Security Information and Event Management (SIEM)

What Is SIEM?

SIEM is a security solution that collects, analyzes, and manages logs and security data from across your IT environment. It helps detect and respond to threats in real time by:

  • Collecting logs from systems, applications, and network devices

  • Analyzing events to detect unusual behavior

  • Alerting security teams of suspicious activity

  • Supporting incident response with forensic data and timelines

It's a central tool in any modern Security Operations Center (SOC), acting as both a watchtower and command center for cyber defense.

How SIEM Works

  • Data Collection: Gathers logs from servers, firewalls, IDS/IPS, antivirus tools, and more

  • Normalization: Converts logs into a common format for analysis

  • Correlation & Detection: Looks for patterns and flags possible attacks

  • Alerting: Notifies analysts of high-risk activity via email, dashboards, etc.

  • Response: Helps teams investigate and respond to incidents quickly

SIEM Use Case Lifecycle

The lifecycle of developing a use case includes several key steps:

  • Requirements: Define the purpose. What are you trying to detect? (e.g., brute-force login attempts).

  • Data Points: Identify sources generating relevant logs—servers, endpoints, VPNs, applications.

  • Log Validation: Ensure logs contain essential fields like timestamp, user, source/destination IP, etc.

  • Design & Implementation: Build the rule using conditions (e.g., 10 logins in 4 minutes), and set aggregation logic and alert priority.

  • Documentation: Develop an SOP with steps for handling alerts, escalation paths, and response protocols.

  • Onboarding: Test the rule in a staging environment. Reduce false positives before going live.

  • Fine-Tuning: Regularly update based on analyst feedback. Whitelist known safe activities to reduce noise.

To build effective use cases, align them with:

  • MITRE ATT&CK techniques or the Cyber Kill Chain

  • TTD (Time to Detect) and TTR (Time to Respond)

  • Defined SOPs and Incident Response Plans (IRPs)

  • SLAs and OLAs for cross-team coordination

Real-World Examples

Example 1: MSBuild Started by Office Application (High Severity)

  • Risk: Attackers may abuse MSBuild (Microsoft Build Engine) to run malicious code through Office apps (e.g., Word, Excel).

  • Detection Logic: Alert when MSBuild is launched by a parent process like Word.exe.

  • Mapped MITRE Techniques:

    • Tactic: Defense Evasion (TA0005) & Execution (TA0002)

    • Technique: Trusted Developer Utilities Proxy Execution (T1127) → Sub-technique: MSBuild (T1127.001)

  • Severity: HIGH (LOLBins threat)

  • SOP Actions:

    • Analyze process.name, parent.process.name, event logs, user behavior, AV logs.

    • Engage with the user to validate behavior and collect endpoint evidence.

  • Fine-Tuning Tip: Whitelist legitimate developer tool usage to avoid false positives.

Example 2: MSBuild Making Network Connections (Medium Severity)

  • Risk: MSBuild establishes an outbound connection, potentially to a malicious IP.

  • Detection Logic: Alert on outbound traffic with MsBuild.exe as the source process.

  • Mapped MITRE Techniques:

    • Tactic: Execution (TA0002)

  • Severity: MEDIUM (due to possible false positives like legitimate updates).

  • SOP Actions:

    • Focus on event.action, destination IP reputation, and associated logs.

    • Determine if the activity is suspicious or business-related.
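As an added illustration (not code from the original page), the following Python snippet turns the two MSBuild use cases above into detection logic run over constructed, already-normalized events, including the fine-tuning allowlist the lifecycle section calls for; the field names (process.parent.name, event.action, network.direction, host.name), the Office process names and the allowlisted host are assumptions.

```python
import json
from typing import Optional

# Office parents that should not normally spawn MSBuild (assumed process names).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Fine-tuning allowlist built from analyst feedback: hosts where developers
# legitimately drive MSBuild from Office (constructed placeholder value).
ALLOWLISTED_HOSTS = {"dev-build-01"}


def evaluate(event: dict) -> Optional[dict]:
    """Apply both MSBuild use cases to one normalized event; return an alert or None."""
    proc = event.get("process", {})
    if proc.get("name", "").lower() != "msbuild.exe":
        return None
    host = event.get("host", {}).get("name", "")
    if host in ALLOWLISTED_HOSTS:
        return None  # known-good developer activity, suppressed to reduce noise
    action = event.get("event", {}).get("action", "")
    parent = proc.get("parent", {}).get("name", "").lower()
    if action == "process_start" and parent in OFFICE_PARENTS:
        return {"rule": "MSBuild started by Office application", "severity": "HIGH",
                "mitre": "T1127.001", "host": host, "parent": parent}
    if action == "network_connection" and event.get("network", {}).get("direction") == "outbound":
        return {"rule": "MSBuild making network connections", "severity": "MEDIUM",
                "mitre": "TA0002", "host": host,
                "destination": event.get("destination", {}).get("ip", "")}
    return None


def run_rules(ndjson_lines: str) -> list:
    """Parse newline-delimited JSON events and collect the alerts they raise."""
    alerts = []
    for line in ndjson_lines.splitlines():
        if line.strip():
            alert = evaluate(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry): one hit per rule, one allowlisted, one benign.
SAMPLE_EVENTS = """
{"event":{"action":"process_start"},"host":{"name":"ws-042"},"process":{"name":"MSBuild.exe","parent":{"name":"WINWORD.EXE"}}}
{"event":{"action":"network_connection"},"host":{"name":"ws-042"},"process":{"name":"MSBuild.exe","parent":{"name":"WINWORD.EXE"}},"network":{"direction":"outbound"},"destination":{"ip":"203.0.113.10"}}
{"event":{"action":"process_start"},"host":{"name":"dev-build-01"},"process":{"name":"MSBuild.exe","parent":{"name":"EXCEL.EXE"}}}
{"event":{"action":"process_start"},"host":{"name":"ws-077"},"process":{"name":"MSBuild.exe","parent":{"name":"devenv.exe"}}}
"""

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(a["severity"], a["rule"], a["host"])
```

Running it raises a HIGH alert for the Word-spawned MSBuild and a MEDIUM alert for its outbound connection, while the allowlisted host and the Visual Studio-spawned build produce nothing.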
