Top Use Cases for SIEM solutions

A security information and event management (SIEM) system is an essential tool for monitoring and detecting organizational security threats with the help of a use case framework. An effective use case framework is always aligned with an organization’s security, compliance, and business requirements to provide strong detection capabilities consistent with the organization’s threat landscape.

In this article, we will discuss the importance of SIEM as a security solution and what organizational use cases it covers, followed by an in-depth discussion of how to create, manage, and implement a use case framework for SIEM.

Summary of key SIEM use cases 

In the journey to develop a holistic SIEM use case framework, we need to consider industry standards like PCI DSS, use case drivers, and management of the use case life cycle, each of which must be based on the nature of the organization.

SIEM Use Case Framework

Reference Standards MITRE ATT&CK
Cyber Kill Chain
Key Drivers Business drivers
Threat drivers
Compliance drivers
Lifecycle Management Implementation
Change management
Measurement matrixes

SIEM use case framework

Let’s start by first looking at SIEM, which is a centralized security management platform that collects, aggregates, and analyzes security log data from different sources within an organization’s IT infrastructure, like firewalls, applications, servers, and proxies. The goal of SIEM is to provide real-time visibility into security events and help organizations detect and respond to security incidents in a timely manner.

There are multiple requirements that push organizations to procure SIEM solutions, which are mostly motivated by the need to deal with compliance and security threats. For example, a bank should have a SIEM solution to ensure compliance with PCI DSS requirements. If an organization is planning to develop a security operation center (SOC), special attention should be provided to the SIEM solution as it enables the SOC to provide comprehensive reporting and log correlation.

Implementation of a SIEM solution requires a comprehensive SIEM use case framework that defines what assets should be integrated, what logs should be ingested, and what rules should be created. Drafting a comprehensive use case framework is critical for achieving optimized SIEM, reducing alert fatigue, and managing the threat landscape. 

Many reference frameworks are available over the internet that were developed by communities to provide the baseline for an organization’s SIEM use case framework. These should be studied before drafting your organization’s use case framework:

  • MITRE ATT&CK: A comprehensive framework that describes the tactics, techniques, and procedures (TTPs) used by adversaries during different stages of a cyber-attack. The framework is based on real-world observations of cyber-attacks and is continually updated to include new TTPs. MITRE ATT&CK is widely used by security teams to identify and mitigate risks, develop threat intelligence, and improve incident response.
  • MITRE D3FEND: This framework was developed by the National Security Agency (NSA) to help organizations improve their cybersecurity postures. The framework includes a series of best practices that organizations can follow to strengthen their defenses against cyber-attacks. D3FEND is designed to be scalable and adaptable, and it focuses on five key areas: prioritize, identify, protect, detect, and respond.
  • Cyber Kill Chain: This framework, developed by Lockheed Martin, describes the stages of a cyber-attack from the perspective of an attacker. The framework consists of seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. By understanding each stage of the Cyber Kill Chain, security teams can develop strategies to detect and disrupt attacks at each stage, reducing the impact of an attack and limiting the attacker’s ability to achieve their objectives.

These standards provide guidance for identifying and prioritizing use cases based on threats. However, additional use case context should also be incorporated into the organization’s SIEM use case framework, such as the following:

  • Business use cases: These use cases focus on business logic and context. For example, if the organization does not operate 24/7, the use case of SIEM should include observing administrative and configuration changes outside normal office hours.
  • Industry-specific use cases: These use cases are focused on the specific industry where the SIEM system is being implemented. For example, for a manufacturing industry, a use case should be implemented when any programmable logic controller (PLC) is observed to be connected to the Internet or sending browsing requests.
  • Threat-specific use cases: These use cases are focused on addressing specific threats. For example, a bank should implement a use case to detect all the techniques used by APT 38 in the MITRE ATT&CK framework, since APT 38 targets the financial sector.
  • Compliance-specific use cases: These use cases are focused on monitoring and detecting specific compliance requirements. For example, monitoring access to SWIFT messaging systems to ensure that only authorized users are accessing the system is a mandatory use case for a bank.
Alert Fatigue? Try Devo SOAR

You’re minutes away from deploying AI-driven decision automation. Start your Devo SOAR trial.

Management of SIEM use cases 

Once you have incorporated all the relevant contexts, you can start drafting the list of use cases in your use case framework. However, such information should be managed properly as well, so the implementation of the use case can be tracked and measured. The Management, Growth, Metrics & Assessment (MaGMa) use case lifecycle management framework provides a practical approach to managing use cases by dividing them into stages.

MaGMa use case framework lifecycle

MaGMa use case framework lifecycle (source)

After drafting the framework and creating a high-level management flow, it’s necessary to assign attributes and contexts to each use case:

  • Business driver: The business driver is the primary motivation behind the use case: the business problem or need that the use case aims to address. The business driver is the starting point for any use case and ensures that the use case is aligned with the organization’s overall strategy and objectives.
  • Threat driver: The threat driver is the specific threat or risk that the use case aims to address. This could be a cyber-attack, insider threat, fraud, or any other potential threat to the organization. The threat driver helps ensure that the use case is focused on addressing a specific threat and that it is effective at detecting that threat.
  • Change management: The change management attribute describes how the use case will be integrated into the organization’s existing processes and procedures. This involves updating documentation or communicating changes to stakeholders.
  • Measurement matrix: The measurement matrix attribute describes how the effectiveness of the use case will be measured and evaluated over time. This could involve tracking specific metrics, such as the number of security incidents detected or the time to respond to an incident. The measurement matrix helps ensure that the use case is achieving its intended goals and that any necessary adjustments or improvements can be made over time.

MaGMa use case framework layers (source)

See here for further elaboration on the usage of the MaGMa use case framework, or follow this link to download the MaGMa use case framework tool.

Devo SOAR: Reduce MTTR by 10x

See the difference AI-driven security automation can make. Start your Devo SOAR trial now.

Use case – Denial of service attack

A SIEM should be able to monitor for signs of a DOS attack. The extent to which the SIEM can integrate with other services to consume logs and issue alerts varies depending on which tool you select. Devo, for example, offers a web-based UI from which you can set up DOS monitoring and even inject mock data that simulates a DOS attack to make sure your SIEM is running correctly. 

Simply launch the DoS Detection receptor alert pack from the web interface. Once this is setup, you can consume the data in a number of ways. For example, you can visualize DOS data as a graph as an ActiveBoard:

Alternatively you can send it via email alerts, or any of the many other alert mechanisms available with Devo. Launching both the DOS monitoring receptor as well as an injector to simulate the attack can both be accomplished with just a few clicks from Devo’s web UI.

AI-driven decision automation

Effectively automate alert triage and response

Expedite repetitive security tasks and focus on high-priority threats

Increase security team productivity and reduce alert fatigue


A SIEM solution is a key component of a modern security strategy that must be tailored to the organization’s specific needs and objectives. Implementing SIEM requires a comprehensive use case framework that defines the business objectives and creates correlation rules that align with reference frameworks. This framework should define the organization’s business objectives and identify the data sources that are relevant to achieving those objectives. 

To ensure that the use case framework is effective and sustainable, organizations should follow reference standards, such as MITRE ATT&CK and Cyber Kill Chain, which provide common language and best practices for developing use cases.

Like this article?

Subscribe to our LinkedIn Newsletter to receive more educational content

Subscribe now