Threat Use Cases by Log Source Type
External log sources feed raw events to the JSA system that provide different perspectives about your network, such as audit, monitoring, and security. It's critical that you collect all types of log sources so that JSA can provide the information that you need to protect your organization and environment from external and internal threats.
Click a check mark in the following matrix to go to the log source that you're most interested in. For each log source, the relevant ATT&CK framework categories are listed. The Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework was developed by Mitre Corp. The public knowledge base of threat tactics and techniques helps your security analysts to understand hacker threats and how to prevent adversarial attacks from happening to your organization's networks. These tactics can become your weaknesses if you're not collecting that type of log source.
| Log sources | Advanced Persistent Threat | Insider Threat | Critical Data Protection | Incident Response | Compliance | Risk and Vulnerability Management |
|---|---|---|---|---|---|---|
| Firewall/Router | (√) | | (√) | (√) | (√) | (√) |
| IDS/IPS (Intrusion Detection System/Intrusion Protection System) | (√) | | (√) | (√) | | (√) |
| Web Proxy | (√) | (√) | (√) | | (√) | |
| VPN | (√) | (√) | | | | |
| DNS | (√) | (√) | | | | |
| DHCP | (√) | (√) | | (√) | | |
| Mail Logs | (√) | (√) | (√) | | | |
| DLP (Data Loss Prevention) | (√) | (√) | (√) | | (√) | |
| Endpoint | (√) | (√) | (√) | | (√) | (√) |
| Identity/Authentication (LDAP/AD/Radius) | (√) | (√) | | (√) | | |
| Anti Virus | (√) | | (√) | (√) | (√) | (√) |
| Netflow | (√) | (√) | (√) | (√) | (√) | (√) |
| Database Logs | | (√) | (√) | (√) | (√) | (√) |
| EDR | (√) | | | (√) | | (√) |
| Office 365 | | | | (√) | (√) | |
Firewall/Router
The following table provides examples of use cases that are affected by firewall/router log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
- Defense Evasion
- Discovery
- Command and Control
- Exfiltration

| Use case | Examples |
|---|---|
| Advanced Persistent Threat | Firewall data helps detect command and control issues. Use it to detect external reconnaissance and to prevent malicious IP communications from entering your environment. |
| Critical Data Protection | Discover and protect against abnormal database connection attempts. |
| Incident Response | See which hosts communicated with an infected host so that you can stop the spread of the infection. |
| Compliance | Monitor for unauthorized or unexpected firewall configuration changes that allow access to critical business assets. For example, PCI requires all critical assets that contain “banking information” to communicate through an internal DMZ with no direct access to the outside world. |
| Risk and Vulnerability Management | Discover assets that are actively communicating on vulnerable ports. |

Find out more about each technique and tactic: (https://attack.mitre.org/wiki/Technique_Matrix)
Intrusion Detection System (IDS)/Intrusion Protection System (IPS)
The following table provides examples of use cases that are affected by IDS/IPS log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
- Defense Evasion
- Persistence Mechanism
- Discovery
- Command and Control

| Use case | Examples |
|---|---|
| Advanced Persistent Threat | Correlate threat events with vulnerabilities, and then escalate those threat events. Perform more precise offense detection. |
| Critical Data Protection | SQL injection, XSS (cross-site scripting) injection. |
| Incident Response | See which hosts are infected and watch for potential epidemics so that you can stop the spread of the infection. |
| Risk and Vulnerability Management | Validate and assess threats, and prioritize them, by correlating with asset and vulnerability data. |

Find out more about each technique and tactic: (https://attack.mitre.org/wiki/Technique_Matrix)
Web Proxy
The following table provides examples of use cases that are affected by web proxy log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
- Defense Evasion
- Persistence Mechanism
- Data Exfiltration
- Command and Control
- Privilege Escalation
- Credential Access

| Use case | Examples |
|---|---|
| Advanced Persistent Threat | Monitor for malicious domain communication, data exfiltration, and command and control activities. Detect attempts to bypass normal user restrictions by surfing with a service account. |
| Insider Threat | Track malicious activity such as crypto mining that uses corporate resources. |
| Critical Data Protection | Monitor for unauthorized data exfiltration. |
| Compliance | Monitor for critical asset communication with the outside world. |

Find out more about each technique and tactic: (https://attack.mitre.org/wiki/Technique_Matrix)
VPN
The following table provides examples of use cases that are affected by VPN log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
- Credential Access
- Lateral Movement

| Use case | Examples |
|---|---|
| Advanced Persistent Threat | Monitor for logins from suspicious locations. |
| Insider Threat | Detect VPN use by users outside of their normal usage patterns or from abnormal geographical areas. |

Find out more about each technique and tactic: (https://attack.mitre.org/wiki/Technique_Matrix)
DNS
The following table provides examples of use cases that are affected by DNS log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
- Defense Evasion
- Persistence Mechanism
- Command and Control
- Exfiltration
- Credential Access (note: Technique T1171)

| Use case | Examples |
|---|---|
| Advanced Persistent Threat | Monitor for malicious DNS usage such as domain name generation, tunneling, and squatting. |
| Insider Threat | Detect tunneling of traffic through DNS records. |

Find out more about each technique and tactic: (https://attack.mitre.org/wiki/Technique_Matrix)
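The domain-generation and tunneling detection described above, as an added example that is not part of this page or of JSA itself: it scores each DNS query on label length, character entropy, and payload-capable record types, then flags a source that sends repeated suspect queries beneath one parent domain. The log line format, the sample records, and the thresholds are constructed assumptions; tune them against your own resolver logs.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log (not from the page): "<timestamp> <source_ip> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01 10.1.2.3 A www.example.com
2024-05-01T10:00:02 10.1.2.3 A mail.example.com
2024-05-01T10:00:03 10.1.2.9 TXT 3a9f1c77e0b24d8aa51f3c.t.example.net
2024-05-01T10:00:04 10.1.2.9 TXT 88c0d1e2f3a4b5c6d7e8f9.t.example.net
2024-05-01T10:00:05 10.1.2.9 TXT 0b1c2d3e4f5a6b7c8d9e0f.t.example.net
2024-05-01T10:00:06 10.1.2.7 A xk3jq9vz2mw8lp.com
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def shannon_entropy(s):
    """Bits per character: dictionary words sit near 3, random hex or base32 labels near 4."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def score_query(qtype, qname):
    """Heuristic reasons one query resembles a generated (DGA) name or a tunnel payload."""
    labels = qname.rstrip(".").split(".")
    leftmost = labels[0]
    reasons = []
    if len(leftmost) >= 20:
        reasons.append("long-label")
    if len(leftmost) >= 12 and shannon_entropy(leftmost) >= 3.5:
        reasons.append("high-entropy-label")
    if qtype in ("TXT", "NULL") and len(labels) >= 3:
        reasons.append("payload-capable-qtype")
    return reasons

def detect_dns_anomalies(log_text, tunnel_threshold=3):
    """Flag suspect queries, then sources that send repeated suspects beneath one parent domain."""
    suspects, per_source_parent = [], defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the pipeline
        ts, src, qtype, qname = m.groups()
        reasons = score_query(qtype, qname)
        if reasons:
            suspects.append({"ts": ts, "src": src, "qname": qname, "reasons": reasons})
            parent = ".".join(qname.rstrip(".").split(".")[1:])
            per_source_parent[(src, parent)] += 1
    # A tunnel looks like many distinct payload labels under the same parent from one host
    tunnels = [k for k, n in per_source_parent.items() if n >= tunnel_threshold]
    return {"suspects": suspects, "tunnel_candidates": tunnels}
```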
DHCP
The following table provides examples of use cases that are affected by DHCP log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
| Use case | Examples |
|---|---|
| Advanced Persistent Threat | Detection of rogue access points or other unexpected device presence on the corporate network. |
| Insider Threat | Detection of rogue access points or other unexpected device presence on the corporate network. |
| Incident Response | Identification of which host had a specific IP address at the time of an incident. |

Find out more about each technique and tactic: (https://attack.mitre.org/wiki/Technique_Matrix)
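The incident-response lookup in the DHCP table above (which host held a given IP address at a given time), as an added example that is not code from this page or from JSA: it rebuilds lease intervals from ACK and RELEASE events, closing a lease on release, on reassignment of the address to another MAC, or on expiry, so that a lookup between two leases correctly returns nothing. The event format, the sample records, and the 4-hour default lease length are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample DHCP server events (not from the page): "<timestamp> <event> <ip> <mac> <hostname>"
SAMPLE_DHCP_LOG = """\
2024-05-01T08:00:00 DHCPACK 10.1.2.50 aa:bb:cc:00:00:01 laptop-alice
2024-05-01T09:30:00 DHCPRELEASE 10.1.2.50 aa:bb:cc:00:00:01 laptop-alice
2024-05-01T09:45:00 DHCPACK 10.1.2.50 aa:bb:cc:00:00:02 printer-3f
2024-05-01T12:00:00 DHCPACK 10.1.2.60 aa:bb:cc:00:00:03 build-agent
"""

def parse_leases(log_text, lease_seconds=4 * 3600):
    """Turn ACK/RELEASE events into (start, end, ip, mac, hostname) intervals.
    A lease ends at RELEASE, when the IP is ACKed to a different MAC, or at expiry."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 5:  # ignore lines that do not match the assumed format
            events.append((datetime.fromisoformat(parts[0]), *parts[1:]))
    intervals, active = [], {}  # active: ip -> [start, expiry, mac, host]
    for ts, event, ip, mac, host in sorted(events):
        lease = active.get(ip)
        if lease and (event == "DHCPRELEASE" or lease[2] != mac or ts > lease[1]):
            intervals.append((lease[0], min(ts, lease[1]), ip, lease[2], lease[3]))
            active.pop(ip)
            lease = None
        if event == "DHCPACK":
            if lease:  # renewal by the same client: extend the expiry
                lease[1] = ts + timedelta(seconds=lease_seconds)
            else:
                active[ip] = [ts, ts + timedelta(seconds=lease_seconds), mac, host]
    for ip, (start, expiry, mac, host) in active.items():
        intervals.append((start, expiry, ip, mac, host))  # still active: ends at expiry
    return intervals

def host_at(intervals, ip, when):
    """Incident-response lookup: which (mac, hostname) held this IP at this instant, or None."""
    when = datetime.fromisoformat(when)
    for start, end, lease_ip, mac, host in intervals:
        if lease_ip == ip and start <= when < end:
            return (mac, host)
    return None
```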
Mail Logs
The following table provides examples of use cases that are affected by mail log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
- Execution
- Initial Access
- Collection

| Use case | Examples |
|---|---|
| Advanced Persistent Threat | Monitor for phishing and spam. |
| Insider Threat | Phishing. |
| Critical Data Protection | Phishing, data exfiltration by email. |

Find out more about each technique and tactic: (https://attack.mitre.org/wiki/Technique_Matrix)
DLP (Data Loss Prevention)
The following table provides examples of use cases that are affected by DLP log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
- Data Exfiltration
- Collection

| Use case | Examples |
|---|---|
| Advanced Persistent Threat | Data can be exfiltrated through many methods. Identify and track suspicious files such as: |
| Insider Threat | Data can be exfiltrated through many methods. Identify and track suspicious files such as: |
| Critical Data Protection | Data can be exfiltrated through many methods. Identify and track suspicious files such as: |
| Compliance | Data can be exfiltrated through many methods. Identify and track suspicious files such as: |

Find out more about each technique and tactic: (https://attack.mitre.org/wiki/Technique_Matrix)
Endpoint
The following table provides examples of use cases that are affected by Endpoint log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
- Privilege Escalation
- Initial Access
- Execution
- Persistence
- Credential Access
- Defense Evasion
- Discovery
- Lateral Movement
- Collection
- Exfiltration
- Command and Control

| Use case | Examples |
|---|---|
| Advanced Persistent Threat | Monitor for malicious hashes, suspicious PowerShell activity, process abuse, or other suspicious endpoint activities. |
| Insider Threat | Detection of persistent malware that uses host resources (for example, crypto mining). |
| Critical Data Protection | Data can be exfiltrated through many methods. Identify and track suspicious files such as: |
| Compliance | Monitor for adherence to corporate policy (for example, unapproved software use). |
| Risk and Vulnerability Management | Assess and manage risk through vulnerability data. |

Find out more about each technique and tactic: (https://attack.mitre.org/wiki/Technique_Matrix)
Identity/Authentication (LDAP/AD/Radius)
The following table provides examples of use cases that are affected by LDAP/AD/Radius log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
- Privilege Escalation
- Credential Access
- Initial Access

| Use case | Examples |
|---|---|
| Advanced Persistent Threat | Monitor for activities such as brute force login by malware, lateral movement through the network, or suspicious logins. |
| Insider Threat | Account takeover by malware. |
| Incident Response | Visibility into where a user logged in during the IR process. |

Find out more about each technique and tactic: (https://attack.mitre.org/wiki/Technique_Matrix)
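The brute-force login monitoring named in the identity table above, as an added example that is not code from this page or from JSA: it keeps a sliding window of failed logins per user and source address, raises one alert when the failure count first crosses the threshold, and raises a separate, higher-priority alert when a success follows such a burst. The event format, the sample records, and the threshold and window values are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events (not from the page): "<timestamp> <result> <user> <source_ip>"
SAMPLE_AUTH_LOG = """\
2024-05-01T03:00:01 FAIL svc-backup 10.9.9.9
2024-05-01T03:00:02 FAIL svc-backup 10.9.9.9
2024-05-01T03:00:03 FAIL svc-backup 10.9.9.9
2024-05-01T03:00:04 FAIL svc-backup 10.9.9.9
2024-05-01T03:00:05 FAIL svc-backup 10.9.9.9
2024-05-01T03:00:09 SUCCESS svc-backup 10.9.9.9
2024-05-01T08:15:00 FAIL alice 10.1.2.3
2024-05-01T08:15:20 SUCCESS alice 10.1.2.3
"""

def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Count failures per (user, source) in a sliding window; a success that follows a burst
    is reported separately because it suggests the guessing worked and needs response first."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)  # (user, source) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines outside the assumed format
        ts = datetime.fromisoformat(parts[0])
        result, user, src = parts[1:]
        recent = failures[(user, src)]
        while recent and ts - recent[0] > window:
            recent.popleft()  # forget failures older than the window
        if result == "FAIL":
            recent.append(ts)
            if len(recent) == threshold:  # fire once, when the threshold is first crossed
                alerts.append({"type": "brute-force", "user": user, "src": src, "at": ts.isoformat()})
        elif result == "SUCCESS" and len(recent) >= threshold:
            alerts.append({"type": "success-after-burst", "user": user, "src": src, "at": ts.isoformat()})
            recent.clear()  # the burst has been reported; start fresh
    return alerts
```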
Anti-virus
The following table provides examples of use cases that are affected by anti-virus log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
- Persistence
- Initial Access
- Defense Evasion

| Use case | Examples |
|---|---|
| Advanced Persistent Threat | Monitor for activities such as: |
| Critical Data Protection | Detection of a virus outbreak to prevent movement to servers that contain critical business data. |
| Incident Response | Visibility into where a specific virus signature was seen. |
| Compliance | Ensuring up-to-date AV definitions on critical hosts/servers. |
| Risk and Vulnerability Management | Connections to malicious web domains indicate a vulnerable host that is compromised. |

Find out more about each technique and tactic: (https://attack.mitre.org/wiki/Technique_Matrix)
Netflow
The following table provides examples of use cases that are affected by Netflow log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
- Lateral Movement
- Discovery
- Persistence Mechanism
- Defense Evasion
- Data Exfiltration
- Credential Access
- Command and Control

| Use case | Examples |
|---|---|
| Advanced Persistent Threat | Monitor for activities such as: |
| Insider Threat | Phishing detection. |
| Securing the Cloud | Monitor for activities such as: |
| Critical Data Protection | Data can be exfiltrated through many methods. Identify and track suspicious files such as: |
| Incident Response | Provides a huge pool of investigative data to determine the spread of an attack: domain communication, hashes that are downloaded, IP addresses that are communicated with, file names, and data volumes transferred. |
| Compliance | Monitor for critical asset communications (for example, a crown-jewel asset communicating with the open Internet). |
| Risk and Vulnerability Management | Prioritize host vulnerability remediation based on the risk level of the hosts they communicate with. |

Find out more about each technique and tactic: (https://attack.mitre.org/wiki/Technique_Matrix)
Database Logs
The following table provides examples of use cases that are affected by database log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
- Credential Access
- Collection
- Initial Access
- Discovery
- Data Exfiltration
- Privilege Escalation

| Use case | Examples |
|---|---|
| Insider Threat | Detect unauthorized database access and data theft. |
| Critical Data Protection | Databases often include sensitive corporate information and require monitoring for most compliance standards. Monitor for unauthorized user permission changes. |
| Incident Response | Evidence of what data was accessed, and by whom, during a breach. |
| Compliance | Databases often include sensitive corporate information and require monitoring for most compliance standards. |
| Risk and Vulnerability Management | Prioritize vulnerabilities on hosts with active databases that potentially contain critical data. Detect default accounts and passwords that are enabled. |

Find out more about each technique and tactic: (https://attack.mitre.org/wiki/Technique_Matrix)
EDR (Endpoint Detection and Response)
The following table provides examples of use cases that are affected by EDR log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
- Credential Access
- Privilege Escalation
- Discovery

| Use case | Examples |
|---|---|
| Advanced Persistent Threat | Monitor for activities such as: |
| Incident Response | Rapidly determine the existence of IOCs at endpoints, including hashes and file names. |
| Risk and Vulnerability Management | Correlate vulnerability information with endpoint data. |

Find out more about each technique and tactic: (https://attack.mitre.org/wiki/Technique_Matrix)
Microsoft Office 365
The following table provides examples of use cases that are affected by Microsoft Office 365 log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
- Initial Access
- Execution
- Persistence

| Use case | Examples |
|---|---|
| Incident Response | Evidence of what data was accessed during a breach. |
| Compliance | Continuous monitoring of file activity and user access. |

Find out more about each technique and tactic: (https://attack.mitre.org/wiki/Technique_Matrix)