Day 4 – Understanding SIEM, How SIEM Works & Why SOC Depends on SIEM.


🎛️ What Is SIEM? (Explained Very Simply)

SIEM = Security Information and Event Management.

In simple words:

SIEM is the brain of the SOC.
It collects logs from everywhere, detects attacks, and shows alerts.

Real-Life Example:

Think of SIEM like a central CCTV system:

  • Every camera = different device (server, firewall, application)
  • CCTV screen = SIEM dashboard
  • Person watching the screen = SOC Analyst

Without SIEM → SOC cannot see attacks.


🧮 Why Do We Need SIEM?

SIEM helps analysts:

  • Collect logs from thousands of devices
  • Detect suspicious activity
  • Correlate events
  • Create alerts
  • Respond to attacks quickly
  • Generate reports for management

Real Example:

A user logs in from India and 5 minutes later logs in from Dubai.
SIEM detects this unusual behavior → generates alert.


🚀 How SIEM Works

Here is the simple 4-step SIEM flow:


1️⃣ Log Collection

SIEM collects logs from:

  • Windows servers
  • Linux servers
  • Firewalls
  • Routers
  • VPN
  • Applications
  • Cloud services

Example:

User login → log created → sent to SIEM.


2️⃣ Log Parsing & Normalization

Logs from different devices look different.
SIEM converts them into one standard format.

Example:

Windows log: “Event ID 4625 – failed login”
Firewall log: “Denied TCP 445”
SIEM maps both into the same fields (time, source IP, user, action) so an analyst can search and compare them together.


3️⃣ Correlation

SIEM connects related events together.

Example:

If the same IP:

  • Tried password 20 times
  • Accessed a server
  • Triggered firewall block

SIEM correlates these → possible brute-force attack.


4️⃣ Alerting & Dashboard

SIEM creates alerts when it sees suspicious activity.

Example alerts:

  • “Multiple failed login attempts”
  • “Unusual country login”
  • “Malware detected”
  • “Port scanning attempt”

SOC Analysts monitor these alerts.


🗂️ Common SIEM Tools

  • Splunk
  • IBM QRadar
  • Elastic SIEM (ELK)
  • Microsoft Sentinel
  • ArcSight

For beginners, Splunk and Microsoft Sentinel are the easiest to start with.


🧪 Simple SIEM Example (For Understanding)

Scenario: Brute Force Attack

Logs show:

  • 5 failed logins
  • 10 failed logins
  • 20 failed logins
    → SIEM correlates
    → Sends alert: “Multiple Login Failures – Possible Brute Force Attack”

What the SOC analyst does:

  • Checks the source IP
  • Blocks it if malicious
  • Resets the account if it was compromised
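The four-step flow above (collect, normalize, correlate, alert) and the brute-force scenario in this section, worked through as one small Python script. This is an added example, not code from the post or from any SIEM product; the two raw log layouts, the field names and the threshold of 20 failures are constructed assumptions.

```python
import re
from collections import defaultdict

# Step 1 (collection): constructed sample lines in two different raw formats, as a
# SIEM would receive them. The layouts are simplified stand-ins, not real Windows
# or firewall output. 4625 = failed logon, 4624 = successful logon (real Windows IDs).
RAW_LOGS = [f"2024-05-01T10:00:{i:02d}Z WIN EventID=4625 User=alice SrcIP=203.0.113.7"
            for i in range(20)]                       # 20 failures from one IP
RAW_LOGS += [
    "2024-05-01T10:00:30Z WIN EventID=4624 User=bob SrcIP=198.51.100.4",
    "2024-05-01T10:00:31Z FW action=DENY proto=TCP dport=445 src=203.0.113.7",
    "2024-05-01T10:00:32Z WIN EventID=4625 User=bob SrcIP=198.51.100.4",
]

WIN_RE = re.compile(r"^(?P<ts>\S+) WIN EventID=(?P<eid>\d+) User=(?P<user>\S+) SrcIP=(?P<ip>\S+)$")
FW_RE = re.compile(r"^(?P<ts>\S+) FW action=(?P<action>\S+) proto=\S+ dport=\d+ src=(?P<ip>\S+)$")

def normalize(line):
    """Step 2: turn one raw line into the common schema (ts, source, event, src_ip, user)."""
    m = WIN_RE.match(line)
    if m:
        event = {"4625": "login_failure", "4624": "login_success"}.get(m["eid"], "other")
        return {"ts": m["ts"], "source": "windows", "event": event, "src_ip": m["ip"], "user": m["user"]}
    m = FW_RE.match(line)
    if m:
        event = "firewall_block" if m["action"] == "DENY" else "firewall_allow"
        return {"ts": m["ts"], "source": "firewall", "event": event, "src_ip": m["ip"], "user": None}
    return None  # unknown layout: a real SIEM keeps it as an unparsed event

def correlate(events, threshold=20):
    """Step 3: group by source IP; raise an alert when one IP has >= threshold login
    failures, and note whether the firewall also blocked that IP (the page's pattern)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        failures = sum(1 for e in evs if e["event"] == "login_failure")
        if failures >= threshold:
            alerts.append({"rule": "Multiple Login Failures - Possible Brute Force Attack",
                           "src_ip": ip, "failures": failures,
                           "firewall_block_seen": any(e["event"] == "firewall_block" for e in evs)})
    return alerts

def run_pipeline(raw_lines, threshold=20):
    """Steps 1-4 in order: collect -> normalize -> correlate -> alerts for the dashboard."""
    events = [e for e in (normalize(l) for l in raw_lines) if e]
    return correlate(events, threshold)

if __name__ == "__main__":
    for alert in run_pipeline(RAW_LOGS):
        print(alert)
```

With these constructed logs the pipeline raises exactly one alert, for 203.0.113.7, with 20 failures and the firewall block attached; the single failure from 198.51.100.4 stays below the threshold.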

🔍 Another Example: Suspicious VPN Login

A user logs in from Chennai at 2 PM.
The same user logs in from the US at 2:05 PM.
→ Impossible travel
→ SIEM triggers an alert


🧠 SIEM Dashboard – How It Looks (Explained Simply)

A SIEM dashboard shows:

  • Number of alerts
  • Login failures
  • Top 10 attacking countries
  • Malware alerts
  • Firewall blocks
  • High-risk users

This helps the SOC analyst monitor attacks in real time.


🧰 Hands-On Activity for Day 4

If possible, show:

Splunk Free Version Demo:

  • Upload sample logs
  • Search using a basic query:
      index=_internal | head 20
  • Show charts & alerts

Or show a YouTube SIEM dashboard video to help students visualize.


📝 Day 4 Activity for Students

Ask students to write:

“List 5 benefits of SIEM in your own words.”


🏠 Day 4 Homework

Search:
“Top SIEM tools in the market”

Write:

  • Name of the tool
  • One feature of each

🎤 Trainer Script for Day 4

You can use this while explaining:

“SIEM is the heart of the SOC.
It collects logs, detects attacks, and alerts analysts.

Without SIEM, we cannot monitor thousands of devices.
Today you understood log collection, correlation, and alerting — the core of SOC work.”

