Former Member
Message 1 of 7

SIEM signatures

Hi all,

I'm just wondering if any of you good folks have a list of signatures that can be used in SIEM or a link to these signatures. Basically, to make it easy, I'm looking for a list(s) of any signatures whatsoever that could prove useful in our efforts to halt attacks.

I appreciate any and all help in advance. I've already found these forums more than useful as I'm still getting used to this product. There seems to be so much to know!

Kindest regards,

Lee

6 Replies
Former Member
Message 2 of 7

Re: SIEM signatures

Lee

You'll need to be more specific as to what you are looking for, what types of attacks, etc.

These will be somewhat unique to each environment, you could start by defining the use case you are looking to address, for example malicious website visits, or a malware detection. These again will be specific to your installation of controls, and these sources being setup in SIEM.

A use case should start by defining a problem or request, the desired outcome, such as alert, alarm, report, automated action, and notifications. From here you can determine the data sources needed, activities or signatures and then response or outcome.

Rick

Former Member
Message 3 of 7

Re: SIEM signatures

Thanks Rick,

I will revisit this. I was hoping that there may be some sort of lists out there that could be used "off the shelf". Thanks anyway and I will give this a bit more thought.

Regards,

Lee

Former Member
Message 4 of 7

Re: SIEM signatures

Lee,

The SIEM supports hundreds of use cases out of the box and more by installing content packs. Use cases are ultimately going to be dictated by the unique variety of data sources that are feeding your SIEM. I recommend starting with your most critical area and, after you're satisfied with the use cases validating the security in that area, moving on to the next one.

For instance, you mention that you're interested in "halting attacks". Is there a particular category of attack you're concerned about? What other devices do you have to aid you in your mission?    

Former Member
Message 5 of 7

Re: SIEM signatures

Hi Andy,

I'm generally interested in any sort of attack, but I'm particularly interested in those by nation states attempting to steal information. Sorry if that's a bit general. I have IDS and FWs along with Windows/Linux/Unix boxes sending through logs.

Former Member
Message 6 of 7

Re: SIEM signatures

Exfiltration is a good and challenging use case. If you actually have crown jewels that you can identify, that's a great start. Best practices will have you storing that data in a segregated area with increased scrutiny for anything crossing the boundaries to access it. Each gate should have some sort of limiting qualifier and you need to have some way to measure that. If your data is stored in a database, it might make sense to do query-level logging to provide visibility into every time that data is accessed. Then you can validate those transactions against correlation rules and statistical analysis to understand when more investigation is required. Or there might be a need to implement a DLP solution to track documents or enable Windows object logging.

The key is to find ways for the SIEM to validate that your security posture is operating as you designed it. From that perspective, is there a method for the FW or IDS to detect the exfiltration of data that you're concerned about? Are there signatures in the IDS (IPS?) that would detect/stop the data? What if the data transfer is encrypted? Are all possible egress points controlled and monitored? If so, then we feed events from those tools into the SIEM and display the security state of the data based on the logs and visibility provided.

The SIEM is just the smart guy at the party. Someone else needs to bring the party.
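As an added example (not from this thread or the product it discusses), here is a small Python correlation pass over constructed database audit lines, applying the ideas in the post above: query-level logging on crown-jewel tables, an allowlist of expected source hosts for the segregated area, and a statistical baseline on rows returned per user. The log format, table names and hosts are assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample DB audit lines (not real data): timestamp user source_host table rows_returned
AUDIT_LOG = """\
2024-05-01T09:02:11Z svc_reports 10.0.5.20 customers_pii 120
2024-05-01T09:15:43Z svc_reports 10.0.5.20 customers_pii 135
2024-05-01T10:01:05Z svc_reports 10.0.5.20 customers_pii 128
2024-05-01T10:44:19Z svc_reports 10.0.5.20 customers_pii 131
2024-05-01T11:20:02Z svc_reports 10.0.5.20 customers_pii 125
2024-05-01T12:05:57Z dba_lee 10.0.5.21 customers_pii 4
2024-05-01T13:10:00Z svc_reports 10.0.5.20 public_catalog 9000
2024-05-01T23:48:30Z svc_reports 10.0.9.77 customers_pii 18500
"""

CROWN_JEWELS = {"customers_pii"}               # tables under increased scrutiny (assumed)
ALLOWED_SOURCES = {"10.0.5.20", "10.0.5.21"}   # hosts inside the segregated area (assumed)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse(log_text):
    """Parse audit lines into event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, host, table, rows = m.groups()
            events.append({"ts": ts, "user": user, "host": host,
                           "table": table, "rows": int(rows)})
    return events


def correlate(events, sigma=3.0, min_history=3):
    """Alert on crown-jewel access that breaks a gate rule (unexpected source host)
    or exceeds the user's row-volume baseline by more than `sigma` std deviations."""
    alerts = []
    history = defaultdict(list)   # (user, table) -> rows returned so far
    for e in events:
        if e["table"] not in CROWN_JEWELS:
            continue
        key = (e["user"], e["table"])
        if e["host"] not in ALLOWED_SOURCES:
            alerts.append(("unexpected_source", e))
        past = history[key]
        if len(past) >= min_history:   # only baseline once enough history exists
            mean, sd = statistics.mean(past), statistics.pstdev(past)
            if e["rows"] > mean + sigma * max(sd, 1.0):   # floor sd to avoid a zero-width band
                alerts.append(("volume_anomaly", e))
        past.append(e["rows"])
    return alerts
```

Running `correlate(parse(AUDIT_LOG))` flags only the late-night 18,500-row read from 10.0.9.77, once for the unexpected host and once for the volume spike; the small DBA query and the catalog table produce nothing.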

Former Member
Message 7 of 7

Re: SIEM signatures

You can google SIEM use cases and get a lot of ideas; brainstorming, we've come up with 173 total, with some dupes and some we may never get in. You can look at malware detections, account lockouts, and alternatives to some of the pre-installed or setup options as well. If you use your imagination, as mentioned a few times here, you'll be surprised. Ask your team or manager what their concerns are; getting these into dashboards allows for some quick wins. A reference I found handy was an AccelOps paper; it also talked about the value of the data sources you get into the SIEM.
