Splunk Use Case Library 2016-09-29

Splunk Use Case Repository Sept 29th 2016

Copyright 2016

The information transmitted in this document is intended only for the addressee and may contain confidential and/or privileged material. Any interception, review, retransmission, dissemination or other use of or taking of any action upon this information by persons or entities other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. Proprietary and Confidential Information shall include, but not be limited to, performance, sales, financial, contractual and special marketing information, ideas, technical data and concepts originated by the disclosing party, its subsidiaries and/or affiliates, not previously published or otherwise disclosed to the general public, not previously available without restriction to the receiving party or others, nor normally furnished to others without compensation, and which the disclosing party desires to protect against unrestricted disclosure or competitive use, and which is furnished pursuant to this document and appropriately identified as being proprietary when furnished. Copyright © 2016 Splunk, Inc. All rights reserved. The Splunk logo is a registered trademark of Splunk. All other products and company names mentioned herein are trademarks or registered trademarks of their respective owners.

Version Control SECURITY PROGRAM REVIEW Client Name

None

Client Contact Document Issue No

2.1

Author(s)

Ryan Faircloth

Delivery Date

July 20th 2016

Data Classification

Proprietary

Splunk, Inc. 250 Brannan Street, 2nd Floor San Francisco, CA 94107

+1.415.568.4200(M ain) +1.415.869.3906 (Fax) www.splunk.com

Professional Services/Security Use Case Workshop The use case development workshop is designed to assist the customer in the process of cataloging business drivers and requirements used to guide the customer delivery team assisted by Splunk Consultants in delivery of a solution that will meet the customers needs and budget. Using information gained from the workshop the project team will deliver a prioritized list of data sources for on data boarding and use case adoption for the cyber security operations team.

Preparation Identify essential and beneficial staff per session based on the agenda that follows Secure meeting space Minimize meeting location changes as this is disruptive to progress and contributes to no shows Adequate seating for attendes One, preferable 2 projectors/screens Guest Wifi White boards Splunk will provide a Webex session and use digital whiteboards, and utilize recording unless the customer has objections, this is utilized to review enrich notes as needed to prepare deliverables and is not required if the customer is uncomfortable Collect supporting documentation electronically All applicable internal policies and supporting standards such as Information Resource Classification Information Retention and Destruction Infrastructure logging and configuration Database Logging and Configuration Application Logging and Configuration Inventory of Standards with requirments for logging and monitoring applicable to your business Internal Audit/Self Asessment for applicable security standards such as PCI/SOX/HIPPA inclusive current draft reports External Audit/Self Asessment for applicable security standards such as PCI/SOX/HIPPA Identifiy the following project roles and schedule for attendance Project Manager Senior Business Analyst Senior Technical Analyst/Architect Senior Security Analyst Test Lead Executive Sponsor Executive Stakeholders or immediate deputies Compliance Analysts Internal Assors

Typical Agenda 3 days The following agenda can be modified collaboratively if needed, our experience has been that we must allow some blocks of time between sessions and start/end of day to avoid walk aways due to urgent business need arising during the day. Opening Session 9:30-11:00 (all participants) Openings and personal introductions, roles and responsibilities (all) Presentation of methodology for the workshop (splunk) Executive Round Table discus formal and informal project drivers other goals and success criteria. Review audit findings, addressable items, mandated remediations Review prior year penetration test findings Review burdensome existing compliance and reporting activities Working Sessions each session will present a set of use cases to the team for joint evaluation and prioritization based on the criteria developed in the opening session. Each session requires a representative with relevant experience in the domain and empowerment to set priority within the bounds given. A deputy for each executive stakeholder should attend working sessions additional participants are welcome. Working Session #1 D1 11:00 13:00 (with 1 hour lunch) Review out of box use cases for Enterprise Security Identify and catalog required data, enrichment and applicable use cases Working Session #2 D1 13:00 - 16:00 Review Professional Services/Customer developed Security Use cases Identify and catalog required data, enrichment and applicable use cases Working Session #3 D2 9:30 - 12:00 Identify and catalog required data, enrichment and applicable use cases for gap areas in enterprise endpoint estate Working Session #4 D2 13:00 - 15:00 Identify and catalog required data, enrichment and applicable use cases for gap areas in enterprise network estate Working Session #5 D3 9:30 - 12:00

Review tabled items from prior sessions, interview stake holders identified in prior sessions but not planed Review Session 14:00 - 16:00 Review items captured Resort priority based on latter learning

1. Value Narrative and Use Case Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1 Adoption Motivations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1 Motivating Problem Type View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.1 PRT01-Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.1.1 PRT01Compliance-PCI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.1.2 PRT02Compliance-NercCIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.1.3 PRT03Compliance-NIST Cyber Security Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.1.4 PRT04-FFIEC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.2 PRT02-SecurityVisibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.2.1 PRT02-IdentifyPatientZero . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.2.2 PRT02-SecurityVisibilityEndpointMalware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.2.3 PRT02-SecurityVisibilityExfiltration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.2.4 PRT02-SecurityVisibilityLateralMovement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.2.5 PRT02-SecurityVisibilityPhishingAttack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.2.6 PRT02-SecurityVisibilityPriviledgeUserMonitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.2.7 PRT02-SecurityVisibilityUserActivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.2.8 PRT02-SecurityVisibilityZeroDayAttacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.2.9 PRT02-SecurityVisiblityWebbait . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.3 PRT03-PeerAdoption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.3.1 PRT03-PeerAdoption-Phase1-Essentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.3.2 PRT03-PeerAdoption-Phase2-Maturing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.3.3 PRT03-PeerAdoption-Phase3-Mature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.3.4 PRT03-PeerAdoption-Phase4-Edge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.4 PRT04-ProcessEffectivness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.4.1 PRT04-ProcessEffectivness-HuntPaths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.5 PRT05-Tactical Threat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.5.1 PRT05-TacticalThreat-InsiderThreat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.5.2 PRT05-TacticalThreat-Ransomeware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.5.3 PRT05-TacticalThreat-SpearphishingCampaign . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.6 PRT06-SecureConfigurationMgmt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.6.1 PRT06-SecureConfigurationMgmtUpdateManagement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.6.2 PRT06-SecureConfigurationMgmtVulnerability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.7 PRT07-SpecialRequests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.7.1 PRT07-SpecialRequests-Creative . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.8 PRT08-ProductAdoption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1.8.1 PRT08-ProductAdoption-ES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.2 Motivating Risk View Perspective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.2.1 RV1-AbuseofAccess . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.2.2 RV2-Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.2.3 RV3-MaliciousCode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.2.4 RV4-ScanProbe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.2.5 RV5-DenialofService . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.2.6 RV6-Misconfiguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.3 Supporting Data View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.3.1 DS001MAIL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.3.2 DS002DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.3.3 DS003Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.3.4 DS004EndPointAntiMalware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.3.5 DS005WebProxyRequest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.3.6 DS006UserActivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.3.7 DS007AuditTrail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.3.8 DS008HRMasterData . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.3.9 DS009EndPointIntel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.3.10 DS010NetworkCommunication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.3.11 DS011MalwareDetonation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.3.12 DS012NetworkIntrusionDetection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.3.13 DS013TicketManagement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.3.14 DS014WebServer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.3.15 DS015ConfigurationManagement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.3.16 DS016DataLossPrevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.3.17 DS017PhysicalSecurity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.3.18 DS018VulnerabilityDetection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.3.19 DS019PatchManagement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.3.20 DS020HostIntrustionDetection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.3.21 DS021Telephony . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.3.22 DS022Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.3.23 DS023CrashReporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.3.24 DS024ApplicationServer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4 Supporting Event Type View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.1 DS001Mail-ET01Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.2 DS001Mail-ET02Receive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.3 DS001Mail-ET03Send . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

5 11 12 14 17 23 27 34 35 36 37 39 40 41 42 43 45 46 47 48 50 57 59 61 62 63 64 66 69 70 71 72 73 74 75 76 89 90 93 95 98 100 101 103 105 107 110 120 124 127 130 132 134 137 142 147 149 151 153 155 156 157 158 159 161 162 163 164 165 166 167 168

1.1.4.4 DS002DNS-ET01Query . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.4.1 DS002DNS-ET01QueryRequest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.4.2 DS002DNS-ET01QueryResponse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.5 DS003Authentication-ET01Success . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.6 DS003Authentication-ET02Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.6.1 DS003Authentication-ET02FailureBadFactor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.6.2 DS003Authentication-ET02FailureError . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.6.3 DS003Authentication-ET02FailureUnknownAccount . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.7 DS004EndPointAntiMalware-ET01SigDetected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.8 DS004EndPointAntiMalware-ET02UpdatedSig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.9 DS004EndPointAntiMalware-ET03UpdatedEng . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.10 DS005WebProxyRequest-ET01Requested . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.10.1 DS005WebProxyRequest-ET01RequestedWebAppAware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.11 DS005WebProxyRequest-ET02Connect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.12 DS006UserActivity-ET01List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.13 DS006UserActivity-ET02Read . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.14 DS006UserActivity-ET03Create . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.15 DS006UserActivity-ET04Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.16 DS006UserActivity-ET05Delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.17 DS006UserActivity-ET06Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.18 DS006UserActivity-ET07ExecuteAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.19 DS007AuditTrail-ET01Clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.20 DS007AuditTrail-ET02Alter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.21 DS007AuditTrail-ET03TimeSync . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.22 DS008HRMasterData-ET01Joined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.23 DS008HRMasterData-ET02SeperationNotice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.24 DS008HRMasterData-ET03SeperationImmediate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.25 DS009EndPointIntel-ET01ObjectChange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.26 DS009EndPointIntel-ET01ProcessLaunch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.27 DS010NetworkCommunication-ET01Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.27.1 DS010NetworkCommunication-ET01TrafficAppAware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.28 DS010NetworkCommunication-ET02State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.29 DS011MalwareDetonation-ET01Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.30 DS012NetworkIntrusionDetection-ET01SigDetection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.31 DS013TicketManagement-ET01 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.32 DS014WebServer-ET01Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.33 DS015ConfigurationManagement-ET01General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.34 DS016DataLossPrevention-ET01Violation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.35 DS017PhysicalSecurity-ET01Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.36 DS018VulnerabilityDetection-ET01SigDetected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.37 DS019PatchManagement-Applied . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.38 DS019PatchManagement-Eligable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.39 DS019PatchManagement-Failed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.40 DS020HostIntrustionDetection-ET01SigDetected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.41 DS021Telephony-ET01CDR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.42 DS022Performance-ET01General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.43 DS023CrashReporting-ET01General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.4.44 DS024ApplicationServer-ET01General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.5 Technology Provider View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.5.1 PT001-Microsoft-Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.5.2 PT002-Splunk-Stream . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.5.2.1 PT002-Splunk-Stream-DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.5.2.2 PT002-Splunk-Stream-DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.5.2.3 PT002-Splunk-Stream-SMTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.5.3 PT003-ExtraHop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.5.3.1 PT003-ExtraHop-DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.5.3.2 PT003-ExtraHop-SMTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.5.4 PT004-McAfee Web Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.5.5 PT005-Microsoft-Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.5.6 PT006-PaloAlto Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.5.7 PT008-Snort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.5.8 PT009-SourceFire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.5.9 PT010-Websense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.5.10 PT011-Bluecoat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.5.11 PT012-Splunk-InternalLogging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.5.12 PT013-ISCBIND-DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.5.13 PT014-PhysicalAccessControl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.5.14 PT015-Linux-Deb/RH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.5.15 PT016-Cisco-ASA/PIX/FWSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.5.16 PT017-Trend-TippingPoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.6 Enrichment Data View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.6.1 DE001AssetInformation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

169 171 172 173 176 177 178 179 180 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 205 207 208 212 214 216 218 219 220 221 222 223 224 225 227 228 229 230 231 232 234 235 236 237 238 239 240 241 242 244 245 246 247 248 249 250 251 252 253 255 256 257

1.1.6.2 DE002IdentityInformation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259 1.2 Adoption Narratives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260 1.2.1 Adoptable Compliance and Security Narratives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261 1.2.1.1 UC0001 Detection of new/prohibited web application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265 1.2.1.2 UC0002 Detection of prohibited protocol (application) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266 1.2.1.3 UC0003 Server generating email outside of approved usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267 1.2.1.4 UC0004 Excessive number of emails sent from internal user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268 1.2.1.5 UC0005 System modification to insecure state . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269 1.2.1.6 UC0006 Windows security event log purged . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270 1.2.1.7 UC0007 Account logon successful method outside of policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 1.2.1.8 UC0008 Activity on previously inactive account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272 1.2.1.9 UC0009 Authenticated communication from a risky source network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273 1.2.1.10 UC0010 Detect unauthorized use of remote access technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274 1.2.1.11 UC0011 Improbable distance between logins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275 1.2.1.12 UC0012 Increase risk score of employees once adverse seperation is identified or anticipated . . . . . . . . . 276 1.2.1.13 UC0013 Monitor change for high value groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277 1.2.1.14 UC0014 Monitor use attempts of human accounts once primary account is expired disabled or deleted . . 278 1.2.1.15 UC0015 Privileged user accessing more than expected number of machines in period . . . . . . . . . . . . . . . 279 1.2.1.16 UC0016 Successfully authenticated computer accounts accessing network resources . . . . . . . . . . . . . . . . 280 1.2.1.17 UC0017 Unauthorized access or risky use of NHA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281 1.2.1.18 UC0018 Unauthorized access SSO brute force . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282 1.2.1.19 UC0019 User authenticated to routine business systems while on extended absense . . . . . . . . . . . . . . . . 283 1.2.1.20 UC0020 Attempted communication through external firewall not explicitly granted . . . . . . . . . . . . . . . . . . . 284 1.2.1.21 UC0021 Communication outbound to regions without business relationship . . . . . . . . . . . . . . . . . . . . . . . . 285 1.2.1.22 UC0022 Endpoint communicating with an excessive number of unique hosts . . . . . . . . . . . . . . . . . . . . . . . 286 1.2.1.23 UC0023 Endpoint communicating with an excessive number of unique ports . . . . . . . . . . . . . . . . . . . . . . . 287 1.2.1.24 UC0024 Endpoint communicating with external service identified on a threat list. . . . . . . . . . . . . . . . . . . . . 288 1.2.1.25 UC0025 Endpoint Multiple devices in 48 hours in the same site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289 1.2.1.26 UC0026 Endpoint Multiple devices in 48 hours in the same subnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290 1.2.1.27 UC0027 Endpoint Multiple devices in 48 hours owned by users in the same organizational unit . . . . . . . . 291 1.2.1.28 UC0028 Endpoint Multiple infections over short time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292 1.2.1.29 UC0029 Endpoint new malware detected by signature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294 1.2.1.30 UC0030 Endpoint uncleaned malware detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296 1.2.1.31 UC0031 Non human account starting processes not associated with the purpose of the account . . . . . . . 297 1.2.1.32 UC0032 Brute force authentication attempt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298 1.2.1.33 UC0033 Brute force authentication attempt distributed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299 1.2.1.34 UC0034 Brute force successful authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300 1.2.1.35 UC0035 Compromised account access testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301 1.2.1.36 UC0036 Compromised account access testing (Critical/Sensitive Resource) . . . . . . . . . . . . . . . . . . . . . . . 302 1.2.1.37 UC0037 Network Intrusion External - New Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303 1.2.1.38 UC0038 Excessive use of Shared Secrets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304 1.2.1.39 UC0039 Use of Shared Secret for access to critical or sensitive system . . . . . . . . . . . . . . . . . . . . . . . . . . . 305 1.2.1.40 UC0040 Use of Shared Secret for or by automated process with risky attributes . . . . . . . . . . . . . . . . . . . . 306 1.2.1.41 UC0041 SSH v1 detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307 1.2.1.42 UC0042 SSH Authentication using unknown key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308 1.2.1.43 UC0043 Direct Authentication to NHA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309 1.2.1.44 UC0044 Network authentication using password auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310 1.2.1.45 UC0045 Local authentication server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311 1.2.1.46 UC0046 Endpoint failure to sync time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312 1.2.1.47 UC0047 Communication with newly seen domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313 1.2.1.48 UC0049 Detection of DNS Tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315 1.2.1.49 UC0051 Excessive physical access failures to CIP assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319 1.2.1.50 UC0052 Non-CIP user attempts to access CIP asset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320 1.2.1.51 UC0065 Malware detected compliance asset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321 1.2.1.52 UC0071 Improbably short time between Remote Authentications with IP change . . . . . . . . . . . . . . . . . . . . 322 1.2.1.53 UC0072 Detection of unauthorized using DNS resolution for WPAD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323 1.2.1.54 UC0073 Endpoint detected malware infection from url . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324 1.2.1.55 UC0074 Network Intrusion Internal Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326 1.2.1.56 UC0075 Network Malware Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327 1.2.1.57 UC0076 Excessive DNS Failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328 1.2.1.58 UC0077 Detection Risky Referral Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330 1.2.1.59 UC0079 Use of accountable privileged identity to access new or rare sensitive resource . . . . . . . . . . . . . . 331 1.2.1.60 UC0080 Trusted Individual exceeds authorization in observation of other users . . . . . . . . . . . . . . . . . . . . . 333 1.2.1.61 UC0081 Communication with unestablished domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334 1.2.1.62 UC0082 Communication with enclave by default rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335 1.2.1.63 UC0083 Communication from or to an enclave network permited by previously unknown or modified firewall rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336 1.2.1.64 UC0084 Monitor Execution of Triage Activtity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337 1.2.1.65 UC0085 Alert per host where web application logs indicate a source IP not classified as WAF . . . . . . . . . 338 1.2.1.66 UC0086 Detect Multiple Primary Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339 1.2.1.67 UC0087 Malware signature not updated by SLA for compliance asset . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340 1.2.1.68 UC0088 User account sharing detection by source device ownership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341

1.2.1.69 UC0089 Detection of Communication with Algorithmically Generated Domain . . . . . . . . . . . . . . . . . . . . . . 1.2.1.70 UC0090 User account cross enclave access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.1.71 UC0091 Validate Execution of Vulnerability Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.1.72 UC0092 Exception to Approved Flow for Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.1.73 UC0093 Previously active account has not accessed enclave/lifecycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.1.74 UC0094 Insecure authentication method detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.2 Adoptable IT Operations Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.2.1 Enterprise Service Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.2.1.1 ITOAUC-0001 Enterprise Service Availability Messaging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.2.1.2 ITOAUC-0002 Enterprise Service Availability Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3 Product Enterprise Security Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.1 UCESS002 Abnormally High Number of Endpoint Changes By User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.2 UCESS003 Abnormally High Number of HTTP Method Events By Src . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.3 UCESS004 Account Deleted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.4 UCESS005 Activity from Expired User Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.5 UCESS006 Anomalous Audit Trail Activity Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.6 UCESS007 Anomalous New Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.7 UCESS008 Anomalous New Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.8 UCESS009 Asset Ownership Unspecified . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.9 UCESS010 Anomalous New Listening Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.10 UCESS011 Brute Force Access Behavior Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.11 UCESS012 Brute Force Access Behavior Detected Over One Day . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.12 UCESS013 Cleartext Password At Rest Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.13 UCESS014 Completely Inactive Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.14 UCESS015 Concurrent Login Attempts Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.15 UCESS016 Default Account Activity Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.16 UCESS017 Default Account At Rest Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.17 UCESS018 Excessive DNS Failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.18 UCESS019 Excessive DNS Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.19 UCESS020 Excessive Failed Logins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.20 UCESS021 Excessive HTTP Failure Responses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.21 UCESS022 Expected Host Not Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.22 UCESS023 Alerts on access attempts that are improbably based on time and geography. . . . . . . . . . . . . 1.2.3.23 UCESS024 High Number of Hosts Not Updating Malware Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.24 UCESS025 High Number Of Infected Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.25 UCESS026 High Or Critical Priority Host With Malware Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.26 UCESS027 High or Critical Priority Individual Logging into Infected Machine . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.27 UCESS028 High Process Count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.28 UCESS030 High Volume of Traffic from High or Critical Host Observed . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.29 UCESS031 Host Sending Excessive Email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.30 UCESS032 Host With A Recurring Malware Infection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.31 UCESS033 Host With High Number Of Listening ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.32 UCESS034 Host With High Number Of Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.33 UCESS035 Host With Multiple Infections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.34 UCESS036 Host With Old Infection Or Potential Re-Infection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.35 UCESS037 Inactive Account Activity Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.36 UCESS038 Insecure Or Cleartext Authentication Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.37 UCESS039 Multiple Primary Functions Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.38 UCESS040 Network Change Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.39 UCESS041 Network Device Rebooted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.40 UCESS042 New User Account Created On Multiple Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.41 UCESS043 Outbreak Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.42 UCESS044 Personally Identifiable Information Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.43 UCESS045 Potential Gap in Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.44 UCESS046 Prohibited Process Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.45 UCESS047 Prohibited Service Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.46 UCESS048 Same Error On Many Servers Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.47 UCESS049 Short-lived Account Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.48 UCESS050 Should Timesync Host Not Syncing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.49 UCESS051 Substantial Increase In Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.50 UCESS052 Substantial Increase In Port Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.51 UCESS053 Threat Activity Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.52 UCESS056 Unapproved Port Activity Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.53 UCESS057 Unroutable Activity Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.54 UCESS058 Untriaged Notable Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.55 UCESS059 Unusual Volume of Network Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.56 UCESS060 Vulnerability Scanner Detected (by events) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.57 UCESS061 Vulnerability Scanner Detected (by targets) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.58 UCESS062 Watchlisted Event Observed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.59 UCESS063 Web Uploads to Non-corporate Sites by Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.4 Product Splunk PCI App Security Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412

Value Narrative and Use Case Repository Purpose A narrative defining a business impacting problem and a logical solution are the essential elements of each use case in the repository. Each narrative is cataloged using a number of fields allowing search ability within the repository. The fields themselves allow the consuming user to define a rubric for the problem type being addressed to arrive at a number of valid narratives which can be proposed to address the problem at hand.

Introduction

Target Audience The repository has a number of well define audience targets each as the repository evolves each group should be better served. Account Team - Utilizing key terms from customer dialog identify value proposition based on customer experiences Sales Engineering - Cross reference Core, Premium, Third party, and services solutions to support customer objectives Professional Services Managers - Better estimate project scope utilizing objective based planning with the ability to plan schedule based on prior experiences Professional Services Consultant - Better understand what was agreed to and implementation requirements

Scope Presently the scope of the repository if focused on addressing motivating problems experienced by leaders in the Information Security and Compliance markets.

How to Navigate Reactive Use of the repository allows the user to work along side the customer, typically analysts, managers, and architects, to demonstrate value which is currently being realized or can be realized based on data sources. Careful consideration should be made in how the narratives are presented. The amount of information can be overwhelming. Using the left hand navigation menu or a short cut below begin with one of the following "views" Supporting Data View - Supporting data represents types of data utilized to support a solution eventually achieving a business objective. These data types can be consumed equally by use case narratives regardless of the underling technology. In some cases we recognize that all technology sources are not equal and further define specific "events" and critical fields that must be provided to successfully implement a narrative. This approach allows the user to head off failure on implementation when a give combination can not achieve success. Technology Provider View - Technology Providers roughly equate to Splunk Technology Add Ons. When working with preexisting technology implementations the user can utilize this view to determine what use cases may be possible in a customer environment.

Proactive Use of the repository allows the user to work along side the customer, typically executive leaders and senior leaders to identify the opportunities within the organization where the greatest value gains can be realized for the smallest opportunity costs. When used in this way the Account team can being documenting the motivating problems, ideal solution narratives (use cases), and perceived value early in the relationship. These artifacts can easily be used by the account team, customer success, and professional services to assist the customer in staying on track to value delivery and recognition of product value. This approach is summarized as objective lead solutions development. Using the left hand navigation menu or a short cut below begin with one of the following "views" Motivating Problem Type View - Motivating problems are those broad business needs requiring generally these are targeted at the expected level conversation with executive leaders and senior leaders in a given organization. Our goal is to assist in defining the problem to be addressed in such a way as to be clearly understood by all parties involved. These defined problems can become natural

Copyright © 2016, Splunk Inc.

missions or objectives with charter and support from all involved. Motivating Risk View Perspective - Risk mitigation is tangential to the traditional view of business value, to address this motivation and realize value the customer will place an artificial cost on the occurrence of an event narratives and solutions will provide support for the decision makers to show the broader business leadership that risks are being addressed proactively through the development of detection and monitoring processes.

How to read the use case narrative The use case narrative is designed using the Rosetta Stone metaphor, it is intended that users may approach from a number of perspective and engage in dialog with users of another perspective.

Motivation and Data The Motivation, Data source and Enrichment requirements connect the narrative to the customer motivation and supporting data requirements for success.

Motivating Problem Type View Motivating problems are those broad business needs requiring generally these are targeted at the expected level conversation with executive leaders and senior leaders in a given organization. Our goal is to assist in defining the problem to be addressed in such a way as to be clearly understood by all parties involved. These defined problems can become natural missions or objectives with charter and support from all involved. Motivating Risk View Perspective Risk mitigation is tangential to the traditional view of business value, to address this motivation and realize value the customer will place an artificial cost on the occurrence of an event narratives and solutions will provide support for the decision makers to show the broader business leadership that risks are being addressed proactively through the development of detection and monitoring processes. Supporting Data View Supporting data represents types of data utilized to support a solution eventually achieving a business objective. These data types can be consumed equally by use case narratives regardless of the underling technology. In some cases we recognize that all technology sources are not equal and further define specific "events" and critical fields that must be provided to successfully implement a narrative. This approach allows the user to head off failure on implementation when a give combination can not achieve success. Data Definition - Tracker Data Definitions for tracking are dynamic lists created by search processes used to enrich latter searches as search time lookups. Data Definition - Enrichment Dynamic external or static content utilized at search time to provide critical contextual information for events.

Adoption The first section of each use case contains a brief descriptive narrative element, followed by adoption phase descriptors. Three types of adoption phase descriptors are used:


Adoption Phase SME Adoption Phase SME represents the current status of the narrative in the development life cycle. This attribute will assist the user and customer in determining the timing of use case implementation. APS-Accepted — The third stage of development "Accepted" indicates the RFC period has completed and the

narrative is awaiting implementation or pilot. APS-Obsolete — Used when a narrative concept is replaced by one or more new narratives delivering higher value or when for external reasons the narrative is no longer relevant to a meaningful number of customers. APS-Pilot — The fifth state of development indicates one or more customers is testing the narrative concept. Additional knowledge gained in the pilot may prompt a return to RFC or permit advancement to the next stage. APS-POC — The forth stage "Proof of Concept" allows for testing a narrative using demonstration data or partial implementation in a live environment before adoption as a pilot APS-Productized — The third stage of development "Productized" indicates the RFC period has completed and the narrative is awaiting implementation or pilot. APS-Proposed — Proposed narrative not yet tested in the field APS-ProposedField — A proposed narrative based on solutions developed in the field. Reserved for "live" narratives. APS-Rejected — At any point in the development live cycle a narrative may be rejected. Future developments in data sources, enrichment, technology, or the concept may permit a rejected narrative to return to the accepted phase. APS-Release — The final stage adoption is release, in this phase the narrative is considered complete. Revisions may occur in the narrative or implementation within the boundaries of the original stated objective. APS-RFC — The second phase in narrative development Request for Comments, allows interested parties to provide feedback to enhance the clarity of the narrative, including goals, data sources, enrichment and addressed problems.

Adoption Phase Customer The adoption phase of the customer describes the appropriate timing for this narrative in the continuum of the customer journey. APC-Edge — An edge use case is adopted by a customer for reasons which may be described in the

narrative. These reasons typically motivate customers in specific circumstances to adopt a use case narrative though we may not expect adoption by other customers in similar verticals or maturity stages. APC-Essential — An essential use case narrative when filtered by a Motivating problem describes a solution implemented almost by default. These use cases have qualities such as easy implementation, immediate high value return, or compliance satisfaction as justification for early adoption. APC-Mature — A Mature use case narrative when filtered by a Motivating problem describes a solution used to expand value from existing data sources or to justify the addition of data sources. APC-Maturing — A Maturing use case narrative when filtered by a Motivating problem describes a solution which will present a high value to the customer; however, customer maturity, implementation requirements, data sources, or complexity would likely cause delays. APC-Superceded — A Superceded use case narrative has been replaced with one or more improved narratives. The excerpt of the Superceded narrative should be updated to include a direct link to the targets. APC-Undetermined — Adoption phase has yet to be assigned


Adoption Phase Industry The adoption phase based on the industry perspective allows the user to estimate how widely known or how well the narrative could be expected with an audience reasonable well versed in industry trends. This attribute does not speak to deployment of solutions similar to the narrative and is not scientific. API-Accepted — Narratives described as accepted generally have recognized merit and value within the

industry. These narratives have not yet been widely adopted and represent an opportunity to provide value not presently obtained from current solutions within the organization. API-Dated — Narratives described as dated will have little emotional appeal and potentially no longer provide value when implemented. For customers with legacy needs it may be appropriate to recommend some use cases from this category. API-Distinctive — Narratives described as distinctive represent utilization of unique capabilities of the Splunk platform. While it may be possible to implement these narratives outside of the usage of Splunk factors such as specialized skill or complexity make implementation impractical. API-Expected — Narratives described as expected could also be described as must and should do. Adequate adoption in the industry allows the narrative to self justify implementation with little convincing of stakeholders required. API-Known — Narratives described as known would have recognition in the industry. These narratives may still be controversial but have been presented adequately as to not be considered foreign concepts. API-Socializing — Narratives described as socializing in the industry are currently being presented at conferences, spoken about in blogs or other venues and have not yet made an impression of value with the industry community.

Qualification The second section of each use case contains attributes intended to assist the user and customer in evaluating the use case in consideration of the customer environment, skill sets available and work load generated.

Severity Severity of any notable event generated (automatically or manually) as a result of discoveries made utilizing this use case. SV1 - Low — Low severity issues will frequently be trumped by higher priority issues and external work load. In

most organizations low priority issues frequently aged out without review. SV2 - Medium — Medium severity items must be addressed within the organizations service level agreement, however such events may not be an organizational priority. For example, "it will get dealt with, but I may go to lunch or an unrelated meeting before I actually address it." SV3 - High — High severity notable events will interrupt work for immediate attention. Evaluation of a high event may result in a formal incident and or escalation. For example, "I will skip meetings and lunch and other interruptions during the workday to deal with this; however, while I will stay late, I will not come in during the night or skip my child's recital because of it." SV4 - Critical — Critical severity items require immediate and constant attention until resolved. For example: "I will work nights and weekends and Christmas morning if necessary to resolve this."

Rate of Detection Rate of Detection is a non scientific estimate of the number of occurrences for a specified event. RATED0-Rare — Rare events will occur less than once per day on average. RATED1-Common — Common events may occur a few times per day in a typical environment. It is generally

expected that common events will not overwhelm the operations team. RATED2-Frequent — Frequent Events are expected to occur often in a typical event, this type of event may overwhelm a operations team without careful tuning and mitigations. RATED9-Undetermined — Adequate information has not yet been presented to determine this value


FIDELITY The fidelity of a narrative describes the ratio of signal (valid/positive) to noise (invalid/false positive) anticipated based on field experience. FIDELITY-High — This indicates a relatively high signal to noise ratio, and therefore a lower likelihood of false

positives, and it should not require additional searches to validate it. FIDELITY-Low — This indicates a relatively low signal to noise ratio, and therefore a higher likelihood of false positives. Confidence in the output can be increased through other means (i.e. cross-correlation and/or subsequent searches). FIDELITY-Moderate — This indicates an unpredictable signal to noise ratio with a bias towards signal, and therefore a higher likelihood of false positives than high. Confidence in the output can be increased through other means (i.e. cross-correlation and/or subsequent searches). FIDELITY-Undetermined — Adequate information has not yet been presented to determine this value

System Load System load estimates the noticeable impact of the narrative on system performance. LOAD-Excessive — Excessive impact to the system performance. Careful consideration should be made before

adoption of this use case such as limiting the scope to essential systems or users. LOAD-High — High impact to the system performance. Narratives are expected to require a noticeable amount of time to execute. LOAD-Low — Low estimated impact to the system performance. LOAD-Moderate — Moderate estimated impact to the system performance, unlikely to create a perceptible impact for interactive users, may contribute to the latency of scheduled searches. LOAD-Undetermined — Adequate information has not yet been presented to determine this value

Analyst Load Relative level of load or work effort involved in resolution of the notable event AnalystLoad-Automation — Requires no outside information for triage and can be automated to resolution in

many environments. When automation is not available these narratives are considered low. AnalystLoad-High — Requires a large amount of time/effort to triage the notable event. AnalystLoad-Low — Requires a small amount of time/effort to triage the notable event. AnalystLoad-Moderate — Requires a Moderate amount of time/effort to triage the notable event, triage is seldom expected to extend beyond the current shift AnalystLoad-Undetermined — Adequate information has not yet been presented to determine this value

Implementation Skill Relative level of skill necessary to implement the use case. SKILLI-Customer SKILLI-PS-General SKILLI-PS-SecurtityEnabled SKILLI-PS-SecurtitySpecialist SKILLI-Undetermined — Adequate information has not yet been presented to determine this value


Use Case Domains Use case domains reflect the data domain used to support a specific use case. Subject matter expertise will align closely with each individual domain or a sub domain. The repository will be segmented into domains aligning with those defined within Splunk Enterprise Security. Use Case Domain - Access — Use cases related to the use of access, authorized or unauthorized activity which

may identify a threat to the organization. Use Case Domain - Endpoint — Use cases related to the use or modification of an endpoint device in such a way that may be a threat to the organization. Use Case Domain - Identity — Use cases using information about an asset or identity to assign the priority, risk level, impact, and categorization for the object to better inform analysts with context when reviewing notable events. Use Case Domain - Network — Use cases utilizing data from network communications to identify a threat to the organization.

Measurement Each narrative describes appropriate key performance indicators and recommends an appropriate review cadence. Each implementing customer should utilize the metrics to monitor the effectiveness of each narrative in light of the organizations operational objectives.

Artifacts Each narrative describes the components of an implemented solution or provides details on the content packages for implementation.


Adoption Motivations Adoption motivations are an attempt to group together the impetus which drives a potential customer to seek out and/or be open to considering our solution. Here are a few example motivations: New functionality required by mandate (compliance requirement, executive directive, etc.) New functionality requested due to one or more pain points have been identified that need to be alleviated Existing functionality parity required due to a forced replacement (i.e. the existing system is EOL and its functionality must be replaced)


Motivating Problem Type View Motivating problems are those broad business needs requiring generally these are targeted at the expected level conversation with executive leaders and senior leaders in a given organization. Our goal is to assist in defining the problem to be addressed in such a way as to be clearly understood by all parties involved. These defined problems can become natural missions or objectives with charter and support from all involved.

Found 10 search result(s) for title:PRT*.

PRT03-PeerAdoption-Phase2-Maturing (Narrative and Use Case Center) Use case narratives adopted during the second deployment phase of a security operations, monitoring, and response program. Supporting Use Cases Sep 23, 2016

PRT03-PeerAdoption-Phase1-Essentials (Narrative and Use Case Center) Use case narratives adopted during the initial deployment phase of , monitoring, and response program. Supporting Use Cases Sep 23, 2016

PRT04-ProcessEffectivness-HuntPaths (Narrative and Use Case Center) Utilizing searches and automated prompts the analyst will investigate selected events that are considered low fidelity to identify using analytic process potential security weakness or previously unknown threats Jul 20, 2016

PRT08-ProductAdoption (Narrative and Use Case Center) Use cases provided by the Splunk Enterprise Security Application are mapped to the Adoption Phase and grouped by Supporting Data Source to assist the customer and consultant in the selection of use cases for implementation based on the likely readiness of the customer Aug 14, 2016

PRT08-ProductAdoption-ES (Narrative and Use Case Center) Aug 14, 2016

PRT08-ProductAdoption-ES-Maturing (Narrative and Use Case Center) DS010NetworkCommunication Network communication data is often the last chance available to identify the movement of an attacker in, into or out of the organization's network. All firewalls protecting systems in the DMZ, Public internet, segmenting private network from the public internet and segmenting the private network ... Aug 14, 2016

PRT08-ProductAdoption-ES-Mature (Narrative and Use Case Center) DS010NetworkCommunication Network communication data is often the last chance available to identify the movement of an attacker in, into or out of the organization's network. All firewalls protecting systems in the DMZ, Public internet, segmenting private network from the public internet and segmenting the private network ... Aug 14, 2016

PRT08-ProductAdoption-ES-Essentials (Narrative and Use Case Center) DS010NetworkCommunication Network communication data is often the last chance available to identify the movement of an attacker in, into or out of the organization's network. All firewalls protecting systems in the DMZ, Public internet, segmenting private network from the public internet and segmenting the private network ... Aug 14, 2016

PRT04-ProcessEffectivness (Narrative and Use Case Center) High level security visibility problems speak to a need to a unified system for the collection and analysis of event data from many types of systems in the enterprise and in the cloud. Supporting Use Cases Essentials Maturing Apr 07, 2016

PRT03-PeerAdoption (Narrative and Use Case Center) Pressure to emulate similar peers based on the objective of security via minimum accepted industry norms.


This view will assist the user in determine which use cases should be considered in during the adoption phase Apr 07, 2016 A-C

D-M

N-T

U-Z

access asa cim-authentication cim-network-communication cim-network-session cisco creative

data-definition data-source data-source-event ha kb-detect kb-detect-network kb-how-to-article kb-troubleshooting-article loadbalancer

nlb provider-type prt05-tacticalthreat-ransomeware response risk-abuse sev-critical superceded syslog syslog-ng

ucd-access


PRT01-Compliance High level compliance problems regardless of specific regulation or standard applied tend may be addressed with very similar use case narratives. Within the compliance problem type, individual common regulations will be addressed.

Supporting Use Cases Essentials Click here to expand... Found 8 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT01-Compliance".

UCESS045 Potential Gap in Data (Narrative and Use Case Center) Detects gaps caused by the failure of the search head. If saved searches do not execute then there may be gaps in summary data.For the past 5 minutes starting 5 minutes after realtime, return scheduled searches that were successful where the app context ... Aug 16, 2016

UC0006 Windows security event log purged (Narrative and Use Case Center) Manually clearing the security event log on a windows system is a violation of policy and could indicate an attempt to cover malicious actions. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV1AbuseofAccess DS007AuditTrailET01Clear DE001AssetInformation Adoption ... Apr 08, 2016

UC0046 Endpoint failure to sync time (Narrative and Use Case Center) Failure to synchronize time will impact the usefulness of security log data from the endpoint, and potentially prevent valid authentication. Exclude virtual machine guests as their time is synchronized with the virtual host. Problem Types Addressed Risk Addressed Event Data Sources ... Apr 25, 2016

UC0043 Direct Authentication to NHA (Narrative and Use Case Center) Direct authentication via SSH or console session to a non human account indicates a violation of security policy by recording the password of a non human account for later use or by association of a SSH key to a non human account. Problem Types Addressed Risk ... Apr 11, 2016

UC0030 Endpoint uncleaned malware detection (Narrative and Use Case Center) ... Contributing Events Search datamodel Malware MalwareAttacks search search MalwareAttacks.dest="$dest$" Compliance YES Container App DAESSSecKitEndpointProtection Related articles Related articles appear here ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware

UC0020 Attempted communication through external firewall not explicitly granted (Narrative and Use Case Center)

Any attempted communication through the firewall not previously granted by ingress/egress policies could indicate either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions (bypassing the firewall). Legacy Command and Control (a.k.a. C&C or C2 ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware

UC0074 Network Intrusion Internal Network (Narrative and Use Case Center) ... IDSAttacks.category,IDSAttacks.signature `dropdmobjectname("IDSAttacks")` Note alternative implementation with XS should be considered Compliance YES Container App SecKitDAESSNetworkProtection https://securitykit.atlassian.net/wiki/display/GD/SecKitDAESSNetworkProtection Windows 65m@m to 5m@m ... May 09, 2016 Labels: prt05-tacticalthreat-ransomeware


UC0075 Network Malware Detection (Narrative and Use Case Center) ... src dvcip dest product signature severity impact extref `getasset(src)` Compliance YES Container App SecKitDAESSNetworkProtection https://securitykit.atlassian.net/wiki/display/GD/SecKitDAESSNetworkProtection Windows 65m@m to now Cron ... Apr 25, 2016

Maturing Click here to expand... Found 10 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT01-Compliance".

UCESS016 Default Account Activity Detected (Narrative and Use Case Center) Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords and are therefore commonly targeted by attackers using brute force attack tools. Looking across a realtime window of /5 minutes, return lastTime, tag ... Aug 14, 2016

UCESS028 High Process Count (Narrative and Use Case Center) Alerts when host has a high number of processes. This may be due to an infection or a runaway process. For the past 24 hours, get the most recent time and group by destination (host, IP, name) and process. Get the max time by destination and compare ... Aug 14, 2016

UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center) Detects authentication requests that transmit the password over the network as cleartext (unencrypted). Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw, tags and count grouped by the application and destination (host, IP, name ... Aug 14, 2016

UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center) primaryfunctionstracker macro gathers all local procceses, services and listening ports from their trackers and associates identity and asset information with each. Looking back over the past 24 hours, return values of the function and their distinct count grouped by destination (host ... Aug 14, 2016

UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center) Using host based logs such as firewall or host intrusion detection for each asset with a governance category verify communication (accept or reject) has occurred with origination from one or more authorized vulnerability scanners, Problem Types Addressed Risk Addressed ... Jul 12, 2016

UCESS009 Asset Ownership Unspecified (Narrative and Use Case Center) Alerts when there are assets that define a specific priority and category but do not have an assigned owner. Return all assets where the priority is not null and the length of the value in priority is greater than 0 and the category is not null and the length of the value in category is greater than ... Aug 14, 2016

UCESS058 Untriaged Notable Events (Narrative and Use Case Center) Alerts when notable events have not been triaged. For the past 48 hours starting 4 hours after realtime, return notable events that have a status group of New or the owner is unassigned. Return the values time, owner, status, rule ... Aug 14, 2016

UC0094 Insecure authentication method detected (Narrative and Use Case Center) each authentication technology in the network identify the values of authentication events that positively ensure that secure authentication is in use. Alert per authentication technology where a successful event occurs without the required indicators Problem Types Addressed Risk Addressed Event ... Jun 24, 2016


UC0090 User account cross enclave access (Narrative and Use Case Center) Detection of logon with the same account to a production and a non production environment. If an account (not user) has logged into more than one account access management controls have failed and must be remediated Problem Types Addressed Risk Addressed Event Data ... Jun 24, 2016

UC0040 Use of Shared Secret for or by automated process with risky attributes (Narrative and Use Case Center)

Usage (checkout) by an automated process such as software installation of a shared secret or service account where the source of the retrieval is new or outside of the change window. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access ... Apr 11, 2016


PRT01Compliance-PCI Guidance for implementation of logging and monitoring for business as usual compliance with PCI 3.2

Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement

Guidance

1.1.1

In support of testing procedure 1.1.1b maintain online and searchable logs for all change activity. In support of testing procedure 1.1.1b maintain online and searchable records for all change activity

1.1.4

In support of testing procedure 1.1.4.c maintain online and searchable logs for all DS010NetworkCommunication-ET01Traff ic from any dvc designated as cardholder, border, or internet.

1.1.6

In support of 1.1.6.a build upon the work effort invested in 1.1.4 Implement the following monitoring controls: UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall rule In support of 1.1.6.c build upon work effort invested in 1.1.4 Implement the following monitoring controls: UC0082 Communication with enclave by default rule

1.2.1

In support of 1.2.1.c implement the following monitoring controls to ensure continual compliance UC0084 Monitor Execution of Triage Activtity

1.2.3

In support of 1.2.3b build upon the work effort of 1.1.6 ensure consideration in existing process to consider the wifi network as an enclave

1.3.1

In support of 1.3.1 build upon the work effort of 1.1.5 UC0085 Alert per host where web application logs indicate a source IP not classified as WAF

1.4

In support of 1.4.b Ensure data collection for DS010NetworkCommunication-ET02State from all devices in scope

2.1

In support of 2.1.a Ensure data collection for DS003Authentication-ET01Success from all in scope systems. Ensure all PIM systems are correctly identified in DE001AssetInformation and ensure all default accounts have been correctly listed in DE0 02IdentityInformation prior to implementation of UC0007 Account logon successful method outside of policy

2.2.1

In support of 2.2.1.a Ensure data collection for dynamic primary function identification is in place to support the complete definition of DE001AssetInformation UC0086 Detect Multiple Primary Functions

2.2.5

In support of 2.2.4.c Ensure data collection for DS010NetworkCommunication-ET01TrafficAppAware is in place prior to implementation of RP001 New web application or network protocol detected

2.4

Implement a reliable dynamic asset identification solution DE001AssetInformation with the following attributes Appropriate Values for pci_domain by cidr All hosts within the CDE are identified with static IP address All firewalls and interfaces containing the CDE are identified Collect data from the following sources DS010NetworkCommunication-ET01Traffic DS003Authentication-ET01Success (Machine account) DS015ConfigurationManagement-ET01General

3.1

Implement clear logging and collection for each application component responsible for deletion of online CHD. Generate a customer specific use case for the absence of successful reports in the job execution window

3.2

Implement data collection for customer specific data identification system Implement custom use case for new location for PCI information Respond by verification that authentication data is not recorded


3.4.1

If disk/share encryption is used implement data collection for the specific provider supporting the following data types DS003Authentication-ET01Success DS006UserActivity-ET02Read DS006UserActivity-ET06Search

3.5.1

Implement customer specific use case alerting when a key is read, imported or assigned to a specific encrypted resource review for review by the key administrator

3.5.2

Implement customer specific use case alerting when a key is accessed by a human manually review the access with the key administrator

4.1

In support of 4.1.c ensure data collection for DS010NetworkCommunication-ET01TrafficAppAware is in place for all CDE network segments and implement RP001 New web application or network protocol detected

4.2

In support of 4.2.a ensure data collection for DS016DataLossPrevention-ET01Violation is in place and implement customer specific use case for alerting on actual or attempted transmission of CHD via email chat FTP or removable media

5.1

In support of 5.1 ensure data collection for DS004EndPointAntiMalware-ET02UpdatedSig is in place and ensure requires_antivirus is set for all applicable records in DE001AssetInformation implement the following use cases.

