List of Sample Use Cases Draft version
Based on the previous threads, I am uploading this sample list of use cases, which are pretty straightforward and commonly used across all SIEM deployments. It will be useful for all new SOC rookies who want to set up a basic set of use cases to start off the CSIRT.
Stay tuned for the complete list of use cases, including Dashboard/Rule/Trend/Report classification, in the next release, along with advanced content creation with examples and snapshots.
Thanks for the reply,
I will go through it.
Currently I have to create a dashboard for all device patch updates. Could you guide me, please?
Thank you, the example of your approach was very helpful.
I know it's been a while, but above you stated that there are many approaches to building use cases. Is there any way you could share or point out some of the other approaches? I am specifically looking for published sources such as whitepapers, books or journal articles.
So far the only (scientific) source I found was a whitepaper from SANS:
Thank you for your help!
Cheers and regards,
While the whitepaper you mention touches on them, the primary method, if I recall, is what they term "Top Down, Bottom Up, Middle Out".
As for published sources, I will have to look, but I recall a book or a paper, "Creating Effective Use Cases for SIEM", which has use cases created from risk. Anton Chuvakin, on his own and then at the Gartner blog, has some good write-ups on creating use cases from compliance needs, visibility needs, and just general creation workflows.
Otherwise, scientifically, I'm not sure there are other sources. I'll keep an eye out.
Personally, I feel that when I talk to the Nitro ESM guys, they talk a lot about creating time-based and standard-deviation-based use cases, as that's a strength of the Nitro engine. So that's another place to look for approaches to building use cases, as different strengths will usually require different approaches.
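As an added illustration of the time-based and standard-deviation-based use cases mentioned in the post above, here is example code written for this thread, not taken from Nitro ESM or any SIEM product; the host names, event counts, one-hour buckets and the 3-sigma threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: (timestamp, host, event) tuples standing in for normalised
# SIEM auth-failure events. Hours 0-5 are a quiet baseline; hour 6 on srv-01 is
# the spike the rule should catch. srv-02 is noisier but steady.
BASELINE = {"srv-01": [4, 5, 3, 6, 4, 5], "srv-02": [10, 12, 9, 11, 10, 13]}
SAMPLE_EVENTS = [
    (f"2024-01-01T{hour:02d}:{i:02d}:00", host, "auth_failure")
    for host, counts in BASELINE.items()
    for hour, n in enumerate(counts)
    for i in range(n)
]
SAMPLE_EVENTS += [(f"2024-01-01T06:{i:02d}:00", "srv-01", "auth_failure") for i in range(40)]


def hourly_counts(events):
    """Time-based part of the rule: bucket events into per-host, per-hour counters."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, host, _event in events:
        bucket = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        counts[host][bucket] += 1
    return counts


def stddev_alerts(events, baseline_hours=6, k=3.0):
    """Standard-deviation part: alert when an hour's count exceeds the mean of the
    preceding baseline window by more than k population standard deviations.
    Simplification: hours with zero events are absent from the window, not zero-filled."""
    alerts = []
    for host, per_hour in hourly_counts(events).items():
        hours = sorted(per_hour)
        for i in range(baseline_hours, len(hours)):
            window = [per_hour[h] for h in hours[i - baseline_hours:i]]
            mu, sigma = mean(window), pstdev(window)
            # Floor sigma at 1 so a perfectly flat baseline does not alert on a +1 change.
            threshold = mu + k * max(sigma, 1.0)
            if per_hour[hours[i]] > threshold:
                alerts.append((host, hours[i].isoformat(), per_hour[hours[i]], round(threshold, 1)))
    return alerts


if __name__ == "__main__":
    for alert in stddev_alerts(SAMPLE_EVENTS):
        print("ALERT host=%s hour=%s count=%d threshold=%.1f" % alert)
```

In a real deployment the baseline window, the k multiplier and the zero-fill behaviour are the tuning knobs that decide the false-positive rate, so they belong in the use case's documented parameters.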