
Category | Sub Category | Use Case | Log Source | RSA Supported

Business Use Cases

Identity Management | - | Monitor for use of disabled usernames | Active Directory, Databases, Applications, Web Proxy, HR data | Integrating Windows AD and monitoring event IDs for user login attempts, correlating with the status of the user in AD
Access/Authentication | Password Guessing | Possible successful brute force attack detected | All event sources | OOB
Access/Authentication | Password Guessing | Possible successful brute force attack detected on critical devices/servers | Critical devices and servers | Criticality context to be incorporated using feed integration from secops EM
Access/Authentication | Enterprise Services Access Management | Increase in failed domain admin account logins detected | All event sources | User activity trend dashboard monitoring for user login activity
Access/Authentication | Perimeter & Network Security | Increase in failed remote login attempts detected | Windows, Unix, Firewalls, IDS & IPS, Access controls & VPN | User activity trend dashboard monitoring for user login activity
Access/Authentication | Enterprise Services Access Management | Unusual number of failed/successful vendor/default user login attempts | All Network, Host, Server & Security devices | User activity trend dashboard monitoring/alerting for privilege user login activity
Access/Authentication | Perimeter & Network Security | Password change on a known privileged account detected | All Windows, Unix, VPN, Database, Firewall & FIM | Privilege account monitoring alert/dashboard/chart
Audit Trail | System Health | Tampering of system audit logs detected | All event sources | Integration of SA audit logs with decoder for monitoring user audit activity
Physical Security | Policy violation | Employee absenteeism – badge sharing detection | Physical Access logs & AD logs | Integration of HID access card DB and AD last login details with feeds from the Leave Management system to monitor employee movements and access requests
Physical Security | Policy violation | Time tracker and attendance policy violation | VPN, My Time Application & Physical Access logs | Time from Access Control matched with HID Access in-time and out-time for employee work hours policy monitoring
Enterprise Services Access Management | - | Password sharing – policy access violation | All event sources | Same user login from different machines or locations in a specific time, or any such attempts being made more than once
Enterprise Services Access Management | - | Unauthorized use of service account | Windows OS | Service account monitoring
Enterprise Windows account Management | - | RDP attempts from local admin account | Windows OS | Monitoring remote desktop port usage and identifying any such attempts, providing a dashboard or report for such admin activities
Network Security | - | Server access from unauthorized IP address | Firewall logs | -
Network Security | - | Internet access by unauthorized server | Internet Firewall, Proxy | List of such users to be provided for web activity monitoring
Network Security | - | Policy violation - Internet access from authorized server | Internet Firewall, Proxy | Proxy policy violation reports, user-wise
Network Security | - | Reverse proxy bypass - application accessed externally | Internet Firewalls | Any access requests to web servers or applications not published to the external internet
Network Security | - | Insecure application access - non-HTTPS | Firewall logs | Non-standard port using a known service, like FTP over HTTP protocol
Operational / Functional | System Health | Device stopped sending logs | Proposed solution logs | Health and wellness built-in system
Operational / Functional | System Health | Log source stopped sending logs after reboot | All event sources | Health and wellness built-in system
Operational / Functional | System Health | Disk array capacity approaching threshold | Proposed solution logs | Health and wellness built-in system
Operational / Functional | System Health | Possible system instability state detected | All event sources | Health and wellness built-in system
Operational / Functional | System Health | System shutdown | Proposed solution logs | Health and wellness built-in system
Operational / Functional | System Health | Backup and recovery: failed | Proposed solution logs | Health and wellness built-in system
Operational / Functional | System Health | Backup and recovery: cancelled | Proposed solution logs | Health and wellness built-in system
Operational / Functional | Perimeter & Network Security | Network performance degradation detected | All routers, switches & firewalls | Using NetFlow, session monitoring can detect any deviations in usage
Operational / Functional | System metrics | Windows service state change | Windows OS | Monitoring Windows event logs
Operational / Functional | System metrics | Successful or failed installation/updating of any package | Proposed solution logs | Enable Windows logging for auditing with file audits and folder audits in addition to Application, Security and System logs
Operational / Functional | System metrics | EPS warning – EPS approaching limit | Proposed solution logs | On-screen nag screens and notifications can be configured for such monitoring
Operational / Functional | System metrics | Log source added/deleted | Proposed solution logs | Built-in system to notify on any new integrations
Operational / Functional | System metrics | User added to “remote user group” | Active Directory | AD user activity log, AD group monitoring
Operational / Functional | System metrics | User added as part of “domain administrator” & “local administrator” group | Active Directory | AD user activity log monitoring
Operational / Functional | System metrics | New Windows service installation | Windows OS | Windows system and application security logs
Operational / Functional | System metrics | User added to VPN administrative group | Active Directory | VPN service and activity log monitoring
Integrity | Integrity Monitoring | Changes to databases holding customer data by unauthorized users | Database System Logs | DB fine-grained auditing
Integrity | Perimeter & Network Security | Configuration change on network & security device intercepted | IDS, IPS, Firewall & VPN | Configuration changes on listed assets to be monitored for any deviations
Integrity | Perimeter & Network Security | Host checker configuration changed on VPN device | VPN device logs | Monitor any changes to the VPN device host checker service on clients through Windows application logs or host checker logs
Privilege Access | Enterprise Services Access Management | Elevation of account privilege followed by restoration of previous state within a period of 24 hrs | All event sources | Privilege user monitoring
Privilege Access | Enterprise Services Access Management | Revocation of user privileges detected | All Windows, Unix, Firewall, IDS & Network Configuration Management solution | Changes in privilege access
Usage Activity | Data transfer | Large file transfer to 3rd-party sites | All Firewall & Web proxy | Using NetFlow and log correlation, session size through FTP uploads or any such transfers on other protocols to be monitored
Usage Activity | Perimeter & Network Security | Monitoring over ports not permitted by policy on Internet-facing firewalls, non-compliant traffic activity | All Internet-facing Firewalls | Using a watchlist of such ports we can monitor the traffic of such users and report or alert on the same
Usage Activity | Perimeter & Network Security | Use of clear-text confidential information detected | IDS, IPS, Web logs, Mail server logs, Database, Unix & Windows | Using network sessions, clear-text confidential information can be detected
Usage Activity | Perimeter & Network Security | Excessive inbound denied connections | Firewall logs | Trend report on session and flow, including firewall logs, to identify what content and data is being transmitted in sessions
Usage Activity | Perimeter & Network Security | Increase in file transfer activity using instant messaging detected | All IDS, IPS, Router & Firewall | Monitor IM traffic for any kind of file sharing activities
Usage Activity | Perimeter & Network Security | Active SYN flood attack detected by network & security devices | All IDS, IPS and Firewall | OOB (this rule works with all IDS, IPS and Firewall devices)
Usage Activity | Perimeter & Network Security | Possible ARP poisoning or spoofing activity detected | All IDS, IPS, Firewalls, Switch & Unix | OOB
Usage Activity | Perimeter & Network Security | Remote data harvesting | VPN device logs | VPN user activity monitoring
Usage Activity | Perimeter & Network Security | High volume of TCP resets | All firewalls | OOB and customizable
Threat Intelligence | Perimeter & Network Security | Communication between internal hosts and known malware distribution site | All IDS, IPS, Firewalls, web proxy & Threat Intelligence feed | OOB. Monitoring using threat intelligence feeds
Threat Intelligence | Perimeter & Network Security | A connection from a server with a known spam-sending host | All IDS, IPS, Firewalls & Threat Intelligence feed | OOB. Monitoring using threat intelligence feeds
Malicious Activity Monitoring | Perimeter & Network Security | Increase in peer-to-peer traffic detected | IDS, IPS, Firewall & VPN | Monitor peer-to-peer protocols, networks and hosts
Malicious Activity Monitoring | Network Security | Unintended download of computer software from the internet | Web Proxy solution | Using packets, any downloads can be monitored and reported for any such anomalies
Malicious Activity Monitoring | Network Security | Successful backdoor attack | All IDS, IPS, Firewalls & Antivirus | Based on the analysis and fusing of threat intelligence feeds, backdoor activity can be tracked; any such patterns can also be customized
Malicious Activity Monitoring | Network Security | Worm propagation in the internal network | All IDS, IPS & Firewalls | Similar worm alerts triggered over LAN/WAN, using NetFlow, can be monitored as lateral movement
Malicious Activity Monitoring | Network Security | SQL injection attack detection | Web server logs | OOB pattern available
Malicious Activity Monitoring | Network Security | Attack exploiting Microsoft Directory service vulnerability detected | All IDS/IPS | MDS monitoring, with IPS signature trigger and correlation against the vulnerability CVE ID
Malicious Activity Monitoring | Network Security | Streaming media detected | All Firewall, Web proxy & IDS/IPS | Using packet and NetFlow data, such downloading activities can be monitored
Malicious Activity Monitoring | Network Security | Possible intruder trying to gain unauthorized access to network | All IDS, IPS, Firewalls, VPN & Threat Intelligence feed | Using threat feeds we can detect any communication to known malware or spam hosts, including blacklisted IPs
Malicious Activity Monitoring | Network Security | Successful connections after denied attempts from the same external source | All firewalls & IDS/IPS | OOB, can be customized
Malicious Activity Monitoring | Network Security | Aggressive database scan | All firewalls | OOB monitoring on DB ports
Malicious Activity Monitoring | Network Security | Virus deletions failed on system side | Antivirus System | Monitoring antivirus client scan actions
Malicious Activity Monitoring | Network Security | System getting infected by the same virus | Antivirus System | Report on virus actions and alerts by using the lookup-and-add function against unique virus name and hostname/IP
Malicious Activity Monitoring | Network Security | High number of Denial of Service (DoS) attacks detected | All IDS, IPS & firewall | OOB
Malicious Activity Monitoring | Network Security | Vulnerability correlation alerts | Vulnerability Data, IPS/IDS | IPS alarms to be correlated with vulnerability scan results for achieving vulnerability-based correlations
Malicious Activity Monitoring | Network Security | Malicious activity - VPN access | Active Directory | Any activity/actions notified by the system evaluated against threat feeds on the VPN system
Malicious Activity Monitoring | Network Security | Malicious activity - deviation of network utilization of resources | Network Monitoring tool | Trend report on bandwidth utilization over a period of time or against a threshold
Microsoft Processes/services | Active Directory | Active Directory schema change | Windows Security Event Logs | AD change logs
Microsoft Processes/services | Active Directory | Active Directory policy modified | Windows Security Event Logs | GPO policy change notifications
Microsoft Processes/services | Exchange | Increase in the number of non-delivery report messages collected from Microsoft Exchange mailboxes | Windows Event Logs | Monitor the mail notifications and report on NDR status for each source and recipient
Microsoft Processes/services | System Health | Patch & update failures | Patch Management Server | Use patch management server logs to see patch status and any actions based on patch deployment jobs
Attack Life Cycle based Use Cases

Category | Sub Category | Use Case | Log Source | RSA Supported
Initial Recon | Port Scan from outside | Horizontal port scan | Internet Facing Firewalls | OOB
Initial Recon | Port Scan from outside | Horizontal port scan on well-known vulnerable ports | Internet Facing Firewalls | OOB
Initial Recon | Port Scan from outside | Horizontal port scan on critical assets (PDMZ) | Internet Facing Firewalls | OOB
Initial Recon | Port Scan from outside | Horizontal port scan on existing vulnerable ports on critical assets (PDMZ) | Internet Facing Firewalls, Vulnerability Management Reports | OOB
Initial Recon | Port Scan from outside | Vertical port scan | Internet Facing Firewalls | OOB
Initial Recon | Port Scan from outside | Vertical port scan on well-known vulnerable ports | Internet Facing Firewalls | OOB
Initial Recon | Port Scan from outside | Vertical port scan on critical assets (PDMZ) | Internet Facing Firewalls | OOB
Initial Recon | Port Scan from outside | Vertical port scan on existing vulnerable ports on critical assets (PDMZ) | Internet Facing Firewalls | OOB
Initial Recon | Port Scan from outside | IDS/IPS port scan on well-known vulnerable ports | Internet IPS/IDS | OOB
Initial Recon | Port Scan from outside | IDS/IPS port scan on critical assets (PDMZ) | Internet IPS/IDS | OOB
Initial Recon | Port Scan from outside | IDS/IPS port scan on well-known vulnerable ports | Internet IPS/IDS | OOB
Initial Recon | Vulnerability Scan from outside | Vulnerability scan | Internet - Firewalls and IDS/IPS | OOB
Initial Recon | Vulnerability Scan from outside | Vulnerability scan on critical assets | Internet - Firewalls and IDS/IPS, Server HIDS/HIPS | Using criticality context to identify the port scan on vulnerable ports
Initial Recon | Communication traffic that is from an unusual geo location source | Communication traffic observed from an unusual geo location source | Internet - Firewalls and IPS/IDS, VPN Devices | Can use data from FW, IPS & IDS with GeoIP enrichment to identify any communication to or from unusual geos
Initial Recon | Communication traffic that is known to be from bad or blacklisted source host addresses | Communication traffic observed from bad or blacklisted source host addresses | Firewalls, IPS/IDS, VPN | Can use data from FW, IPS & IDS with threat intelligence to identify any communication to or from unusual geos
Initial Recon | Slow Scans | Slow horizontal scan | Internet - Firewalls and IDS/IPS | Using logs and packets with threat intelligence to detect any beaconing traffic
Initial Recon | Slow Scans | Slow vertical scan | Internet - Firewalls and IDS/IPS | Using logs and packets with threat intelligence to detect any beaconing traffic
Initial Recon | Slow Scans | Slow box scan (combination of horizontal and vertical scan) | Internet - Firewalls and IDS/IPS | Using logs and packets with threat intelligence to detect any beaconing traffic
Initial Compromise | Spear phishing | Malware downloaded | AV | Using packet capture to analyse the downloaded file for malicious content
Initial Compromise | Weaponized document | Malware downloaded | AV | Using packet capture to analyse the downloaded file for malicious content
Initial Compromise | Watering hole attack | Malware downloaded | Proxy | Using packet capture to analyse the downloaded file for malicious content
Initial Compromise | System exploit | C&C communication attempts | Proxy/Firewall threat feed | Using threat intelligence to identify known CnC communication attempts
Establish Foothold | Install backdoor malware | Malware has been installed | AV | See note (*) below
Establish Foothold | Create command and control infrastructure | C&C communication denied by firewall/proxy | Firewalls/Proxy - Threat Feed | Using threat intelligence to identify known CnC communication attempts
Establish Foothold | Create command and control infrastructure | Successful C&C communication | Firewalls/Proxy - Threat Feed | Using threat intelligence to identify known CnC communication attempts
Establish Foothold | Install keyloggers | Unauthorized software installed - key loggers | AV | See note (*) below
Escalate Privileges | - | Privilege escalation alerts | Windows OS | Any privilege escalations monitored for changes
Escalate Privileges | Dump password hashes | Unauthorized software installed - password hash dumping tool | AV / EDR | See note (*) below
Escalate Privileges | Rootkits | Successful privilege escalation alerts | Windows OS | See note (*) below
Escalate Privileges | Rootkits | Rootkits installed | AV | See note (*) below
Escalate Privileges | Retrieve password hashes | Password hash transport detected | NIDS/NIPS (signature to capture NTLM password hash in clear text) | Using a parser for content analysis, packet capture can detect the clear-text transport of hashes or other data
Escalate Privileges | Traffic sniffing | Network adaptor going into promiscuous mode (whitelist for apps like Symantec HIDS) | Windows/Unix OS | OOB
Escalate Privileges | Keylogging | Unauthorized software installed - key loggers | AV | See note (*) below
Internal Recon | Gather system information, network information, hardware info | Inside - horizontal port scan | Firewalls, IPS/IDS | OOB
Internal Recon | Gather system information, network information, hardware info | Inside - horizontal port scan on well-known vulnerable ports | Firewalls, IPS/IDS | OOB
Internal Recon | Gather system information, network information, hardware info | Inside - horizontal port scan on critical assets (PDMZ) | Firewalls, IPS/IDS | OOB
Internal Recon | Gather system information, network information, hardware info | Inside - horizontal port scan on existing vulnerable ports on critical assets (PDMZ) | Firewalls, IPS/IDS | OOB
Internal Recon | Gather system information, network information, hardware info | Inside - vertical port scan | Firewalls, IPS/IDS | OOB
Internal Recon | Gather system information, network information, hardware info | Inside - vertical port scan on well-known vulnerable ports | Firewalls, IPS/IDS | OOB
Internal Recon | Gather system information, network information, hardware info | Inside - vertical port scan on critical assets | Firewalls, IPS/IDS | OOB
Internal Recon | Gather system information, network information, hardware info | Inside - vertical port scan on existing vulnerable ports on critical assets | Firewalls, IPS/IDS | OOB
Internal Recon | Gather system information, network information, hardware info | Inside - HIDS/HIPS port scan on well-known vulnerable ports | Firewalls, IPS/IDS | OOB
Internal Recon | Gather system information, network information, hardware info | Inside - HIDS/HIPS port scan on critical assets | Firewalls, IPS/IDS | OOB
Internal Recon | Gather system information, network information, hardware info | Inside - HIDS/HIPS port scan on well-known vulnerable ports | Firewalls, IPS/IDS | OOB
Internal Recon | Gather system information, network information, hardware info | Inside - vulnerability scan | Firewalls, IPS/IDS | OOB
Internal Recon | Gather system information, network information, hardware info | Inside - vulnerability scan on critical assets | Firewalls, IPS/IDS | OOB
Internal Recon | Gather system information, network information, hardware info | Inside - ARP broadcast detected | Firewalls, IPS/IDS | Using NetFlow or packet capture
Internal Recon | Looks at files and documents, explores file shares | Workstation to workstation communication | Windows OS, SEPM | Internal communication monitoring, user-to-user VLAN
Internal Recon | Looks at files and documents, explores file shares | User behavior anomaly detected | - | See the solution description (**) below
Move Laterally | Use of psexec, scheduled tasks (at command), WMI | Capture scheduled tasks with task name "At<number>", event IDs 602 and 4698 | Windows OS | Can be achieved using event IDs from Windows system event logs
Move Laterally | Use of psexec, scheduled tasks (at command), WMI | psexec: monitor event log service install 4697 with service name psexesvc | Windows OS | Can be achieved using event IDs from Windows system event logs
Move Laterally | Use of valid credentials over SMB or RDP | Anomaly detection using event logs | User behavior analysis | Internal communication monitoring for user behaviour changes such as frequent multiple failed and successful logins
Move Laterally | Use of valid credentials over SMB or RDP | Desktop to desktop communication observed | SEPM/HIDS (personal firewall) | Internal communication monitoring for user behaviour changes such as frequent multiple failed and successful logins
Maintain Presence | Backdoor malware | Malware has been installed | Application whitelisting, AV, anti-malware solution | See note (*) below
Maintain Presence | VPN access | Detailed analysis of host check failure alerts | VPN device | Trend report on host checker status of VPN clients
Maintain Presence | VPN access | Anomaly detection for VPN users (user profiling) | User behavior analysis | Baselining of VPN users' access requests to monitor any behavioural changes or deviations
Maintain Presence | - | Executable detected in HTTP/HTTPS traffic | NIDS/NIPS | Using packet capture, files detected as a non-standard service over a standard protocol
Maintain Presence | Password-encoded zip or RAR files | Outbound file transfer detected | NIDS, proxy DLP | Using packet capture, identify password-encoded zip and RAR files
Maintain Presence | FTP | File transfer over FTP detected (whitelist for FTP-allowed IPs) | Firewalls | Whitelisting of key listed FTP sites
Maintain Presence | SMB | Connection established over SMB ports (139, 445) towards a known bad IP | Firewalls - threat feed | Using threat intelligence and SMB ports to identify threats and SMB traffic within the internal network

(*) Endpoint forensics note (RSA Supported column): The installation of a package can be identified by system logs, but the actual endpoint forensics can be achieved from the endpoint solution ECAT. Without endpoint forensics we cannot confirm whether the installed software is malicious or not, unless threat feeds already have the data.

(**) Solution description (RSA Supported column for "User behavior anomaly detected"): The solution proposed is based around the RSA Security Analytics platform. This can collect logs as well as network packet data to give much greater visibility into the risk that the organization may be exposed to. By combining not just the log data collected from the devices within the infrastructure but also identifying anomalies within the network traffic, as well as using 3rd-party feeds from industry-authoritative sources, it is possible to identify if your organization is under attack, exposed to new and emerging threats, as well as identifying if the organization has already been compromised. This can be implemented in a phased approach, initially focusing on log data, eventually moving towards a more pervasive view with the implementation of packet capture. At the log collection level RSA can use techniques such as baselining of events across devices as well as advanced correlation so that an organization can be alerted to an event that falls outside of normal day-to-day activity. This can help provide insight into anomalies and areas of concern that the security analyst may need to be aware of. These can be as simple as multiple failed logins across a number of different devices, to more complicated scenarios such as unusual activity seen in web logs from a certain username, combined with escalation of privileges from that user and then failed and successful logins to resources holding sensitive data, that may in some circumstances indicate a breach of the network. In terms of packet data there are a number of techniques and applications available to help an organization get deep visibility into the health of the network. Metadata is assigned to the packets that are collected to make the data much easier to search through as well as much more human-readable. The data that is collected can also be referenced against live feeds from various authoritative sources to further enrich your data and provide intelligence around the latest threats as well as blacklisted IPs, known bad websites etc. This enables automated alerting and reporting against the threats that the organization is exposed to. These alerts and reports are presented on a dashboard. The alerts and reports can be customized to provide intelligence relevant to the organization. Another component of the solution is the malware analysis tool that will evaluate the threat posed by any executable seen within the organization. This is done using a variety of techniques such as static file analysis, sandboxing, next-generation analysis, referencing it against community information, as well as allowing the organization to see if their antivirus, or in fact any antivirus vendor, would have flagged this as malicious. This tool is especially useful when looking for 0-day malware that signatures alone would not have spotted.
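As an added example, not part of the original use-case table and not RSA product code, the following Python script applies the two Move Laterally indicators from the table (event ID 4697 with service name psexesvc, and event IDs 602/4698 with an "At<number>" task name) to constructed Windows event records. The records are simplified dicts whose keys mirror Windows security event fields; hostnames and usernames are placeholders.

```python
"""Added example: flag the psexec / 'at' scheduled-task lateral-movement
indicators from the use-case table over constructed Windows event records.
Event IDs: 4697 = service installed, 4698 = scheduled task created,
602 = legacy (pre-Vista) scheduled task created."""
import re
from typing import Dict, Iterable, List

# Task names created by the legacy 'at' command look like At1, At2, ...
AT_TASK_RE = re.compile(r"^At\d+$", re.IGNORECASE)
# Service name the table lists for psexec (compared case-insensitively).
PSEXEC_SERVICE = "psexesvc"
TASK_CREATED_IDS = {602, 4698}
SERVICE_INSTALLED_ID = 4697


def classify(event: Dict[str, str]) -> str:
    """Return the indicator name an event matches, or '' if none."""
    try:
        event_id = int(event.get("EventID", -1))
    except ValueError:
        return ""  # malformed record: ignore rather than crash the feed
    if event_id == SERVICE_INSTALLED_ID:
        if event.get("ServiceName", "").strip().lower() == PSEXEC_SERVICE:
            return "psexec_service_install"
    elif event_id in TASK_CREATED_IDS:
        # Task names are often logged with a leading backslash (\At3).
        name = event.get("TaskName", "").strip().lstrip("\\")
        if AT_TASK_RE.match(name):
            return "at_scheduled_task"
    return ""


def find_lateral_movement(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """One finding per matching event, carrying host and subject user so
    the result can feed the dashboard/report the table describes."""
    findings = []
    for ev in events:
        kind = classify(ev)
        if kind:
            findings.append({"indicator": kind,
                             "host": ev.get("Computer", "?"),
                             "user": ev.get("SubjectUserName", "?"),
                             "event_id": ev.get("EventID", "?")})
    return findings


# Constructed sample events (placeholder hosts and users, not real data).
SAMPLE_EVENTS = [
    {"EventID": "4697", "Computer": "WS-FILE01", "SubjectUserName": "svc_deploy",
     "ServiceName": "PSEXESVC", "ServiceFileName": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": "4697", "Computer": "WS-FILE01", "SubjectUserName": "SYSTEM",
     "ServiceName": "Spooler"},
    {"EventID": "4698", "Computer": "WS-HR02", "SubjectUserName": "jdoe",
     "TaskName": "\\At3"},
    {"EventID": "4698", "Computer": "WS-HR02", "SubjectUserName": "SYSTEM",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"EventID": "602", "Computer": "SRV-OLD01", "SubjectUserName": "admin",
     "TaskName": "At1"},
    {"EventID": "4624", "Computer": "WS-HR02", "SubjectUserName": "jdoe"},
]

if __name__ == "__main__":
    for finding in find_lateral_movement(SAMPLE_EVENTS):
        print(finding)
```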