5.2

In support of 5.2.b 5.2.c and 5.2.d implement the following use cases UCESS024 High Number of Hosts Not Updating Malware Signatures UC0087 Malware signature not updated by SLA for compliance asset

6.4.1

In support of 6.4.1.b define an enclave for each CDE/lifecycle such that production and non production systems can be identified UC0083 Communication from or to an enclave network permited by previously unknown or modified firewall rule

6.4.2

In support of 6.4.2 define an enclave for each CDE/lifecycle such that production and non production systems can be identified UC0090 User account cross enclave access

6.4.3

In support of 6.4.3 identify ranges or fixed sets of PAN ranges that may be utilized in the non production life cycle and create a set of periodic scripts to asses that no data exists outside of the fixed range. Log the results for compliance reporting.

6.4.4

While not conclusive for all environments the implementation of control 6.4.3 may assist in ongoing evidence of compliance.

6.4.5.x

Not applicable to the logging and monitoring processes

6.4.6


6.5.x

6.6

Capture and retain logs from automated software installation and testing processes to provide evidence of for compliance to the execution of testing against common weaknesses. Capture and retain applicable logs from defect tracking systems to evidence that issues were reported and reviewed without modification prior to release of software to production Using an external vulnerability scanner not granted unfiltered access scan the public facing networks UCESS010 Anomalous New Listening Port UC0091 Validate Execution of Vulnerability Scan Periodically validate the implementation of the load balancer and web application firewall. UC0092 Exception to Approved Flow for Web Applications

6.7


7.x


8.1

In support of this section all authentication success and failure events must be captured for all components of the application infrastructure.

8.1.1

In support of continued monitoring of compliance with 8.1.1 implement the following use cases: UC0039 Use of Shared Secret for access to critical or sensitive system UC0088 User account sharing detection by source device ownership

8.1.2



8.1.3

Support continued compliance and verification through implementation of the following use case UCESS005 Activity from Expired User Identity

8.1.4

Support continued compliance and verification through implementation of the following use case UC0008 Activity on previously inactive account UC0093 Previously active account has not accessed enclave/lifecycle

8.1.5


8.1.6


8.1.7


8.1.8


8.2

Implement an appropriate site specific compliance report to identify that all successful logins to a production enclave use one of the approved authentication factors for that enclave/component.

8.2.1

Support continued compliance and verification through implementation of the following use case UC0094 Insecure authentication method detected

8.2.2


8.2.3


8.2.4


8.2.5


8.2.6


8.3.x

Support continued compliance and verification through implementation of the following use case UC0007 Account logon successful method outside of policy

8.4

Support continued compliance and verification through implementation of the following use case

8.5

Support continued compliance and verification through implementation of the following use case UC0039 Use of Shared Secret for access to critical or sensitive system UC0040 Use of Shared Secret for or by automated process with risky attributes

8.6


8.7


8.8


9.1

Support continued compliance and verification through implementation of the following use case UC0045 Local authentication server Review resulting events in consideration of approved physical access activity, change, incident, problem and virtual remote console logs such as virtual infrastructure and KVM.

9.1.1

See 9.1

9.1.2


9.1.3


9.2


9.3


9.4


9.5


9.6


9.7


9.8



9.9


10.1

Implement collection and retention of the following log sources DS003Authentication DS003Authentication-ET01Success DS003Authentication-ET02Failure

10.2

See below

10.2.1

Implement collection and retention of the following log sources DS006UserActivity-ET02Read

10.2.2

Implement collection and retention of the following log sources DS006UserActivity-ET04Update DS007AuditTrail DS009EndPointIntel DS009EndPointIntel-ET01ProcessLaunch DS009EndPointIntel-ET01ObjectChange DS020HostIntrustionDetection-ET01SigDetected

10.2.3

Implement collection and retention of the following log sources DS007AuditTrail-ET01Clear

10.2.4

Implement collection and retention of the following log sources DS003Authentication-ET02Failure

10.2.5

Implement collection and retention of the following log sources as applied to authentication mechanisms such as directory servers, two factor authentication systems, single sign on systems, and local authentication controls DS006UserActivity-ET03Create DS006UserActivity-ET04Update DS006UserActivity-ET05Delete

10.2.6

Implement collection and retention of the following log sources as applied to the service and configuration utilized in auditing DS006UserActivity-ET04Update Note include service start, stop, and alter for configuration controlling the audit process such as syslog, group policy, windows registry, and database triggers DS007AuditTrail-ET01Clear DS007AuditTrail-ET02Alter

10.2.7

Implement collection and retention of the following log sources as applied to the service and configuration utilized in auditing

10.3

Verify compliance of data sources identified with minimum requirements of the objective

10.4

Implement collection and retention of the following log sources DS007AuditTrail-ET03TimeSync Implement the following use case UC0046 Endpoint failure to sync time

10.5 10.5.1

Implement streaming collection of all log sources. Avoid batch collection activities and build adequate defensive and detective controls to ensure audit processes are not tampered with when batch collection is in use. Implement access controls as is appropriate to limit access to audit trail data in Splunk Implement routine trim of original audit trails such that no audit data is retained on source systems beyond a reasonable amount allowing recovery in the event of streaming collection failure

10.5.2

Implement index integrity features in Splunk

10.5.3

Implement Splunk Archiver function with a write only external service such as Amazon S3 to ensure data is archived to a system under separate control.


10.5.4

Implementation of log collection for all web application server infrastructure logs especially the following: DS002DNS-ET01QueryResponse DS003Authentication-ET01Success DS003Authentication-ET02Failure DS004EndPointAntiMalware-ET01SigDetected DS004EndPointAntiMalware-ET03UpdatedEng DS005WebProxyRequest-ET01Requested DS006UserActivity DS007AuditTrail DS009EndPointIntel-ET01ProcessLaunch DS010NetworkCommunication-ET01Traffic DS014WebServer-ET01Access DS015ConfigurationManagement-ET01General DS018VulnerabilityDetection DS019PatchManagement DS020HostIntrustionDetection-ET01SigDetected

10.5.5

Implementation of log collection for all web application server infrastructure logs especially the following: DS020HostIntrustionDetection-ET01SigDetected

10.6.1

Implementation of a robust set of correlation search to monitor each security technology in the enterprise Management should daily review the PCI dashboards to ensure that notable events have been triaged and are being resolve in accordance with the company policy

10.6.2

Expansion of monitoring beyond the immediate PCI scope to ensure attackers are kept more than one degree away from all PCI systems. Management should daily review critical dashboards such as and act on trends highlighted Enterprise Security Security Posture Incident Review

10.6.3

Notable events determined to indicate suspicious activities should be identified as formal incident and handled in according to industry accepted practices.

10.7

Ensure all in scope event data is retained online and searchable for at minimum of 3 months. Ensure adequate search hardware is available or can be provisions (cloud) to recall and search data up to 1 full year OR ensure at least 1 full year for all data sources is available. Ensure that log infrastructure can not be subject to denial of service attach by external actors by identification of points where external actors can generate sufficient log traffic to cause early purge or failure of logging infrastructure. Identify methods of mitigating this risk.

10.8

Identify methods of detecting and alerting failure of critical control systems to produce events

10.9


11.1


11.2

Collect and retain vulnerability scan data DS018VulnerabilityDetection-ET01SigDetected

11.3


11.4

Implement the following use cases UC0074 Network Intrusion Internal Network

11.5

Implement collection of the following data sources, identify appropriate technology specific use cases for the environment. DS009EndPointIntel DS020HostIntrustionDetection-ET01SigDetected

11.6


12

Not applicable to the logging and monitoring processes except as noted

12.5

Adopt a formal methodology align with enterprise risk assessment to identify risk and detective controls to be implemented and monitored by appropriate sensor/detection technology with correlation in a single security event and information management system


Supporting Documentation PCI Data Security Standard (PCI-DSS)

Version 3.2 Apr 2016 - PCI_DSS_v3-2.pdf


PRT02Compliance-NercCIP Currently, there are 16 critical infrastructure sectors that compose the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have significant implications nationwide, with potential impacts to national economic security, public heath or safety, etc.

NERC CIP Requirements Standard

Requirement

Details

Guidance

CIP-002-3

R2

Critical Asset Identification:

Enrichment:

The responsible entity shall develop a list of its identified critical assets determined through an annual application of the risk-based assessment methodology as required by this standard. List shall be reviewed and updated annually, at minimum. Assets to be considered should include the following:

DDE001 Asset Information

Cyber Security: Critical Cyber Asset Identification

Control centers and backup control centers performing critical functions as described within CIP standards Transmission substations that support the reliable operation of the BES (Bulk Electris System) Generation resources that support the reliable operation of the BES Systems and facilities critical to system restoration, including blackstart generators and substations in the electrical path of transmission lines used for initial system restoration Systems and facilities critical to automatic load shedding under a common control system capable of shedding 300MW or more Special protection systems that support reliable operation of the BES Any additional assets that support reliable operation of the BES CIP-003-3

R5.1

Cyber Security: Security Management Controls

Note: pci_domain field not applicable to CIP assets Use Cases: UC0010 Asset Ownership Unspecified

Access Control:

Enrichment:

The responsible entity shall maintain a list of designated personnel who are responsible for authorizing logical or physical access to protected information.

DDE002 Identity Information

Personnel shall be identified by name, title, and the information for which the are responsible for authorizing access The list of personnel responsible for authorizing access to protected information shall be verified at least annually

In addition to CIP authorized individuals, CIP authorizing personnel should be identified in identity list. Information they are responsible for can be specified in bunit field Use Cases: UC0052 Non-CIP user attempted to access CIP asset UC0013 Monitor change for high value groups

CIP005-3a

R2

Cyber Security: Electronic Security Perimeter

Electronic Access Controls:

Enrichment:

The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s).

DDE002 Asset Information All assets that define the Electronic Security Perimeter (ESP) to be defined in asset list Use Cases: Prohibited Service Detected Unapproved Port Activity Detected UC0007 Anomalous New Process UC0008 Anomalous New Listening Port


CIP005-3a

R3

Cyber Security: Electronic Security Perimeter

Monitoring Electronic Access:

Use Cases:

The Responsible Entity shall implement and document an electronic or manual process(es) for monitoring and logging access at access points to the Electronic Security Perimeter(s) twenty-four hours a day, seven days a week.

Default Account Activity Detected UC0010 Detect unauthorized use of remote access technologies UC0032 Brute force authentication attempt UC0033 Brute force authentication attempt distributed UC0034 Brute force successful authentication

CIP006-3c

R.1.3

Physical Security of Critical Cyber Assets

Physical Security Perimeter:

Enrichment:

Process, tools, procedures to monitor access to physical security perimeter.

Physical Security access logs (lenel, etc) Use Cases: See ESP access control use cases above

CIP007-3a

R2

Cyber Security: System Security Management

Ports and Services:

Enrichment:

The Responsible Entity shall establish, document and implement a process to ensure that only those ports and services required for normal and emergency operations are enabled.

Interesting Ports Lookup Interesting Services Lookup Interesting Processes Lookup Use Cases: UC0007 Anomalous New Listening Port UC0008 Anomalous New Process UCXXXX Unapproved Port Activity Detected UCXXXX Anomalous New Service

CIP007-3a

R3



Security Patch Management:

Enrichment:

The Responsible Entity, either separately or as a component of the documented configuration management process specified in CIP-003-3 Requirement R6, shall establish, document and implement a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s).

DDE001 Asset Information Use Cases: ES Vulnerability Center UCXXXX CIP asset with unpatched RCE (remote code execution) or critical vulnerability

CIP007-3a

R4


Malicious Software Prevention:

Enrichment:

The Responsible Entity shall use anti-virus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).

DDE001 Asset Information Use Cases: ES Malware Center UCESS024 High Number of Hosts Not Updating Malware Signatures UCESS053 Threat Activity Detected UCESS025 High Number Of Infected Hosts UCESS026 High Or Critical Priority Host With Malware Detected UCESS027 High or Critical Priority Individual Logging into Infected Machine UCESS032 Host With A Recurring Malware Infection UCESS035 Host With Multiple Infections UCESS036 Host With Old Infection Or Potential Re-Infection UCESS043 Outbreak Detected

CIP007-3a

R5


Account Management:

Enrichment:

The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access.

DDE001 Asset Information DDE002 Identity Information Use Cases: ES Access Center

UC0053 Successful access to CIP asset outside of baseline activity UC0054 Successful authentication to CIP asset by non-CIP user UC0034 Brute force successful authentication


Supporting Documents CIP


PRT03Compliance-NIST Cyber Security Framework Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. The Order directed NIST to work with stakeholders to develop a voluntary framework – based on existing standards, guidelines, and practices - for reducing cyber risks to critical infrastructure.

Risk Management Strategy (ID.RM) Data Security (PR.DS) Access Control (PR.AC) Protective Technology (PR.PT) Security Continuous Monitoring (DE.CM) Anomalies and Events (DE.AE)


Access Control (PR.AC) NIST Cybersecurity Framework Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions. PR.AC-1: Identities and credentials are managed for authorized devices and users PR.AC-2: Physical access to assets is managed and protected PR.AC-3: Remote access is managed PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate Supporting security use cases 1. UC0051 Excessive physical access failures to CIP assets 2. UC0052 Non-CIP user attempts to access CIP asset 3. Abnormal successful access to CIP asset (time of day, volume of activity, remote, etc) 4. User with non-CIP job function successfully accessed CIP asset (transferred, access not properly removed)

Required data sources - some or all of the following: Firewall allows and blocks Intrusion events Malware detections Change logs Authentication events


Anomalies and Events (DE.AE)


Data Security (PR.DS) NIST Cybersecurity Framework Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. PR.DS-1: Data-at-rest is protected PR.DS-2: Data-in-transit is protected PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition PR.DS-4: Adequate capacity to ensure availability is maintained PR.DS-5: Protections against data leaks are implemented PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity PR.DS-7: The development and testing environment(s) are separate from the production environment Supporting security use cases 1. 2. 3. 4.

UCXXXX Abnormal volume of access to CIP data (unstructured and structured data stores) UCXXXX ARP poisoning detected UCXXXX Abnormal volume of email from internal user (by bytes) UCXXXX Abnormal amount of email from internal user (by volume)

Required data sources - some or all of the following:


Protective Technology (PR.PT)


Risk Management Strategy (ID.RM) NIST Cybersecurity Framework - Risk Management Strategy Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders ID.RM-2: Organizational risk tolerance is determined and clearly expressed ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis Supporting security use cases 1. UCXXXX Asset exceeds risk threshold CIP asset exceeds risk threshold (based on vulnerabilities, scanning attempts, etc) - risk factors determined by system owner

Required data sources - some or all of the following: Firewall allows and blocks Intrusion events Malware detections Change logs Authentication events


Security Continuous Monitoring (DE.CM)


PRT04-FFIEC Information security enables a financial institution to meet its business objectives by implementing business systems with due consideration of information technology (IT)- related risks to the organization, business and trading partners, technology service providers, and customers. Organizations meet this goal by striving to accomplish the following objectives.Underlying Models for IT Security, NIST, SP800-33, p. 2. Availability-The ongoing availability of systems addresses the processes, policies, and controls used to ensure authorized users have prompt access to information. This objective protects against intentional or accidental attempts to deny legitimate users access to information or systems. Scope of monitoring must include all infrastructure involved in banking services in the modern environment Network Infrastructure operational and change for routers switches firewalls and active protection devices Network Communication Network Intrusion Detection Network Load Balancers and Global Load Balancers Application Firewalls Operating System Authentication and Change Audit for server and client operating systems. Network Authentication (local and virtual) Database Server Middleware Application Server Central Authentication and Authorization Use of Distributed Authentication (web SSO, SAML, Kerberos) Two Factor Authentication DNS Request Logs Honeypots Null Routes and Sink Holes email communication logs Integrity of Data or Systems-System and data integrity relate to the processes, policies, and controls used to ensure information has not been altered in an unauthorized manner and that systems are free from unauthorized manipulation that will compromise accuracy, completeness, and reliability. Host Intrusion Detection Antimalware Vulnerability Detection (Active and Passive) IOC detection (scan and result) Entitlement and Access Management Infrastructure Management activity and change Confidentiality of Data or Systems-Confidentiality covers the processes, policies, and controls employed to protect information of customers and the institution against unauthorized access or use. Entitlement and Access Management Data Loss Prevention Accountability-Clear accountability involves the processes, policies, and controls necessary to trace actions to their source. Accountability directly supports nonrepudiation, deterrence, intrusion prevention, security monitoring, recovery, and legal admissibility of records. Logs must be centralized in a secure and reliable manor including such features as log integrity checking, real time collection, and long term storage Assurance-Assurance addresses the processes, policies, and controls used to develop confidence that technical and operational security measures work as intended. Assurance levels are part of the system design and include availability, integrity, confidentiality, and accountability. Assurance highlights the notion that secure systems provide the intended functionality while preventing undesired actions. Operating System Hardening System Compliance Scan and Result Application System Hardening System Compliance Scan and Result Automated Application Penetration Testing Scan and Result Vulnerability Scan and Rsult


PRT02-SecurityVisibility High level security visibility problems speak to a need to a unified system for the collection and analysis of event data from many types of systems in the enterprise and in the cloud. PRT02-IdentifyPatientZero PRT02-SecurityVisibilityEndpointMalware PRT02-SecurityVisibilityExfiltration PRT02-SecurityVisibilityLateralMovement PRT02-SecurityVisibilityPhishingAttack PRT02-SecurityVisibilityPriviledgeUserMonitoring PRT02-SecurityVisibilityUserActivity PRT02-SecurityVisibilityZeroDayAttacks PRT02-SecurityVisiblityWebbait

Supporting Use Cases Essentials Click here to expand... Found 2 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibility".

UCESS061 Vulnerability Scanner Detected (by targets) (Narrative and Use Case Center) Detects a potential vulnerability scanner by detecting devices that have triggered events against a large number of unique targets. Vulnerability scanners generally trigger events against a high number of unique hosts when they are scanning a network for vulnerable hosts.For the past ... Aug 14, 2016

UCESS060 Vulnerability Scanner Detected (by events) (Narrative and Use Case Center) Detects a potential vulnerability scanner by detecting devices that have triggered a large number of unique events. Vulnerability scanners generally trigger a high number unique events when scanning a host since each vulnerability check tends to trigger a unique ... Aug 14, 2016

Maturing Click here to expand... Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibility".

UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center) Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all summary data even ... Aug 14, 2016


PRT02-IdentifyPatientZero In response to incursions identification of patient zero is a critical step. Information gathered in this identification activity can inform the organization as to the methods of the attackers and assist in the preparation of improved defenses.

Supporting Data Types DS002DNS DS003Authentication DS004EndPointAntiMalware DS005WebProxyRequest DS006UserActivity DS008HRMasterData DS009EndPointIntel DS010NetworkCommunication DS011MalwareDetonation-ET01Detection DS017PhysicalSecurity-ET01Access

Supporting Use Cases Essentials

Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibilityPriviledge".

Maturing

Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibilityPriviledge".


PRT02-SecurityVisibilityEndpointMalware High level security visibility problems speak to a need to a unified system for the collection and analysis of event data from many types of systems in the enterprise and in the cloud.

Supporting Data Sources DS002DNS DS004EndPointAntiMalware DS005WebProxyRequest DS009EndPointIntel DS010NetworkCommunication


Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibilityEndpoint".

Maturing

Click here to expand... Found 8 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibilityEndpoint".



UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center) Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ... Aug 16, 2016

UCESS006 Anomalous Audit Trail Activity Detected (Narrative and Use Case Center) Discovers anomalous activity such as the deletion of or clearing of log files. Attackers oftentimes clear the log files in order to hide their actions, therefore, this may indicate that the system has been compromised. Looking across a realtime window of /5 minutes, search for action ... Aug 14, 2016

UCESS037 Inactive Account Activity Detected (Narrative and Use Case Center) Discovers previously inactive accounts that are now being used. This may be due to an attacker that successfully gained access to an account that was no longer being used. Execute the inactiveaccountusage macro and look across the time range of less than 90 days ago and greater ... Aug 14, 2016

UCESS040 Network Change Detected (Narrative and Use Case Center) Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw and count grouped by the device that reported the change dvc (host, IP, name), the action performed on the resource and the command that initiated the change. Problem Types ... Aug 14, 2016

UCESS046 Prohibited Process Detected (Narrative and Use Case Center)


Looking across a realtime window of /5 minutes, run the macro getinterestingprocesses and return processes that isprobhibited is set to true. Run the macros geteventid and mapnotablefields and add the following fields to the output: origeventid (macro creates hash of indexer, time and raw event ... Aug 14, 2016

UCESS047 Prohibited Service Detected (Narrative and Use Case Center) Looking across a realtime window of /5 minutes, run the macro service and return services where isprobhibited is set to true. Run the macros geteventid and mapnotablefields and add the following fields to the output: origeventid (macro creates hash of indexer, time and raw ... Aug 14, 2016


PRT02-SecurityVisibilityExfiltration High level security visibility problems speak to a need to a unified system for the collection and analysis of event data from many types of systems in the enterprise and in the cloud.

Supporting Data Sources DS001MAIL DS003Authentication DS004EndPointAntiMalware DS005WebProxyRequest DS006UserActivity DS007AuditTrail DS008HRMasterData DS009EndPointIntel DS010NetworkCommunication DS014WebServer-ET01Access


Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibilityExfiltration".

Maturing

Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibilityExfiltration".


PRT02-SecurityVisibilityLateralMovement Indication of movement within an organizations network following the compromise of an initial endpoint.

Supporting Data Types DS003Authentication DS006UserActivity DS009EndPointIntel DS010NetworkCommunication DS012NetworkIntrusionDetection-ET01SigDetection


Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibilityLateralMovement".

Maturing

Click here to expand... Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibilityLateralMovement".



PRT02-SecurityVisibilityPhishingAttack High level security visibility problems speak to a need to a unified system for the collection and analysis of event data from many types of systems in the enterprise and in the cloud.

Supporting Data Sources DS001MAIL DS004EndPointAntiMalware DS005WebProxyRequest DS009EndPointIntel DS010NetworkCommunication



Maturing



PRT02-SecurityVisibilityPriviledgeUserMonitoring Users with privileged access to systems or information critical to the business should be monitored with greater scrutiny than users not similarly entrusted.

Supporting Data Types DS003Authentication DS006UserActivity DS008HRMasterData DS009EndPointIntel DS017PhysicalSecurity-ET01Access


Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibilityPriviledge".

Maturing

Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibilityPriviledge".


PRT02-SecurityVisibilityUserActivity High level security visibility problems speak to a need to a unified system for the collection and analysis of event data from many types of systems in the enterprise and in the cloud.


Click here to expand... Found 2 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibilityUserActivity".

UC0036 Compromised account access testing (Critical/Sensitive Resource) (Narrative and Use Case Center) Following a successful authentication, an attacker will attempt to determine what resources may be accessed without causing host intrusion or DLP technologies to detect activity. Commonly the attacker will enumerate and browse to shares, access email, access web applications, or connect to databases ... Apr 08, 2016


Maturing

Click here to expand... Found 10 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibilityUserActivity".





UC0012 Increase risk score of employees once adverse seperation is identified or anticipated (Narrative and Use Case Center)

Increase the risk score of users who have indication of adverse separation. Examples of users with an indication of adverse separation, include but are not limited to the following: User has entered a remediation program with human resources User has been identified as included in a reduction ... Apr 08, 2016

UC0088 User account sharing detection by source device ownership (Narrative and Use Case Center) Detection of logon device by asset name (may require resolution from IP) when logon user does not match the


owner and the number of unique owned devices is greater than two in the prior 24 hours. Exclude assets identified as loaner ... May 16, 2016

UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center) Using web application access logs for assets deemed high/crticial or with the governace attributed ensure the source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices ensure the first "xforwardedfor" entry ... Jun 24, 2016

UC0033 Brute force authentication attempt distributed (Narrative and Use Case Center) When more than 10 failed authentication attempts for known accounts occur for a single account from more than 2 IP addresses in 60 minutes. This could indicate an adversary has identified a specific high value account and is attempting ... Jun 08, 2016

UC0045 Local authentication server (Narrative and Use Case Center) Following provisioning, nix servers seldom require local administration. Investigate any use of local authentication as it may indicate an attempt to compromise the host via KVM or virtual console. Problem Types Addressed Risk Addressed Event Data Sources ... Apr 11, 2016

UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center) Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode RV6Misconfiguration ... Apr 08, 2016

UC0080 Trusted Individual exceeds authorization in observation of other users (Narrative and Use Case Center)

Evaluate queries executed by authorized trusted individuals to determine if the user is observing the behavior of other users for reasons not authorized as part of the user's job function. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess ... Apr 25, 2016


PRT02-SecurityVisibilityZeroDayAttacks High level security visibility problems speak to a need to a unified system for the collection and analysis of event data from many types of systems in the enterprise and in the cloud.

Supporting Data Sources DS001MAIL DS002DNS DS003Authentication DS004EndPointAntiMalware DS005WebProxyRequest DS009EndPointIntel DS010NetworkCommunication DS011MalwareDetonation-ET01Detection DS012NetworkIntrusionDetection-ET01SigDetection DS014WebServer-ET01Access


Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibilityZeroDayAttacks".

Maturing

Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibilityZeroDayAttacks".


PRT02-SecurityVisiblityWebbait Similar to Phishing attacks using baited web content such as compromised advertising systems and watering hole web sites

Supporting Data Sources DS004EndPointAntiMalware DS005WebProxyRequest DS009EndPointIntel DS010NetworkCommunication DS016DataLossPrevention-ET01Violation



Maturing



PRT03-PeerAdoption Pressure to emulate similar peers based on the objective of security via minimum accepted industry norms. This view will assist the user in determine which use cases should be considered in during the adoption phase PRT03-PeerAdoption-Phase1-Essentials PRT03-PeerAdoption-Phase2-Maturing PRT03-PeerAdoption-Phase3-Mature PRT03-PeerAdoption-Phase4-Edge


PRT03-PeerAdoption-Phase1-Essentials

Use case narratives adopted during the initial deployment phase of , monitoring, and response program.

Supporting Use Cases Found 12 search result(s) for title:UC0* contentBody:"APC-Essentials".



UC0002 Detection of prohibited protocol (application) (Narrative and Use Case Center) prohibited protocol such as IRC, FTP, or gopher could indicate malicious activity or the implementation of an insecure system on the network. Consider intranetwork communication and accepted communications from the internet Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware ... Apr 08, 2016

UC0037 Network Intrusion External - New Signatures (Narrative and Use Case Center) External IDS devices reporting an attack using a signature not previously encountered are more likely be successful as new signatures are prompted by newly know attacks in the wild. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware OR is this something ... Apr 08, 2016


UC0003 Server generating email outside of approved usage (Narrative and Use Case Center) Server operating systems often generate email for routine purposes. Configuration management can be used to identify which server may generate email and what recipients are permitted. Identify servers receiving email from the internet without approval Identify ... Apr 19, 2016


UC0030 Endpoint uncleaned malware detection (Narrative and Use Case Center) Endpoint with malware detection where anti malware product attempted to and was unable to clean, remove or quarantine. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected DDE007 Signature Special Processing List ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware


UC0020 Attempted communication through external firewall not explicitly granted (Narrative and Use Case Center) Any attempted communication through the firewall not previously granted by ingress/egress policies could indicate either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions (bypassing the firewall). Legacy Command and Control (a.k.a. C&C or C2 ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware

UC0074 Network Intrusion Internal Network (Narrative and Use Case Center) IDS/IPS detecting or blocking an attack based on a known signature. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS012NetworkIntrusionDetectionET01SigDetection DE001AssetInformation Adoption Phase Customer Adoption Phase SME Adoption Phase ... May 09, 2016 Labels: prt05-tacticalthreat-ransomeware

UC0075 Network Malware Detection (Narrative and Use Case Center) Internal malware detection system such as fire eye devices reporting an attack. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS011MalwareDetonationET01Detection DE001AssetInformation Adoption Phase Customer Adoption Phase SME Adoption ... Apr 25, 2016

UC0029 Endpoint new malware detected by signature (Narrative and Use Case Center) When a new malware variant is detect by endpoint antivirus technology it is possible the configuration or capability of other controls are deficient. Review the sequence of events leading to the infection to determine if additional preventive measures can be put in place. Problem Types Addressed Risk ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware


PRT03-PeerAdoption-Phase2-Maturing Use case narratives adopted during the second deployment phase of a security operations, monitoring, and response program.

Supporting Use Cases Found 57 search result(s) for title:UC0* contentBody:"APC-Maturing".




UC0040 Use of Shared Secret for or by automated process with risky attributes (Narrative and Use Case Center) Usage (checkout) by an automated process such as software installation of a shared secret or service account where the source of the retrieval is new or outside of the change window. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access ... Apr 11, 2016



UC0082 Communication with enclave by default rule (Narrative and Use Case Center) Communication from a enclave network may indicate a misconfiguration that could weaking the security posture of the organization or actual/attempted compromise. Communication filtered by the default rule implies no explicit permission for communication has been granted and should be reviewed. Consider ingress ... Apr 27, 2016

UC0086 Detect Multiple Primary Functions (Narrative and Use Case Center) Using network communication fingerprinting detect distinct primary functions such as SQL, HTTP, DNS by destination asset. Alert if more than one primary function excluding administrative protocols (RDP,SSH, iDrac). Problem Types Addressed Risk Addressed ... Apr 28, 2016

UC0031 Non human account starting processes not associated with the purpose of the account (Narrative and Use Case Center)

Accounts designated for use by services and batch process should start a limited set of child processes. Creation of new child processes other than the process name defined in the service or batch definition may indicate compromise. Problem Types Addressed ... Apr 08, 2016

UC0088 User account sharing detection by source device ownership (Narrative and Use Case Center) Detection of logon device by asset name (may require resolution from IP) when logon user does not match the


owner and the number of unique owned devices is greater than two in the prior 24 hours. Exclude assets identified as loaner ... May 16, 2016

UC0093 Previously active account has not accessed enclave/lifecycle (Narrative and Use Case Center) Identify accounts no longer in use with access to high/critical or enclave systems and remove access when no longer required. Implement a tracking list of accounts and the accessed enclave or business service identifier, maintain the last accessed time and alert when the last ... Jun 24, 2016

UC0083 Communication from or to an enclave network permited by previously unknown or modified firewall rule (Narrative and Use Case Center) Communication from a enclave network may indicate a misconfiguration that could weaking the security posture of the organization or actual/attempted compromise. Maintain a dynamic list of firewall rule names by dvc alert when a rule is named in a allowed communication where the reviewed ... Apr 27, 2016

UC0077 Detection Risky Referral Domains (Narrative and Use Case Center) Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the following sequence occurs New domain in http referrer field First occurrence of domain as sender domain is less than 48 ... Jun 24, 2016 Labels: creative

UC0085 Alert per host where web application logs indicate a source IP not classified as WAF (Narrative and Use Case Center)

Communication to any web application server without filtering by a network web application firewall indicates a security misconfigration. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS014WebServerET01Access DDE001 Asset Information ... Apr 27, 2016


UC0084 Monitor Execution of Triage Activtity (Narrative and Use Case Center) Define and maintain eventypes for unsuppressed notable events separately identifying review work flow, and triage SLA required. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS013TicketManagementET01 TBD Adoption Phase ... Apr 27, 2016



UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center) Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode


RV6Misconfiguration ... Apr 08, 2016

UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center) Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may indicate malicious code. Exclude category svcnetworkscanner Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode RV4ScanProbe ... Apr 08, 2016

UC0041 SSH v1 detected (Narrative and Use Case Center) Authentication using insecure protocol SSH v1 detected. The legacy SSH protocol is inherently insecure indication of accepted SSHv1 sessions indicate a misconfigured system. Attempted and denied sessions indicate system probing or scanning. Problem Types Addressed Risk ... Apr 11, 2016

UC0025 Endpoint Multiple devices in 48 hours in the same site (Narrative and Use Case Center) Multiple infected devices in the same site could indicate a successful watering hole attack. Monitor for more than 5% of the hosts in a site. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected DE001AssetInformation ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware

UC0023 Endpoint communicating with an excessive number of unique ports (Narrative and Use Case Center) Endpoints communicating with an excessive number of unique destination ports could indicate malicious code probing for vulnerabilities. Certain server applications will arrange for communication on a high number port with the client such as ftp in passive mode and RPC on windows server. Utilize category ... Apr 08, 2016

UC0026 Endpoint Multiple devices in 48 hours in the same subnet (Narrative and Use Case Center) Multiple infected devices in the same subnet could indicate lateral movement of an adversary or a possible worm. Monitor for more than 5% of the host addresses on a subnet as it is not readily possible to know how many hosts are active on a subnet. Problem Types Addressed ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware

UC0080 Trusted Individual exceeds authorization in observation of other users (Narrative and Use Case Center) Evaluate queries executed by authorized trusted individuals to determine if the user is observing the behavior of other users for reasons not authorized as part of the user's job function. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess ... Apr 25, 2016

UC0042 SSH Authentication using unknown key (Narrative and Use Case Center) public key utilized for authentication is recorded in the SSHD authentication log. Detection of a new key should be investigated to determine the owner of the key and validate authorization to access the resource. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance ... Apr 11, 2016

UC0044 Network authentication using password auth (Narrative and Use Case Center) Even using SSH encryption, allowing password authentication to Linux/Unix systems over the network increases the attack surface and the possible impact of a compromised account. Investigate and resolve all instances of network authentication utilizing password. Problem Types Addressed ... Apr 11, 2016

UC0032 Brute force authentication attempt (Narrative and Use Case Center) When more than 10 failed authentication attempts for known accounts occur from single endpoint Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access DS003AuthenticationET02Failure DE001AssetInformation DE002IdentityInformation Adoption Phase Customer ... Apr 08, 2016

UC0017 Unauthorized access or risky use of NHA (Narrative and Use Case Center)


Detect the use of a Windows account designated by the organization as a non human account (NHA) outside of the normal usage of such an account. Login where the interactive indicator is set Login where the caller computer is a workstation or terminal server Problem Types Addressed Risk ... Apr 08, 2016

UC0013 Monitor change for high value groups (Narrative and Use Case Center) Detection of change for groups used to control access for sensitive, regulated, or critical infrastructure systems. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access DS006UserActivityET04Update DE002IdentityInformation Identity category terminated Identity category reductioninforce ... Apr 08, 2016

UC0027 Endpoint Multiple devices in 48 hours owned by users in the same organizational unit (Narrative and Use Case Center)

Multiple infected devices in the same organizational unit could indicate a successful spear phishing attack. Monitor for more than 5% of the hosts in an organizational unit. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware

UC0089 Detection of Communication with Algorithmically Generated Domain (Narrative and Use Case Center) Using an algorithm determine text of the registration domain is likely to be generated by a computer excluding known cloud hosting domains, Alexa TOP 1 M domains and domains with long established communication with the organization. Problem Types Addressed Risk Addressed Event ... Jun 24, 2016 Labels: prt05-tacticalthreat-ransomeware, creative

UC0001 Detection of new/prohibited web application (Narrative and Use Case Center) prohibited web application such as Box or a game on the Facebook platform can be detected and filtered by modern web proxy solutions and next generation firewalls. Allowed prohibited applications or New application instances should be reviewed to ensure proper use. Problem Types ... Apr 08, 2016

UC0014 Monitor use attempts of human accounts once primary account is expired disabled or deleted (Narrativ e and Use Case Center)

human user may own multiple accounts. When the primary account of the human is expired, disabled, or deleted, we should expect no further activity from any other account owned by the user. Problem Types Addressed Risk Addressed Event ... Apr 08, 2016

UC0019 User authenticated to routine business systems while on extended absense (Narrative and Use Case Center)

user on leave, vacation, sabbatical, or other types of leave should not access business systems. This could indicate malicious activity by the employee or a compromised account. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access DS003AuthenticationET01Success ... Apr 08, 2016

UC0038 Excessive use of Shared Secrets (Narrative and Use Case Center) Usage of greater than X number of unique shared/secret credentials or more than 1 standard deviation from peers Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access DS006UserActivityET07ExecuteAs ... Apr 11, 2016

UC0008 Activity on previously inactive account (Narrative and Use Case Center) Excluding computer accounts in active directory, an account with new activity that has not been active in the previous thirty days is suspicious. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode DS003AuthenticationET01Success DE002IdentityInformation Adoption ... Apr 08, 2016


UC0039 Use of Shared Secret for access to critical or sensitive system (Narrative and Use Case Center) Use of a secret/shared secret account for access to such a system rather than accountable credentials could indicate an attempt to avoid detection. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access DS006UserActivityET07ExecuteAs ... Apr 11, 2016

UC0047 Communication with newly seen domain (Narrative and Use Case Center) Newly seen domain's may indicated interaction with risky or malicious servers. Identification of new domains via web proxy logs without other IOCs allows the analyst/threat hunter to explore the relevant data and potentially identify weaknesses or risky ... Jul 20, 2016 Labels: prt05-tacticalthreat-ransomeware

UC0018 Unauthorized access SSO brute force (Narrative and Use Case Center) Single IP address attempting authentication of more than two valid users within ten minutes where one or more unique accounts is successful, and one or more accounts is not successful against an approved SSO System. Problem Types Addressed ... Apr 08, 2016

UC0072 Detection of unauthorized using DNS resolution for WPAD (Narrative and Use Case Center) Detection of an endpoint utilizing DNS as a method of proxying by querying for wpad.registrationdomain. Search for reply NXDOMAIN replies for A/AAA queries for wpad (bare host) and wpad. where the domain portion is not a company owned domain. Problem Types Addressed Risk Addressed Event ... Apr 25, 2016

UC0081 Communication with unestablished domain (Narrative and Use Case Center) Egress communication with a newly seen, newly registered, or registration date unknown domain may indicate the presence of malicious code. Assets communicating with external services excluding Alexa TOP 1M whose reputation score exceeds acceptable norms will be flagged ... Apr 25, 2016 Labels: prt05-tacticalthreat-ransomeware

UC0009 Authenticated communication from a risky source network (Narrative and Use Case Center) Internet facing authentication system has allowed authenticated access from a risky source network. Always Anonymizing services such as VPN providers, Proxy systems Threat list identification of IP B2B communications consider the following sources risky Dial ... Apr 08, 2016

UC0007 Account logon successful method outside of policy (Narrative and Use Case Center) logon event properties could indicate account misuse in violation of policy OR as an indication of compromise by comparing the identified purpose of the account to the context of the logon to determine if the account is authorized for such usage. Accounts provisioned for human access should NOT be identified as logging on as a network or batch ... Jun 24, 2016 Labels: creative

UC0028 Endpoint Multiple infections over short time (Narrative and Use Case Center) Multiple infections detected on the same endpoint in a short period of time could indicate the presence of a undetected loader malware component (apt). Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected DE001AssetInformation DDE007 ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware

UC0005 System modification to insecure state (Narrative and Use Case Center) Authorized or unauthorized users may attempt to modify the system such that hardened configuration policies are removed or security monitoring tools are disabled. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV1AbuseofAccess RV6Misconfiguration DS TBD ... Apr 08, 2016


UC0021 Communication outbound to regions without business relationship (Narrative and Use Case Center) Outbound communication with servers hosted in regions where the organization does not expect to have employees, customers, or suppliers. Exclude authorized DNS servers communicating on a standard DNS port Exclude destination DNS servers on the ICANN root list Exclude authorized ... Apr 08, 2016

UC0079 Use of accountable privileged identity to access new or rare sensitive resource (Narrative and Use Case Center)

Use of an identity identified as privileged to access a system for the first time within a rolling time period will trigger a notable event for review of access reason. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityPriviledgeUserMonitoring RV1AbuseofAccess ... Apr 08, 2016

UC0015 Privileged user accessing more than expected number of machines in period (Narrative and Use Case Center)

Privileged user authenticates to more than X number of new targets successfully or is denied access to more than Y targets in the prior Z hours. For example: More than 5 new targets More than 3 failures In the last ... Apr 08, 2016

UC0034 Brute force successful authentication (Narrative and Use Case Center) source IP identified by a brute force use case authenticates successfully OR an account identified by a brute use case successfully logins after failing once from the same source address. Problem Types Addressed Risk Addressed Event Data ... Apr 27, 2016

UC0071 Improbably short time between Remote Authentications with IP change (Narrative and Use Case Center) employers that allow remote external connectivity the detection of two or more distinct values of external source IP address for successful authentications to a remote access solution in a short period of time indicates a likely compromise of credentials. The short period of time value ... Apr 25, 2016

UC0004 Excessive number of emails sent from internal user (Narrative and Use Case Center) Excessive email generation by an authorized user could indicate the presence of malware for the purpose of spam sending, abusing company resources, or attempting to solve a business problem using a technique not approved by policy. For this use case, email generated from endpoint networks ... Apr 08, 2016

UC0016 Successfully authenticated computer accounts accessing network resources (Narrative and Use Case Center)

Batch, Windows Services, App Pools, and specially constructed Windows shells can access network resources. A small number of technical solutions will require this type of behavior, however, after excluding a white list of hosts or shares (such as sysvol or netlogon), such access ... Apr 08, 2016

UC0011 Improbable distance between logins (Narrative and Use Case Center) Utilizing source IP address, geolocation data, and where available for company owned mobile devices, GPS for mobile devices. Using the Haversine algorithm, calculate the distance between the authenticated successful connections. Detect where: Total distance is greater than ... Apr 08, 2016

UC0035 Compromised account access testing (Narrative and Use Case Center) Following a successful authentication, an attacker will attempt to determine what resources may be accessed without causing host intrusion or DLP technologies to detect activity. Commonly the attacker will enumerate and browse to shares, access email, access web applications, or connect to databases ... Apr 08, 2016

UC0073 Endpoint detected malware infection from url (Narrative and Use Case Center) Endpoint antimalware detection event occurred where the malicious content was retrieved from an external URL. Possible indication of gaps in protection by web proxy, intrusion prevention, or advanced threat prevention. Use


the information available for the event and determine how existing ... Apr 11, 2016 Labels: prt05-tacticalthreat-ransomeware

UC0076 Excessive DNS Failures (Narrative and Use Case Center) endpoint utilizing DNS as a transmission method for data exfiltration, command and control, or evasion of security controls can be detected by either a large volume or high number of unique DNS queries. Problem Types Addressed Risk Addressed Event Data Sources ... Apr 25, 2016 Labels: prt05-tacticalthreat-ransomeware

UC0049 Detection of DNS Tunnel (Narrative and Use Case Center) Endpoint utilizing DNS as a method of transmission for data exfiltration, command and control, or evasion of security controls. Detected by large total size of DNS traffic OR large number of unique queries. Problem Types Addressed Risk Addressed Event Data Sources ... Apr 25, 2016 Labels: prt05-tacticalthreat-ransomeware


PRT03-PeerAdoption-Phase3-Mature Use case narratives adopted during the third deployment phase of a security operations, monitoring, and response program.

Supporting Use Cases Click here to expand... Found 10 search result(s) for title:UC* contentBody:"APC-Mature".









UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center) Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared passwords and potential misuse.Looking across the prior 65 minutes starting 5 minutes ago, search for time, application, source (host, IP, name) and user ... Aug 14, 2016


UCESS063 Web Uploads to Non-corporate Sites by Users (Narrative and Use Case Center) Alerts on high volume web uploads by a user to noncorporate domains. For the past 60 minutes starting 5 minutes after realtime, sum the total number of bytes transferred where the HTTPmethod is POST or PUT and the domain is not in the corporate web domain lookup ... Aug 14, 2016


PRT03-PeerAdoption-Phase4-Edge Use case narratives adopted based on specific circumstances in the organization. Specific capabilities and complexities will dictate the appropriate time for adoption of these narratives.

Supporting Use Cases Click here to expand... Found 10 search result(s) for title:UC* contentBody:"APC-Edge".

UC0065 Malware detected compliance asset (Narrative and Use Case Center) Malware detection on a asset designated as compliance such as PCI, CIP or HIPPA requires review even when automatic clean has occurred Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected DDE001 ... Aug 29, 2016

UCESS013 Cleartext Password At Rest Detected (Narrative and Use Case Center) Detects cleartext passwords being stored at rest (such as in the Unix password file). Looking across a realtime window of /5 minutes, search for Last Time, Original Raw Event Data, tag and count grouped by destination(host, IP, name), user ... Aug 14, 2016

UCESS041 Network Device Rebooted (Narrative and Use Case Center) past 1 hour, using all summary data even if the model has changed, provide a count of device restarts grouped by the device that reported the change dvc (host, IP, name) and time where the time span is 1 second. Problem ... Aug 14, 2016

UCESS044 Personally Identifiable Information Detected (Narrative and Use Case Center) Looking across a realtime window of /5 minutes, find integer sequences and lookup against luhnlikelookup and output fields pii and piiclean. Lookup iinissuer in the iinlookup table based on the piiclean string and length of the string. Output event id (macro that creates ... Aug 14, 2016

UCESS052 Substantial Increase In Port Activity (Narrative and Use Case Center) Alerts when a statistically significant increase in events on a given port is observed. For the past hour, using all summary data even if the model has changed, generate a count by destination port and compare that count against the previous hour and trigger if the destination ... Aug 14, 2016

UCESS002 Abnormally High Number of Endpoint Changes By User (Narrative and Use Case Center) Detects an abnormally high number of endpoint changes by user account, as they relate to restarts, audits, filesystem, user, and registry modifications. For the past 24 hours starting on the hour, using all summary data even if the model has changed, generate a count ... Aug 14, 2016

UC0087 Malware signature not updated by SLA for compliance asset (Narrative and Use Case Center) Malware signature last updated on a asset designated as compliance such as PCI, CIP or Hippa beyond SLA limits Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET02UpdatedSig DDE001 Asset Information https://securitykit.atlassian.net/wiki/display/GD/DDE001AssetInformation ... Apr 28, 2016 Labels: prt05-tacticalthreat-ransomeware

UC0051 Excessive physical access failures to CIP assets (Narrative and Use Case Center) user with continuous physical access failures could be someone searching for a physical vulnerability within the organization. When this occurs in an area that is protecting CIP assets, it is something that should be followed up on immediately. Problem Types Addressed Risk Addressed Event Data ... Apr 27, 2016


UCESS003 Abnormally High Number of HTTP Method Events By Src (Narrative and Use Case Center) Alerts when a host has an abnormally high number of HTTP requests by http method. For the past 24 hours starting on the hour, using all summary data even if the model has changed, generate a count of the source of the network traffic and the HTTP ... Jul 22, 2016

UCESS010 Anomalous New Listening Port (Narrative and Use Case Center) Alerts a series of hosts begin listening on a new port within 24 hours. This may be an indication that the devices have been compromised or have had new (and potentially vulnerable) software installed. Listening ports tracker contains destination IP and port ... Aug 14, 2016


PRT04-ProcessEffectivness High level security visibility problems speak to a need to a unified system for the collection and analysis of event data from many types of systems in the enterprise and in the cloud. PRT04-ProcessEffectivness-HuntPaths

Supporting Use Cases Essentials Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT04-ProcessEffectivness".

