SIEM Use Cases

SIEM use cases define what the SIEM should detect, how it detects it, and which attacker techniques it maps to. A “use case” is not just a rule—it is a complete detection scenario that includes required log sources, attacker behavior, detection logic, correlation, alert details, and analyst actions.
A mature SOC builds dozens to hundreds of use cases across all stages of the attack lifecycle.

This chapter explains SIEM use cases in full depth with practical examples, required logs, detection logic, and how these use cases expose real attacker behavior.


What Is a SIEM Use Case?

A SIEM use case is a defined security scenario the SIEM is designed to detect.
It includes:

  • Threat description

  • Attacker behavior

  • Required log sources

  • Event patterns

  • Detection logic

  • Thresholds

  • Correlation chains

  • MITRE ATT&CK mapping

  • Alert output fields

  • Recommended SOC actions

A use case is a complete detection package—not just a rule.


Why Use Cases Matter

Without use cases:

  • SIEM produces random noise

  • Detection becomes inconsistent

  • Coverage gaps appear

  • Analysts miss true attacks

  • SOC cannot measure maturity

Use cases allow the SOC to focus on the right threats with structured logic.


Core SIEM Use Case Categories

A professional SOC builds use cases in the following areas:

  • Authentication security

  • Endpoint execution

  • Credential access

  • Persistence creation

  • Privilege escalation

  • Lateral movement

  • Data exfiltration

  • Cloud security

  • Network attacks

  • Insider threats

  • Application attacks

  • Malware and exploit behavior

Below is a deep, practical breakdown of the most critical use cases in a real SOC.


Authentication Use Cases

1. Brute Force Attack

Description: Multiple failed logins followed by success.
Log Sources: Windows 4625/4624, Linux auth.log, AD, VPN logs
Detection Logic:

failed_logins >= 10 from same IP in 5 min
AND a successful login follows

Attack Exposed: Credential guessing
MITRE: T1110
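The brute force logic above, written out as a runnable sliding-window detector. This is an added example, not code from the original chapter; it runs over constructed events shaped like Windows 4625/4624 entries, and the field names time, event_id, src_ip and user are assumed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events shaped like Windows Security log entries
# (4625 = failed logon, 4624 = successful logon); field names are assumed.
BASE = datetime(2024, 5, 1, 10, 0, 0)
SAMPLE_EVENTS = (
    # 10 failures from one IP in under 4 minutes, then a success: should alert
    [{"time": (BASE + timedelta(seconds=25 * i)).isoformat(), "event_id": 4625,
      "src_ip": "203.0.113.7", "user": "jsmith"} for i in range(10)]
    + [{"time": (BASE + timedelta(seconds=260)).isoformat(), "event_id": 4624,
        "src_ip": "203.0.113.7", "user": "jsmith"}]
    # 10 failures spread over 9 minutes, then a success: only 5 fall inside
    # the 5-minute window, so no alert
    + [{"time": (BASE + timedelta(seconds=60 * i)).isoformat(), "event_id": 4625,
        "src_ip": "192.0.2.9", "user": "svc_backup"} for i in range(10)]
    + [{"time": (BASE + timedelta(seconds=560)).isoformat(), "event_id": 4624,
        "src_ip": "192.0.2.9", "user": "svc_backup"}]
    # ordinary login with no preceding failures
    + [{"time": (BASE + timedelta(seconds=600)).isoformat(), "event_id": 4624,
        "src_ip": "198.51.100.5", "user": "admin"}]
)


def detect_brute_force(events, threshold=10, window=timedelta(minutes=5)):
    """Return one alert per successful logon that was preceded by at least
    `threshold` failed logons from the same source IP inside `window`."""
    failures = defaultdict(deque)  # src_ip -> timestamps of recent 4625 events
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        recent = failures[ev["src_ip"]]
        # slide the window: discard failures older than `window`
        while recent and ts - recent[0] > window:
            recent.popleft()
        if ev["event_id"] == 4625:
            recent.append(ts)
        elif ev["event_id"] == 4624 and len(recent) >= threshold:
            alerts.append({"src_ip": ev["src_ip"], "user": ev["user"],
                           "failed_count": len(recent),
                           "success_time": ev["time"], "mitre": "T1110"})
            recent.clear()  # one alert per burst
    return alerts
```

Lowering the threshold shows why it matters: at threshold=3 the slow burst from 192.0.2.9 also alerts, because five of its failures still sit inside the window.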


2. Impossible Travel

Description: Same user logs in from two distant locations too quickly.
Logs: AD, Azure AD, VPN, cloud login logs
Detection Logic:

login_location1 = India 10:00 AM
login_location2 = UK 10:05 AM

MITRE: T1078 (Valid Accounts)
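The impossible travel check needs a concrete notion of "too quickly": distance between the two geo-resolved login locations divided by the time between them, compared with a maximum plausible speed. Added example, not from the original chapter; the login fields (user, time, lat, lon, ip), the sample coordinates and the 900 km/h ceiling are assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed login events with geo-resolved coordinates (not real data).
# Roughly New Delhi -> London in 5 minutes, and London -> Paris in 2.5 hours.
SAMPLE_LOGINS = [
    {"user": "asha", "time": "2024-05-01T10:00:00", "lat": 28.61, "lon": 77.21, "ip": "203.0.113.10"},
    {"user": "asha", "time": "2024-05-01T10:05:00", "lat": 51.51, "lon": -0.13, "ip": "198.51.100.20"},
    {"user": "bob", "time": "2024-05-01T09:00:00", "lat": 51.51, "lon": -0.13, "ip": "198.51.100.21"},
    {"user": "bob", "time": "2024-05-01T11:30:00", "lat": 48.86, "lon": 2.35, "ip": "192.0.2.30"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def detect_impossible_travel(logins, max_speed_kmh=900.0):
    """Flag consecutive logins by the same user whose implied travel speed
    exceeds max_speed_kmh (assumed ceiling, roughly airliner speed)."""
    alerts = []
    last_login = {}  # user -> most recent login seen so far
    for ev in sorted(logins, key=lambda e: e["time"]):
        prev = last_login.get(ev["user"])
        if prev is not None:
            elapsed = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(prev["time"])
            hours = elapsed.total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            # two logins at the same instant from different places is infinite speed
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append({"user": ev["user"], "from_ip": prev["ip"], "to_ip": ev["ip"],
                               "distance_km": round(km), "minutes": round(hours * 60),
                               "speed_kmh": round(speed), "mitre": "T1078"})
        last_login[ev["user"]] = ev
    return alerts
```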


3. Privileged Account Misuse

Description: An admin account used in unusual places.
Logs: AD, Windows 4624, Azure IAM
Logic:

admin login from host where admin never logged in before

Endpoint Execution Use Cases

4. Suspicious PowerShell Execution

Description: Encoded or obfuscated PowerShell use.
Logs: Sysmon ID 1, PowerShell 4104
Logic:

powershell.exe AND commandline contains "-enc"

MITRE: T1059.001


5. Office Macro Launching Process

Description: Word → PowerShell
Logs: Sysmon
Logic:

parent_process = winword.exe AND process = powershell.exe

MITRE: T1204, T1059


6. WMI-Based Persistence or Execution

Logs: Sysmon 19, 20, 21
Logic:

WMI event consumer or WMI command execution

MITRE: T1047


Credential Access Use Cases

7. LSASS Memory Access (Mimikatz)

Logs: Sysmon ID 10, EDR
Logic:

process accesses lsass.exe AND process != legitimate Windows process

MITRE: T1003


8. NTDS.dit / SAM Dump Attempt

Logs: Windows 4662, EDR
Logic:

Access to SAM/SECURITY/NTDS hive

Privilege Escalation Use Cases

9. New Admin User Created

Logs: Windows 4720, 4732, 4728
Logic:

ANY admin group membership change

MITRE: T1068


10. Token Manipulation

Logs: Sysmon, EDR
Logic:

process performing suspicious impersonation/syscalls

Persistence Use Cases

11. Scheduled Task Creation

Logs: Sysmon 1, 13
Logic:

schtasks.exe /create

MITRE: T1053


12. Run Registry Key Modified

Logs: Sysmon 13
Logic:

registry modification under HKLM\...\Run

MITRE: T1547


Lateral Movement Use Cases

13. Pass-the-Hash / Pass-the-Ticket

Logs: 4624 type 3, Kerberos logs, Sysmon
Logic:

logon with no pre-authentication + unusual host access

MITRE: T1550


14. Remote Service Creation

Logs: Sysmon 7, Windows 7045
Logic:

new service created remotely

Data Exfiltration Use Cases

15. Large Outbound Transfer

Logs: Firewall, proxy, VPC Flow Logs
Logic:

outbound_bytes > 1GB AND destination not in whitelist

MITRE: T1041


16. Suspicious Cloud Storage Downloads

Logs: S3 access logs, Azure Blob logs
Logic:

user downloaded unusually high number of objects

Cloud Security Use Cases

17. Cloud Privilege Escalation

Logs: CloudTrail/IAM logs
Logic:

AttachPolicy AdminAccess to non-admin user

MITRE: T1078


18. New Access Keys Created

Logic:

CreateAccessKey AND user not in key-approved list

Insider Threat Use Cases

19. Mass File Access or Deletes

Logs: File server logs, DLP
Logic:

file_access_count > threshold

20. USB Data Transfer Spike

Logs: DLP, device control logs
Logic:

file copied to USB > threshold

Application Security Use Cases

21. SQL Injection Attempts

Logs: WAF logs, web logs
Logic:

query contains ' OR 1=1 -- 

22. Directory Traversal Attempts

Logs: Web server
Logic:

URI contains ../

Threat Intelligence Use Cases

23. Communication With Known C2 IP

Logs: Firewall, DNS, EDR
Logic:

dest_ip IN threat_intel.bad_ips

24. Malware Hash Detection

Logs: EDR
Logic:

file_hash IN malware_hash_list

Full Attack Kill Chain Use Case (Correlation)

A mature SIEM correlates multiple use cases:

  1. Suspicious email → phishing

  2. Macro → PowerShell

  3. Payload download

  4. Privilege escalation

  5. LSASS access

  6. Lateral movement

  7. Exfiltration

This becomes one Critical SIEM Alert.


Intel Dump

  • SIEM use cases define attacker scenarios the SIEM must detect.

  • Use cases require specific log sources, logic, thresholds, and MITRE mappings.

  • Categories include authentication, execution, credential theft, persistence, lateral movement, exfiltration, cloud security, insider threats, and more.

  • Practical examples include brute force, PowerShell abuse, LSASS access, cloud PrivEsc, large outbound transfers, and correlated kill chains.

  • Strong use cases detect real attacker behavior across the entire attack lifecycle.
