Skip to main content

Intro to SIEM

Shubham
Cybersecurity Enthusiast

1. System Overview

A SIEM (Security Information and Event Management) is the central nervous system of the SOC. Without a SIEM, an analyst has to manually check the logs of every single device (Firewall, Server, Laptop). With a SIEM, all those logs are sent to one place, translated into one language, and checked automatically for threats.

  • Host-Centric Logs: Events from within a single device (e.g., User Login, File Access).
  • Network-Centric Logs: Events about traffic between devices (e.g., VPN connections, Firewall Allows/Denies).

2. The Data Pipeline (Architecture)

The SIEM works in stages. Understanding this pipeline is key to debugging why an alert didn't fire.

  1. Ingestion (Collection):
    • Getting logs off the device and into the SIEM.
    • Methods: Agents (Forwarders), Syslog (for network gear), or Manual Uploads.
    • Key Location (Linux): /var/log/httpd (Apache Web Logs).
  2. Normalization:
    • Every device speaks a different language. A Windows log says "Event ID 4624" (Login). A Linux log says "Accepted password for...".
    • Normalization translates both to a standard field: Action: User_Login.
  3. Correlation (The Brain):
    • The SIEM links events together.
    • Example: "VPN Login from Russia" + "File Download" = Suspicious.
  4. Visualization:
    • Dashboards showing trends (e.g., "Top 10 Failed Logins").

3. Correlation Rules (The Logic)

A SIEM doesn't "know" what a hack looks like. You have to teach it using Rules.

  • The Logic: IF [Condition A] AND [Condition B] THEN [Trigger Alert].
  • Common Rule Types:
    • Brute Force: IF Action=Login_Failed happens > 5 times in 1 minute -> Alert.
    • Log Deletion (Covering Tracks): IF EventID=104 (Log Cleared) -> Alert (Critical).
    • Process Execution: IF ProcessName contains whoami OR miner -> Alert.

4. Lab Analysis: Crypto-Mining Incident

In the lab scenario, you investigated a slow computer.

  • The Trigger: An alert fired for "Suspicious Process."
  • The Evidence:
    • Process Name: cudominer.exe (Mining software).
    • Rule Match: The SIEM rule looked for the string miner.
    • User: Chris.
    • Hostname: HR_02.
  • Verdict: True Positive. The user (or malware) was running unauthorized mining software.

5. Operational Reality vs. Theory

  • Format Issues: In the real world, logs break constantly. If an update changes a log format, the SIEM stops understanding it (Normalization failure).
  • Tuning: The hardest part of the job.
    • Example: You create a rule for "Log Deletion."
    • Reality: The IT Admin has a script that clears logs every Sunday for maintenance.
    • Fix: You must Tune the rule to say "IF Log Deletion AND User is NOT 'IT_Admin_Account'".
  • Blind Spots: If you don't install an agent on a server, the SIEM is blind to it.