πŸ› οΈ What is SIEM?

SIEM is a platform that collects, aggregates, and analyzes security data from across an organization’s digital environment.

πŸ” Core Functions of a SIEM:

  • Log Aggregation: Collects logs from firewalls, servers, applications, and endpoints.
  • Event Correlation: Connects related events across multiple sources.
  • Alerting: Triggers alerts when suspicious patterns are detected.
  • Visualization: Offers dashboards for monitoring and investigation.
  • Forensics Support: Helps during incident investigations.

📋 Common SIEM Tools

Tool            Description
🔷 Splunk       Enterprise-grade log platform; Splunk Enterprise Security adds SIEM analytics and ML-based detections.
⚙️ ELK Stack    Elastic's suite (Elasticsearch, Logstash, Kibana), free to run; Elastic Security adds SIEM detection rules on top.
🧠 IBM QRadar   Used by large enterprises; strong correlation engine.
🧰 Graylog      Lightweight and user-friendly; good for learning.

Each of these platforms helps SOC Analysts turn raw log data into actionable insights.


📂 What is Log Analysis?

Log Analysis is the process of reviewing system-generated log entries to detect anomalies, attacks, or errors. It’s a critical part of incident detection and response.

🗂️ Typical Log Sources:

  • 🔐 Firewall Logs
  • 🧱 IDS/IPS Logs
  • 💻 Windows Event Logs
  • 🐧 Linux Syslogs
  • 🌐 Web Server Logs (e.g., Apache, Nginx)
  • 👥 Authentication & Login Logs

πŸ§‘β€πŸ’» How SOC Analysts Use SIEM for Log Analysis

SOC Analysts interact with SIEM platforms to:

  1. πŸ“ˆ Monitor systems in real-time
  2. πŸ”Ž Search logs using queries (e.g., Splunk SPL, Kibana KQL)
  3. 🧩 Correlate events to find attack patterns
  4. πŸ§ͺ Investigate incidents with supporting evidence
  5. 🧠 Improve detection rules based on findings

🧪 Sample Query (Splunk)

index=windows sourcetype=WinEventLog:Security EventCode=4625
| bin _time span=10m
| stats count by _time, host, Account_Name
| where count > 5

🔍 This Splunk SPL query counts failed logon attempts (EventCode 4625) per 10-minute bucket, host, and account, and keeps only groups with more than 5 failures, a common sign of password guessing or brute-force attacks. The `bin` step matters: grouping by the raw `_time` value would give nearly every event its own group, so the threshold would never fire. Two caveats for real data: a 4625 event carries two Account Name values (the subject and the account that failed to log on), so check which one your field extraction surfaces, and tune the span and threshold to your environment's normal rate of typos and lockouts.

✅ Summary ✅ SIEM provides the intelligence. ✅ Logs provide the evidence. ✅ You, the SOC Analyst, provide the expertise.

Mastering SIEM and log analysis is a foundational skill for any SOC Analyst. By understanding what’s happening across your systems, you can detect threats faster, respond more effectively, and protect your organization from cyber attacks.

🚀 What’s Next? In the next article, we’ll explore real-world log examples and show how to investigate potential attacks using SIEM tools.

Stay tuned, blue teamer! 🧒🛡️