Maturing Click here to expand... Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT04-ProcessEffectivness".



PRT04-ProcessEffectivness-HuntPaths Utilizing searches and automated prompts the analyst will investigate selected events that are considered low fidelity to identify using analytic process potential security weakness or previously unknown threats.


PRT05-Tactical Threat In the constantly evolving threat landscape organizations often must set aside strategic plans and react to specific threats. Tactical threat motivations support the urgent on boarding of missing critical data sources. PRT05-TacticalThreat-InsiderThreat PRT05-TacticalThreat-Ransomeware PRT05-TacticalThreat-SpearphishingCampaign


PRT05-TacticalThreat-InsiderThreat Insiders, defined as employees, contractors, partners, or anyone else with AUTHORIZED internal access often have the knowledge and access necessary to allow them to bypass security measures to critical systems through legitimate means. The nature of the insider threat is different from external threats, and therefore require a different strategy for preventing and addressing them. The following use cases and data sources are helpful in detecting and mitigating potential insider threat activity.

Domain

Supporting Use Case

Description

Enrichment

Data Sources

Status

Data Exfiltration

UCESS031 Host Sending Excessive Email

Detects where a host that is not categorized as an email server is sending an excessive amount of email. Tune or create variant of this CS to search only for excessive email to non-corporate domains by user


DS001Mail-ET03Send

Adoptable: ES Product UC

Notable event is triggered when a single internal user sends more than 20 emails to a single non-corporate email address over a 60 minute period. Extreme Search should be used to set dynamic threshold when available.


DS001Mail-ET03Send

Draft Narrative

Detects when a user attempts to access an excessive number of unique file or directory objects.


Windows Security Logs

Draft Narrative

Auditing: File/Directory Object Access

(EventCodes 4656, 4663)

Data Exfiltration

Data Exfiltration

UC0090 High Volume of Email to Non-Corporate Email Address

UC0091 Excessive Unique File Object Access

DDE023 CIM Corporate Email Domains

DDE002 Identity Information DDE023 CIM Corporate Email Domains

Malicious Insider

UCESS060 Vulnerability Scanner Detected (by events)

Detects IDS/IPS signatures from a single source to a destination where the distinct signature count is greater than 25. Tune or create variant of this CS to search only for internally sourced events


IDS/IPS


Malicious Insider

UCESS061 Vulnerability Scanner Detected (by targets)

Detect IDS/IPS signatures from a single source to 25 or more distinct destinations. Tune or create variant of this CS to search only for internally sourced events


IDS/IPS


Unauthorized Access

UCESS011 Brute Force Access Behavior Detected

Excessive failed access attempts followed by successful authentication. Datamodel acceleration should be used for this UC whenever possible.


Authentication


Detects successful login activity outside of normal work hours. Thresholds and work hours should be defined within CS as per customer requirements


Authentication

In Development

Privileged user authenticates to more than X number of new targets successfully or is denied access to more than Y targets in the prior Z hours.For example:


Authentication

Adoptable Narrative Custom

Web

In Development

Unauthorized Access

Unauthorized Access

UCXXXX Excessive Logins Outside of Company Work Hours (by user)

UC0015 Privileged user accessing more than expected number of machines in period




More than 5 new targets More than 3 failures In the last 4 hours Potential Threat (various categories)

UCXXXX Excessive Watchlisted Website Activity by User


Searches for users visiting an excessive number of watchlisted sites. Threshold and site categories should be defined as per customer requirements. Designed to highlight possible job seekers, employees prone to violence, radicalists, etc.

DDE002 Identity Information Watchlisted Sites

Potential Threat (various categories)

UCXXXX Insider Threat Detected - High Probability


Takes into account all "insider threat content pack" rules. Flags on single user triggering multiple events (threshold to be defined) within a predefined time period, as defined by customer

DDE002 Identity Information Insider Threat "Content Pack"

Insider Threat Content Pack Correlation Rules

In Development

PRT05-TacticalThreat-Ransomeware Ransomware includes multiple broad categories including denial of service by encryption and extortion by data ex filtration. The following collection of data sources and use cases highlight strategies found useful in mitigation of this threat.

DS001MAIL

Found 1 search result(s) for contentBody:DS001* title:UC* PRT05-TacticalThreat-Ransomeware.

UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware

DS002DNS



UC0089 Detection of Communication with Algorithmically Generated Domain (Narrative and Use Case Center)

Using an algorithm determine text of the registration domain is likely to be generated by a computer excluding known cloud hosting domains, Alexa TOP 1 M domains and domains with long established communication with the organization. Problem Types Addressed Risk Addressed Event ... Jun 24, 2016 Labels: prt05-tacticalthreat-ransomeware, creative




DS004EndPointAntiMalware



UC0087 Malware signature not updated by SLA for compliance asset (Narrative and Use Case Center) Malware signature last updated on a asset designated as compliance such as PCI, CIP or Hippa beyond SLA limits Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET02UpdatedSig DDE001 Asset Information https://securitykit.atlassian.net/wiki/display/GD/DDE001AssetInformation ... Apr 28, 2016 Labels: prt05-tacticalthreat-ransomeware








UC0073 Endpoint detected malware infection from url (Narrative and Use Case Center) Endpoint antimalware detection event occurred where the malicious content was retrieved from an external URL. Possible indication of gaps in protection by web proxy, intrusion prevention, or advanced threat prevention. Use the information available for the event and determine how existing ...


Apr 11, 2016 Labels: prt05-tacticalthreat-ransomeware DS005WebProxyRequest Found 3 search result(s) for contentBody:DS005* title:UC* PRT05-TacticalThreat-Ransomeware.



UC0081 Communication with unestablished domain (Narrative and Use Case Center) Egress communication with a newly seen, newly registered, or registration date unknown domain may indicate the presence of malicious code. Assets communicating with external services excluding Alexa TOP 1M whose reputation score exceeds acceptable norms will be flagged ... Apr 25, 2016 Labels: prt05-tacticalthreat-ransomeware DS010NetworkCommunication Found 2 search result(s) for contentBody:DS010* title:UC* PRT05-TacticalThreat-Ransomeware.


UC0020 Attempted communication through external firewall not explicitly granted (Narrative and Use Case Center) Any attempted communication through the firewall not previously granted by ingress/egress policies could indicate either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions (bypassing the firewall). Legacy Command and Control (a.k.a. C&C or C2 ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware DS012NetworkIntrusionDetection-ET01SigDetection Found 1 search result(s) for contentBody:DS012* title:UC* PRT05-TacticalThreat-Ransomeware.

UC0074 Network Intrusion Internal Network (Narrative and Use Case Center) IDS/IPS detecting or blocking an attack based on a known signature. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS012NetworkIntrusionDetectionET01SigDetection DE001AssetInformation Adoption Phase Customer Adoption Phase SME Adoption Phase ... May 09, 2016 Labels: prt05-tacticalthreat-ransomeware


PRT05-TacticalThreat-SpearphishingCampaign


PRT06-SecureConfigurationMgmt High level security visibility problems speak to a need to a unified system for the collection and analysis of event data from many types of systems in the enterprise and in the cloud. PRT06-SecureConfigurationMgmtUpdateManagement PRT06-SecureConfigurationMgmtVulnerability







PRT06-SecureConfigurationMgmtUpdateManagement High level security visibility problems speak to a need to a unified system for the collection and analysis of event data from many types of systems in the enterprise and in the cloud.

Supporting Data Sources DS019PatchManagement


Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT06-SecureConfigurationMgmtVulnerability".

Maturing

Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT06-SecureConfigurationMgmtVulnerability".


PRT06-SecureConfigurationMgmtVulnerability High level security visibility problems speak to a need to a unified system for the collection and analysis of event data from many types of systems in the enterprise and in the cloud.

Supporting Data Sources DS018VulnerabilityDetection


Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT06-SecureConfigurationMgmtVulnerability".

Maturing

Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT06-SecureConfigurationMgmtVulnerability".


PRT07-SpecialRequests A set of curated use case collections based on specific field requests PRT07-SpecialRequests-Creative







PRT07-SpecialRequests-Creative A set of curated use case collections based on specific field requests

Supporting Use Cases Click here to expand... Found 3 search result(s) for title:UC0* labelText:creative.





PRT08-ProductAdoption Use cases provided by the Splunk Enterprise Security Application are mapped to the Adoption Phase and grouped by Supporting Data Source to assist the customer and consultant in the selection of use cases for implementation based on the likely readiness of the customer. PRT08-ProductAdoption-ES PRT08-ProductAdoption-ES-Essentials PRT08-ProductAdoption-ES-Mature PRT08-ProductAdoption-ES-Maturing


PRT08-ProductAdoption-ES


PRT08-ProductAdoption-ES-Essentials

DS010NetworkCommunication

Network communication data is often the last chance available to identify the movement of an attacker in, into or out of the organization's network. All firewalls protecting systems in the DMZ, Public internet, segmenting private network from the public internet and segmenting the private network from third party network peers that are not part of the public internet should be included.

Found 2 search result(s) for title:UCESS* contentBody:"DS010NetworkCommunication*" contentBody:"APC-Essential". UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware

UCESS030 High Volume of Traffic from High or Critical Host Observed (Narrative and Use Case Center) Alerts when a host of high or critical severity generates a high volume of outbound traffic. This may indicate that the host has been compromised.For the past 60 minutes starting 5 minutes after realtime, using all summary data even ... Apr 26, 2016


Endpoint Antimalware logs such as Mcafee Antivirus, Symantec Endpoint Protection, or Microsoft Forefront collected from the central reporting database. Events including, detected, definition update and scheduled scan execution should be indexed.

Found 8 search result(s) for title:UCESS* contentBody:"DS004EndPointAntiMalware*" contentBody:"APC-Essential". UCESS035 Host With Multiple Infections (Narrative and Use Case Center) Alerts when a host with multiple infections is discovered.For the past 24 hours, using all summary data even if the model has changed, return a distinct count of signatures and group by destination (host, IP, name). Alert when the count is greater ... Aug 14, 2016

UCESS025 High Number Of Infected Hosts (Narrative and Use Case Center) Alerts when a high total number of infected hosts is discovered.For the past 15 days, using all summary data even if the model has changed, return and estimated distinct count of destination (host, IP, name) where nodename is MalwareAttacks ... Aug 14, 2016

UCESS026 High Or Critical Priority Host With Malware Detected (Narrative and Use Case Center) Alerts when an infection is noted on a host with high or critical priority.Looking across a realtime window of /5 minutes, search for destination priority (assigned in asset table) of high or critical and return most recently seen time, original raw log, destination ... Aug 14, 2016

UCESS027 High or Critical Priority Individual Logging into Infected Machine (Narrative and Use Case Center) Detects users with a high or critical priority logging into a malware infected machineUsing all summary data even if the model has changed, search for user over a 60 minute window starting 5 minutes after realtime where user priority ... Aug 14, 2016

UCESS043 Outbreak Detected (Narrative and Use Case Center) Alerts when a potential outbreak is observed based on newly infected systems all exhibiting the same infectionFor


the past 24 hours, using all summary data even if the model has changed, generate a distinct count of the system that was affected by the malware ... Apr 26, 2016

UCESS024 High Number of Hosts Not Updating Malware Signatures (Narrative and Use Case Center) Alerts when a high number of hosts not updating malware signatures have been discovered. These hosts should be evaluated to determine why they are not updating their malware signatures.Execute the malware operations tracker macro and calculate the timesignatureversion and return results that the day difference between ... Apr 26, 2016

UCESS036 Host With Old Infection Or Potential Re-Infection (Narrative and Use Case Center) Alerts when a host with an old infection is discovered (likely a reinfection).For the past 60 minutes starting 5 minutes after realtime, calculate the max time (lastTime) by signature and destination. Perform a lookup against the malwaretracker and match on destination and signature. If a match ... Apr 26, 2016

UCESS032 Host With A Recurring Malware Infection (Narrative and Use Case Center) Alerts when a host has an infection that has been reinfected remove multiple times over multiple days.For the past 10080 minutes (7 days) starting 5 minutes after realtime, using all summary data even if the model ... Apr 26, 2016

DS005WebProxyRequest

Web client request from internal endpoints processed by a proxy server, scope should include a endpoints including enduser devices and servers however guest wifi should not be included unless the guest network is abled to access to organizations internal trusted zone.

Found 0 search result(s) for title:UCESS* contentBody:"DS005WebClientRequest*" contentBody:"APC-Essential".

DS002DNS

Domain name resolution logs covering all internal clients querying for hosts outside of the organizations network should contain in a single event the source ip, query and response. The scope should be confirmed using the firewall communication logs where destination port is 23.

Found 1 search result(s) for title:UCESS* contentBody:"DS002DNS*" contentBody:"APC-Essential". UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware

DS003Authentication

Authentication logs covering all central authentication systems such as Active Directory, ADFS, Cyber Ark, WebSeal, and Siteminder as well as all local authentication logs from host operating systems identified as compliance targeted, or priority High/Critical.

Found 4 search result(s) for title:UCESS* contentBody:"DS003Authentication*" contentBody:"APC-Essential". UCESS012 Brute Force Access Behavior Detected Over One Day (Narrative and Use Case Center) Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this could indicate a successful brute force attack)Looking across the prior 24 hours starting 1 hour ago, search for application ... Aug 14, 2016

UCESS011 Brute Force Access Behavior Detected (Narrative and Use Case Center) Detects excessive number of failed login attempts along with a successful attempt (this could indicate a successful


brute force attack)Looking across the prior 60 minute period starting 5 minutes ago, search for tags, applications, count of failures ... Aug 14, 2016


UCESS005 Activity from Expired User Identity (Narrative and Use Case Center) Alerts when an event is discovered from a user associated with identity that is now expired (that is, the end date of the identity has been passed). Looking across a realtime window of /5 minutes, search for Last Time, Original Raw Event Data, user ... Aug 14, 2016

DS001MAIL

Email logs covering all inbound and outbound mail systems permitting the identification of the internal authenticated user or host where authentication is not used causing an email to be sent or which received a specific email. The scope should be confirmed by using firewall communication logs where destination port is 25.

Found 2 search result(s) for title:UCESS* contentBody:"DS001MAIL*" contentBody:"APC-Essential". UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware

UCESS031 Host Sending Excessive Email (Narrative and Use Case Center) Alerts when an host not designated as an email server sends excessive email to one or more target hosts.For the past 60 minutes starting 5 minutes after realtime, using all summary data even if the model has changed, calculate ... May 02, 2016

DS007AuditTrail

Audit trail information from internal endpoints providing logs supporting use cases in this adoption phase should be included in the initial scope.

Found 1 search result(s) for title:UCESS* contentBody:"DS007AuditTrail*" contentBody:"APC-Essential". UCESS022 Expected Host Not Reporting (Narrative and Use Case Center) ... Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV6Misconfiguration DS007AuditTrail DE001AssetInformation Adoption Phase Customer Adoption Phase SME Adoption Phase Industry ... Aug 14, 2016

DS012NetworkIntrusionDetection-ET01SigDetection

Network Intrusion detection logs often must be indexed for compliance purposes, all IDS/IPS sensors should be included except those which monitor unfiltered inbound public internet communications, unfiltered meaning may detect attacks that would be blocked by the border firewall based on destination port.

Found 2 search result(s) for title:UCESS* contentBody:"DS012NetworkIntrusionDetection*" contentBody:"APC-Essential". UCESS061 Vulnerability Scanner Detected (by targets) (Narrative and Use Case Center)


Detects a potential vulnerability scanner by detecting devices that have triggered events against a large number of unique targets. Vulnerability scanners generally trigger events against a high number of unique hosts when they are scanning a network for vulnerable hosts.For the past ... Aug 14, 2016


DS014WebServer-ET01Access

Web serve logs from all web servers serving authenticated organization users from the public internet, should contain the authenticated user account, (actual) source ip, reverse proxy ip, site, url, and port.

Found 0 search result(s) for title:UCESS* contentBody:"DS014WebServer*" contentBody:"APC-Essential".

DS006UserActivity

User activity related to the creation, modification or deletion of users, groups, access controls and policies should be indexed for all systems inscope for logging and monitoring within this phase.

Found 1 search result(s) for title:UCESS* contentBody:"DS006UserActivity*" contentBody:"APC-Essential". UCESS045 Potential Gap in Data (Narrative and Use Case Center) Detects gaps caused by the failure of the search head. If saved searches do not execute then there may be gaps in summary data.For the past 5 minutes starting 5 minutes after realtime, return scheduled searches that were successful where the app context ... Aug 16, 2016


PRT08-ProductAdoption-ES-Maturing



Found 3 search result(s) for title:UCESS* contentBody:"DS010NetworkCommunication*" contentBody:"APC-Maturing". UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center) primaryfunctionstracker macro gathers all local procceses, services and listening ports from their trackers and associates identity and asset information with each. Looking back over the past 24 hours, return values of the function and their distinct count grouped by destination (host ... Aug 14, 2016


UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center) Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of new software (potentially unapproved) or a successful compromise of a host (such as the presence of a backdoor or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return values ... Aug 14, 2016



Found 0 search result(s) for title:UCESS* contentBody:"DS004EndPointAntiMalware*" contentBody:"APC-Maturing".



Found 0 search result(s) for title:UCESS* contentBody:"DS005WebClientRequest*" contentBody:"APC-Maturing".

DS002DNS


Found 2 search result(s) for title:UCESS* contentBody:"DS002DNS*" contentBody:"APC-Maturing". UCESS019 Excessive DNS Queries (Narrative and Use Case Center) Alerts when a host starts sending excessive DNS queries. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count where the message ... Aug 14, 2016


UCESS018 Excessive DNS Failures (Narrative and Use Case Center) Alerts when a host receives many DNS failures in a short span. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count where ... Aug 14, 2016

DS003Authentication


Found 7 search result(s) for title:UCESS* contentBody:"DS003Authentication*" contentBody:"APC-Maturing". UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center) Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared passwords and potential misuse.Looking across the prior 65 minutes starting 5 minutes ago, search for time, application, source (host, IP, name) and user ... Aug 14, 2016

UCESS020 Excessive Failed Logins (Narrative and Use Case Center) Detects excessive number of failed login attempts (this is likely a brute force attack)For the past 1 hour starting 5 minutes after realtime, search for failure in the tag field and return values of app and Source IP, tags, distinct user ... Aug 14, 2016



UCESS014 Completely Inactive Account (Narrative and Use Case Center) Discovers accounts that are no longer used. Unused accounts should be disabled and are oftentimes used by attackers to gain unauthorized access. Access tracker contains destination (host, IP, name), first and last time seen, 2nd to last time seen and user ... Aug 14, 2016


UCESS023 Alerts on access attempts that are improbably based on time and geography. (Narrative and Use Case Center)

Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this could indicate a successful brute force attack)For the past 18 hours starting 5 minutes after realtime, list the application, user ... Aug 14, 2016

DS001MAIL



Found 0 search result(s) for title:UCESS* contentBody:"DS001MAIL*" contentBody:"APC-Maturing".

DS007AuditTrail


Found 2 search result(s) for title:UCESS* contentBody:"DS007AuditTrail*" contentBody:"APC-Maturing". UCESS006 Anomalous Audit Trail Activity Detected (Narrative and Use Case Center) Discovers anomalous activity such as the deletion of or clearing of log files. Attackers oftentimes clear the log files in order to hide their actions, therefore, this may indicate that the system has been compromised. Looking across a realtime window of /5 minutes, search for action ... Aug 14, 2016

UCESS050 Should Timesync Host Not Syncing (Narrative and Use Case Center) Detects when hosts that are required to synchronize their clocks have failed to do so. Time synchronization is important because it ensures that the event logs are stamped with the proper time. Additionally, this is required by some regulatory compliance standards (such as PCI). For the past 30 days ... Aug 14, 2016



Found 0 search result(s) for title:UCESS* contentBody:"DS012NetworkIntrusionDetection*" contentBody:"APC-Maturing".



Found 1 search result(s) for title:UCESS* contentBody:"DS014WebServer*" contentBody:"APC-Maturing". UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center) Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ... Aug 16, 2016 DS006UserActivity


Found 4 search result(s) for title:UCESS* contentBody:"DS006UserActivity*" contentBody:"APC-Maturing". UCESS049 Short-lived Account Detected (Narrative and Use Case Center) past 4 hours, find all events that action is equal to created or deleted. Look at the time range across user and destination and use only two events and only return events where the count is greater than 1 and the time range ... Aug 14, 2016

UCESS004 Account Deleted (Narrative and Use Case Center) Detects user and computer account deletion. Looking across a realtime window of /5 minutes, search for the value delete within the tag field (autogenerated field in datamodels) and show the following aggregated values when the count is greater than 0: Last ... Aug 14, 2016

UCESS042 New User Account Created On Multiple Hosts (Narrative and Use Case Center)


Useraccountstracker returns destination (host, IP, name), user, firstTime, lastTime and isinteractive. Create earliestQual based on 24 hours ago, snapped to the top of the hour and latestQual which is now. Return values where firstTime is greater than or equal to earliestQual ... Aug 14, 2016

UCESS040 Network Change Detected (Narrative and Use Case Center) Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw and count grouped by the device that reported the change dvc (host, IP, name), the action performed on the resource and the command that initiated the change. Problem Types ... Aug 14, 2016 DS013TicketManagement-ET01

Notable event ticket data is indexed with no administrator action required.

Found 2 search result(s) for title:UCESS* contentBody:"DS013TicketManagement*" contentBody:"APC-Maturing". UCESS058 Untriaged Notable Events (Narrative and Use Case Center) Alerts when notable events have not been triaged. For the past 48 hours starting 4 hours after realtime, return notable events that have a status group of New or the owner is unassigned. Return the values time, owner, status, rule ... Aug 14, 2016

UCESS051 Substantial Increase In Events (Narrative and Use Case Center) Alerts when a statistically significant increase in a particular event is observed. For the past hour, using all summary data even if the model has changed, generate a count by signature and compare that count against the previous hour and trigger if the signature is above medium ... Aug 14, 2016


PRT08-ProductAdoption-ES-Mature



Found 3 search result(s) for title:UCESS* contentBody:"DS010NetworkCommunication*" contentBody:"APC-Mature". UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center) primaryfunctionstracker macro gathers all local procceses, services and listening ports from their trackers and associates identity and asset information with each. Looking back over the past 24 hours, return values of the function and their distinct count grouped by destination (host ... Aug 14, 2016





Found 0 search result(s) for title:UCESS* contentBody:"DS004EndPointAntiMalware*" contentBody:"APC-Mature".



Found 0 search result(s) for title:UCESS* contentBody:"DS005WebClientRequest*" contentBody:"APC-Mature".

DS002DNS


Found 2 search result(s) for title:UCESS* contentBody:"DS002DNS*" contentBody:"APC-Mature". UCESS019 Excessive DNS Queries (Narrative and Use Case Center) Alerts when a host starts sending excessive DNS queries. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count where the message ... Aug 14, 2016

UCESS018 Excessive DNS Failures (Narrative and Use Case Center) Alerts when a host receives many DNS failures in a short span. Looking across the prior 60 minute period starting


5 minutes ago, using all summary data even if the model has changed, provide a count where ... Aug 14, 2016

DS003Authentication


Found 7 search result(s) for title:UCESS* contentBody:"DS003Authentication*" contentBody:"APC-Mature". UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center) Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared passwords and potential misuse.Looking across the prior 65 minutes starting 5 minutes ago, search for time, application, source (host, IP, name) and user ... Aug 14, 2016








DS001MAIL


Found 0 search result(s) for title:UCESS* contentBody:"DS001MAIL*" contentBody:"APC-Mature".


DS007AuditTrail


Found 2 search result(s) for title:UCESS* contentBody:"DS007AuditTrail*" contentBody:"APC-Mature". UCESS006 Anomalous Audit Trail Activity Detected (Narrative and Use Case Center) Discovers anomalous activity such as the deletion of or clearing of log files. Attackers oftentimes clear the log files in order to hide their actions, therefore, this may indicate that the system has been compromised. Looking across a realtime window of /5 minutes, search for action ... Aug 14, 2016




Found 0 search result(s) for title:UCESS* contentBody:"DS012NetworkIntrusionDetection*" contentBody:"APC-Mature".



Found 1 search result(s) for title:UCESS* contentBody:"DS014WebServer*" contentBody:"APC-Mature". UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center) Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ... Aug 16, 2016 DS006UserActivity


Found 4 search result(s) for title:UCESS* contentBody:"DS006UserActivity*" contentBody:"APC-Mature". UCESS049 Short-lived Account Detected (Narrative and Use Case Center) past 4 hours, find all events that action is equal to created or deleted. Look at the time range across user and destination and use only two events and only return events where the count is greater than 1 and the time range ... Aug 14, 2016


UCESS042 New User Account Created On Multiple Hosts (Narrative and Use Case Center) Useraccountstracker returns destination (host, IP, name), user, firstTime, lastTime and isinteractive. Create earliestQual based on 24 hours ago, snapped to the top of the hour and latestQual which is now. Return values


where firstTime is greater than or equal to earliestQual ... Aug 14, 2016

UCESS040 Network Change Detected (Narrative and Use Case Center) Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw and count grouped by the device that reported the change dvc (host, IP, name), the action performed on the resource and the command that initiated the change. Problem Types ... Aug 14, 2016 DS013TicketManagement-ET01

Notable event ticket data is indexed with no administrator action required.

Found 2 search result(s) for title:UCESS* contentBody:"DS013TicketManagement*" contentBody:"APC-Mature". UCESS058 Untriaged Notable Events (Narrative and Use Case Center) Alerts when notable events have not been triaged. For the past 48 hours starting 4 hours after realtime, return notable events that have a status group of New or the owner is unassigned. Return the values time, owner, status, rule ... Aug 14, 2016



Motivating Risk View Perspective Risk mitigation is tangential to the traditional view of business value, to address this motivation and realize value the customer will place an artificial cost on the occurrence of an event narratives and solutions will provide support for the decision makers to show the broader business leadership that risks are being addressed proactively through the development of detection and monitoring processes. Each use case will be further labeled to collect the use cases into a risk based paradigm RV1-AbuseofAccess — Abuse of access addressed the risk of authorized or entitled access in such a way as to cause harm

to the organization RV2-Access — Access addressed the risk of unauthorized access in such a way as to cause harm to the organization RV3-MaliciousCode — Malicious code addressed the risk of processes used against the organization, these risks include "malware" as well as authorized software used for malicious intent. RV4-ScanProbe — Risk of activities that could discover a weakness in the organizations systems, controls, or configuration that could latter be used to harm the organization RV5-DenialofService — Risk of denial of service includes such concerns as load based and destructive change to the infrastructure. RV6-Misconfiguration — Modification of a system that results in a misconfiguration defined as insecure or unreliable impacting the compliance, security, or availability of the system. Such configuration may increase the likelihood or impact of other adverse events.


RV1-AbuseofAccess Abuse of access addressed the risk of authorized or entitled access in such a way as to cause harm to the organization

Supporting Use Cases Essentials Click here to expand... Found 10 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"RV1-AbuseofAccess".


UCESS035 Host With Multiple Infections (Narrative and Use Case Center) Alerts when a host with multiple infections is discovered.For the past 24 hours, using all summary data even if the model has changed, return a distinct count of signatures and group by destination (host, IP, name). Alert when the count is greater ... Aug 14, 2016





UCESS012 Brute Force Access Behavior Detected Over One Day (Narrative and Use Case Center) Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this could indicate a successful brute force attack)Looking across the prior 24 hours starting 1 hour ago, search for application ... Aug 14, 2016

UCESS011 Brute Force Access Behavior Detected (Narrative and Use Case Center) Detects excessive number of failed login attempts along with a successful attempt (this could indicate a successful brute force attack)Looking across the prior 60 minute period starting 5 minutes ago, search for tags, applications, count of failures ... Aug 14, 2016

UC0006 Windows security event log purged (Narrative and Use Case Center)


Manually clearing the security event log on a windows system is a violation of policy and could indicate an attempt to cover malicious actions. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV1AbuseofAccess DS007AuditTrailET01Clear DE001AssetInformation Adoption ... Apr 08, 2016


Maturing Click here to expand... Found 10 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"RV1-AbuseofAccess".













UC0088 User account sharing detection by source device ownership (Narrative and Use Case Center) Detection of logon device by asset name (may require resolution from IP) when logon user does not match the owner and the number of unique owned devices is greater than two in the prior 24 hours. Exclude assets identified as loaner ... May 16, 2016


RV2-Access Access addressed the risk of unauthorized access in such a way as to cause harm to the organization

Supporting Use Cases Essentials Click here to expand... Found 2 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"RV2-Access".

UC0036 Compromised account access testing (Critical/Sensitive Resource) (Narrative and Use Case Center) ... Following a successful authentication, an attacker will attempt to determine what resources may be accesse d without causing host intrusion or DLP technologies to detect activity. Commonly the attacker ... Apr 08, 2016


Maturing Click here to expand... Found 10 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"RV2-Access".









UC0093 Previously active account has not accessed enclave/lifecycle (Narrative and Use Case Center) ... Identify accounts no longer in use with access to high/critical or enclave systems and remove access when no longer required. Implement a tracking list of accounts and the accessed enclave or business service identifier, maintain the last accessed time and alert when the last access ... Jun 24, 2016

UC0033 Brute force authentication attempt distributed (Narrative and Use Case Center) ... indicate an adversary has identified a specific high value account and is attempting to gain access. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity ... Jun 08, 2016


UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center) ... RV6Misconfiguration DS003AuthenticationET01Success DS010NetworkCommunicationET01TrafficAppAware DE001AssetInformation Categorization providing information to identify authorized remote access systems DE002IdentityInformation Categorization providing information on which users may access an individual remote access technology Adoption Phase Customer Adoption Phase SME Adoption ... Apr 08, 2016

UC0042 SSH Authentication using unknown key (Narrative and Use Case Center) ... Detection of a new key should be investigated to determine the owner of the key and validate authorization to access the resource. Problem Types Addressed Risk Addressed Event Data Sources Enrichment ... Apr 11, 2016


RV3-MaliciousCode Malicious code addressed the risk of processes used against the organization, these risks include "malware" as well as authorized software used for malicious intent.

Supporting Use Cases Essentials Click here to expand... Found 10 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"RV3-MaliciousCode".











UCESS043 Outbreak Detected (Narrative and Use Case Center) Alerts when a potential outbreak is observed based on newly infected systems all exhibiting the same infectionFor the past 24 hours, using all summary data even if the model has changed, generate a distinct count of the system that was affected by the malware ... Apr 26, 2016

Maturing Click here to expand... Found 10 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"RV3-MaliciousCode".








UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center) Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may indicate malicious code. Exclude category svcnetworkscanner Problem Types Addressed Risk Addressed


Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode RV4ScanProbe ... Apr 08, 2016





RV4-ScanProbe Risk of activities that could discover a weakness in the organizations systems, controls, or configuration that could latter be used to harm the organization

Supporting Use Cases Essentials Click here to expand... Found 6 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"RV4-ScanProbe".





UC0037 Network Intrusion External - New Signatures (Narrative and Use Case Center) External IDS devices reporting an attack using a signature not previously encountered are more likely be successful as new signatures are prompted by newly know attacks in the wild. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware OR is this something ... Apr 08, 2016



Maturing Click here to expand... Found 9 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"RV4-ScanProbe".

UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center) Detects authentication requests that transmit the password over the network as cleartext


(unencrypted). Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw, tags and count grouped by the application and destination (host, IP, name ... Aug 14, 2016










RV5-DenialofService Risk of denial of service includes such concerns as load based and destructive change to the infrastructure.

Supporting Use Cases Essentials Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"RV5-DenialofService".

Maturing Click here to expand... Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"RV5-DenialofService".



RV6-Misconfiguration Modification of a system that results in a misconfiguration defined as insecure or unreliable impacting the compliance, security, or availability of the system. Such configuration may increase the likelihood or impact of other adverse events.

Supporting Use Cases Essentials Click here to expand... Found 5 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"RV6-Misconfiguration".





UCESS022 Expected Host Not Reporting (Narrative and Use Case Center) Discovers hosts that are longer reporting events but should be submitting log events. This rule is used to monitor hosts that you know should be providing a constant stream of logs in order to determine why the host has failed to provide log data.Every 15 ... Aug 14, 2016

Maturing Click here to expand... Found 10 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"RV6-Misconfiguration".










UC0082 Communication with enclave by default rule (Narrative and Use Case Center) ... Communication from a enclave network may indicate a misconfiguration that could weaking the security posture of the organization or actual/attempted compromise. Communication filtered ... Apr 27, 2016



Supporting Data View Supporting data represents types of data utilized to support a solution eventually achieving a business objective. These data types can be consumed equally by use case narratives regardless of the underling technology. In some cases we recognize that all technology sources are not equal and further define specific "events" and critical fields that must be provided to successfully implement a narrative. This approach allows the user to head off failure on implementation when a give combination can not achieve success. DS001MAIL — Email remains the primary form of formal communication in most organizations. As such, mail server

databases and logs are some of the most important business records. Email messages and activity logs can be required to maintain compliance with an organization's information security, retention, and regulatory compliance processes, and may be subpoenaed or legally held as part of civil or criminal investigations. DS002DNS — The domain name system (DNS) is the Internet's phone book, providing a mapping between system or network resource names and IP addresses. DNS has a hierarchical name space that typically includes three levels: a top-level domain (TLD) such as .com, .edu or .gov; a second-level domain such as "google" or "Whitehouse;" and a system level such as "www" or "mail." DNS nameservers operate in this hierarchy either by acting as authoritative sources for particular domains, such as a company or governme DS003Authentication — Authentication systems establish the identity of an actor using one or more secret values i.e. password and one time pin. The authentication system typically issues a new secret which can be provided to applications i.e. Kerberos token or web cookie to permit access to a secured resource. DS004EndPointAntiMalware — The weakest link in corporate security are individuals, and antivirus is one way to protect them from performing inadvertently harmful actions. Whether it is clicking on an untrustworthy web link, downloading malicious software or opening a booby-trapped document (often one sent to them by an unsuspecting colleague), antivirus can often prevent, mitigate or reverse the damage. DS005WebProxyRequest — Web Proxies and some next generation firewalls may act in transparent or explicit mode communicating with (s) servers on behalf of a client. Using a number of related technologies the request and response can and permitted or blocked based on users role, site or resource category or attack indicator. Data logged in the events can potentially be used in detective correlation. DS006UserActivity — User activity within the organization environment such as Create Read(display), update, delete, search events must include critical data such as action, result, app, and a locator uri allowing normalized search on the targets of activity. DS007AuditTrail — Audit trail events represent a special class of events which can be triggered based on automated or user interaction with systems and indicate a condition has occurred where the integrity of the source is suspect at a point in time. DS008HRMasterData — Master Data system for Human Resources may publish an event indicating critical changes impacting people in an organization. Human Resources records include the entire employee lifecycle including recruitment, selection, hiring, job position and classification, promotion, salary, and bonuses, performance and ratings, disciplinary actions, training and certifications, and separation or retirement. For hourly employees, HR data often includes time and attendance records. HR systems often feed payr DS009EndPointIntel — In this context, endpoint refers to the security client software or agent installed on a client device that logs security-related activity not otherwise generated by the host operating system from the client OS, login, logout, shutdown events and various applications such as the browser (Explorer, Edge), mail client (Outlook) and Office applications. Endpoints also log their configuration and various security parameters (certificates, local anti-malware signatures, etc.), all of which is useful DS010NetworkCommunication — Network communication data is a record of communication between two system commonly using TCP version 4 or TCP version 6. Network communication can be recorded by a number of technologies including host operating systems, firewalls, switches, routers, deep packet inspection, and intrusion detection systems. DS011MalwareDetonation — Malware detonation systems also are known as sandboxing systems execute potentially malicious code in a clean environment for the purpose of collecting events related to their actions. Using automated and manual analysis indicators can be determined which can inform additional breach detection and prevention capability DS012NetworkIntrusionDetection — What is Intrusion Detection/Prevention? IDS and IPS are complementary, parallel security systems that supplement firewalls – IDS by exposing successful network and server attacks that penetrate a firewall, and IPS by providing more advanced defenses against sophisticated attacks. IDS is typically placed at the network edge, just inside a perimeter firewall, although some organizations also put a system outside the firewall to provide greater intelligence about all attacks. Likewise, IPS is typic DS013TicketManagement — Ticket management from tracking systems responsible for the security, and operational health of the environment(s) provides a rich resource for evaluating the effectiveness of the security program, as well as the detective, and preventive controls in place. DS014WebServer — Web server logs allow attribution of activity to a specific source ip and user when authenticated. The logs are detailed records of every transaction: every time a browser requests a web page, Apache logs details include items such as the time, remote IP address, browser type and page requested. Web Servers also log various error conditions such as a request for a missing file, attempts to access a file without appropriate permissions or problems with extension modules. Web Server logs are criti DS015ConfigurationManagement — Configuration management solution such as VMware Vcenter, MAAS, Puppet, Chef, System Center Configuration Manager, and System Center Virtualization Manager. Events generated by these systems


can provide valuable security investigations by providing information about who and what changes have been applied to systems. Additional information such as the base image utilized, birth and death timestamps provide data useful to identify windows of vulnerability. DS016DataLossPrevention — Data loss prevention solutions can identify human and automated activities as they interact with restricted information creating an audit trail of attempted actions and the systems response such as allow or block. DS017PhysicalSecurity — Most organizations use automated systems to secure physical access to facilities. Historically, these have been simple magnetic strips affixed to employee badges; however, locations with stringent security requirements may use some form of a biometric reader or digital key. Regardless of the technology, the systems compare an individual's identity with a database and activate doors when the user is authorized to enter a particular location. As digital systems, badge readers record information su DS018VulnerabilityDetection — An effective way to find security holes is to examine one's infrastructure from the attacker's point of view. Vulnerability scans probe an organization's network for known software defects that provide entry points for external agents. The scans yield data about open ports and IP addresses that can be used by malicious agents to gain entry to a particular system or entire network. Systems often keep network services running by default, even when they aren't required for a particular server. The DS019PatchManagement — Keeping operating systems and applications updated with the latest bug fixes and security patches is an essential task that can prevent unplanned downtime, random application crashes and security breaches. Although commercial apps and OSs often have embedded patching software, some organizations use independent patch management software to consolidate patch management and ensure the consistent application of patches across their software fleet and to build patch jobs for custom, internal applic DS020HostIntrustionDetection — Host based Intrusion Detection events provide signature based detection of changes that could weaken the security posture of the host based on changes to entire files or specific configuration. Such data can be very valuable in identifying when critical changes have occurred in the environment. DS021Telephony — Real-time business communications no longer are limited to voice calls provided by Plain Old Telephone Service (POTS); instead, voice, video, text messaging and web conferences are IP applications delivered over existing enterprise networks. Unlike traditional client-server or web applications, telephony and other communications applications have strict requirements on network quality of service, latency and packet loss, making service quality and reliability much more sensitive to network condi DS022Performance — Measures of system activity such as CPU load, memory and disk usage, and I/O traffic are the IT equivalent of EKGs to a doctor: the vital signs that show system health. Recording these measures provides a record of system activity over time that shows normal, baseline levels and unusual events. By registering myriad system parameters, performance logs also can highlight mismatches between system capacity and application requirements, such as a database using all available system memory and frequ DS023CrashReporting — Crash reports including summary of dumps, exceptions, and hangs can indicate attempts at exploitation of processes by malicious code or significant programing errors allowing possible future exploitation or failure of business services. DS024ApplicationServer — Application server logs, considering the actual business application, middleware such as Tomcat, and run time logs such as java runtime. contain a wealth of information created when users and systems interact. Anomalies in the logs can indicate potential failures or compromise attempts.

How to read the Supporting Data View Each data source represents a parent type of event and can contain zero or more specific event types for use by use case narratives and providing technologies.

Consuming use cases Consuming use cases are listed based on a dynamic search grouped by Adoption Phase Customer listing filtered for APC-Essential and APC-Mat uring

Provider Types Provider types are linkages to vendor and customer technologies which are believed or have been field validated to support the use cases identified.


DS001MAIL Introduction Email remains the primary form of formal communication in most organizations. As such, mail server databases and logs are some of the most important business records. Email messages and activity logs can be required to maintain compliance with an organization's information security, retention, and regulatory compliance processes, and may be subpoenaed or legally held as part of civil or criminal investigations.

Security Value Continuous Monitoring - Monitoring email server logs using analytic concepts such as new, rare, extremely over fields including sender, recipient, IP and domain increasing identify actors and potential victims of email based attacks Forensic Investigation Utilize email log events in contribution of other events to identify potential actors involved in targeted activity Utilize email log events to identify additional possible victims of email based attacks Utilize email log events to establish a timeline of who, when and what when investigating internal activity Legal compliance Utilize email logs to support discovery and defense of legal claims.

Event Types Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is subject to expansion and clarification over time.

Available Continuous Monitoring Use Cases Essentials Found 3 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS001MAIL".



UC0003 Server generating email outside of approved usage (Narrative and Use Case Center) Server operating systems often generate email for routine purposes. Configuration management can be used to identify which server may generate email and what recipients are permitted. Identify servers receiving email from the internet without approval Identify ... Apr 19, 2016 Maturing Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS001MAIL-*".



UC0004 Excessive number of emails sent from internal user (Narrative and Use Case Center) Excessive email generation by an authorized user could indicate the presence of malware for the purpose of spam sending, abusing company resources, or attempting to solve a business problem using a technique not approved by policy. For this use case, email generated from endpoint networks ... Apr 08, 2016 Mature Found 2 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS001MAIL-*".



Providing Technologies Found 3 search result(s) for title:PT* contentBody:"DS001MAIL".

PT001-Microsoft-Exchange (Narrative and Use Case Center) ... solution and channel of communication useful in various attacks access monitoring is imperative. Provides DS0 01MAIL DS001MailET01Access DS001MAILET02Receive DS001MailET03Send DS003Authentication Authentication occurs for Administrative action Active Sync ... Apr 01, 2016 Labels: provider-type

PT003-ExtraHop-SMTP (Narrative and Use Case Center) ... Provides DS001MAIL providertype Feb 05, 2016 Labels: provider-type

PT002-Splunk-Stream-SMTP (Narrative and Use Case Center) ... Provides DS001MAIL providertype Feb 05, 2016 Labels: provider-type


DS002DNS The domain name system (DNS) is the Internet's phone book, providing a mapping between system or network resource names and IP addresses. DNS has a hierarchical name space that typically includes three levels: a top-level domain (TLD) such as .com, .edu or .gov; a second-level domain such as "google" or "Whitehouse;" and a system level such as "www" or "mail." DNS nameservers operate in this hierarchy either by acting as authoritative sources for particular domains, such as a company or government agency or by acting as caching servers that store DNS query results for subsequent lookup by users in a specific location or organization; for example, a broadband provider caching addresses for its customers.

Security Value Continuous Monitoring Monitoring using analytic concepts such as new, rare, extremely over fields IP port and protocols increasing identify potential command and control systems Forensic Investigation Utilize communication log events in contribution of other events to identify potential actors involved in targeted activity Utilize communication log events to identify additional ingress and egress points Utilize communication log events to identify pivot points utilized by attackers to move into controlled network segments Utilize communication log events to establish a timeline of who, when and what when investigating internal activity Legal compliance Utilize communication logs to support discovery and defense of legal claims.


Consuming Use Cases Essentials Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS002DNS".

UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware Maturing Found 7 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS002DNS".


UCESS019 Excessive DNS Queries (Narrative and Use Case Center) Alerts when a host starts sending excessive DNS queries. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count where the message ... Aug 14, 2016


UC0072 Detection of unauthorized using DNS resolution for WPAD (Narrative and Use Case Center)


Detection of an endpoint utilizing DNS as a method of proxying by querying for wpad.registrationdomain. Search for reply NXDOMAIN replies for A/AAA queries for wpad (bare host) and wpad. where the domain portion is not a company owned domain. Problem Types Addressed Risk Addressed Event ... Apr 25, 2016



UC0049 Detection of DNS Tunnel (Narrative and Use Case Center) Endpoint utilizing DNS as a method of transmission for data exfiltration, command and control, or evasion of security controls. Detected by large total size of DNS traffic OR large number of unique queries. Problem Types Addressed Risk Addressed Event Data Sources ... Apr 25, 2016 Labels: prt05-tacticalthreat-ransomeware Maturing Found 7 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS002DNS".






UC0076 Excessive DNS Failures (Narrative and Use Case Center)


endpoint utilizing DNS as a transmission method for data exfiltration, command and control, or evasion of security controls can be detected by either a large volume or high number of unique DNS queries. Problem Types Addressed Risk Addressed Event Data Sources ... Apr 25, 2016 Labels: prt05-tacticalthreat-ransomeware


Providing Technologies Found 3 search result(s) for title:PT* contentBody:"DS002DNS".

