1. What is SIEM?
SIEM stands for Security Information and Event Management.
It is a centralized platform used in a Security Operations Center (SOC)
to collect, normalize, analyze, and correlate security logs from many sources.
SIEM is the brain of a SOC.
2. Why SIEM is Required
- Organizations generate millions of log events every day
- Reviewing that volume by hand is impractical
- SIEM applies correlation rules to detect suspicious patterns automatically
- Centralized logging and alerting are required for compliance and audits
3. What is a Log?
A log is a recorded event generated by a system, application,
network device, or security tool.
| Log Source  | Example Event          |
|-------------|------------------------|
| Firewall    | Blocked malicious IP   |
| Server      | User login / logout    |
| Application | Failed authentication  |
| Endpoint    | Malware detected       |
4. SIEM Architecture (Simplified)
- Log Sources (Servers, Firewalls, Apps)
- Log Collectors / Agents
- SIEM Server
- Correlation Engine
- Dashboards & Alerts
5. Common SIEM Tools
| Tool          | Usage                          |
|---------------|--------------------------------|
| Splunk        | Log search, alerts, dashboards |
| IBM QRadar    | Real-time threat correlation   |
| ArcSight      | Enterprise SIEM monitoring     |
| Elastic (ELK) | Open-source log analysis       |
6. What is Log Correlation?
Log correlation is the process of linking multiple events
to identify a potential attack.
Example: several failed logins for one account + a successful login from the same
source + a large data download shortly after
= Possible successful brute-force attack followed by data theft.
Each event on its own looks ordinary; linked together in sequence they describe an attack chain.
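As an added example (not part of the original notes), the correlation rule described above implemented in Python over a handful of constructed syslog-style log lines. The line format, the application's "downloaded" message, and the thresholds (5 failures in 5 minutes, download within 10 minutes of the login) are assumptions chosen for illustration; a real SIEM would express the same logic as a correlation rule over its own normalized fields.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original page) in a simplified
# syslog-like layout: "<timestamp> <host> <program>: <message>".
# alice: 5 failures, then success, then a download  -> should alert
# bob:   1 failure, then success, no download       -> should not alert
SAMPLE_LOGS = """\
2024-05-01T09:00:01 web01 sshd: Failed password for alice from 203.0.113.7
2024-05-01T09:00:04 web01 sshd: Failed password for alice from 203.0.113.7
2024-05-01T09:00:07 web01 sshd: Failed password for alice from 203.0.113.7
2024-05-01T09:00:09 web01 sshd: Failed password for alice from 203.0.113.7
2024-05-01T09:00:12 web01 sshd: Failed password for alice from 203.0.113.7
2024-05-01T09:00:15 web01 sshd: Accepted password for alice from 203.0.113.7
2024-05-01T09:01:30 web01 app: User alice downloaded /exports/customers.csv (250 MB)
2024-05-01T09:05:00 web01 sshd: Failed password for bob from 198.51.100.9
2024-05-01T09:06:00 web01 sshd: Accepted password for bob from 198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+): (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")
OK_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>\S+)")
DL_RE = re.compile(r"User (?P<user>\S+) downloaded (?P<path>\S+)")  # assumed app message format


def parse_line(line):
    """Normalize one raw log line into an event dict; return None if unrecognized."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m["msg"]
    for kind, rx in (("auth_fail", FAIL_RE), ("auth_success", OK_RE), ("download", DL_RE)):
        hit = rx.search(msg)
        if hit:
            ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "kind": kind}
            ev.update(hit.groupdict())  # user plus ip or path
            return ev
    return None


def correlate(lines, fail_threshold=5, fail_window=timedelta(minutes=5),
              exfil_window=timedelta(minutes=10)):
    """Link events per user: N failed logins, then a success, then a download.

    Every parsed line is an event; only a completed chain becomes an alert.
    Returns a list of alert dicts.
    """
    recent_fails = defaultdict(deque)  # user -> timestamps of failures inside the window
    suspicious_login = {}              # user -> (success_ts, src_ip, failure_count)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        user, ts = ev["user"], ev["ts"]
        fails = recent_fails[user]
        # Slide the window: forget failures older than fail_window.
        while fails and ts - fails[0] > fail_window:
            fails.popleft()
        if ev["kind"] == "auth_fail":
            fails.append(ts)
        elif ev["kind"] == "auth_success":
            if len(fails) >= fail_threshold:
                suspicious_login[user] = (ts, ev["ip"], len(fails))
            fails.clear()
        elif ev["kind"] == "download" and user in suspicious_login:
            login_ts, ip, n = suspicious_login[user]
            if ts - login_ts <= exfil_window:
                alerts.append({
                    "rule": "brute_force_then_download",
                    "user": user, "src_ip": ip, "failed_attempts": n,
                    "login_at": login_ts.isoformat(), "download": ev["path"],
                    "host": ev["host"],
                })
                del suspicious_login[user]  # one alert per chain
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines()):
        print(alert)
```

Running it prints one alert for alice and nothing for bob: the single failed login followed by a success is an ordinary typo, which is exactly why the rule counts failures in a window rather than reacting to any failure. Raising `fail_threshold` to 6 suppresses the alice alert too, a quick way to see how tuning a threshold trades false positives against missed detections.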
7. Alerts vs Events
| Event                | Alert                             |
|----------------------|-----------------------------------|
| Any logged activity  | Suspicious or malicious activity  |
| Informational        | Requires analyst attention        |
8. Role of SOC Analyst in SIEM
- Monitor dashboards
- Triage and analyze alerts
- Validate alerts and rule out false positives
- Escalate confirmed incidents
- Document findings and create reports
SOC Analysts must think logically, not panic.
9. Skills Required for SIEM & Log Analysis
- Basic networking knowledge
- Understanding of attacks
- Pattern recognition
- Attention to detail
- Documentation skills
10. Learning Path Ahead
- Log formats (syslog, JSON)
- Splunk search queries
- Use-case creation
- Incident handling labs