Implementing SIEM Use Cases for Detection
When to Use
Use this skill when:
- SOC teams need to build or expand their SIEM detection library from scratch
- Threat assessments identify ATT&CK technique gaps requiring new detection rules
- Detection engineers need a structured process for use case design, testing, and deployment
- Compliance requirements mandate specific detection capabilities (PCI DSS, HIPAA, SOX)
Do not use for ad-hoc hunting queries — use cases are formalized, tested, and maintained detection rules, not exploratory searches.
Prerequisites
- SIEM platform (Splunk ES, Elastic Security, or Microsoft Sentinel) with production data
- ATT&CK Navigator for coverage gap analysis
- Log sources normalized to CIM/ECS field standards
- Use case documentation framework (wiki, Git repo, or detection engineering platform)
- Testing environment with attack simulation tools (Atomic Red Team, MITRE Caldera)
Workflow
Step 1: Assess Detection Coverage Gaps
Map current detection rules to ATT&CK and identify gaps:
import json
# Load current detection rules mapped to ATT&CK
current_rules = [
{"name": "Brute Force Detection", "techniques": ["T1110.001", "T1110.003"]},
{"name": "Malware Hash Match", "techniques": ["T1204.002"]},
{"name": "Suspicious PowerShell", "techniques": ["T1059.001"]},
]
# Load ATT&CK Enterprise techniques
with open("enterprise-attack.json") as f:
attack = json.load(f)
all_techniques = set()
for obj in attack["objects"]:
if obj["type"] == "attack-pattern":
ext = obj.get("external_references", [])
for ref in ext:
if ref.get("source_name") == "mitre-attack":
all_techniques.add(ref["external_id"])
covered = set()
for rule in current_rules:
covered.update(rule["techniques"])
gaps = all_techniques - covered
print(f"Total techniques: {len(all_techniques)}")
print(f"Covered: {len(covered)} ({len(covered)/len(all_techniques)*100:.1f}%)")
print(f"Gaps: {len(gaps)}")
# Prioritize gaps by threat relevance
priority_techniques = [
"T1003", "T1021", "T1053", "T1547", "T1078",
"T1055", "T1071", "T1105", "T1036", "T1070"
]
priority_gaps = [t for t in priority_techniques if t in gaps]
print(f"Priority gaps: {priority_gaps}")
Step 2: Design Use Case Specification
Document each use case with a standardized template:
use_case_id: UC-2024-015
name: Credential Dumping via LSASS Access
description: Detects tools accessing LSASS process memory for credential extraction
mitre_attack:
tactic: Credential Access (TA0006)
technique: T1003.001 - LSASS Memory
data_sources:
- Process: OS API Execution (Sysmon EventCode 10)
- Process: Process Access (Windows Security 4663)
log_sources:
- index: sysmon, sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
- index: wineventlog, sourcetype: WinEventLog:Security
severity: High
confidence: Medium-High
false_positive_sources:
- Antivirus products scanning LSASS
- CrowdStrike Falcon sensor
- Windows Defender ATP
- SCCM client
tuning_notes: >
Maintain exclusion list for known security tools that legitimately access LSASS.
Review exclusions quarterly for newly deployed security products.
sla: Alert within 5 minutes of detection
owner: detection_engineering_team
status: Production
created: 2024-03-15
last_tested: 2024-03-15
Step 3: Implement Detection Logic Across Platforms
Splunk ES Correlation Search:
| tstats summariesonly=true count from datamodel=Endpoint.Processes
where Processes.process_name="lsass.exe"
by Processes.dest, Processes.user, Processes.process_name,
Processes.parent_process_name, Processes.parent_process
| `drop_dm_object_name(Processes)`
| lookup lsass_access_whitelist parent_process AS parent_process OUTPUT is_whitelisted
| where isnull(is_whitelisted) OR is_whitelisted!="true"
| `credential_dumping_lsass_filter`
Or using raw Sysmon data:
index=sysmon EventCode=10 TargetImage="*\\lsass.exe"
GrantedAccess IN ("0x1010", "0x1038", "0x1fffff", "0x40")
NOT [| inputlookup lsass_whitelist.csv | fields SourceImage]
| stats count, values(GrantedAccess) AS access_flags by Computer, SourceImage, SourceUser
| where count > 0
Elastic Security EQL Rule:
process where event.type == "access" and
process.name == "lsass.exe" and
not process.executable : (
"?:\\Windows\\System32\\svchost.exe",
"?:\\Windows\\System32\\csrss.exe",
"?:\\Program Files\\CrowdStrike\\*",
"?:\\ProgramData\\Microsoft\\Windows Defender\\*"
)
Microsoft Sentinel KQL Rule:
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName == "lsass.exe"
| where ActionType == "ProcessAccessed"
| where InitiatingProcessFileName !in ("svchost.exe", "csrss.exe", "MsMpEng.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName,
InitiatingProcessCommandLine, AccountName
Step 4: Test with Attack Simulation
Validate detection rules using Atomic Red Team:
# Install Atomic Red Team
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing)
