are allowed out to the internet. I have 50 workstations for people, and these are allowed out to the internet. All servers have some FIM and a local repo. All changes must be done during predefined windows from the change board. Workstations upgrade from a local repo, and have AV, HIPS, and a kernel splice for process and memory monitoring. I have a few firewalls, and only 5 of the 50 workstations should ever connect to the first 10 servers.

Sounds like a lot, and nothing about Use Cases ... but in describing that network, I revealed several Use Cases.

Use Case 1:

If my core 10 servers ever have downtime, an Engineer must be paged.

Use Case 2:

If any machine other than the 5 approved machines connects to the core 10 servers, Security needs to know about that.

Use Case 3:

If any machine fetches upgrades from the non-approved source, then Security needs to know about it.

From those statements about knowing your network, one can then define in a condition statement/action relationship the Use Cases that you should build.

Condition Statement "If my core 10 servers ever go down"

Action "an Engineer must be paged"

Next comes the requirements and logic.

Requirements: A log must be generated if a core machine goes down.

- This requirement can be satisfied in a number of ways; to keep this simple, let's say all 10 machines will have Nagios monitoring installed.

To satisfy that requirement, Nagios is configured to send a log to ArcSight when a monitored machine does not respond to pings.

Now in ArcSight, a connector is set up for Nagios.

Content Logic is created around the Requirement, so that ArcSight knows the core 10 machines and receives the log delivered when a machine is down.

Action:

From there, Content Logic around the action is created in ArcSight.

"an Engineer must be paged"

Via a rule and action, ArcSight will now ingest Nagios logs, and when one of the core 10 machines is recorded as being down, ArcSight will send an SMS.

There you have a Use Case for "Use Case 1: If my core 10 servers ever have downtime, an Engineer must be paged."

The same tactics can be applied to any of the Use Cases mentioned above. Define the Use Case as a condition statement / action. The condition statement describes a specific situation that you use to identify the requirements, and the action provides what ArcSight should do when the requirements are met and the condition occurs.

Mike

0 Likes
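Mike's condition/action pattern for Use Cases 1 and 2, as an added example that is not from his post or from ArcSight: a Nagios host alert line and a firewall log line are normalised into events, and each rule is simply a condition paired with an action. The asset lists, the firewall line format and all addresses are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable

# Assumed asset inventory: stand-ins for the "core 10 servers" and the
# "5 approved workstations" in the post above (names and addresses constructed).
CORE_SERVERS = {"core01": "10.0.1.1", "core02": "10.0.1.2", "core03": "10.0.1.3"}
CORE_IPS = set(CORE_SERVERS.values())
APPROVED_WORKSTATIONS = {"10.0.5.11", "10.0.5.12"}

# Nagios host alert line (nagios.log "HOST ALERT" format) and a constructed
# key=value firewall line standing in for whatever the firewall connector delivers.
NAGIOS_RE = re.compile(
    r"^\[(?P<ts>\d+)\] HOST ALERT: (?P<host>[^;]+);(?P<state>UP|DOWN|UNREACHABLE);"
    r"(?P<type>HARD|SOFT);(?P<attempt>\d+);(?P<output>.*)$"
)
FW_RE = re.compile(
    r"^fw: action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


@dataclass
class Event:
    source: str   # which connector produced it: "nagios" or "firewall"
    fields: dict


@dataclass
class Rule:
    name: str
    condition: Callable[[Event], bool]  # the condition statement
    action: Callable[[Event], str]      # the action, returned here as a record


def parse(line):
    """Normalise a raw line into an Event, or None if no connector understands it."""
    m = NAGIOS_RE.match(line)
    if m:
        return Event("nagios", m.groupdict())
    m = FW_RE.match(line)
    if m:
        return Event("firewall", m.groupdict())
    return None


def core_server_down(ev):
    # Only HARD states count: Nagios retries before committing to a state, so a
    # SOFT DOWN is one lost ping, not an outage worth paging an engineer for.
    return (ev.source == "nagios" and ev.fields["host"] in CORE_SERVERS
            and ev.fields["state"] == "DOWN" and ev.fields["type"] == "HARD")


def unapproved_core_access(ev):
    # Use Case 2: a connection that was actually allowed, to a core server,
    # from any source other than the approved workstations.
    return (ev.source == "firewall" and ev.fields["action"] == "allow"
            and ev.fields["dst"] in CORE_IPS
            and ev.fields["src"] not in APPROVED_WORKSTATIONS)


RULES = [
    Rule("UC1 core server downtime", core_server_down,
         lambda ev: f"PAGE engineer: {ev.fields['host']} is DOWN ({ev.fields['output']})"),
    Rule("UC2 unapproved access to core server", unapproved_core_access,
         lambda ev: f"NOTIFY security: {ev.fields['src']} -> "
                    f"{ev.fields['dst']}:{ev.fields['dport']} allowed"),
]


def run(lines, rules=RULES):
    """Evaluate every rule against every parsable event; return (rule, action) pairs."""
    fired = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        for rule in rules:
            if rule.condition(ev):
                fired.append((rule.name, rule.action(ev)))
    return fired


# Constructed sample feed: a transient (SOFT) loss, a confirmed (HARD) outage
# of a core server, an outage of a non-core server, recovery, and firewall lines.
SAMPLE_LINES = [
    "[1700000000] HOST ALERT: core01;DOWN;SOFT;1;PING CRITICAL - Packet loss = 100%",
    "[1700000060] HOST ALERT: core01;DOWN;HARD;3;PING CRITICAL - Packet loss = 100%",
    "[1700000120] HOST ALERT: app05;DOWN;HARD;3;PING CRITICAL - Packet loss = 100%",
    "[1700000180] HOST ALERT: core01;UP;HARD;1;PING OK - Packet loss = 0%",
    "fw: action=allow src=10.0.5.11 dst=10.0.1.2 dport=22",
    "fw: action=allow src=10.0.5.40 dst=10.0.1.2 dport=22",
    "fw: action=deny src=10.0.5.41 dst=10.0.1.3 dport=445",
    "fw: action=allow src=10.0.5.41 dst=10.0.2.7 dport=443",
]

if __name__ == "__main__":
    for name, action in run(SAMPLE_LINES):
        print(f"{name}: {action}")
```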
siddharth.biswa1 (Absent Member)

Re: List of Sample Use Cases Draft version

Hi Bala,

Could you share a few more details on the following listed AV use cases? Are they specific to any AV?

1. Access to critical file share, network path, SSH or Remote RDP attempt from the Infected Host.

2. Brute Force/port or host scan/privilege elevation access attempt from the Infected machine (AL and Trend - Real Time)

0 Likes
sujansures (Absent Member)

Re: List of Sample Use Cases Draft version

Dear, wonderful preparation. Good work.

Where can I download this stuff to fiddle around with it?

Thanks.

0 Likes
younuspatel (Absent Member)

Re: List of Sample Use Cases Draft version

Hi All,

Can I have the filters for these Windows use cases?

regards,

younus

0 Likes
balahasan.v1 (Acclaimed Contributor)

Re: List of Sample Use Cases Draft version

Sure

0 Likes
balahasan.v1 (Acclaimed Contributor)

Re: List of Sample Use Cases Draft version

I doubt that. Most of them are developed from logic based on event IDs from www.ultimatewindowssecurity.com

0 Likes
sandeepu (Absent Member)

Re: List of Sample Use Cases Draft version

Hello Balahasan,

Can we get this document? Where can we download it for our reference?

Thanks,

Sandeep N

0 Likes
sujansures (Absent Member)

Re: List of Sample Use Cases Draft version

Hi,

You can download the document directly from here.

Regards,

Sujan

0 Likes
younuspatel (Absent Member)

Re: List of Sample Use Cases Draft version

Hello Balahasan,

Thanks for the reply,

I will go through it.

Currently I have to create a dashboard for all device patch updates. Could you guide me, please?

regards,

younus

0 Likes
sandeepu (Absent Member)

Re: List of Sample Use Cases Draft version

Thank you Sujan and Balahasan

0 Likes
philip.clough@h (Absent Member)

Re: List of Sample Use Cases Draft version

Hey Mike,

Thank you, the example of your approach was very helpful.

I know it's been a while, but above you stated that there are many approaches to building use cases. Is there any way you could share or point out some of the other approaches? I am specifically looking for published sources such as whitepapers, books or journal articles.

So far the only (scientific) source I found was a whitepaper from SANS:

https://www.sans.org/reading-room/whitepapers/auditing/effective-case-modeling-security-information-event-management-333…

Thank you for your help!

Cheers and regards,

Philip

0 Likes