Day 1 of 5
⏱ ~60 minutes
SOC Operations in 5 Days — Day 1

SIEM Architecture & Log Management

A Security Operations Center (SOC) is the nerve center of enterprise defense. The SIEM (Security Information and Event Management) platform ingests logs from every system and correlates them to detect attacks. Today you learn how SIEMs work and how to set one up.

What Is a SIEM?

A SIEM collects logs from firewalls, servers, endpoints, network devices, and applications, normalizes them into a common schema, stores them for search, and runs correlation rules that generate alerts when attack patterns are detected. Commercial SIEMs: Splunk, Microsoft Sentinel, IBM QRadar, Exabeam. Open source: Elastic SIEM (ELK Stack), Wazuh, OSSIM. A Tier 1 analyst spends their day triaging SIEM alerts.

Log Sources and Collection

Critical log sources: Windows Event Logs (login events, privilege use, process creation), Linux syslog/auditd, firewall logs (allow/deny with IP:port), DNS query logs (detect C2 and data exfiltration), proxy/web gateway logs (URLs visited), and EDR telemetry (file, process, network activity). Collection agents (Beats, NXLog, Splunk UF) forward logs to the SIEM over encrypted channels.

Log Normalization and Parsing

Logs come in dozens of formats: syslog, CEF, LEEF, JSON, Windows XML Event. The SIEM must parse each format and map fields to a common schema. In Splunk this is done with field extractions. In the Elastic Stack, Logstash grok patterns and Filebeat modules handle parsing. Good normalization lets you write one detection rule that works across all log sources.

```bash
# Deploy Wazuh SIEM (Docker); the path is a placeholder for your checkout of the Wazuh docker repo
docker-compose -f /path/to/wazuh/docker-compose.yml up -d

# Or: Elastic Stack quick setup (lab only)
# Elasticsearch 8.x enables TLS and authentication by default. Disabling them keeps
# the lab simple; an exposed or production cluster keeps them on.
docker run -d --name elasticsearch -p 9200:9200 \
  -e 'discovery.type=single-node' \
  -e 'xpack.security.enabled=false' elasticsearch:8.12.0

# --link is legacy but still works on the default bridge network; Kibana's default
# ELASTICSEARCH_HOSTS (http://elasticsearch:9200) resolves through it.
docker run -d --name kibana -p 5601:5601 \
  --link elasticsearch:elasticsearch kibana:8.12.0

# Filebeat: ship logs to Elasticsearch
cat > /etc/filebeat/filebeat.yml <<'EOF'
filebeat.inputs:
- type: log
  paths: ['/var/log/auth.log', '/var/log/syslog']
output.elasticsearch:
  hosts: ['localhost:9200']
EOF

filebeat setup --dashboards
systemctl start filebeat

# Query logs in Elasticsearch
# Note: a raw 'log' input only populates the 'message' field. ECS fields such as
# event.action / event.outcome are filled in by a parsing module (for auth.log:
# 'filebeat modules enable system'), so adjust the field and value to your schema.
curl -X GET 'localhost:9200/filebeat-*/_search' -H 'Content-Type: application/json' -d '
{"query": {"match": {"event.action": "failed-login"}}}'
```
💡 Log retention is a compliance requirement, not just a nice-to-have. NIST 800-53 recommends 1 year minimum. PCI-DSS requires 1 year with 3 months online. Size your SIEM storage accordingly before deployment.

📝 Day 1 Exercise

Stand Up an ELK SIEM

  1. Deploy Elasticsearch and Kibana using Docker on your lab machine
  2. Install Filebeat on a Linux VM and configure it to ship auth.log and syslog
  3. In Kibana, create an index pattern for filebeat-* and explore the data
  4. Build a simple dashboard showing failed SSH logins by source IP over time
  5. Create an alert that fires when more than 5 failed logins occur from one IP in 60 seconds
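As an added example (not part of the course material), the two halves of today's pipeline in Python: a two-stage parse that maps constructed auth.log lines to ECS-style field names, the way a Filebeat module or Logstash grok pattern normalizes them, followed by the step 5 correlation rule (more than 5 failed logins from one IP within 60 seconds) as a sliding window over the normalized events. The sample log lines, regexes, field names and threshold defaults are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines (syslog format); not real data.
SAMPLE_AUTH_LOG = """\
Mar  4 10:15:01 host1 sshd[2041]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  4 10:15:09 host1 sshd[2042]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  4 10:15:14 host1 sshd[2043]: Failed password for root from 203.0.113.7 port 51241 ssh2
Mar  4 10:15:20 host1 sshd[2044]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar  4 10:15:31 host1 sshd[2045]: Failed password for root from 203.0.113.7 port 51243 ssh2
Mar  4 10:15:45 host1 sshd[2046]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar  4 10:16:02 host1 sshd[2047]: Accepted publickey for alice from 198.51.100.5 port 40000 ssh2
Mar  4 10:20:00 host1 sshd[2050]: Failed password for bob from 198.51.100.9 port 40010 ssh2
"""
# Two-stage parse (grok-style): the syslog envelope first, then the sshd message body.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\w+)\[\d+\]: (?P<msg>.*)$")
SSHD_RE = re.compile(r"^(?P<res>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")

def normalize(line, year=2024):
    """Map one raw syslog line to ECS-style field names; None if it is not an sshd auth event."""
    m = SYSLOG_RE.match(line)
    s = SSHD_RE.match(m["msg"]) if m and m["proc"] == "sshd" else None
    if not s:
        return None
    return {"@timestamp": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "host.name": m["host"], "event.category": "authentication",
            "event.outcome": "failure" if s["res"].startswith("Failed") else "success",
            "user.name": s["user"], "source.ip": s["ip"], "source.port": int(s["port"])}

def detect_bruteforce(events, threshold=5, window_s=60):
    """Correlation rule: alert once per source.ip when failed logins exceed threshold within window_s."""
    recent, alerts = defaultdict(deque), {}
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev["event.outcome"] != "failure":
            continue
        q = recent[ev["source.ip"]]
        q.append(ev["@timestamp"])
        while (q[-1] - q[0]).total_seconds() > window_s:  # drop failures that fell out of the window
            q.popleft()
        if len(q) > threshold and ev["source.ip"] not in alerts:
            alerts[ev["source.ip"]] = {"count": len(q), "window_end": q[-1]}
    return alerts

def run(raw=SAMPLE_AUTH_LOG):
    """Parse every line, drop non-auth noise, run the rule; returns (events, alerts)."""
    events = [e for e in map(normalize, raw.splitlines()) if e]
    return events, detect_bruteforce(events)
```

On the sample data, 203.0.113.7 produces six failures in 44 seconds and trips the rule, while bob's single failure from 198.51.100.9 does not; the same rule expressed in Kibana is a count aggregation on source.ip over a 60-second window.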

Day 1 Summary

  • SIEM ingests, normalizes, and correlates logs from all security-relevant systems
  • Critical log sources: Windows Events, Linux auditd, firewall, DNS, proxy, EDR
  • Beats and Logstash collect and parse logs before ingestion
  • Log normalization maps diverse formats to a common schema for unified searching
  • Retention requirements: minimum 1 year for most compliance frameworks

Challenge

Configure Filebeat to collect logs from 5 different sources on your lab network. Build a Kibana dashboard showing top talkers, failed authentications, and suspicious DNS queries. Screenshot your dashboard.