Install-AtomicRedTeam -getAtomics
# Execute T1003.001 - Credential Dumping
Invoke-AtomicTest T1003.001 -TestNumbers 1,2,3
# Execute T1053.005 - Scheduled Task
Invoke-AtomicTest T1053.005 -TestNumbers 1
# Execute T1547.001 - Registry Run Key
Invoke-AtomicTest T1547.001 -TestNumbers 1,2
Verify detection in SIEM:
index=sysmon EventCode=10 TargetImage="*\\lsass.exe"
earliest=-1h
| stats count by Computer, SourceImage, GrantedAccess
| where count > 0
Document test results:
TEST RESULTS — UC-2024-015
Atomic Test T1003.001-1 (Mimikatz): DETECTED (alert fired in 47s)
Atomic Test T1003.001-2 (ProcDump): DETECTED (alert fired in 32s)
Atomic Test T1003.001-3 (Task Manager): FALSE NEGATIVE (excluded by whitelist — expected)
False Positive Rate (7-day backtest): 2 events (CrowdStrike scan — added to whitelist)
Step 5: Deploy and Monitor Use Case Health
Track detection rule effectiveness:
-- Use case firing frequency
index=notable
| stats count AS fires, dc(src) AS unique_sources,
dc(dest) AS unique_dests
by rule_name, status_label
| eval true_positive_rate = round(
sum(eval(if(status_label="Resolved - True Positive", 1, 0))) /
count * 100, 1)
| sort - fires
| table rule_name, fires, unique_sources, unique_dests, true_positive_rate
-- Detection latency monitoring
index=notable
| eval detection_latency = _time - orig_time
| stats avg(detection_latency) AS avg_latency_sec,
perc95(detection_latency) AS p95_latency_sec
by rule_name
| eval avg_latency_min = round(avg_latency_sec / 60, 1)
| sort - avg_latency_sec
Step 6: Maintain Use Case Library
Establish lifecycle management for all detection use cases:
USE CASE LIFECYCLE
━━━━━━━━━━━━━━━━━━
1. PROPOSED → New detection need identified (threat intel, gap analysis, incident finding)
2. DEVELOPMENT → Query written, false positive analysis, tuning
3. TESTING → Atomic Red Team validation, 7-day backtest
4. STAGING → Deployed in alert-only mode (no incident creation) for 14 days
5. PRODUCTION → Full production with incident creation and SOAR integration
6. REVIEW → Quarterly review of effectiveness, false positive rate, relevance
7. DEPRECATED → Technique no longer relevant or replaced by better detection
Key Concepts
| Term | Definition | |------|-----------| | Use Case | Formalized detection rule with documented logic, testing, tuning, and lifecycle management | | Detection Engineering | Practice of designing, testing, and maintaining SIEM detection rules as a software development discipline | | Correlation Search | SIEM query that combines events from multiple sources to identify attack patterns | | False Positive Rate | Percentage of alerts that are benign activity — target <20% for production use cases | | Detection Latency | Time between event occurrence and alert generation — target <5 minutes for critical detections | | ATT&CK Coverage | Percentage of relevant ATT&CK techniques with at least one production detection rule |
Tools & Systems
- Splunk ES: Enterprise SIEM with correlation searches, risk-based alerting, and Incident Review
- Elastic Security: SIEM with detection rules, EQL sequences, and ML-based anomaly detection
- Microsoft Sentinel: Cloud SIEM with KQL analytics rules, Fusion ML engine, and Lighthouse multi-tenant
- Atomic Red Team: Open-source attack simulation framework for testing detection rules against ATT&CK techniques
- ATT&CK Navigator: MITRE visualization tool for mapping and tracking detection coverage across techniques
Common Scenarios
- Post-Incident Use Case: After a ransomware incident, build detection for the initial access vector discovered during investigation
- Compliance-Driven: PCI DSS requires detection of admin account misuse — build use cases for 4672/4720/4732 events
- Threat-Intel Driven: New APT group targets your sector — build use cases for their documented TTPs
- Red Team Findings: Purple team exercise identifies blind spots — convert findings into production detection rules
- SIEM Migration: Migrating from QRadar to Splunk — convert and validate all existing use cases on new platform
Output Format
USE CASE DEPLOYMENT REPORT
━━━━━━━━━━━━━━━━━━━━━━━━━
Quarter: Q1 2024
Total Use Cases: 147 (Production: 128, Staging: 12, Development: 7)
New Deployments This Quarter:
UC-2024-012 Kerberoasting Detection (T1558.003) — Production
UC-2024-013 DLL Side-Loading (T1574.002) — Production
UC-2024-014 Scheduled Task Persistence (T1053.005) — Production
UC-2024-015 LSASS Memory Access (T1003.001) — Staging
ATT&CK Coverage:
Overall: 67% of relevant techniques (up from 61%)
Initial Access: 78%
Execution: 82%
Persistence: 71%
Credential Access: 65%
Lateral Movement: 58% (priority gap area)
Health Metrics:
Avg True Positive Rate: 74% (target: >70%)
Avg Detection Latency: 2.3 min (target: <5 min)
Use Cases Deprecated: 3 (replaced by improved versions)