List of Sample Use Cases – Draft version 2

Windows
Server Shutdown/ Reboot
Removable media detected
Windows abnormal shutdown
Login attempts with the same account from different source desktops
Detection of Server shutdown-reboot after office hours
Administrative Group Membership Changed
Unauthorized Default Account Logins
Interactive use of service account
Remote access login - success & failure
Windows Service Stop-Restart
ACL Set on Admin Group members
Windows Account Enabled Disabled
Multiple Windows Account Locked out
Multiple Windows Logins by Same User
Brute force attempt from same source
Logins outside normal business hours
Logins to multiple user accounts from the same source.
Brute force attempt from same source with successful login
Windows Account Created Deleted
Windows Hardware Failure
Failed Login to Multiple Destination from Same Source
Administrative Accounts- Multiple Login failure
Detection of user account added/removed in admin group
Detection of system time changes (Boot time)
Detection of use of default product vendor accounts
User Deleted Within 24hrs of Being Created
Critical service stopped on Windows Servers
Windows Security Log is full
Multiple Password Changes in Short time period
Windows group type was changed.
Audit Policy change
Audit Log cleared
Windows Security Log is full
Detection of user account added
Logon Failure-A logon attempt was made using an expired account
High number of users created/ removed within a short period of time
Outbound Traffic observed from Severs to Internet.
Failed Logins/Attempt with Disabled/Ex-Employee/Expired Accounts
Windows File-Folder Delete
Windows-File Folder Permission Changes
High number of users created/removed within a short period of time

Unix
Unix FTP File Import and Export Events
Unix File system full
Server shutdown
Users Created /Deleted within short period
Users Group Created /Removed within short period
Unix-Login attempts with the same account from different source desktops
Failed Logins
Failed Logins with disabled accounts
Unix FTP Login Access
Unix multiple SFTP Connection
Failed logins from root access
Unix Multiple SU login failures
Remote Logon Attempts using Root User on Production Node
Sudo access from Non sudo users
Detection of use of default product vendor accounts
Adding or Removing users to the group "root"
Critical Service Stop
Unix-High number of login failure for the same account within a short time
Password Changed
Adding, removing and modifying cron jobs
SU login failures.
Detection of change in syslog configuration
Detection of change in network configuration

ASA
Administrator Login Failure
Brute force with Successful Configuration Changes
Firewall Failover event.
Successful connection from internet IP after repetitive blocks in firewall
Access attempts on unidentified protocols & port
Exploit Event followed by Scanning Host
Outbound access to invalid destination Ips
Successful logon between Non-Business Hours
Firewalls reboot.
Detection of user account/group modifications
User Added/Deleted to Firewall Database.
Detection of insecure traffic like FTP, telnet, on critical servers
Detection of adding/deletion of a Firewall admin
Login Denied (Brute Force)
High number of Denied events.
Configuration Change detected.
The link to peer device is down either because of physical cabling issue or NSRP configuration
issue
Network and Host Port Scan Attempts
Detection of Primary-Secondary Switch Over
An admin has allowed/removed access to the firewall from a particular IP
Detected P2P traffic
Alerting high CPU utilization on firewall
Firewall failed to allocate RAM memory
Detection of any kind of failure related to Standby FW
Top dropped traffic from DMZ, FW
Outbound Traffic observed on Important Ports.
Successful Outbound Traffic to Blacklisted Threat IP Address
Multiple Failed Outbound Traffic to Blacklisted Threat IP Address

Checkpoint
Firewall critical alert observed
VPN configuration change observed
Administrator Login Failure detected
Successful logon between Non- Business Hours
Successful access from Suspicious Countries
Checkpoint Service restarts
Firewall Cluster/Gateway Configuration Change
CPU Utilization High
Checkpoint Policy Installed
High number of denied events
Smart-Defense Signature Based Alert
VPN Certificate Verification Failure
Configuration Change detected
Firewalls reboot.

