Comment on SIEM use cases: to fine-tune

Refer to the attached:
We need to clarify the red-text items in the Excel:
what are the usual industry-practice settings, e.g.
for "occurs 10 times/minute": is this the usual
setting, or do hackers usually attempt 5 times/0.5 min?

From our network IPS logs, we have seen variations in
attempts (by blacklisted source IP addresses) of
3-10 attempts over various time horizons.

Appreciate any comments/inputs on the red-text
items in the attached use cases, which we're going
to adopt to fine-tune our SIEM/SOC.
noci (Software Engineer) commented:
There might easily be longer intervals; this would be to avoid detection, but will take longer to achieve results.
I see SSH password-guess attempts with one attempt/hour (probably hunting for specific known accounts with known values).

So don't count on the right value...
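To make the point above concrete, here is an added example (not from the thread or its participants) that runs two SIEM-style thresholds over constructed sshd log lines: the "10 times/minute" rule from the question, and a slower "5 in 24 hours" rule. The noisy source trips both; the one-attempt-per-hour source is only caught by the longer window. Log lines, IP addresses and timestamps are all constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one noisy source making 12 guesses within a minute,
# one slow source making one guess per hour (both sources are documentation IPs).
SAMPLE_LOG = "\n".join(
    [f"2024-01-01T10:00:{s:02d} sshd: Failed password for root from 203.0.113.5"
     for s in range(0, 60, 5)]
    + [f"2024-01-01T{h:02d}:15:00 sshd: Failed password for admin from 198.51.100.9"
       for h in range(0, 6)]
)

LINE_RE = re.compile(r"^(\S+) sshd: Failed password for \S+ from (\S+)$")


def parse(log_text):
    """Return a time-sorted list of (timestamp, source_ip) for failed logins."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return sorted(events)


def sliding_window_alerts(events, threshold, window):
    """Return {source_ip: time_of_first_alert} for every source that reaches
    `threshold` failures inside any sliding window of length `window`."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    alerts = {}
    for ts, src in events:
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # evict attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    # The question's proposed rule: 10 failures within one minute.
    print("10/min rule  :", sliding_window_alerts(evts, 10, timedelta(minutes=1)))
    # A low-and-slow rule: 5 failures within 24 hours.
    print("5/24h rule   :", sliding_window_alerts(evts, 5, timedelta(hours=24)))
```

Tuning is then a matter of running both rules over your own IPS/auth history: the short window keeps alert volume low for bulk scanners, while the long window is what surfaces the one-per-hour guessing noci describes.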
sunhux (Author) commented:
So what are the recommended settings/values?
noci (Software Engineer) commented:
TBH, I doubt there is a "best" setting.... It depends on what your auditors want to see. If you need to feed the auditors, then you need to analyze your threats and set up rules to take those threats into account. I have no blanket recommendation; maybe others have?
sunhux (Author) commented:
noci (Software Engineer) commented:
You need to investigate all threats... Look at the surface you expose to attack, and first minimize that exposure.
You need procedures for maintenance & incident follow-up.
Then you can start sampling attempts etc. and analyze.
And then adjust all of the above to accommodate the observed issues.

And you may very well not notice something, because attackers also try to stay low (some of them... others just try in bulk).

noci (Software Engineer) commented:
From that, you may find this a useful reference:

Lynis from   might give some insight.
Lynis is a tool that tries to assess the state of a system and holds some common-knowledge or best-practice benchmarks
(although they might be buried in code).