Threat Use Cases by Log Source Type

External log sources feed raw events to the JSA system that provide different perspectives about your network, such as audit, monitoring, and security. It's critical that you collect all types of log sources so that JSA can provide the information that you need to protect your organization and environment from external and internal threats.

Click a check mark in the following matrix to go to the log source that you're most interested in. For each log source, the relevant ATT&CK framework categories are listed. The Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework was developed by Mitre Corp. The public knowledge base of threat tactics and techniques helps your security analysts to understand hacker threats and how to prevent adversarial attacks from happening to your organization's networks. These tactics can become your weaknesses if you're not collecting that type of log source.

Table 1: Log sources in JSA with Use Cases
Log sources	Advanced Persistent Threat	Insider Threat	Critical Data Protection	Incident Response	Compliance	Risk and Vulnerability Management
Firewall/Router	(√)		(√)	(√)	(√)	(√)
IDS/IPS (Intrusion Detection System/Intrusion Protection System)	(√)		(√)	(√)		(√)
Web Proxy	(√)	(√)	(√)		(√)
VPN	(√)
DNS	(√)	(√)				(√)
DHCP	(√)	(√)		(√)
Mail Logs	(√)	(√)	(√)
DLP (Data Loss Prevention)	(√)	(√)	(√)		(√)
Endpoint	(√)	(√)	(√)		(√)	(√)
Identity/ Authentication (LDAP/AD/ Radius)	(√)	(√)		(√)
Anti Virus	(√)		(√)	(√)	(√)	(√)
Netflow	(√)	(√)	(√)	(√)	(√)	(√)
Database Logs	(√)	(√)	(√)	(√)	(√)
EDR	(√)			(√)		(√)
Office 365				(√)	(√)

Firewall/Router

The following table provides examples of use cases that are affected by firewall/router log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:

Defense Evasion
Discovery
Command and Control
Exfiltration

Table 2: Firewall/Router Log Source and Use Case Examples
Use case	Examples
Advanced Persistent Threat	Firewall data helps detect command control issues. Use it for external recon and prevent malicious IP communications from entering your environment.
Critical Data Protection	Discover and protect against abnormal database connection attempts.
Incident Response	See which hosts communicated with an infected host so that you can stop the spread of data infection.
Compliance	Monitor for unauthorized or unexpected firewall configuration changes to allow access to critical business assets. For example, PCI requires all critical assets that contain “banking information” to communicate through an internal DMZ with no direct access to the outside world.
Risk and Vulnerability Management	Discover assets that are actively communicating on vulnerable ports

Intrusion Detection System (IDS)/Intrusion Protection System (IPS)

The following table provides examples of use cases that are affected by IDS/IPS log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:

Defense Evasion
Persistence Mechanism
Discovery
Command and Control

Table 3: IDS/IPS Log Source and Use Case Examples
Use case	Examples
Advanced Persistent Threat	Correlate threat events with vulnerabilities, and then escalate those threat events. Perform more acute offense detection.
Critical Data Protection	SQL, XSS Injection
Incident Response	See which hosts are infected and watch for potential epidemics so that you can stop the spread of data infection.
Risk and Vulnerability Management	Validate and assess threats to prioritize by correlating with asset and vulnerability data.

Web Proxy

The following table provides examples of use cases that are affected by web proxy log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:

Defense Evasion
Persistence Mechanism
Data Exfiltration
Command and Control
Privilege Escalation
Credential Access

Table 4: Web Proxy Log Source and Use Case Examples
Use case	Examples
Advanced Persistent Threat	Monitor for malicious domain communication, data exfiltration, and command and control activities. Detect attempts to bypass normal user restrictions by surfing with a service account.
Insider Threat	Track malicious activity such as crypto mining that uses corporate resources.
Critical Data Protection	Monitor for unauthorized data exfiltration.
Compliance	Monitor for critical asset communication with the outside world.

VPN

The following table provides examples of use cases that are affected by VPN log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:

Credential Access
Lateral Movement

Table 5: VPN Log Source and Use Case Examples
Use case	Examples
Advanced Persistent Threat	Monitor for logins from suspicious locations.
Insider Threat	Detect the use of VPN for users outside of normal usage patterns or from abnormal geographical areas.

DNS

The following table provides examples of use cases that are affected by DNS log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:

Defense Evasion
Persistence Mechanism
Command and Control
Exfiltration
Credential Access (note: Technique T1171)

Table 6: DNS Log Source and Use Case Examples
Use case	Examples
Advanced Persistent Threat	Monitor for malicious DNS usages such as domain name generation, tunneling, and squatting.
Insider Threat	Detect tunneling of traffic through DNS records.

DHCP

The following table provides examples of use cases that are affected by DHCP log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:

Table 7: DHCP Log Source and Use Case Examples
Use case	Examples
Advanced Persistent Threat	Detection of rogue access points or other unexpected device presence on corporate network.
Insider Threat	Detection of rogue access points or other unexpected device presence on corporate network
Incident Response	Identification of which host had a specific IP address at the time of an incident.

