What is a SIEM?
Security Information and Event Management (SIEM) aggregates logs from across your environment, correlates events, and generates alerts for potential security incidents.
Core SIEM Functions
- Log Collection: Aggregate logs from all sources
- Normalization: Parse and structure data
- Correlation: Connect related events
- Alerting: Notify on suspicious patterns
- Investigation: Search and analyze historical data
- Reporting: Compliance and executive dashboards
Choosing a SIEM
| SIEM | Characteristics |
| --- | --- |
| Splunk | Most powerful, expensive, enterprise-grade |
| Microsoft Sentinel | Cloud-native, Azure integration, pay-per-use |
| Elastic SIEM | Open-source friendly, scalable |
| IBM QRadar | Enterprise, strong analytics |
| Sumo Logic | Cloud-native, modern UI |
Log Collection Strategy
Priority Log Sources
- Authentication: AD, Azure AD, VPN, SSO
- Endpoints: Sysmon, EDR, Windows Security
- Network: Firewall, proxy, DNS, IDS/IPS
- Cloud: AWS CloudTrail, Azure Activity, GCP Audit
- Applications: Web servers, databases, custom apps
Windows Sysmon Configuration
Key Sysmon events to collect:
- Event ID 1: Process creation
- Event ID 3: Network connection
- Event ID 7: Image loaded (DLLs)
- Event ID 10: Process access
- Event ID 11: File creation
- Event ID 22: DNS query
Detection Rules
Splunk Detection Example
Brute-force detection: more than 10 failed logons (Event ID 4625) from one source IP against one account. Note that `stats` discards `_time`, so the first and last failure times are carried through explicitly:

```spl
index=windows EventCode=4625
| stats count, min(_time) AS first_seen, max(_time) AS last_seen BY src_ip, user
| where count > 10
| table first_seen, last_seen, src_ip, user, count
```
Sigma Rule (Platform-Agnostic)
```yaml
title: Suspicious PowerShell Download
status: experimental
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains|all:
      - 'powershell'
      - 'downloadstring'
  condition: selection
level: high
```
Sigma Advantage
Write a rule once in Sigma format, then convert it to Splunk, Elastic, Sentinel, or any other SIEM query language with the sigmac converter.
Dashboards & Reporting
Essential Dashboards
- Security Overview: Alert volume, top threats, trends
- Authentication: Failed logins, unusual locations
- Endpoint Health: EDR coverage, unpatched systems
- Network: Traffic patterns, blocked connections
- Compliance: PCI, SOC2, HIPAA checkboxes
Alert Tuning
Out-of-the-box rules generate too many false positives. Tuning is critical:
- Baseline normal behavior first (30-60 days)
- Whitelist known good (service accounts, monitoring tools)
- Add context (is user an admin? is it business hours?)
- Prioritize by asset criticality
- Review and refine weekly
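The brute-force logic from the Detection Rules section, with the allowlist and context steps from the tuning list applied, as an added stand-alone example (not code from the original page). It assumes events already normalized to the `_time`, `src_ip` and `user` fields used in the SPL search, counts failures inside a sliding time window rather than over the whole search period, drops allowlisted service accounts before counting, and raises severity when the targeted account is an admin. The sample events are constructed.

```python
"""Windowed brute-force detection over failed-logon events, with tuning."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows 4625 (failed logon) events, normalized to the
# field names used in the SPL search above. Not real log data.
SAMPLE_EVENTS = (
    # 12 failures in 12 minutes from one external IP: should alert
    [{"_time": f"2024-12-01T08:{m:02d}:00", "src_ip": "203.0.113.7", "user": "jdoe"} for m in range(12)]
    # 15 failures from a backup service account: known-good noise, allowlisted
    + [{"_time": f"2024-12-01T09:{m:02d}:00", "src_ip": "10.0.0.5", "user": "svc_backup"} for m in range(15)]
    # 12 failures against an admin spread one per hour: below threshold in any 10-minute window
    + [{"_time": f"2024-12-01T{h:02d}:30:00", "src_ip": "198.51.100.9", "user": "admin"} for h in range(12)]
)


def detect_brute_force(events, threshold=10, window_minutes=10,
                       allowlist=frozenset(), admins=frozenset()):
    """Return one alert per (src_ip, user) pair that exceeds `threshold`
    failed logons inside any `window_minutes`-long interval."""
    window = timedelta(minutes=window_minutes)
    per_pair = defaultdict(list)
    for ev in events:
        if ev["user"].lower() in allowlist:
            continue  # tuning: known-good service accounts never alert
        per_pair[(ev["src_ip"], ev["user"])].append(datetime.fromisoformat(ev["_time"]))

    alerts = []
    for (src_ip, user), times in per_pair.items():
        times.sort()
        start, best = 0, 0
        # Sliding window: move `start` forward until the span fits in `window`,
        # then record the largest number of failures seen in one window.
        for i, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, i - start + 1)
        if best > threshold:
            alerts.append({
                "src_ip": src_ip, "user": user, "count": best,
                "first_seen": times[0].isoformat(), "last_seen": times[-1].isoformat(),
                # tuning: add context, an admin target is more urgent
                "severity": "critical" if user.lower() in admins else "high",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_EVENTS, allowlist={"svc_backup"}, admins={"admin"}):
        print(alert)
```

Widening `window_minutes` (for example to a full day) surfaces the low-and-slow admin case above, so the window and threshold are the two knobs to baseline per environment.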
Updated: December 2024