PT002-Splunk-Stream-DNS (Narrative and Use Case Center) Provides DS002DNSET01Query DS002DNSET01QueryResponse DS002DNSET01QueryRequest providertype Apr 25, 2016 Labels: provider-type

PT003-ExtraHop-DNS (Narrative and Use Case Center) Provides DS002DNSET01Query DS002DNSET01QueryResponse DS002DNSET01QueryRequest providertype Apr 25, 2016 Labels: provider-type

PT013-ISCBIND-DNS (Narrative and Use Case Center) Provides DS002DNSET01QueryResponse DS002DNSET01QueryRequest providertype Apr 25, 2016 Labels: provider-type


DS003Authentication Authentication systems establish the identity of an actor using one or more secret values i.e. password and one time pin. The authentication system typically issues a new secret which can be provided to applications i.e. Kerberos token or web cookie to permit access to a secured resource. Enterprise Directory is a central system containing information about accounts such as name, phone, public certificates, email addresses, and group membership. Common enterprise directories such as Microsoft Active Directory, Tivoli Directory Server or Oracle Directory Server are widely distributed systems across multiple geographies and may involve thousands of servers. Application Authentication logs are a subset of application telemetry focused on user identity and login attempts. Network access (or admission, if you are a Cisco customer) control is a form of client/endpoint security that uses a locally installed software agent to pre-authorize connections to a protected network. NAC screens client devices for contamination by known malware and adherence to security policies such as running an approved OS with the most recent patches. Clients failing NAC screens are rerouted to an isolated quarantine network until any detected problems are corrected. Network appliances, including switches, routers, firewalls, proxies and performance monitoring tools have access to read and modify significant amounts of enterprise data and their modification could weaken the security posture of the organization. Switches are network intersections, places where packets move from one network segment to another. In their purest form, switches work within a particular IP subnet and can't route Layer 3 packets on to another network. Modern data center designs typically use a two-tier switch hierarchy: top-of-rack (ToR) switches connecting servers and storage arrays at the edge and aggregation or spine switches connecting to the network core. Although Ethernet switches are far more widespread, some organizations also use Fiber Channel or Infiniband for storage area networks or HPC interconnects, each of which has its own type of switch. Network proxies are used in several ways in IT infrastructure: as Web application accelerators and intelligent traffic direction, application-level firewalls and content filters. By acting as a transparent, 'bump-in-the-wire' intermediary, proxies see the entire Layer 7 network protocol stack, which allows them to implement application-specific traffic management and security policies. Hosting platforms including on-prem physical systems such as Cisco UCS, HP Insights, Virtual systems such as Vmware, and cloud providers such as AWS, Azure, and Digital Ocean contain significant critical infrastructure. Online and Backup storage systems contain all enterprise raw data. While all logical access is otherwise monitored frequently the ability of the actor to clone and read data from storage is unmonitored. Midrange and Mainframe systems such as IBM system Z, HP Nonstop Server (tandem), IBM system I, VAX, and Stratus are often overlooked.

Security Value Continuous Monitoring Monitoring using analytic concepts such as new, rare, extremely over fields IP and source host increasing identify actors and potential victims of account takeover based attacks Monitoring evidence of password guessing in single factor authentication schemes. Forensic Investigation Utilize authentication log events in contribution of other events to identify potential actors involved in targeted activity Utilize authentication log events to identify additional ingress and egress points Utilize authentication log events to identify pivot points utilized by attackers to move into controlled network segments Utilize authentication log events to establish a timeline of who, when and what when investigating internal activity Legal compliance Utilize communication logs to support discovery and defense of legal claims.

Adoption Phase APC-Essential All central authentication solutions All authentication points for systems of elevated risk such as those with confidential information or identified as critical All border authentication points such as: Webmail VPN Single sign on Employee external portal APC-Maturing All servers All network devices All network authentication APC-Mature All endpoint local authentication



Problem Types Addressable Found 9 search result(s) for title:PRT* contentBody:"DS003Authentication".

PRT02-SecurityVisibilityLateralMovement (Narrative and Use Case Center) ... within an organizations network following the compromise of an initial endpoint. Supporting Data Types DS003A uthentication DS006UserActivity DS009EndPointIntel DS010NetworkCommunication DS012NetworkIntrusionDetectionET01SigDetection Supporting Use Cases Essentials Maturing May 16, 2016

PRT01Compliance-PCI (Narrative and Use Case Center) ... logging and monitoring processes 10.1 Implement collection and retention of the following log sources DS003A uthentication DS003AuthenticationET01Success DS003AuthenticationET02Failure 10.2 See below 10.2.1 Implement collection and retention of the following ... Jun 24, 2016

PRT02-SecurityVisibilityExfiltration (Narrative and Use Case Center) ... from many types of systems in the enterprise and in the cloud. Supporting Data Sources DS001MAIL DS003Au thentication DS004EndPointAntiMalware DS005WebProxyRequest DS006UserActivity DS007AuditTrail DS008HRMasterData DS009EndPointIntel DS010NetworkCommunication DS014WebServerET01Access Supporting Use ... May 16, 2016

PRT02-SecurityVisibilityZeroDayAttacks (Narrative and Use Case Center) ... many types of systems in the enterprise and in the cloud. Supporting Data Sources DS001MAIL DS002DNS DS 003Authentication DS004EndPointAntiMalware DS005WebProxyRequest DS009EndPointIntel DS010NetworkCommunication DS011MalwareDetonationET01Detection DS012NetworkIntrusionDetectionET01SigDetection DS014WebServerET01Access Supporting Use Cases ... May 16, 2016

PRT02-SecurityVisibilityPriviledgeUserMonitoring (Narrative and Use Case Center) ... monitored with greater scrutiny than users not similarly entrusted. Supporting Data Types DS003Authenticatio n DS006UserActivity DS008HRMasterData DS009EndPointIntel DS017PhysicalSecurityET01Access Supporting Use Cases Essentials Maturing May 05, 2016

PRT02-IdentifyPatientZero (Narrative and Use Case Center) ... methods of the attackers and assist in the preparation of improved defenses. Supporting Data Types DS002DNS DS003Authentication DS004EndPointAntiMalware DS005WebProxyRequest DS006UserActivity DS008HRMasterData DS009EndPointIntel DS010NetworkCommunication DS011MalwareDetonationET01Detection DS017PhysicalSecurityET01Access Supporting Use ... May 05, 2016

PRT08-ProductAdoption-ES-Maturing (Narrative and Use Case Center) ... should be confirmed using the firewall communication logs where destination port is 23. DS003Authentication Authentication logs covering all central authentication systems such as Active Directory, ADFS ... Aug 14, 2016

PRT08-ProductAdoption-ES-Mature (Narrative and Use Case Center) ... should be confirmed using the firewall communication logs where destination port is 23. DS003Authentication Authentication logs covering all central authentication systems such as Active Directory, ADFS ... Aug 14, 2016

PRT08-ProductAdoption-ES-Essentials (Narrative and Use Case Center) ... should be confirmed using the firewall communication logs where destination port is 23. DS003Authentication Authentication logs covering all central authentication systems such as Active Directory, ADFS ... Aug 14, 2016

Consuming Use Cases


Essentials Found 6 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS003Authentication".






UC0043 Direct Authentication to NHA (Narrative and Use Case Center) Direct authentication via SSH or console session to a non human account indicates a violation of security policy by recording the password of a non human account for later use or by association of a SSH key to a non human account. Problem Types Addressed Risk ... Apr 11, 2016 Maturing Found 31 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS003Authentication".




UCESS020 Excessive Failed Logins (Narrative and Use Case Center) Detects excessive number of failed login attempts (this is likely a brute force attack)For the past 1 hour starting 5 minutes after realtime, search for failure in the tag field and return values of app and Source IP, tags, distinct user


... Aug 14, 2016










UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center) Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment


PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode RV6Misconfiguration ... Apr 08, 2016





UC0017 Unauthorized access or risky use of NHA (Narrative and Use Case Center) Detect the use of a Windows account designated by the organization as a non human account (NHA) outside of the normal usage of such an account. Login where the interactive indicator is set Login where the caller computer is a workstation or terminal server Problem Types Addressed Risk ... Apr 08, 2016



UC0008 Activity on previously inactive account (Narrative and Use Case Center) Excluding computer accounts in active directory, an account with new activity that has not been active in the previous thirty days is suspicious. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode DS003AuthenticationET01Success DE002IdentityInformation Adoption ... Apr 08, 2016



UCESS023 Alerts on access attempts that are improbably based on time and geography. (Narrative and Use


Case Center)












UC0035 Compromised account access testing (Narrative and Use Case Center) Following a successful authentication, an attacker will attempt to determine what resources may be accessed without causing host intrusion or DLP technologies to detect activity. Commonly the attacker will enumerate and browse to shares, access email, access web applications, or connect to databases ... Apr 08, 2016 Mature Found 31 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS003Authentication".





















UC0017 Unauthorized access or risky use of NHA (Narrative and Use Case Center) Detect the use of a Windows account designated by the organization as a non human account (NHA) outside of the normal usage of such an account. Login where the interactive indicator is set Login where the caller computer is a workstation or terminal server Problem Types Addressed Risk ... Apr 08, 2016



UC0008 Activity on previously inactive account (Narrative and Use Case Center) Excluding computer accounts in active directory, an account with new activity that has not been active in the previous thirty days is suspicious. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode DS003AuthenticationET01Success


DE002IdentityInformation Adoption ... Apr 08, 2016
















UC0035 Compromised account access testing (Narrative and Use Case Center) Following a successful authentication, an attacker will attempt to determine what resources may be accessed without causing host intrusion or DLP technologies to detect activity. Commonly the attacker will enumerate and browse to shares, access email, access web applications, or connect to databases ... Apr 08, 2016

Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS003Authentication" NOT contentBody:"DS003Authentication-*".


DS004EndPointAntiMalware The weakest link in corporate security are individuals, and antivirus is one way to protect them from performing inadvertently harmful actions. Whether it is clicking on an untrustworthy web link, downloading malicious software or opening a booby-trapped document (often one sent to them by an unsuspecting colleague), antivirus can often prevent, mitigate or reverse the damage.

Security Value Continuous Monitoring Monitoring for detection of malicious code using signatures to maintain a clean environment and react to newly identified weakness as exploited by attackers Forensic Investigation Identification of point of origin and potentially involved hosts in targeted and untargeted attacks Legal compliance Utilize communication logs to support discovery and defense of legal claims.


Consuming Use Cases Essentials Found 10 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS004EndPointAntiMalware".






UCESS024 High Number of Hosts Not Updating Malware Signatures (Narrative and Use Case Center) Alerts when a high number of hosts not updating malware signatures have been discovered. These hosts should


be evaluated to determine why they are not updating their malware signatures.Execute the malware operations tracker macro and calculate the timesignatureversion and return results that the day difference between ... Apr 26, 2016




UC0029 Endpoint new malware detected by signature (Narrative and Use Case Center) When a new malware variant is detect by endpoint antivirus technology it is possible the configuration or capability of other controls are deficient. Review the sequence of events leading to the infection to determine if additional preventive measures can be put in place. Problem Types Addressed Risk ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware Maturing Found 6 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS004EndPointAntiMalware".





Multiple infected devices in the same organizational unit could indicate a successful spear phishing attack. Monitor for more than 5% of the hosts in an organizational unit. Problem Types Addressed Risk Addressed Event Data


Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware


UC0073 Endpoint detected malware infection from url (Narrative and Use Case Center) Endpoint antimalware detection event occurred where the malicious content was retrieved from an external URL. Possible indication of gaps in protection by web proxy, intrusion prevention, or advanced threat prevention. Use the information available for the event and determine how existing ... Apr 11, 2016 Labels: prt05-tacticalthreat-ransomeware Mature Found 6 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS004EndPointAntiMalware".







UC0073 Endpoint detected malware infection from url (Narrative and Use Case Center)


Endpoint antimalware detection event occurred where the malicious content was retrieved from an external URL. Possible indication of gaps in protection by web proxy, intrusion prevention, or advanced threat prevention. Use the information available for the event and determine how existing ... Apr 11, 2016 Labels: prt05-tacticalthreat-ransomeware

Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS004EndPointAntiMalware".


DS005WebProxyRequest Web Proxies and some next generation firewalls may act in transparent or explicit mode communicating with (s) servers on behalf of a client. Using a number of related technologies the request and response can and permitted or blocked based on users role, site or resource category or attack indicator. Data logged in the events can potentially be used in detective correlation.

Security Value Continuous Monitoring Monitoring logs using analytic concepts such as new, rare, extremely over fields including sender, recipient, IP, and domain increasing identify actors and potential victims of web-based attacks Monitor user agent strings in relation to websites and categories for potential indication of malware command and control. Monitor user agent strings and change in requests for a resource for potential indication of data exfiltration Forensic Investigation Utilize log events in contribution of other events to identify potential actors involved in targeted activity Utilize log events to identify additional possible victims of related attacks Utilize log events to establish a timeline of who, when and what when investigating internal activity Legal compliance Utilize logs to support discovery and defense of legal claims.


Consuming Use Cases Essentials Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS005WebProxyRequest".

UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware Maturing Found 4 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS005WebProxyRequest".





UC0081 Communication with unestablished domain (Narrative and Use Case Center) Egress communication with a newly seen, newly registered, or registration date unknown domain may indicate the presence of malicious code. Assets communicating with external services excluding Alexa TOP 1M whose reputation score exceeds acceptable norms will be flagged ... Apr 25, 2016 Labels: prt05-tacticalthreat-ransomeware Mature Found 4 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS005WebProxyRequest".





Providing Technologies Found 6 search result(s) for title:PT* contentBody:"DS005WebProxyRequest".

PT004-McAfee Web Gateway (Narrative and Use Case Center) Provides DS003Authentication DS005WebProxyRequestET01RequestedWebAppAware providertype Apr 06, 2016 Labels: provider-type

PT009-SourceFire (Narrative and Use Case Center) Provides DS005WebProxyRequestET01RequestedWebAppAware DS010NetworkCommunicationET01TrafficAppAware providertype Apr 06, 2016 Labels: provider-type

PT008-Snort (Narrative and Use Case Center) Provides DS005WebProxyRequestET01RequestedWebAppAware DS010NetworkCommunicationET01TrafficAppAware providertype Apr 06, 2016 Labels: provider-type

PT006-PaloAlto Firewall (Narrative and Use Case Center) Provides DS003Authentication DS005WebProxyRequestET01RequestedWebAppAware


DS010NetworkCommunicationET01TrafficAppAware providertype Apr 06, 2016 Labels: provider-type

PT011-Bluecoat (Narrative and Use Case Center) ... Provides DS003Authentication DS005WebProxyRequest providertype Feb 05, 2016 Labels: provider-type

PT010-Websense (Narrative and Use Case Center) ... Provides DS003Authentication DS005WebProxyRequest providertype Feb 05, 2016 Labels: provider-type


DS006UserActivity User activity within the organization environment such as Create Read(display), update, delete, search events must include critical data such as action, result, app, and a locator uri allowing normalized search on the targets of activity.


Consuming Use Cases Essentials Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS006UserActivity".

UCESS045 Potential Gap in Data (Narrative and Use Case Center) Detects gaps caused by the failure of the search head. If saved searches do not execute then there may be gaps in summary data.For the past 5 minutes starting 5 minutes after realtime, return scheduled searches that were successful where the app context ... Aug 16, 2016 Maturing Found 9 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-*".

UCESS049 Short-lived Account Detected (Narrative and Use Case Center) past 4 hours, find all events that action is equal to created or deleted. Look at the time range across user and destination and use only two events and only return events where the count is greater than 1 and the time range ... Aug 14, 2016





UC0039 Use of Shared Secret for access to critical or sensitive system (Narrative and Use Case Center)


Use of a secret/shared secret account for access to such a system rather than accountable credentials could indicate an attempt to avoid detection. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access DS006UserActivityET07ExecuteAs ... Apr 11, 2016


UCESS042 New User Account Created On Multiple Hosts (Narrative and Use Case Center) Useraccountstracker returns destination (host, IP, name), user, firstTime, lastTime and isinteractive. Create earliestQual based on 24 hours ago, snapped to the top of the hour and latestQual which is now. Return values where firstTime is greater than or equal to earliestQual ... Aug 14, 2016

UCESS040 Network Change Detected (Narrative and Use Case Center) Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw and count grouped by the device that reported the change dvc (host, IP, name), the action performed on the resource and the command that initiated the change. Problem Types ... Aug 14, 2016 Mature Found 9 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS006UserActivity-*".







UC0039 Use of Shared Secret for access to critical or sensitive system (Narrative and Use Case Center) Use of a secret/shared secret account for access to such a system rather than accountable credentials could indicate an attempt to avoid detection. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access DS006UserActivityET07ExecuteAs ... Apr 11, 2016




Providing Technologies Found 1 search result(s) for title:PT* contentBody:"DS006UserActivity".

PT012-Splunk-InternalLogging (Narrative and Use Case Center) ... extensive internal logging covering performance and usage. Provides DS003Authentication DS003AuthenticationET01Success DS003AuthenticationET02Failure DS006UserActivity Key Facts Impact to index/license None LOADLow Work Estimates None ... Apr 01, 2016 Labels: provider-type


DS007AuditTrail Audit trail events represent a special class of events which can be triggered based on automated or user interaction with systems and indicate a condition has occurred where the integrity of the source is suspect at a point in time.

Security Value Continuous Monitoring - Identification of conditions which may impact the trustworthiness of a log source Forensic Investigation - Identification of point in time where trust in the log source may be suspect Legal compliance Utilize logs to support discovery and defense of legal claims. Utilize logs to establish a time sequence


Consuming Use Cases Essentials Found 3 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS007AuditTrail".



UCESS022 Expected Host Not Reporting (Narrative and Use Case Center) ... Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV6Misconfiguration DS007AuditTrail DE001AssetInformation Adoption Phase Customer Adoption Phase SME Adoption Phase Industry ... Aug 14, 2016 Maturing Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS007AuditTrail-*".


UCESS050 Should Timesync Host Not Syncing (Narrative and Use Case Center) Detects when hosts that are required to synchronize their clocks have failed to do so. Time synchronization is important because it ensures that the event logs are stamped with the proper time. Additionally, this is required by some regulatory compliance standards (such as PCI). For the past 30 days ... Aug 14, 2016 Mature


Found 2 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS007AuditTrail-*".



Providing Technologies Found 1 search result(s) for title:PT* contentBody:"DS007AuditTrail".

PT005-Microsoft-Windows (Narrative and Use Case Center) ... Provides DS003Authentication Authentication occurs for User Authentication Computer Authentication DS007A uditTrail DS007AuditTrailET01Clear DS007AuditTrailET02Alter Key Facts Impact to index/license Based on log files ... Aug 09, 2016 Labels: provider-type


DS008HRMasterData Master Data system for Human Resources may publish an event indicating critical changes impacting people in an organization. Human Resources records include the entire employee lifecycle including recruitment, selection, hiring, job position and classification, promotion, salary, and bonuses, performance and ratings, disciplinary actions, training and certifications, and separation or retirement. For hourly employees, HR data often includes time and attendance records. HR systems often feed payroll and finance systems for processing salary and benefits. HR records provide the definitive source of employee information for identity management systems and enterprise directories, making them an important source for authentication and authorization data. Although HR data traditionally has been textual, it increasingly includes images and biometric information such as an employee's portrait, fingerprints, and iris scans.

Security Value Continuous Monitoring - Identification of events which could increase the risk of a user


Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS008HRMasterData".

Maturing Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS008HRMasterData-*".




... Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access DS003AuthenticationET01Success DS008HRMasterData DE001AssetInformation DE002IdentityInformation Adoption Phase Customer Adoption Phase SME Adoption Phase ... Apr 08, 2016 Mature Found 2 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS008HRMasterData-*".




... Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access DS003AuthenticationET01Success DS008HRMasterData DE001AssetInformation DE002IdentityInformation Adoption Phase Customer Adoption Phase SME Adoption Phase ... Apr 08, 2016


Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS008HRMasterData".


DS009EndPointIntel In this context, endpoint refers to the security client software or agent installed on a client device that logs security-related activity not otherwise generated by the host operating system from the client OS, login, logout, shutdown events and various applications such as the browser (Explorer, Edge), mail client (Outlook) and Office applications. Endpoints also log their configuration and various security parameters (certificates, local anti-malware signatures, etc.), all of which is useful in posthoc forensic security incident analysis. Sources of endpoint data vary in their coverage consider Microsoft EMET, Microsoft Symon, Tripwire, Bit9, SolidCore, or Mcafee HIDs as examples.

Security Value Continuous Monitoring - Monitoring logs using analytic concepts such as new, rare, extremely over fields including sender, recipient, IP and domain increasing identify actors and potential victims of email based attacks Forensic Investigation Utilize email log events in contribution of other events to identify potential actors involved in targeted activity Utilize email log events to identify additional possible victims of email based attacks Utilize email log events to establish a timeline of who, when and what when investigating internal activity Legal compliance Utilize email logs to support discovery and defense of legal claims.


Consuming Use Cases Essentials Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS009EndPointIntel".

UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware Maturing Found 5 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS009EndPointIntel".

UCESS008 Anomalous New Service (Narrative and Use Case Center) ... Data Sources Enrichment Select PRT Values RV3MaliciousCode https://securitykit.atlassian.net/wiki/display/GD/RV3MaliciousCode?src=contextnavpagetreemode RV6Misconfiguration https://securitykit.atlassian.net/wiki/display/GD/RV6Misconfiguration?src=contextnavpagetreemode DS009EndPoi ntIntel https://securitykit.atlassian.net/wiki/display/GD/DS009EndPointIntel?src=contextnavpagetreemode DS009EndPointIntelET01ServiceChange https://securitykit.atlassian.net/wiki/display/GD/DS009EndPointIntel?src=contextnavpagetreemode DDE001 Asset Information https://securitykit.atlassian.net/wiki/display/GD/DDE001AssetInformation?src=contextnavpagetreemode DDE004 Threat List ... Aug 14, 2016


UC0031 Non human account starting processes not associated with the purpose of the account (Narrative and


Use Case Center)


UCESS046 Prohibited Process Detected (Narrative and Use Case Center) Looking across a realtime window of /5 minutes, run the macro getinterestingprocesses and return processes that isprobhibited is set to true. Run the macros geteventid and mapnotablefields and add the following fields to the output: origeventid (macro creates hash of indexer, time and raw event ... Aug 14, 2016

UCESS047 Prohibited Service Detected (Narrative and Use Case Center) Looking across a realtime window of /5 minutes, run the macro service and return services where isprobhibited is set to true. Run the macros geteventid and mapnotablefields and add the following fields to the output: origeventid (macro creates hash of indexer, time and raw ... Aug 14, 2016 Mature Found 5 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS009EndPointIntel".

UCESS008 Anomalous New Service (Narrative and Use Case Center) ... Data Sources Enrichment Select PRT Values RV3MaliciousCode https://securitykit.atlassian.net/wiki/display/GD/RV3MaliciousCode?src=contextnavpagetreemode RV6Misconfiguration https://securitykit.atlassian.net/wiki/display/GD/RV6Misconfiguration?src=contextnavpagetreemode DS009EndPoi ntIntel https://securitykit.atlassian.net/wiki/display/GD/DS009EndPointIntel?src=contextnavpagetreemode DS009EndPointIntelET01ServiceChange https://securitykit.atlassian.net/wiki/display/GD/DS009EndPointIntel?src=contextnavpagetreemode DDE001 Asset Information https://securitykit.atlassian.net/wiki/display/GD/DDE001AssetInformation?src=contextnavpagetreemode DDE004 Threat List ... Aug 14, 2016







Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS009EndPointIntel".


DS010NetworkCommunication Network communication data is a record of communication between two system commonly using TCP version 4 or TCP version 6. Network communication can be recorded by a number of technologies including host operating systems, firewalls, switches, routers, deep packet inspection, and intrusion detection systems. Firewalls demarcate zones of different security policy. By controlling the flow of network traffic, firewalls act as gatekeepers collecting valuable data that might not be captured in other locations due to the firewall's unique position as the gatekeeper to network traffic. Firewalls also execute security policy and thus may break applications using unusual or unauthorized network protocols. Deep Package Inspection Data (DPI) is a fundamental technique used by firewalls to inspect headers and the payload of network packets before passing them down the network subject to security rules. DPI provides information about the source and destination of the packet, the protocol, other IP and TCP/UDP header information and the actual data. Virtual private networks (VPNs) are a way of building a secure extension of a private network over an insecure, public one. VPNs can be established either between networks, routing all traffic between two sites, or between a client device and a network. Network-to-network VPNs typically are created using strong credentials such as certificates on each end of the connection. Client-to-network VPNs rely on user authentication, which can be as simple as a username and password. VPNs use network tunneling IDS and IPS are complementary, parallel security systems that supplement firewalls – IDS by exposing successful network and server attacks that penetrate a firewall, and IPS by providing more advanced defenses against sophisticated attacks. IDS is typically placed at the network edge, just inside a perimeter firewall, although some organizations also put a system outside the firewall to provide greater intelligence about all attacks. Likewise, IPS is typically placed at the network perimeter, although it also may be used in layers at other points inside the network or on individual servers. IPS usually works by dropping packets, resetting network connections and blacklisting specific IP addresses or ranges. Though this type of source can provide this data it is rare to implement at scale due to performance and placement constraints in the enterprise network Switches are network intersections, places where packets move from one network segment to another. In their purest form, switches work within a particular IP subnet and can't route Layer 3 packets on to another network. Modern data center designs typically use a two-tier switch hierarchy: top-of-rack (ToR) switches connecting servers and storage arrays at the edge and aggregation or spine switches connecting to the network core. Although Ethernet switches are far more widespread, some organizations also use Fiber Channel or Infiniband for storage area networks or HPC interconnects, each of which has its own type of switch. Routers are devices responsible for ensuring that traffic goes to the right network segment. Unlike switches that operate at Layer 2, routers work at Layer 3, directing traffic based on TCP/IP address and protocol (port number). Routers are responsible for particular Layer 3 address spaces and manage traffic using information in routing tables and configured policies. Routers exchange information and update their forwarding tables using dynamic routing protocols. Netflow is a network monitoring protocol originally developed by Cisco but now supported by most equipment vendors, that provides a detailed record of network traffic organized by packet flow. A flow is defined as a set of IP packets sharing a set of five to seven attributes, namely IP source and destination address, source and destination port, Layer 3 protocol type, class of service (CoS) and router or switch interface (physical port). Flow records can be exported and aggregated to show traffic movement, statistics, and historical trends.

Security Value Continuous Monitoring Monitoring using analytic concepts such as new, rare, extremely over fields IP port and protocols increasing identify actors and potential victims of network based attacks Monitoring for blocked communication activity by intermediate defensive systems such as firewalls and intrusion detection systems Forensic Investigation Utilize communication log events in contribution of other events to identify potential actors involved in targeted activity Utilize communication log events to identify additional ingress and egress points Utilize communication log events to identify pivot points utilized by attackers to move into controlled network segments Utilize communication log events to establish a timeline of who, when and what when investigating internal activity Legal compliance Utilize communication logs to support discovery and defense of legal claims.


Consuming Use Cases Essentials Found 4 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS010NetworkCommunication".

UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on


the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware



UC0020 Attempted communication through external firewall not explicitly granted (Narrative and Use Case Center) Any attempted communication through the firewall not previously granted by ingress/egress policies could indicate either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions (bypassing the firewall). Legacy Command and Control (a.k.a. C&C or C2 ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware Maturing Found 12 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS010NetworkCommunication-*".






UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center)


Using web application access logs for assets deemed high/crticial or with the governace attributed ensure the source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices ensure the first "xforwardedfor" entry ... Jun 24, 2016






UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center) Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of new software (potentially unapproved) or a successful compromise of a host (such as the presence of a backdoor or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return values ... Aug 14, 2016 Maturing Found 12 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS010NetworkCommunication-*".



UC0082 Communication with enclave by default rule (Narrative and Use Case Center) Communication from a enclave network may indicate a misconfiguration that could weaking the security posture of the organization or actual/attempted compromise. Communication filtered by the default rule implies no explicit


permission for communication has been granted and should be reviewed. Consider ingress ... Apr 27, 2016










Providing Technologies


Found 4 search result(s) for title:PT* contentBody:"DS010NetworkCommunication".



PT006-PaloAlto Firewall (Narrative and Use Case Center) Provides DS003Authentication DS005WebProxyRequestET01RequestedWebAppAware DS010NetworkCommunicationET01TrafficAppAware providertype Apr 06, 2016 Labels: provider-type

PT016-Cisco-ASA/PIX/FWSM (Narrative and Use Case Center) Cisco ASA is a multi function firewall, VPN, reverse proxy device Provides DS003AuthenticationET01Success DS003AuthenticationET02Failure DS003AuthenticationET02FailureBadFactor DS010NetworkCommunicationET01Traffic DS012NetworkIntrusionDetectionET01SigDetection DS014WebServerET01Access Key Facts Impact to index/license Educated 3k nm nu = Total K per Day (average ... Jul 25, 2016 Labels: provider-type


DS011MalwareDetonation Malware detonation systems also are known as sandboxing systems execute potentially malicious code in a clean environment for the purpose of collecting events related to their actions. Using automated and manual analysis indicators can be determined which can inform additional breach detection and prevention capability

Security Value Continuous Monitoring - Monitoring email server logs using analytic concepts such as new, rare, extremely over fields including sender, recipient, ip and domain increasing identify actors and potential victims of email based attacks Forensic Investigation - Logs can be utilized to determine if actions from a user/host may indicate control by a third party







UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center) primaryfunctionstracker macro gathers all local procceses, services and listening ports from their trackers and associates identity and asset information with each. Looking back over the past 24 hours, return values of the


function and their distinct count grouped by destination (host ... Aug 14, 2016










UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center) Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all


summary data even ... Aug 14, 2016

UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center) Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of new software (potentially unapproved) or a successful compromise of a host (such as the presence of a backdoor or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return values ... Aug 14, 2016 Mature Found 12 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS010NetworkCommunication-*".








UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center) Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may


indicate malicious code. Exclude category svcnetworkscanner Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode RV4ScanProbe ... Apr 08, 2016





Providing Technologies Click here to expand... Found 4 search result(s) for title:PT* contentBody:"DS010NetworkCommunication".







DS012NetworkIntrusionDetection What is Intrusion Detection/Prevention? IDS and IPS are complementary, parallel security systems that supplement firewalls – IDS by exposing successful network and server attacks that penetrate a firewall, and IPS by providing more advanced defenses against sophisticated attacks. IDS is typically placed at the network edge, just inside a perimeter firewall, although some organizations also put a system outside the firewall to provide greater intelligence about all attacks. Likewise, IPS is typically placed at the network perimeter, although it also may be used in layers at other points inside the network or on individual servers. IPS usually works by dropping packets, resetting network connections and blacklisting specific IP addresses or ranges.

Security Value Continuous Monitoring - Monitoring logs using analytic concepts such as new, rare, extremely over fields including ip and signature increasing identify actors and potential victims network vulnerability based attacks Forensic Investigation Identify compromised or potentially compromised hosts based on exploitation data Legal compliance Utilize email logs to support discovery and defense of legal claims.


Consuming Use Cases Essentials Found 3 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS012NetworkIntrusionDetection".



UC0074 Network Intrusion Internal Network (Narrative and Use Case Center) IDS/IPS detecting or blocking an attack based on a known signature. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS012NetworkIntrusionDetectionET01SigDetection DE001AssetInformation Adoption Phase Customer Adoption Phase SME Adoption Phase ... May 09, 2016 Labels: prt05-tacticalthreat-ransomeware Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS012NetworkIntrusionDetection-*".

Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS012NetworkIntrusionDetection-*".



Found 2 search result(s) for title:PT* contentBody:"DS012NetworkIntrusionDetection".

PT017-Trend-TippingPoint (Narrative and Use Case Center) Trend Micro tippingpoint IPS product Provides DS012NetworkIntrusionDetectionET01SigDetection Key Facts Impact to index/license Based on log files total size of message tracking log file over 7 days from devices where local log collection ... Jul 25, 2016 Labels: provider-type



DS013TicketManagement Ticket management from tracking systems responsible for the security, and operational health of the environment(s) provides a rich resource for evaluating the effectiveness of the security program, as well as the detective, and preventive controls in place.

Security Value Continuous Monitoring - Monitoring the effective execution of triage and remediation activities. Legal compliance Utilize logs to support discovery and defense of legal claims. Establish a timeline of what was known, when and by whom


Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essentials" contentBody:"DS013TicketManagement-*".

Maturing Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS013TicketManagement-*".



UCESS051 Substantial Increase In Events (Narrative and Use Case Center) Alerts when a statistically significant increase in a particular event is observed. For the past hour, using all summary data even if the model has changed, generate a count by signature and compare that count against the previous hour and trigger if the signature is above medium ... Aug 14, 2016 Mature Found 3 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS013TicketManagement-*".


UC0084 Monitor Execution of Triage Activtity (Narrative and Use Case Center) Define and maintain eventypes for unsuppressed notable events separately identifying review work flow, and triage SLA required. Problem Types Addressed Risk Addressed Event Data Sources Enrichment


PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS013TicketManagementET01 TBD Adoption Phase ... Apr 27, 2016


Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS013TicketManagement".


DS014WebServer Web server logs allow attribution of activity to a specific source ip and user when authenticated. The logs are detailed records of every transaction: every time a browser requests a web page, Apache logs details include items such as the time, remote IP address, browser type and page requested. Web Servers also log various error conditions such as a request for a missing file, attempts to access a file without appropriate permissions or problems with extension modules. Web Server logs are critical in debugging both web application and server problems but are also used to generate traffic statistics, track user behavior and flag security attacks such as attempted unauthorized entry or DDoS.


Security Value Continuous Monitoring Monitoring server logs using analytic concepts such as new, rare, extremely over fields including site, resource, and IP increasing identify actors and potential victims of attacks Monitoring server logs using analytic concepts to identify potential DOS attacks by increasing number of requests for sites or specific resource Forensic Investigation Utilize log events in contribution of other events to identify potential actors involved in targeted activity Utilize log events to identify scope of exploitation Utilize log events to identify scope of time for an incident Legal compliance Utilize logs to support discovery and defense of legal claims.

Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS014WebServer".

Maturing Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS014WebServer-*".




Communication to any web application server without filtering by a network web application firewall indicates a security misconfigration. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS014WebServerET01Access DDE001 Asset Information ... Apr 27, 2016 Mature Found 3 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS014WebServer-*".






Providing Technologies Found 1 search result(s) for title:PT* contentBody:"DS014WebServer".



DS015ConfigurationManagement Configuration management solution such as VMware Vcenter, MAAS, Puppet, Chef, System Center Configuration Manager, and System Center Virtualization Manager. Events generated by these systems can provide valuable security investigations by providing information about who and what changes have been applied to systems. Additional information such as the base image utilized, birth and death timestamps provide data useful to identify windows of vulnerability.

Security Value Continuous Monitoring - Monitoring of privileged user activity such as change outside of windows, access to sensitive configuration values or modification to critical controls Forensic Investigation Establish a time line of activities of a privileged user Establish when controls were placed or removed on a specific host Legal compliance Utilize logs to support discovery and defense of legal claims.


Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS015ConfigurationManagement*".

Maturing Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS015ConfigurationManagement*".

UCESS009 Asset Ownership Unspecified (Narrative and Use Case Center) Alerts when there are assets that define a specific priority and category but do not have an assigned owner. Return all assets where the priority is not null and the length of the value in priority is greater than 0 and the category is not null and the length of the value in category is greater than ... Aug 14, 2016 Mature Found 1 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS015ConfigurationManagement*".


Providing Technologies Found 1 search result(s) for title:PT* contentBody:"DS014WebServer" NOT contentBody:"DS015ConfigurationManagement-*".

PT016-Cisco-ASA/PIX/FWSM (Narrative and Use Case Center) Cisco ASA is a multi function firewall, VPN, reverse proxy device Provides DS003AuthenticationET01Success DS003AuthenticationET02Failure DS003AuthenticationET02FailureBadFactor DS010NetworkCommunicationET01Traffic DS012NetworkIntrusionDetectionET01SigDetection DS014WebServerET01Access Key Facts Impact to index/license Educated 3k nm nu = Total K per Day (average ...


Jul 25, 2016 Labels: provider-type


DS016DataLossPrevention Data loss prevention solutions can identify human and automated activities as they interact with restricted information creating an audit trail of attempted actions and the systems response such as allow or block.

Security Value Continuous Monitoring Monitoring alerts indicating policy violation or attempted policy violation to prompt immediate action by security monitoring. Monitoring alerts indicating excessive interaction with restricted information as possible indication of compromise Forensic Investigation Utilize events in contribution of other events to identify potential actors involved in targeted activity Utilize events to establish a time line of who, when and what when investigating internal activity Legal compliance Utilize logs to support discovery and defense of legal claims. Utilize logs to support documentation of compliance


Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS016DataLossPrevention".

Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS016DataLossPrevention-*".

Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS016DataLossPrevention-*".

Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS016DataLossPrevention".


DS017PhysicalSecurity Most organizations use automated systems to secure physical access to facilities. Historically, these have been simple magnetic strips affixed to employee badges; however, locations with stringent security requirements may use some form of a biometric reader or digital key. Regardless of the technology, the systems compare an individual's identity with a database and activate doors when the user is authorized to enter a particular location. As digital systems, badge readers record information such as user ID, date and time of entry and perhaps a photo for each access attempt. Motion and sensor indicators may also be useful in extreme situations where physical access is limited tightly.

Security Value Forensic Investigation Utilize log events to place a badge (single factor) or person (two-factor bio/pin) in a specific location Legal compliance Utilize logs to support discovery and defense of legal claims.


Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS017PhysicalSecurity".

Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS017PhysicalSecurity-*".

Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS017PhysicalSecurity-*".

Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS017PhysicalSecurity".


DS018VulnerabilityDetection An effective way to find security holes is to examine one's infrastructure from the attacker's point of view. Vulnerability scans probe an organization's network for known software defects that provide entry points for external agents. The scans yield data about open ports and IP addresses that can be used by malicious agents to gain entry to a particular system or entire network. Systems often keep network services running by default, even when they aren't required for a particular server. These running, yet orphaned, i.e. unmonitored services are a common means of external attack since they may not be patched with the latest OS security updates. Broadscale vulnerability scans can reveal security holes that could be leveraged to access an entire enterprise network.


Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS018VulnerabilityDetection".

Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS018VulnerabilityDetection-*".

Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS018VulnerabilityDetection-*".

Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS018VulnerabilityDetection".


DS019PatchManagement Keeping operating systems and applications updated with the latest bug fixes and security patches is an essential task that can prevent unplanned downtime, random application crashes and security breaches. Although commercial apps and OSs often have embedded patching software, some organizations use independent patch management software to consolidate patch management and ensure the consistent application of patches across their software fleet and to build patch jobs for custom, internal applications. Patch management software keeps a patch inventory using a database of available updates and can match these against an organization’s installed software. Other features include patch scheduling, post-install testing and validation and documentation of required system configurations and patching procedures.


Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS019PatchManagement*".

Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS019PatchManagement-*".

Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS019PatchManagement-*".

Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS019PatchManagement".


DS020HostIntrustionDetection Host based Intrusion Detection events provide signature based detection of changes that could weaken the security posture of the host based on changes to entire files or specific configuration. Such data can be very valuable in identifying when critical changes have occurred in the environment.

Security Value Continuous Monitoring - Monitoring of alerts generated to ensure the SOC triages events in a timely manor Forensic Investigation Utilize log events in contribution of other events to identify potential actors involved in targeted activity Utilize log events to identify additional possible victims of email based attacks Utilize log events to establish a time line of who, when and what when investigating internal activity Legal compliance Utilize logs to support discovery and defense of legal claims.


Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS020HostIntrustionDetection".

Maturing Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS020HostIntrustionDetection-*".


UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center) Using web application access logs for assets deemed high/crticial or with the governace attributed ensure the source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices ensure the first "xforwardedfor" entry ... Jun 24, 2016 Mature Found 2 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS020HostIntrustionDetection-*".




Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS020HostIntrustionDetection".


DS021Telephony Real-time business communications no longer are limited to voice calls provided by Plain Old Telephone Service (POTS); instead, voice, video, text messaging and web conferences are IP applications delivered over existing enterprise networks. Unlike traditional client-server or web applications, telephony and other communications applications have strict requirements on network quality of service, latency and packet loss, making service quality and reliability much more sensitive to network conditions and server responsiveness. Traditional POTS has conditioned people to expect immediate dial tone when picking up the phone and be intolerant of noise, echo or other problems that can plague IP telephony; as such, the systems and supporting infrastructure require careful monitoring and management to assure quality and reliability. Voice over IP protocol refers to several methods for transmitting real-time audio (and now video) information over an IP-based data network. Unlike traditional phone systems using dedicated, point-to-point circuits, VoIP applications use packet-based networks to carry real-time audio streams that are interspersed with other Ethernet data traffic. Since TCP packets may be delivered out of order due to data loss and retransmission, VoIP includes features to buffer and reassemble a stream. Similarly, VoIP packets are usually tagged with quality of service (QoS) headers to prioritize their delivery through the network.

Security Value Forensic Investigation Utilize log events in contribution of other events to identify potential actors involved in targeted activity Utilize log events to identify additional possible victims of social engineering attacks Utilize log events to establish a time line of who, when and what when investigating internal activity Legal compliance Utilize logs to support discovery and defense of legal claims.


Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS021Telephony".

Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS021Telephony-*".

Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS021Telephony-*".

Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS021Telephony".


DS022Performance Measures of system activity such as CPU load, memory and disk usage, and I/O traffic are the IT equivalent of EKGs to a doctor: the vital signs that show system health. Recording these measures provides a record of system activity over time that shows normal, baseline levels and unusual events. By registering myriad system parameters, performance logs also can highlight mismatches between system capacity and application requirements, such as a database using all available system memory and frequently swapping to disk. Application performance management (APM) software provides end-to-end measurement of complex, multitier applications to provide performance metrics from an end user's perspective. APM logs also provide event traces and diagnostic data that can assist developers in identifying performance bottlenecks or error conditions. The data from APM software provides both a baseline of typical application performance and record of anomalous behavior or performance degradation. Carefully monitoring APM logs can provide early warning to application problems and allow IT and developers to remediate issues before users experience significant degradation or disruption. APM logs also are required to perform post-hoc forensic analysis of complex application problems that may involve subtle interactions between multiple machines and/or network devices.

Security Value Continuous Monitoring Monitor system resources for increased utilization or exhaustion as possible indication of denial of service attack Monitor system resources for increased utilization or exhaustion as possible indication of brute force attack. Forensic Investigation Utilize log events in contribution of other events to identify potential actors involved in targeted activity Utilize log events to identify additional possible victims of social engineering attacks Utilize log events to establish a timeline of who, when and what when investigating internal activity Legal compliance Utilize logs to support discovery and defense of legal claims.


Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS022Performance".

Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS022Performance-*".

Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS022Performance-*".

Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS022Performance".


DS023CrashReporting Crash reports including summary of dumps, exceptions, and hangs can indicate attempts at exploitation of processes by malicious code or significant programing errors allowing possible future exploitation or failure of business services.

Security Value Continuous Monitoring Monitor and triage occurrences as possible indication of attack Forensic Investigation Utilize log events in contribution of other events to identify potential actors involved in targeted activity Utilize log events to identify additional possible victims of social engineering attacks Utilize log events to establish a time line of who, when and what when investigating internal activity Legal compliance Utilize logs to support discovery and defense of legal claims.


Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS023CrashReporting".

Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS023CrashReporting-*".

Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS023CrashReporting-*".

Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS023CrashReporting".


DS024ApplicationServer Application server logs, considering the actual business application, middleware such as Tomcat, and run time logs such as java runtime. contain a wealth of information created when users and systems interact. Anomalies in the logs can indicate potential failures or compromise attempts.

Security Value Continuous Monitoring Develop implementation specific monitoring to alert security operations to potential issues created by external interaction Forensic Investigation Utilize log events in contribution of other events to identify potential actors involved in targeted activity Utilize log events to identify additional possible victims of social engineering attacks Utilize log events to establish a timeline of who, when and what when investigating internal activity Legal compliance Utilize logs to support discovery and defense of legal claims.


Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS024ApplicationServer".

Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS024ApplicationServer-*".

Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS024ApplicationServer-*".

Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS024ApplicationServer".


Supporting Event Type View


DS001Mail-ET01Access Event indicates a specific message has been accessed by a user from a specific source system

Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS001MAIL-ET01Send".

Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS001MAIL-ET01Send".

Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS001MAIL-ET01Send".

Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS001MAIL-ET01Send".


DS001Mail-ET02Receive An event indicates a message has been received one or more user.

Consuming Use Cases Essentials Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS001MAIL-ET02Receive".

UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware Maturing Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS001MAIL-ET02Receive".

UC0077 Detection Risky Referral Domains (Narrative and Use Case Center) Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the following sequence occurs New domain in http referrer field First occurrence of domain as sender domain is less than 48 ... Jun 24, 2016 Labels: creative Mature Found 1 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS001MAIL-ET02Receive".


Providing Technologies Found 1 search result(s) for title:PT* contentBody:"DS001MAIL-ET02Receive".

PT001-Microsoft-Exchange (Narrative and Use Case Center) ... solution and channel of communication useful in various attacks access monitoring is imperative. Provides DS0 01MAIL DS001MailET01Access DS001MAILET02Receive DS001MailET03Send DS003Authentication Authentication occurs for Administrative action Active Sync ... Apr 01, 2016 Labels: provider-type


DS001Mail-ET03Send Indicates a authorized user or system has sent a message to one or more recipients.

Consuming Use Cases Essentials Click here to expand... Found 3 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS001Mail-ET03Send".




Maturing Click here to expand... Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS001MAIL-ET03Send".


Providing Technologies Click here to expand... Found 1 search result(s) for title:PT* contentBody:"DS001MAIL-ET03Send".