Exchange
Top 10 users sending mails to external domains
Top 10 Email Receivers/Senders
Data Leakage Identified through
Large file send via mail
Malicious/Suspicious attachments identified
Email Usage Group IDs
Monitoring mails going out from the company domain to other domains after Office Hours
High Email Bandwidth utilization by individual users
Detection of Undelivered Messages
Mailbox Access by Another user
User sending a Message as another user
User Sending a Message on behalf another user
Detection of Users login to the Mail Box which is not their Primary Account
Detection of Auto Redirected Mails
Top 10 users sending mails internally
SMTP gateway sudden spike in Incoming mails
High number of rejected mails from single “from” address
Detection of Users login to the Mail Box which is not their Primary Account
Detection of Auto Redirected Mails

Wireless/VPN
Rouge Network Traffic Detected.
Top VPN Account Logged in from Multiple Remote Locations
Top VPN Account Logged in From VPN and on Local Network
Wireless unauthorized login attempts
Wireless authorization server is down.
Anonymous login from unknown IP address
VPN Account logged in from multiple locations in short span of time, or from suspicious
countries
Simultaneous Login from Multiple Locations for Single User
VPN Connection beyond 24 Hour
VPN Access from Internal IP Address
VPN access from overseas
Rogue AP detected.
Wireless AP rebooted
Wireless unsecure AP detected
VPN access from onshore team
VPN access and Access card on Onshore observed

Cisco IPS
UNIX Password File Access Attempt
IPS High Alert
Possible Exploit of Vulnerability
Probable Port Scanning in the network
SQL Injection Attempt
Virus Traffic in the network
Signature Based Attacks

Proxy
Access attempts on unidentified protocols & port
Malware Domain Access Report
Proxy Category based Summary Report
Malware IP Access Report
Potentially Unwanted Software access
Dynamic DNS Host
Malicious Sources/Malnets
Malicious Outbound Data/Botnets
Peer-to-Peer (P2P)
Proxy Avoidance
Remote Access Tools
Access from unusual User Agent
Post request to uncategorized sites after office hours
Unwanted Internet Access
Proxy configuration changes
Proxy failed login attempt
Content access violation
Anonymous proxy access
Hacker tool website access
Access attempts by BOTNET identified by HTTP Request header

Oracle/DB
Oracle password expired
Critical command usage
Critical commands executed on the database during non-business hours
Oracle- Update or Insert Commands
Oracle user Created/Deleted
Multiple login failures observed for database
Database Schema Creation/Modification
Top Query Execution Failures.
Monitoring login attempts on database
Use of default vendor accounts against policy
Database access during non-business hours
Login failures for sys/system or privileged accounts
Connection to production databases from disallowed network segments

Router and Switches

Emergency router error messages
BGP Neighbor Relationship Status Change
Router-Power supply failure
Configuration Change
Critical messages observed from the SWITCH
Alert messages observed from the SWITCH
Detection of Antispam
File Dropped due to large size
Detection of application process proxy
Detection of land attack
Detection of Ping of death attack
Detection of new policy addition
Detection of policy violation
Virus traffic
Content filtering detected
Authentication failure/success

AV
AV Virus Detected
AV Detection of Backdoor traffic in the network
Removable Storage Identified
AV Malware Infection Identified (Not quarantined/cleaned/deleted/moved)
Multiple AV Malware Infection Identified from Same Host
Multiple Sources accessing the same Malware URL
Multiple Types of AV Malware Infection Identified from Same Host
Detection failure of Antivirus DAT update in end user machines
Detection of Worm outbreak in the network
Detection of Virus Outbreak
Attempt to stop the Adhoc/daily scan schedules
Detection of Backdoor traffic in the network
Attempt to stop the AV Services
Attempt to stop the critical AV modules
AV identified the Rogue machines in the network
Detection of the scan which is stopped before it completes
Detection of the scheduled scan is stopped/paused (delayed)
Detection of the computer which is not protected with latest definitions
Detection of the new client software installed
Detection of the client software uninstalled
AV Malware Breakout Identified across multiple machines on same Subnet/ Different Subnet
Multiple re-occurrence of same Infection identified from same machine (AL and Trend -
Historical)
Multiple re-occurrence of unique Infection identified from same machine (AL and Trend -
Historical)
Blacklist Domain/IP Addresses monitoring of traffic emerging to/from the Infected machine (AL
and Trend - Real Time)
Brute Force/port or host scan/privilege elevation access attempt from the Infected machine (AL
and Trend - Real Time)
Attempt to restart AV service or process, AV modules from Infected machine.
Access to critical file share, network path, SSH or Remote RDP attempt from the Infected Host.

