• Kaushal Patel

SOC (Security Operation Center) - SIEM

Hello Readers ! Today I am giving you an overview of SOC (Security operation Center)

Here, I am giving you the short information which helps you for easy to remember. You can easily find the brief description over the internet but here you can make an easy note to remember.

I introduce here the life cycle of SOC ! Basics behind of SOC.

- Real-Time Monitoring Environment

- To Reduce false positive

- Investigations

- To investigate incident logs according to severity (Low, Medium, High, Critical)

- Hunt

- To hunt for unknown threats with deep analytics and machine learning techniques.

- IOC (Indication of Compromise)

- Intelligent Feeds

- Threat center and others

- forensic evidence of potential intrusions on a host system or network

Basically in SOC, they collect the log from various components and here the most possible areas,

Log Collection From:

  1. User's Systems

  2. Clouds Platform

  3. Applications

  4. Servers and Workstations

  5. Network

  6. Endpoints

  7. IoT (Internet Of Things)

Here, I defined the work role of SOC in Level accordingly...

  1. Level 1

  2. Level 2

  3. Level 3

SOC level 1:

- Alert-queue monitoring

- Incident qualification

- Triage and escalation

SOC level 2:

- Incident investigations

- Remediation advice

SOC level 3:

- Detection and use case

- Optimization

- Hunting

- Investigation threats intelligence and analysis

I have a bit of talk about SOC Level and Logs collection but the main point is "where all the logs stored in a well organized way ?"

SIEM - Security Information And Event Management

SIEM-Tools comes in a picture if we talk about log collector, observe and monitor

Basically, SIEM tool used for identifying threats, anomalies cyberattacks from gigs of data with correlation rules in real time.

Top most vendors who provide services of SIEM

  1. Solarwinds security event manager

  2. Datadog security Monitoring

  3. Manage Engine EventLog Analyzer

  4. UnderDefence Co-manged SIEM

  5. Splunk Enterprise Security

  6. OSSEC

  7. LogRhythm Next-Gen SIEM Platform

  8. Alien Vault (AT&T)

  9. RSA Net Witness

  10. IBM QRadar

  11. McAfee Enterprise Security Manager

  12. ArcSight SIEM

Evolution of SIEM

Prior to 2005, There were two major tools available for event monitoring and analysis generate by the systems. Named SIM(Security Information Management) and SEM(Security Event Management). Thereafter, Amrit Williams and Mark Nicollet define a new technology called SIEM comes in picture which is providing a combination of both SIM + SEM.

SIM - Security Information Management

- Collect, monitoring and analysis of security related data from computers

- Log management

- Easy to deploy

- Strong log management capabilities

- e.g. OSSIM (Alien Vault)

SEM - Security Event Management

- Practice of network event management include real-time threat analysis,

visualization and incident response

- More complex to deploy

- Real-time monitoring capabilities

- e.g. NetIQ Sentinel

SIEM - Security Information & Event Management

- Combine both SIM + SEM

- More complex to deploy

- Complete functionality capabilities

- e.g. SolarWinds Log & Event Management, Splunk Enterprise Security,

IBM QRadar

Now, I am giving you the basic architecture of SIEM Tool

SIEM Architecture

There are three main components of SIEM

  1. Receiver

  2. Manager

  3. Logger


First component in SIEM that collect the logs from, Windwos, Linux, Applications, Routers, Switches, Firewalls, VPN Servers, Email Servers, and IoT devices.


(i) Extract Logs

(ii) Log Parsing

(iii) Normalization

(iv) Aggregation

(i) Extract Logs

- This is the process done by tool after receiving the logs from receiver

(ii) Log Parsing

- Used for understanding log format in SIEM

- Thousand of devices generate different format logs so, SIEM has to

parse and understand these different logs and mapped them in

the different fields accordingly

(iii) Normalization

- Common event format

- It correlates the rule based on normalization

e.g. Firewall logs and IDS logs

- Correlate both logs into one format as both is generated

similar kind of logs

(iv) Aggregation

- It is used to reduce the similar events by showing aggregation count

- For e.g. If it received the 10 or 20 similar kinds of logs it will aggregate

In one format and represent the counts only with log.


- Heart of SIEM

- It has functionality like,

- Correlation Engine

- Create alerts

- Dashboard Creation

- Report configuration

- Resources management


- It will store the parsed Events

- Users data like Alerts, Dashboard and Reports

Thanks for reading, I hope you liked this blog.

Happy Learning!!!

  • Twitter
  • Facebook
  • LinkedIn

This blog is for those who are beginner in Cyber Security . ​Please Subscribe for more update

© 2021 by CyberMetrix