PT001-Microsoft-Exchange (Narrative and Use Case Center) ... solution and channel of communication useful in various attacks access monitoring is imperative. Provides D S001MAIL DS001MailET01Access DS001MAILET02Receive DS001MailET03Send DS003Authentication Authentication occurs for Administrative action Active Sync ... Apr 01, 2016 Labels: provider-type


DS002DNS-ET01Query DNS request and response reassembled into a single event

DS002DNS-ET01QueryRequest — DNS Request from a client, response reassembly is not required DS002DNS-ET01QueryResponse — Reassembled request response as a single event containing the original client ip

Consuming Use Cases Essentials Click here to expand... Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS002DNS-ET01Query".


Maturing Click here to expand... Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS002DNS-ET01Query".




Providing Technologies Click here to expand... Found 2 search result(s) for title:PT* contentBody:"DS002DNS-ET01Query".

PT002-Splunk-Stream-DNS (Narrative and Use Case Center) Provides DS002DNSET01Query DS002DNSET01QueryResponse DS002DNSET01QueryRequest


providertype Apr 25, 2016 Labels: provider-type



DS002DNS-ET01QueryRequest DNS Request from a client, response reassembly is not required

Consuming Use Cases Essentials

Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS002DNS-ET01QueryRequest".

Maturing

Click here to expand... Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS002DNS-ET01QueryRequest".




Providing Technologies Click here to expand... Found 3 search result(s) for title:PT* contentBody:"DS002DNS-ET01QueryRequest".





DS002DNS-ET01QueryResponse Reassembled request response as a single event containing the original client ip


Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS002DNS-ET01QueryResponse".

Maturing

Click here to expand... Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS002DNS-ET01QueryResponse".


Providing Technologies Click here to expand... Found 3 search result(s) for title:PT* contentBody:"DS002DNS-ET01QueryResponse".





DS003Authentication-ET01Success Indicates the authentication system validated the factors provided

Consuming Use Cases Essentials Click here to expand... Found 5 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS003Authentication-ET01Success".






Maturing Click here to expand... Found 10 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS003Authentication-ET01Success".












Providing Technologies Click here to expand... Found 2 search result(s) for title:PT* contentBody:"DS003Authentication-ET01Success".

PT012-Splunk-InternalLogging (Narrative and Use Case Center) ... Enterprise Application includes extensive internal logging covering performance and usage. Provides DS003 Authentication DS003AuthenticationET01Success DS003AuthenticationET02Failure DS006UserActivity Key


Facts Impact to index/license None LOADLow ... Apr 01, 2016 Labels: provider-type



DS003Authentication-ET02Failure The authentication system did not approve the attempted based on invalid factors

Consuming Use Cases Essentials Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS003Authentication-ET02Failure" NOT contentBody:"DS003Authentication-ET02Failure*".

Maturing Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS003Authentication-ET02Failure" NOT contentBody:"DS003Authentication-ET02Failure*".

Providing Technologies Click here to expand... Found 0 search result(s) for title:PT* contentBody:"DS003Authentication-ET02Failure" NOT contentBody:"DS003Authentication-ET02Failure*".


DS003Authentication-ET02FailureBadFactor Indicates the authentication system determined the factors provided were invalid


Click here to expand... Found 2 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS003Authentication-ET02FailureBadFactor".



Maturing

Click here to expand... Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS003Authentication-ET02FailureBadFactor".



Providing Technologies Click here to expand... Found 1 search result(s) for title:PT* contentBody:"DS003Authentication-ET02FailureBadFactor".



DS003Authentication-ET02FailureError Indicates the authentication system encountered and error and was unable to authenticate the user.


Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS003Authentication-ET02FailureError".

Maturing

Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS003Authentication-ET02FailureError".

Providing Technologies Click here to expand... Found 0 search result(s) for title:PT* contentBody:"DS003Authentication-ET02FailureError".


DS003Authentication-ET02FailureUnknownAccount Indicates the authentication system was unable to locate the account, factors were not evaluated


Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS003Authentication-ET02FailureUnknownAccount".

Maturing

Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS003Authentication-ET02FailureUnknownAccount".

Providing Technologies Click here to expand... Found 0 search result(s) for title:PT* contentBody:"DS003Authentication-ET02FailureUnknownAccount".


DS004EndPointAntiMalware-ET01SigDetected Endpoint product detected based on a signature or specified heuristics class

Consuming Use Cases Essentials Click here to expand... Found 10 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS004EndPointAntiMalware-ET01SigDetected".






UCESS024 High Number of Hosts Not Updating Malware Signatures (Narrative and Use Case Center) Alerts when a high number of hosts not updating malware signatures have been discovered. These hosts should be evaluated to determine why they are not updating their malware signatures.Execute the malware operations tracker macro and calculate the timesignatureversion and return results that the day difference between ... Apr 26, 2016



UC0030 Endpoint uncleaned malware detection (Narrative and Use Case Center) Endpoint with malware detection where anti malware product attempted to and was unable to clean, remove or


quarantine. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected DDE007 Signature Special Processing List ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware


Maturing Click here to expand... Found 5 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS004EndPointAntiMalware-ET01SigDetected".






UC0073 Endpoint detected malware infection from url (Narrative and Use Case Center) Endpoint antimalware detection event occurred where the malicious content was retrieved from an external URL. Possible indication of gaps in protection by web proxy, intrusion prevention, or advanced threat prevention. Use the information available for the event and determine how existing ... Apr 11, 2016 Labels: prt05-tacticalthreat-ransomeware



Click here to expand... Found 0 search result(s) for title:PT* contentBody:"DS004EndPointAntiMalware-ET01SigDetected".


DS004EndPointAntiMalware-ET02UpdatedSig Update occurrence for the signature data used by the anti malware engine, in a multiple engine/database relationship the database updated should be specified

Consuming Use Cases Essentials Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS004EndPointAntiMalware-ET02UpdatedSig".

Maturing Click here to expand... Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS004EndPointAntiMalware-ET02UpdatedSig".


Providing Technologies Click here to expand... Found 0 search result(s) for title:PT* contentBody:"DS006EndPointAntiMalware-ET02UpdatedSig".


DS004EndPointAntiMalware-ET03UpdatedEng Update occurrence for the engine used by the anti malware product, in a multiple engine/database relationship the engine updated should be specified

Consuming Use Cases Essentials Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS004EndPointAntiMalware-ET03UpdatedEng".

Maturing Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS004EndPointAntiMalware-ET03UpdatedEng".

Providing Technologies Click here to expand... Found 0 search result(s) for title:PT* contentBody:"DS004EndPointAntiMalware-ET03UpdatedEng".


DS005WebProxyRequest-ET01Requested Tradditional HTTP request from a client

Consuming Use Cases Essentials Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS005WebClientRequest-ET01Requested".

Maturing Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS005WebClientRequest-ET01Requested".

Providing Technologies Click here to expand... Found 0 search result(s) for title:PT* contentBody:"DS005WebClientRequest-ET01Requested".


DS005WebProxyRequest-ET01RequestedWebAppAware Indicates a traditional web application request with additional context provided by the generating system detecting the "application" implied by the request such as Facebook/Farmvile or Teamviewer


Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS001MAIL-ET01RequestedWebAppAware".

Maturing

Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS001MAIL-ET01RequestedWebAppAware".

Providing Technologies Click here to expand... Found 0 search result(s) for title:PT* contentBody:"DS001MAIL-ET01RequestedWebAppAware".


DS005WebProxyRequest-ET02Connect Connect (tunnel) request from an http clienthttp

Consuming Use Cases Essentials Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS005WebClientRequest-ET02Connect".

Maturing Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS005WebClientRequest-ET02Connect".

Providing Technologies Click here to expand... Found 0 search result(s) for title:PT* contentBody:"DS005WebClientRequest-ET02Connect".


DS006UserActivity-ET01List User activity listing the contents of a container

Consuming Use Cases Essentials Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS006UserActivity-ET01List".

Maturing Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-ET01List".

Providing Technologies Click here to expand... Found 0 search result(s) for title:PT* contentBody:"DS006UserActivity-ET01List".


DS006UserActivity-ET02Read User activity Reading the contents of a object

Consuming Use Cases Essentials Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS006UserActivity-ET02Read".

Maturing Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-ET02Read".

Providing Technologies Click here to expand... Found 0 search result(s) for title:PT* contentBody:"DS006UserActivity-ET02Read".


DS006UserActivity-ET03Create User activity creating a new object

Consuming Use Cases Essentials Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS006UserActivity-ET03Create".

Maturing Click here to expand... Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-ET03Create".



Providing Technologies Click here to expand... Found 0 search result(s) for title:PT* contentBody:"DS006UserActivity-ET03Create".


DS006UserActivity-ET04Update User activity updating an object

Consuming Use Cases Essentials Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS006UserActivity-ET04Update".

Maturing Click here to expand... Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-ET04Update".



Providing Technologies Click here to expand... Found 0 search result(s) for title:PT* contentBody:"DS006UserActivity-ET04Update".


DS006UserActivity-ET05Delete User activity deleting an object

Consuming Use Cases Essentials Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS006UserActivity-ET05Delete".

Maturing Click here to expand... Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-ET05Delete".



Providing Technologies Click here to expand... Found 0 search result(s) for title:PT* contentBody:"DS006UserActivity-ET05Delete".


DS006UserActivity-ET06Search User activity searching for additional content

Consuming Use Cases Essentials Click here to expand... Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS006UserActivity-ET06Search".


Maturing Click here to expand... Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-ET06Search".



Providing Technologies Click here to expand... Found 0 search result(s) for title:PT* contentBody:"DS006UserActivity-ET06Search".


DS006UserActivity-ET07ExecuteAs User activity searching for additional content

Consuming Use Cases Essentials Click here to expand... Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS006UserActivity-ET06Search".


Maturing Click here to expand... Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-ET06Search".



Providing Technologies Click here to expand... Found 0 search result(s) for title:PT* contentBody:"DS006UserActivity-ET06Search".


DS007AuditTrail-ET01Clear Events such as Clear, Delete, Purge or Rotate should record the controlling user, target of the action and result

Consuming Use Cases Essentials Click here to expand... Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS007AuditTrail-ET01Clear".


Maturing Click here to expand... Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS007AuditTrail-ET01Clear".


Providing Technologies Click here to expand... Found 1 search result(s) for title:PT* contentBody:"DS007AuditTrail-ET01Clear".

PT005-Microsoft-Windows (Narrative and Use Case Center) ... Provides DS003Authentication Authentication occurs for User Authentication Computer Authentication DS00 7AuditTrail DS007AuditTrailET01Clear DS007AuditTrailET02Alter Key Facts Impact to index/license Based on log files ... Aug 09, 2016 Labels: provider-type


DS007AuditTrail-ET02Alter Where possible identify the acting user, current and new log retention parameters

Consuming Use Cases Essentials Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS007AuditTrail-ET02Alter".

Maturing Click here to expand... Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS007AuditTrail-ET02Alter".


Providing Technologies Click here to expand... Found 1 search result(s) for title:PT* contentBody:"DS007AuditTrail-ET02Alter".



DS007AuditTrail-ET03TimeSync Where possible identify the acting user where not result is included success must be assumed due to limitations of common time sync software

Consuming Use Cases Essentials Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS007AuditTrail-ET02Alter".

Maturing Click here to expand... Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS007AuditTrail-ET02Alter".


Providing Technologies Click here to expand... Found 1 search result(s) for title:PT* contentBody:"DS007AuditTrail-ET02Alter".



DS008HRMasterData-ET01Joined Information regarding a new person in the organization

Consuming Use Cases Essentials Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS008HRMasterData-ET01Joined".

Maturing Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS008HRMasterData-ET01Joined".

Providing Technologies Click here to expand... Found 0 search result(s) for title:PT* contentBody:"DS008HRMasterData-ET01Joined".


DS008HRMasterData-ET02SeperationNotice Advanced notice of separation for a human in the organization

Consuming Use Cases Essentials Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS008HRMasterData-ET02SeperationNotice".

Maturing Click here to expand... Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS008HRMasterData-ET02SeperationNotice".



Providing Technologies Click here to expand... Found 0 search result(s) for title:PT* contentBody:"DS008HRMasterData-ET02SeperationNotice".


DS008HRMasterData-ET03SeperationImmediate Final notice of separation for a human in the organization

Consuming Use Cases Essentials Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS008HRMasterData-ET03SeperationImmediate".

Maturing Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS008HRMasterData-ET03SeperationImmediate".

Providing Technologies Click here to expand... Found 0 search result(s) for title:PT* contentBody:"DS008HRMasterData-ET03SeperationImmediate".


DS009EndPointIntel-ET01ObjectChange Change to an object such as file, registry, service or configuration

Consuming Use Cases Essentials Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS009EndPointIntel-ET01ObjectChange".

Maturing Click here to expand... Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS009EndPointIntel-ET01ObjectChange".


Providing Technologies Click here to expand... Found 0 search result(s) for title:PT* contentBody:"DS009EndPointIntel-ET01ObjectChange".


DS009EndPointIntel-ET01ProcessLaunch Endpoint product record of process launch

Consuming Use Cases Essentials Click here to expand... Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS009EndPointIntel-ET01ProcessLaunch".


Maturing Click here to expand... Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS009EndPointIntel-ET01ProcessLaunch".





Providing Technologies Click here to expand... Found 0 search result(s) for title:PT* contentBody:"DS004EndPointAntiMalware-ET01SigDetected".


DS010NetworkCommunication-ET01Traffic Communication event including a result (allowed/denied) logged at the time the connection is created

Consuming Use Cases Essentials Click here to expand... Found 3 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS010NetworkCommunication-ET01Traffic".





Maturing Click here to expand... Found 9 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS010NetworkCommunication-ET01Traffic".




UC0083 Communication from or to an enclave network permited by previously unknown or modified firewall rule (Narrative and Use Case Center) Communication from a enclave network may indicate a misconfiguration that could weaking the security posture of the organization or actual/attempted compromise. Maintain a dynamic list of firewall rule names by


dvc alert when a rule is named in a allowed communication where the reviewed ... Apr 27, 2016






Providing Technologies Click here to expand... Found 1 search result(s) for title:PT* contentBody:"DS010NetworkCommunication-ET01Traffic".



DS010NetworkCommunication-ET01TrafficAppAware Communication event including a result (allowed/denied) logged at the time the connection is created


Click here to expand... Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS010NetworkCommunication-ET01TrafficAppAware".


Maturing

Click here to expand... Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS010NetworkCommunication-ET01TrafficAppAware".




Providing Technologies Click here to expand... Found 3 search result(s) for title:PT* contentBody:"DS010NetworkCommunication-ET01TrafficAppAware".






DS010NetworkCommunication-ET02State Event indicating the state of the firewall has changed (start/stop block/noblock)

Consuming Use Cases Essentials Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS010NetworkCommunication-ET02State".

Maturing Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS010NetworkCommunication-ET02State".

Providing Technologies Click here to expand... Found 0 search result(s) for title:PT* contentBody:"DS010NetworkCommunication-ET02State".


DS011MalwareDetonation-ET01Detection Malware detonation systems also are known as sandboxing systems execute potentially malicious code in a clean environment for the purpose of collecting events related to their actions. Using automated and manual analysis indicators can be determined which can inform additional breach detection and prevention capability

Security Value Continuous Monitoring - Monitoring email server logs using analytic concepts such as new, rare, extremely over fields including sender, recipient, ip and domain increasing identify actors and potential victims of email based attacks Forensic Investigation - Logs can be utilized to determine if actions from a user/host may indicate control by a third party

Event Types







UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)


Using host based logs such as firewall or host intrusion detection for each asset with a governance category verify communication (accept or reject) has occurred with origination from one or more authorized vulnerability scanners, Problem Types Addressed Risk Addressed ... Jul 12, 2016










UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center)


Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of new software (potentially unapproved) or a successful compromise of a host (such as the presence of a backdoor or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return values ... Aug 14, 2016 Mature Found 12 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS010NetworkCommunication-*".









UC0041 SSH v1 detected (Narrative and Use Case Center) Authentication using insecure protocol SSH v1 detected. The legacy SSH protocol is inherently insecure indication


of accepted SSHv1 sessions indicate a misconfigured system. Attempted and denied sessions indicate system probing or scanning. Problem Types Addressed Risk ... Apr 11, 2016




Providing Technologies Click here to expand... Found 4 search result(s) for title:PT* contentBody:"DS010NetworkCommunication".






DS012NetworkIntrusionDetection-ET01SigDetection What is Intrusion Detection/Prevention? IDS and IPS are complementary, parallel security systems that supplement firewalls – IDS by exposing successful network and server attacks that penetrate a firewall, and IPS by providing more advanced defenses against sophisticated attacks. IDS is typically placed at the network edge, just inside a perimeter firewall, although some organizations also put a system outside the firewall to provide greater intelligence about all attacks. Likewise, IPS is typically placed at the network perimeter, although it also may be used in layers at other points inside the network or on individual servers. IPS usually works by dropping packets, resetting network connections and blacklisting specific IP addresses or ranges.

Security Value Continuous Monitoring - Monitoring logs using analytic concepts such as new, rare, extremely over fields including ip and signature increasing identify actors and potential victims network vulnerability based attacks Forensic Investigation Identify comproised or potentially compromised hosts based on exploitation data Legal compliance Utilize email logs to support discovery and defense of legal claims.

Event Types

Consuming Use Cases Essentials Found 3 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS012NetworkIntrusionDetection".



UC0074 Network Intrusion Internal Network (Narrative and Use Case Center) IDS/IPS detecting or blocking an attack based on a known signature. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS012NetworkIntrusionDetectionET01SigDetection DE001AssetInformation Adoption Phase Customer Adoption Phase SME Adoption Phase ... May 09, 2016 Labels: prt05-tacticalthreat-ransomeware Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS012NetworkIntrusionDetection-*".

Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS012NetworkIntrusionDetection-*".

Providing Technologies Found 2 search result(s) for title:PT* contentBody:"DS012NetworkIntrusionDetection".

PT017-Trend-TippingPoint (Narrative and Use Case Center)


Trend Micro tippingpoint IPS product Provides DS012NetworkIntrusionDetectionET01SigDetection Key Facts Impact to index/license Based on log files total size of message tracking log file over 7 days from devices where local log collection ... Jul 25, 2016 Labels: provider-type



DS013TicketManagement-ET01 Ticket management from tracking systems responsible for the security, and operational health of the environment(s) provides a rich resource for evaluating the effectiveness of the security program, as well as the detective, and preventive controls in place.

Security Value

Continuous Monitoring - Monitoring the effective execution of triage and remediation activities. Legal compliance Utilize logs to support discovery and defense of legal claims. Establish a timeline of what was known, when and by whom

Event Types

Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essentials" contentBody:"DS013TicketManagement-*".

Maturing Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS013TicketManagement-*".



UCESS051 Substantial Increase In Events (Narrative and Use Case Center) Alerts when a statistically significant increase in a particular event is observed. For the past hour, using all summary data even if the model has changed, generate a count by signature and compare that count against the previous hour and trigger if the signature is above medium ... Aug 14, 2016 Mature Found 3 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS013TicketManagement-*".


UC0084 Monitor Execution of Triage Activtity (Narrative and Use Case Center) Define and maintain eventypes for unsuppressed notable events separately identifying review work flow, and triage SLA required. Problem Types Addressed Risk Addressed Event Data Sources Enrichment


PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS013TicketManagementET01 TBD Adoption Phase ... Apr 27, 2016


Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS013TicketManagement".


DS014WebServer-ET01Access Web server logs allow attribution of activity to a specific source ip and user when authenticated. The logs are detailed records of every transaction: every time a browser requests a web page, Apache logs details include items such as the time, remote IP address, browser type and page requested. Web Servers also log various error conditions such as a request for a missing file, attempts to access a file without appropriate permissions or problems with extension modules. Web Server logs are critical in debugging both web application and server problems but are also used to generate traffic statistics, track user behavior and flag security attacks such as attempted unauthorized entry or DDoS.

Event Types

Security Value Continuous Monitoring Monitoring server logs using analytic concepts such as new, rare, extremely over fields including site, resource, and ip increasing identify actors and potential victims of attacks Monitoring server logs using analytic concepts to identify potential DOS attacks by increasing number of requests for sites or specific resource Forensic Investigation Utilize log events in contribution of other events to identify potential actors involved in targeted activity Utilize log events to identify scope of exploitation Utilize log events to identify scope of time for an incident Legal compliance Utilize logs to support discovery and defense of legal claims.

Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS014WebServer".

Maturing Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS014WebServer-*".




Communication to any web application server without filtering by a network web application firewall indicates a security misconfigration. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS014WebServerET01Access DDE001 Asset Information ... Apr 27, 2016 Mature Found 3 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS014WebServer-*".

UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center) Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ...


Aug 16, 2016




Providing Technologies Found 1 search result(s) for title:PT* contentBody:"DS014WebServer".



DS015ConfigurationManagement-ET01General Configuration management solution such as VMware Vcenter, MAAS, Puppet, Chef, System Center Configuration Manager, and System Center Virtualization Manager. Events generated by these systems can provide valuable security investigations by providing information about who and what changes have been applied to systems. Additional information such as the base image utilized, birth and death timestamps provide data useful to identify windows of vulnerability.

Security Value Continuous Monitoring - Monitoring of privileged user activity such as change outside of windows, access to sensitive configuration values or modification to critical controls Forensic Investigation Establish a time line of activities of a privileged user Establish when controls were placed or removed on a specific host Legal compliance Utilize logs to support discovery and defense of legal claims.

Event Types

Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS015ConfigurationManagement*".

Maturing Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS015ConfigurationManagement*".

UCESS009 Asset Ownership Unspecified (Narrative and Use Case Center) Alerts when there are assets that define a specific priority and category but do not have an assigned owner. Return all assets where the priority is not null and the length of the value in priority is greater than 0 and the category is not null and the length of the value in category is greater than ... Aug 14, 2016 Mature Found 1 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS015ConfigurationManagement*".


Providing Technologies Found 1 search result(s) for title:PT* contentBody:"DS014WebServer" NOT contentBody:"DS015ConfigurationManagement-*".



DS016DataLossPrevention-ET01Violation Data loss prevention solutions can identify human and automated activities as they interact with restricted information creating an audit trail of attempted actions and the systems response such as allow or block.

Security Value Continuous Monitoring Monitoring alerts indicating policy violation or attempted policy violation to prompt immediate action by security monitoring. Monitoring alerts indicating excessive interaction with restricted information as possible indication of compromise Forensic Investigation Utilize events in contribution of other events to identify potential actors involved in targeted activity Utilize events to establish a time line of who, when and what when investigating internal activity Legal compliance Utilize logs to support discovery and defense of legal claims. Utilize logs to support documentation of compliance

Event Types

Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS016DataLossPrevention".

Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS016DataLossPrevention-*".

Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS016DataLossPrevention-*".

Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS016DataLossPrevention".


DS017PhysicalSecurity-ET01Access Most organizations use automated systems to secure physical access to facilities. Historically, these have been simple magnetic strips affixed to employee badges; however, locations with stringent security requirements may use some form of biometric reader or digital key. Regardless of the technology, the systems compare an individual's identity with a database and activate doors when the user is authorized to enter a particular location. As digital systems, badge readers record information such as user ID, date and time of entry and perhaps a photo for each access attempt. Motion and sensor indicators may also be useful in extreme situations where physical access is limited tightly.

Security Value Forensic Investigation Utilize log events to place a badge (single factor) or person (two factor bio/pin) in a specific location Legal compliance Utilize logs to support discovery and defense of legal claims.

Event Types

Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS017PhysicalSecurity".

Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS017PhysicalSecurity-*".

Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS017PhysicalSecurity-*".

Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS017PhysicalSecurity".


DS018VulnerabilityDetection-ET01SigDetected Vulnerability by signature detected based on a signature or specified heuristics class

Consuming Use Cases Essentials Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS018VulnerabilityDetection-ET01SigDetected".

Maturing Click here to expand... Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS018VulnerabilityDetection-ET01SigDetected".

Providing Technologies Click here to expand... Found 0 search result(s) for title:PT* contentBody:"DS018VulnerabilityDetection-ET01SigDetected".


DS019PatchManagement-Applied


DS019PatchManagement-Eligable


DS019PatchManagement-Failed


DS020HostIntrustionDetection-ET01SigDetected Host-based Intrusion Detection events provide signature based detection of changes that could weaken the security posture of the host based on changes to entire files or specific configuration. Such data can be very valuable in identifying when critical changes have occurred in the environment.

Security Value Continuous Monitoring - Monitoring of alerts generated to ensure the SOC triages events in a timely manor Forensic Investigation Utilize log events in contribution of other events to identify potential actors involved in targeted activity Utilize log events to identify additional possible victims of email based attacks Utilize log events to establish a time line of who, when and what when investigating internal activity Legal compliance Utilize logs to support discovery and defense of legal claims.

Event Types

Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS020HostIntrustionDetection".

Maturing Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS020HostIntrustionDetection-*".


UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center) Using web application access logs for assets deemed high/crticial or with the governace attributed ensure the source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices ensure the first "xforwardedfor" entry ... Jun 24, 2016 Mature Found 2 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS020HostIntrustionDetection-*".



Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS020HostIntrustionDetection".



DS021Telephony-ET01CDR Real-time business communications no longer are limited to voice calls provided by Plain Old Telephone Service (POTS); instead, voice, video, text messaging and web conferences are IP applications delivered over existing enterprise networks. Unlike traditional client-server or web applications, telephony and other communications applications have strict requirements on network quality of service, latency and packet loss, making service quality and reliability much more sensitive to network conditions and server responsiveness. Traditional POTS has conditioned people to expect immediate dial tone when picking up the phone and be intolerant of noise, echo or other problems that can plague IP telephony; as such, the systems and supporting infrastructure require careful monitoring and management to assure quality and reliability. Voice over IP protocol refers to several methods for transmitting real-time audio (and now video) information over an IP-based data network. Unlike traditional phone systems using dedicated, point-to-point circuits, VoIP applications use packet-based networks to carry real-time audio streams that are interspersed with other Ethernet data traffic. Since TCP packets may be delivered out of order due to data loss and retransmission, VoIP includes features to buffer and reassemble a stream. Similarly, VoIP packets are usually tagged with quality of service (QoS) headers to prioritize their delivery through the network.

Security Value Forensic Investigation Utilize log events in contribution of other events to identify potential actors involved in targeted activity Utilize log events to identify additional possible victims of social engineering attacks Utilize log events to establish a time line of who, when and what when investigating internal activity Legal compliance Utilize logs to support discovery and defense of legal claims.

Event Types

Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS021Telephony".

Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS021Telephony-*".

Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS021Telephony-*".

Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS021Telephony".


DS022Performance-ET01General Measures of system activity such as CPU load, memory and disk usage, and I/O traffic are the IT equivalent of EKGs to a doctor: the vital signs that show system health. Recording these measures provides a record of system activity over time that shows normal, baseline levels and unusual events. By registering myriad system parameters, performance logs also can highlight mismatches between system capacity and application requirements, such as a database using all available system memory and frequently swapping to disk. Application performance management (APM) software provides end-to-end measurement of complex, multitier applications to provide performance metrics from an end user's perspective. APM logs also provide event traces and diagnostic data that can assist developers in identifying performance bottlenecks or error conditions. The data from APM software provides both a baseline of typical application performance and record of anomalous behavior or performance degradation. Carefully monitoring APM logs can provide early warning to application problems and allow IT and developers to remediate issues before users experience significant degradation or disruption. APM logs also are required to perform post-hoc forensic analysis of complex application problems that may involve subtle interactions between multiple machines and/or network devices.

Security Value Continuous Monitoring Monitor system resources for increased utilization or exaustion as possible indication of denial of service attack Monitor system resources for increased utilization or excaustion as possible indication of brute force attack. Forensic Investigation Utilize log events in contribution of other events to identify potential actors involved in targeted activity Utilize log events to identify additional possible victims of social engineering attacks Utilize log events to establish a time line of who, when and what when investigating internal activity Legal compliance Utilize logs to support discovery and defense of legal claims.

Event Types

Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS022Performance".

Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS022Performance-*".

Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS022Performance-*".

Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS022Performance".


DS023CrashReporting-ET01General Crash reports including summary of dumps, exceptions, and hangs can indicate attempts at exploitation of processes by malicious code or significant programing errors allowing possible future exploitation or failure of business services.

Security Value Continuous Monitoring Monitor and triage occurances as possible indication of attack Forensic Investigation Utilize log events in contribution of other events to identify potential actors involved in targeted activity Utilize log events to identify additional possible victims of social engineering attacks Utilize log events to establish a time line of who, when and what when investigating internal activity Legal compliance Utilize logs to support discovery and defense of legal claims.

Event Types

Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS023CrashReporting".

Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS023CrashReporting-*".

Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS023CrashReporting-*".

Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS023CrashReporting".


DS024ApplicationServer-ET01General Application server logs, considering the actual business application, middle ware such as Tomcat, and run time logs such as java runtime. contain a wealth of information created as users and systems interact. Anomolies in the logs can indicate potential failures or compromise attempts.

Security Value Continuous Monitoring Develop implementation specific monitoring to alert security operations to potential issues created by external interaction Forensic Investigation Utilize log events in contribution of other events to identify potential actors involved in targeted activity Utilize log events to identify additional possible victims of social engineering attacks Utilize log events to establish a time line of who, when and what when investigating internal activity Legal compliance Utilize logs to support discovery and defense of legal claims.

Event Types

Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS024ApplicationServer".

Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS024ApplicationServer-*".

Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS024ApplicationServer-*".

Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS024ApplicationServer".


Technology Provider View Technology Providers roughly equate to Splunk Technology Add Ons. When working with preexisting technology implementations the user can utilize this view to determine what use cases may be possible in a customer environment.


PT001-Microsoft-Exchange The Microsoft Exchange collaboration platform is a significant information resource to many organizations. Representing both a information storage solution and channel of communication useful in various attacks access monitoring is imperative.

Provides DS001MAIL DS001Mail-ET01Access DS001MAIL-ET02Receive DS001Mail-ET03Send DS003Authentication Authentication occurs for Administrative action Active Sync Exchange Web Services Outlook Web Access RPC (Deprecated)

Key Facts Impact to index/license Educated 3k * nm * nu = Total K per Day (average over at least 7 days dropping lowest 2) nm= number of emails sent recommend 40 nu= weighted number of users Educated option 2: 3k * actual message count = Total K per Day (average over at least 7 days dropping lowest 2) Based on log files total size of message tracking log file over 7 days from all exchange servers total size of iis logs over 7 days from all exchange servers Day 0 Impact, Customers frequently have no or poor retention policy in place on the monitored files. This can result in a large historical load impacting or exceeding the license utilization for that day. If implementing over multiple days prepare with a license reset key. LOAD-Low additional impact to mail and web data models in general is minimal inclusion will motivate additional search activity increasing utilization on IT Ops and Security search heads. Work Estimates Splunk Core Resource <2 hours Change Control Process 3-4 hours Meetings 1-2 Opposition: Low Skills: SKILLI-Customer

Data Acquisition Procedure Microsoft Exchange 2013 Deployment Servers Stage the following apps to deployment-apps TA-Exchange-2013-ClientAccess TA-Exchange-2013-Mailbox TA-Windows-2012-Exchange-IIS Index app (one of) SecKit_splunk_index_2_exchange_home SecKit_splunk_index_2_exchange_vol Review the inputs in the following apps with the exchange SME verify the monitor paths are correct for the customer implementation and update in local as required TA-Exchange-2013-ClientAccess_SecKit_0_inputs TA-Exchange-2013-ClientAccess_SecKit_1_inputs TA-Exchange-2013-Mailbox_SecKit_0_inputs TA-Exchange-2013-Mailbox_SecKit_1_inputs Update SecKit_all_deploymentserver_2_msexchange/local/serverclass.conf define the whitelist.0 to capture host naming standards for Exchange 2013 Client Access Servers

[serverClass:seckit_all_2_msexchange2013_cas_0] whitelist.0 = ^-

Update SecKit_all_deploymentserver_2_msexchange/local/serverclass.conf define the whitelist.0 to capture host naming standards for Exchange 2013 Mailbox Servers


[serverClass:seckit_all_2_msexchange2013_1] whitelist.0 = ^-

(Optional) Update SecKit_all_deploymentserver_2_msexchange/local/serverclass.conf define the whitelist.0 to capture host naming standards for Exchange 2013 Client Access Servers. This configuration group support performance and specialized data collection for Splunk App for Exchange

[serverClass:seckit_all_2_msexchange2013_cas_1] whitelist.0 = ^-

(Optional) Update SecKit_all_deploymentserver_2_msexchange/local/serverclass.conf define the whitelist.0 to capture host naming standards for Exchange 2013 Mailbox ServersThis configuration group support performance and specialized data collection for Splunk App for Exchange

[serverClass:seckit_all_2_msexchange2013_mailbox_1] whitelist.0 = ^-


PT002-Splunk-Stream Splunk App for Stream is a scalable and easy-to-configure software solution that captures real-time streaming wire data from anywhere in your datacenter or from any public Cloud infrastructure.

Provides PT002-Splunk-Stream-DHCP PT002-Splunk-Stream-DNS PT002-Splunk-Stream-SMTP

Key Facts Impact to index/license - Variable based on collection configuration see child pages LOAD-Low - Variable based on collection configuration see child pages Work Estimates Splunk Core Resource <2 hours Change Control Process 3-4 hours Meetings 1-2 TAP Dedicated deployment requires the addition of a capture server and availability of a TAP on the desired network. Coexistance deployment is possible with common open source IDS solutions such as BRO, Suritcata, and Snort HOST Deployment on host such as common DNS and DHCP servers may only require deployment via Splunk Deployment server Opposition: Low Skills: SKILLI-Customer

Data Acquisition Procedure Stream App 6.4 Decide where to install your Stream App. Typically this will be the Enterprise Security search head. However if your ES search head is also a search head cluster you will need to use an AD-HOC search head, dedicated search head or a deployment server. Note: If using the deployment server (DS) you must configure the server to search the indexer or index cluster containing your stream data. 1. Install Splunk App for Stream using the standard procedures located here. 2. Configure Stream for collection per appropriate protocol specific instructions on child pages.


PT002-Splunk-Stream-DHCP


PT002-Splunk-Stream-DNS Provides DS002DNS-ET01Query DS002DNS-ET01QueryResponse DS002DNS-ET01QueryRequest


PT002-Splunk-Stream-SMTP Provides DS001MAIL


PT003-ExtraHop


PT003-ExtraHop-DNS Provides DS002DNS-ET01Query DS002DNS-ET01QueryResponse DS002DNS-ET01QueryRequest


PT003-ExtraHop-SMTP Provides DS001MAIL


PT004-McAfee Web Gateway Provides DS003Authentication DS005WebProxyRequest-ET01RequestedWebAppAware


PT005-Microsoft-Windows Provides DS003Authentication Authentication occurs for User Authentication Computer Authentication DS007AuditTrail DS007AuditTrail-ET01Clear DS007AuditTrail-ET02Alter

Key Facts Impact to index/license Based on log files total size of change in oswin* indexes over 7 days Day 0 Impact, Customers frequently have no or poor retention policy in place on the monitored files and very large windows event logs to support problem resolution when no central solution exists. This can result in a large historical load impacting or exceeding the license utilization for that day. If implementing over multiple days prepare with a license reset key. LOAD-Low additional impact to mail and web data models in general is minimal inclusion will motivate additional search activity increasing utilization on IT Ops and Security search heads. Work Estimates Splunk Core Resource <4 hours Change Control Process 3-4 hours (Possibly require multiple iterations) Meetings 1-2 Opposition: Low Skills: SKILLI-Customer

Data Acquisition Procedure Microsoft Windows XP/2008R2+ Data collection for security use case today requires collection via universal forwarder using windows event log classic format. Other options such as WMI, Snare and Windows Event Log XML are known to produce search results that are not consistant with expected values. Bitbucket Link https://bitbucket.org/rfaircloth-splunk/securitykit/src/8304061fc8c6f4a87f3a26adf51710f58b8fd375/base/ds/?at=master Deployment Servers Stage the following apps to deployment-apps Splunk_TA_windows Index app (one of) SecKit_splunk_index_2_win_home SecKit_splunk_index_2_win_vol Splunk_TA_windows_SecKit_0_all_inputs Splunk_TA_windows_SecKit_1_all_inputs Splunk_TA_windows_SecKit_2_dcadmon_inputs Splunk_TA_windows_SecKit_2_dcadmonsync_inputs Splunk_TA_microsoft_ad Splunk_TA_microsoft_ad_SecKit_0_all_inputs Splunk_TA_microsoft_dns Splunk_TA_microsoft_dns_SecKit_0_all_inputs Update SecKit_all_deploymentserver_2_oswin/local/serverclass.conf define the whitelist.0 to capture host naming standards for Active Directory servers

[serverClass:seckit_all_2_os_windows_dc] whitelist.0 = ^-

Update SecKit_all_deploymentserver_2_oswin/local/serverclass.conf define whitelist.0 to include exactly one Active Directory server per domain

[serverClass:seckit_all_2_os_windows_dc_admon_sync] whitelist.0 = ^-


Wait until "sync" events are no longer streaming into index=appmsad expect on 30-90 min Replace SecKit_all_deploymentserver_2_oswin/local/serverclass.conf entry above as follows including 2-6 Active Directory servers per domain

[serverClass:seckit_all_2_os_windows_dc_admon] machineTypesFilter = windows-* whitelist.0 = ^-


PT006-PaloAlto Firewall Provides DS003Authentication DS005WebProxyRequest-ET01RequestedWebAppAware DS010NetworkCommunication-ET01TrafficAppAware


PT008-Snort Provides DS005WebProxyRequest-ET01RequestedWebAppAware DS010NetworkCommunication-ET01TrafficAppAware


PT009-SourceFire Provides DS005WebProxyRequest-ET01RequestedWebAppAware DS010NetworkCommunication-ET01TrafficAppAware


PT010-Websense Provides DS003Authentication DS005WebProxyRequest


PT011-Bluecoat Provides DS003Authentication DS005WebProxyRequest


PT012-Splunk-InternalLogging The Splunk Enterprise Application includes extensive internal logging covering performance and usage.

Provides DS003Authentication DS003Authentication-ET01Success DS003Authentication-ET02Failure DS006UserActivity

Key Facts Impact to index/license None LOAD-Low Work Estimates None Meetings None Opposition: Low Skills: SKILLI-Customer

Data Acquisition Procedure NA


PT013-ISCBIND-DNS Provides DS002DNS-ET01QueryResponse DS002DNS-ET01QueryRequest


PT014-PhysicalAccessControl


PT015-Linux-Deb/RH Provides DS003Authentication Authentication occurs for User Authentication

Key Facts Impact to index/license Based on log files average size of change in osnix* indexes over 7 days Day 0 Impact, Customers frequently have no or poor retention policy in place on the monitored files and very large windows event logs to support problem resolution when no central solution exists. This can result in a large historical load impacting or exceeding the license utilization for that day. If implementing over multiple days prepare with a license reset key. LOAD-Low additional impact to authentication datamodels Work Estimates. Note presumption that no deviation from OS default configuration os the syslog service. Splunk Core Resource <4 hours Change Control Process 3-4 hours (Possibly require multiple iterations) Meetings 1-2 Opposition: Low Skills: SKILLI-Customer

Data Acquisition Procedure Supported versions of RedHat and Debian based OSes Bitbucket Link https://bitbucket.org/rfaircloth-splunk/securitykit/src/8304061fc8c6f4a87f3a26adf51710f58b8fd375/base/ds/?at=maste Nix Deployment Servers and Cluster Masters Deploy the following apps from base/ds/deployment-servers Splunk_TA_nix TA-linux_auditd SA-LinuxAuditd Index app (one of) SecKit_splunk_index_1_splunk_vol SecKit_splunk_index_1_splunk_home Splunk_TA_nix_SecKit_0_all_inputs Splunk_TA_nix_SecKit_1_all_inputs Stage the following apps to deployment-apps Splunk_TA_nix TA-linux_auditd SA-LinuxAuditd Index app (one of) SecKit_splunk_index_1_splunk_vol SecKit_splunk_index_1_splunk_home Splunk_TA_nix_SecKit_0_all_inputs Splunk_TA_nix_SecKit_1_all_inputs

sudo /usr/bin/setfacl -m "u:splunk:r-x" /var/log sudo /usr/bin/setfacl -m "u:splunk:r--" /var/log/* sudo /usr/bin/setfacl -m d:user:splunk:r /var/log


PT016-Cisco-ASA/PIX/FWSM The Cisco ASA is a multi function firewall, VPN, reverse proxy device

Provides DS003Authentication-ET01Success DS003Authentication-ET02Failure DS003Authentication-ET02FailureBadFactor DS010NetworkCommunication-ET01Traffic DS012NetworkIntrusionDetection-ET01SigDetection DS014WebServer-ET01Access

Key Facts Impact to index/license Educated 3k * nm * nu = Total K per Day (average over at least 7 days dropping lowest 2) nm= number of emails sent recommend 40 nu= weighted number of users Educated option 2: 3k * actual message count = Total K per Day (average over at least 7 days dropping lowest 2) Based on log files total size of message tracking log file over 7 days from devices where local log collection is enabled Day 0 Impact, none no prior logs can be collected LOAD-Low additional impact to mail and web data models in general is minimal inclusion will motivate additional search activity increasing utilization on IT Ops and Security search heads. Work Estimates Splunk Core Resource <2 hours Change Control Process 3-4 hours Meetings 1-2 Opposition: Low Skills: SKILLI-Customer

Data Acquisition Procedure ASA Prerequisites Ensure static or dynamic assets inventory contains ip, nt_host and dns entries for the management interface of each device PCI_DOMAIN per enterprise requirements category: vendor_Cisco category: product_ASA category (one or more): svc_firewall svc_ips svc_vpn is_expected true ASA configured With current supported vendor firmware Time SYNC enabled Clock set to GMT Ensure reverse and forward DNS entries exist for each device Index: firewall

Step-by-step guide 1. Deploy TA a. Deployment Server i. Unzip Splunk_TA_cisco-asa.zip to $SPLUNK_HOME/etc/deployment-apps ii. Create Splunk_TA_cisco-asa/local/props.conf


#Note the following transforms are undesirable as they will not match so we set the TRANSFORM = [source::tcp:514] TRANSFORMS-force_sourcetype_for_cisco = [source::udp:514] TRANSFORMS-force_sourcetype_for_cisco = [syslog] TRANSFORMS-force_sourcetype_for_cisco = #Custom source type for initially routing data [syslog:cisco] TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_ cisco_pix,force_sourcetype_for_cisco_fwsm

2. 3. 4. 5.

iii. Update b. Cluster Master(s) i. Apply Cluster Bundle Deploy Syslog inputs.conf Deploy syslog-ng configuration Deploy VIP Configure the ASA a.

logging logging logging logging logging logging


enable host interface_name ip_address tcp 514 permit-hostdown trap 6 buffered 6 facility 20

PT017-Trend-TippingPoint The Trend Micro tippingpoint IPS product

Provides DS012NetworkIntrusionDetection-ET01SigDetection

Key Facts Impact to index/license Based on log files total size of message tracking log file over 7 days from devices where local log collection is enabled Day 0 Impact, none no prior logs can be collected LOAD-Low additional impact to mail and web data models in general is minimal inclusion will motivate additional search activity increasing utilization on IT Ops and Security search heads. Work Estimates Splunk Core Resource <2 hours Change Control Process 3-4 hours Meetings 1-2 Opposition: Low Skills: SKILLI-Customer

Data Acquisition Procedure Prerequisites a. Ensure static or dynamic assets inventory contains ip, nt_host and dns entries for the management interface of each device PCI_DOMAIN per enterprise requirements category: vendor_TrendMicro category: product_Tippingpoint category (one or more): EPP is_expected true b. Syslog Configuration i. SMS Configuration 1. Open SMS console 2. Goto Admin System Properties 3. Click Add under Remote Syslog for Events a. Syslog Server: IP of syslog server b. Port: 514 c. Log Type: SMS 2.0/2.1 Syslog format d. Facility: Local 7 e. Severity: Severity in Event f. Delimiter: TAB 4. Select "Use Original Event Timestamp" 5. Select "Include SMS Hostname in Header" 6. Click "OK"


Enrichment Data View Enrichment data represents types of data utilized to provide color, context, or assessment when applied to events from a data source. Such feeds allow more refined searches producing better more useful results DE001AssetInformation — Creating or having access to a robust asset inventory is a foundational activity because it is

critical for a security team to know what it is defending before there can be any hope of securing it. Indeed, many attackers succeed because they have a deeper understanding of the target environment than the teams who are tasked with defending them thus increasing their attack surface. The Assets and Identities framework in Splunk Enterprise Security provides a simple yet very useful way to store ass DE002IdentityInformation

Provider Types Provider types are linkages to vendor and customer technologies which are believed or have been field validated to support the use cases identified.


DE001AssetInformation

Creating or having access to a robust asset inventory is a foundational activity because it is critical for a security team to know what it is defending before there can be any hope of securing it. Indeed, many attackers succeed because they have a deeper understanding of the target environment than the teams who are tasked with defending them thus increasing their attack surface. The Assets and Identities framework in Splunk Enterprise Security provides a simple yet very useful way to store asset data and correlate it with activity observed across the environment. An asset for the purpose of security monitoring is an authorized presence on the internal network which may be identified as a source or destination network address by IP address, MAC address, hostname, or fully qualified domain name.

Prioritization The same type of events on two different systems may not deserve the same level of attention; a medium severity event against a desktop machine is less urgent than the same issue against an externally facing web server that processes credit card information. Asset management allows an urgency to be computed based on the priority of hosts and assign higher urgency to high priority assets.

Categorization Asset management allows information about the assets to be added to events. For example, identity management can look up the source of an event and find the location of the asset, indicate whether the source is subject to PCI compliance or identify the owner.

Normalization Asset management allows hosts to be normalized and determine whether two events relate to the same host. For example, two events may use different information to refer to the host; one event may use an IP address and another event may use a DNS name. Identity management can determine that both of the events are for the same host by recognizing that the IP address and DNS name are for the same host.

The following table describes each field: Field

Description

Example

ip

single value of IP address (can be a range).

