Threat use cases by log source type

External log sources feed raw events to the QRadar® system that provide different perspectives about your network, such as audit, monitoring, and security. It's critical that you collect all types of log sources so that QRadar can provide the information that you need to protect your organization and environment from external and internal threats. For example, if your organization adopts cloud services and begins to onboard Amazon Web Services (AWS), or Azure cloud services, or Microsoft Office 365, add the log sources to QRadar so that you continue to have visibility into all malicious activity and compliance breaches.

The following matrix lists the log sources and the use cases that each one supports. For each log source, the relevant ATT&CK framework categories are listed in its own section. The Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework was developed by Mitre Corp. This public knowledge base of threat tactics and techniques helps your security analysts understand attacker threats and how to prevent adversarial attacks on your organization's networks. If you're not collecting a type of log source, the tactics that it would reveal become blind spots.

Table 1. Log sources in QRadar with use cases
Use cases (columns): Advanced Persistent Threat, Insider Threat, Securing the Cloud, Critical Data Protection, Incident Response, Compliance, Risk and Vulnerability Management.
Log sources (rows): Firewall/Router; IDS/IPS (Intrusion Detection System/Intrusion Prevention System); Web Proxy; VPN; DNS; DHCP; Mail Logs; DLP (Data Loss Prevention); Endpoint; Identity/Authentication (LDAP/AD/Radius); Anti Virus; QRadar Network Insights/Netflow; Database Logs; EDR; Cloud Infrastructure/Audit (AWS CloudTrail, Azure Event Hubs); Office 365.
The use cases that apply to each log source are listed in the per-log-source tables that follow.

Firewall/Router

The following table provides examples of use cases that are affected by firewall/router log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
  • Defense Evasion
  • Discovery
  • Command and Control
  • Exfiltration
Table 2. Firewall/Router log source and use case examples
Advanced Persistent Threat: Firewall data helps detect command and control activity. Use it to identify external reconnaissance and to prevent communication with malicious IP addresses from entering your environment.
Securing the Cloud: Identify risky internet service provider connections, such as connections to Tor.
Critical Data Protection: Discover and protect against abnormal database connection attempts.
Incident Response: See which hosts communicated with an infected host so that you can stop the spread of the infection.
Compliance: Monitor for unauthorized or unexpected firewall configuration changes that allow access to critical business assets. For example, PCI requires all critical assets that contain "banking information" to communicate through an internal DMZ with no direct access to the outside world.
Risk and Vulnerability Management: Discover assets that are actively communicating on vulnerable ports.

Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)


Intrusion detection system (IDS)/Intrusion prevention system (IPS)

The following table provides examples of use cases that are affected by IDS/IPS log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
  • Defense Evasion
  • Persistence Mechanism
  • Discovery
  • Command and Control
Table 3. IDS/IPS log source and use case examples
Advanced Persistent Threat: Correlate threat events with vulnerabilities, and then escalate those threat events for more precise offense detection.
Critical Data Protection: SQL injection, cross-site scripting (XSS)
Incident Response: See which hosts are infected and watch for potential epidemics so that you can stop the spread of the infection.
Risk and Vulnerability Management: Validate and assess threats, and prioritize them by correlating with asset and vulnerability data.

Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)


Web proxy

The following table provides examples of use cases that are affected by web proxy log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
  • Defense Evasion
  • Persistence Mechanism
  • Data Exfiltration
  • Command and Control
  • Privilege Escalation
  • Credential Access
Table 4. Web proxy log source and use case examples
Advanced Persistent Threat: Monitor for malicious domain communication, data exfiltration, and command and control activity. Detect attempts to bypass normal user restrictions by browsing with a service account.
Insider Threat: Track malicious activity, such as crypto mining, that uses corporate resources.
Securing the Cloud: Detect shadow IT, unapproved cloud service usage, and potential data exfiltration from corporate environments.
Critical Data Protection: Monitor for unauthorized data exfiltration.
Compliance: Monitor for critical asset communication with the outside world.

Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)


VPN

The following table provides examples of use cases that are affected by VPN log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
  • Credential Access
  • Lateral Movement
Table 5. VPN log source and use case example
Advanced Persistent Threat: Monitor for logins from suspicious locations.
Insider Threat: Detect VPN use by users outside of their normal usage patterns or from abnormal geographical areas.

Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)


DNS

The following table provides examples of use cases that are affected by DNS log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
  • Defense Evasion
  • Persistence Mechanism
  • Command and Control
  • Exfiltration
  • Credential Access (note: Technique T1171)
Table 6. DNS log source and use case examples
Advanced Persistent Threat: Monitor for malicious DNS usage such as domain generation, tunneling, and squatting.
Insider Threat: Detect tunneling of traffic through DNS records.

Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)
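As an added example (not part of the QRadar documentation), the following Python script applies the tunneling and domain-generation heuristics named in the DNS use cases above to constructed DNS query-log lines. The five-field line format, the thresholds, and the two-label registered-domain rule are assumptions for illustration, not a QRadar event format.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query-log lines: "<time> <client> <qname> <qtype> <rcode>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.1.2.3 www.example.com A NOERROR
2024-05-01T10:00:02Z 10.1.2.3 mail.example.com A NOERROR
2024-05-01T10:00:03Z 10.1.2.9 3a7f9c1e0b2d4f6a8c.tun.bad-example.net TXT NOERROR
2024-05-01T10:00:04Z 10.1.2.9 9e1d2c3b4a5f6e7d8c.tun.bad-example.net TXT NOERROR
2024-05-01T10:00:05Z 10.1.2.9 0f1e2d3c4b5a69788a.tun.bad-example.net TXT NOERROR
2024-05-01T10:00:06Z 10.1.2.9 a1b2c3d4e5f6a7b8c9.tun.bad-example.net TXT NOERROR
2024-05-01T10:00:07Z 10.1.2.7 xkqzvbnmwp.com A NXDOMAIN
2024-05-01T10:00:08Z 10.1.2.7 qwrtypsdfg.net A NXDOMAIN
2024-05-01T10:00:09Z 10.1.2.7 zxcvbnmasd.org A NXDOMAIN
2024-05-01T10:00:10Z 10.1.2.7 plmoknijb.info A NXDOMAIN
"""

def shannon_entropy(text: str) -> float:
    """Bits per character: random-looking labels score higher than dictionary words."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def registered_domain(qname: str) -> str:
    """Last two labels. Simplification: production rules should use the public suffix list."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def analyze(lines, min_queries=3, min_payload_len=12, min_entropy=3.0):
    """Return {"tunneling": {(client, domain): stats}, "dga": {client: nxdomain_count}}."""
    per_pair = defaultdict(lambda: {"queries": 0, "prefixes": set(), "entropy": 0.0})
    nx_domains = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of failing the whole rule
        _, client, qname, _qtype, rcode = parts
        domain = registered_domain(qname)
        payload = qname.lower().rstrip(".")[:-len(domain)].rstrip(".").replace(".", "")
        stats = per_pair[(client, domain)]
        stats["queries"] += 1
        stats["prefixes"].add(payload)
        stats["entropy"] += shannon_entropy(payload)
        # DGA signal: many distinct, random-looking second-level labels that do not resolve.
        if rcode == "NXDOMAIN" and shannon_entropy(domain.split(".")[0]) >= min_entropy:
            nx_domains[client].add(domain)
    tunneling = {}
    for key, s in per_pair.items():
        avg_len = sum(map(len, s["prefixes"])) / len(s["prefixes"])
        avg_entropy = s["entropy"] / s["queries"]
        # Tunneling signal: a stream of long, unique, high-entropy labels under one domain.
        if (len(s["prefixes"]) >= min_queries and avg_len >= min_payload_len
                and avg_entropy >= min_entropy):
            tunneling[key] = {"queries": s["queries"], "unique_prefixes": len(s["prefixes"]),
                              "avg_entropy": round(avg_entropy, 2)}
    dga = {c: len(d) for c, d in nx_domains.items() if len(d) >= min_queries}
    return {"tunneling": tunneling, "dga": dga}
```

Entropy and length thresholds are a triage filter, not proof; tune them against your own baseline traffic to keep content-delivery and anti-virus lookup domains out of the results.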


DHCP

The following table provides examples of use cases that are affected by DHCP log sources. Data from this type of log source is important for detecting adversarial techniques in the Defense Evasion ATT&CK category.

Table 7. DHCP log source and use case example
Advanced Persistent Threat: Detection of rogue access points or other unexpected device presence on the corporate network.
Insider Threat: Detection of rogue access points or other unexpected device presence on the corporate network.
Incident Response: Identification of which host had a specific IP address at the time of an incident.

Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)
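As an added example (not part of the QRadar documentation), this Python code answers the Incident Response question above, which host held a given IP address at a given time, by replaying constructed ISC dhcpd-style DHCPACK and DHCPRELEASE lines. The log line shape and the RFC 3339 timestamps are assumptions for illustration; it also assumes a lease stays with its holder until the next ACK or RELEASE for that address.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed ISC dhcpd-style syslog lines with RFC 3339 timestamps (assumed format).
SAMPLE_DHCP_LOG = """\
2024-05-01T08:00:00Z dhcpd: DHCPACK on 10.1.2.50 to aa:bb:cc:00:00:01 (laptop-alice) via eth0
2024-05-01T09:30:00Z dhcpd: DHCPRELEASE of 10.1.2.50 from aa:bb:cc:00:00:01 (laptop-alice) via eth0
2024-05-01T09:45:00Z dhcpd: DHCPACK on 10.1.2.50 to aa:bb:cc:00:00:02 (desk-bob) via eth0
2024-05-01T10:15:00Z dhcpd: DHCPACK on 10.1.2.51 to aa:bb:cc:00:00:03 via eth0
2024-05-01T11:00:00Z dhcpd: DHCPACK on 10.1.2.50 to aa:bb:cc:00:00:02 (desk-bob) via eth0
"""

# Hostname in parentheses is optional: clients do not always send option 12.
ACK_RE = re.compile(r"^(?P<ts>\S+) dhcpd: DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9a-f:]{17})"
                    r"(?: \((?P<host>[^)]*)\))?")
REL_RE = re.compile(r"^(?P<ts>\S+) dhcpd: DHCPRELEASE of (?P<ip>\S+) from (?P<mac>[0-9a-f:]{17})")

def parse_ts(ts: str) -> datetime:
    """Timezone-aware parse so comparisons never mix naive and aware values."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def build_timeline(lines):
    """Return {ip: [(time, mac_or_None, hostname), ...]} sorted by time; None marks a release."""
    events = defaultdict(list)
    for line in lines:
        m = ACK_RE.match(line)
        if m:
            events[m["ip"]].append((parse_ts(m["ts"]), m["mac"], m["host"] or ""))
            continue
        m = REL_RE.match(line)
        if m:
            events[m["ip"]].append((parse_ts(m["ts"]), None, ""))
    for ip in events:  # logs may arrive out of order across collectors
        events[ip].sort(key=lambda e: e[0])
    return events

def who_had_ip(timeline, ip: str, at: datetime):
    """Return (mac, hostname) holding `ip` at time `at`, or None if unassigned or unknown."""
    holder = None
    for ts, mac, host in timeline.get(ip, []):
        if ts > at:
            break  # later events cannot affect the state at `at`
        holder = (mac, host) if mac else None
    return holder
```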


Mail logs

The following table provides examples of use cases that are affected by mail log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
  • Execution
  • Initial Access
  • Collection
Table 8. Mail log source and use case examples
Advanced Persistent Threat: Monitor for phishing and spam.
Insider Threat: Phishing
Critical Data Protection: Phishing, data exfiltration by email

Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)


DLP (data loss prevention)

The following table provides examples of use cases that are affected by DLP log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
  • Data Exfiltration
  • Collection
Table 9. DLP log source and use case examples
Advanced Persistent Threat, Insider Threat, Critical Data Protection, Compliance: Data can be exfiltrated through many methods. Identify and track suspicious indicators such as:
  • DNS abnormalities
  • Sensitive content
  • Aberrant connections
  • Aliases

Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)


Endpoint

The following table provides examples of use cases that are affected by Endpoint log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
  • Privilege Escalation
  • Initial Access
  • Execution
  • Persistence
  • Credential Access
  • Defense Evasion
  • Discovery
  • Lateral Movement
  • Collection
  • Exfiltration
  • Command and Control
Table 10. Endpoint log source and use case examples
Advanced Persistent Threat: Monitor for malicious hashes, suspicious PowerShell activity, process abuse, or other suspicious endpoint activities.
Insider Threat: Detection of persistent malware that consumes host resources (for example, crypto mining)
Critical Data Protection: Data can be exfiltrated through many methods. Identify and track suspicious indicators such as:
  • DNS abnormalities
  • Sensitive content
  • Aberrant connections
  • Aliases
Compliance: Monitor for adherence to corporate policy (for example, unapproved software use).
Risk and Vulnerability Management: Assess and manage risk through vulnerability data.

Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)


Identity/Authentication (LDAP/AD/Radius)

The following table provides examples of use cases that are affected by LDAP/AD/Radius log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
  • Privilege Escalation
  • Credential Access
  • Initial Access
    Note: You can also track privilege abuse (for example, web browsing with a superuser account, or privileges that are granted to users).
Table 11. LDAP/AD/Radius log source and use case examples
Advanced Persistent Threat: Monitor for activities such as brute force logins by malware, lateral movement through the network, or suspicious logins.
Insider Threat: Account takeover by malware
Securing the Cloud: Provide user-to-IP association to help identify cloud users from data that contains only a source IP address.
Incident Response: Visibility into where a user logged in during the incident response process.

Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)


Anti-virus

The following table provides examples of use cases that are affected by anti-virus log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
  • Persistence
  • Initial Access
  • Defense Evasion
Table 12. Anti-virus log source and use case examples
Advanced Persistent Threat: Monitor for activities such as:
  • Endpoint infection reported by anti-virus
  • Viruses that are not cleaned
  • Reinforcement of other suspicious endpoint behavior
Critical Data Protection: Detection of virus outbreaks to prevent movement to servers that contain critical business data.
Incident Response: Visibility into where a specific virus signature was seen.
Compliance: Ensuring up-to-date anti-virus definitions on critical hosts and servers.
Risk and Vulnerability Management: Connections to malicious web domains that indicate a vulnerable host is compromised.

Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)


QRadar Network Insights/Netflow

The following table provides examples of use cases that are affected by QRadar Network Insights/Netflow log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
  • Lateral Movement
  • Discovery
  • Persistence Mechanism
  • Defense Evasion
  • Data Exfiltration
  • Credential Access
  • Command and Control
Table 13. QRadar Network Insights/Netflow log source and use case examples
Advanced Persistent Threat: Monitor for activities such as:
  • Reconnaissance
  • Malicious downloads
  • Lateral movement
  • Phishing
Insider Threat: Phishing detection
Securing the Cloud: Monitor for activities such as:
  • Data exfiltration
  • Expired web certificates
  • Self-signed web certificates
  • Phishing
  • Risky web domain connections
Critical Data Protection: Data can be exfiltrated through many methods. Identify and track suspicious indicators such as:
  • DNS abnormalities
  • Sensitive content
  • Aberrant connections
  • Aliases
Incident Response: Provides a large pool of investigative data for determining the spread of an attack: domain communication, downloaded file hashes, IP addresses that were communicated with, file names, and data volumes transferred.
Compliance: Monitor for critical asset communications (for example, crown-jewel assets that communicate with the open internet).
Risk and Vulnerability Management: Prioritize host vulnerability remediation based on the risk level of the hosts that they communicate with.

Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)


Database logs

The following table provides examples of use cases that are affected by database log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
  • Credential Access
  • Collection
  • Initial Access
  • Discovery
  • Data Exfiltration
  • Privilege Escalation
Table 14. Database log source and use case examples
Insider Threat: Detect unauthorized database access and data theft.
Critical Data Protection: Databases often include sensitive corporate information and require monitoring for most compliance standards. Monitor for unauthorized user permission changes.
Incident Response: Evidence of what data was accessed, and by whom, during a breach.
Compliance: Databases often include sensitive corporate information and require monitoring for most compliance standards.
Risk and Vulnerability Management: Prioritize vulnerabilities on hosts with active databases that potentially contain critical data. Detect default accounts and passwords that are enabled.

Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)


EDR (endpoint detection and response)

The following table provides examples of use cases that are affected by EDR log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
  • Credential Access
  • Privilege Escalation
  • Discovery
Table 15. EDR log source and use case examples
Advanced Persistent Threat: Monitor for activities such as:
  • Compromised endpoints
  • Suspicious endpoint behavior
Incident Response: Rapidly determine the existence of IOCs at endpoints, including hashes and file names.
Risk and Vulnerability Management: Correlate vulnerability information with endpoint data.

Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)


Cloud Infrastructure/Audit (AWS CloudTrail, Azure Event Hubs)

The following table provides examples of use cases that are affected by Cloud Infrastructure/Audit log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
  • Credential Access
  • Privilege Escalation
Table 16. Cloud Infrastructure/Audit log source and use case examples
Advanced Persistent Threat: Multi-vector attacks that impact multiple cloud environments, and cryptojacking (hijacking cloud properties and computing resources for cryptocurrency mining).
Insider Threat: Detection of compromised cloud accounts, escalated role or user privileges, and altered network security group access policies.
Securing the Cloud: Monitor for activities such as:
  • Misconfiguration of S3 buckets and user policies
  • Visibility into cloud environments
  • Enforcing best cloud security practices
  • Continuous monitoring of network interface traffic
Critical Data Protection: Lockdown and isolation of sensitive data repositories.
Compliance: Retention of cloud audit trail logs and ensuring log integrity

Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)


Microsoft Office 365

The following table provides examples of use cases that are affected by Microsoft Office 365 log sources. Data from this type of log source is important for detecting adversarial techniques in the following ATT&CK categories:
  • Initial Access
  • Execution
  • Persistence
Table 17. Office 365 log source and use case examples
Securing the Cloud: Monitor for activities such as:
  • Brute force logins
  • Suspicious logins from multiple locations
  • Logins from blocklisted countries and locations
  • Excessive file access attempts
Incident Response: Evidence of what data was accessed during a breach.
Compliance: Continuous monitoring of file activity and user access.

Find out more about each technique and tactic: ATT&CK Technique matrix (https://attack.mitre.org/wiki/Technique_Matrix)
