
Use case framework - describe threat scenarios independently of the product
In today's digital landscape, where cyber threats are constantly on the rise, it is essential for organisations to implement effective security measures. Particularly in the area of security monitoring and incident response services, it is important to first clearly define and establish the monitoring objectives. ConSecur recommends establishing a use case framework, which plays a central role in connecting log sources and developing the SIEM rules.
Why do I need a use case framework?
A well-structured use case framework is crucial for the success of a cyber defence centre (CDC). Alongside the right analysis tools and the staff, an effective and efficient correlation logic is particularly important. That correlation logic starts with deriving and formally describing the development methodology, and rests on key aspects that ensure that SIEM use cases:
- are threat-orientated
- cover the IT environment holistically
- can be processed by the SIEM solution
In order to fulfil these requirements, ConSecur recommends establishing and implementing a SIEM use case framework that is built on the aspects above. This framework ensures that:
- use cases can be developed independently of the SIEM solution in use
- the "translation" of the formal use case into the SIEM-specific correlation logic is simplified ("build once - use many")
- the defined use cases support the company's compliance requirements
- use cases can be adapted flexibly to the current threat situation
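To make "build once - use many" concrete, here is an added example (not ConSecur's framework and not any vendor's real query syntax) of one SIEM-neutral use case compiled into two constructed SIEM dialects; the use case schema, the field mappings and both dialects are assumptions for illustration.

```python
"""Added example (not ConSecur's framework): a SIEM-neutral use case
compiled into two SIEM-specific query dialects, "build once - use many".
The schema, the field mappings and both query syntaxes are constructed."""
from dataclasses import dataclass

@dataclass
class UseCase:
    name: str
    threat: str            # threat the use case is oriented at
    log_source: str        # SIEM-neutral log source, mapped per backend
    conditions: dict       # neutral field -> value or list of alternatives
    compliance: tuple = () # compliance requirements this use case supports

# Per-SIEM translation tables (hypothetical dialects, not real vendor syntax).
BACKENDS = {
    "siem_a": {"sources": {"windows_security": "source=winsec"},
               "fields": {"event_id": "EventCode", "user": "TargetUser"},
               "where": " ", "eq": "{f}={v}", "and": " ", "or": " OR "},
    "siem_b": {"sources": {"windows_security": "WinSecurity"},
               "fields": {"event_id": "EventID", "user": "Account"},
               "where": " | where ", "eq": "{f} == {v}", "and": " and ", "or": " or "},
}

def _quote(value: str) -> str:
    # Escape backslashes and quotes so a value can never break out of the
    # string literal and alter the generated correlation logic.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def compile_use_case(uc: UseCase, backend: str) -> str:
    """Translate one formal use case into the query syntax of `backend`.
    Unmapped log sources or fields raise instead of silently producing a
    rule that matches nothing."""
    b = BACKENDS[backend]
    if uc.log_source not in b["sources"]:
        raise ValueError(f"{backend}: no mapping for log source {uc.log_source!r}")
    clauses = []
    for neutral, expected in uc.conditions.items():
        if neutral not in b["fields"]:
            raise ValueError(f"{backend}: no mapping for field {neutral!r}")
        values = expected if isinstance(expected, (list, tuple)) else [expected]
        alts = [b["eq"].format(f=b["fields"][neutral], v=_quote(str(v))) for v in values]
        clauses.append(alts[0] if len(alts) == 1 else "(" + b["or"].join(alts) + ")")
    return b["sources"][uc.log_source] + b["where"] + b["and"].join(clauses)

# Constructed sample use case: failed logons against privileged accounts.
FAILED_PRIV_LOGON = UseCase(
    name="failed privileged logon", threat="credential access",
    log_source="windows_security",
    conditions={"event_id": "4625", "user": ["Administrator", "root"]},
    compliance=("access control",),
)
```

Because the translation fails loudly on an unmapped source or field, a use case is never deployed as a rule that silently matches nothing on one SIEM while working on another.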
Another advantage of the SIEM use case framework is that it shapes the high-level descriptions of the rule set so that they provide the necessary transparency and comprehensibility outside the Cyber Defence Centre. Clear, comprehensible processes and an unambiguous allocation of roles help those responsible to make well-founded decisions, based on increased visibility of the threat situation and a clear statement of what information security requires.
