A large company generates around 1 Terabyte of logs per day: firewall logs, Windows Event logs, antivirus alerts, proxy logs, cloud audit trails. No human can read this. A SIEM (Security Information and Event Management) collects all these logs in one place, normalizes them into common fields (user, source IP, timestamp, action), and applies correlation logic across sources to find anomalies that no single log shows on its own.
Correlation Rules
A SIEM connects the dots.
Event A: John logs in via VPN from New York (GeoIP: USA).
Event B (1 minute later): John's account logs into the Database from Moscow (GeoIP: Russia).
SIEM Alert: "Impossible Travel Detection". New York to Moscow is roughly 7,500 km; unless John can cover that in a minute, one of these sessions is not John. In practice the rule compares the distance between the two GeoIP locations with the time between the events and alerts when the implied speed is faster than any airliner. Two caveats a practitioner will hit: GeoIP is approximate, and corporate VPN or cloud egress addresses "teleport" legitimate users, so known egress ranges should be excluded before the rule goes live.
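The impossible-travel rule described above, run over a few constructed login events, as an added example (this is illustrative code, not the page's own or any vendor's rule; the coordinates, IPs, timestamps and the 1,000 km/h threshold are assumptions):

```python
import math
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 1000.0      # faster than a commercial jet: assumed threshold
MIN_DISTANCE_KM = 100.0     # ignore GeoIP jitter inside one metro area (assumed)

# Constructed events, already GeoIP-enriched (hypothetical users, IPs, coordinates).
EVENTS = [
    {"user": "john", "ts": "2024-05-01T12:00:00Z", "src_ip": "203.0.113.10",
     "lat": 40.7128, "lon": -74.0060, "geo": "New York, US", "source": "vpn"},
    {"user": "john", "ts": "2024-05-01T12:01:00Z", "src_ip": "198.51.100.7",
     "lat": 55.7558, "lon": 37.6173, "geo": "Moscow, RU", "source": "database"},
    # alice: two logins from the same city, 8 hours apart -> normal
    {"user": "alice", "ts": "2024-05-01T08:00:00Z", "src_ip": "192.0.2.20",
     "lat": 41.8781, "lon": -87.6298, "geo": "Chicago, US", "source": "vpn"},
    {"user": "alice", "ts": "2024-05-01T16:00:00Z", "src_ip": "192.0.2.21",
     "lat": 41.8700, "lon": -87.6200, "geo": "Chicago, US", "source": "database"},
    # bob: second login comes from a known corporate VPN egress -> suppressed
    {"user": "bob", "ts": "2024-05-01T09:00:00Z", "src_ip": "192.0.2.30",
     "lat": 51.5074, "lon": -0.1278, "geo": "London, GB", "source": "vpn"},
    {"user": "bob", "ts": "2024-05-01T09:02:00Z", "src_ip": "203.0.113.200",
     "lat": 37.7749, "lon": -122.4194, "geo": "San Francisco, US", "source": "database"},
]

# Assumed corporate egress addresses; sessions from these are not "travel".
TRUSTED_EGRESS = {"203.0.113.200"}


def parse_ts(ts):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH, trusted=TRUSTED_EGRESS):
    """Return one alert per consecutive login pair whose implied speed is impossible."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for prev, cur in zip(evs, evs[1:]):
            if prev["src_ip"] in trusted or cur["src_ip"] in trusted:
                continue  # known egress: location says nothing about the person
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < MIN_DISTANCE_KM:
                continue  # same metro area, GeoIP noise
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            # Zero elapsed time with real distance is the strongest signal, not a divide error.
            speed = dist / hours if hours > 0 else math.inf
            if speed > max_speed_kmh:
                alerts.append({
                    "rule": "Impossible Travel Detection",
                    "user": user,
                    "from": prev["geo"], "to": cur["geo"],
                    "distance_km": round(dist),
                    "required_speed_kmh": round(speed),
                    "sources": (prev["source"], cur["source"]),
                })
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(EVENTS):
        print(a)
```

The rule keys on the user, not the IP, because the attacker's whole point is to reuse John's credentials from somewhere else; the egress allowlist and the minimum-distance floor are the two knobs that decide how noisy it is in production.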
1. The Tools
Splunk: The market leader. Powerful search language (SPL) and a large ecosystem of apps, but typically licensed by daily ingest volume, which is why that 1 TB/day figure matters.
ELK Stack (Elasticsearch, Logstash, Kibana): Free to run and popular with developers. On its own it is a log platform; SIEM features such as detection rules come from Elastic Security or from queries you write yourself.
Wazuh: Open source, combines a host agent (file integrity, log collection, vulnerability detection) with a SIEM-style rules engine. Great for smaller teams.
2. IOCs (Indicators of Compromise)
Threat Intelligence feeds provide lists of known-malicious IPs, domains, URLs and file hashes.
The SIEM ingests these feeds continuously and checks every new event against them as it arrives.
If any computer in your network connects to a known C2 (Command & Control) IP or domain, or runs a file whose hash is on the list, the SIEM triggers a Critical Alert immediately. Two caveats: IPs and domains churn quickly, so a stale feed misses current infrastructure and flags hosts that have since been reassigned; and a blocked connection is still worth an alert, because the host that tried it is probably already infected.
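IOC matching as the SIEM performs it, as an added example that is not code from the page or from any of the tools named above. The feed format, the log line formats, the TEST-NET addresses and the hash are all constructed for illustration; none refer to real C2 infrastructure.

```python
import ipaddress
import re

# Constructed threat-intel feed: type,value,label (hypothetical entries).
FEED = """\
# type,value,label
ip,198.51.100.23,c2-server-family-x
cidr,203.0.113.0/24,bulletproof-hoster
domain,update-check.example.net,c2-domain
sha256,0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF,dropper-sample
"""

# Constructed proxy and EDR log lines in a simple key=value format (assumed layout).
LOGS = [
    "2024-05-01T12:00:03Z proxy src=10.1.2.3 dst=198.51.100.23 host=- action=allow",
    "2024-05-01T12:00:09Z proxy src=10.1.2.4 dst=192.0.2.44 host=cdn.update-check.example.net action=allow",
    "2024-05-01T12:00:12Z proxy src=10.1.2.9 dst=192.0.2.45 host=www.example.org action=allow",
    "2024-05-01T12:01:00Z edr computer=WS-042 file=C:\\Users\\john\\setup.exe "
    "sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    "2024-05-01T12:01:30Z proxy src=10.1.2.5 dst=203.0.113.77 host=- action=deny",
]

KV = re.compile(r"(\w+)=(\S+)")


def load_feed(text):
    """Index the feed so each event costs a few set lookups, not a scan of the feed."""
    ips, nets, domains, hashes = {}, [], {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value, label = (p.strip() for p in line.split(",", 2))
        if kind == "ip":
            ips[ipaddress.ip_address(value)] = label
        elif kind == "cidr":
            nets.append((ipaddress.ip_network(value, strict=False), label))
        elif kind == "domain":
            domains[value.lower().rstrip(".")] = label
        elif kind == "sha256":
            hashes[value.lower()] = label   # hashes are case-insensitive hex
    return {"ips": ips, "nets": nets, "domains": domains, "hashes": hashes}


def lookup_ip(feed, text):
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    if addr in feed["ips"]:
        return feed["ips"][addr]
    for net, label in feed["nets"]:
        if addr in net:
            return label
    return None


def lookup_domain(feed, host):
    """Exact match or subdomain match: cdn.evil.example matches evil.example."""
    host = host.lower().rstrip(".")
    for d, label in feed["domains"].items():
        if host == d or host.endswith("." + d):
            return label
    return None


def match_iocs(lines, feed_text):
    """Return a critical alert for every log line that touches an indicator."""
    feed = load_feed(feed_text)
    alerts = []
    for line in lines:
        fields = dict(KV.findall(line))
        hit = None
        if "dst" in fields:
            label = lookup_ip(feed, fields["dst"])
            if label:
                hit = ("ip", fields["dst"], label)
        if not hit and fields.get("host", "-") != "-":
            label = lookup_domain(feed, fields["host"])
            if label:
                hit = ("domain", fields["host"], label)
        if not hit and "sha256" in fields:
            label = feed["hashes"].get(fields["sha256"].lower())
            if label:
                hit = ("sha256", fields["sha256"], label)
        if hit:
            # A denied connection still means the source host tried to reach C2.
            alerts.append({"severity": "critical", "ioc_type": hit[0],
                           "ioc": hit[1], "label": hit[2],
                           "action": fields.get("action"), "line": line})
    return alerts


if __name__ == "__main__":
    for a in match_iocs(LOGS, FEED):
        print(a["severity"], a["ioc_type"], a["ioc"], a["label"], a["action"])
```

The three normalizations (parsed IP addresses rather than strings, lowercased domains with subdomain matching, lowercased hashes) are where naive string comparison silently misses hits; the deny on the last line is reported rather than dropped for the reason given in the caveat above.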