Security dashboard use cases

From Federal Burro of Information

Alerts
Firewall
Multiple ports scanned from single external source
Multiple ports scanned from single internal source
Multiple ports scanned on a single host (note: comes from PAN)
High Volume of Firewall Traffic towards critical service ports
High Volume of Firewall Traffic towards mail server ports
High Volume of Firewall Traffic towards common target ports
High Volume of Firewall Traffic towards web-facing ports (note: Splunk)
Statistically high volume of traffic per user
Abnormal Increase of FW Accepts
Abnormal Increase of FW Denies
Attempted Contact with Malicious IP - Inbound
Attempted Contact with Malicious IP - Outbound (note: based on the in-house list)

IDS
Alerts from High Severity Attacker (3 in 5 min)
Alerts to High Severity Target (3 in 5 min)
Same Attacker - 6+ Different Events in 1min from external
Same Attacker - 8+ Different Events in 1min
Same high priority event same attacker (75 over 10 min)
Same high priority event same target (75 over 10 min)
High Number of IDS Alerts for Backdoor (note: from PAN IPS high severity event as one case)

Failed Login Use Cases - Windows AD/Syslog (Palo Alto, *nix)
Many failed logins to a single account from multiple sources (4 over 5 min)
Many Failed Logins From a Source to Multiple Assets (12 within 10 min)
Many failed logins from an internal source, to unique target user names that do not exist (20 in 10 minutes)
Many failed logins on a Domain Controller to unique target user names (25 in 2 minutes)
Many failed logins on a single host to unique target user names (25 in 30 minutes)
Many failed logins to a single host (250 in 2 minutes)
Successful Logins Involving User Names With Multiple Failures
Login attempts to a disabled Windows account (10 over 1 hour)
VPN denied many login attempts to a single account
VPN Many Users from Single Source
VPN logins from unlikely sources
VPN logins from unlikely sources following recent login
Concurrent logins from multiple regions
sudo multiple incorrect password attempts
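Most of the firewall, IDS and failed-login use cases above share one detection shape: count events, or distinct values of one field, per offender or victim inside a sliding time window and alert when a threshold is reached. The Python below is an added example, not code from this page or from any of the products it lists. It implements that shape once and applies it to the "multiple ports scanned from single external source" case and to three of the failed-login cases with the thresholds given above; the event field names (ts, src, dst, dport, user, outcome), the internal address ranges, the port-scan threshold and the sample events are all assumptions constructed for the example.

```python
"""Sliding-window threshold correlation over constructed sample events.
Added example, not code from the wiki page. Field names (ts, src, dst, dport,
user, outcome), the internal ranges and the port-scan threshold are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

INTERNAL_PREFIXES = ("10.", "192.168.")  # assumed internal address ranges

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)

@dataclass
class Rule:
    name: str
    counted: callable        # events that accumulate in the window
    group_by: str            # field naming the offender or the victim
    window: timedelta
    threshold: int
    distinct: str = None     # count distinct values of this field (None = raw count)
    trigger: callable = None # event that evaluates the window (default: counted)

class Correlator:
    """One sliding window per (rule, group key); fires once per window, then resets it."""
    def __init__(self, rules):
        self.rules = rules
        self.windows = {r.name: defaultdict(deque) for r in rules}
        self.alerts = []

    def feed(self, ev):
        for rule in self.rules:
            key = ev.get(rule.group_by)
            if key is None:
                continue
            win = self.windows[rule.name][key]
            cutoff = ev["ts"] - rule.window
            while win and win[0][0] < cutoff:   # evict entries older than the window
                win.popleft()
            if rule.counted(ev):
                value = ev.get(rule.distinct) if rule.distinct else None
                if rule.distinct and value is None:
                    continue                    # nothing to count distinctly
                win.append((ev["ts"], value))
            if not (rule.trigger or rule.counted)(ev):
                continue
            count = len({v for _, v in win}) if rule.distinct else len(win)
            if count >= rule.threshold:
                self.alerts.append((rule.name, key, ev["ts"]))
                win.clear()

def run(events, rules):
    corr = Correlator(rules)
    for ev in sorted(events, key=lambda e: e["ts"]):  # a real feed also needs late-event handling
        corr.feed(ev)
    return corr.alerts

failed = lambda e: e.get("outcome") == "fail" and "user" in e
succeeded = lambda e: e.get("outcome") == "success" and "user" in e

RULES = [
    # Firewall: multiple ports scanned from a single external source
    # (10 ports in 1 min is an assumed threshold; the page gives none)
    Rule("ports_scanned_from_external_source",
         counted=lambda e: "dport" in e and not is_internal(e["src"]),
         group_by="src", distinct="dport", window=timedelta(minutes=1), threshold=10),
    # Many failed logins to a single account from multiple sources (4 over 5 min)
    Rule("failed_logins_single_account_multi_source", counted=failed,
         group_by="user", distinct="src", window=timedelta(minutes=5), threshold=4),
    # Many failed logins from a source to multiple assets (12 within 10 min)
    Rule("failed_logins_source_multi_asset", counted=failed,
         group_by="src", distinct="dst", window=timedelta(minutes=10), threshold=12),
    # Successful login involving a user name with multiple failures: failures fill
    # the window and a success evaluates it (3 in 10 min is an assumed threshold)
    Rule("success_after_failures", counted=failed, trigger=succeeded,
         group_by="user", window=timedelta(minutes=10), threshold=3),
]

T0 = datetime(2024, 1, 1, 9, 0, 0)  # constructed base timestamp

def ev(offset_s, **fields):
    return {"ts": T0 + timedelta(seconds=offset_s), **fields}

# Constructed sample events, not real logs.
SAMPLE_EVENTS = (
    # one external host probes 10 ports on one server within 30 s
    [ev(3 * i, src="203.0.113.5", dst="10.0.0.20", dport=20 + i, outcome="deny")
     for i in range(10)]
    # four distinct internal sources fail against one account inside 5 min, then a success
    + [ev(100 + 60 * i, src=f"10.0.1.{i}", dst="10.0.0.10", user="svc_backup", outcome="fail")
       for i in range(4)]
    + [ev(400, src="10.0.1.9", dst="10.0.0.10", user="svc_backup", outcome="success")]
    # benign noise: one failure, then a success after the window has expired
    + [ev(50, src="10.0.2.2", dst="10.0.0.11", user="alice", outcome="fail"),
       ev(700, src="10.0.2.2", dst="10.0.0.11", user="alice", outcome="success")]
)

def run_sample():
    return run(SAMPLE_EVENTS, RULES)
```

Running run_sample() yields three alerts: the port scan at 09:00:27, the four-source password spray against svc_backup at 09:04:40, and the "success after failures" for the same account at 09:06:40; alice's lone failure has aged out of the window by the time her success arrives, so it stays quiet. Firing once and clearing the window keeps one scan from producing an alert per packet. The same Rule shape covers the IDS cases above (distinct event names per attacker in 1 min) by changing group_by, distinct and the thresholds.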

Windows
Audit log cleared
Unable to log events to security log?
Multiple failed attempts to open file without permissions
New account created and deleted in short period

Linux
Audit log cleared

Brocade/Cisco Switches
Traffic on known-disabled ports
Unexpected traffic on specific ports (e.g. common-area ports)

Web/Content Filtering
WildFire - Known Malicious Content Downloaded

Sophos Mail Encryption
Failed logins

Symantec
Malware detected
Malware detected and not quarantined

ServiceNow/JIRA/Confluence
Failed logins

Ruckus WiFi Controller
Rogue AP detected
Attempt to logon with revoked certificate

Incapsula
Alert on blocking rules

CVA
New high/critical vulnerability detected

Dashboards
RSA Secure ID
Login/Token Failure/etc.

Palo Alto
Usage Patterns by Category
Geographic location of traffic sources/destinations

IDS
Top IDS event sources
Top IDS event targets
IDS events geographic location

Symantec
Failed signature updates? (note: should be an alert)

DNS
Query types trend
Statistically abnormal DNS query length
Statistically abnormal DNS entropy
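The two "statistically abnormal" DNS items above need a baseline before they mean anything: a query is abnormal relative to the length and entropy distribution of the organisation's normal traffic, not against a fixed number. The Python below is an added example, not code from this page, showing the Shannon entropy calculation, a mean and standard deviation baseline fitted to known-good queries, and a z-score cutoff. The baseline query names, the tunnel-shaped query and the cutoff of 3 standard deviations are constructed assumptions.

```python
"""Statistical baseline for DNS query length and label entropy.
Added example, not code from the wiki page; all query names are constructed and
the z-score cutoff of 3 is an assumption."""
import math
import statistics
from collections import Counter

def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def features(qname):
    """Total length plus the entropy of the labels left of the registered domain.
    Assumes the registered domain is the last two labels; a real deployment should
    use the public suffix list so that names under e.g. co.uk are split correctly."""
    labels = qname.rstrip(".").lower().split(".")
    host_part = "".join(labels[:-2])
    return {"length": len(qname), "entropy": shannon_entropy(host_part)}

def fit_baseline(qnames):
    """Mean and population standard deviation of each feature over known-good queries."""
    rows = [features(q) for q in qnames]
    return {f: (statistics.mean(r[f] for r in rows), statistics.pstdev(r[f] for r in rows))
            for f in ("length", "entropy")}

def zscores(baseline, qname):
    return {f: (v - baseline[f][0]) / baseline[f][1] if baseline[f][1] else 0.0
            for f, v in features(qname).items()}

def abnormal_features(baseline, qname, cutoff=3.0):
    """Features whose z-score exceeds the cutoff on the high side (long or random-looking names)."""
    return [f for f, z in zscores(baseline, qname).items() if z > cutoff]

# Constructed known-good queries standing in for a day of normal resolver traffic.
BASELINE_QUERIES = [
    "www.example.com", "mail.example.com", "login.example.net", "cdn.example.org",
    "api.example.com", "update.vendor.com", "time.nist.gov", "ntp.example.org",
    "www.google.com", "fonts.gstatic.com", "img.example.com", "static.example.net",
]
# Constructed query shaped like DNS-tunnel traffic: one long, high-entropy label.
TUNNEL_QUERY = "mzxw6ytboi5tgzldoqqgi2lomfxgg3dpnrsxe4tf.t.example.com"

def check_sample():
    """Returns {query: abnormal feature names} for the tunnel query and a normal one."""
    baseline = fit_baseline(BASELINE_QUERIES)
    return {q: abnormal_features(baseline, q) for q in (TUNNEL_QUERY, "www.example.com")}
```

check_sample() flags the tunnel-shaped query on both length and entropy and leaves www.example.com alone. Length alone also fires on long but legitimate names (CDN and cloud service hostnames), so on a dashboard the two features are better plotted together than thresholded separately, and the baseline should be refitted per resolver or per network segment rather than once for the whole estate.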
 
CVA
Asset Discovery
Most common vulnerabilities
Vulnerability persistence

Reports
Windows
User added to / removed from a security group; user locked, unlocked or disabled
Security enabled group created
Accounts added, broken down by the admin who created them
Account added to admin group


Door Access Logs
Entry into restricted areas
After hours access
Door opened on the 24th with no matching close event on the 25th (door left open across a day boundary)

CVA
High/critical vulnerability persisting > 1 week (exact threshold to be decided)

CIS
Server compliance report