SIEM Architecture: Log Ingestion, Parsing, and Correlation
Understand how SIEM platforms (Splunk, Sentinel, QRadar) ingest and normalize logs from disparate sources and apply correlation rules to surface true positives.
What Is a SIEM?
A Security Information and Event Management (SIEM) platform aggregates log data from across an organization's infrastructure and analyzes it for signs of security incidents. SIEM combines two capabilities: Security Information Management (SIM) — storing and analyzing historical log data — and Security Event Management (SEM) — real-time monitoring and alerting. Together they give security teams visibility across the entire environment from a single interface.
Log Sources and Ingestion
A SIEM ingests logs from diverse sources: firewalls and IDS/IPS, operating systems (Windows Event Logs, Linux syslog), authentication systems (Active Directory, RADIUS, Okta), endpoints (EDR agents), cloud platforms (AWS CloudTrail, Azure Activity Log), applications (web servers, databases), and network devices (switches, routers, VPN gateways). The breadth of ingestion determines the SIEM's detection coverage.
# Common SIEM log sources:
# Firewalls: connection allow/deny with src/dst IP and port
# Windows hosts / AD domain controllers: logon success/failure (Security Event ID 4624/4625)
# Endpoints (EDR): process creation, file modification, network connections
# Web servers: HTTP requests, status codes, user agents
# DNS servers: query logs showing domain resolutions per host
# VPN gateway: user connect/disconnect with source IP
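As an added example (not code from the original lesson), the following Python script walks through the three stages named in the title: it parses constructed sshd syslog lines, Windows Security log events and AWS CloudTrail ConsoleLogin records into one normalized schema, then runs a cross-source correlation rule that fires when a logon success follows three or more failures for the same user and source IP within five minutes. The sample log lines, the year assumed for the syslog timestamps, and the flattened field names of the Windows records are constructed for the example.

```python
"""Added example (not from the original lesson): ingest three constructed log
formats, normalize them into one schema, and run a single correlation rule.
All log lines and the flattened Windows field names are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample input: sshd lines in standard syslog layout, Windows records
# as an agent might forward them from the Security log, and CloudTrail records
# using the ConsoleLogin field names.
SYSLOG_LINES = [
    "Jan 10 09:00:01 web01 sshd[2210]: Failed password for alice from 203.0.113.7 port 50122 ssh2",
    "Jan 10 09:00:03 web01 sshd[2210]: Failed password for alice from 203.0.113.7 port 50123 ssh2",
    "Jan 10 09:00:05 web01 sshd[2210]: Failed password for alice from 203.0.113.7 port 50124 ssh2",
    "Jan 10 09:00:07 web01 sshd[2211]: Accepted password for alice from 203.0.113.7 port 50125 ssh2",
]
WINDOWS_EVENTS = [
    {"TimeCreated": "2024-01-10T09:01:00Z", "EventID": 4625, "Computer": "dc01",
     "TargetUserName": "bob", "IpAddress": "198.51.100.9"},
    {"TimeCreated": "2024-01-10T09:01:02Z", "EventID": 4624, "Computer": "dc01",
     "TargetUserName": "bob", "IpAddress": "198.51.100.9"},
    {"TimeCreated": "2024-01-10T09:01:02Z", "EventID": 4672, "Computer": "dc01",
     "TargetUserName": "bob"},  # privilege assignment, not a logon: parser skips it
]
CLOUDTRAIL_RECORDS = [
    {"eventTime": "2024-01-10T09:02:%02dZ" % s, "eventName": "ConsoleLogin",
     "sourceIPAddress": ip, "userIdentity": {"userName": "carol"},
     "responseElements": {"ConsoleLogin": r}}
    for s, ip, r in [(0, "192.0.2.5", "Failure"), (5, "192.0.2.5", "Failure"),
                     (9, "192.0.2.5", "Failure"), (40, "192.0.2.77", "Success")]
]

SYSLOG_YEAR = 2024  # assumption: classic syslog timestamps carry no year
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def _iso(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_sshd(line):
    """Linux sshd auth line -> normalized event, or None if it is not an auth result."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts.replace(tzinfo=timezone.utc), "source": "sshd", "host": m["host"],
            "user": m["user"], "src_ip": m["ip"],
            "outcome": "success" if m["result"] == "Accepted" else "failure"}

def parse_windows(ev):
    """Windows Security log: 4624 = logon success, 4625 = logon failure, else skip."""
    outcome = {4624: "success", 4625: "failure"}.get(ev.get("EventID"))
    if outcome is None:
        return None
    return {"ts": _iso(ev["TimeCreated"]), "source": "windows", "host": ev["Computer"],
            "user": ev["TargetUserName"], "src_ip": ev.get("IpAddress", "-"),
            "outcome": outcome}

def parse_cloudtrail(rec):
    """AWS CloudTrail ConsoleLogin record -> normalized event, else skip."""
    if rec.get("eventName") != "ConsoleLogin":
        return None
    return {"ts": _iso(rec["eventTime"]), "source": "cloudtrail", "host": "aws-console",
            "user": rec["userIdentity"]["userName"], "src_ip": rec["sourceIPAddress"],
            "outcome": rec["responseElements"]["ConsoleLogin"].lower()}

def normalize_all():
    """Ingest every source into one list of events sharing a common schema."""
    events = [parse_sshd(line) for line in SYSLOG_LINES]
    events += [parse_windows(e) for e in WINDOWS_EVENTS]
    events += [parse_cloudtrail(r) for r in CLOUDTRAIL_RECORDS]
    return [e for e in events if e is not None]

def correlate_bruteforce_success(events, threshold=3, window_s=300):
    """Alert when a logon success follows >= threshold failures for the same
    (user, src_ip) within window_s seconds, whichever source logged them."""
    failures = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["user"], e["src_ip"])
        if e["outcome"] == "failure":
            failures[key].append(e["ts"])
            continue
        # success: keep only failures inside the window, then test the threshold
        recent = [t for t in failures[key] if (e["ts"] - t).total_seconds() <= window_s]
        if len(recent) >= threshold:
            alerts.append({"rule": "bruteforce_then_success", "user": e["user"],
                           "src_ip": e["src_ip"], "host": e["host"],
                           "failures": len(recent), "at": e["ts"].isoformat()})
        failures[key] = []  # a success resets the counter for this key
    return alerts

if __name__ == "__main__":
    for alert in correlate_bruteforce_success(normalize_all()):
        print(alert)
```

Only alice's SSH session fires: bob has a single failure, and carol's three console failures come from 192.0.2.5 while her success comes from 192.0.2.77, so under a (user, src_ip) key they never meet. Keying on the user alone would flag carol instead (credential stuffing from one IP, login from a fresh one), at the cost of more noise from users who simply mistype a password at home and then log in at the office; which key you choose is a tuning decision the rule should document.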