2.0.0.0/8,1.2.3.4, 192.168.15.9-192.169.15.27

mac

single value of The MAC address of the host (can be a range).

00:25:bc:42:f4:60, 00:25:bc:42:f4:60-00:25:bc:42:f4:6F

nt_host

single value of The Windows machine name of the host

ACME-0005

dns

single value of The DNS name of the host.

acme-0005.corp1.acmetech.com

owner

The name of the user who owns or uses the host

user principal name or email address of asset owner, or primary contact

priority

The priority of the host.

Must be one of the following: unknown, informational, low, medium, high or critical

lat

The latitude of the asset.

41.040855.

long

The longitude of the asset.

28.986183.

city

The city in which the asset is located

Chicago

country

The country in which the asset is located

USA

bunit

The business unit of the asset

emea

category

One or more categories for the asset. To specify multiple categories for an asset, use a vertical bar. To use this field, you must set up the category list.

server

pci_domain

Used to identify assets which should be included in reporting or alerting used to support PCI compliance

trust trust|wireless trust|cardholder trust|dmz untrust (not this value is the default when left blank)


is_expected

Indicates whether events from this asset should always be expected; if set to true, then an alert will be triggered when this asset quits reporting events.

true (leave blank to indicate "false")

should_timesync

Indicates whether this asset must be monitored for time-syncing events

true (leave blank to indicate "false") If true, then an alert will be triggered if the host has not performed a time-sync event (such as an NTP request)

should_update

Indicates whether this asset must be monitored for system update events


requires_av

Indicates whether this asset must have anti-virus software installed


A-C

D-M

N-T

U-Z




ucd-access


DE002IdentityInformation An identity (for the purpose of security monitoring) is an authorized or previously authorized presence on the network which may be identified as a source or destination account. Multiple records are grouped together by account to identify one human identity or nonhuman application.

Prioritization The same type of events on two different systems may not deserve the same level of attention; a medium severity event against a marketing user is less urgent than the same issue against an assistant to the CEO. Identity management allows an urgency to be computed based on the priority of identities.

Categorization Identity management allows information about the assets to be added to events. For example, categories such as executive, legal, pic, or hr can inform the analyst of the types of information at risk should the user's access be used maliciously.users

Normalization Identity management allows accounts to be normalized; regardless of the account name or format used in a specific log, the identity will be available for evaluation in the rule or by the analyst. The following table describes the fields: Column

Description

Examples

Identity (key)

Pipe-delimited list of usernames representing the identity

system | manager, admin | ESadmin, PS | BD

prefixprefix

Prefix of the identityPrefix

Mr., Mrs., Ms., Dr.

nick

Nickname of the identity

Bobby, Spud, Dr. Z

firstfirst

First name of the identityFirst

Gordon

lastlast

Last name of the identityLast

Trisler

suffixsuffix

Suffix of the identitySuffix

Jr., Esq., M.D.

emailemail

Email address of the identityEmail

[email protected], [email protected]

phone

Telephone number of the identity

+1 (800)555-8924

phone2

Secondary telephone number of the identity

+1 (800)555-7152

managedBy

Username representing manager of the identity

lietzow.tim, a.koskitim

prioritypriority

Priority of the identityPriority

Value can be "low," "medium," "high," or "critical"; for instance, CEO would be "critical"

bunit

Business unit of the identity

emea, americas

categorycategory

Category of the identity;Category can be a pipe-delimited list

intern, officer, pip, pci | secure, default | privilegedpci

watchlist

Is the identity on a watchlist?

Value can be "true" or "false"

startDate

Start/Hire date of the identity

Formats: %m/%d/%Y %H:%M, %m/%d/%y %H:%M, %s

endDate

End/Termination date of the identity

Formats: %m/%d/%Y %H:%M, %m/%d/%y %H:%M, %s


Adoption Narratives


Adoptable Compliance and Security Narratives Adoptable Compliance and Security Narratives are use cases developed by consultants or gathered from industry knowledge for implementation on the Splunk Platform, typically utilizing the advanced capabilities of Enterprise Security to reduce time to value.

Create a new UC

UC0001 Detection of new/prohibited web application — A prohibited web application such as Box or a game on the Facebook

platform can be detected and filtered by modern web proxy solutions and next generation firewalls. Allowed prohibited applications or New application instances should be reviewed to ensure proper use. UC0002 Detection of prohibited protocol (application) — A prohibited protocol such as IRC, FTP, or gopher could indicate malicious activity or the implementation of an insecure system on the network. Consider intranetwork communication and accepted communications from the internet UC0003 Server generating email outside of approved usage — Server operating systems often generate email for routine purposes. Configuration management can be used to identify which server may generate email and what recipients are permitted. UC0004 Excessive number of emails sent from internal user — Excessive email generation by an authorized user could indicate the presence of malware for the purpose of spam sending, abusing company resources, or attempting to solve a business problem using a technique not approved by policy. For this use case, email generated from endpoint networks and operating systems should be considered. Servers often can impersonate users for the purpose of email transmission; when this is allowed in an environment, these could generate false positives. UC0005 System modification to insecure state — Authorized or unauthorized users may attempt to modify the system such that hardened configuration policies are removed or security monitoring tools are disabled. UC0006 Windows security event log purged — Manually clearing the security event log on a windows system is a violation of policy and could indicate an attempt to cover malicious actions. UC0007 Account logon successful method outside of policy — The logon event properties could indicate account misuse in violation of policy OR as an indication of compromise by comparing the identified purpose of the account to the context of the logon to determine if the account is authorized for such usage. UC0008 Activity on previously inactive account — Excluding computer accounts in active directory, an account with new activity that has not been active in the previous thirty days is suspicious. UC0009 Authenticated communication from a risky source network — An Internet facing authentication system has allowed authenticated access from a risky source network. UC0010 Detect unauthorized use of remote access technologies — Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity or an internal control failure. UC0011 Improbable distance between logins — Utilizing source IP address, geolocation data, and where available for company owned mobile devices, GPS for mobile devices. Using the Haversine algorithm, calculate the distance between the authenticated successful connections. UC0012 Increase risk score of employees once adverse seperation is identified or anticipated — Increase the risk score of users who have indication of adverse separation. UC0013 Monitor change for high value groups — Detection of change for groups used to control access for sensitive, regulated, or critical infrastructure systems. UC0014 Monitor use attempts of human accounts once primary account is expired disabled or deleted — A human user may own multiple accounts. When the primary account of the human is expired, disabled, or deleted, we should expect no further activity from any other account owned by the user. UC0015 Privileged user accessing more than expected number of machines in period — Privileged user authenticates to more than X number of new targets successfully or is denied access to more than Y targets in the prior Z hours. UC0016 Successfully authenticated computer accounts accessing network resources — Batch, Windows Services, App Pools, and specially constructed Windows shells can access network resources. A small number of technical solutions will require this type of behavior, however, after excluding a white list of hosts or shares (such as sysvol or netlogon), such access attempts (success or fail) could indicate the presence of malware or attempts to elevate access. Exclude infrastructure file servers. UC0017 Unauthorized access or risky use of NHA — Detect the use of a Windows account designated by the organization as a non human account (NHA) outside of the normal usage of such an account. UC0018 Unauthorized access SSO brute force — Single IP address attempting authentication of more than two valid users within ten minutes where one or more unique accounts is successful, and one or more accounts is not successful against an approved SSO System. UC0019 User authenticated to routine business systems while on extended absense — A user on leave, vacation, sabbatical, or other types of leave should not access business systems. This could indicate malicious activity by the employee or a compromised account. UC0020 Attempted communication through external firewall not explicitly granted — Any attempted communication through the firewall not previously granted by ingress/egress policies could indicate either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions (bypassing the firewall). UC0021 Communication outbound to regions without business relationship — Outbound communication with servers hosted in regions where the organization does not expect to have employees, customers, or suppliers.


UC0022 Endpoint communicating with an excessive number of unique hosts — Endpoints attempting to communicate with an

excessive number of unique hosts over a given time period may indicate malicious code. Exclude category svc_network_scanner UC0023 Endpoint communicating with an excessive number of unique ports — Endpoints communicating with an excessive number of unique destination ports could indicate malicious code probing for vulnerabilities. Certain server applications will arrange for communication on a high number port with the client such as ftp in passive mode and RPC on windows server. Utilize category wl_hv_open_client_ports UC0024 Endpoint communicating with external service identified on a threat list. — Superceded by UCESS053 Threat Activity Detected UC0025 Endpoint Multiple devices in 48 hours in the same site — Multiple infected devices in the same site could indicate a successful watering hole attack. Monitor for more than 5% of the hosts in a site. UC0026 Endpoint Multiple devices in 48 hours in the same subnet — Multiple infected devices in the same subnet could indicate lateral movement of an adversary or a possible worm. Monitor for more than 5% of the host addresses on a subnet as it is not readily possible to know how many hosts are active on a subnet. UC0027 Endpoint Multiple devices in 48 hours owned by users in the same organizational unit — Multiple infected devices in the same organizational unit could indicate a successful spear phishing attack. Monitor for more than 5% of the hosts in an organizational unit. UC0028 Endpoint Multiple infections over short time — Multiple infections detected on the same endpoint in a short period of time could indicate the presence of a undetected loader malware component (apt). UC0029 Endpoint new malware detected by signature — When a new malware variant is detect by endpoint antivirus technology it is possible the configuration or capability of other controls are deficient. Review the sequence of events leading to the infection to determine if additional preventive measures can be put in place. UC0030 Endpoint uncleaned malware detection — Endpoint with malware detection where anti malware product attempted to and was unable to clean, remove or quarantine. UC0031 Non human account starting processes not associated with the purpose of the account — Accounts designated for use by services and batch process should start a limited set of child processes. Creation of new child processes other than the process name defined in the service or batch definition may indicate compromise. UC0032 Brute force authentication attempt — When more than 10 failed authentication attempts for known accounts occur from single endpoint UC0033 Brute force authentication attempt distributed — When more than 10 failed authentication attempts for known accounts occur for a single account from more than 2 IP addresses in 60 minutes. This could indicate an adversary has identified a specific high value account and is attempting to gain access. UC0034 Brute force successful authentication — If a source IP identified by a brute force use case authenticates successfully OR an account identified by a brute use case successfully logins after failing once from the same source address. UC0035 Compromised account access testing — Following a successful authentication, an attacker will attempt to determine what resources may be accessed without causing host intrusion or DLP technologies to detect activity. Commonly the attacker will enumerate and browse to shares, access email, access web applications, or connect to databases yet perform minimal or no activity. UC0036 Compromised account access testing (Critical/Sensitive Resource) — Following a successful authentication, an attacker will attempt to determine what resources may be accessed without causing host intrusion or DLP technologies to detect activity. Commonly the attacker will enumerate and browse to shares, access email, access web applications, or connect to databases yet not perform any or minimal activity. Critical and Sensitive systems during routine use should not log access denied events. UC0037 Network Intrusion External - New Signatures — External IDS devices reporting an attack using a signature not previously encountered are more likely be successful as new signatures are prompted by newly know attacks in the wild. UC0038 Excessive use of Shared Secrets — Usage of greater than X number of unique shared/secret credentials or more than 1 standard deviation from peers UC0039 Use of Shared Secret for access to critical or sensitive system — Use of a secret/shared secret account for access to such a system rather than accountable credentials could indicate an attempt to avoid detection. UC0040 Use of Shared Secret for or by automated process with risky attributes — Usage (checkout) by an automated process such as software installation of a shared secret or service account where the source of the retrieval is new or outside of the change window. UC0041 SSH v1 detected — Authentication using insecure protocol SSH v1 detected. The legacy SSH protocol is inherently insecure indication of accepted SSHv1 sessions indicate a mis-configured system. Attempted and denied sessions indicate system probing or scanning. UC0042 SSH Authentication using unknown key — The public key utilized for authentication is recorded in the SSHD authentication log. Detection of a new key should be investigated to determine the owner of the key and validate authorization to access the resource. UC0043 Direct Authentication to NHA — Direct authentication via SSH or console session to a non human account indicates a violation of security policy by recording the password of a non human account for later use or by association of a SSH key to a non human account. UC0044 Network authentication using password auth — Even using SSH encryption, allowing password authentication to Linux/Unix systems over the network increases the attack surface and the possible impact of a compromised account. Investigate and resolve all instances of network authentication utilizing password.


UC0045 Local authentication server — Following provisioning, nix servers seldom require local administration. Investigate any

use of local authentication as it may indicate an attempt to compromise the host via KVM or virtual console. UC0046 Endpoint failure to sync time — Failure to synchronize time will impact the usefulness of security log data from the endpoint, and potentially prevent valid authentication. UC0047 Communication with newly seen domain — Newly seen domain's may indicated interaction with risky or malicious servers. Identification of new domains via web proxy logs without other IOCs allows the analyst/threat hunter to explore the relevant data and potentially identify weaknesses or risky behavior than could be identified. The daily number of new domains will be substantial in a typical organization the search will select a subset of those for triage. UC0049 Detection of DNS Tunnel — Endpoint utilizing DNS as a method of transmission for data exfiltration, command and control, or evasion of security controls. Detected by large total size of DNS traffic OR large number of unique queries. UC0051 Excessive physical access failures to CIP assets — A user with continuous physical access failures could be someone searching for a physical vulnerability within the organization. When this occurs in an area that is protecting CIP assets, it is something that should be followed up on immediately. UC0052 Non-CIP user attempts to access CIP asset — CIP assets require special protections; therefore, users that have not been vetted for CIP access, or should have had their access removed, should not have access. System owners should be notified immediately should a non-CIP user attempt to access a CIP asset. UC0065 Malware detected compliance asset — Malware detection on a asset designated as compliance such as PCI, CIP or HIPPA requires review even when automatic clean has occurred UC0071 Improbably short time between Remote Authentications with IP change — For employers that allow remote external connectivity the detection of two or more distinct values of external source IP address for successful authentications to a remote access solution in a short period of time indicates a likely compromise of credentials. UC0072 Detection of unauthorized using DNS resolution for WPAD — Detection of an endpoint utilizing DNS as a method of proxying by querying for wpad.registrationdomain. Search for reply NXDOMAIN replies for A/AAA queries for wpad (bare host) and wpad.* where the domain portion is not a company owned domain. UC0073 Endpoint detected malware infection from url — Endpoint antimalware detection event occurred where the malicious content was retrieved from an external URL. Possible indication of gaps in protection by web proxy, intrusion prevention, or advanced threat prevention. Use the information available for the event and determine how existing prevention controls can be modified to prevent future infections. UC0074 Network Intrusion Internal Network — IDS/IPS detecting or blocking an attack based on a known signature. UC0075 Network Malware Detection — Internal malware detection system such as fire eye devices reporting an attack. UC0076 Excessive DNS Failures — An endpoint utilizing DNS as a transmission method for data exfiltration, command and control, or evasion of security controls can be detected by either a large volume or high number of unique DNS queries. UC0077 Detection Risky Referral Domains — Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the following sequence occurs UC0079 Use of accountable privileged identity to access new or rare sensitive resource — Use of an identity identified as privileged to access a system for the first time within a rolling time period will trigger a notable event for review of access reason. UC0080 Trusted Individual exceeds authorization in observation of other users — Evaluate queries executed by authorized trusted individuals to determine if the user is observing the behavior of other users for reasons not authorized as part of the user's job function. UC0081 Communication with unestablished domain — Egress communication with a newly seen, newly registered, or registration date unknown domain may indicate the presence of malicious code. Assets communicating with external services excluding Alexa TOP 1M whose reputation score exceeds acceptable norms will be flagged. UC0082 Communication with enclave by default rule — Communication from a enclave network may indicate a misconfiguration that could weaking the security posture of the organization or actual/attempted compromise. Communication filtered by the default rule implies no explicit permission for communication has been granted and should be reviewed. Consider ingress communication allowed by the default rule, and egress communication allowed or blocked. UC0083 Communication from or to an enclave network permited by previously unknown or modified firewall rule — Communication from a enclave network may indicate a misconfiguration that could weaking the security posture of the organization or actual/attempted compromise. Maintain a dynamic list of firewall rule names by dvc alert when a rule is named in a allowed communication where the reviewed time is null or prior to the last known modification time. UC0084 Monitor Execution of Triage Activtity — Define and maintain eventypes for unsuppressed notable events separately identifying review work flow, and triage SLA required. UC0085 Alert per host where web application logs indicate a source IP not classified as WAF — Communication to any web application server without filtering by a network web application firewall indicates a security misconfigration. UC0086 Detect Multiple Primary Functions — Using network communication fingerprinting detect distinct primary functions such as SQL, HTTP, DNS by destination asset. Alert if more than one primary function excluding administrative protocols (RDP,SSH, iDrac). UC0087 Malware signature not updated by SLA for compliance asset — Malware signature last updated on a asset designated as compliance such as PCI, CIP or Hippa beyond SLA limits UC0088 User account sharing detection by source device ownership — Detection of logon device by asset name (may require resolution from IP) when logon user does not match the owner and the number of unique owned devices is greater than two in the prior 24 hours. Exclude assets identified as loaner, and public or shared. UC0089 Detection of Communication with Algorithmically Generated Domain — Using an algorithm determine text of the registration domain is likely to be generated by a computer excluding known cloud hosting domains, Alexa TOP 1 M


domains and domains with long established communication with the organization. UC0090 User account cross enclave access — Detection of logon with the same account to a production and a non production environment. If an account (not user) has logged into more than one account access management controls have failed and must be remediated UC0091 Validate Execution of Vulnerability Scan — Using host based logs such as firewall or host intrusion detection for each asset with a governance category verify communication (accept or reject) has occurred with origination from one or more authorized vulnerability scanners, UC0092 Exception to Approved Flow for Web Applications — Using web application access logs for assets deemed high/crticial or with the governace attributed ensure the source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices ensure the first "x-forwardedfor" entry is the address of the WAF UC0093 Previously active account has not accessed enclave/lifecycle — Identify accounts no longer in use with access to high/critical or enclave systems and remove access when no longer required. Implement a tracking list of accounts and the accessed enclave or business service identifier, maintain the last accessed time and alert when the last access time is more than 90 days from current date. UC0094 Insecure authentication method detected — For each authentication technology in the network identify the values of authentication events that positively ensure that secure authentication is in use. Alert per authentication technology where a successful event occurs without the required indicators


UC0001 Detection of new/prohibited web application A prohibited web application such as Box or a game on the Facebook platform can be detected and filtered by modern web proxy solutions and next generation firewalls. Allowed prohibited applications or New application instances should be reviewed to ensure proper use. Problem Types Addressed

Risk Addressed

Event Data Sources

PRT02-SecurityVisibilityEndpointMalware

RV1-AbuseofAccess

DS005WebProxyRequest-ET01RequestedWebAppAware

RV4-ScanProbe

Adoption Phase Customer

Adoption Phase SME

Adoption Phase Industry

APC-Maturing

APS-ProposedField

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED1-Common

FIDELITY-High

System Load

Analyst Load

Implementation Skill

LOAD-Low

AnalystLoad-Low

SKILLI-Customer

Response RP001 New web application or network protocol detected Implementation Details Effectiveness Monitoring Metrics Captured 1. Track and trend positive versus false positive rate Metrics Review 1. Review prohibited protocol list and determine if new protocols should be added Artifacts TBD

Related articles


Enrichment DE001AssetInformation DE002IdentityInformation DDE005 Prohibited Network Protocol/Application List DDE006 Acceptable Network Protocol/Application List

UC0002 Detection of prohibited protocol (application) A prohibited protocol such as IRC, FTP, or gopher could indicate malicious activity or the implementation of an insecure system on the network. Consider intranetwork communication and accepted communications from the internet Problem Types Addressed

Risk Addressed

Event Data Sources


RV1-AbuseofAccess

DS010NetworkCommunication-ET01TrafficAppAware

RV4-ScanProbe


Adoption Phase SME


APC-Essential

APS-ProposedField

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED1-Common

FIDELITY-High

System Load

Analyst Load


LOAD-Low

AnalystLoad-Moderate

SKILLI-Customer

Response RP002 Endpoint generating suspicious network activity Implementation Details Effectiveness Monitoring Metrics Captured 1. N/A Metrics Review 1. Review prohibited protocol list and determine if new protocols should be added Artifacts TBD

Related articles


Enrichment DE001AssetInformation DDE005 Prohibited Network Protocol/Application List

UC0003 Server generating email outside of approved usage Server operating systems often generate email for routine purposes. Configuration management can be used to identify which server may generate email and what recipients are permitted. Identify servers receiving email from the internet without approval Identify servers sending email to the internet without approval Identify servers relaying email to internal users without approval Identify servers relaying email to external users without approval Problem Types Addressed

Risk Addressed

Event Data Sources


RV3-MaliciousCode RV6-Misconfiguration

DS001Mail-ET03Send

Enrichment


Adoption Phase SME


APC-Essential

APS-ProposedField

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low


SKILLI-PS-SecurtityEnabled

Response RP008 Unauthorized service detected on an endpoint Implementation Details Effectiveness Monitoring Metrics Captured 1. N/A Metrics Review 1. N/A Artifacts TBD

Related articles



UC0004 Excessive number of emails sent from internal user Excessive email generation by an authorized user could indicate the presence of malware for the purpose of spam sending, abusing company resources, or attempting to solve a business problem using a technique not approved by policy. For this use case, email generated from endpoint networks and operating systems should be considered. Servers often can impersonate users for the purpose of email transmission; when this is allowed in an environment, these could generate false positives. Problem Types Addressed

Risk Addressed

Event Data Sources


RV1-AbuseofAccess

DS001Mail-ET03Send

PRT02-SecurityVisibilityUserActivity

RV3-MaliciousCode


Adoption Phase SME

APC-Maturing

APS-Accepted

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low

SKILLI-Customer

Enrichment DE001AssetInformation CAT-svc:mailgw Exclude from detection DE002IdentityInformation CAT-nha Exclude from detection CAT-svc:mail Exclude from detection


Response RP005 Malicious Code detected on endpoint Implementation Details Effectiveness Monitoring Metrics Captured 1. N/A Metrics Review 1. N/A Artifacts

Context Gen Email sent count by account in 10 min Using context, create a notable event when number of email sent is sharply increasing over two 10 min blocks

Related articles


UC0005 System modification to insecure state Authorized or unauthorized users may attempt to modify the system such that hardened configuration policies are removed or security monitoring tools are disabled. Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV1-AbuseofAccess RV6-Misconfiguration

DS TBD - Host IDS/IPS


DS TBD - System logs (Windows Event Log) Group policy modification Local security policy modification Start configuration change or removal of critical service Add / change local user object DS TBD - System logs (Linux audit logs) Modification of init level or removal of existing service Addition / modification of local user Modification of critical configuration file


Adoption Phase SME


APC-Mature

APS-ProposedField

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED0-Rare

TBD

System Load

Analyst Load


TBD

TBD

TBD

Response RP007 Potentially Unauthorized change detected on endpoint Implementation Details Effectiveness Monitoring Metrics Captured 1. Trend Reporting by organizational unit 2. Trend Reporting by result of investigation Metrics Review 1. Review after-action reports to identify control weaknesses enabling recurrence Artifacts TBD

Related articles


Enrichment DE001AssetInformation DDE012 Service State by platform DDE013 Critical Policy Objects

UC0006 Windows security event log purged Manually clearing the security event log on a windows system is a violation of policy and could indicate an attempt to cover malicious actions. Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV1-AbuseofAccess

DS007AuditTrail-ET01Clear



Adoption Phase SME


APC-Essential

APS-RFC

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low



Response RP007 Potentially Unauthorized change detected on endpoint Implementation Details Effectiveness Monitoring Metrics Captured 1. N/A Metrics Review 1. N/A Artifacts TBD

Related articles


Enrichment DE001AssetInformation

UC0007 Account logon successful method outside of policy The logon event properties could indicate account misuse in violation of policy OR as an indication of compromise by comparing the identified purpose of the account to the context of the logon to determine if the account is authorized for such usage. Accounts provisioned for human access should NOT be identified as logging on as a network or batch account in windows or as a cron task or service on Linux/Unix. Accounts provisioned for NON-human access should NOT be identified as logging on to server operating systems interactively except for those accounts identified as privileged. Accounts provisioned for service, batch or app pool usage should not logon interactively. Occurrences of this activity may indicate the account password has been compromised. Accounts provisioned for service, batch or app pool usage should not logon to non server operating systems. Accounts identified as default where the authentication source is not an asset identified as a privilege credential management jump server

Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV1-AbuseofAccess

DS003Authentication-ET01Success


RV2-Access RV3-MaliciousCode


Adoption Phase SME

APC-Mature

APS-TBD

API-TBD

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Moderate


SKILLI-PS-SecurtitySpecialist

Enrichment DE001AssetInformation DE002IdentityInformation Category indicating exception list listing accounts to exclude from this search


Response 1. RP010 Contain potentially compromised account 2. RP012 Contain potentially compromised non human account

Implementation Details Effectiveness Monitoring Metrics Captured 1. Trend time to resolve Metrics Review 1. Review time to resolve trends 2. Review exception list to determine if entries may be invalid and remove as required. Artifacts TBD

Related articles


UC0008 Activity on previously inactive account Excluding computer accounts in active directory, an account with new activity that has not been active in the previous thirty days is suspicious. Problem Types Addressed

Risk Addressed

Event Data Sources


RV2-Access


Enrichment DE002IdentityInformation

RV3-MaliciousCode


Adoption Phase SME


APC-Mature

APS-RFC

API-Distinctive

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Moderate



Response RP010 Contain potentially compromised account Implementation Details Effectiveness Monitoring Metrics Captured 1. Trend Reporting by account type 2. Trend Reporting by result of investigation Metrics Review 1. Quarterly review thresholds and monitoring statistics determine if the tolerances should be modified relative to risk acceptance Artifacts TBD

Related articles


UC0009 Authenticated communication from a risky source network An Internet facing authentication system has allowed authenticated access from a risky source network. Always Anonymizing services such as VPN providers, Proxy systems Threat list identification of IP B2B communications consider the following sources risky Dial up Dsl/cable/fios ISP Mobile broadband Satellite broadband Education networks B2E Hosting provider networks Education networks B2C Hosting provider networks Problem Types Addressed

Risk Addressed

Event Data Sources


RV2-Access


RV3-MaliciousCode

Web server logs

Enrichment DE002IdentityInformation DDE003 Public Network attributes DDE004 Threat List

VPN logs email server logs instance messaging logs file transfer servers


Adoption Phase SME


APC-Mature

APS-RFC

API-Distinctive

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED1-Common

FIDELITY-Low

System Load

Analyst Load


LOAD-High



Response RP003 Authentication on Internet facing system with potentially compromised account Implementation Details Effectiveness Monitoring Metrics Captured 1. Trend Reporting by account type (employee vs customer vs business) 2. Trend Reporting by result of investigation 3. Trend Reporting of call center impact (customer) Metrics Review 1. Quarterly review thresholds and monitoring statistics determine if the tolerances should be modified relative to risk acceptance Artifacts TBD

Related articles


UC0010 Detect unauthorized use of remote access technologies Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity or an internal control failure. Problem Types Addressed

Risk Addressed

Event Data Sources


RV2-Access



RV3-MaliciousCode


RV6-Misconfiguration


Adoption Phase SME


APC-Mature

APS-RFC

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low


Response RP014 Unknown remote access observed Implementation Details Effectiveness Monitoring Metrics Captured 1. Trend resolution and escalation types Metrics Review 1. Review identity enrichment to determine if any access controls are no longer approved Artifacts TBD

Related articles


Enrichment DE001AssetInformation Categorization providing information to identify authorized remote access systems DE002IdentityInformation Categorization providing information on which users may access an individual remote access technology

UC0011 Improbable distance between logins Utilizing source IP address, geolocation data, and where available for company owned mobile devices, GPS for mobile devices. Using the Haversine algorithm, calculate the distance between the authenticated successful connections.Detect where: Total distance is greater than 7000 mi If the distance between events is greater than 500mi, then evaluate the distance between points in mi/Time delta between events (T) in hours>600 If the distance between events is less than 500mi, then evaluate the distance between points in mi/Time delta between events (T) in hours>100 Do not consider special connection types dial up, cellular, satellite Do not consider cloud service providers Do not consider anonymized connections Problem Types Addressed

Risk Addressed

Event Data Sources


RV2-Access

DS003Authentication-ET01Success network authentication only


Adoption Phase SME

APC-Maturing

APS-Accepted

API-Distinctive

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-High



Enrichment DDE TBD (Customer) Can manage account Can admin users DE002IdentityInformation (Employee)


Response RP010 Contain potentially compromised account Implementation Details Effectiveness Monitoring Metrics Captured 1. Trend Reporting by account type (employee vs customer) 2. Trend Reporting by result of investigation 3. Trend Reporting of call center impact (customer) Metrics Review 1. Quarterly review thresholds and monitoring statistics determine if the tolerances should be modified relative to risk acceptance Artifacts TBD

Related articles


UC0012 Increase risk score of employees once adverse seperation is identified or anticipated Increase the risk score of users who have indication of adverse separation.Examples of users with an indication of adverse separation, include but are not limited to the following: User has entered a remediation program with human resources User has been identified as included in a reduction in force User has announced voluntary separation User has been identified in a reorganization program Problem Types Addressed

Risk Addressed

Event Data Sources


RV1-AbuseofAccess

DS008HRMasterData-ET02SeperationNotice

RV2-Access


Adoption Phase SME

APC-Mature

APS-Proposed

API-TBD

Initial Severity

Occurrence/Fidelity

Fidelity

SV - TBD

RATED0-Rare

TBD

System Load

Analyst Load


TBD

TBD

TBD

Response RP TBD Implementation Details Effectiveness Monitoring Metrics Captured 1. N/A Metrics Review 1. N/A Artifacts TBD

Related articles



Enrichment N/A

UC0013 Monitor change for high value groups Detection of change for groups used to control access for sensitive, regulated, or critical infrastructure systems. Problem Types Addressed

Risk Addressed

Event Data Sources


RV2-Access

DS006UserActivity-ET04Update

Enrichment


Adoption Phase SME


APC-Maturing

APS-Accepted

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED0-Rare

FIDELITY-Low

System Load

Analyst Load


LOAD-High

AnalystLoad-Low


Response RP013 Change to critical access control detected Implementation Details Effectiveness Monitoring Metrics Captured 1. Time to investigate 2. Time to close 3. Number of reportable incidents Metrics Review 1. Quarterly review risky groups list for additions and removals Artifacts TBD

Related articles


DE002IdentityInformation Identity category terminated Identity category reduction_in_force Identity category org_change Identity termination date (including future) Identity category access_admin DDE0016 List of risky groups.

UC0014 Monitor use attempts of human accounts once primary account is expired disabled or deleted A human user may own multiple accounts. When the primary account of the human is expired, disabled, or deleted, we should expect no further activity from any other account owned by the user. Problem Types Addressed

Risk Addressed

Event Data Sources


RV2-Access



DS003AUTHENTICATION-ET02Failure


Adoption Phase SME


APC-Maturing

APS-Accepted

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low


Response RP009 Unauthorized (actual or attempted) access by employees or contractors Implementation Details Effectiveness Monitoring Metrics Captured 1. Trend time to resolve Metrics Review 1. Review incidents to identify root cause failures permitting accounts to remain active. Artifacts TBD

Related articles


UC0015 Privileged user accessing more than expected number of machines in period Privileged user authenticates to more than X number of new targets successfully or is denied access to more than Y targets in the prior Z hours.For example: More than 5 new targets More than 3 failures In the last 4 hours Problem Types Addressed

Risk Addressed

Event Data Sources


RV2-Access



Adoption Phase SME

APC-Maturing

APS-Accepted

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED0-Rare

FIDELITY-Low

System Load

Analyst Load


LOAD-Moderate



Enrichment DE002IdentityInformation DDT002 Logon Tracker


Response RP009 Unauthorized (actual or attempted) access by employees or contractors Implementation Details Effectiveness Monitoring Metrics Captured 1. Trend positive vs false positive rate 2. Trend time to resolve Metrics Review 1. Review thresholds and adjust for risk tolerance Artifacts

Detection Activities 1. Search Logic index=wineventlog user_priority=critical Source_Workstation=* | stats dc(Source_Workstation) as systemcount values(Source_Workstation) as systems by user | where systemcount>5 2. Drilldown | datamodel Authentication Authentication search | search Authentication.user=$user$

Related articles


UC0016 Successfully authenticated computer accounts accessing network resources Batch, Windows Services, App Pools, and specially constructed Windows shells can access network resources. A small number of technical solutions will require this type of behavior, however, after excluding a white list of hosts or shares (such as sysvol or netlogon), such access attempts (success or fail) could indicate the presence of malware or attempts to elevate access. Exclude infrastructure file servers. Problem Types Addressed

Risk Addressed

Event Data Sources


RV2-Access



Adoption Phase SME


APC-Maturing

APS-RFC

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Moderate

AnalystLoad-Low

SKILLI-PS-General

Response Determine appropriate response based on information available in the event. 1. RP007 Potentially Unauthorized change detected on endpoint 2. RP009 Unauthorized (actual or attempted) access by employees or contractors 3. RP011 Unwanted/Unauthorized Code detected on endpoint

Implementation Details Effectiveness Monitoring Metrics Captured 1. Trend positive vs false positive rate 2. Trend time to resolve Metrics Review 1. Review thresholds and adjust for risk tolerance Artifacts TBD

Related articles


Enrichment DE001AssetInformation DE002IdentityInformation DDE015 Share Access exclusion list

UC0017 Unauthorized access or risky use of NHA Detect the use of a Windows account designated by the organization as a non human account (NHA) outside of the normal usage of such an account. Login where the interactive indicator is set Login where the caller computer is a workstation or terminal server Problem Types Addressed

Risk Addressed

Event Data Sources


RV2-Access


Enrichment DE001AssetInformation DE002IdentityInformation

Windows Security Logs Windows Security Logs Endpoint Windows Security Logs Active Directory Endpoint security logs Physical Access CCTV


Adoption Phase SME


APC-Mature

APS-Proposed

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Moderate



Response RP012 Contain potentially compromised non human account Implementation Details Effectiveness Monitoring Metrics Captured 1. Time to investigate 2. Time to close 3. Number of reportable incidents Metrics Review 1. Review 10 longest investigations per quarter determine if additional log source on boarding could reduce time to close. Artifacts TBD

Related articles


UC0018 Unauthorized access SSO brute force Single IP address attempting authentication of more than two valid users within ten minutes where one or more unique accounts is successful, and one or more accounts is not successful against an approved SSO System. Problem Types Addressed

Risk Addressed

Event Data Sources


RV2-Access

DS003Authentication-ET01Success SSO Systems, Active Directory, Customer SSO DS003Authentication-ET02Failure

Enrichment Customer Can manipulate accounts Can admin users Employee Privileged

SSO Systems, Active Directory, Customer SSO


Adoption Phase SME


APC-Mature

APS-Proposed

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Moderate



Urgency: Customer No fraud = Low Fraud = High Employee Privileged user = High All others = Low

Response RP010 Contain potentially compromised account Implementation Details Effectiveness Monitoring Metrics Captured 1. Trend Reporting by account type (employee vs customer) 2. Trend Reporting by result of investigation 3. Trend Reporting of call center impact (customer) Metrics Review 1. Quarterly review thresholds and monitoring statistics determine if the tolerances should be modified relative to risk acceptance Artifacts TBD

Related articles


UC0019 User authenticated to routine business systems while on extended absense A user on leave, vacation, sabbatical, or other types of leave should not access business systems. This could indicate malicious activity by the employee or a compromised account. Problem Types Addressed

Risk Addressed

Event Data Sources


RV2-Access



DS008HRMasterData


Adoption Phase SME


APC-Mature

APS-Proposed

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Moderate

AnalystLoad-Low


Response RP009 Unauthorized (actual or attempted) access by employees or contractors Implementation Details Effectiveness Monitoring Metrics Captured 1. Trend Reporting by account type 2. Trend Reporting by result of investigation 3. Trend Reporting of call center impact (customer) Metrics Review 1. Quarterly review thresholds and monitoring statistics determine if the tolerances should be modified relative to risk acceptance Artifacts TBD

Related articles


UC0020 Attempted communication through external firewall not explicitly granted Any attempted communication through the firewall not previously granted by ingress/egress policies could indicate either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions (bypassing the firewall). Legacy Command and Control (a.k.a. C&C or C2) channels included protocols such as Domain Name Service (DNS), AOL Instant Messenger (AIM), and Internet Relay Chat (IRC); the default ports for those protocols are 53, 5190, and 6667, respectively. Commonly C2 channels will use protocols on alternate ports, especially for egress. Additionally, modern malware will frequently attempt to utilize ingress ports that are almost always allowed for legitimate traffic such as http (80) and https (443). As a result, Application/Protocol detection is required to effectively implement this use case. Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV3-MaliciousCode

DS010NetworkCommunication-ET01Traffic


RV4-ScanProbe


Adoption Phase SME


APC-Essential

APS-Proposed

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED2-Frequent

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Moderate



Response RP002 Endpoint generating suspicious network activity Implementation Details Effectiveness Monitoring Metrics Captured 1. Trend closed false positive 2. Trend time to close Metrics Review 1. Assess suspect application list , add/remove as required 2. Assess allowed service category and asset list remove old entries 3. Trend false positive vs positive assess continued value of the use case Artifacts TBD

Related articles


Enrichment DE001AssetInformation DDE005 Prohibited Network Protocol/Application List DDE006 Acceptable Network Protocol/Application List

UC0021 Communication outbound to regions without business relationship Outbound communication with servers hosted in regions where the organization does not expect to have employees, customers, or suppliers. Exclude authorized DNS servers communicating on a standard DNS port Exclude destination DNS servers on the ICANN root list Exclude authorized SMTP server communicating on a standard SMTP port Exclude HTTP traffic (requires protocol aware firewall or web proxy) to domains on the Alexa Top 1 Million via proxy or NG firewall Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV3-MaliciousCode

DS TBD - Firewall, Web Proxy, IDS/IPS, DNS logs



Adoption Phase SME

APC-Maturing

APS-Proposed

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV1 - Low

RATED1-Common

FIDELITY-High

System Load

Analyst Load


LOAD-Moderate



Enrichment DE001AssetInformation DDE010 Alexa TOP 1 million sites DDE011 External Known systems list DDE021 Commercially maintained Geo IP Database


Response RP002 Endpoint generating suspicious network activity Implementation Details Effectiveness Monitoring Metrics Captured 1. Quantity of events closed by tier 1 by intel source 2. Quantity of events investigated by intel source a. QTY false positive b. QTY true positive Metrics Review 1. Monthly review active threat source lists to determine if the list should continue to be included 2. Monthly review industry news to identify potential new sources Artifacts TBD

Related articles


UC0022 Endpoint communicating with an excessive number of unique hosts Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may indicate malicious code. Exclude category svc_network_scanner Problem Types Addressed

Risk Addressed

Event Data Sources


RV3-MaliciousCode


RV4-ScanProbe


Adoption Phase SME


APC-Maturing

APS-Proposed

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED1-Common

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low

SKILLI-Customer

Response RP002 Endpoint generating suspicious network activity Implementation Details Effectiveness Monitoring Metrics Captured 1. Trend closed false positive 2. Trend time to close Metrics Review 1. Review false positive rate and adjust threshold based on organization risk tolerance Artifacts TBD

Related articles



UC0023 Endpoint communicating with an excessive number of unique ports Endpoints communicating with an excessive number of unique destination ports could indicate malicious code probing for vulnerabilities. Certain server applications will arrange for communication on a high number port with the client such as ftp in passive mode and RPC on windows server. Utilize category wl_hv_open_client_ports Problem Types Addressed

Risk Addressed

Event Data Sources


RV3-MaliciousCode


RV4-ScanProbe


Adoption Phase SME


APC-Maturing

APS-Proposed

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED1-Common

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low

SKILLI-Customer

Response RP002 Endpoint generating suspicious network activity Implementation Details Effectiveness Monitoring Metrics Captured 1. Trend closed false positive 2. Trend time to close Metrics Review 1. Review false positive rate and adjust threshold based on organization risk tolerance Artifacts TBD

Related articles



UC0024 Endpoint communicating with external service identified on a threat list. Superceded by UCESS053 Threat Activity Detected The endpoint has attempted (success or fail) to communicate with an external server identified on a threat list using any protocol. An attempted communication could indicate activity generated by malicious code. Problem Types Addressed

Risk Addressed

Event Data Sources


RV3-MaliciousCode

DS001Mail-ET02Receive

Enrichment DE001AssetInformation DDE010 Alexa TOP 1 million sites

DS002DNS-ET01Query DS002DNS-ET01QueryResponse DS002DNS-ET01QueryRequest DS005WebProxyRequest DS010NetworkCommunication-ET01Traffic


Adoption Phase SME


APC-Superceded

APS-Obsolete

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED1-Common

FIDELITY-Moderate

System Load

Analyst Load


LOAD-High

AnalystLoad-High


Response RP002 Endpoint generating suspicious network activity Implementation Details Effectiveness Monitoring Metrics Captured 1. Trend closed false positive by threat list source 2. Trend time to close Metrics Review 1. Review false positive vs positive results by threat list determine if the threat list should remain active 2. Review industry trends and white papers to identify potential new threat list sources Artifacts TBD

Related articles


UC0025 Endpoint Multiple devices in 48 hours in the same site Multiple infected devices in the same site could indicate a successful watering hole attack. Monitor for more than 5% of the hosts in a site. Problem Types Addressed

Risk Addressed

Event Data Sources


RV3-MaliciousCode

DS004EndPointAntiMalware-ET01SigDetected


Adoption Phase SME


APC-Mature

APS-Proposed

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED1-Common

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Moderate

AnalystLoad-Low


Response RP006 Potential outbreak or targeted attack Implementation Details Effectiveness Monitoring Metrics Captured 1. Trend closed false positive 2. Trend time to close Metrics Review 1. Evaluate white list for additional removal based on risk tolerance. Artifacts TBD

Related articles


Enrichment DE001AssetInformation DDE007 Signature Special Processing List DDE008 Network CIDR Details

UC0026 Endpoint Multiple devices in 48 hours in the same subnet Multiple infected devices in the same subnet could indicate lateral movement of an adversary or a possible worm. Monitor for more than 5% of the host addresses on a subnet as it is not readily possible to know how many hosts are active on a subnet. Problem Types Addressed

Risk Addressed

Event Data Sources


RV3-MaliciousCode



Adoption Phase SME


APC-Mature

APS-Proposed

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-Low

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low



Related articles



UC0027 Endpoint Multiple devices in 48 hours owned by users in the same organizational unit Multiple infected devices in the same organizational unit could indicate a successful spear phishing attack. Monitor for more than 5% of the hosts in an organizational unit. Problem Types Addressed

Risk Addressed

Event Data Sources


RV3-MaliciousCode



Adoption Phase SME


APC-Mature

APS-Proposed

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low

SKILLI-Customer


Related articles



UC0028 Endpoint Multiple infections over short time Multiple infections detected on the same endpoint in a short period of time could indicate the presence of a undetected loader malware component (apt). Problem Types Addressed

Risk Addressed

Event Data Sources


RV3-MaliciousCode



Adoption Phase SME

APC-Mature

APS-Proposed

API-Socializing

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED1-Common

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low


Enrichment DE001AssetInformation DDE007 Signature Special Processing List


Response RP006 Potential outbreak or targeted attack Implementation Details Effectiveness Monitoring Metrics Captured 1. Trend closed false positive 2. Trend time to close Metrics Review 1. Evaluate white list for additional removal based on risk tolerance. Artifacts

Detection Activities Rule Name - UC0027-S01-V001 Multiple infections for host Notable Title - UC0027-S01 $gov$ Multiple infections ($count$) occurred on $dest$ Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0027 Search Logic

| tstats allow_old_summaries=true dc(Malware_Attacks.signature) as unique_signature values(Malware_Attacks.signature) as signatures earliest(Malware_Attacks.signature) as first_signature latest(Malware_Attacks.signature) as last_signature count from datamodel=Malware where nodename=Malware_Attacks NOT "Malware_Attacks.action"=Allowed by "Malware_Attacks.dest" | `drop_dm_object_name("Malware_Attacks")` | where count>3 OR unique_signature>2 Drilldown Name View Contributing Events Search

| datamodel Malware Malware_Attacks search | search Malware_Attacks.dest="$dest$" Compliance YES Container App DA-ESS-SecKit-EndpointProtection

Related articles

| tstats allow_old_summaries=true dc(Malware_Attacks.signature) as unique_signature values(Malware_Attacks.signature) as signatures


earliest(Malware_Attacks.signature) as first_signature latest(Malware_Attacks.signature) as last_signature countfrom datamodel=Malware where nodename=Malware_Attacks NOT "Malware_Attacks.action"=Allowed by "Malware_Attacks.dest"| `drop_dm_object_name("Malware_Attacks")`| where count>3 OR unique_signature>2


UC0029 Endpoint new malware detected by signature When a new malware variant is detect by endpoint antivirus technology it is possible the configuration or capability of other controls are deficient. Review the sequence of events leading to the infection to determine if additional preventive measures can be put in place. Problem Types Addressed

Risk Addressed

Event Data Sources


RV3-MaliciousCode



Adoption Phase SME

APC-Essential

APS-Accepted

API-Distinctive

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low

SKILLI-PS-General

Enrichment DDE007 Signature Special Processing List DDT001 Signature Tracker


Response RP005 Malicious Code detected on endpoint Open investigation to determine method of infection and possible preventive measure

Implementation Details Effectiveness Monitoring Metrics Captured 1. N/A Metrics Review 1. N/A Artifacts Rule Name - UC0029-S01-V001 New malware signature detected Notable Title - UC0029-S01 $gov$ First detection for $signature$ occurred on $dest$ user $user$ Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0029 Search Logic

| inputlookup append=T seckit_endpoint_malware_tracker | stats min(firstTime) as firstTime,dc(dest) as affected first(dest) as dest first(user) as user by signature | eval _time=firstTime | `daysago(1)` | sort 100 - firstTime | ùitime(firstTime)` | table signature dest user firstTime Drilldown Name View Contributing Events Search

| datamodel Malware Malware_Attacks search | search Malware_Attacks.dest="$dest$"

Compliance YES Rabbit hole +/- 60 min web activity by fqdn Did this infection occur from materials accessed on the internet? Did this infection lead to additional activity based on a remote access tool? +/- 60 min emails accessed Did this infection occur from materials accessed via email?


