SIEM Systems: Enterprise Security Monitoring Guide

Core Elements:

• Data Collectors: Agents, syslog, API integrations
• Normalization Engine: Common Event Format (CEF)
• Correlation Engine: Rule-based analytics
• Storage: Hot/Warm/Cold data tiers

Enterprise Deployment Models:

• On-Prem: Splunk Enterprise Security
• Cloud: Microsoft Sentinel
• Hybrid: IBM QRadar

Data Volume Example:

A mid-sized enterprise typically processes 50-100GB of logs daily

Critical Log Sources:

• Network: Firewalls, IDS/IPS, NetFlow
• Endpoints: EDR, Windows Event Logs
• Cloud: AWS CloudTrail, Azure AD

Normalization Example:

# Raw Syslog
May 15 10:23:45 firewall01 %ASA-6-302013: Built outbound TCP connection 12345 for dmz:10.1.1.1/443 to internet:203.0.113.5/54321

# CEF Normalized
CEF:0|Cisco|ASA|9.12|302013|TCP connection|6|
src=10.1.1.1 dst=203.0.113.5 proto=TCP spt=443 dpt=54321
        

Collection Methods:

Syslog, WEF, API polling, agent-based (Splunk UF, Wazuh)

Common Detection Rules:

• Brute Force: 5+ failed logins in 5 minutes
• Data Exfiltration: 50MB+ outbound transfers
• Lateral Movement: Multiple host logins in short time

Splunk SPL Example:

index=wineventlog EventCode=4625 
| stats count by _time, user, src_ip 
| where count > 5
| lookup geoip src_ip AS src_ip OUTPUT country_name
        

MITRE ATT&CK Mapping:

Tag rules with T1078 (Valid Accounts) or T1110 (Brute Force)

Hunting Methodologies:

• Hypothesis-Driven: "Are there signs of DNS tunneling?"
• Indicator-Based: Known malicious IPs/hashes
• Anomaly Detection: Statistical outliers

Sentinel KQL Example:

SecurityEvent
| where EventID == 4688 and CommandLine contains "powershell"
| summarize ExecutionCount=count() by Account, CommandLine
| sort by ExecutionCount desc
        

Enterprise Tools:

Splunk ES, Microsoft Sentinel, Elastic Security