RSA Admin

25 or so Starter Use Cases for Monitoring

Discussion created by RSA Admin Employee on Sep 6, 2012
Latest reply on Sep 28, 2012 by RSA Admin

Informer is the best way to automate queries to look for things that concern you.  And the things that concern you are also known as use cases.  Here is a list of 25 or so use cases that every organization should implement.


Uncontrolled Overt Encrypted Channels

  • Ssh outbound to organizations
  • SSH outbound to home computers
  • SSL to gmail, yahoo, other webmail
  • SSL to dropboxes
  • SSL to backup storage sites

Unknown Covert Encrypted Channels

  • Unusual ssl to foreign countries
  • SSL to threat sources
  • SSL over unusual ports
  • Icmp tunnels
  • Tor usage


  • Bittorrent/gnutella
  • Ftp to warez/drop box sites

Passive Vulnerability Awareness

  • Out of date OS
  • Out of date Browsers
  • Bad java versions
  • Bad flash versions


  • Security tools download
  • Clear text passwords
  • Confidential keyword detection (DLP)
  • Snort integration
  • Top subjects in email to detect phishing
  • Protocol anamolies
  • Exfiltration via photography
  • Tuning Reports
  • Analysis of Service Type Other
  • Custom Feed Integration
  • Bandwidth monitoring to partners
  • Email attachment visualization


If you'd like to know how to integrate any of these and are stuck trying to configure your own Informer box, let us know.  And feel free to share some of your own use cases!