Did this infection lead to additional email activity (ie to spread the infection)? +/- 60 min new processes started If not email/web origin, did this malware get added by an automated process on the machine (lateral movement)? Did this malware (whatever this infection was) also unpack and install more stuff? Container App DA-ESS-SecKit-EndpointProtection

Related articles


UC0030 Endpoint uncleaned malware detection Endpoint with malware detection where anti malware product attempted to and was unable to clean, remove or quarantine. Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV3-MaliciousCode




Adoption Phase SME

APC-Essential

APS-Proposed

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED2-Frequent

FIDELITY-High

System Load

Analyst Load


LOAD-Low

AnalystLoad-High

SKILLI-PS-General

Enrichment DDE007 Signature Special Processing List DDT001 Signature Tracker


Response RP005 Malicious Code detected on endpoint Implementation Details Effectiveness Monitoring Metrics Captured 1. Trend closed false positive 2. Trend time to close Metrics Review 1. Evaluate white list for additional removal based on risk tolerance. Artifacts Rule Name - UC0030-S01-V002 Endpoint uncleaned malware detection Notable Title - UC0030-S01 Endpoint uncleaned malware $signature$ detection occurred on $dest$ Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0030 Search Logic

| datamodel "Malware" "Malware_Attacks" search | `drop_dm_object_name("Malware_Attacks")` | fillnull value="unknown" file_hash file_path | stats max(_time) as "lastTime",latest(_raw) as "orig_raw",latest(dest_priority) as "dest_priority", latest(action) as action count by dest,signature,file_path,file_hash | search NOT action=blocked Drilldown Name View Contributing Events Search

| datamodel Malware Malware_Attacks search | search Malware_Attacks.dest="$dest$" Compliance YES Container App DA-ESS-SecKit-EndpointProtection

Related articles


UC0031 Non human account starting processes not associated with the purpose of the account Accounts designated for use by services and batch process should start a limited set of child processes. Creation of new child processes other than the process name defined in the service or batch definition may indicate compromise. Problem Types Addressed

Risk Addressed

Event Data Sources


RV3-MaliciousCode

DS009EndPointIntel-ET01ProcessLaunch


Adoption Phase SME


APC-Maturing

APS-Proposed

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED1-Common

FIDELITY-Moderate

System Load

Analyst Load


LOAD-High



Response RP011 Unwanted/Unauthorized Code detected on endpoint Implementation Details Effectiveness Monitoring Metrics Captured 1. Trend closed false positive 2. Trend time to close Metrics Review 1. Review enrichment lists for items no longer valid Artifacts TBD

Related articles


Enrichment DDE014 Service Account process name/hash

UC0032 Brute force authentication attempt When more than 10 failed authentication attempts for known accounts occur from single endpoint Problem Types Addressed

Risk Addressed

Event Data Sources


RV2-Access

DS003Authentication-ET02Failure


Adoption Phase SME

APC-Maturing

APS-Proposed

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV1 - Low

RATED1-Common

FIDELITY-Low

System Load

Analyst Load


LOAD-Low


SKILLI-Customer



Response internal source IP RP009 Unauthorized (actual or attempted) access by employees or contractors Implementation Details Effectiveness Monitoring Metrics Captured 1. Trend false positive vs positive Metrics Review 1. Review trending determine if changes should be made to threshold Artifacts

Automated Response external source IP Add account to watchlist for successful authentication

Related articles


UC0033 Brute force authentication attempt distributed When more than 10 failed authentication attempts for known accounts occur for a single account from more than 2 IP addresses in 60 minutes. This could indicate an adversary has identified a specific high value account and is attempting to gain access. Problem Types Addressed

Risk Addressed

Event Data Sources


RV2-Access



Adoption Phase SME

APC-Mature

APS-Proposed

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV1 - Low

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low


SKILLI-Customer



Response internal source IP RP009 Unauthorized (actual or attempted) access by employees or contractors Implementation Details Effectiveness Monitoring Metrics Captured 1. Trend false positive vs positive Metrics Review 1. Review trending determine if changes should be made to threshold Artifacts


Related articles


UC0034 Brute force successful authentication If a source IP identified by a brute force use case authenticates successfully OR an account identified by a brute use case successfully logins after failing once from the same source address. Problem Types Addressed

Risk Addressed

Event Data Sources


RV2-Access

DS003Authentication-ET01Success DS003Authentication-ET02Failure


Adoption Phase SME

APC-Maturing

APS-Proposed

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low


SKILLI-Customer

Enrichment DE001AssetInformation DE002IdentityInformation Assets Identities Brute force watchlist


Response RP010 Contain potentially compromised account Implementation Details Effectiveness Monitoring Metrics Captured 1. Trend false positive vs positive Metrics Review 1. Review trending determine if changes should be made to threshold Artifacts Code: | tstats `summariesonly` values(Authentication.tag) as tag values(Authentication.app) as app count from datamodel=Authentication by Authentication.src Authentication.action | rename count as actioncount | `drop_dm_object_name("Authentication")` | eval successes=case(action=="success",actioncount) | eval failures=case(action=="failure",actioncount) | stats values(tag) as tag values(app) as app values(failures) as failures values(successes) as successes by src | search successes>0 | xswhere failures from failures_by_src_count_1h in authentication is above medium

Related articles


UC0035 Compromised account access testing Following a successful authentication, an attacker will attempt to determine what resources may be accessed without causing host intrusion or DLP technologies to detect activity. Commonly the attacker will enumerate and browse to shares, access email, access web applications, or connect to databases yet perform minimal or no activity.For example: Consider where more than 10 distinct resources are accessed within 10 minutes. Exclude common systems such as domain controllers from consideration. Problem Types Addressed

Risk Addressed

Event Data Sources


RV2-Access



Session Start, Session End, Share access


Adoption Phase SME


APC-Maturing

APS-Proposed

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-High



Response RP009 Unauthorized (actual or attempted) access by employees or contractors Implementation Details Effectiveness Monitoring Metrics Captured 1. Trend positive vs false positive Metrics Review 1. Identify resources where access is frequently denied Artifacts


Related articles


UC0036 Compromised account access testing (Critical/Sensitive Resource) Following a successful authentication, an attacker will attempt to determine what resources may be accessed without causing host intrusion or DLP technologies to detect activity. Commonly the attacker will enumerate and browse to shares, access email, access web applications, or connect to databases yet not perform any or minimal activity. Critical and Sensitive systems during routine use should not log access denied events. Problem Types Addressed

Risk Addressed

Event Data Sources


RV2-Access


Enrichment


Adoption Phase SME

APC-Essential

APS-Proposed

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-High



DE001AssetInformation DE002IdentityInformation


Response RP009 Unauthorized (actual or attempted) access by employees or contractors Implementation Details Effectiveness Monitoring Metrics Captured 1. Trend positive vs false positive Metrics Review 1. Identify resources accessed leading to false positive events. 2. Determine if improvements to the architecture of the environment or suppression of events related to false positives are appropriate. Artifacts TBD

Related articles


UC0037 Network Intrusion External - New Signatures External IDS devices reporting an attack using a signature not previously encountered are more likely be successful as new signatures are prompted by newly know attacks in the wild. Problem Types Addressed

Risk Addressed

Event Data Sources


RV3-MaliciousCode

DS TBD - Network Intrusion Detection System

OR is this something new, like SecurityVisibilityNetwork?

RV4-ScanProbe


(IDS or equivalent)


Adoption Phase SME


APC-Essential

APS-Proposed

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED1-Common

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low

SKILLI-Customer

Response RP004 Network intrusion system (IDS/IPS, WAF, DAM, etc) observes attack without blocking Implementation Details Effectiveness Monitoring Metrics Captured 1. N/A Metrics Review 1. N/A Artifacts TBD

Related articles


UC0038 Excessive use of Shared Secrets Usage of greater than X number of unique shared/secret credentials or more than 1 standard deviation from peers Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV1-AbuseofAccess

DS006UserActivity-ET07ExecuteAs


RV2-Access


Adoption Phase SME

APC-Mature

APS-Proposed

API-Socializing

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Moderate





Response RP009 Unauthorized (actual or attempted) access by employees or contractors Implementation Details Effectiveness Monitoring Metrics Captured 1. Time to investigate 2. Time to close 3. Number of reportable incidents Metrics Review 1. Review thresholds determine if adjustments to reduce thresholds should be made Artifacts TBD

Related articles


UC0039 Use of Shared Secret for access to critical or sensitive system Use of a secret/shared secret account for access to such a system rather than accountable credentials could indicate an attempt to avoid detection. Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV1-AbuseofAccess



RV2-Access


Adoption Phase SME

APC-Mature

APS-Proposed

API-Socializing

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Moderate

LOAD-Moderate




Response RP009 Unauthorized (actual or attempted) access by employees or contractors Implementation Details Effectiveness Monitoring Metrics Captured 1. Time to investigate 2. Time to close 3. Number of reportable incidents Metrics Review 1. Review thresholds determine if adjustments to reduce thresholds should be made Artifacts TBD

Related articles


UC0040 Use of Shared Secret for or by automated process with risky attributes Usage (checkout) by an automated process such as software installation of a shared secret or service account where the source of the retrieval is new or outside of the change window. Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV1-AbuseofAccess



RV2-Access


Adoption Phase SME


APC-Mature

APS-Proposed

API-Socializing

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low



Response RP012 Contain potentially compromised non human account Implementation Details Effectiveness Monitoring Metrics Captured 1. N/A Metrics Review 1. N/A Artifacts TBD

Related articles



UC0041 SSH v1 detected Authentication using insecure protocol SSH v1 detected. The legacy SSH protocol is inherently insecure indication of accepted SSHv1 sessions indicate a mis-configured system. Attempted and denied sessions indicate system probing or scanning. Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV4-ScanProbe






Adoption Phase SME


APC-Maturing

APS-Proposed

API-Dated

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED1-Common

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low

SKILLI-Customer

Response: RP008 Unauthorized service detected on an endpoint RP002 Endpoint generating suspicious network activity

Implementation Details Effectiveness Monitoring Metrics Captured 1. Trend closed false positive 2. Trend time to close Metrics Review 1. Evaluate white list for additional removal based on risk tolerance. Artifacts TBD

Related articles



UC0042 SSH Authentication using unknown key The public key utilized for authentication is recorded in the SSHD authentication log. Detection of a new key should be investigated to determine the owner of the key and validate authorization to access the resource. Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV1-AbuseofAccess



RV2-Access


Adoption Phase SME


APC-Mature

APS-Proposed

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED1-Common

FIDELITY-High

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low

SKILLI-PS-General

Response: RP015 New SSH Private key


Related articles



UC0043 Direct Authentication to NHA Direct authentication via SSH or console session to a non human account indicates a violation of security policy by recording the password of a non human account for later use or by association of a SSH key to a non human account. Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV1-AbuseofAccess



RV2-Access



PRT02-SecurityVisibilityPriviledgeUserMonitoring


Adoption Phase SME


APC-Essential

APS-Proposed

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Moderate



Response RP012 Contain potentially compromised non human account Implementation Details Effectiveness Monitoring Metrics Captured 1. Trend closed false positive 2. Trend time to close Metrics Review 1. Evaluate white list for additional removal based on risk tolerance. Artifacts TBD

Related articles



UC0044 Network authentication using password auth Even using SSH encryption, allowing password authentication to Linux/Unix systems over the network increases the attack surface and the possible impact of a compromised account. Investigate and resolve all instances of network authentication utilizing password. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT01-Compliance

RV2-Access


DE002IdentityInformation



Adoption Phase SME


APC-Mature

APS-Proposed

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED0-Rare

FIDELITY-Moderate

rare in a tuned environment after the migration System Load

Analyst Load


LOAD-Low



Response: RP010 Contain potentially compromised account RP007 Potentially Unauthorized change detected on endpoint


Related articles


UC0045 Local authentication server Following provisioning, nix servers seldom require local administration. Investigate any use of local authentication as it may indicate an attempt to compromise the host via KVM or virtual console. Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV1-AbuseofAccess



RV2-Access



Adoption Phase SME


APC-Maturing

APS-Proposed

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED1-Common

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low



Response RP010 Contain potentially compromised account Implementation Details Effectiveness Monitoring Metrics Captured 1. Trend closed false positive 2. Trend time to close Metrics Review 1. Evaluate white list for additional removal based on risk tolerance. Artifacts TBD

Related articles



UC0046 Endpoint failure to sync time Failure to synchronize time will impact the usefulness of security log data from the endpoint, and potentially prevent valid authentication.Exclude virtual machine guests as their time is synchronized with the virtual host. Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance


DS007AuditTrail-ET03TimeSync



Adoption Phase SME


APC-Essential

APS-Proposed

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED1-Common

FIDELITY-High

System Load

Analyst Load


TBD

TBD

TBD

Response RP017 Asset Symptomatic of abnormal condition Implementation Details Effectiveness Monitoring Metrics Captured 1. Trend closed false positive 2. Trend time to close Metrics Review 1. Evaluate white list for additional removal based on risk tolerance. Artifacts TBD

Related articles



UC0047 Communication with newly seen domain Newly seen domain's may indicated interaction with risky or malicious servers. Identification of new domains via web proxy logs without other IOCs allows the analyst/threat hunter to explore the relevant data and potentially identify weaknesses or risky behavior than could be identified. The daily number of new domains will be substantial in a typical organization the search will select a subset of those for triage. Problem Types Addressed

Risk Addressed

Event Data Sources

PRT02-IdentifyPatientZero

RV3-MaliciousCode

DS005WebProxyRequest-ET01Requested

PRT04-ProcessEffectivness-HuntPaths


Adoption Phase SME

APC-Maturing

APS-Accepted

API-Distinctive

Initial Severity

Occurrence

Fidelity

SV1 - Low

RATED2-Frequent

FIDELITY-Low

System Load

Analyst Load


LOAD-Low


SKILLI-Customer

Enrichment DDE001 Asset Information DDE010 Alexa TOP 1 million sites DDT004 New Domain Tracker


Response RP019 Unauthorized device detected

Implementation Details Effectiveness Monitoring Metrics Captured Count notables generated Count resolution Metrics Review 1. Monthly review threshold score where false positive resolution was noted to determine if tolerance should be adjusted Artifacts

Detection Activities


| tstats `summariesonly` max(_time) as _time,dc(Web.src) as srccount, values(Web.src) as srcs, values(Web.user) as users count from datamodel=Web.Web where web.action=allowed by Web.dest | `drop_dm_object_name("Web")` | `get_whois` | search newly_seen=* | eval "Age (days)"=ceil((_time-newly_seen)/86400) | where 'Age (days)'=1 OR 'Age (days)'=2 | eval domain=if(isnull(domain), dest, domain) | `swap_resolved_domain(domain)` | `per_panel_filter("ppf_new_domains","domain")` | àlexa_lookup(domain)` | where isnull(domain_rank) | eval alexa_rank=if(isnull(domain_rank), "below 1 million", domain_rank) | rename ppf_filter as filter | eval resolved_domain=if(isnull(resolved_domain) OR resolved_domain=="unknown",null(),resolved_domain) | sort - srccount | head 10 | ùitime(newly_seen)` | fields _time,dest,domain,newly_seen,count,srcs,srccount,users | mvexpand srcs | mvexpand users | rename users as user | rename srcs as src | `get_asset(src)` | `get_identity4events(user)`

Related articles


UC0049 Detection of DNS Tunnel Endpoint utilizing DNS as a method of transmission for data exfiltration, command and control, or evasion of security controls. Detected by large total size of DNS traffic OR large number of unique queries. Problem Types Addressed

Risk Addressed

Event Data Sources


RV3-MaliciousCode

DS002DNS-ET01Query


Adoption Phase SME

APC-Maturing

APS-Accepted

API-Distinctive

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low

SKILLI-Customer

Enrichment DE001AssetInformation CAT-svc:dnsresolver CAT-svc:mailgw CAT-svc:webproxy DDE017 Legitimate DNS command and control domains DDE010 Alexa TOP 1 million sites


Response RP005 Malicious Code detected on endpoint Implementation Details Effectiveness Monitoring Metrics Captured Count notables generated Count resolution Indicator value Metrics Review Per Quarter review indicator values impacting false positive resolutions and determine if thresholds should be adjusted Artifacts Rule Name - UC0049-S01-V001 Potential use of DNS tunneling Notable Title - UC0049-S01 $gov$-$asset_name$ High DNS traffic size $length$ Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0049 Search Logic


| tstats allow_old_summaries=true dc("DNS.query") as count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" NOT (`cim_corporate_web_domain_search("DNS.query")`) NOT "DNS.query"="*.in-addr.arpa" NOT ("DNS.src_category"="svc_infra_dns" "DNS.src_category"="svc_infra_webproxy" OR "DNS.src_category"="svc_infra_email*" ) by "DNS.src","DNS.query" | rename "DNS.src" as src "DNS.query" as message | eval length=len(message) | stats sum(length) as length by src | append [ tstats allow_old_summaries=true dc("DNS.answer") as count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" NOT (`cim_corporate_web_domain_search("DNS.query")`) NOT "DNS.query"="*.in-addr.arpa" NOT ("DNS.src_category"="svc_infra_dns" "DNS.src_category"="svc_infra_webproxy" OR "DNS.src_category"="svc_infra_email*" ) by "DNS.src","DNS.answer" | rename "DNS.src" as src "DNS.answer" as message | eval message=if(message=="unknown","",message) | eval length=len(message) | stats sum(length) as length by src ] | stats sum(length) as length by src | where length > 10000

Note alternative implementation with XS should be considered Compliance YES Drilldown


| tstats allow_old_summaries=true dc("DNS.query") as count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" "DNS.src"="$src$" NOT (`cim_corporate_web_domain_search("DNS.query")`) NOT "DNS.query"="*.in-addr.arpa" NOT ("DNS.src_category"="svc_infra_dns" "DNS.src_category"="svc_infra_webproxy" OR "DNS.src_category"="svc_infra_email*" ) by "DNS.src","DNS.query" | rename "DNS.src" as src "DNS.query" as message | append [ tstats allow_old_summaries=true dc("DNS.answer") as count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" "DNS.src"="$src$" NOT (`cim_corporate_web_domain_search("DNS.query")`) NOT "DNS.query"="*.in-addr.arpa" NOT ("DNS.src_category"="svc_infra_dns" "DNS.src_category"="svc_infra_webproxy" OR "DNS.src_category"="svc_infra_email*" ) by "DNS.src","DNS.answer" | rename "DNS.src" as src "DNS.answer" as message | eval message=if(message=="unknown","",message) ]

Container App DA-ESS-SecKit-NetworkProtection Rule Name - UC0049-S02-V001 Potential use of DNS tunneling Notable Title - UC0049-S02 $gov$-$src$ High DNS query count Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0049 Search Logic -

| tstats allow_old_summaries=true dc("DNS.query") as count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" NOT (`cim_corporate_web_domain_search("DNS.query")`) NOT "DNS.query"="*.in-addr.arpa" NOT ("DNS.src_category"="svc_infra_dns" "DNS.src_category"="svc_infra_webproxy" OR "DNS.src_category"="svc_infra_email*" ) by "DNS.src" | rename "DNS.src" as "src" | where 'count'>100

Windows -65m@m to -5m@m Cron 20 * * * * Compliance YES Container App DA-ESS-SecKit-NetworkProtection


Related articles


UC0051 Excessive physical access failures to CIP assets A user with continuous physical access failures could be someone searching for a physical vulnerability within the organization. When this occurs in an area that is protecting CIP assets, it is something that should be followed up on immediately. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT01-Compliance

RV2-Access

PT014-PhysicalAccessControl

TBD



Adoption Phase SME


APC-Edge

APS-Proposed

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


TBD

TBD

TBD

Response Investigate identity - add to watchlist for successful authentication This needs to be merged with OR added to a new Response Plan pertaining to Physical access responses

Implementation Details Effectiveness Monitoring Metrics Captured 1. Trending vs False positives Metrics Review 1. Review legitimate badge access attempts/failures (security officers, vulnerability assessments, etc); add to false positive database Artifacts TBD

Related articles


UC0052 Non-CIP user attempts to access CIP asset CIP assets require special protections; therefore, users that have not been vetted for CIP access, or should have had their access removed, should not have access. System owners should be notified immediately should a non-CIP user attempt to access a CIP asset. Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV2-Access






Adoption Phase SME

APC-Edge

APS-Proposed

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


TBD

TBD

TBD

Enrichment DE001AssetInformation CAT-gov:CIP DDE002 Identity Information CAT-gov:CIP


Response Alert and Investigate cause of identity access attempt document disposition (examples below) administrative process error - user access incorrectly removed after review cycle due to inactivity; user needs to go through the process to be added back to the list employee training error - new employee without CIP access mistakenly tried to connect before completing the CIP training and vetting process; user needs to complete process to get on the list suspicious / malicious behavior - unjustified actions (including no explanation); incident response team to investigate the asset, and identify actors and follow up with management / HR / legal actions, and file relevant compliance paperwork This needs to be merged with OR added to a new Response Plan pertaining to electronic access responses

Implementation Details Effectiveness Monitoring Metrics Captured 1. N/A Metrics Review 1. N/A Artifacts TBD

Related articles


UC0065 Malware detected compliance asset Malware detection on a asset designated as compliance such as PCI, CIP or HIPPA requires review even when automatic clean has occurred Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV3-MaliciousCode




Adoption Phase SME


APC-Edge

APS-Proposed

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low



Response RP005 Malicious Code detected on endpoint


Related articles


Enrichment DDE001 Asset Information CAT-gov

UC0071 Improbably short time between Remote Authentications with IP change For employers that allow remote external connectivity the detection of two or more distinct values of external source IP address for successful authentications to a remote access solution in a short period of time indicates a likely compromise of credentials.The short period of time value will need to be tuned for any given environment. A good starting point might be 15 minutes. Rare but valid exceptions (false positives) might include: employee logs in briefly from home, then goes to local coffee shop and logs in again there employee logs in from home, has power outage that resets router and gets new DHCP assignment from ISP employee alternates between two specific IPs such as mobile broadband and coffee shop connection due to IOS Wifi Assist Problem Types Addressed

Risk Addressed

Event Data Sources


RV2-Access


Enrichment

DE001AssetInformation SRC IP not found in the asset information DE002IdentityInformation Employee Customer Can manage account Can admin users


Adoption Phase SME

APC-Maturing

APS-Proposed

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High (Customer)

RATED0-Rare

FIDELITY-Moderate

SV4 - Critical (Employee)


well tuned RATED1-Common poorly tuned

System Load

Analyst Load

LOAD-Moderate

AnalystLoad-High


Response RP010 Contain potentially compromised account

Implementation Details Effectiveness Monitoring Metrics Captured 1. Trend Reporting by account type (employee vs customer) 2. Trend Reporting by result of investigation 3. Trend Reporting of call center impact (customer) Metrics Review 1. Review thresholds and monitoring statistics quarterly to determine if the tolerances should be modified relative to risk acceptance Artifacts TBD

Related articles


UC0072 Detection of unauthorized using DNS resolution for WPAD Detection of an endpoint utilizing DNS as a method of proxying by querying for wpad.registrationdomain. Search for reply NXDOMAIN replies for A/AAA queries for wpad (bare host) and wpad.* where the domain portion is not a company owned domain. Problem Types Addressed

Risk Addressed

Event Data Sources


RV3-MaliciousCode

DS002DNS-ET01QueryRequest


Adoption Phase SME

APC-Maturing

APS-Accepted

API-Distinctive

Initial Severity

Occurrence

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low

AnalystLoad-Automation

SKILLI-Customer

Enrichment DDE001 Asset Information CAT-svc:dnsresolver CAT-svc:mailgw CAT-svc:webproxy DDE017 Legitimate DNS command and control domains



Implementation Details Effectiveness Monitoring Metrics Captured Count notables generated Count resolution Metrics Review 1. N/A Artifacts

Detection Activities Rule Name - UC0072-S01-V001 Potential unauthorized device detected by wpad resolution Notable Title - UC0072-S01 $gov$-$src_ip$ Unauthorized device detected by wpad resolution Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0072 Search Logic - TBD Compliance YES Container App DA-ESS-SecKit-NetworkProtection

Related articles


UC0073 Endpoint detected malware infection from url Endpoint antimalware detection event occurred where the malicious content was retrieved from an external URL. Possible indication of gaps in protection by web proxy, intrusion prevention, or advanced threat prevention. Use the information available for the event and determine how existing prevention controls can be modified to prevent future infections.Possible control gaps could include: detection signatures, white lists, and black lists not being updated on appliances possible misconfiguration of network traffic - for example a cable bypass of one or more of the network appliances endpoint connected to wrong network - for example an open wifi access point instead of a company provisioned network Problem Types Addressed

Risk Addressed

Event Data Sources


RV3-MaliciousCode




Adoption Phase SME

APC-Maturing

APS-Proposed

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED1-Common

FIDELITY-Moderate

System Load

Analyst Load


TBD

TBD

TBD

Enrichment DE001AssetInformation DDE007 Signature Special Processing List


Response RP005 Malicious Code detected on endpoint Begin response plan at lessons learned stage. Implementation Details Effectiveness Monitoring Metrics Captured 1. N/A Metrics Review 1. Evaluate white list for additional removal based on risk tolerance. Artifacts

Detection Activities Rule Name - UC0073-S01-V001 Endpoint malware infection from url Dependency Notable Title - UC0073-S01 Endpoint malware infection from $domain$ Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0073 Search Logic

tag=attack tag=malware url=* | rex field=url "(?:http|https)://(?[^\/]*)" | rex field=url "(?[^?]*)" | stats first(domain) as domain first(url) as url by url_noquery Drilldown Name View Contributing Events Search

$domain$ (( tag=attack tag=malware ) OR (tag=web tag=proxy)) Compliance YES Container App DA-ESS-SecKit-EndpointProtection

Related articles



UC0074 Network Intrusion Internal Network IDS/IPS detecting or blocking an attack based on a known signature. Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV3-MaliciousCode





Adoption Phase SME


APC-Essential

APS-Proposed

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED1-Common

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low


SKILLI-Customer

Response RP004 Network intrusion system (IDS/IPS, WAF, DAM, etc) observes attack without blocking

Implementation Details Effectiveness Monitoring Metrics Captured 1. N/A Metrics Review 1. N/A Artifacts

Detection Activities Rule Name - UC0074-S01-V001 Network Intrusion Internal Network Notable Title - UC0074-S01 $gov$-$src$ Network Intrusion Internal Network $signature$ Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0074 Search Logic

| tstats `summariesonly` dc(IDS_Attacks.signature) as attack_count last(IDS_Attacks.severity) as severity values(IDS_Attacks.src_tag) as tag from datamodel=Intrusion_Detection where NOT IDS_Attacks.dest_category=ZONE_DMZ NOT IDS_Attacks.src_category=svc_scanner by IDS_Attacks.src,IDS_Attacks.category,IDS_Attacks.signature | `drop_dm_object_name("IDS_Attacks")` Note alternative implementation with XS should be considered Compliance YES Container App SecKit-DA-ESS-NetworkProtection Windows -65m@m to -5m@m Cron 20 * * * * Compliance YES Container App SecKit-DA-ESS-NetworkProtection

Related articles


UC0075 Network Malware Detection Internal malware detection system such as fire eye devices reporting an attack. Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV3-MaliciousCode

DS011MalwareDetonation-ET01Detection




Adoption Phase SME


APC-Essential

APS-Proposed

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED1-Common

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low

TBD

TBD

Response RP004 Network intrusion system (IDS/IPS, WAF, DAM, etc) observes attack without blocking Implementation Details Effectiveness Monitoring Metrics Captured 1. N/A Metrics Review 1. N/A Artifacts

Detection Activities Rule Name - UC0075-S01-V001 FireEye detection unblocked Notable Title - UC0075-S01 $gov$-$src$ Fire Eye APT detection $signature$ Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0075 Search Logic

eventtype=fe action=notified NOT "169.250.0.1" | table src dvc_ip dest product signature severity impact ext_ref | `get_asset(src)` Compliance YES Container App SecKit-DA-ESS-NetworkProtection Windows -65m@m to now Cron */2 * * * * Compliance YES Container App SecKit-DA-ESS-NetworkProtection

Related articles


UC0076 Excessive DNS Failures An endpoint utilizing DNS as a transmission method for data exfiltration, command and control, or evasion of security controls can be detected by either a large volume or high number of unique DNS queries. Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV1-AbuseofAccess

DS002DNS-ET01Query


RV3-MaliciousCode

Enrichment


Adoption Phase SME

APC-Maturing

APS-Proposed

API-Distinctive

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low

SKILLI-Customer

DE001AssetInformation CAT-svc:dnsresolver CAT-svc:mailgw CAT-svc:webproxy DDE017 Legitimate DNS command and control domains DDE010 Alexa TOP 1 million sites DDE019 CIM Corporate Web Domains



Implementation Details Effectiveness Monitoring Metrics Captured Count notables generated Count resolution Indicator value Metrics Review Per Quarter review indicator values impacting false positive resolutions and determine if thresholds should be adjusted Artifacts

Detection Activities Rule Name - UC0076-S01-V001 Excessive DNS Failures Notable Title - UC0076-S01 $gov$-$asset_name$ Excessive DNS Failures $count$ Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0076 Search Logic


| tstats allow_old_summaries=true count values("DNS.query") as queries from datamodel=Network_Resolution where nodename=DNS "DNS.reply_code"!="No Error" "DNS.reply_code"!="NoError" DNS.reply_code!="unknown" NOT "DNS.query"="*.arpa" "DNS.query"="*.*" by "DNS.src","DNS.query" | `drop_dm_object_name("DNS")` | lookup cim_corporate_web_domain_lookup domain as query OUTPUT domain | where isnull(domain) | lookup alexa_lookup_by_str domain as query OUTPUT rank | where isnull(rank) | stats sum(count) as count mode(queries) as queries by src | `get_asset(src)` | where count>50

Drilldown

| tstats allow_old_summaries=true count from datamodel=Network_Resolution where nodename=DNS "DNS.src"="$src$" "DNS.reply_code"!="No Error" "DNS.reply_code"!="NoError" DNS.reply_code!="unknown" NOT "DNS.query"="*.arpa" "DNS.query"="*.*" by "DNS.src","DNS.query" | `drop_dm_object_name("DNS")` | lookup cim_corporate_web_domain_lookup domain as query OUTPUT domain | where isnull(domain) | lookup alexa_lookup_by_str domain as query OUTPUT rank | where isnull(rank) | stats sum(count) as count by src query | `get_asset(src)`

Compliance YES Container App DA-ESS-SecKit-NetworkProtection

Related articles


UC0077 Detection Risky Referral Domains Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the following sequence occurs New domain in http referrer field First occurrence of domain as sender domain is less than 48 hours after first seen


Risk Addressed

Event Data Sources


RV3-MaliciousCode


Enrichment



Adoption Phase SME


APC-Mature

APS-Proposed

API-Distinctive

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED1-Common

FIDELITY-Moderate

System Load

Analyst Load


System LoadAnalystLoad-Low

AnalystLoad-Low


Response Implementation Details Effectiveness Monitoring Metrics Captured 1. N/A Metrics Review 1. N/A Artifacts

Detection Activities Rule Name - UC0072-S01-V001 Potential unauthorized device detected by wpad resolution Notable Title - UC0072-S01 $gov$-$src_ip$ Unauthorized device detected by wpad resolution Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0072 Search Logic - TBD Compliance YES Container App DA-ESS-SecKit-NetworkProtection

Related articles


UC0079 Use of accountable privileged identity to access new or rare sensitive resource Use of an identity identified as privileged to access a system for the first time within a rolling time period will trigger a notable event for review of access reason. Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV1-AbuseofAccess




Adoption Phase SME

APC-Mature

APS-Proposed

API-Distinctive

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED1-Common

FIDELITY-High

System Load

Analyst Load


LOAD-High

TBD

TBD

Enrichment DE001AssetInformation CAT-gov_identifier DE002IdentityInformation CAT-privileged


Response RP009 Unauthorized (actual or attempted) access by employees or contractors

Implementation Details Effectiveness Monitoring Metrics Captured 1. Time to investigate 2. Time to close 3. Number of re-portable incidents Metrics Review 1. Review thresholds determine if adjustments to reduce thresholds should be made Artifacts Dependencies DDT002 Logon Tracker Correlation Search "New/Rare Login"

|inputlookup logon_tracker | `get_asset(dest_dns)` | `get_identity(user_nick)` | search user_category="privlidged" | where _time<24hours OR isnotnull(mvfind("gov\:",dest_category) Suppress by dest_dns,user_nick time 86400

Dashboard Conditions nick time Display Distinct hosts Distinct gov categories involved (word cloud) Time chart of access count and dc(dest_dns) Map of access sources geo coded


Reporting Daily produce report by managed_by Roll up of users and systems accessed Roll up of critical changes by user Time of day by user

Related articles


UC0080 Trusted Individual exceeds authorization in observation of other users Evaluate queries executed by authorized trusted individuals to determine if the user is observing the behavior of other users for reasons not authorized as part of the user's job function. Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV1-AbuseofAccess

DS006UserActivity-ET06Search



Adoption Phase SME

APC-Mature

APS-Proposed

API-Distinctive

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low

TBD

TBD

Response TBD


Related articles



Enrichment DE002IdentityInformation Actor Title List values for user_category requiring review when observed List of eventtypes on access logs requiring review

UC0081 Communication with unestablished domain Egress communication with a newly seen, newly registered, or registration date unknown domain may indicate the presence of malicious code. Assets communicating with external services excluding Alexa TOP 1M whose reputation score exceeds acceptable norms will be flagged. Problem Types Addressed

Risk Addressed

Event Data Sources


RV3-MaliciousCode

DS002DNS-ET01QueryRequest DS005WebProxyRequest-ET01Requested


Adoption Phase SME

APC-Maturing

APS-Accepted

API-Distinctive

Initial Severity

Occurrence

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low



Enrichment DDE001 Asset Information CAT-svc:dnsresolver CAT-svc:mailgw CAT-svc:webproxy DDE017 Legitimate DNS command and control domains DDE010 Alexa TOP 1 million sites DDE022 Domain Reputation Score Provider DDT004 New Domain Tracker





Related articles


UC0082 Communication with enclave by default rule Communication from a enclave network may indicate a misconfiguration that could weaking the security posture of the organization or actual/attempted compromise. Communication filtered by the default rule implies no explicit permission for communication has been granted and should be reviewed. Consider ingress communication allowed by the default rule, and egress communication allowed or blocked. Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV1-AbuseofAccess


Enrichment DDE001 Asset Information



Adoption Phase SME


APC-Maturing

APS-Accepted

API-Distinctive

Initial Severity

Occurrence

Fidelity

SV3 - High

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low



Response



Related articles


UC0083 Communication from or to an enclave network permited by previously unknown or modified firewall rule Communication from a enclave network may indicate a misconfiguration that could weaking the security posture of the organization or actual/attempted compromise. Maintain a dynamic list of firewall rule names by dvc alert when a rule is named in a allowed communication where the reviewed time is null or prior to the last known modification time. Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV1-AbuseofAccess


Enrichment DDE001 Asset Information



Adoption Phase SME


APC-Maturing

APS-Accepted

API-Distinctive

Initial Severity

Occurrence

Fidelity

SV3 - High

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low



Response



Related articles


UC0084 Monitor Execution of Triage Activtity Define and maintain eventypes for unsuppressed notable events separately identifying review work flow, and triage SLA required. Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV1-AbuseofAccess

DS013TicketManagement-ET01

Enrichment TBD



Adoption Phase SME


APC-Mature

APS-Accepted

API-Distinctive

Initial Severity

Occurrence

Fidelity

SV3 - High

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low



Response



Related articles


UC0085 Alert per host where web application logs indicate a source IP not classified as WAF Communication to any web application server without filtering by a network web application firewall indicates a security misconfigration. Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV1-AbuseofAccess


Enrichment DDE001 Asset Information CAT-svc:waf



Adoption Phase SME


APC-Maturing

APS-Accepted

API-Distinctive

Initial Severity

Occurrence

Fidelity

SV4 - Critical

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low



Response



Related articles


UC0086 Detect Multiple Primary Functions Using network communication fingerprinting detect distinct primary functions such as SQL, HTTP, DNS by destination asset. Alert if more than one primary function excluding administrative protocols (RDP,SSH, iDrac). Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV1-AbuseofAccess




Adoption Phase SME

APC-Maturing

APS-Accepted

API-Distinctive

Initial Severity

Occurrence

Fidelity

SV4 - Critical

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low



Enrichment DDE001 Asset Information List of accepted administrative functions


Response



Related articles


UC0087 Malware signature not updated by SLA for compliance asset Malware signature last updated on a asset designated as compliance such as PCI, CIP or Hippa beyond SLA limits Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV3-MaliciousCode

DS004EndPointAntiMalware-ET02UpdatedSig



Adoption Phase SME


APC-Edge

APS-Proposed

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low

SKILLI-Customer



Related articles



UC0088 User account sharing detection by source device ownership Detection of logon device by asset name (may require resolution from IP) when logon user does not match the owner and the number of unique owned devices is greater than two in the prior 24 hours. Exclude assets identified as loaner, and public or shared. Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV1-AbuseofAccess

DS004EndPointAntiMalware-ET02UpdatedSig



Adoption Phase SME

APC-Maturing

APS-Proposed

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low

SKILLI-Customer

Response


Related articles




UC0089 Detection of Communication with Algorithmically Generated Domain Using an algorithm determine text of the registration domain is likely to be generated by a computer excluding known cloud hosting domains, Alexa TOP 1 M domains and domains with long established communication with the organization. Problem Types Addressed

Risk Addressed

Event Data Sources


RV3-MaliciousCode

DS002DNS-ET01Query


Adoption Phase SME

APC-Maturing

APS-Accepted

API-Distinctive

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low

SKILLI-Customer

Enrichment DE001AssetInformation CAT-svc:dnsresolver CAT-svc:mailgw CAT-svc:webproxy DDE017 Legitimate DNS command and control domains DDE010 Alexa TOP 1 million sites


Response RP005 Malicious Code detected on endpoint Implementation Details Effectiveness Monitoring Metrics Captured Count notables generated Count resolution Indicator value Metrics Review Per Quarter review indicator values impacting false positive resolutions and determine if thresholds should be adjusted Artifacts Rule Name - UC0089-S01-V001 Potential DGA interaction

Related articles


UC0090 User account cross enclave access Detection of logon with the same account to a production and a non production environment. If an account (not user) has logged into more than one account access management controls have failed and must be remediated Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance





Adoption Phase SME

APC-Maturing

APS-Proposed

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low

SKILLI-Customer

Response


Related articles



Enrichment DDE001 Asset Information net_enclave:value

UC0091 Validate Execution of Vulnerability Scan Using host based logs such as firewall or host intrusion detection for each asset with a governance category verify communication (accept or reject) has occurred with origination from one or more authorized vulnerability scanners, Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance




DS020HostIntrustionDetection-ET01SigDetected


Adoption Phase SME

APC-Maturing

APS-Proposed

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low

SKILLI-Customer

Response


Related articles



Enrichment DDE001 Asset Information CAT-gov CAT-svc:scanvuln

UC0092 Exception to Approved Flow for Web Applications Using web application access logs for assets deemed high/crticial or with the governace attributed ensure the source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices ensure the first "x-forwardedfor" entry is the address of the WAF Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance




DS020HostIntrustionDetection-ET01SigDetected


Adoption Phase SME

APC-Maturing

APS-Proposed

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low

SKILLI-Customer

Response


Related articles



Enrichment DDE001 Asset Information CAT-gov CAT-svc:waf CAT-svc:nlb

UC0093 Previously active account has not accessed enclave/lifecycle Identify accounts no longer in use with access to high/critical or enclave systems and remove access when no longer required. Implement a tracking list of accounts and the accessed enclave or business service identifier, maintain the last accessed time and alert when the last access time is more than 90 days from current date. Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV2-Access





Adoption Phase SME

APC-Maturing

APS-Proposed

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low

SKILLI-Customer

Response


Related articles




UC0094 Insecure authentication method detected For each authentication technology in the network identify the values of authentication events that positively ensure that secure authentication is in use. Alert per authentication technology where a successful event occurs without the required indicators Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV2-Access


Enrichment



Adoption Phase SME

APC-Maturing

APS-Proposed

API-Distinctive

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low


Response


Related articles



none

Adoptable IT Operations Use Cases

How-to article Provide step-by-step guidance for completing a task.

Add how-to article A-C

D-M

N-T

U-Z




ucd-access


Enterprise Service Availability



D-M

N-T

U-Z




ucd-access


ITOAUC-0001 Enterprise Service Availability Messaging


ITOAUC-0002 Enterprise Service Availability Authentication


Product Enterprise Security Use Cases This section describes each correlation search provided by Splunk Enterprise Security 4.1.1


UCESS002 Abnormally High Number of Endpoint Changes By User Detects an abnormally high number of endpoint changes by user account, as they relate to restarts, audits, filesystem, user, and registry modifications. For the past 24 hours starting on the hour, using all summary data even if the model has changed, generate a count of user and change type (filesystem, AAA, etc) combinations and compare that count against the previous day and trigger if the change type is above high


Risk Addressed

Event Data Sources

Enrichment


RV1-AbuseofAccess

DS009EndPointIntel


RV3-MaliciousCode

DS009EndPointIntel-ET01ObjectChange



Adoption Phase SME


APC-Edge

APS-Productized

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV1 - Low

RATED2-Frequent

FIDELITY-Low

System Load

Analyst Load


LOAD-High

AnalystLoad-High


Response RP005 Malicious Code detected on endpoint Implementation Details Effectiveness Monitoring Metrics Captured Metrics Review

Artifacts Correlation Search - Abnormally High Number of Endpoint Changes By User


UCESS003 Abnormally High Number of HTTP Method Events By Src Alerts when a host has an abnormally high number of HTTP requests by http method. For the past 24 hours starting on the hour, using all summary data even if the model has changed, generate a count of the source of the network traffic and the HTTP method used in the request (Get, Post, etc) combinations and compare that count against the previous day and trigger if the HTTP Method is above high


Risk Addressed

Event Data Sources

Enrichment

PRT02-SecurityVisibilityEndpoint

RV1-AbuseofAccess

DS005WebClientRequest-ET01Requested


RV3-MaliciousCode RV4-ScanProbe


Adoption Phase SME


APC-Edge

APS-Productized

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Moderate


SKILLI-Customer

Response RP018 Asset or Service under denial of Service attack Implementation Details Effectiveness Monitoring Metrics Captured 1. Review website to make sure that everything is functioning properly, also check network status on SIEM for anomalous patterns

Artifacts Correlation Search - Concurrent Login Attempts Detected


UCESS004 Account Deleted Detects user and computer account deletion. Looking across a realtime window of +/-5 minutes, search for the value delete within the tag field (autogenerated field in datamodels) and show the following aggregated values when the count is greater than 0: Last Time seen, Original Raw Event Data, Results (Vendor specific change, renamed to signature), the associated list of Source IPs, the associated list of Destination IPs grouped by unique Source User and User. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT01-Compliance

RV1-AbuseofAccess

DS006UserActivity-ET05Delete

DDE013 Critical Policy Objects

RV2-Access

DDE016 Critical or Risky Groups


Adoption Phase SME


APC-Mature

APS-Proposed

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED1-Common

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low


SKILLI-Customer

Response RP013 Change to critical access control detected Implementation Details Effectiveness Monitoring Metrics Captured 1. Track and trend account activity per change control process Metrics Review 1. Review service tickets based on account activity Artifacts TBD


UCESS005 Activity from Expired User Identity Alerts when an event is discovered from a user associated with identity that is now expired (that is, the end date of the identity has been passed). Looking across a realtime window of +/-5 minutes, search for Last Time, Original Raw Event Data, user and a count of times an expired user was seen. Expired user is based on the end data in the identity_lookup Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment


RV1-AbuseofAccess



RV3-MaliciousCode


Adoption Phase SME


APC-Essential

APS-Productized

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV1 - Low

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low


Response RP005 Malicious Code detected on endpoint Implementation Details Effectiveness Monitoring Metrics Captured Metrics Review Artifacts Correlation Search - Activity from Expired User Identity


UCESS006 Anomalous Audit Trail Activity Detected Discovers anomalous activity such as the deletion of or clearing of log files. Attackers oftentimes clear the log files in order to hide their actions, therefore, this may indicate that the system has been compromised. Looking across a realtime window of +/-5 minutes, search for action equaling cleared or stopped and show the following values: Last Time seen, Original Raw Event Data, Destination (where change occurred), Result (Vendor specific change, renamed to signature) and count of occurences grouped by Destination and Result. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT01-Compliance

RV1-AbuseofAccess

DS007AuditTrail-ET01Clear



RV2-Access

DS007AuditTrail-ET02Alter

DDE004 Threat List

RV3-MaliciousCode


Adoption Phase SME


APC-Maturing

APS-Proposed

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Moderate


SKILLI-Customer

Response RP007 Potentially Unauthorized change detected on endpoint Implementation Details Effectiveness Monitoring Metrics Captured 1. Track for signs of malicious behavior for log files and other critical tracking mechanisms Metrics Review 1. Review for signs of log tampering such as incorrect timestamps, etc. Artifacts TBD


UCESS007 Anomalous New Process Alerts when an anomalous number hosts are detected with a new process.Local Processes tracker contains destination, first and last time seen and process. If any data is returned, add it to the localprocesses_tracker file. Evaluate the time range and return values where the first time is between the evaluated time fields. Return a distinct count of destination grouped by process when the count is greater than 9. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT01-Compliance

RV3-MaliciousCode




RV4-ScanProbe

DDE004 Threat List DDE012 Service State by platform DDE013 Critical Policy Objects


Adoption Phase SME


APC-Edge

APS-Accepted

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Moderate


SKILLI-PS-General

Response RP011 Unwanted/Unauthorized Code detected on endpoint Implementation Details Effectiveness Monitoring Metrics Captured 1. Review and track notable events for new processes on endpoints Metrics Review 1. Review change control logs and open an investigation if activity is missing Artifacts TBD


UCESS008 Anomalous New Service Alerts when an anomalous number hosts are detected with a new service. Service tracker contains destination, first and last time seen, service and start_mode (auto, disabled). If any data is returned, add it to the services_tracker file. Evaluate the time range and return values where the first time is between the evaluated time fields. Return a distinct count of destination grouped by service when the count is greater than 9. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

Select PRT Values

RV3-MaliciousCode

DS009EndPointIntel



DS009EndPointIntel-ET01ServiceChange

DDE004 Threat List DDE012 Service State by platform


Adoption Phase SME


APC-Mature

APS-Proposed

API-Socializing

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Undetermined



Response RP001 New web application or network protocol detected Implementation Details Effectiveness Monitoring Metrics Captured 1. Track and trend new services on endpoints Metrics Review 1. Review services list on existing endpoints and determine if new services have been be added Artifacts TBD


UCESS009 Asset Ownership Unspecified Alerts when there are assets that define a specific priority and category but do not have an assigned owner. Return all assets where the priority is not null and the length of the value in priority is greater than 0 and the category is not null and the length of the value in category is greater than 0 and the asset owner is null or the asset owner length is equal to 0 and the asset IP is null or the length of the asset IP is equal to 0 or the value in the IP field is a single value. Count the assets returned and return if count is greater than 0. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT01-Compliance


DS015ConfigurationManagement-ET01General



Adoption Phase SME


APC-Mature

APS-Proposed

API-Socializing

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED9-Undetermined

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Undetermined


SKILLI-PS-General

Response RP001 New web application or network protocol detected Implementation Details Effectiveness Monitoring Metrics Captured 1. Track and trend positive versus false positive rate Metrics Review 1. Review prohibited protocol list and determine if new protocols should be added Artifacts TBD


UCESS010 Anomalous New Listening Port Alerts a series of hosts begin listening on a new port within 24 hours. This may be an indication that the devices have been compromised or have had new (and potentially vulnerable) software installed. Listening ports tracker contains destination IP and port, first and last time seen and transport protocol. If any data is returned, add it to the listeningports_tracker file. Evaluate the time range and return values where the first time is between the evaluated time fields. Return a distinct count of destination IP grouped by transport and destination port when the count is greater than 10.


