1. SIEM Basics
💡 What is SIEM?
Security Information and Event Management (SIEM) combines Security Information Management (SIM) and Security Event Management (SEM) for centralized collection, correlation, and analysis of security events.
SIEM Core Functions
Log Collection
Centralized collection of logs from various sources
Event Correlation
Intelligent linking of security events
Alerting
Automatic notification for critical events
Analytics
Statistical analysis and anomaly detection
Reporting
Compliance and executive dashboards
Response
Automated incident response workflows
Leading SIEM Platforms
G-Data Security Center
German SIEM solution with GDPR compliance
Splunk Enterprise Security
Market leader with extensive analytics
IBM QRadar
AI-based threat detection
Microsoft Sentinel
Cloud-native Azure SIEM
LogRhythm NextGen
SIEM with integrated UEBA
2. SIEM Architecture & Design
⚠️ Scalability Planning
Plan for growth from the beginning. A typical enterprise SIEM processes 50,000-200,000 events per second (EPS).
Architecture Components
Log Sources & Agents
Parsing & Normalization
Hot/Warm/Cold Data
Correlation Engine
High-Level Architecture
```text
┌─────────────────┐    ┌──────────────────┐    ┌─────────────────┐
│   Log Sources   │───▶│    Collectors    │───▶│  SIEM Platform  │
├─────────────────┤    ├──────────────────┤    ├─────────────────┤
│ • Firewalls     │    │ • Syslog         │    │ • Correlation   │
│ • Servers       │    │ • Agents         │    │ • Analytics     │
│ • Applications  │    │ • APIs           │    │ • Dashboards    │
│ • Network       │    │ • Database       │    │ • Alerting      │
│ • Cloud         │    │ • File Monitoring│    │ • Reporting     │
└─────────────────┘    └──────────────────┘    └─────────────────┘
                                                        │
                                                        ▼
                                               ┌─────────────────┐
                                               │  SOC Analysts   │
                                               ├─────────────────┤
                                               │ • Investigation │
                                               │ • Escalation    │
                                               │ • Response      │
                                               └─────────────────┘
```
Capacity Planning
3. Log Management
Critical Log Sources
🌐 Network Infrastructure
- Firewall Logs (Accept/Deny)
- Router/Switch Logs
- IDS/IPS Alerts
- DNS Query Logs
- DHCP Lease Information
🖥️ Endpoints & Servers
- Windows Event Logs
- Linux Syslog (auth, kernel)
- EDR/Antivirus Logs
- File Integrity Monitoring
- Process Execution Logs
🔐 Identity & Access
- Active Directory Logs
- VPN Connection Logs
- Multi-Factor Authentication
- Privileged Access Management
- Single Sign-On Events
🌐 Applications & Cloud
- Web Server Access Logs
- Database Audit Logs
- AWS CloudTrail/Azure Logs
- Email Security Logs
- Application Error Logs
Log Normalization
```text
# Example: Syslog Parsing
# Raw Log:
Jan 15 10:30:45 server1 sshd[1234]: Failed password for admin from 192.168.1.100

# Normalized Event:
{
  "timestamp": "2024-01-15T10:30:45Z",
  "source_host": "server1",
  "source_ip": "192.168.1.100",
  "event_type": "authentication_failure",
  "service": "ssh",
  "user": "admin",
  "action": "login_failed",
  "severity": "medium"
}
```
4. Detection Use Cases
🚨 High-Priority Use Cases
Brute Force Attacks
Detection of repeated failed login attempts within a short time window
IF (failed_logins > 5 AND timespan < 5min) THEN ALERT
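As an added example that is not part of the original page, the following Python turns the sshd syslog line from the Log Normalization section into the normalized event schema shown there and then applies the brute-force rule above (more than 5 failures inside 5 minutes) per source IP. The sample log lines are constructed, the log year and a UTC clock are assumed, and the function names are my own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the sshd "Failed password" line quoted above; the "port N ssh2" suffix real sshd
# appends is optional because the page's sample omits it.
SSHD_FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def normalize(line, year=2024):
    """Raw syslog line -> normalized event in the page's schema (None if unparseable)."""
    m = SSHD_FAILED.match(line)
    if not m:
        return None
    # Classic syslog timestamps carry no year, so the collector must supply it.
    # Assumption: the host logs in UTC, hence the trailing "Z".
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "source_host": m["host"], "source_ip": m["ip"],
        "event_type": "authentication_failure", "service": "ssh",
        "user": m["user"], "action": "login_failed", "severity": "medium",
        "_ts": ts,  # parsed datetime kept for correlation
    }

def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """IF (failed_logins > threshold AND timespan < window) THEN ALERT, keyed by source IP."""
    recent, alerts = defaultdict(deque), []
    for ev in sorted(events, key=lambda e: e["_ts"]):
        q = recent[ev["source_ip"]]
        q.append(ev["_ts"])
        while ev["_ts"] - q[0] >= window:
            q.popleft()  # discard failures that fell out of the sliding window
        if len(q) > threshold:
            alerts.append({"source_ip": ev["source_ip"], "failures": len(q),
                           "first": q[0].isoformat(), "last": ev["_ts"].isoformat()})
            q.clear()  # one alert per burst, not one per further attempt
    return alerts

# Constructed sample: six failures from one IP within 25 seconds, one stray failure elsewhere.
SAMPLE_LOGS = [f"Jan 15 10:30:{s:02d} server1 sshd[1234]: Failed password for admin from 192.168.1.100"
               for s in (45, 48, 52, 55, 58)] + [
    "Jan 15 10:31:10 server1 sshd[1235]: Failed password for admin from 192.168.1.100 port 51022 ssh2",
    "Jan 15 10:32:00 server2 sshd[2001]: Failed password for invalid user bob from 10.0.0.7 port 40000 ssh2"]

def run(lines=SAMPLE_LOGS):
    events = [e for e in map(normalize, lines) if e]
    return detect_brute_force(events)
```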
Lateral Movement
Unusual internal network connections and privilege escalation
IF (new_admin_account OR unusual_network_scan) THEN ALERT
Data Exfiltration
Large data transfers to unusual destinations or at odd hours
IF (data_transfer > baseline_x10 AND time = after_hours) THEN ALERT
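An added example (not from the original page) that makes the two fuzzy terms in this rule concrete: the baseline is the median daily outbound volume per host over a history window, and after_hours is a 20:00-06:00 window that wraps midnight, plus weekends. The history, transfer records, thresholds and function names are all constructed for illustration.

```python
from datetime import datetime, time
from statistics import median

# Constructed history: daily outbound bytes per host over the last 7 days.
HISTORY = {
    "ws-042": [210e6, 180e6, 250e6, 190e6, 230e6, 200e6, 220e6],
    "db-01": [5.0e9, 5.2e9, 4.8e9, 5.1e9, 4.9e9, 5.0e9, 5.3e9],
}

# Constructed transfer events to evaluate; 2024-01-15 is a Monday.
TRANSFERS = [
    {"host": "ws-042", "dst": "203.0.113.50", "bytes": 3.0e9, "ts": datetime(2024, 1, 15, 2, 14)},
    {"host": "ws-042", "dst": "203.0.113.50", "bytes": 3.0e9, "ts": datetime(2024, 1, 15, 14, 0)},
    {"host": "db-01", "dst": "10.0.0.9", "bytes": 6.0e9, "ts": datetime(2024, 1, 15, 1, 0)},
]

def baseline(host, history=HISTORY):
    """Per-host baseline: the median daily volume, so one past spike does not inflate it."""
    return median(history[host])

def is_after_hours(ts, start=time(20, 0), end=time(6, 0)):
    """After-hours window that wraps midnight (20:00-06:00); weekends count as well."""
    t = ts.time()
    return ts.weekday() >= 5 or t >= start or t < end

def detect_exfiltration(transfers=TRANSFERS, history=HISTORY, factor=10):
    """IF (data_transfer > baseline_x10 AND time = after_hours) THEN ALERT."""
    alerts = []
    for tr in transfers:
        base = baseline(tr["host"], history)
        # A large absolute volume (db-01 at 01:00) is not flagged while it stays near
        # its own baseline; a workstation moving 14x its norm at 02:14 is.
        if tr["bytes"] > factor * base and is_after_hours(tr["ts"]):
            alerts.append({"host": tr["host"], "dst": tr["dst"],
                           "ratio": round(tr["bytes"] / base, 1),
                           "ts": tr["ts"].isoformat()})
    return alerts
```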
📊 Behavioral Analytics
User Behavior Analytics (UBA)
- Unusual login times
- New devices/locations
- Deviating data access
- Privilege changes
Entity Behavior Analytics (EBA)
- Server performance anomalies
- Network traffic patterns
- Application response times
- DNS query anomalies
🔍 MITRE ATT&CK Mapping
5. Security Operations Center (SOC) Setup
💡 SOC vs. SIEM
A SOC is the team and process, while SIEM is the technology. An effective SOC requires people, processes, and technology.
SOC Roles & Responsibilities
L1 - SOC Analyst
- Alert Monitoring
- Initial Triage
- Ticket Creation
- Basic Investigation
L2 - Security Analyst
- Deep Investigation
- Forensic Analysis
- Correlation Analysis
- Escalation Decisions
L3 - Senior Analyst
- Complex Investigations
- Threat Hunting
- Use Case Development
- Incident Response
SOC Processes & Playbooks
📋 Standard Operating Procedures (SOPs)
Alert Handling
- Alert Receipt & Acknowledgment
- Initial Assessment (5 min)
- Data Collection & Context
- Impact Assessment
- Escalation Decision
- Documentation & Closure
Incident Response
- Incident Declaration
- Team Assembly
- Containment Actions
- Evidence Collection
- Eradication & Recovery
- Lessons Learned
24/7 Operations Model
```text
# Follow-the-Sun Model
┌─────────────┬─────────────┬─────────────┐
│    EMEA     │  Americas   │    APAC     │
│ 08:00-20:00 │ 08:00-20:00 │ 08:00-20:00 │
├─────────────┼─────────────┼─────────────┤
│ Primary SOC │ Primary SOC │ Primary SOC │
│  Frankfurt  │  New York   │  Singapore  │
└─────────────┴─────────────┴─────────────┘

# Shift Model
- Early Shift: 06:00 - 14:00
- Late Shift:  14:00 - 22:00
- Night Shift: 22:00 - 06:00
- Weekend:     12h Shifts

# Escalation Matrix
L1 → L2 (Complex Events)
L2 → L3 (Critical Incidents)
L3 → CISO (Major Incidents)
```
6. SOC KPIs & Metrics
📊 Operational Metrics
🎯 Quality Metrics
False Positive Rate
Goal: Minimize false alarms
Alert Closure Rate
Share of alerts processed through to closure
Escalation Rate
Share of alerts escalated from L1 to L2
📈 Business Metrics
Cost per Event
ROI Calculation
Tavo-IT Managed SOC Services
As a certified G-Data Security Partner, we offer professional 24/7 security monitoring services delivered to German security standards.