A Beginner’s Guide to SIEM

🔍 A Beginner’s Guide to SIEM: How It Works, Why It’s Important, and Key Concepts

📌 Introduction — What is SIEM?

SIEM (Security Information and Event Management) is like a security control room 🖥️🔒 for your network.
It:

  • 🗂️ Collects logs from different devices

  • 🏦 Stores them in one place

  • 🕵️ Analyses them to detect suspicious activity

In short: SIEM helps security teams see everything happening in the network in real time ⏳ and respond quickly to threats ⚡.


🌐 Why Network Visibility Matters

A network might have:
💻 Windows & Linux computers
🗄️ Data servers
🌍 A company website
📡 A router connecting everything

Each device generates logs 📝 when something happens — logins, file transfers, web visits.
By seeing all logs in one place, you can spot threats faster 🚨.


📂 Types of Log Sources

🖥️ Host-Centric Logs

Logs from inside a device:

  • Windows Event Logs 🪟

  • Sysmon ⚙️

  • Osquery 🔎

Examples:
📁 File access
🔑 Login attempts
⚡ Program execution
🛠️ Registry changes
💻 PowerShell commands

🌐 Network-Centric Logs

Logs from communication between devices, or between a device and the internet:

  • SSH 🔑

  • FTP 📤📥

  • HTTP/HTTPS 🌍

  • VPN 🔒

  • Network file sharing 📂


🗂️ Log Sources and Log Ingestion

💻 Windows Machines

  • Uses Event Viewer to record events.

  • Each activity has a unique Event ID.

  • Example: 104 → Event logs removed 🗑️.

🐧 Linux Systems

Stores logs in:

  • /var/log/httpd → 🌐 Web requests & errors

  • /var/log/cron → ⏲️ Scheduled tasks

  • /var/log/auth.log → 🔐 Authentication logs

  • /var/log/kern → ⚙️ Kernel events

🌍 Web Servers

Apache logs stored in /var/log/apache or /var/log/httpd track requests/responses — useful for detecting attacks 🛡️.


📥 How SIEM Ingests Logs

  1. Agent / Forwarder 📦 – Installed on devices to send logs to SIEM.

  2. Syslog 📡 – Protocol for sending logs in real time.

  3. Manual Upload 📤 – Import offline logs for analysis.

  4. Port-Forwarding 🔌 – SIEM listens on a port for incoming logs.


🛡️ Why SIEM is Important

  • 🔗 Correlates events from multiple sources.

  • 🚨 Sends alerts on suspicious activity.

  • 🖥️ Gives complete visibility of the network.

  • ⏱️ Helps respond quickly to incidents.


⚙️ Key SIEM Capabilities

  • 🔍 Event Correlation – Linking related events.

  • 👀 Visibility – Host + Network monitoring.

  • 🕵️ Threat Investigation – Digging deeper into alerts.

  • 🏹 Threat Hunting – Finding hidden threats.


👨‍💻 SOC Analysts & SIEM

SOC Analysts use SIEM for:

  • 📊 Monitoring & investigating alerts

  • 🚫 Finding false positives

  • 🎛️ Tuning noisy rules

  • 📑 Reporting & compliance checks

  • 🔦 Identifying visibility gaps


🧐 Analysing Logs and Alerts

🔔 How Alerts are Triggered

  1. Logs ingested 📥

  2. Rules applied 📜

  3. Condition met ✅ → Alert raised 🚨


📊 Dashboards in SIEM

Dashboards give a quick overview:

  • 🚨 Alert highlights

  • 📢 System notifications

  • 🩺 Health alerts

  • ❌ Failed logins

  • 🔢 Event counts

  • 📜 Rules triggered

  • 🌍 Top visited domains


🧠 Correlation Rules Examples

  • Multiple Failed Logins → More than 5 in 10 seconds

  • 🔓 Login After Failures → Possible brute-force

  • 💽 USB Insertion → Alert if restricted

  • 📤 Large Data Transfer → Above company limits

Event Examples:

  • 104 🗑️ → Event logs cleared

  • 4688 + whoami 💻 → WHOAMI command detected
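The correlation rules and event examples above, as an added worked example (not code from the original post): a small Python correlator that slides a 10-second window per host/user, raises "more than 5 failed logins", "login after failures", "whoami executed" (4688) and "event logs cleared" (104). The sample events are constructed, and the failed/successful logon IDs 4625/4624 are assumed Windows values not mentioned in the post.

```python
from collections import defaultdict, deque
from datetime import datetime

def ev(event_id, host, user, hhmmss, cmd=None):
    """Build one constructed Windows-style event (same day, ISO timestamp)."""
    return {"ts": f"2024-01-01T{hhmmss}", "event_id": event_id,
            "host": host, "user": user, "cmd": cmd}

# Constructed sample events (not from the original post).
# 4625 = failed logon, 4624 = successful logon (assumed Windows IDs);
# 4688 = process creation and 104 = log cleared, as in the post.
EVENTS = (
    [ev(4625, "WS01", "alice", f"10:00:0{i}") for i in range(6)]  # 6 fails in 5 s
    + [ev(4624, "WS01", "alice", "10:00:07")]                      # then success
    + [ev(4625, "WS01", "bob", t) for t in ("10:00:00", "10:00:20", "10:00:40")]
    + [ev(4624, "WS01", "bob", "10:01:00")]                        # clean login
    + [ev(4688, "WS02", "carol", "10:02:00", cmd="whoami /all")]
    + [ev(104, "WS02", "SYSTEM", "10:03:00")]
)

def correlate(events, threshold=5, window_s=10):
    """Return (rule, (host, user), detail) tuples for the post's rules."""
    alerts = []
    recent_fails = defaultdict(deque)   # (host, user) -> failure timestamps
    for e in sorted(events, key=lambda x: x["ts"]):
        t = datetime.fromisoformat(e["ts"])
        key = (e["host"], e["user"])
        q = recent_fails[key]
        # Slide the window: drop failures older than window_s seconds.
        while q and (t - q[0]).total_seconds() > window_s:
            q.popleft()
        if e["event_id"] == 4625:
            q.append(t)
            if len(q) == threshold + 1:   # fire once when "more than 5" is crossed
                alerts.append(("multiple_failed_logins", key, len(q)))
        elif e["event_id"] == 4624 and q:
            # Success while failures are still in the window: brute-force sign
            alerts.append(("login_after_failures", key, len(q)))
        elif e["event_id"] == 4688 and "whoami" in (e["cmd"] or "").lower():
            alerts.append(("whoami_executed", key, e["cmd"]))
        elif e["event_id"] == 104:
            alerts.append(("event_logs_cleared", key, None))
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Bob's three failures are 20 seconds apart, so they never share a window and stay silent; only alice's burst, the two WS02 events, and nothing else fire.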


🕵️ Alert Investigation Steps

  1. Review events & conditions

  2. Decide if False Positive 🚫 or True Positive

If False Positive:

  • 🔧 Tune rules to reduce noise

If True Positive:

  • 🔍 Investigate further

  • 📞 Contact asset owner

  • 🔒 Isolate device

  • 🚫 Block malicious IP


📌 Quick Facts

  • 🗑️ Event ID for logs removed → 104

  • 🚫 Alerts that may need tuning → False Positives

Written by

Sylvester (ANBU)