Mail Logs

The following table provides examples of use cases that are affected by mail log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:

Execution
Initial Access
Collection

Table 8: Mail Log Source and Use Case Examples
Use case	Examples
Advanced Persistent Threat	Monitor for phishing and spam.
Insider Threat	Phishing
Critical Data Protection	Phishing, data exfiltration by email

DLP (Data Loss Prevention)

The following table provides examples of use cases that are affected by DLP log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:

Data Exfiltration
Collection

Table 9: DLP Log Source and Use Case Examples
Use case	Examples
Advanced Persistent Threat	Data can be exfiltrated through many methods. Identify and track suspicious files such as: DNS abnormalities Sensitive content Aberrant connections Aliases
Insider Threat	Data can be exfiltrated through many methods. Identify and track suspicious files such as: DNS abnormalities Sensitive content Aberrant connections Aliases
Critical Data Protection	Data can be exfiltrated through many methods. Identify and track suspicious files such as: DNS abnormalities Sensitive content Aberrant connections Aliases
Compliance	Data can be exfiltrated through many methods. Identify and track suspicious files such as: DNS abnormalities Sensitive content Aberrant connections Aliases

Endpoint

The following table provides examples of use cases that are affected by Endpoint log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:

Privilege Escalation
Initial Access
Execution
Persistence
Credential Access
Defense Evasion
Discovery
Lateral Movement
Collection
Exfiltration
Command and Control

Table 10: Endpoint Log Source and Use Case Examples
Use case	Examples
Advanced Persistent Threat	Monitor for malicious hashes, suspicious PowerShell activity, process abuse, or other suspicious endpoint activities.
Insider Threat	Detection of persistent malware by using host resources (for example, crypto mining)
Critical Data Protection	Data can be exfiltrated through many methods. Identify and track suspicious files such as: DNS abnormalities Sensitive content Aberrant connections Aliases
Compliance	Monitor for adherence to corporate company policy (for example, unapproved software use).
Risk and Vulnerability Management	Assess and manage risk through vulnerability.

Identity/Authentication (LDAP/AD/Radius)

The following table provides examples of use cases that are affected by LDAP/AD/Radius log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:

Privilege Escalation
Credential Access
Initial Access

Table 11: LDAP/AD/Radius Log Source and Use Case Examples
Use case	Examples
Advanced Persistent Threat	Monitor for activities such as brute force login by malware, lateral movement through the network, or suspicious logins.
Insider Threat	Account takeover by malware
Incident Response	Visibility into where a user logged in during the IR process.

Anti-virus

The following table provides examples of use cases that are affected by anti-virus log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:

Persistence
Initial Access
Defense Evasion

Table 12: Anti-virus Log Source and Use Case Examples
Use case	Examples
Advanced Persistent Threat	Monitor for activities such as: Endpoint infection by anti-virus Virus that is not cleaned Reinforcement of other suspicious endpoint behavior
Critical data Protection	Detection of virus outbreak to prevent movement to servers that contain critical business data
Incident Response	Visibility into where a specific virus signature was seen
Compliance	Ensuring up-to-date AV definitions on critical hosts/servers.
Risk and Vulnerability Management	Malicious WWW domain connections indication of a vulnerable host that is compromised.

Netflow

The following table provides examples of use cases that are affected by Netflow log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:

Lateral Movement
Discovery
Persistence Mechanism
Defense Evasion
Data Exfiltration
Credential Access
Command and Control

Table 13: Netflow Log Source and Use Case Examples
Use case	Examples
Advanced Persistent Threat	Monitor for activities such as: Recon Malicious download Lateral movement Phishing
Insider Threat	Phishing detection
Securing the Cloud	Monitor for activities such as: Data exfiltration Expired WWW certificates Self-signed WWW certificates Phishing Risky WWW domain connections
Critical Data Protection	Data can be exfiltrated through many methods. Identify and track suspicious files such as: DNS abnormalities Sensitive content Aberrant connections Aliases
Incident Response	Provides a huge pool of investigative data to determine the spread of an attack from domain communication, hashes that are downloaded, IP addresses that are communicated with, file names, data volumes transferred.
Compliance	Monitor for critical asset communications (for example, crown jewel communicate to the open Internet).
Risk and vulnerability management	Prioritize host vulnerability remediation based upon the level of risk that hosts are communicated with.

Database Logs

The following table provides examples of use cases that are affected by database log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:

Credential Access
Collection
Initial Access
Discovery
Data Exfiltration
Privilege Escalation

Table 14: Database Log Source and Use Case Examples
Use case	Examples
Insider Threat	Detect unauthorized database access and data theft.
Critical Data Protection	Databases often include sensitive corporate information and require monitoring for most compliance standards. Monitor for unauthorized user permission changes.
Incident Response	Evidence of what data was accessed, and by whom, during a breach.
Compliance	Databases often include sensitive corporate information and require monitoring for most compliance standards.
Risk and Vulnerability Management	Prioritize vulnerabilities on hosts with active databases that potentially contain critical data. Detect default accounts and passwords that are enabled.

EDR (Endpoint Detection and Response)

The following table provides examples of use cases that are affected by EDR log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:

Credential Access
Privilege Escalation
Discovery

Table 15: EDR Log Source and Use Case Examples
Use case	Examples
Advanced Persistent Threat	Monitor for activities such as: Compromised endpoints Suspicious endpoint behavior
Incident Response	Rapidly determine existence of IOCs at endpoints, including hashes and file names.
Risk and Vulnerability Management	Correlate vulnerability information with endpoint data.

Microsoft Office 365

The following table provides examples of use cases that are affected by Microsoft Office 365 log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:

Initial Access
Execution
Persistence

Table 16: Office 365 Log Source and Use Case Examples
Use case	Examples
Incident Response	Evidence of what data was accessed during a breach
Compliance	Continuous monitoring of file activity and user access.

ON THIS PAGE