Use Cases - Collection

Hello everyone!

I’m pretty new to Rapid7 IDR & SIEM and hopefully some of you have already gained some experience with it and would like to share some information.

Does somebody have some use cases, custom logs to share or recommendation for any alerts that we can or should add in our system?

Maybe we can create a collection of useful use-case scenarios 🙂

Hey @ocoscia,

The custom logs are really dependent on what each org decides to upload to the platform, so it’s kind of a difficult question to answer completely, but here goes:

Custom logs I’ve seen uploaded:
AD Security Event Log (when setting up the AD event source, check the box for all unfiltered logs)
Palo Alto Cortex

To break down use cases for each, I would suggest looking for activity from any of your log sets, custom or otherwise, that you would like to see or be notified of. Creating dashboards is a great way to see everything in one go with full customization so that you only see what interests you or your team. Should any log activity require notifications that aren’t covered by ABA or UBA, then go ahead and create some custom pattern detections for those.

Take a look at the Dashboard Card Library, in the upper right portion of the screen when you are in the main dashboard area of IDR, and see if anything there is available for you to add right away (ensure you have the logs needed in IDR to power the dashboards so they provide data).

A really popular one for AD is looking under the raw logs, if you have your domain controllers plugged in as event sources with the WMI collection method and the unfiltered log box checked in the event source config. This provides the entire domain controller’s security event log and is great for visibility on what’s going on in your Active Directory environment. A lot of users have built custom pattern detections from there in order to be notified should end users be doing things they shouldn’t, or just to keep an eye on things.

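The custom pattern detections over the unfiltered AD Security Event Log mentioned in the reply above, as an added example that is not code from the thread or from Rapid7: a small Python script that runs the kind of logic such a detection encodes over constructed sample events. The field names follow the Windows Security log (SubjectUserName, MemberName, TargetUserName); the JSON layout, the privileged group names and all sample values are assumptions for this example.

```python
import json
import re

# Groups whose membership changes should page someone (assumed names; adjust to your domain).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Standard Windows Security event IDs for account creation and group membership changes.
EVENT_RULES = {4720: "user_account_created", 4728: "member_added_to_global_group",
               4732: "member_added_to_local_group", 4756: "member_added_to_universal_group"}

# Constructed sample events, loosely modelled on Security log fields (not real log data).
SAMPLE_LINES = [
    '{"EventID": 4720, "SubjectUserName": "jdoe", "TargetUserName": "svc-backup2"}',
    '{"EventID": 4728, "SubjectUserName": "jdoe", "MemberName": "CN=svc-backup2,OU=Svc,DC=corp,DC=example", "TargetUserName": "Domain Admins"}',
    '{"EventID": 4732, "SubjectUserName": "helpdesk1", "MemberName": "CN=asmith,OU=Staff,DC=corp,DC=example", "TargetUserName": "Remote Desktop Users"}',
    'garbage line that is not JSON',
]

def member_cn(dn):
    """Pull the CN out of a distinguished name such as CN=bob,OU=x,DC=y."""
    m = re.match(r"CN=([^,]+)", dn or "")
    return m.group(1) if m else (dn or "")

def detect(lines):
    """Return (rule, severity, actor, target) tuples for events worth alerting on."""
    alerts = []
    recently_created = set()            # accounts created earlier in this batch
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue                    # skip unparsable lines rather than crash the detection
        eid = ev.get("EventID")
        rule = EVENT_RULES.get(eid)
        if rule is None:
            continue                    # event ID we have no rule for
        actor, target = ev.get("SubjectUserName", "-"), ev.get("TargetUserName", "")
        if eid == 4720:
            recently_created.add(target)
            alerts.append((rule, "low", actor, target))
        else:
            if target not in PRIVILEGED_GROUPS:
                continue                # routine group change, not worth an alert here
            member = member_cn(ev.get("MemberName"))
            # A brand-new account landing in a privileged group is the pattern to escalate.
            sev = "high" if member in recently_created else "medium"
            alerts.append((rule, sev, actor, f"{member} -> {target}"))
    return alerts
```

Running `detect(SAMPLE_LINES)` yields two alerts: the account creation and the high-severity addition of that new account to Domain Admins; the Remote Desktop Users change and the unparsable line are skipped.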