Risk Addressed

Event Data Sources

Enrichment

PRT01-Compliance

RV3-MaliciousCode






Adoption Phase SME

APC-Edge

APS-Proposed

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED9-Undetermined

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Moderate


SKILLI-PS-General


Response RP001 New web application or network protocol detected Implementation Details Effectiveness Monitoring Metrics Captured 1. Track and trend known ports on all systems Metrics Review 1. Investigate nature of new port and update lists and/or open a new investigation

Artifacts TBD


UCESS011 Brute Force Access Behavior Detected Detects excessive number of failed login attempts along with a successful attempt (this could indicate a successful brute force attack)Looking across the prior 60 minute period starting 5 minutes ago, search for tags, applications, count of failures and count of successes and group by source (host, IP, name). Return rows where success is greater than 0 and then return values where the failures compared to the previous hour are. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment


RV1-AbuseofAccess



RV3-MaliciousCode

DS003Authentication-ET02FailureBadFactor


Adoption Phase SME


APC-Essential

APS-Productized

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED1-Common

FIDELITY-Moderate

System Load

Analyst Load


LOAD-High

AnalystLoad-Low

SKILLI-Customer

Response RP005 Malicious Code detected on endpoint Implementation Details Effectiveness Monitoring Metrics Captured Metrics Review Artifacts Correlation Search - Brute Force Access Behavior Detected


UCESS012 Brute Force Access Behavior Detected Over One Day Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this could indicate a successful brute force attack)Looking across the prior 24 hours starting 1 hour ago, search for application, count of failures and count of success and group by source(host, IP, name). Return rows where success is greater than 0 and then return values where the failures compared to the previous day are above medium Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment


RV1-AbuseofAccess



RV3-MaliciousCode



Adoption Phase SME


APC-Essential

APS-Productized

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED1-Common

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low

SKILLI-Customer

Response RP010 Contain potentially compromised account Implementation Details Effectiveness Monitoring Metrics Captured Metrics Review Artifacts Correlation Search - Brute Force Access Behavior Detected Over One Day


UCESS013 Cleartext Password At Rest Detected Detects cleartext passwords being stored at rest (such as in the Unix password file). Looking across a realtime window of +/-5 minutes, search for Last Time, Original Raw Event Data, tag and count grouped by destination(host, IP, name), user and password. Add a pipe between the tags. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT01-Compliance

RV1-AbuseofAccess

DS009EndPointIntel


RV2-Access



Adoption Phase SME


APC-Edge

APS-Proposed

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED9-Undetermined

FIDELITY-High

System Load

Analyst Load


LOAD-Low



Response RP010 Contain potentially compromised account Implementation Details Effectiveness Monitoring Metrics Captured 1. Track all passwords that are sent in the clear for all endpoints Metrics Review 1. View all activity for this notable event Artifacts TBD


UCESS014 Completely Inactive Account Discovers accounts that are no longer used. Unused accounts should be disabled and are oftentimes used by attackers to gain unauthorized access. Access tracker contains destination (host, IP, name), first and last time seen, 2nd to last time seen and user. If any data is returned, add it to the access_tracker file. Evaluate the difference between now and the last time, divide the result by 86400 seconds (1 day) and return values that are greater than 90. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT01-Compliance

RV1-AbuseofAccess



RV2-Access



Adoption Phase SME


APC-Mature

APS-Proposed

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED9-Undetermined

FIDELITY-Undetermined

System Load

Analyst Load


LOAD-Low

LOAD-Low

SKILLI-Customer

Response RP001 New web application or network protocol detected Implementation Details Effectiveness Monitoring Metrics Captured 1. Track and trend account activity Metrics Review 1. Review policy objects for user lists and determine if new policies should be added Artifacts TBD


UCESS015 Concurrent Login Attempts Detected Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared passwords and potential misuse.Looking across the prior 65 minutes starting 5 minutes ago, search for time, application, source (host, IP, name) and user and provide a count for that combination of values that occur within a one second window. Calculate a distinct count of source by application and user. Take the last two events with the same app and user combination where the source does not match and compute the difference in their timestamps and return values where the time difference is less than 300 seconds Problem Types Addressed

Risk Addressed

Event Data Sources


RV1-AbuseofAccess


RV3-MaliciousCode



Adoption Phase SME


APC-Mature

APS-Productized

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED1-Common

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low


SKILLI-Customer

Response RP010 Contain potentially compromised account Implementation Details Effectiveness Monitoring Metrics Captured Metrics Review Artifacts Correlation Search - Concurrent Login Attempts Detected


Enrichment DE001AssetInformation DE002IdentityInformation DDE021 Commercially maintained Geo IP Database

UCESS016 Default Account Activity Detected Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords and are therefore commonly targeted by attackers using brute force attack tools. Looking across a realtime window of +/-5 minutes, return lastTime, tag, and count grouped by destination(host, IP, name), user and application. Place a pipe between each value in the tag field. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT01-Compliance

RV1-AbuseofAccess



RV2-Access



Adoption Phase SME


APC-Maturing

APS-Proposed

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED1-Common

FIDELITY-High

System Load

Analyst Load


LOAD-Low


SKILLI-Undetermined

Response RP001 New web application or network protocol detected Implementation Details Effectiveness Monitoring Metrics Captured 1. Track and trend all accounts that do not conform to established policies Metrics Review 1. Review prohibited account list and determine if new (or updated) policies should be added Artifacts TBD


UCESS017 Default Account At Rest Detected Discovers the presence of default accounts even if they are not being used. Default accounts should be disabled in order to prevent an attacker from using them to gain unauthorized access to remote hosts. Looking across a realtime window of +/-5 minutes, return lastTime, original Raw Log, tag and count grouped by destination (host, IP, name) and user where the enabled is not 0 or False (case-insensitive) and status is not degraded and shell program doesn't end with nologin or false and user is not root. Place a pipe between each value in the tag field. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT01-Compliance

RV1-AbuseofAccess

DS009EndPointIntel


RV2-Access



Adoption Phase SME


APC-Edge

APS-Proposed

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED9-Undetermined


System Load

Analyst Load


LOAD-Low



Response RP001 New web application or network protocol detected Implementation Details Effectiveness Monitoring Metrics Captured 1. Track any default or template accounts and ensure that they are sufficiently copied or changed Metrics Review 1. All template accounts should not be accessed directly or used, monitor these accounts for access Artifacts TBD


UCESS018 Excessive DNS Failures Alerts when a host receives many DNS failures in a short span. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count where the reply code for DNS is not No Error and group by Source IP. Only show counts that are more than 100. Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV1-AbuseofAccess

DS002DNS-ET01QueryResponse


RV3-MaliciousCode



Adoption Phase SME

APC-Maturing

APS-Proposed

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low



Enrichment DDE001 Asset Information CAT-svc:dnsresolver CAT-svc:mailgw CAT-svc:webproxy DDE017 Legitimate DNS command and control domains DDE010 Alexa TOP 1 million sites DDE019 CIM Corporate Web Domains


Response RP002 Endpoint generating suspicious network activity Implementation Details Effectiveness Monitoring Metrics Captured a. Track all occurrences, check for misconfiguration, or possible infection Metrics Review a. Review current blacklists and determine if new services are used to possibly create these queries, check SIEM for additional alerts Artifacts TBD


UCESS019 Excessive DNS Queries Alerts when a host starts sending excessive DNS queries. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count where the message type for DNS is QUERY and group by Source IP. Only show counts that are more than 100 Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV1-AbuseofAccess

DS002DNS-ET01QueryRequest


RV3-MaliciousCode



Adoption Phase SME

APC-Maturing

APS-Proposed

API-Distinctive

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low



Enrichment DDE001 Asset Information CAT-svc:dnsresolver CAT-svc:mailgw CAT-svc:webproxy DDE017 Legitimate DNS command and control domains DDE010 Alexa TOP 1 million sites DDE019 CIM Corporate Web Domains


Response RP001 New web application or network protocol detected Implementation Details Effectiveness Monitoring Metrics Captured 1. Track all occurrences, check for misconfiguration, or possible infection Metrics Review 1. Review current blacklists and determine if new services are used to possibly create these queries, check SIEM for additional alerts Artifacts TBD


UCESS020 Excessive Failed Logins Detects excessive number of failed login attempts (this is likely a brute force attack)For the past 1 hour starting 5 minutes after realtime, search for failure in the tag field and return values of app and Source IP, tags, distinct user count, distinct destination count and overall count grouped by app and Source(host, IP, name) where the count is greater than 6 and place a pipe between each value in the tag field Problem Types Addressed

Risk Addressed

Event Data Sources


RV1-AbuseofAccess


RV3-MaliciousCode



Adoption Phase SME

APC-Maturing

APS-Productized

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED1-Common

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low

AnalystLoad-Undetermined

SKILLI-Customer

Enrichment DDE001 Asset Information DDE002 Identity Information


Response RP010 Contain potentially compromised account Implementation Details Effectiveness Monitoring Metrics Captured 1. Track and trend excessive login failures from all sources Metrics Review 1. Correlate to particular network activity such as a bad service account password, and bad password attempts Artifacts Correlation Search - Multiple Login Attempts Detected


UCESS021 Excessive HTTP Failure Responses Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count where status is one of the following (400, 403, 404, 411, 500, 501) grouped by dest and the count is greater than 50 Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment


RV1-AbuseofAccess



RV3-MaliciousCode RV4-ScanProbe


Adoption Phase SME


APC-Mature

APS-Proposed

API-Socializing

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Moderate

AnalystLoad-Low

SKILLI-Customer

Response RP001 New web application or network protocol detected Implementation Details Effectiveness Monitoring Metrics Captured 1. Track and trend positive versus false positive rate Metrics Review 1. Review website to make sure that everything is functioning properly, also check network status on SIEM for anomalous patterns Artifacts TBD


UCESS022 Expected Host Not Reporting Discovers hosts that are longer reporting events but should be submitting log events. This rule is used to monitor hosts that you know should be providing a constant stream of logs in order to determine why the host has failed to provide log data.Every 15 minutes, execute the host_eventcount macro and look across the time range of less than 30 days ago and greater than 2 hours ago. The macro returns time values of min and max and count events seen grouped by host. Get associated asset information for the host as well as identity information for the asset owner (via macros). Calculate the date difference between now and the lastTime the host was seen and sort. The remainder of the correlation search evaluates the is_expected value in the asset to be true, the time is formated and the host, last time, is_expected and day difference is returned when the orig_time equals last time that was calculated in the macro. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment



DS007AuditTrail



Adoption Phase SME


APC-Essential

APS-Productized

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED1-Common

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low

AnalystLoad-Automation

SKILLI-Customer

Response Implementation Details Effectiveness Monitoring Metrics Captured Metrics Review Artifacts Correlation Search - Expected Host Not Reporting


UCESS023 Alerts on access attempts that are improbably based on time and geography. Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this could indicate a successful brute force attack)For the past 18 hours starting 5 minutes after realtime, list the application, user business unit and group by user, source (host, IP, name) and time with a time span of 1 second. Generate a distinct count of source by user, and return if count is greater than 1. Sort the output by time. Execute the macro get_asset based on the source to collects values from the asset list that maps to the source and perform an IP lookup on the source. Gather latitude, longitude and city and populate from event or asset. Take the last two events with the same user where the source does not match and calculate the distance, time difference and speed between and return values where the speed is greater than 500 Problem Types Addressed

Risk Addressed

Event Data Sources


RV1-AbuseofAccess


RV3-MaliciousCode


Adoption Phase SME


APC-Mature

APS-Productized

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED1-Common

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low


SKILLI-Customer

Response RP010 Contain potentially compromised account Implementation Details Effectiveness Monitoring Metrics Captured Metrics Review Artifacts Correlation Search - Geographically Improbable Access Detected


Enrichment DE002IdentityInformation DDE021 Commercially maintained Geo IP Database

UCESS024 High Number of Hosts Not Updating Malware Signatures Alerts when a high number of hosts not updating malware signatures have been discovered. These hosts should be evaluated to determine why they are not updating their malware signatures.Execute the malware operations tracker macro and calculate the time_signature_version and return results that the day difference between the time_signature_version and the time is greater than 7 days. Return count and the destination (host, IP, name) when the count is greater than 10 Problem Types Addressed

Risk Addressed

Event Data Sources


RV1-AbuseofAccess


RV3-MaliciousCode


Adoption Phase SME


APC-Essential

APS-Productized

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low


SKILLI-Customer

Response Implementation Details Effectiveness Monitoring Metrics Captured Metrics Review Artifacts Correlation Search - High Number of Hosts Not Updating Malware Signatures



UCESS025 High Number Of Infected Hosts Alerts when a high total number of infected hosts is discovered.For the past 15 days, using all summary data even if the model has changed, return and estimated distinct count of destination (host, IP, name) where nodename is Malware_Attacks where the infected hosts are greater than 100 Problem Types Addressed

Risk Addressed

Event Data Sources


RV1-AbuseofAccess


RV3-MaliciousCode


Adoption Phase SME


APC-Essential

APS-Productized

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low


SKILLI-Customer

Response Implementation Details Effectiveness Monitoring Metrics Captured Metrics Review Artifacts Correlation Search - High Number Of Infected Hosts



UCESS026 High Or Critical Priority Host With Malware Detected Alerts when an infection is noted on a host with high or critical priority.Looking across a realtime window of +/-5 minutes, search for destination priority (assigned in asset table) of high or critical and return most recently seen time, original raw log, destination priority and count grouped by destination (host, IP, name) and signature Problem Types Addressed

Risk Addressed

Event Data Sources


RV1-AbuseofAccess


RV3-MaliciousCode


Adoption Phase SME


APC-Essential

APS-Productized

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low


SKILLI-Customer

Response Implementation Details Effectiveness Monitoring Metrics Captured Metrics Review Artifacts Correlation Search - High Or Critical Priority Host With Malware Detected



UCESS027 High or Critical Priority Individual Logging into Infected Machine Detects users with a high or critical priority logging into a malware infected machineUsing all summary data even if the model has changed, search for user over a 60 minute window starting 5 minutes after realtime where user priority (assigned in identity table) is high or critical and group by destination (host, IP, name). Join these results via an inner join on destination to another Problem Types Addressed

Risk Addressed

Event Data Sources


RV1-AbuseofAccess


RV3-MaliciousCode


Adoption Phase SME


APC-Essential

APS-Productized

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low


SKILLI-Customer

Response Implementation Details Effectiveness Monitoring Metrics Captured Metrics Review Artifacts Correlation Search - High or Critical Priority Individual Logging into Infected Machine



UCESS028 High Process Count Alerts when host has a high number of processes. This may be due to an infection or a runaway process. For the past 24 hours, get the most recent time and group by destination (host, IP, name) and process. Get the max time by destination and compare the two time stamps and keep the matches. Calculate the distinct count of process by destination and return those that have a count greater than 200. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT01-Compliance

RV3-MaliciousCode






Adoption Phase SME

APC-Maturing

APS-Proposed

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low

SKILLI-Customer


Response RP017 Asset Symptomatic of abnormal condition Implementation Details Effectiveness Monitoring Metrics Captured 1. Track and trend normal process list for asset Metrics Review 1. Identify new or modified process tree Artifacts TBD


UCESS030 High Volume of Traffic from High or Critical Host Observed Alerts when a host of high or critical severity generates a high volume of outbound traffic. This may indicate that the host has been compromised.For the past 60 minutes starting 5 minutes after realtime, using all summary data even if the model has changed, calculate the sum of the number of outbound bytes transferred where the total numberof bytes transferred is greater than 0 and the source priority (asset table) is critical or high and group by source of the network traffic and destination (host, IP, name) where the bytes out is greater than 1MB (10485760 bytes) Problem Types Addressed

Risk Addressed

Event Data Sources


RV1-AbuseofAccess


RV3-MaliciousCode


Adoption Phase SME


APC-Essential

APS-Productized

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED0-Rare

FIDELITY-Low

System Load

Analyst Load


LOAD-Low


SKILLI-Customer

Response Implementation Details Effectiveness Monitoring Metrics Captured Metrics Review Artifacts Correlation Search - High or Critical Priority Individual Logging into Infected Machine



UCESS031 Host Sending Excessive Email Alerts when an host not designated as an e-mail server sends excessive e-mail to one or more target hosts.For the past 60 minutes starting 5 minutes after realtime, using all summary data even if the model has changed, calculate the sum of the recipient count, the distinct count of dest where source category is not an email server or * and group by Source IP over a 1 hour time window. Compare this count to the recipient by source and return the value if it is above medium or the dest_count compared to destinations by source is above medium Problem Types Addressed

Risk Addressed

Event Data Sources


RV1-AbuseofAccess

DS001Mail-ET03Send

Enrichment

RV3-MaliciousCode


Adoption Phase SME


APC-Essential

APS-Productized

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low


SKILLI-Customer

Response Implementation Details Effectiveness Monitoring Metrics Captured Metrics Review Artifacts Correlation Search - Host Sending Excessive Email



UCESS032 Host With A Recurring Malware Infection Alerts when a host has an infection that has been re-infected remove multiple times over multiple days.For the past 10080 minutes (7 days) starting 5 minutes after realtime, using all summary data even if the model has changed, return a distinct count of the date to get a day count and group by destination system that was affected by the malware event (host, IP, name) and signature. Alert when the count is greater than 3 Problem Types Addressed

Risk Addressed

Event Data Sources


RV1-AbuseofAccess


RV3-MaliciousCode


Adoption Phase SME


APC-Essential

APS-Productized

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low


SKILLI-Customer

Response Implementation Details Effectiveness Monitoring Metrics Captured Metrics Review Artifacts Correlation Search - Host With A Recurring Malware Infection



UCESS033 Host With High Number Of Listening ports Alerts when host has a high number of listening services. This may be an indication that the device is running services that are not necessary (such as a default installation of a server) or is not running a firewall. For the past 24 hours, using all summary data even if the model has changed, return a distinct count of the transport destination ports and group by destination (host, IP, name). Alert when the count is greater than 20. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT01-Compliance

RV4-ScanProbe




DDE005 Prohibited Network Protocol/Application List DDE006 Acceptable Network Protocol/Application List


Adoption Phase SME


APC-Edge

APS-Proposed

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-High


SKILLI-Customer

Response RP002 Endpoint generating suspicious network activity Implementation Details Effectiveness Monitoring Metrics Captured 1. Track and monitor port activity on endpoints Metrics Review 1. Review inventoried list of port and alert activity for anomalies Artifacts TBD


UCESS034 Host With High Number Of Services Alerts when host has a high number of services. This may be an indication that the device is running services that are not necessary (such as a default installation of a server). For the past 24 hours, using all summary data even if the model has changed, return a distinct count of the service and group by destination (host, IP, name). Alert when the count is greater than 100. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT01-Compliance

RV4-ScanProbe





DDE012 Service State by platform DDE014 Service Account process name/hash


Adoption Phase SME


APC-Edge

APS-Proposed

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Moderate


SKILLI-Customer

Response RP007 Potentially Unauthorized change detected on endpoint Implementation Details Effectiveness Monitoring Metrics Captured 1. Track services on all endpoints within the organization against a list of known good services. Metrics Review 1. Review prohibited service list and determine if unauthorized services were added. Artifacts TBD


UCESS035 Host With Multiple Infections Alerts when a host with multiple infections is discovered.For the past 24 hours, using all summary data even if the model has changed, return a distinct count of signatures and group by destination (host, IP, name). Alert when the count is greater than 1 Problem Types Addressed

Risk Addressed

Event Data Sources


RV1-AbuseofAccess


RV3-MaliciousCode


Adoption Phase SME


APC-Essential

APS-Productized

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low


SKILLI-Customer

Response Implementation Details Effectiveness Monitoring Metrics Captured Metrics Review Artifacts Correlation Search - Host With Multiple Infections



UCESS036 Host With Old Infection Or Potential Re-Infection Alerts when a host with an old infection is discovered (likely a re-infection).For the past 60 minutes starting 5 minutes after realtime, calculate the max time (lastTime) by signature and destination. Perform a lookup against the malware_tracker and match on destination and signature. If a match exists, output the time as firstTime. Calculate the difference between the firstTime and lastTime and return values where the day difference is greater than 30 Problem Types Addressed

Risk Addressed

Event Data Sources


RV1-AbuseofAccess


RV3-MaliciousCode


Adoption Phase SME


APC-Essential

APS-Productized

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low


SKILLI-Customer

Response RP005 Malicious Code detected on endpoint Implementation Details Effectiveness Monitoring Metrics Captured Metrics Review Artifacts Correlation Search - Host With Old Infection Or Potential Re-Infection



UCESS037 Inactive Account Activity Detected Discovers previously inactive accounts that are now being used. This may be due to an attacker that successfully gained access to an account that was no longer being used. Execute the inactive_account_usage macro and look across the time range of less than 90 days ago and greater than 1.25 hours ago. The macro returns time values of firstTime, second2lastTime and lastTime grouped by user. Get associated identity information for the user (via macros). Calculate the day difference between now and the second2lastTime. The remainder of the correlation search sets tags to include access, formats the lastTime (now) value and outputs the user,tags, the number of inactive days and last time when the orig_time equals last time that was calculated in the macro. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT01-Compliance

RV1-AbuseofAccess






Adoption Phase SME


APC-Maturing

APS-Proposed

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED9-Undetermined

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low

SKILLI-Customer

Response RP017 Asset Symptomatic of abnormal condition Implementation Details Effectiveness Monitoring Metrics Captured 1. Track and maintain account activity and flag for customer defined inactivity period. Metrics Review 1. Review inactive account list on regular basis. Artifacts TBD


UCESS038 Insecure Or Cleartext Authentication Detected Detects authentication requests that transmit the password over the network as cleartext (unencrypted). Looking across a realtime window of +/-5 minutes, calculate the max time and return time, original raw, tags and count grouped by the application and destination (host, IP, name). Separate tags with pipes. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT01-Compliance

RV2-Access




RV4-ScanProbe




Adoption Phase SME


APC-Mature

APS-Proposed

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED9-Undetermined

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low

SKILLI-Customer

Response RP002 Endpoint generating suspicious network activity Implementation Details Effectiveness Monitoring Metrics Captured 1. Identify and track accounts that are using insecure authentication. Metrics Review 1. Review account list and trend the accounts that are using insecure authentication. Artifacts TBD


UCESS039 Multiple Primary Functions Detected The primary_functions_tracker macro gathers all local procceses, services and listening ports from their trackers and associates identity and asset information with each. Looking back over the past 24 hours, return values of the function and their distinct count grouped by destination (host, IP, name) where is_primary is equal to true and count is greater than 1. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT01-Compliance

RV1-AbuseofAccess





Adoption Phase SME


APC-Mature

APS-Accepted

API-Distinctive

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low



Response RP017 Asset Symptomatic of abnormal condition Implementation Details Effectiveness Monitoring Metrics Captured 1. Track and count notables generated Metrics Review 1. Monthly review threshold score where false positive resolution was noted to determine if tolerance should be adjusted Artifacts TBD


UCESS040 Network Change Detected Looking across a realtime window of +/-5 minutes, calculate the max time and return time, original raw and count grouped by the device that reported the change dvc (host, IP, name), the action performed on the resource and the command that initiated the change. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT01-Compliance

RV1-AbuseofAccess

DS006UserActivity-ET04Update



RV4-ScanProbe

DDE003 Public Network attributes DDE008 Network CIDR Details


Adoption Phase SME


APC-Maturing

APS-Accepted

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low


SKILLI-Customer

Response RP007 Potentially Unauthorized change detected on endpoint Implementation Details Effectiveness Monitoring Metrics Captured 1. Track all occurrences of network changes Metrics Review 1. Review metrics of network changes on hosts on a regular basis. Review change logs for scheduled events. Artifacts TBD


UCESS041 Network Device Rebooted For the past 1 hour, using all summary data even if the model has changed, provide a count of device restarts grouped by the device that reported the change dvc (host, IP, name) and time where the time span is 1 second. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT02-SecurityVisibility

RV2-Access

DS015ConfigurationManagement


RV3-MaliciousCode

DDE012 Service State by platform

RV4-ScanProbe



Adoption Phase SME


APC-Edge

APS-Accepted

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low

SKILLI-Customer

Response RP007 Potentially Unauthorized change detected on endpoint Implementation Details Effectiveness Monitoring Metrics Captured 1. Track for frequency of reboots, trend any patterns and notable events Metrics Review 1. Check against change control logs and open an investigation if not scheduled for maintenance Artifacts TBD


UCESS042 New User Account Created On Multiple Hosts Useraccounts_tracker returns destination (host, IP, name), user, firstTime, lastTime and is_interactive. Create earliestQual based on 24 hours ago, snapped to the top of the hour and latestQual which is now. Return values where firstTime is greater than or equal to earliestQual and firstTime is less than or equal to latestQual. Generate a distinct count of those results based on destination (host, IP, name) grouped by user where the destination count is greater than 3. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT01-Compliance

RV1-AbuseofAccess

DS006UserActivity-ET03Create


RV2-Access



Adoption Phase SME


APC-Maturing

APS-Proposed

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Moderate


SKILLI-Customer

Response RP013 Change to critical access control detected Implementation Details Effectiveness Monitoring Metrics Captured 1. Track each account that is created on endpoints Metrics Review 1. Review change control logs for this event and open an investigation if not present Artifacts TBD


UCESS043 Outbreak Detected Alerts when a potential outbreak is observed based on newly infected systems all exhibiting the same infectionFor the past 24 hours, using all summary data even if the model has changed, generate a distinct count of the system that was affected by the malware event dest (host, IP, name) and group by signature and trigger if the count is greater than 10 Problem Types Addressed

Risk Addressed

Event Data Sources


RV1-AbuseofAccess


RV3-MaliciousCode


Adoption Phase SME


APC-Essential

APS-Productized

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low


SKILLI-Customer

Response RP005 Malicious Code detected on endpoint Implementation Details Effectiveness Monitoring Metrics Captured Metrics Review Artifacts Correlation Search - Outbreak Detected



UCESS044 Personally Identifiable Information Detected Looking across a realtime window of +/-5 minutes, find integer sequences and lookup against luhn_like_lookup and output fields pii and piiclean. Lookup iin_issuer in the iin_lookup table based on the pii_clean string and length of the string. Output event id (macro that creates hash of indexer, time and raw event), original_raw log, host, PII value, IIN Issuer (Visa, masterCard, etc), SHA1 hash of PII value. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT01-Compliance

RV1-AbuseofAccess

ALL


PRT01Compliance-PCI

RV2-Access

PRT04-FFIEC


Adoption Phase SME


APC-Edge

APS-Accepted

API-Distinctive

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Excessive

AnalystLoad-Low

SKILLI-Customer

Response Implementation Details Effectiveness Monitoring Metrics Captured 1. Track all instances of unencrypted PII on endpoints Metrics Review 1. If PII is unencrypted open an investigation Artifacts TBD


UCESS045 Potential Gap in Data Detects gaps caused by the failure of the search head. If saved searches do not execute then there may be gaps in summary data.For the past 5 minutes starting 5 minutes after realtime, return scheduled searches that were successful where the app context is like Splunk_ or SAor DA- or equal to SplunkEnterpriseSecuritySuite or SplunkPCIComplianceSuite, and count the values. Return events where count is equal 0. Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance


DS006UserActivity-ET06Search


Adoption Phase SME

APC-Essential

APS-Productized

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED0-Rare

FIDELITY-High

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low

SKILLI-Customer

Response Implementation Details Effectiveness Monitoring Metrics Captured Metrics Review Artifacts Correlation Search - Potential Gap in Data


Enrichment



UCESS046 Prohibited Process Detected Looking across a realtime window of +/-5 minutes, run the macro get_interesting_processes and return processes that is_probhibited is set to true. Run the macros get_event_id and map_notable_fields and add the following fields to the output: orig_event_id (macro creates hash of indexer, time and raw event), orig_raw, dest, process and note. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT01-Compliance

RV1-AbuseofAccess




RV3-MaliciousCode



Adoption Phase SME


APC-Maturing

APS-Accepted

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare


System Load

Analyst Load


LOAD-Moderate

AnalystLoad-Low


Response RP011 Unwanted/Unauthorized Code detected on endpoint Implementation Details Effectiveness Monitoring Metrics Captured 1. Review and track notable events for prohibited processes on endpoints Metrics Review 1. Review threat lists and additional notables for endpoints that are affected, open investigation (if necessary) Artifacts TBD


UCESS047 Prohibited Service Detected Looking across a realtime window of +/-5 minutes, run the macro service and return services where is_probhibited is set to true. Run the macros get_event_id and map_notable_fields and add the following fields to the output: orig_event_id (macro creates hash of indexer, time and raw event), orig_raw, dest, service and note. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT01-Compliance

RV1-AbuseofAccess




RV3-MaliciousCode



Adoption Phase SME


APC-Maturing

APS-Proposed

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Moderate



Response RP011 Unwanted/Unauthorized Code detected on endpoint Implementation Details Effectiveness Monitoring Metrics Captured 1. Review and track notable events for prohibited service(s) on endpoints Metrics Review 1. Review threat lists and additional notables for endpoints that are affected, open investigation (if necessary) Artifacts TBD


UCESS048 Same Error On Many Servers Detected For the past 60 minutes starting 5 minutes after realtime, find all events where tag is equal to error and tag is not equal to authentication. Gather the first raw log file, the distinct count of host and group by sourcetype and punct where the distinct count is greater than 100. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT01-Compliance

RV3-MaliciousCode

ALL



RV4-ScanProbe

DDE004 Threat List

PRT02-SecurityVisibilityZeroDayAttacks

RV5-DenialofService

DDE012 Service State by platform DDE013 Critical Policy Objects


Adoption Phase SME


APC-Edge

APS-Accepted

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare


System Load

Analyst Load


LOAD-Moderate



Response RP018 Asset or Service under denial of Service attack Implementation Details Effectiveness Monitoring Metrics Captured 1. Review and track notable events for suspicious errors on endpoints Metrics Review 1. Review error list and determine if additional investigation is necessary Artifacts TBD


UCESS049 Short-lived Account Detected For the past 4 hours, find all events that action is equal to created or deleted. Look at the time range across user and destination and use only two events and only return events where the count is greater than 1 and the time range is less than the useraccount_minimal_lifetime (3600 seconds as defined in macro). Generate a relative time frame in minutes based on time range, generate the orig_event_id, orig_raw, user, dest, delta, timestr (relative time in minutes) Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT01-Compliance

RV1-AbuseofAccess

DS006UserActivity-ET03Create



RV2-Access

DS006UserActivity-ET05Delete



Adoption Phase SME


APC-Mature

APS-Proposed

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low


SKILLI-Customer

Response RP013 Change to critical access control detected Implementation Details Effectiveness Monitoring Metrics Captured 1. Track and trend account activity via notable events Metrics Review a. Review service tickets for scheduled change, open an investigation (if necessary) Artifacts TBD


UCESS050 Should Timesync Host Not Syncing Detects when hosts that are required to synchronize their clocks have failed to do so. Time synchronization is important because it ensures that the event logs are stamped with the proper time. Additionally, this is required by some regulatory compliance standards (such as PCI). For the past 30 days, find lastTime, a true/false value of an asset based on if the system should time sync (should_timesync) where the action equals failure and should_timesync equals true grouped by destination (host, IP, name). Calculate the hour difference between now and the lastTime and return lastTime, destination, should_timesync and hour difference if the hour difference is greater than 2. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT06-SecureConfigurationMgmtUpdateManagement


DS007AuditTrail-ET03TimeSync

DDE001 Asset Information DDE012 Service State by platform


Adoption Phase SME


APC-Maturing

APS-Proposed

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED1-Common

FIDELITY-High

System Load

Analyst Load


LOAD-Low


SKILLI-Customer

Response RP017 Asset Symptomatic of abnormal condition Implementation Details Effectiveness Monitoring Metrics Captured 1. Track and trend positive versus false positive rate Metrics Review 1. Review prohibited protocol list and determine if new protocols should be added Artifacts TBD


UCESS051 Substantial Increase In Events Alerts when a statistically significant increase in a particular event is observed. For the past hour, using all summary data even if the model has changed, generate a count by signature and compare that count against the previous hour and trigger if the signature is above medium. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment


RV1-AbuseofAccess



PRT06-SecureConfigurationMgmtUpdateManagement

RV3-MaliciousCode

DDE004 Threat List


DDE012 Service State by platform DDE013 Critical Policy Objects


Adoption Phase SME


APC-Maturing

APS-Proposed

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED1-Common

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low

SKILLI-Customer

Response RP017 Asset Symptomatic of abnormal condition Implementation Details Effectiveness Monitoring Metrics Captured 1. Track and trend positive versus false positive rate Metrics Review 1. Review prohibited protocol list and determine if new protocols should be added Artifacts TBD


UCESS052 Substantial Increase In Port Activity Alerts when a statistically significant increase in events on a given port is observed. For the past hour, using all summary data even if the model has changed, generate a count by destination port and compare that count against the previous hour and trigger if the destination port is extreme. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT01-Compliance

RV1-AbuseofAccess




RV3-MaliciousCode

DDE005 Prohibited Network Protocol/Application List

RV4-ScanProbe DDE006 Acceptable Network Protocol/Application List


Adoption Phase SME


APC-Edge

APS-Proposed

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Moderate


SKILLI-Customer

Response RP002 Endpoint generating suspicious network activity Implementation Details Effectiveness Monitoring Metrics Captured 1. Track and monitor port activity on endpoints Metrics Review 1. Review inventoried list of port and alert activity for anomalies, open an investigation (if necessary) Artifacts TBD


UCESS053 Threat Activity Detected For the past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the event_id and return _raw, orig_source (Saved Search), src, dest and all threat intel data model fields. Depending on the match field, set the risk_object type to system, user or other and assign the risk_object the value of the threat_match_value (IP, host, name).


Risk Addressed

Event Data Sources


RV1-AbuseofAccess

DS001Mail-ET03Send

RV3-MaliciousCode


RV4-ScanProbe

DS002DNS-ET01Query DS003Authentication-ET01Success DS005WebProxyRequest-ET01Requested DS009EndPointIntel-ET01ProcessLaunch DS010NetworkCommunication-ET01Traffic DS011MalwareDetonation-ET01Detection


Adoption Phase SME

APC-Essential

APS-Productized

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV1 - Low

RATED2-Frequent

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low


Response Implementation Details Effectiveness Monitoring Metrics Captured Metrics Review Artifacts Correlation Search - Threat Activity Detected




UCESS056 Unapproved Port Activity Detected Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of new software (potentially unapproved) or a successful compromise of a host (such as the presence of a backdoor or a system communicating with a botnet). Looking across a realtime window of +/-5 minutes, return values where destination port is greater than 0 and is_prohibited is not false. Generate a count grouped by the device that reported the traffic dvc (host, IP, name), layer 4 transport protocol, destination port and is_prohibited. Get the associated asset values for dvc and the identity information of the dvc owner and write out notable fields. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT01-Compliance

RV3-MaliciousCode




RV4-ScanProbe

DDE005 Prohibited Network Protocol/Application List DDE013 Critical Policy Objects


Adoption Phase SME


APC-Mature

APS-Proposed

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED1-Common

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low

SKILLI-Customer

Response RP002 Endpoint generating suspicious network activity Implementation Details Effectiveness Monitoring Metrics Captured 1. Track and trend positive versus false positive rate Metrics Review 1. Review prohibited protocol list and determine if new protocols should be added Artifacts TBD


UCESS057 Unroutable Activity Detected Alerts when activity to or from a host that is unroutable is detected. For the past 60 minutes starting 5 minutes after realtime, return values from the macro src_dest_tstats that are of action equals allowed. This macro returns sourcetype, count grouped by source (host, IP, name) and destination (host, IP, name) for the following data models: Network_Traffic, Intrusion_Detection and Web and appends them together. This list is then compared to the bogon lookup to determine if the destination or source is bogon (not routable or allocated) and that it is not internal space. Generate an output of the follwing fields: sourcetype, source, destination and bogon_ip. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT06-SecureConfigurationMgmt

RV4-ScanProbe



RV5-DenialofService

DDE018 Network zone communication authorization matrix



Adoption Phase SME


APC-Edge

APS-Proposed

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED1-Common

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low

SKILLI-Customer

Response Implementation Details Effectiveness Monitoring Metrics Captured 1. Track and trend positive versus false positive rate Metrics Review 1. Review prohibited protocol list and determine if new protocols should be added Artifacts TBD


UCESS058 Untriaged Notable Events Alerts when notable events have not been triaged. For the past 48 hours starting 4 hours after realtime, return notable events that have a status group of New or the owner is unassigned. Return the values time, owner, status, rule name and rule ID. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT01-Compliance



DDE001 Asset Information DDE012 Service State by platform


Adoption Phase SME


APC-Mature

APS-Proposed

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED1-Common

FIDELITY-Low

System Load

Analyst Load


LOAD-Low


SKILLI-Customer

Response Implementation Details Effectiveness Monitoring Metrics Captured 1. Track and trend positive versus false positive rate Metrics Review 1. Review prohibited protocol list and determine if new protocols should be added Artifacts TBD


UCESS059 Unusual Volume of Network Activity Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all summary data even if the model has changed, generate a distinct count by source (host, IP, name) and a count against the Network_Traffic data model. localop requires the rest of the search to run locally and not on remote peers. Return output if the count against the previous 30 minutes is extreme or the source count against the previous 30 minutes source count is extreme. Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment


RV4-ScanProbe


DDE003 Public Network attributes

PRT02-SecurityVisibilityLateralMovement

RV5-DenialofService DDE008 Network CIDR Details


Adoption Phase SME


APC-Maturing

APS-Accepted

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Moderate


SKILLI-Customer

Response RP002 Endpoint generating suspicious network activity Implementation Details Effectiveness Monitoring Metrics Captured 1. Track and trend positive versus false positive rate Metrics Review 1. Review prohibited protocol list and determine if new protocols should be added Artifacts TBD


UCESS060 Vulnerability Scanner Detected (by events) Detects a potential vulnerability scanner by detecting devices that have triggered a large number of unique events. Vulnerability scanners generally trigger a high number unique events when scanning a host since each vulnerability check tends to trigger a unique event.For the past 60 minutes starting 5 minutes after realtime, return tag, distinct count of signature grouped by source (host, IP, name) where the distinct count is greater than 25. Place a pipe between each value in the tag field. Problem Types Addressed

Risk Addressed


Event Data Sources DS012NetworkIntrusionDetection-ET01SigDetection

RV4-ScanProbe


Adoption Phase SME


APC-Essential

APS-Productized

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV1 - Low

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low

SKILLI-Customer

Response Implementation Details Effectiveness Monitoring Metrics Captured Metrics Review Artifacts Correlation Search - Vulnerability Scanner Detected (by events)



UCESS061 Vulnerability Scanner Detected (by targets) Detects a potential vulnerability scanner by detecting devices that have triggered events against a large number of unique targets. Vulnerability scanners generally trigger events against a high number of unique hosts when they are scanning a network for vulnerable hosts.For the past 60 minutes starting 5 minutes after realtime, return tag, distinct count of destination (host, IP, name) grouped by source (host, IP, name) where the distinct count is greater than 25. Place a pipe between each value in the tag field. Problem Types Addressed

Risk Addressed

Event Data Sources


RV4-ScanProbe



Adoption Phase SME


APC-Essential

APS-Productized

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV1 - Low

RATED1-Common

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low

AnalystLoad-Low

SKILLI-Customer

Response Implementation Details Effectiveness Monitoring Metrics Captured Metrics Review Artifacts Correlation Search - Vulnerability Scanner Detected (by targets)



UCESS062 Watchlisted Event Observed Alerts when an event is discovered including text has been identified as important. This rule triggers whenever an event is discovered with the tag of "watchlist". For the past 5 minutes starting 5 minutes after realtime, find all events that tagged watchlist and are not of sourcetype stash. Return raw log, event_id, host, source, sourcetype, src (source host, IP, name), dest (destination host, IP, name), device, source user, and user. Depending if user, src_user, src or dest is not null, make the risk_object the user name or asset address (source or destination depending). Apply the same logic to the risk_object_type to make this value system or user. If the eventtype is website_watchlist, make the risk score 50. Problem Types Addressed

Risk Addressed

PRT01-Compliance RV3-MaliciousCode

Event Data Sources

Enrichment

Special Case any event with a tag=watchlist is reported. Extreme prejudice should be used in implementation and ongoing use of this search.

DDE004 Threat List DDE005 Prohibited Network Protocol/Application List DDE006 Acceptable Network Protocol/Application List


Adoption Phase SME


APC-Edge

APS-Rejected

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED9-Undetermined


System Load

Analyst Load


LOAD-High

AnalystLoad-Low


Response RP001 New web application or network protocol detected Implementation Details Effectiveness Monitoring Metrics Captured 1. Track the notable events generated for a given watchlist Metrics Review 1. Review watchlist results, open an investigation (if needed) Artifacts TBD


UCESS063 Web Uploads to Non-corporate Sites by Users Alerts on high volume web uploads by a user to non-corporate domains. For the past 60 minutes starting 5 minutes after realtime, sum the total number of bytes transferred where the HTTP_method is POST or PUT and the domain is not in the corporate web domain lookup grouped by user. Identify best concept of byte value against web volume for 1 hour going to non-corporate addresses (outputs values such as extreme, high,medium, etc). Return a risk score based on the best concept value of above values where risk is greater than 0 Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichments Required


RV1-AbuseofAccess

DS005WebProxyRequest-ET01Requested



Adoption Phase SME


APC-Mature

APS-Productized

API-Accepted

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED1-Common

FIDELITY-Moderate

System Load

Analyst Load


LOAD-Low


SKILLI-Customer

Response Potential Data Exfiltration Implementation Details Effectiveness Monitoring Metrics Captured 1. Track and trend positive versus false positive rate Metrics Review 1. Review prohibited protocol list and determine if new protocols should be added Artifacts TBD


Product Splunk PCI App Security Use Cases Use case domains reflect the data domain used to support a specific use case. Subject matter expertise will align closely with each individual domain or a sub domain.

The repository will be segmented into domains aligning with those defined within Splunk Enterprise Security. Access - Use cases related to the use of access, authorized or unauthorized activity which may identify a threat to the organization. Endpoint - Use cases related to the use or modification of an endpoint device in such a way that may be a threat to the organization. Network - Use cases utilizing data from network communications to identify a threat to the organization. User/Identity - Use cases using information about an asset or identity to assign the priority, risk level, impact, and categorization for the object to better inform analysts with context when reviewing notable events.

Each use case will contain an information block as follows: Utilizes Events: Description of the types of events utilized in this use case. For example "authentication" or connection accepted by firewall Event Sources: Description of the technology sources such as operating system security, firewall, or anti virus Enrichment: External data required to complete the assessment of this event. Severity: Low - an event with minimal impact, additional risk, or high false positive rate should it go unresolved. Such events would not be handled by analyst should any higher priority event exist as open status. Often low events provide additional information when considered in light of higher severity events opened at a latter point. Medium - an event with low impact, moderate risk, and is more likely to be positive than false positive, Such events are expected to be reviewed by an analyst prior to closure within the SLA High - an event with impact, moderate to high risk, low false positive rates. Such events are expected to be handled promptly during business hours by an analyst prior to closure within the SLA. An analyst must turn over the event if unresolved on shift change. Critical - an event with significant impact, risk, very low false positive rate. Such events require immediate attention during or after hours and management oversight.



D-M

N-T

U-Z




ucd-access


Splunk Use Case Library 2016-09-29

Recommend Documents