Uncategorized:
Default User Account Usage
Inactive User Accounts
After Hour VPN Assess Monitoring
Firewall Top Talkers
P2P Traffic
Distributed Host Port Scan
Distributed Network Host Scan
SYN Flood by IDS/Firewall
High Number of Denied Connections for a Single Host
Worm/Virus Outbreak Detected
Outbound/Inbound Network Sweep
AV Update Failed
Malware IP Access
Malware URL Access
Hacking attempt on web portal
Data Leakage
Detection of BOTNET infection in Internal LAN
Unauthorised access from Third Party or vendor networks
Infected Host Activities
Suspicious, Adware, Phishing and Hacking Activities
Unwanted Software’s
AV Malware Breakout Identified across multiple machines
Monitor Development team’s access to Production systems
Blacklisted IP
Blacklisted IP Pass after multiple Firewall Block
Blacklisted URL
Data Overview Trend
Outbound Traffic to Suspicious Countries
Outbound Traffic to Suspicious port
Outbound Traffic to Suspicious Services
Terminated User Activity
Malicious Traffic to Vulnerable Asset
Communications to Bad Domains
Communications to Blacklisted Domains/IP’s
Data Transfer involved on Blacklisted Domains/IP’s
Outbound traffic involving Database
Cross Site Scripting
Script Injection
Malicious Activity
Detection of FW Interface Status Changes/Failures
Insecure Protocol Usage - Detection of insecure traffic like FTP, telnet ,VNC on critical servers.
VPN Access from Outside Country
Suspicious VPN Login Attempts
Detection of service stop on ESX servers
Detection of multiple user failed logins on ESX servers from the same source
Detection of ESX server shutdown/restart
Detection of virtual machine start/stop/resume/reboot
Detection of addition/removal of a host on vCenter
Detection of virtual machine creation/removal on vCenter
Probable XSS attack observed
Probable Directory Traversal attack observed
Suspicious HTTP methods observed
HTTP Request Other Than GET, POST, HEAD and OPTIONS
Probable SQL Injection attack observed
Web Attack- Vulnerability scanning using Nessus

Use Case Form

Use Case ID
Use Case Name
Submitter Name
Submission Date
Problem Description / Overview – What are you trying to detect?

Description: What security issue is there a concern about? What bad security event are you
attempting to detect? Can it be clearly defined? If the description is vague, there can be no
clear solution.

Good Examples:

1 – A security log on a Windows Server should not be cleared. If one is cleared, that can indicate
a hacker clearing traces of their attack and should be detected.

2 – If a user who is no longer employed at the company (terminated, retired, deceased, etc.)
logs in to a UNIX server, that action is bad and should be detected.

Bad Examples:

1 – Monitor the UNIX servers and make sure no one does anything that they shouldn’t.
Problem: What shouldn’t they do?

Current Solution – How is the problem being addressed today?

Description: Is this an improvement to an existing solution, or is this a new solution? Is there

currently a workaround or other method whereby some or all of the requirements are being
met? Is it a manual review of log files? Is it a periodic spot check?

Good Examples:

1 – The login failures are being printed out in a report from the UNIX servers, and Jack Black is
manually reviewing them for possible exposed passwords. This process is very time and
resource consuming, is not near-real time, and is prone to mistakes or oversights.

2 – There is currently no solution for this problem. This is a gap.

Bad Examples:

1 – I think that someone might be looking at this, but I am not sure.

Problem: Possible duplication of effort.

Priority / Risk – What is the cost of NOT solving this problem?

Description: What is the risk or penalty for not doing this effort? Is there an open audit finding
for this issue? Is this required to meet a legal or regulatory compliance effort? Is there a known
attack or exploit that this could detect? Is a specific VP requesting that this be accomplished?

