Threat use cases by log source type
External log sources feed raw events to the QRadar® system and provide different perspectives on your network, such as audit, monitoring, and security. It's critical that you collect all types of log sources so that QRadar can provide the information that you need to protect your organization and environment from external and internal threats. For example, if your organization adopts cloud services and begins to onboard Amazon Web Services (AWS), Azure cloud services, or Microsoft Office 365, add those log sources to QRadar so that you keep visibility into malicious activity and compliance breaches.
The following matrix shows which threat use cases each log source type supports; each log source is described in its own section below. For each log source, the relevant ATT&CK framework categories are listed. The Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework was developed by Mitre Corp. This public knowledge base of threat tactics and techniques helps your security analysts understand attacker behavior and how to prevent adversarial attacks on your organization's networks. If you don't collect a log source type, the tactics it covers become blind spots.
Log sources | Advanced Persistent Threat | Insider Threat | Securing the Cloud | Critical Data Protection | Incident Response | Compliance | Risk and Vulnerability Management |
---|---|---|---|---|---|---|---|
Firewall/Router | ✓ | | ✓ | ✓ | ✓ | ✓ | ✓ |
IDS/IPS (Intrusion Detection System/Intrusion Protection System) | ✓ | | | ✓ | ✓ | | ✓ |
Web Proxy | ✓ | ✓ | ✓ | ✓ | | ✓ | |
VPN | ✓ | ✓ | | | | | |
DNS | ✓ | ✓ | | | | | |
DHCP | ✓ | ✓ | | | ✓ | | |
Mail Logs | ✓ | ✓ | | ✓ | | | |
DLP (Data Loss Prevention) | ✓ | ✓ | | ✓ | | ✓ | |
Endpoint | ✓ | ✓ | | ✓ | | ✓ | ✓ |
Identity/Authentication (LDAP/AD/Radius) | ✓ | ✓ | ✓ | | ✓ | | |
Anti Virus | ✓ | | | ✓ | ✓ | ✓ | ✓ |
QRadar Network Insights/Netflow | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Database Logs | | ✓ | | ✓ | ✓ | ✓ | ✓ |
EDR | ✓ | | | | ✓ | | ✓ |
Cloud Infrastructure/Audit (AWS CloudTrail, Azure Event Hubs) | ✓ | ✓ | ✓ | ✓ | | ✓ | |
Office 365 | | | ✓ | | ✓ | ✓ | |
Firewall/Router
- Defense Evasion
- Discovery
- Command and Control
- Exfiltration
Use case | Examples |
---|---|
Advanced Persistent Threat | Firewall data helps detect command and control activity. Use it to spot external reconnaissance and to block communication with known malicious IP addresses before it enters your environment. |
Securing the Cloud | Identify risky internet service provider connections, such as connections to TOR. |
Critical Data Protection | Discover and protect against abnormal database connection attempts. |
Incident Response | See which hosts communicated with an infected host so that you can stop the infection from spreading. |
Compliance | Monitor for unauthorized or unexpected firewall configuration changes to allow access to critical business assets. For example, PCI requires all critical assets that contain “banking information” to communicate through an internal DMZ with no direct access to the outside world. |
Risk and Vulnerability Management | Discover assets that are actively communicating on vulnerable ports. |
Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)
Intrusion detection system (IDS)/Intrusion protection system (IPS)
- Defense Evasion
- Persistence Mechanism
- Discovery
- Command and Control
Use case | Examples |
---|---|
Advanced Persistent Threat | Correlate threat events with vulnerabilities, and then escalate those threat events. Perform more precise offense detection. |
Critical Data Protection | SQL injection, cross-site scripting (XSS) |
Incident Response | See which hosts are infected and watch for potential epidemics so that you can stop the infection from spreading. |
Risk and Vulnerability Management | Validate and assess threats to prioritize by correlating with asset and vulnerability data. |
Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)
Web proxy
- Defense Evasion
- Persistence Mechanism
- Data Exfiltration
- Command and Control
- Privilege Escalation
- Credential Access
Use case | Examples |
---|---|
Advanced Persistent Threat | Monitor for malicious domain communication, data exfiltration, and command and control activities. Detect attempts to bypass normal user restrictions by surfing with a service account. |
Insider Threat | Track malicious activity such as crypto mining that uses corporate resources. |
Securing the Cloud | Detect shadow IT, unapproved cloud service usage, and potential data exfiltration from corporate environments. |
Critical Data Protection | Monitor for unauthorized data exfiltration. |
Compliance | Monitor for critical asset communication with the outside world. |
Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)
VPN
- Credential Access
- Lateral Movement
Use case | Examples |
---|---|
Advanced Persistent Threat | Monitor for logins from suspicious locations. |
Insider Threat | Detect the use of VPN for users outside of normal usage patterns or from abnormal geographical areas. |
Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)
DNS
- Defense Evasion
- Persistence Mechanism
- Command and Control
- Exfiltration
- Credential Access (note: Technique T1171)
Use case | Examples |
---|---|
Advanced Persistent Threat | Monitor for malicious DNS usages such as domain name generation, tunneling, and squatting. |
Insider Threat | Detect tunneling of traffic through DNS records. |
Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)
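As an added example (not QRadar code and not from this page), the following Python sketches the two DNS heuristics the table above mentions, run over constructed query-log lines: a long, high-entropy second-level label suggests a domain generation algorithm, and repeated long subdomains under one registered domain suggest tunneling. The four-field log format, the thresholds and the two-label "registered domain" shortcut are assumptions.

```python
import math
from collections import Counter

# Constructed DNS query log lines for this example: "<timestamp> <client> <qname> <qtype>"
SAMPLE_DNS_LOG = """\
2024-03-01T10:00:01Z 10.1.2.3 www.example.com A
2024-03-01T10:00:02Z 10.1.2.3 mail.example.com MX
2024-03-01T10:00:05Z 10.1.2.9 xk3j9q2z7w1m5n8v.net A
2024-03-01T10:00:06Z 10.1.2.9 q8w7e6r5t4y3u2i1o0p9a8s7d6f5g4h3.badexample.org A
2024-03-01T10:00:07Z 10.1.2.9 b2a9f1e3c4d5a6b7c8d9e0f1a2b3c4d5.badexample.org TXT
2024-03-01T10:00:08Z 10.1.2.9 9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c.badexample.org TXT
"""

def parse_dns_log(text):
    """Parse the assumed four-field format into dicts with a normalised query name."""
    queries = []
    for line in text.splitlines():
        ts, client, qname, qtype = line.split()
        queries.append({"ts": ts, "client": client, "qname": qname.rstrip(".").lower(), "qtype": qtype})
    return queries

def shannon_entropy(s):
    """Bits per character: random-looking labels score high, dictionary words low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(qname):
    # Simplification: last two labels. Production code should use a public-suffix list.
    return ".".join(qname.split(".")[-2:])

def subdomain(qname):
    return ".".join(qname.split(".")[:-2])

def is_dga_like(qname, min_len=12, min_entropy=3.5):
    # DGA heuristic: a long, high-entropy second-level label (thresholds are assumptions)
    sld = registered_domain(qname).split(".")[0]
    return len(sld) >= min_len and shannon_entropy(sld) >= min_entropy

def tunneling_domains(queries, min_sub_len=30, min_count=3):
    # Tunneling heuristic: many queries carrying long (encoded) subdomains under one domain
    per_domain = Counter(registered_domain(q["qname"]) for q in queries
                         if len(subdomain(q["qname"])) >= min_sub_len)
    return {d for d, c in per_domain.items() if c >= min_count}

def analyze(text):
    queries = parse_dns_log(text)
    return {"dga": sorted({q["qname"] for q in queries if is_dga_like(q["qname"])}),
            "tunneling": sorted(tunneling_domains(queries))}

if __name__ == "__main__":
    print(analyze(SAMPLE_DNS_LOG))
```

Both heuristics produce false positives on CDN and telemetry domains, so in practice they are tuned per environment and combined with reputation data rather than used alone.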
DHCP
The following table provides examples of use cases that are affected by DHCP log sources. Data from this type of log source is important for detecting the adversarial techniques in the Defense Evasion ATT&CK category.
Use case | Examples |
---|---|
Advanced Persistent Threat | Detection of rogue access points or other unexpected device presence on corporate network. |
Insider Threat | Detection of rogue access points or other unexpected device presence on corporate network. |
Incident Response | Identification of which host had a specific IP address at the time of an incident. |
Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)
Mail logs
- Execution
- Initial Access
- Collection
Use case | Examples |
---|---|
Advanced Persistent Threat | Monitor for phishing and spam. |
Insider threat | Phishing |
Critical Data Protection | Phishing, data exfiltration by email |
Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)
DLP (data loss prevention)
- Data Exfiltration
- Collection
Use case | Examples |
---|---|
Advanced Persistent Threat | Data can be exfiltrated through many methods. Identify and track suspicious files such as: |
Insider Threat | Data can be exfiltrated through many methods. Identify and track suspicious files such as: |
Critical Data Protection | Data can be exfiltrated through many methods. Identify and track suspicious files such as: |
Compliance | Data can be exfiltrated through many methods. Identify and track suspicious files such as: |
Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)
Endpoint
- Privilege Escalation
- Initial Access
- Execution
- Persistence
- Credential Access
- Defense Evasion
- Discovery
- Lateral Movement
- Collection
- Exfiltration
- Command and Control
Use case | Examples |
---|---|
Advanced Persistent Threat | Monitor for malicious hashes, suspicious PowerShell activity, process abuse, or other suspicious endpoint activities. |
Insider Threat | Detection of persistent malware that consumes host resources (for example, crypto mining). |
Critical Data Protection | Data can be exfiltrated through many methods. Identify and track suspicious files such as: |
Compliance | Monitor for adherence to corporate company policy (for example, unapproved software use). |
Risk and Vulnerability Management | Assess and manage risk based on the vulnerabilities that are present on each endpoint. |
Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)
Identity/Authentication (LDAP/AD/Radius)
- Privilege Escalation
- Credential Access
- Initial Access
Note: You can also track privilege abuse (for example, surfing with a super account, or privileges that are given to users).
Use case | Examples |
---|---|
Advanced Persistent Threat | Monitor for activities such as brute force login by malware, lateral movement through the network, or suspicious logins. |
Insider Threat | Account takeover by malware |
Securing the Cloud | Provide user-to-IP association to help identify cloud users from data that contains only a source IP address. |
Incident Response | Visibility into where a user logged in during the IR process. |
Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)
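As an added example (not QRadar code and not from this page), the following Python shows the IP-to-host and user-to-IP attribution described in the DHCP and Identity/Authentication sections, over constructed DHCP and logon events: the DHCP lease interval fixes which host held an address at the incident time, and only successful logons inside that same lease are attributed, so an address reused after a release is not pinned on the previous user. The log formats and field names are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed DHCP server events and directory logon events for this example.
DHCP_LOG = """\
2024-03-01T08:00:00Z DHCPACK on 10.1.2.9 to 00:11:22:33:44:55 (laptop-0421)
2024-03-01T12:00:00Z DHCPRELEASE of 10.1.2.9 from 00:11:22:33:44:55 (laptop-0421)
2024-03-01T12:05:00Z DHCPACK on 10.1.2.9 to 66:77:88:99:aa:bb (kiosk-07)
"""
AUTH_LOG = """\
2024-03-01T08:02:10Z logon user=jdoe src=10.1.2.9 result=success
2024-03-01T09:15:00Z logon user=jdoe src=10.1.2.9 result=failure
2024-03-01T12:06:00Z logon user=svc-kiosk src=10.1.2.9 result=success
"""
DHCP_RE = re.compile(r"(\S+) DHCP(ACK|RELEASE) (?:on|of) (\S+) (?:to|from) (\S+) \((\S+)\)")
AUTH_RE = re.compile(r"(\S+) logon user=(\S+) src=(\S+) result=(\S+)")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_leases(text):
    """Turn ACK/RELEASE events into (ip, host, mac, start, end) intervals; end is None while active."""
    leases, active = [], {}
    for line in text.splitlines():
        ts, kind, ip, mac, host = DHCP_RE.match(line).groups()
        t = parse_ts(ts)
        if ip in active:  # a RELEASE, or a new ACK for the same IP, ends the current lease
            leases.append(active.pop(ip) + (t,))
        if kind == "ACK":
            active[ip] = (ip, host, mac, t)
    leases.extend(lease + (None,) for lease in active.values())
    return leases

def lease_at(leases, ip, at):
    for lease_ip, host, _mac, start, end in leases:
        if lease_ip == ip and start <= at and (end is None or at < end):
            return host, start
    return None

def attribute(ip, at_str, dhcp_log=DHCP_LOG, auth_log=AUTH_LOG):
    """Which host, and which user, was behind this IP at this moment?"""
    at = parse_ts(at_str)
    lease = lease_at(build_leases(dhcp_log), ip, at)
    if lease is None:
        return {"host": None, "user": None}  # address unassigned at that time
    host, start = lease
    user = None
    for line in auth_log.splitlines():
        ts, u, src, result = AUTH_RE.match(line).groups()
        t = parse_ts(ts)
        if src == ip and result == "success" and start <= t <= at:
            user = u  # log is chronological, so the last match is the most recent logon
    return {"host": host, "user": user}
```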
Anti-virus
- Persistence
- Initial Access
- Defense Evasion
Use case | Examples |
---|---|
Advanced Persistent Threat | Monitor for activities such as: |
Critical Data Protection | Detection of virus outbreak to prevent movement to servers that contain critical business data. |
Incident Response | Visibility into where a specific virus signature was seen. |
Compliance | Ensuring up-to-date AV definitions on critical hosts/servers. |
Risk and Vulnerability Management | Connections to malicious WWW domains indicate a vulnerable host that has been compromised. |
Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)
QRadar Network Insights/Netflow
- Lateral Movement
- Discovery
- Persistence Mechanism
- Defense Evasion
- Data Exfiltration
- Credential Access
- Command and Control
Use case | Examples |
---|---|
Advanced Persistent Threat | Monitor for activities such as: |
Insider Threat | Phishing detection |
Securing the Cloud | Monitor for activities such as: |
Critical Data Protection | Data can be exfiltrated through many methods. Identify and track suspicious files such as: |
Incident Response | Provides a large pool of investigative data to determine the spread of an attack: domain communication, hashes that are downloaded, IP addresses that are communicated with, file names, and data volumes transferred. |
Compliance | Monitor for critical asset communications (for example, a crown-jewel asset communicating with the open internet). |
Risk and vulnerability management | Prioritize host vulnerability remediation based on the risk level of the hosts they communicate with. |
Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)
Database logs
- Credential Access
- Collection
- Initial Access
- Discovery
- Data Exfiltration
- Privilege Escalation
Use case | Examples |
---|---|
Insider Threat | Detect unauthorized database access and data theft. |
Critical Data Protection | Databases often include sensitive corporate information and require monitoring for most compliance standards. Monitor for unauthorized user permission changes. |
Incident Response | Evidence of what data was accessed, and by whom, during a breach. |
Compliance | Databases often include sensitive corporate information and require monitoring for most compliance standards. |
Risk and Vulnerability Management | Prioritize vulnerabilities on hosts with active databases that potentially contain critical data. Detect default accounts and passwords that are enabled. |
Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)
EDR (endpoint detection and response)
- Credential Access
- Privilege Escalation
- Discovery
Use case | Examples |
---|---|
Advanced Persistent Threat | Monitor for activities such as: |
Incident Response | Rapidly determine existence of IOCs at endpoints, including hashes and file names. |
Risk and Vulnerability Management | Correlate vulnerability information with endpoint data. |
Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)
Cloud Infrastructure/Audit (AWS CloudTrail, Azure Event Hubs)
- Credential Access
- Privilege Escalation
Use case | Examples |
---|---|
Advanced Persistent Threat | Multi-vector attacks that impact multiple cloud environments; cryptojacking (hijacking cloud computing resources for cryptocurrency mining). |
Insider Threat | Detection of compromised cloud accounts, escalated role or user privileges, and altered network security group access policies. |
Securing the Cloud | Monitor for activities such as: |
Critical Data Protection | Lockdown and isolation of sensitive data repositories. |
Compliance | Retention of cloud audit trail logs and ensuring log integrity. |
Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)
Microsoft Office 365
- Initial Access
- Execution
- Persistence
Use case | Examples |
---|---|
Securing the Cloud | Monitor for activities such as: |
Incident Response | Evidence of what data was accessed during a breach. |
Compliance | Continuous monitoring of file activity and user access. |
Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)