SIEM Overview

Security Information and Event Management

Contents

  1. What is SIEM?
  2. Data Pipeline
  3. Correlation
  4. Quiz

What is SIEM?

Security Information and Event Management (SIEM) combines two capabilities:

  • SIM (Security Information Management): Long-term storage and analysis of log data
  • SEM (Security Event Management): Real-time monitoring, correlation, and alerting

Modern SIEMs aggregate logs from across the enterprise, normalize them into a common format, and apply rules to detect threats.

Why SIEM Matters

Without SIEM, analysts would need to manually check dozens of systems. SIEM provides a "single pane of glass" for security visibility.

Popular SIEM Solutions

Solution             Type                      Strength
Splunk               Commercial                Powerful SPL query language, extensive integrations
Microsoft Sentinel   Cloud-native              Azure integration, built-in SOAR, ML detection
Elastic Security     Open source + commercial  Scalable, ELK stack integration, free tier
QRadar               Commercial                Strong correlation, network flow analysis
Wazuh                Open source               Free, HIDS integration, compliance modules

Your First Day in the SIEM

When you start as a Tier 1 SOC analyst, the SIEM is your primary workspace. Here is what a typical shift looks like:

1. Check the Dashboard

Review open alerts sorted by severity. Check alert volume — is today normal or is there a spike? Note any alerts assigned to you from the previous shift.

2. Triage Alerts

For each alert: read the rule that fired, check source/destination, look at the raw logs, determine true positive vs false positive. Document your finding.

3. Investigate

For confirmed true positives: pivot on the source IP across all log sources. Check if the same IP triggered other alerts. Build a timeline. Determine scope.

4. Escalate or Close

If you can handle it, contain and document. If it exceeds your scope, escalate to Tier 2 with your findings, timeline, and recommended next steps.

Common SIEM Search Patterns

Splunk (SPL), denied firewall traffic from one host, counted per destination:
  index=firewall src_ip="10.0.5.102" action=deny | stats count by dest_ip
Microsoft Sentinel (Kusto Query Language), failed Windows logons (Event ID 4625) counted per target account:
  SecurityEvent | where EventID == 4625 | summarize count() by TargetAccount
Elastic Security (Kibana Query Language), denied events from one source address:
  event.action:"denied" AND source.ip:"10.0.5.102"

SIEM Data Pipeline

Data flows through a SIEM in five stages:

  • Collection: log sources (hosts, firewalls, cloud services) forward events to the SIEM
  • Parsing: each source's raw text is split into fields
  • Normalization: fields are mapped onto a common schema so different sources can be queried together
  • Correlation: rules relate events across sources and time
  • Alerting: a matched rule raises an alert into the analyst queue

SIEM Correlation in Action

Correlation is the SIEM's superpower — connecting related events across systems to identify attacks. Here's an example:

Scenario: Detecting a Password Spray Attack

A password spray tries one or a few passwords against many accounts, so the signature is one source IP, one failure per account, and then a success. The SIEM receives these events from different sources:

[10:15:01] auth.log | Failed login for user 'jsmith' from 192.168.1.50
[10:15:02] auth.log | Failed login for user 'mjones' from 192.168.1.50
[10:15:03] auth.log | Failed login for user 'twilliams' from 192.168.1.50
[10:15:04] auth.log | Successful login for user 'admin' from 192.168.1.50
[10:15:30] firewall.log | 192.168.1.50 → 10.0.0.5:445 (SMB connection)

SIEM Alert: Password Spray Attack Detected

Rule triggered: 3 or more failed logins followed by a successful login from the same IP within 60 seconds

Risk: High — the attacker may have compromised the 'admin' account

Action: Investigate 192.168.1.50, review all 'admin' activity after 10:15:04, check what was accessed on the SMB destination 10.0.0.5

Correlation Types

  • Time-based: Events within a time window
  • Threshold-based: Count exceeds limit (e.g., >5 failed logins)
  • Sequence-based: Events in specific order (failed → success)
  • Statistical: Deviation from baseline behavior
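The following is an added example, not code from the course page or from any SIEM product. It runs the page's five pipeline stages over the scenario's log lines and implements the page's rule as a combination of three of the correlation types above (time window, threshold, sequence), then performs the source-IP pivot from the shift walkthrough to attach the follow-on SMB connection to the alert. It goes one step beyond the page by distinguishing a spray (many accounts) from a brute-force attempt (one account hammered). The normalized field names, the regexes, and that spray/brute-force split are assumptions made for this example; the log lines are the constructed sample from the scenario.

```python
"""Toy SIEM pipeline for the course's password-spray scenario.

Added example, not code from the course page or from any SIEM product.
Field names of the normalized schema and the spray-vs-brute-force
classification are assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- 1. Collection: raw lines as received from two log sources (constructed
# sample input, copied from the scenario on the page) -------------------------
RAW_EVENTS = [
    "[10:15:01] auth.log | Failed login for user 'jsmith' from 192.168.1.50",
    "[10:15:02] auth.log | Failed login for user 'mjones' from 192.168.1.50",
    "[10:15:03] auth.log | Failed login for user 'twilliams' from 192.168.1.50",
    "[10:15:04] auth.log | Successful login for user 'admin' from 192.168.1.50",
    "[10:15:30] firewall.log | 192.168.1.50 → 10.0.0.5:445 (SMB connection)",
]

# --- 2. Parsing: one regex per source format (assumed formats) ---------------
AUTH_RE = re.compile(
    r"^\[(?P<ts>\d\d:\d\d:\d\d)\] auth\.log \| (?P<outcome>Failed|Successful) "
    r"login for user '(?P<user>[^']+)' from (?P<ip>[\d.]+)$"
)
FW_RE = re.compile(
    r"^\[(?P<ts>\d\d:\d\d:\d\d)\] firewall\.log \| (?P<src>[\d.]+) (?:→|->) "
    r"(?P<dst>[\d.]+):(?P<port>\d+) \((?P<desc>[^)]*)\)$"
)

# --- 3. Normalization: both sources mapped onto one schema (assumed names) ---
def normalize(line):
    """Return a dict with common field names, or None if the line is unparsed."""
    if m := AUTH_RE.match(line):
        return {"ts": datetime.strptime(m["ts"], "%H:%M:%S"), "source": "auth",
                "src_ip": m["ip"], "user": m["user"],
                "outcome": "failure" if m["outcome"] == "Failed" else "success"}
    if m := FW_RE.match(line):
        return {"ts": datetime.strptime(m["ts"], "%H:%M:%S"), "source": "firewall",
                "src_ip": m["src"], "dst_ip": m["dst"], "dst_port": int(m["port"]),
                "outcome": "allowed"}
    return None  # a real SIEM keeps unparsed lines raw and counts them

# --- 4. Correlation: the page's rule, 3+ failures then a success from one IP
# within 60 s (time window + threshold + sequence) ----------------------------
WINDOW = timedelta(seconds=60)
FAIL_THRESHOLD = 3

def correlate(events):
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])  # logs may arrive out of order
        auth = [e for e in evs if e["source"] == "auth"]
        for i, succ in enumerate(auth):
            if succ["outcome"] != "success":
                continue
            # Sequence: only failures that precede this success count;
            # time: only those inside the window before it.
            prior = [f for f in auth[:i]
                     if f["outcome"] == "failure" and succ["ts"] - f["ts"] <= WINDOW]
            if len(prior) < FAIL_THRESHOLD:  # threshold
                continue
            users = sorted({f["user"] for f in prior})
            # Assumed refinement: many accounts from one IP is a spray; one
            # account hit repeatedly is a brute-force attempt.
            rule = ("Password Spray Attack Detected" if len(users) >= FAIL_THRESHOLD
                    else "Brute Force Login Detected")
            # Pivot on the source IP: what did it connect to after the success?
            follow_on = [f"{x['dst_ip']}:{x['dst_port']}" for x in evs
                         if x["source"] == "firewall"
                         and timedelta(0) <= x["ts"] - succ["ts"] <= WINDOW]
            alerts.append({"rule": rule, "src_ip": ip, "risk": "High",
                           "compromised_user": succ["user"],
                           "failed_users": users, "follow_on": follow_on})
    return alerts

# --- 5. Alerting -------------------------------------------------------------
def run_pipeline(lines):
    events = [e for e in map(normalize, lines) if e is not None]
    return correlate(events)

if __name__ == "__main__":
    for a in run_pipeline(RAW_EVENTS):
        print(f"SIEM Alert: {a['rule']} (risk {a['risk']})")
        print(f"  {a['src_ip']} failed logins for {a['failed_users']}, "
              f"then logged in as '{a['compromised_user']}'")
        print(f"  follow-on connections: {a['follow_on'] or 'none'}")
```

Note that the rule counts only failures that fall inside the window before the success; failures two minutes old are ignored, and a success with fewer than three preceding failures never fires. In a production SIEM the same logic would be expressed as a rule over the normalized fields rather than in application code, but the ordering, window and threshold checks are the same.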

SIEM Overview Quiz

Test your understanding. You need 80% (4/5) to pass.

Q1. What does "SIM" stand for in SIEM?
  a) Security Incident Management
  b) System Integration Module
  c) Security Information Management
  d) Secure Identity Management

Q2. Which SIEM pipeline stage converts logs to a common format?
  a) Collection
  b) Normalization
  c) Correlation
  d) Alerting

Q3. A rule triggers when >5 failed logins occur within 1 minute. This is what type of correlation?
  a) Threshold-based
  b) Sequence-based
  c) Statistical
  d) Geographic

Q4. Which is NOT a common SIEM solution?
  a) Splunk
  b) Microsoft Sentinel
  c) Elastic Security
  d) Nessus

Q5. What is the primary benefit of SIEM for SOC analysts?
  a) Automatic patching of vulnerabilities
  b) Single pane of glass for security visibility
  c) Replacing the need for firewalls
  d) Managing user passwords