Good Examples:

1 – In order to meet the PCI audit that will occur on November 15 th this requirement must be
met. Our company’s lead for this effort is Cary Grant and he can be reached at 555-1212.

2 –There is an open internal audit finding (#12345) that I have attached to this ticket. The
resolution requirement is April 15th and the Internal Auditor assigned to this is Myrna Loy.

Bad Examples:

1 – If we don’t detect this, bad things will happen.

Problem: What bad things?

2 – I read about this in a magazine. We should do this.

Problem: Why is what you read relevant to our company? What specific issue will happen if we
do not?

Feed Identification – Where do the Security Events come from or Event Sources?

Description: What events can deliver the information required to meet the requirements set
forth in Section 1? What technology generates these events? What specific systems? (Host
names, IP addresses, etc.) Which contacts can assist in obtaining these events from these
systems?

Good Examples:

1 – The Windows Security events need to be obtained from all of the Windows Servers located
in the Credit Card Enclave. There is a spreadsheet attached with all of the host names and IP
addresses. Brad Pitt on the Windows Server Team is the correct contact.

2 – All UNIX servers need to have their events analyzed for this. The correct contact for this is
Jane Powell on the Midrange Team. The Midrange team maintains a list of all of the servers
and can supply it for this effort. The employee status can be obtained from the PeopleSoft
Database. The contact for that database is Gregory Peck.

Bad Examples:

1 – Look at all of the company’s devices for this hacker activity.

Problem: What are “all of the company’s devices”? What is “hacker activity”?
Sample Events – What does it look like when it occurs or events of interest?

Description: Samples of the events from the correct sources that contain all of the necessary
data to be able to detect when the requirements in Section 1 have occurred must be supplied.
If there are multiple source events that must be correlated together, then all of those event
samples must be supplied.

Note: If an event does not contain enough information to make a decision and determine that
the requirements in Section 1 have been met, then this is not a viable Use Case. The SEM can
only make decisions when it has the data to do so.

Note: If an event may contain enough information to make a decision and determine that the
requirements in Section 1 have been met, but there are no examples of this ever having
occurred, then this is not a viable Use Case. The SEM can only make decisions when it has the
data to do so.

Good Examples:
1 – The Windows Servers generate an event with a security ID of 517. Any events with this ID
are suspect. Enclosed is a screenshot of an event on the Windows Server showing one of
these events.

2 – A syslog event from a UNIX server that shows a successful login with an id that matches an
ID in the PeopleSoft database which is flagged as terminated, retired or deceased would
indicate one of these events. Attached is both a text file of the syslog events showing a
successful login on a UNIX server and a text file showing a CSV extract of the PeopleSoft
database showing examples of active, terminated, retired, and deceased employees.

Bad Examples:

1 – The UNIX server should have some kind of log for this activity.
Problem: If samples can not be provided, then it may not be possible to accomplish this use case.

Action requirements – What needs to be done when it occurs and how the content
operates?

Description: Once the events are seen and the determination that the requirements in Section
1 have been met, what actions need to be taken to remediate the identified issue? Does an
email need to be sent to a specific team? Should the FBI be notified?

Note: If the requestor does not know what needs to be done, the iSOC can work with the
requestor to attempt to determine a viable option. However, if one cannot be determined,
then the Use Case cannot proceed.

Good Examples:

1 – This event is a very rare occurrence. There are very few false positives. When detected, an
alert will go into the iSOC queue and be worked. The iSOC analyst will contact the
appropriate Windows Server Team Member, as identified by the Server Database. That
administrator will either identify a legitimate reason why this occurred, or an Incident will
be declared and the Windows Server will be treated like it has been compromised.

2 – The user ID will be validated if they are a contractor or not. If it is a contractor, the iSOC will
contact the contractor representative, Bing Crosby, and confirm if the contractor’s contract
was extended without a proper PeopleSoft update. If yes, then this is a false positive and
 will be closed. If no, or if this is a full time employee, this will be declared an incident and be
treated like a Breach.

Bad Examples:

1 – The iSOC gets an alert and handles it.

