Security dashboard use cases
From Federal Burro of Information
Alerts

* Firewall
  * Multiple ports scanned from single external source
  * Multiple ports scanned from single internal source
  * Multiple ports scanned on a single host (come from PAN)
  * High Volume of Firewall Traffic towards critical service ports
  * High Volume of Firewall Traffic towards mail server ports
  * High Volume of Firewall Traffic towards common target ports
  * High Volume of Firewall Traffic towards web-facing ports
  * Splunk
    * Statistically high volume of traffic per user
    * Abnormal Increase of FW Accepts
    * Abnormal Increase of FW Denies
  * Attempted Contact with Malicious IP - Inbound
  * Attempted Contact with Malicious IP - Outbound (based on the in-house list)
* IDS
  * Alerts from High Severity Attacker (3 in 5 min)
  * Alerts to High Severity Target (3 in 5 min)
  * Same Attacker - 6+ Different Events in 1 min from external
  * Same Attacker - 8+ Different Events in 1 min
  * Same high priority event, same attacker (75 over 10 min)
  * Same high priority event, same target (75 over 10 min)
  * High Number of IDS Alerts for Backdoor (from PAN)
  * IPS high severity event as one case
* Failed Login Use Cases - Windows AD/Syslog (Palo Alto, *nix)
  * Many failed logins to a single account from multiple sources (4 over 5 min)
  * Many Failed Logins From a Source to Multiple Assets (12 within 10 min)
  * Many failed logins from an internal source to unique target user names that do not exist (20 in 10 minutes)
  * Many failed logins on a Domain Controller to unique target user names (25 in 2 minutes)
  * Many failed logins on a single host to unique target user names (25 in 30 minutes)
  * Many failed logins to a single host (250 in 2 minutes)
  * Successful Logins Involving User Names With Multiple Failures
  * Log disabled Windows account login attempt (10 over 1 hour)
  * VPN denied many login attempts to a single account
  * VPN Many Users from Single Source
  * VPN logins from unlikely sources
  * VPN logins from unlikely sources following recent login
  * Concurrent logins from multiple regions
  * sudo multiple incorrect password attempts
* Windows
  * Audit log cleared
  * Unable to log events to security log?
  * Multiple failed attempts to open file without permissions
  * New account created and deleted in short period
* Linux
  * Audit log cleared
* Brocade/Cisco Switches
  * Traffic on known-disabled ports
  * Unexpected traffic on specific ports (i.e. common area ports)
* Web/Content Filtering
  * WildFire - Known Malicious Content Downloaded
* Sophos Mail Encryption
  * Failed logins
* Symantec
  * Malware detected
  * Malware detected and not quarantined
* ServiceNow/JIRA/Confluence
  * Failed logins
* Ruckus WiFi Controller
  * Rogue AP detected
  * Attempt to logon with revoked certificate
* Incapsula
  * Alert on blocking rules
* CVA
  * New high/critical vulnerability detected

Dashboards

* RSA SecurID
  * Login/Token Failure/etc.
* Palo Alto
  * Usage Patterns by Category
  * Geographic location of traffic sources/destinations
* IDS
  * Top IDS event sources
  * Top IDS event targets
  * IDS events geographic location
* Symantec
  * Failed signature updates? Should be an alert
* DNS
  * Query types trend
  * Statistically abnormal DNS query length
  * Statistically abnormal DNS entropy
* CVA
  * Asset Discovery
  * Most common vulnerabilities
  * Vulnerability persistence

Reports

* Windows
  * User added/removed/locked/unlocked/disabled to security group
  * Security enabled group created
  * Account added per admin
  * Account added to admin group
* Door Access Logs
  * Entry into restricted areas
  * After hours access
  * Door open on 24 and not closed on 25
* CVA
  * High/critical vulnerability persisting > 1 week (or something)
* CIS
  * Server compliance report
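The failed-login use cases above are stated as a count over a time window (for example "4 over 5 min"), sometimes of distinct values (sources, user names) rather than raw events, plus one stateful case (a successful login for a user name that had recent failures). The following is an added example, not code from the wiki page, showing how such thresholds become sliding-window detectors run over constructed sample events. The event fields, the `is_internal` range, the grouping chosen for each rule, the 10-minute look-back and 3-failure minimum for the success-after-failures case, and the sample data are all assumptions made for the example.

```python
"""Added example (not from the wiki page): sliding-window detectors for a few
of the failed-login use cases, run over constructed sample events.
Event fields, rule grouping and sample data are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src: str                   # source address
    host: str                  # asset the login was attempted on
    user: str                  # target user name
    success: bool
    user_exists: bool = True   # False for names not present in the directory


@dataclass
class Rule:
    name: str
    threshold: int
    window: timedelta
    key: Callable[[LoginEvent], str]                        # what the count is grouped by
    distinct: Optional[Callable[[LoginEvent], str]] = None  # count distinct values of this, not events
    match: Callable[[LoginEvent], bool] = lambda e: not e.success


def is_internal(ip: str) -> bool:
    return ip.startswith("10.")   # assumption: 10/8 is the internal range


# Thresholds and windows follow the use-case text; the grouping is our interpretation.
RULES = [
    Rule("failed logins to single account from multiple sources", 4, timedelta(minutes=5),
         key=lambda e: e.user, distinct=lambda e: e.src),
    Rule("failed logins from internal source to non-existent user names", 20, timedelta(minutes=10),
         key=lambda e: e.src, distinct=lambda e: e.user,
         match=lambda e: not e.success and not e.user_exists and is_internal(e.src)),
    Rule("failed logins to single host", 250, timedelta(minutes=2),
         key=lambda e: e.host),
]


class Detector:
    def __init__(self, rules, success_after_failures=3, lookback=timedelta(minutes=10)):
        self.rules = rules
        self.windows = {r.name: defaultdict(deque) for r in rules}  # rule -> key -> deque of (ts, value)
        self.fired = set()                                          # (rule, key) already alerted once
        self.failures_by_user = defaultdict(deque)                  # user -> failure timestamps
        self.success_after_failures = success_after_failures
        self.lookback = lookback

    def feed(self, e: LoginEvent):
        """Feed one event (in time order); returns the alerts it triggers."""
        alerts = []
        for r in self.rules:
            if not r.match(e):
                continue
            k = r.key(e)
            q = self.windows[r.name][k]
            q.append((e.ts, r.distinct(e) if r.distinct else None))
            while q and e.ts - q[0][0] > r.window:   # expire entries outside the window
                q.popleft()
            n = len({v for _, v in q}) if r.distinct else len(q)
            if n >= r.threshold and (r.name, k) not in self.fired:
                self.fired.add((r.name, k))
                alerts.append((r.name, k, n))
        # Successful login involving a user name with multiple recent failures
        fq = self.failures_by_user[e.user]
        while fq and e.ts - fq[0] > self.lookback:
            fq.popleft()
        if e.success:
            if len(fq) >= self.success_after_failures:
                alerts.append(("success after multiple failures", e.user, len(fq)))
            fq.clear()
        else:
            fq.append(e.ts)
        return alerts


def run(events):
    d = Detector(RULES)
    out = []
    for e in sorted(events, key=lambda e: e.ts):
        out.extend(d.feed(e))
    return out


def sample_events():
    """Constructed sample data: a password spray on one account from four sources
    followed by a success, and an internal host trying 20 user names that do not exist."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    ev = []
    for i, src in enumerate(["203.0.113.10", "198.51.100.7", "203.0.113.11", "192.0.2.9"]):
        ev.append(LoginEvent(t0 + timedelta(seconds=30 * i), src, "dc01", "svc_backup", False))
    ev.append(LoginEvent(t0 + timedelta(minutes=3), "192.0.2.9", "dc01", "svc_backup", True))
    for i in range(20):
        ev.append(LoginEvent(t0 + timedelta(seconds=10 * i), "10.0.0.5", "fs01",
                             f"ghost{i}", False, user_exists=False))
    return ev


if __name__ == "__main__":
    for name, key, count in run(sample_events()):
        print(f"{name}: {key} ({count})")
```

Each rule alerts once per group key for an episode (the `fired` set), which is what you want for a ticket-generating alert; a dashboard widget would instead plot `n` on every event. The "Many Failed Logins From a Source to Multiple Assets" and the per-host "unique target user names" cases fit the same `Rule` shape with `key` set to the source or host and `distinct` set to the asset or user name.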