SIEM Fundamentals

Intermediate · 30 min · Writeup

Understanding SIEM systems and their role

Learning Objectives

  • Understand SIEM architecture
  • Learn log normalization
  • Know common SIEM platforms
  • Understand correlation rules

A SIEM (Security Information and Event Management) is the central nervous system of a security operations center. It collects logs from everywhere - firewalls, endpoints, servers, applications - normalizes them into a common format, and helps you find the needle in the haystack of millions of events.

Imagine you're a detective and every device in your network keeps its own diary in its own language. The firewall writes in German, Windows speaks English, and your Linux servers journal in French. A SIEM translates all these into one language and helps you search through years of diaries in seconds.

SIEM vs Log Management

Log management just stores logs. SIEM adds correlation, alerting, and analysis. It's the difference between a filing cabinet and a detective with a filing cabinet.

SIEM Core Functions

SIEM Core Capabilities:

1. LOG COLLECTION
 ├── Collect logs from diverse sources
 ├── Agents (installed on endpoints)
 ├── Syslog (network devices)
 ├── API integrations (cloud services)
 └── File-based (read log files)

2. NORMALIZATION
 ├── Convert all logs to common format
 ├── Standardize field names
 ├── Parse different log formats
 └── Enrich with additional context

3. STORAGE
 ├── Index for fast searching
 ├── Retain for compliance periods
 ├── Compress for efficiency
 └── Archive for long-term

4. CORRELATION
 ├── Connect related events
 ├── Detect multi-step attacks
 ├── Link events across sources
 └── Identify patterns

5. ALERTING
 ├── Real-time detection rules
 ├── Threshold-based alerts
 ├── Anomaly detection
 └── Notification workflows

6. DASHBOARDS & REPORTING
 ├── Visual monitoring
 ├── Compliance reports
 ├── Trend analysis
 └── Executive summaries

7. INVESTIGATION
 ├── Search across all logs
 ├── Timeline reconstruction
 ├── Pivot between data sources
 └── Case management

Popular SIEM Solutions

Major SIEM Platforms:

COMMERCIAL
─────────────────────────────────────────────────────────────────
Splunk Enterprise
├── Industry leader, very powerful
├── SPL query language
├── Extensive app ecosystem
├── Cost: $$$$ (licensed by data volume)
└── Best for: Large enterprises

Microsoft Sentinel
├── Cloud-native (Azure)
├── KQL query language
├── Integrates with Microsoft 365
├── Cost: $$$ (pay per GB ingested)
└── Best for: Microsoft environments

IBM QRadar
├── Traditional enterprise SIEM
├── AQL query language
├── Strong compliance features
├── Cost: $$$
└── Best for: Regulated industries

CrowdStrike Falcon LogScale
├── Very fast, handles massive scale
├── Formerly Humio
├── Cost: $$$
└── Best for: High-volume environments

OPEN SOURCE / FREE
─────────────────────────────────────────────────────────────────
Elastic Security (ELK Stack)
├── Elasticsearch + Kibana + Beats
├── KQL/Lucene queries
├── Free tier available
├── Cost: Free (or $$ for features)
└── Best for: Budget-conscious, DIY

Wazuh
├── Open source SIEM + XDR
├── Based on OSSEC
├── Agent-based collection
├── Cost: Free
└── Best for: Small/medium orgs

Graylog
├── Log management + SIEM features
├── Open source core
├── Cost: Free (or $$ for enterprise)
└── Best for: Log-focused use cases

Security Onion
├── Network security monitor + SIEM
├── Includes Zeek, Suricata, Elastic
├── Cost: Free
└── Best for: Network-centric defense

Start Small

Don't try to ingest everything on day one. Start with critical sources: firewalls, authentication logs, endpoint detection. Add more as your processes mature.

Essential Log Sources

Priority Log Sources for SIEM:

TIER 1 - MUST HAVE (Deploy First)
─────────────────────────────────────────────────────────────────
Authentication
├── Active Directory / Domain Controllers
├── VPN authentication
├── SSO / Identity Providers
└── Key for: Credential attacks, lateral movement

Perimeter Security
├── Firewall logs
├── Web proxy logs
├── IDS/IPS alerts
└── Key for: Initial access, C2 detection

Endpoint Detection
├── EDR alerts and telemetry
├── Antivirus events
└── Key for: Malware, suspicious behavior

TIER 2 - HIGH VALUE (Deploy Second)
─────────────────────────────────────────────────────────────────
Windows Event Logs
├── Security (4624, 4625, 4688, etc.)
├── PowerShell (4103, 4104)
├── Sysmon (if deployed)
└── Key for: Detailed host activity

DNS Logs
├── DNS server query logs
├── DNS proxy logs
└── Key for: C2 detection, tunneling

Email Security
├── Email gateway logs
├── Phishing alerts
└── Key for: Initial access detection

TIER 3 - VALUABLE (Deploy As Able)
─────────────────────────────────────────────────────────────────
Application Logs
├── Web server access/error logs
├── Database audit logs
└── Custom application logs

Cloud Logs
├── AWS CloudTrail
├── Azure Activity Log
└── GCP Audit Logs

Network
├── NetFlow/IPFIX
└── Network device syslogs

Log Normalization

Log Normalization - Why It Matters:

BEFORE NORMALIZATION (Different formats)
─────────────────────────────────────────────────────────────────
Windows Security Log:
EventID=4624, TargetUserName=admin, IpAddress=192.168.1.50

Linux auth.log:
Jul 15 14:22:01 server sshd[1234]: Accepted publickey for admin from 192.168.1.50

Firewall log:
2024-07-15T14:22:01Z ACCEPT src=192.168.1.50 dst=10.0.0.1 user=admin

AFTER NORMALIZATION (Common format)
─────────────────────────────────────────────────────────────────
{
  "timestamp": "2024-07-15T14:22:01Z",
  "event_type": "authentication",
  "action": "success",
  "user": "admin",
  "src_ip": "192.168.1.50",
  "dst_ip": "10.0.0.1",
  "source": "windows_security | linux_auth | firewall"
}

Now you can search across ALL sources:
 user="admin" AND src_ip="192.168.1.50"
 → Returns matches from Windows, Linux, and firewall!

Common Data Models:
─────────────────────────────────────────────────────────────────
├── Elastic Common Schema (ECS)
├── Splunk Common Information Model (CIM)
├── Open Cybersecurity Schema Framework (OCSF)
└── Custom models per organization
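The three raw formats above, normalized into the common schema and then searched with one query, as an added example in Python (this is not code from the original writeup or from any SIEM product). The sample records are constructed, the field names follow the JSON above, the syslog year is assumed to be 2024 because syslog lines carry none, and an event whose source gives no timestamp falls back to the collector's receipt time, a design choice of this example:

```python
import re
from datetime import datetime, timezone

# Constructed sample records: (source, collector receipt time, raw line).
# The first three mirror the three formats in the section above.
RAW_EVENTS = [
    ("windows_security", "2024-07-15T14:22:01Z",
     "EventID=4624, TargetUserName=admin, IpAddress=192.168.1.50"),
    ("linux_auth", "2024-07-15T14:22:02Z",
     "Jul 15 14:22:01 server sshd[1234]: Accepted publickey for admin from 192.168.1.50"),
    ("firewall", "2024-07-15T14:22:01Z",
     "2024-07-15T14:22:01Z ACCEPT src=192.168.1.50 dst=10.0.0.1 user=admin"),
    ("windows_security", "2024-07-15T14:25:40Z",
     "EventID=4625, TargetUserName=admin, IpAddress=203.0.113.9"),
    ("linux_auth", "2024-07-15T14:26:11Z",
     "Jul 15 14:26:10 server sshd[1300]: Failed password for root from 203.0.113.9"),
]

SYSLOG_YEAR = 2024  # assumption: classic syslog timestamps carry no year


def parse_windows(line):
    # "Key=Value, Key=Value" pairs; 4624 = logon success, 4625 = logon failure
    fields = dict(kv.strip().split("=", 1) for kv in line.split(","))
    return {
        "event_type": "authentication",
        "action": "success" if fields.get("EventID") == "4624" else "failure",
        "user": fields.get("TargetUserName"),
        "src_ip": fields.get("IpAddress"),
    }


LINUX_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_linux(line):
    m = LINUX_RE.match(line)
    if not m:
        return None  # unknown sshd message shape: let the caller flag it
    ts = datetime.strptime(
        f"{SYSLOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=timezone.utc)
    return {
        "timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "event_type": "authentication",
        "action": "success" if m["result"] == "Accepted" else "failure",
        "user": m["user"],
        "src_ip": m["ip"],
    }


def parse_firewall(line):
    # "<iso-timestamp> <VERDICT> key=value ..."
    ts, verdict, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {
        "timestamp": ts,
        "event_type": "authentication" if "user" in fields else "network",
        "action": "success" if verdict == "ACCEPT" else "failure",
        "user": fields.get("user"),
        "src_ip": fields.get("src"),
        "dst_ip": fields.get("dst"),
    }


PARSERS = {"windows_security": parse_windows, "linux_auth": parse_linux, "firewall": parse_firewall}
COMMON_FIELDS = ("timestamp", "event_type", "action", "user", "src_ip", "dst_ip", "source")


def normalize(source, received_at, line):
    """Map one raw line onto the common schema; unparsed lines are kept, marked parse_error."""
    parsed = PARSERS[source](line)
    if parsed is None:
        return {"timestamp": received_at, "source": source, "raw": line, "parse_error": True}
    event = {field: parsed.get(field) for field in COMMON_FIELDS}
    event["timestamp"] = parsed.get("timestamp") or received_at  # fall back to collector time
    event["source"] = source
    return event


def normalize_all(raw_events):
    return [normalize(*record) for record in raw_events]


def search(events, **criteria):
    """Field=value search over every source, e.g. search(events, user="admin", src_ip="...")."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


if __name__ == "__main__":
    events = normalize_all(RAW_EVENTS)
    for hit in search(events, user="admin", src_ip="192.168.1.50"):
        print(hit["source"], hit["timestamp"], hit["action"])
```

Unparsed lines are deliberately kept rather than dropped and tagged with `parse_error`, so a search for parse failures shows which sources need a better parser; silently discarding them is how a SIEM turns into the "expensive log storage" the next note warns about.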

Garbage In, Garbage Out

If logs aren't parsed correctly, searches won't work. Spend time on normalization and field extraction. A SIEM with bad parsing is just an expensive log storage system.

Correlation Rules

Correlation - Connecting the Dots:

WHAT IS CORRELATION?
─────────────────────────────────────────────────────────────────
Single event: "Failed login for user admin"
 → Could be typo, could be attack

Correlated events: "50 failed logins for admin, then success"
 → Brute force attack succeeded!

CORRELATION RULE EXAMPLES
─────────────────────────────────────────────────────────────────
Rule: Brute Force Detection
├── Condition: > 10 failed logins
├── Grouped by: src_ip AND target_user
├── Time window: 5 minutes
├── Then check: Successful login follows?
└── Alert: "Possible brute force - investigate"

Rule: Lateral Movement
├── Event 1: User authenticates from Workstation A
├── Event 2: Same user authenticates to Server B (type 3)
├── Event 3: Same user runs command on Server B
├── Time window: 15 minutes
└── Alert: "Potential lateral movement chain"

Rule: Data Exfiltration
├── Event 1: Large DNS TXT queries (>100 bytes)
├── Grouped by: src_ip
├── Volume: > 50 queries in 10 minutes
└── Alert: "Possible DNS tunneling/exfiltration"

Rule: Malware Execution Chain
├── Event 1: Email attachment opened
├── Event 2: PowerShell spawned from Office process
├── Event 3: Network connection to external IP
├── Time window: 5 minutes
└── Alert: "Possible malware infection from email"

CORRELATION TECHNIQUES
─────────────────────────────────────────────────────────────────
Threshold: Count exceeds limit
Sequence: Events in specific order
Aggregation: Group similar events
Anomaly: Deviation from baseline
Join: Combine data from multiple sources
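The "Brute Force Detection" rule above, implemented as a threshold rule with a sequence follow-up, as an added example in Python (not code from the original writeup or from any SIEM). It consumes normalized events in the schema from the normalization section, keeps a sliding 5-minute window of failures per (src_ip, user), raises the alert once failures exceed 10, and escalates the same alert if a success for that pair arrives within the window. The events are constructed, and the severity labels and the choice to reuse the 5-minute window for the follow-up check are assumptions of this example:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

THRESHOLD = 10                 # alert when failures exceed this ...
WINDOW = timedelta(minutes=5)  # ... within this sliding window; also the follow-up window


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def make_events():
    """Constructed normalized authentication events (not real logs)."""
    base = parse_ts("2024-07-15T14:20:00Z")
    events = []
    # 12 failures, one every 10 seconds, then a success: the pattern the rule targets.
    for i in range(12):
        events.append({"timestamp": base + timedelta(seconds=10 * i), "action": "failure",
                       "user": "admin", "src_ip": "203.0.113.9", "source": "windows_security"})
    events.append({"timestamp": base + timedelta(seconds=130), "action": "success",
                   "user": "admin", "src_ip": "203.0.113.9", "source": "windows_security"})
    # Benign noise: a few typos from another host, then an ordinary login.
    for i in range(3):
        events.append({"timestamp": base + timedelta(seconds=5 + 30 * i), "action": "failure",
                       "user": "alice", "src_ip": "198.51.100.7", "source": "linux_auth"})
    events.append({"timestamp": base + timedelta(seconds=100), "action": "success",
                   "user": "alice", "src_ip": "198.51.100.7", "source": "linux_auth"})
    return sorted(events, key=lambda e: e["timestamp"])


def brute_force_rule(events, threshold=THRESHOLD, window=WINDOW):
    """Threshold + sequence rule: more than `threshold` failures per (src_ip, user)
    inside `window`; escalate if a success for the same pair follows within `window`."""
    recent_failures = defaultdict(deque)  # (src_ip, user) -> failure timestamps in window
    open_alerts = {}                      # (src_ip, user) -> alert awaiting a follow-up success
    alerts = []
    for e in events:                      # events must arrive in time order
        key = (e["src_ip"], e["user"])
        ts = e["timestamp"]
        if e["action"] == "failure":
            q = recent_failures[key]
            q.append(ts)
            while ts - q[0] > window:     # slide the window forward
                q.popleft()
            if key in open_alerts and ts - open_alerts[key]["crossed_at"] > window:
                del open_alerts[key]      # follow-up window expired; a fresh alert may fire
            if len(q) > threshold and key not in open_alerts:
                alert = {"rule": "Possible brute force - investigate", "severity": "medium",
                         "src_ip": key[0], "user": key[1], "failures": len(q),
                         "first_failure": q[0], "crossed_at": ts, "success_after": False}
                open_alerts[key] = alert
                alerts.append(alert)
        elif e["action"] == "success" and key in open_alerts:
            alert = open_alerts.pop(key)
            if ts - alert["crossed_at"] <= window:
                alert["success_after"] = True
                alert["severity"] = "high"  # the brute force appears to have succeeded
    return alerts


if __name__ == "__main__":
    for a in brute_force_rule(make_events()):
        print(a["severity"], a["rule"], a["src_ip"], a["user"], a["failures"], a["success_after"])
```

Grouping by both `src_ip` and `user` is what keeps the three typos from `alice` out of the count for `admin`; dropping either field from the key is a common source of false positives in this rule, and raising the threshold alone does not fix it.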

Detection Use Cases

Common SIEM Detection Use Cases:

AUTHENTICATION ATTACKS
─────────────────────────────────────────────────────────────────
UC-001: Brute Force Login
├── Multiple failed logins from same source
├── Threshold: >10 failures in 5 minutes
└── Sources: AD, VPN, application logs

UC-002: Credential Stuffing
├── Failed logins across multiple accounts from same source
├── Pattern: Different users, same source IP
└── Sources: AD, web application logs

UC-003: Impossible Travel
├── User logs in from two geographic locations
├── Time between logins < travel time
└── Sources: VPN, cloud identity logs

MALWARE / C2
─────────────────────────────────────────────────────────────────
UC-010: Known Malicious IP/Domain
├── Connection to threat intel IOC
└── Sources: Firewall, proxy, DNS, EDR

UC-011: Beaconing Detection
├── Regular interval connections to same destination
└── Sources: Firewall, proxy, NetFlow

UC-012: DNS Tunneling
├── High volume DNS queries or large TXT records
└── Sources: DNS logs, network monitor

PRIVILEGE ESCALATION
─────────────────────────────────────────────────────────────────
UC-020: New Admin Account
├── User added to Domain Admins or local admin
└── Sources: AD logs (4728, 4732)

UC-021: Sensitive Group Changes
├── Changes to high-privilege groups
└── Sources: AD logs

DATA EXFILTRATION
─────────────────────────────────────────────────────────────────
UC-030: Large Outbound Transfer
├── Unusual data volume to external destination
└── Sources: Proxy, firewall, DLP

UC-031: Upload to Cloud Storage
├── Connections to file-sharing services
├── Combined with: User risk indicators
└── Sources: Proxy, CASB
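UC-011 (Beaconing Detection) is the use case here that is least obvious to turn into a query, so as an added example (not code from the original writeup or any SIEM product) here is the core of it in Python: group outbound connections by (src_ip, dst_ip), compute the gaps between consecutive connections, and flag pairs whose gaps are too regular, measured by the coefficient of variation (standard deviation divided by mean). The connection records are constructed, and the minimum of 10 connections and the 0.15 cutoff are assumed tuning values that a real deployment would set from its own baseline:

```python
import statistics
from collections import defaultdict

MIN_CONNECTIONS = 10  # fewer connections than this is too little to judge regularity
MAX_CV = 0.15         # coefficient of variation of the gaps; assumed tuning value


def make_connections():
    """Constructed outbound connection records: src_ip, dst_ip, ts (epoch seconds)."""
    rows = []
    jitter = [0, 1, -1, 2]
    # A host checking in about every 60 s with small jitter: the beacon pattern.
    for i in range(20):
        rows.append({"src_ip": "10.0.0.25", "dst_ip": "198.51.100.20", "ts": 60 * i + jitter[i % 4]})
    # The same host browsing a site with irregular, human-shaped gaps.
    t = 0
    for gap in [5, 120, 3, 900, 45, 2, 300, 7, 60, 1500, 8, 33]:
        t += gap
        rows.append({"src_ip": "10.0.0.25", "dst_ip": "192.0.2.80", "ts": t})
    # Another host with too few connections to judge.
    for i in range(5):
        rows.append({"src_ip": "10.0.0.31", "dst_ip": "192.0.2.81", "ts": 300 * i})
    return rows


def beaconing_candidates(connections, min_connections=MIN_CONNECTIONS, max_cv=MAX_CV):
    """Flag (src_ip, dst_ip) pairs whose inter-connection gaps are suspiciously regular."""
    by_pair = defaultdict(list)
    for c in connections:
        by_pair[(c["src_ip"], c["dst_ip"])].append(c["ts"])
    candidates = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = statistics.pstdev(gaps) / mean  # 0 would be perfectly periodic
        if cv <= max_cv:
            candidates.append({"src_ip": src, "dst_ip": dst, "connections": len(times),
                               "mean_interval_s": round(mean, 1), "cv": round(cv, 3)})
    return candidates


if __name__ == "__main__":
    for c in beaconing_candidates(make_connections()):
        print(c)
```

Expect legitimate periodic traffic (update checks, monitoring agents, NTP) to score just as regular as a beacon; in practice the candidate list is filtered against known-good destinations and enriched with the threat intel lookups of UC-010 before it becomes an alert.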

SIEM Implementation

SIEM Implementation Phases:

PHASE 1: PLANNING (2-4 weeks)
─────────────────────────────────────────────────────────────────
├── Define objectives and use cases
├── Identify log sources (priority list)
├── Size infrastructure (storage, compute)
├── Plan network architecture (collectors, forwarders)
└── Define retention requirements

PHASE 2: DEPLOYMENT (4-8 weeks)
─────────────────────────────────────────────────────────────────
├── Install SIEM platform
├── Deploy log collectors/agents
├── Configure log forwarding
├── Set up index/storage
└── Test log ingestion

PHASE 3: CONTENT DEVELOPMENT (Ongoing)
─────────────────────────────────────────────────────────────────
├── Create parsers for each log source
├── Normalize to common data model
├── Build detection rules
├── Develop dashboards
└── Create reports

PHASE 4: OPERATIONALIZATION (Ongoing)
─────────────────────────────────────────────────────────────────
├── Train SOC analysts
├── Develop response playbooks
├── Tune rules (reduce false positives)
├── Integrate with ticketing
└── Continuous improvement

Common Mistakes:
─────────────────────────────────────────────────────────────────
❌ Ingesting everything immediately (data overload)
❌ No use cases defined (alerts without purpose)
❌ Ignoring normalization (can't search properly)
❌ No tuning (alert fatigue)
❌ No documentation (knowledge silos)

SIEM Operations Methodology

Daily SIEM Operations

1. Monitor: Review dashboards for alert volume and trends
2. Triage: Assess new alerts, prioritize investigation
3. Investigate: Dig into suspicious alerts using searches
4. Respond: Take action on confirmed threats
5. Document: Record findings and actions taken
6. Tune: Adjust rules to reduce false positives

Knowledge Check

Quick Quiz
Question 1 of 3

What is the primary purpose of log normalization in a SIEM?

Challenges

Design a Correlation Rule

Challenge (intermediate)

Design a correlation rule to detect potential credential stuffing attacks. Consider: what events to correlate, what thresholds, what time window, and what fields to group by.


Key Takeaways

  • SIEM collects, normalizes, correlates, and alerts on security events
  • Normalization is critical - enables searching across all log sources
  • Correlation connects related events to detect attack patterns
  • Start with priority sources: authentication, perimeter, endpoints
  • Detection use cases drive what rules to build
  • Tuning is ongoing - reduce false positives to combat alert fatigue