Note: If part of the Action Requirements requires notification of a team or person via email,
phone, snmp, etc. then these notification requirements must be specifically spelled out. (Full
names, phone numbers with area codes, alternate contacts, email addresses, etc.)

Known False Positives – Are there scenarios where this is okay?

Description: Sometimes an event that would typically denote that something bad has occurred
can, under the proper context, be proven to have been benign. Sometimes these scenarios are
known beforehand and can be taken into account when building the SEM content and filtered
out to avoid taking action on these. Any efforts taken now can greatly enhance the acceptance
of the new SEM content by those who will be contacted as part of the actions taken. In addition
to wasting valuable resources, a solution that generates a high volume of false positives can
negatively affect morale.

Good Examples:

1 – No users should ever log in to a UNIX server directly using the “root” user account. All logins
should be made with the user’s individual account and then elevate to root level access as
warranted. This provides proper logging of who is performing what actions in the audit logs.
However, when a new UNIX server is in “build” status, the individual accounts have not yet
been created and logging directly in as “root” is acceptable. The server build status can be
obtained from the Enterprise CMDB. The contact for the CMDB is Bob Hope.

2 – A “UDP Host Scan” event can be triggered by a malicious actor (“hacker”) attempting to do
reconnaissance on servers and is typically a precursor to further attacks. However, a dns
server is known to have normal activity that can cause this IDS signature to fire falsely.
Attached is a list of the enterprise’s known internal and external dns servers. Please filter
these source host addresses out from firing this signature.

Bad Examples:
1 – Just assume that they are all bad. We can figure out the false positives as we go.

2 – Just show us when they do something that they don’t normally do.
Problem: You as the SME are in a better position to know normal and not normal activity. The
analyst has no easy way to determine this and respond.

Test Scenarios – Can this action be recreated for testing?

Description: If an event can be recreated in a test scenario, then SEM content can be created
and validated much quicker and more thoroughly. If the analyst must wait for a rare event to
occur naturally then it may not be possible to provide a high level of confidence that the
content will perform as desired. Ideally, test scenarios for both true positives and false positives
can be performed as necessary.

Good Examples:

1 – If a user who is no longer employed at the company (terminated, retired, deceased, etc.)
logs in to a UNIX server, that action is bad and should be detected. For a test, the analyst
can change a UNIX administrator’s status from “active” to “terminated” and have them
login to generate the event. Then the analyst can change a UNIX administrator’s status back
from “terminated” to “active” and have them login to validate the absence of an event.

2 – A security log on a Windows Server should not be cleared. There is a test server,
servername1, which can have its Security log safely cleared on demand, generating the
necessary windows event with the security ID of 517. You can contact Basil Rathbone on the
Windows Server Team to perform this task.

Bad Examples:

1 – There is no way to test this.

Note: The absence of a viable test doe not completely invalidate a use case, however the
submitter must acknowledge that the content will be “best effort” with a lower level of
confidence that it will work as intended.

2 – There is a way to test this, but it will only generate the event some of the time.
Problem: A test that does not generate reliable results cannot be considered a viable test.
Use Case Overview –How you are going to view/present that ?

Description: What security issue is there a concern about? What bad security event are you
attempting to detect? Can it be clearly defined? If the description is vague, there can be no
clear solution. How you are going to present those threat scenarios and how it can be analyzed
by the CSIRT.
Either Dashboards, Reports, Trends and Rules.

Good Examples:

1 – The Baseline and threshold violation are detected using the Trends and Dashboards

2 – If a user who is no longer employed at the company (terminated, retired, deceased, etc.)
logs in to a UNIX server, that action is bad and should be detected as high priority alert.

3 – List of Multiple Failed logins and Account lockouts are not alert/dashboard criteria, but used
by the System administrators.

Bad Examples:

1 – Creating a Dashboard with 1 month buffer to analyse the anomalies.

Problem: Performance issues with the Manager.

Next Release will contain complete list of use cases and the Methods for building complex
Use cases. Stay tuned.

References:
Cindy Jones - SEM Use Case Form - Version 1.1.doc