Hi all,
I'm new to LEM and am considering it as a central console for the future SOC in my current company.
I just want to leave my list of use cases here and share in the future "how to" realize them.
Don't hesitate to share your use cases (and a description of how you implemented them) that can be useful for the community.
I'd be glad to discuss this topic in as much detail as possible.
So, my list (being updated):
Encryption
- Encrypted traffic identified (a list of sources that are allowed to receive encrypted traffic is needed)
- SSL certificate of website XXX expires soon
- Remote user (VPN) is trying to use an expired SSL certificate
User activity monitoring
- Any activity after working hours
- New user created (OS/Application/Device): Who (admin/service account name) / where the 'who' account created the new user (AD, app etc.) / Date:Time when the 'who' account logged in to the 'where' / Connection type to 'where' (intranet, VPN) / IP:DNS:OS of the remote host that was used to connect to 'where' / Object that was read:modified / What exactly was entered / Date:Time of exit:disconnection
- User added into Administrative group
- User changed his password very soon (X days after last change)
- User changed his password during a virus/DDoS/etc. attack
- User privileges were changed
- User was deleted
- Unsuccessful logon more than X times per minute
- Unsuccessful logon with expired/blocked credentials more than X times per minute
- Successful root (Unix OS) Logon
- Root: Logging every command / shell command
- Logon without AD/Radius/Kerberos etc. (e.g. local accounts)
- Unregistered external device connected
- Workstation Logon under one account and then logon to the target system under another (e.g. login attempt not under the account from the list of admins)
- Connection via VPN under one account and further access to the target system under another one
- A user attempts to connect to a website with a low reputation
- Running a TeamViewer-like connection (notification before the connection is established). Attempting to connect to specific ports (TeamViewer = 5938)
- Similar account login from different geographical places
- Multiple login failures from the same username/IP address to the same destination, followed by a success
- If the credentials of a user on leave or an ex-employee have been used in any way
- Frequent admin account logons on the same host
- Sudo actions (“sudo: … COMMAND=…” “FAILED su”)
- Service failure (“failed” or “failure”)
- Changing the user certificate
- Authentication with a revoked certificate
- User left the office but his account is in use
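Three of the items above (unsuccessful logons above a per-minute threshold, a run of failures followed by a success from the same user/IP, and sudo command logging) written out as plain detection logic. This is an added example, not code from the original post or from LEM; the log layout and sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not real data): failures ending in a success, one unrelated failure, one sudo command.
SAMPLE_LOG = """\
2024-01-10T09:00:01 host1 sshd: Failed password for alice from 10.0.0.5
2024-01-10T09:00:07 host1 sshd: Failed password for alice from 10.0.0.5
2024-01-10T09:00:13 host1 sshd: Failed password for alice from 10.0.0.5
2024-01-10T09:00:31 host1 sshd: Accepted password for alice from 10.0.0.5
2024-01-10T09:02:00 host1 sshd: Failed password for invalid user test from 10.0.0.9
2024-01-10T09:05:00 host1 sudo: alice : TTY=pts/0 ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+): (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
OK_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")

def parse(log):
    """Split raw lines into fields; lines that do not match the assumed layout are dropped."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def failed_logons_per_minute(events, threshold):
    """Use case 'unsuccessful logon more than X times per minute': count per (user, IP, minute)."""
    counts = defaultdict(int)
    for ev in events:
        if m := FAIL_RE.search(ev["msg"]):
            counts[(m["user"], m["ip"], ev["ts"][:16])] += 1  # ts[:16] is YYYY-MM-DDTHH:MM
    return [key + (n,) for key, n in counts.items() if n > threshold]

def failures_then_success(events, min_failures):
    """Use case 'multiple login failures followed by success': a failure run from one (user, IP) ends in Accepted."""
    run, alerts = defaultdict(int), []
    for ev in events:
        if fm := FAIL_RE.search(ev["msg"]):
            run[(fm["user"], fm["ip"])] += 1
        elif om := OK_RE.search(ev["msg"]):
            key = (om["user"], om["ip"])
            if run[key] >= min_failures:
                alerts.append((*key, run[key], ev["ts"]))
            run[key] = 0  # any success resets the run for that pair
    return alerts

def sudo_commands(events):
    """Use case 'sudo actions': who ran which command through sudo."""
    out = []
    for ev in events:
        if ev["prog"] == "sudo" and (m := SUDO_RE.match(ev["msg"])):
            out.append((m["user"], m["cmd"]))
    return out
```

The thresholds (X) are parameters so the same functions can be tuned per host class, which is what the "X times per minute" wording in the list leaves open.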
Information systems
- Start, stop or pause logging of events on each IS
- Create or delete system-level objects, such as database tables or stored procedures
- Changing the integrity of files and detecting changes to the event logs
- Changing the configuration of the OS and / or service
- The time difference between NTP1 and NTP2 compared to an external source is greater than X s
- NTP1 / 2 became inaccessible to host
- Integration with vulnerability scanners
- Increased virus activity -> active sessions on the IP
- Exceeding the average load of external channels by 10%
- Excess of the average antivirus response rate for a certain period
- A rule is triggered on the IDS/IPS
- XSS Attacks identified
- SQL injection identified
- Hostile email attachments identified
- Restart/Shutdown critical servers
- Any config changed
- LEM Agent has been tampered with
- If an infected machine receives an SSH login attempt
- Which servers were recently attacked with an exploit, compared against a recent scan of the same server
- OS fingerprinting by an attacker has occurred
- Auditing has been removed, changed or altered
- Access to any device from other than the admin or authorized users
- If the firewall has a critical policy change (this differs from one brand to another, as you might not find the same naming of the event in all brands)
- If x number of changes have been made on a firewall over x period of time by x user
- If machine's time has changed
- Track on each new virus detected on the environment
Networks
- Channels between sites went down
- Unsuccessful attempts to connect to a VPN hub
- Attempts to break into L2VPN / IPSec tunnels
- Network scanning (nmap, scanners, brute force, epidemics, DDoS, etc.)
- Mass attempts to connect to IS from an untrusted network
- Mass attempts to connect to IP with IP not from the whitelist
- Establishing a VPN connection from untrusted countries
- Changing the configuration of network equipment
- Ping Sweep
- If a new port has opened on the firewall for in/out traffic
- If the FTP site has been accessed from an unknown address
- If tunneled data is detected on the network
- If RAR files are being continuously uploaded in some fixed partition size format
- If online messengers are used to chat and transfer files
- If malicious traffic is seen hitting critical servers of the infra
- Detecting BitTorrent or P2P traffic
- If a remote session was taken to a critical server for more than an hour
- Network resources have been accessed in non working hours
- Taking SSH, Telnet etc. sessions on non-standard ports
- Attacks on internet gateways
- Bandwidth and protocol usage (“limit … exceeded”, “CPU utilization”)
- Detected attack activity (“attack from”)
- Administrator access (“AAA user …”, “User … locked out”, “login failed”)