SIEM and Analyst Relationship

What is SIEM?

SIEM stands for Security Information and Event Management. It's a type of security solution that works by collecting and logging the events happening across an IT environment in real time. The main goal of this event logging is to detect security threats.

SIEM products offer many features, but for SOC (Security Operations Center) analysts, the most important ones are those that collect and filter data, and then create alerts for any suspicious events they find.

Example of a SIEM Alert:

Imagine a situation on a Windows computer where someone tries to enter an incorrect password 20 times within just 10 seconds. This is considered suspicious behavior because it's unlikely that a person who simply forgot their password would make so many attempts in such a short timeframe. To catch this, a specific rule or filter is created in the SIEM to detect when such activity goes over a set threshold. When this rule is triggered by such an event, the SIEM generates an alert.
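The threshold rule described above, written out as an added example (not code from the original page or from any SIEM product): a sliding-window correlation over failed-logon events that raises one alert per host and account once 20 failures land inside 10 seconds. The Windows event ID 4625 (failed logon) is real; the hostnames, accounts, IP addresses and timestamps are constructed sample data.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Threshold rule from the text: 20 failed logons within 10 seconds.
THRESHOLD = 20
WINDOW = timedelta(seconds=10)

@dataclass
class LogonEvent:
    timestamp: datetime
    hostname: str      # Windows host that reported the event
    target_user: str   # account whose password was rejected
    source_ip: str
    event_id: int      # 4625 = "An account failed to log on"

def detect_failed_logon_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window rule: emit one alert per (host, user) each time
    `threshold` failed logons are observed inside `window`."""
    alerts = []
    recent = defaultdict(deque)   # (hostname, target_user) -> timestamps in window
    for ev in sorted(events, key=lambda e: e.timestamp):
        if ev.event_id != 4625:   # only failed logons feed this rule
            continue
        q = recent[(ev.hostname, ev.target_user)]
        q.append(ev.timestamp)
        while q and ev.timestamp - q[0] > window:   # expire old failures
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "rule": "Excessive failed logons",
                "hostname": ev.hostname,
                "target_user": ev.target_user,
                "source_ip": ev.source_ip,
                "count": len(q),
                "first_seen": q[0],
                "last_seen": ev.timestamp,
            })
            q.clear()   # reset so the same burst is not alerted twice
    return alerts

def sample_events():
    """Constructed sample data, not real logs: a 20-attempt burst against
    'alice' on WS01, plus slow, benign-looking failures against 'bob'."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    burst = [LogonEvent(t0 + timedelta(milliseconds=400 * i), "WS01", "alice", "10.0.0.23", 4625) for i in range(20)]
    slow = [LogonEvent(t0 + timedelta(minutes=3 * i), "WS01", "bob", "10.0.0.5", 4625) for i in range(5)]
    success = [LogonEvent(t0 + timedelta(seconds=30), "WS01", "bob", "10.0.0.5", 4624)]
    return burst + slow + success
```

Running `detect_failed_logon_bursts(sample_events())` yields a single alert for `alice` with a count of 20; the five slow failures against `bob` never fill the window, so they produce nothing.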

Some well-known SIEM solutions include IBM QRadar, ArcSight ESM, FortiSIEM, and Splunk. You can see an example of a SIEM interface by looking at the "Monitoring" page on a platform like LetsDefend.

Relationship Between a SOC Analyst and SIEM

Even though SIEM solutions have a broad range of capabilities, SOC analysts primarily focus on tracking and analyzing the alerts generated by the SIEM. The tasks of developing SIEM configurations and creating the correlation rules that define what triggers an alert are usually handled by other specialized teams or individuals.

As mentioned, alerts are produced when data passes through these predefined filters or rules. Once an alert is generated, it's the SOC analyst who first examines it. This is where the core responsibility of a SOC analyst begins in the security operations center. Their main task is to investigate each alert and determine if it represents a genuine security threat or if it's a false alarm (a false positive).

To understand this better, if you look at a "Monitoring" page in a SIEM (like in LetsDefend), you'll see a list of various alerts. A SOC analyst needs to dive into the details associated with each of these alerts. They do this by using other SOC tools and resources, such as Endpoint Detection and Response (EDR) systems, Log Management tools, and Threat Intelligence Feeds. Through this investigation, they make the final judgment on whether an alert indicates a real threat or not.

Alert Handling Process:

  • Newly created alerts often appear in a shared area, sometimes called a "Main Channel". In a real-world scenario, all team members can see this channel.

  • When an analyst decides to investigate a particular alert, they would typically "Take Ownership" of it. This action often moves the alert to an "Investigation Channel" or flags it so that other team members know who is working on which alert.

  • This process helps ensure that the team can efficiently review all incoming alerts without duplicating effort.

  • Clicking on an alert allows the analyst to see its details, which includes important information needed for the investigation, such as hostname, IP address, file hash information, and more.
