Log Analysis with SIEM Writeup
- Learn how SIEM solutions can be used to detect and analyse malicious activity.
Introduction
Any modern SOC analyst must be able to effectively use a SIEM to analyse and correlate
logs while quickly identifying malicious activity and compromised assets. Equally important is
understanding the different data sources behind the logs and how each one helps you see
the full picture.
Learning Objectives
● Discover various data sources that are ingested into a SIEM.
● Understand the importance of data correlation.
● Learn the value of Windows, Linux, Web, and Network logs during an investigation.
● Practice analysing malicious behaviour.
Lab Access
Before proceeding, start the lab by clicking the Start Machine button below. You will then
have access to the Splunk Web Interface.
To access Splunk, please follow this link: [Link]
Please wait 4-5 minutes for the Splunk instance to launch. Use Splunk’s All Time range to search. The
indexes where logs are stored for each practical exercise are listed in each task.
Task 2 Benefits of SIEM for Analysts
SIEM solutions play a vital role in every Security Operations Centre, and any SOC analyst's
day-to-day life.
Let’s take a moment to understand why SIEM is so valuable and explore its key benefits for
analysis.
Centralisation
One of the first things that makes SIEM so helpful for a SOC is centralisation. Instead of
checking logs in different places, like network devices, cloud services, identity providers, and
more, a SIEM allows you to gather all that data in one place. This means an analyst doesn’t
have to switch between systems during an investigation. Everything is available in a single
solution, making their work much smoother and more efficient.
Let’s take an example.
We have two SOC Level 1 analysts: Ted and Emily. Ted works in a SOC with a SIEM
solution, but Emily doesn’t.
Both analysts receive similar alerts at the same time:
A suspicious spike in network activity.
A malicious command was detected on a host.
With a SIEM, Ted can investigate both alerts from a single platform. He has access to logs
from the IPS, endpoints, and other systems, all in one place, ready to be searched and
analysed. On the other hand, Emily has to log into each system separately, for example, the
IPS and EDR. She must collect and review data manually from each one.
While Ted quickly sees the bigger picture, Emily spends valuable time just gathering
information. This highlights how centralised visibility through SIEM enables faster and more
effective analysis.
Correlation
Another core strength of SIEM is correlation: the ability to link separate events and fit them
together, like the pieces of a puzzle, to form a complete picture. Let’s walk through a
scenario.
You receive an alert in your SIEM about internal network discovery activity. The only
information you have is the IP address of the host performing the scan. Nothing else. The
alert comes from your IDS logs.
That’s not much to go on, is it? To make sense of it, you need to enrich the data, find out
which device the IP belongs to, and who triggered the activity.
By correlating the IDS alert with Windows Event Logs or Sysmon, you can build context:
who performed this activity, from which host, and possibly which tool was used.
Piece by piece, the puzzle forms, helping you decide if the activity was malicious or just
noise.
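The correlation step described above, as an added example that is not part of the original writeup and not Splunk code: a small Python script joins an IDS scan alert (which carries only a source IP) with Sysmon Event ID 3 network-connection records on source IP, source port and a time window, recovering the host, the user and the process behind the scan. The IDS line follows a Suricata-style fast.log layout and the Sysmon records are flattened to key=value pairs; both layouts and every log line are constructed for this example, and both clocks are assumed to be UTC. The same join is what you would express as a search across the IDS and Sysmon indexes in the SIEM.

```python
"""Enrich an IDS alert with Sysmon network-connection context.

Added example, not part of the original writeup or of Splunk. All log lines
are constructed; the field layouts are assumptions for illustration only.
"""
import re
from datetime import datetime

# Constructed IDS alert in a Suricata-style fast.log layout (assumed format).
IDS_ALERTS = [
    "05/12/2025-10:42:17.004512  [**] [1:2100000:1] ET SCAN Internal network port scan "
    "[**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "10.10.20.15:51234 -> 10.10.20.0/24:445",
]

# Constructed Sysmon Event ID 3 (network connection) records, flattened to key=value.
SYSMON_EVENTS = [
    'EventID=3 UtcTime="2025-05-12 10:42:16.881" Computer=WS-FIN-07 User=CORP\\jdoe '
    'Image="C:\\Tools\\nmap\\nmap.exe" SourceIp=10.10.20.15 SourcePort=51234 '
    'DestinationIp=10.10.20.33 DestinationPort=445',
    'EventID=3 UtcTime="2025-05-12 09:05:02.110" Computer=WS-HR-02 User=CORP\\asmith '
    'Image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" SourceIp=10.10.20.41 '
    'SourcePort=49822 DestinationIp=142.250.74.14 DestinationPort=443',
]

IDS_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[[\d:]+\]\s+(?P<sig>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)
# key=value where the value is either quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_ids_alert(line):
    """Return the alert's fields plus a parsed UTC timestamp, or None if unparseable."""
    m = IDS_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["_time"] = datetime.strptime(d["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    return d


def parse_sysmon(line):
    """Return the Sysmon record as a dict plus a parsed UTC timestamp."""
    d = {k: (q if q else b) for k, q, b in KV_RE.findall(line)}
    d["_time"] = datetime.strptime(d["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    return d


def correlate(alerts, events, window_s=60):
    """Join each IDS alert to Sysmon EventID 3 records from the same source IP.

    A record is accepted if it lies within +/- window_s seconds of the alert;
    a matching source port is counted as stronger evidence than IP alone.
    """
    parsed_events = [parse_sysmon(e) for e in events]
    results = []
    for line in alerts:
        a = parse_ids_alert(line)
        if a is None:
            continue
        ctx = {"alert": a["sig"], "src_ip": a["src"], "host": None,
               "user": None, "image": None, "port_match": False, "evidence": 0}
        for e in parsed_events:
            if e.get("EventID") != "3" or e.get("SourceIp") != a["src"]:
                continue
            if abs((e["_time"] - a["_time"]).total_seconds()) > window_s:
                continue
            ctx["evidence"] += 1
            # Prefer the record whose source port matches the alert exactly.
            if e.get("SourcePort") == a["sport"] or ctx["host"] is None:
                ctx.update(host=e.get("Computer"), user=e.get("User"),
                           image=e.get("Image"),
                           port_match=e.get("SourcePort") == a["sport"])
        results.append(ctx)
    return results


if __name__ == "__main__":
    for ctx in correlate(IDS_ALERTS, SYSMON_EVENTS):
        print(f"{ctx['alert']}: {ctx['src_ip']} -> host={ctx['host']} "
              f"user={ctx['user']} image={ctx['image']} "
              f"(records={ctx['evidence']}, port_match={ctx['port_match']})")
```

With the constructed data the scan alert from 10.10.20.15 resolves to WS-FIN-07, user CORP\jdoe and an nmap.exe process, which is the context the scenario says the raw IDS alert lacks; the unrelated Firefox connection from another host is correctly left out of the join.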
Historical Events
SIEM also allows you to look at past events, not just current activity. This helps you spot
patterns or threats that may have started earlier but weren’t noticed at the time.