SIEM

Application Log Use Cases

Grouped by Detection Method

Aggregate Count

Blacklist Alert

Whitelist Alert

Levenshtein Score Alert

Rolling Whitelist Alert

• Newly Observed Host IPS Signature
• Newly Observed Host IPS Signature per System/User
• Newly Observed IPS Signature
• Newly Observed IPS Signature per Source System
• Newly Observed IPS Signature per Target System
• Newly Observed IPS Source System
• Newly Observed IPS Target System

Shannon Entropy Score Alert

Threshold Alert

• Signature Name where Count exceeds threshold

Log Source Examples

• DHCP Server Logs
• Reverse Web Proxy Logs
• Host IDS Logs
• Microsoft-Windows-Windows Defender/Operational Event ID 1115
• Microsoft-Windows-Windows Defender/Operational Event ID 1116

Possible False Positives

This site is open source. Improve this page.