Comment on SIEM use cases: to fine-tune

sunhux asked:
Refer to attached:
Need to clarify the red-text items in the Excel sheet:
what are the usual industry-practice settings like?
E.g. "occurs 10 times/minute": is this the usual
setting, or do hackers usually attempt 5 times/0.5 min?

From our network IPS logs, we have seen variations in
attempts (by blacklisted source IP addresses), making
3-10 attempts over various time horizons.

Appreciate any comments/inputs on the red-text
items in the attached use cases, which we're going
to adopt to fine-tune our SIEM/SOC.
SiemSocUsecases.xlsx
noci (Software Engineer, Distinguished Expert 2018)

Commented:
There might easily be longer intervals; this would be to avoid detection, but will take longer to achieve results.
I see SSH password-guess attempts at one attempt/hour (probably hunting for specific known accounts with known values).

So don't count on the right value...

Author commented:
So what are the recommended settings/values?
noci (Software Engineer, Distinguished Expert 2018)

Commented:
TBH, I doubt there is a "best" setting... It depends on what your auditors want to see. If you need to feed the auditors, then you need to analyze your threats and set up rules to take those threats into account. I have no blanket recommendation; maybe others have?

noci (Software Engineer, Distinguished Expert 2018)

Commented:
You need to investigate all threats... the surface you expose to attack, and first minimize that exposure.
You need procedures for maintenance & incident follow-up.
Then you can start sampling attempts etc. and analyze.
And then adjust all of the above to accommodate the observed issues.

And you may very well not notice something, because attackers also try to stay low (some of them... others just try in bulk).
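To illustrate the two points above (sample the attempts, then tune; and "low and slow" guessers sit under a per-minute threshold), here is an added example that is not from this thread: a sliding-window counter over constructed SSH failed-login lines, run once with the "10 in 1 minute" threshold from the question and once with a longer window. The log format, IP addresses and both thresholds are assumptions for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed sshd-style line layout; adapt the regex to your own log source.
LINE_RE = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)$")


def fmt(ts, user, src):
    return f"{ts.isoformat()} sshd: Failed password for {user} from {src}"


def make_sample_logs():
    """Constructed sample data (not from the thread): a fast burst, a
    low-and-slow guesser at one attempt per hour, and a user who mistyped twice."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    lines = [fmt(base + timedelta(seconds=3 * i), "root", "203.0.113.5") for i in range(10)]
    lines += [fmt(base + timedelta(hours=h), "admin", "198.51.100.7") for h in range(6)]
    lines += [fmt(base + timedelta(minutes=i), "alice", "192.0.2.10") for i in range(2)]
    return "\n".join(sorted(lines))  # fixed-width ISO timestamps sort chronologically


def parse(lines):
    """Yield (timestamp, user, source) for each failed-login line."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def alerts(lines, threshold, window_seconds):
    """Return {source: time_of_first_alert} for sources that reach `threshold`
    failures within any sliding window of `window_seconds` (input in time order)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    fired = {}
    for ts, _user, src in parse(lines):
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in fired:
            fired[src] = ts
    return fired


if __name__ == "__main__":
    logs = make_sample_logs()
    print("10 in 1 min :", alerts(logs, 10, 60))        # catches the burst only
    print("5 in 24 h   :", alerts(logs, 5, 24 * 3600))  # also catches the hourly guesser
```

The short window never fires on the one-attempt-per-hour source, so a second rule with a long window and a low count is what surfaces it; tune both against your own sampled IPS/auth data rather than a fixed industry number.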
noci (Software Engineer, Distinguished Expert 2018)

Commented:
From that, you may find this a useful reference: https://cisohandbook.com/

Lynis from https://cisofy.com/ might give some insight.
Lynis is a tool that tries to assess the state of a system and holds some common-knowledge or best-practice benchmarks
(although they might be buried in code).
