Book of VanLuong

SIEM

Security Information and Event Management (SIEM) systems provide real-time threat detection, log correlation, and incident response by aggregating security data from across an organization. This report explores how SIEM works, its key components, and advanced analytics through interactive visualizations.

Work with SIEM

SIEM systems collect, analyze, and respond to security events across an organization’s IT infrastructure.

Data collection

SIEM gathers security logs from multiple sources, including:

  • Network devices (firewalls, routers, switches)

  • Servers & endpoints (Windows/Linux logs, antivirus alerts)

  • Cloud services (AWS, Azure, Office 365)

  • Security tools (IDS/IPS, EDR, vulnerability scanners)

Log Normalization & Parsing

Raw logs come in different formats (e.g., JSON, CSV, syslog). The SIEM:

  • Parses logs to extract key fields (IPs, usernames, timestamps)

  • Normalizes data into a standard format for analysis

Example: A firewall log: "Deny TCP 192.168.1.1 → 192.168.1.5 port 22"

→ Normalized as: { "action": "Deny", "src_ip": "192.168.1.1", "dst_ip": "192.168.1.5", "port": "22" }

Event Correlation & Threat Detection

SIEM uses rules, machine learning (ML), and behavioral analytics to detect threats:

  • Rule-based detection (e.g., "10 failed logins in a few minutes = brute force attack")

  • Anomaly detection (e.g., "User logging in at 3 AM from a new country")

  • Threat intelligence matching (e.g., "IP is on a known malware list")

Example Attack Detection:

  • Step 1: Multiple failed logins → Brute force alert

  • Step 2: Successful login followed by unusual file access → Potential insider threat
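The normalization step and the two-step correlation above, as an added example that is not part of the original page: a parser that turns raw firewall and sshd lines into the normalized schema shown earlier, and a rule that fires once the failed-login threshold is reached and again when a success follows from the same source. The log lines, regexes, field names, threshold and window are constructed assumptions, not taken from any SIEM product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input (not from the page): one firewall line in the page's
# "Deny TCP src -> dst port N" shape, plus sshd authentication lines.
RAW_LOGS = [
    "2024-05-01T03:00:01 fw01 Deny TCP 192.168.1.1 -> 192.168.1.5 port 22",
    "2024-05-01T03:00:05 srv01 sshd: Failed password for alice from 10.0.0.7",
    "2024-05-01T03:00:09 srv01 sshd: Failed password for alice from 10.0.0.7",
    "2024-05-01T03:00:12 srv01 sshd: Failed password for alice from 10.0.0.7",
    "2024-05-01T03:00:20 srv01 sshd: Accepted password for alice from 10.0.0.7",
]

FW_RE = re.compile(r"^(\S+) (\S+) (Deny|Allow) (\w+) (\S+) -> (\S+) port (\d+)$")
AUTH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def normalize(line):
    """Parse one raw line into a common schema; return None for unrecognised formats."""
    m = FW_RE.match(line)
    if m:
        ts, host, action, proto, src, dst, port = m.groups()
        return {"ts": ts, "host": host, "type": "firewall", "action": action,
                "proto": proto, "src_ip": src, "dst_ip": dst, "port": port}
    m = AUTH_RE.match(line)
    if m:
        ts, host, outcome, user, src = m.groups()
        return {"ts": ts, "host": host, "type": "auth", "user": user, "src_ip": src,
                "action": "fail" if outcome == "Failed" else "success"}
    return None

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Step 1: `threshold` failures from one src_ip inside `window` -> brute_force.
    Step 2: a success from that src_ip while those failures are still in the window."""
    fails = defaultdict(list)   # src_ip -> timestamps of recent failures
    alerts = []
    for e in events:            # events are assumed to be in timestamp order
        if e is None or e["type"] != "auth":
            continue
        t = datetime.fromisoformat(e["ts"])
        recent = [x for x in fails[e["src_ip"]] if t - x <= window]  # drop expired
        if e["action"] == "fail":
            recent.append(t)
            if len(recent) == threshold:          # fire once when the bar is reached
                alerts.append(("brute_force", e["src_ip"], e["user"]))
        elif len(recent) >= threshold:
            alerts.append(("success_after_brute_force", e["src_ip"], e["user"]))
        fails[e["src_ip"]] = recent
    return alerts
```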

Alerting & Incident Response

When a threat is detected:

  • Alerts are sent to the SOC (Security Operations Center)

  • Automated response actions (block an IP, disable an account) via SOAR integration

  • Case management for investigation