
Threat Use Cases by Log Source Type

External log sources feed raw events to the JSA system and provide different perspectives on your network, such as audit, monitoring, and security. It's critical that you collect all types of log sources so that JSA can provide the information you need to protect your organization and environment from external and internal threats.

Use the following matrix to find the log sources you're most interested in; each one is described in its own section below. For each log source, the relevant ATT&CK framework categories are listed. The Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework was developed by Mitre Corp. This public knowledge base of threat tactics and techniques helps your security analysts understand how adversaries operate and how to prevent attacks on your organization's networks. If you don't collect a given type of log source, the tactics that it reveals become blind spots in your coverage.

Table 1: Log sources in JSA with Use Cases

Use case columns: Advanced Persistent Threat, Insider Threat, Critical Data Protection, Incident Response, Compliance, Risk and Vulnerability Management

Firewall/Router (Table 2): (√) (√) (√) (√) (√)

IDS/IPS (Intrusion Detection System/Intrusion Protection System) (Table 3): (√) (√) (√) (√)

Web Proxy (Table 4): (√) (√) (√) (√)

VPN (Table 5): (√)

DNS (Table 6): (√) (√) (√)

DHCP (Table 7): (√) (√) (√)

Mail Logs (Table 8): (√) (√) (√)

DLP (Data Loss Prevention) (Table 9): (√) (√) (√) (√)

Endpoint (Table 10): (√) (√) (√) (√) (√)

Identity/Authentication (LDAP/AD/Radius) (Table 11): (√) (√) (√)

Anti-virus (Table 12): (√) (√) (√) (√) (√)

Database Logs (Table 13): (√) (√) (√) (√) (√)

EDR (Table 14): (√) (√) (√)

Office 365 (Table 15): (√) (√)

Firewall/Router

The following table provides examples of use cases that are affected by firewall/router log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:

  • Defense Evasion

  • Discovery

  • Command and Control

  • Exfiltration

Table 2: Firewall/Router Log Source and Use Case Examples

Advanced Persistent Threat: Firewall data helps detect command and control activity and external reconnaissance, and lets you block communication with known malicious IP addresses before it enters your environment.

Critical Data Protection: Discover and protect against abnormal database connection attempts.

Incident Response: See which hosts communicated with an infected host so that you can stop the infection from spreading.

Compliance: Monitor for unauthorized or unexpected firewall configuration changes that allow access to critical business assets. For example, PCI requires all critical assets that contain “banking information” to communicate through an internal DMZ with no direct access to the outside world.

Risk and Vulnerability Management: Discover assets that are actively communicating on vulnerable ports.

Find out more about each technique and tactic: https://attack.mitre.org/wiki/Technique_Matrix

Intrusion Detection System (IDS)/Intrusion Protection System (IPS)

The following table provides examples of use cases that are affected by IDS/IPS log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:

  • Defense Evasion

  • Persistence Mechanism

  • Discovery

  • Command and Control

Table 3: IDS/IPS Log Source and Use Case Examples

Advanced Persistent Threat: Correlate threat events with vulnerabilities, and then escalate those threat events for more precise offense detection.

Critical Data Protection: Detect SQL injection and cross-site scripting (XSS) attacks.

Incident Response: See which hosts are infected and watch for potential epidemics so that you can stop the infection from spreading.

Risk and Vulnerability Management: Validate and assess threats, and prioritize them, by correlating with asset and vulnerability data.

Find out more about each technique and tactic: https://attack.mitre.org/wiki/Technique_Matrix

Web Proxy

The following table provides examples of use cases that are affected by web proxy log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:

  • Defense Evasion

  • Persistence Mechanism

  • Data Exfiltration

  • Command and Control

  • Privilege Escalation

  • Credential Access

Table 4: Web Proxy Log Source and Use Case Examples

Advanced Persistent Threat: Monitor for malicious domain communication, data exfiltration, and command and control activities. Detect attempts to bypass normal user restrictions by surfing with a service account.

Insider Threat: Track malicious activity such as crypto mining that uses corporate resources.

Critical Data Protection: Monitor for unauthorized data exfiltration.

Compliance: Monitor for critical asset communication with the outside world.

Find out more about each technique and tactic: https://attack.mitre.org/wiki/Technique_Matrix

VPN

The following table provides examples of use cases that are affected by VPN log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:

  • Credential Access

  • Lateral Movement

Table 5: VPN Log Source and Use Case Examples

Advanced Persistent Threat: Monitor for logins from suspicious locations.

Insider Threat: Detect VPN use by users outside of their normal usage patterns or from abnormal geographical areas.

Find out more about each technique and tactic: https://attack.mitre.org/wiki/Technique_Matrix

DNS

The following table provides examples of use cases that are affected by DNS log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:

  • Defense Evasion

  • Persistence Mechanism

  • Command and Control

  • Exfiltration

  • Credential Access (note: Technique T1171)

Table 6: DNS Log Source and Use Case Examples

Advanced Persistent Threat: Monitor for malicious DNS usage such as algorithmically generated domain names (DGA), tunneling, and squatting.

Insider Threat: Detect tunneling of traffic through DNS records.

Find out more about each technique and tactic: https://attack.mitre.org/wiki/Technique_Matrix
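As an added example (not part of this page or the JSA product), the two DNS use cases above applied to constructed query-log lines: tunneling shows up as many distinct, long leftmost labels under one base domain from a single client, and DGA-style names as long, high-entropy second-level labels. The log format, the thresholds and the two-label registered-domain shortcut are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log, one query per line: timestamp client qname qtype
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.1.1.5 www.example.com A
2024-05-01T10:00:02 10.1.1.5 mail.example.com A
2024-05-01T10:00:03 10.1.1.9 a91f3c0e7b2d4e6f8a0b1c2d3e4f5a6b.tun.example.net TXT
2024-05-01T10:00:04 10.1.1.9 b82e4d1f8c3e5f7a9b1c2d3e4f5a6b7c.tun.example.net TXT
2024-05-01T10:00:05 10.1.1.9 c73d5e2a9d4f6a8b0c2d3e4f5a6b7c8d.tun.example.net TXT
2024-05-01T10:00:06 10.1.1.9 d64c6f3b0e5a7b9c1d3e4f5a6b7c8d9e.tun.example.net TXT
2024-05-01T10:00:07 10.1.1.7 xkqzjvbtwplmr.com A
2024-05-01T10:00:08 10.1.1.7 qwpfhzxcjvmtb.net A
"""

def shannon_entropy(s):
    """Bits per character; random-looking labels score high, dictionary words low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(qname):
    """Last two labels. Simplification: no public-suffix list, so co.uk-style names are not handled."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def analyze_dns_log(text, tunnel_min_label=30, tunnel_min_queries=3,
                    dga_min_len=10, dga_min_entropy=3.5):
    """Return (tunnel_suspects, dga_suspects).
    tunnel_suspects maps (client, registered domain) to the number of distinct long leftmost
    labels seen; dga_suspects lists names whose second-level label looks machine generated."""
    long_labels = defaultdict(set)
    dga = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _qtype = line.split()
        labels = qname.lower().rstrip(".").split(".")
        base = registered_domain(qname)
        # Tunneling: encoded data rides in long, ever-changing subdomain labels of one base domain
        if len(labels) > 2 and len(labels[0]) >= tunnel_min_label:
            long_labels[(client, base)].add(labels[0])
        # DGA: the registered name itself is long and high-entropy
        sld = base.split(".")[0]
        if len(sld) >= dga_min_len and shannon_entropy(sld) >= dga_min_entropy:
            dga.add(qname)
    tunnels = {k: len(v) for k, v in long_labels.items() if len(v) >= tunnel_min_queries}
    return tunnels, sorted(dga)

if __name__ == "__main__":
    print(analyze_dns_log(SAMPLE_LOG))
```

Tune the thresholds against your own baseline: CDN and anti-spam services legitimately use long labels, so a (client, domain) allow-list is usually needed in production.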

DHCP

The following table provides examples of use cases that are affected by DHCP log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:

Table 7: DHCP Log Source and Use Case Examples

Advanced Persistent Threat: Detection of rogue access points or other unexpected device presence on the corporate network.

Insider Threat: Detection of rogue access points or other unexpected device presence on the corporate network.

Incident Response: Identification of which host had a specific IP address at the time of an incident.

Find out more about each technique and tactic: https://attack.mitre.org/wiki/Technique_Matrix
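Added example, not from this page or JSA: rebuilding lease intervals from constructed ISC-dhcpd-style DHCPACK/DHCPRELEASE lines to answer the incident-response question above (which host held an IP at a given time, taking releases, expiry and reassignment into account) and to list leased devices that are absent from an asset inventory. The log format, the fixed lease duration and the inventory list are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed DHCP server log in ISC dhcpd syslog style (sample data, not from a real server)
SAMPLE_LOG = """\
2024-05-01 08:00:00 dhcpd: DHCPACK on 10.1.1.42 to 00:11:22:33:44:55 (laptop-alice) via eth0
2024-05-01 09:30:00 dhcpd: DHCPRELEASE of 10.1.1.42 from 00:11:22:33:44:55 (laptop-alice) via eth0
2024-05-01 09:45:00 dhcpd: DHCPACK on 10.1.1.42 to 66:77:88:99:aa:bb (unknown-device) via eth0
2024-05-01 10:10:00 dhcpd: DHCPACK on 10.1.1.43 to cc:dd:ee:ff:00:11 (printer-2f) via eth0
"""
ACK_RE = re.compile(r"^(\S+ \S+) dhcpd: DHCPACK on (\S+) to (\S+)(?: \((\S+)\))?")
REL_RE = re.compile(r"^(\S+ \S+) dhcpd: DHCPRELEASE of (\S+) from (\S+)")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def build_leases(text, lease_time=timedelta(hours=4)):
    """Turn ACK/RELEASE events into lease intervals [ip, mac, host, start, end].
    lease_time is an assumed fixed lease duration; take the real value from the server config."""
    leases = []
    for line in text.splitlines():
        if m := ACK_RE.match(line):
            ts, ip, mac, host = m.groups()
            at = parse_ts(ts)
            for lease in leases:  # the IP went to another MAC: close any lease still open on it
                if lease[0] == ip and lease[1] != mac and lease[4] > at:
                    lease[4] = at
            leases.append([ip, mac, host or "", at, at + lease_time])
        elif m := REL_RE.match(line):
            ts, ip, mac = m.groups()
            at = parse_ts(ts)
            for lease in leases:  # an explicit release ends the client's own lease early
                if lease[0] == ip and lease[1] == mac and lease[4] > at:
                    lease[4] = at
    return leases

def who_had_ip(leases, ip, when):
    """(mac, host) that held ip at time 'when' (string), or None if released, expired or never leased."""
    at = parse_ts(when)
    hits = [l for l in leases if l[0] == ip and l[3] <= at < l[4]]
    if not hits:
        return None
    latest = max(hits, key=lambda l: l[3])  # after a renewal, the most recent ACK wins
    return latest[1], latest[2]

def unknown_devices(leases, known_macs):
    """MACs that obtained a lease but are missing from the asset inventory: rogue or unexpected devices."""
    return sorted({l[1] for l in leases} - set(known_macs))
```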

Mail Logs

The following table provides examples of use cases that are affected by mail log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:

  • Execution

  • Initial Access

  • Collection

Table 8: Mail Log Source and Use Case Examples

Advanced Persistent Threat: Monitor for phishing and spam.

Insider Threat: Phishing.

Critical Data Protection: Phishing, data exfiltration by email.

Find out more about each technique and tactic: https://attack.mitre.org/wiki/Technique_Matrix

DLP (Data Loss Prevention)

The following table provides examples of use cases that are affected by DLP log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:

  • Data Exfiltration

  • Collection

Table 9: DLP Log Source and Use Case Examples

Advanced Persistent Threat: Data can be exfiltrated through many methods. Identify and track suspicious files and activity such as:

  • DNS abnormalities

  • Sensitive content

  • Aberrant connections

  • Aliases

Insider Threat: Data can be exfiltrated through many methods. Identify and track suspicious files and activity such as:

  • DNS abnormalities

  • Sensitive content

  • Aberrant connections

  • Aliases

Critical Data Protection: Data can be exfiltrated through many methods. Identify and track suspicious files and activity such as:

  • DNS abnormalities

  • Sensitive content

  • Aberrant connections

  • Aliases

Compliance: Data can be exfiltrated through many methods. Identify and track suspicious files and activity such as:

  • DNS abnormalities

  • Sensitive content

  • Aberrant connections

  • Aliases

Find out more about each technique and tactic: https://attack.mitre.org/wiki/Technique_Matrix

Endpoint

The following table provides examples of use cases that are affected by Endpoint log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:

  • Privilege Escalation

  • Initial Access

  • Execution

  • Persistence

  • Credential Access

  • Defense Evasion

  • Discovery

  • Lateral Movement

  • Collection

  • Exfiltration

  • Command and Control

Table 10: Endpoint Log Source and Use Case Examples

Advanced Persistent Threat: Monitor for malicious hashes, suspicious PowerShell activity, process abuse, or other suspicious endpoint activities.

Insider Threat: Detection of persistent malware that consumes host resources (for example, crypto mining).

Critical Data Protection: Data can be exfiltrated through many methods. Identify and track suspicious files and activity such as:

  • DNS abnormalities

  • Sensitive content

  • Aberrant connections

  • Aliases

Compliance: Monitor for adherence to corporate policy (for example, unapproved software use).

Risk and Vulnerability Management: Assess and manage risk based on endpoint vulnerability data.

Find out more about each technique and tactic: https://attack.mitre.org/wiki/Technique_Matrix

Identity/Authentication (LDAP/AD/Radius)

The following table provides examples of use cases that are affected by LDAP/AD/Radius log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:

  • Privilege Escalation

  • Credential Access

  • Initial Access

Table 11: LDAP/AD/Radius Log Source and Use Case Examples

Advanced Persistent Threat: Monitor for activities such as brute force login by malware, lateral movement through the network, or suspicious logins.

Insider Threat: Account takeover by malware.

Incident Response: Visibility into where a user logged in during the IR process.

Find out more about each technique and tactic: https://attack.mitre.org/wiki/Technique_Matrix

Anti-virus

The following table provides examples of use cases that are affected by anti-virus log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:

  • Persistence

  • Initial Access

  • Defense Evasion

Table 12: Anti-virus Log Source and Use Case Examples

Advanced Persistent Threat: Monitor for activities such as:

  • Endpoint infections reported by anti-virus

  • Viruses that were not cleaned

  • Corroboration of other suspicious endpoint behavior

Critical Data Protection: Detection of virus outbreaks to prevent movement to servers that contain critical business data.

Incident Response: Visibility into where a specific virus signature was seen.

Compliance: Ensuring up-to-date AV definitions on critical hosts and servers.

Risk and Vulnerability Management: Connections to malicious web domains indicate a vulnerable host that is compromised.

Find out more about each technique and tactic: https://attack.mitre.org/wiki/Technique_Matrix

Database Logs

The following table provides examples of use cases that are affected by database log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:

  • Credential Access

  • Collection

  • Initial Access

  • Discovery

  • Data Exfiltration

  • Privilege Escalation

Table 13: Database Log Source and Use Case Examples

Insider Threat: Detect unauthorized database access and data theft.

Critical Data Protection: Databases often include sensitive corporate information and require monitoring for most compliance standards. Monitor for unauthorized user permission changes.

Incident Response: Evidence of what data was accessed, and by whom, during a breach.

Compliance: Databases often include sensitive corporate information and require monitoring for most compliance standards.

Risk and Vulnerability Management: Prioritize vulnerabilities on hosts with active databases that potentially contain critical data. Detect default accounts and passwords that are enabled.

Find out more about each technique and tactic: https://attack.mitre.org/wiki/Technique_Matrix

EDR (Endpoint Detection and Response)

The following table provides examples of use cases that are affected by EDR log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:

  • Credential Access

  • Privilege Escalation

  • Discovery

Table 14: EDR Log Source and Use Case Examples

Advanced Persistent Threat: Monitor for activities such as:

  • Compromised endpoints

  • Suspicious endpoint behavior

Incident Response: Rapidly determine the existence of IOCs at endpoints, including hashes and file names.

Risk and Vulnerability Management: Correlate vulnerability information with endpoint data.

Find out more about each technique and tactic: https://attack.mitre.org/wiki/Technique_Matrix

Microsoft Office 365

The following table provides examples of use cases that are affected by Microsoft Office 365 log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:

  • Initial Access

  • Execution

  • Persistence

Table 15: Office 365 Log Source and Use Case Examples

Incident Response: Evidence of what data was accessed during a breach.

Compliance: Continuous monitoring of file activity and user access.

Find out more about each technique and tactic: https://attack.mitre.org/wiki/Technique_Matrix