What is SIEM? (Security Information and Event Management) - Examples: Microsoft Sentinel, Splunk
SIEM is a centralized platform that collects, normalizes, correlates, and analyzes security logs/events from across an organization to provide:
- Real-time threat detection
- Incident investigation
- Compliance reporting
- Forensics and root-cause analysis
1. Log Sources
- Endpoints (Windows Event Logs, Sysmon, Linux auditd)
- Servers (application logs, database logs)
- Network devices (firewalls, switches, IDS/IPS)
- Cloud platforms (AWS CloudTrail, Azure Activity Logs, GCP Audit Logs)
- Security tools (EDR logs, vulnerability scanners, DLP, IAM)
- Applications (web apps, APIs, custom apps)
2. Methods of Log Ingestion

A. Agent-based ingestion
Logs are collected by lightweight agents installed on endpoints/servers. Examples:
- Splunk Universal Forwarder
- Sentinel Log Analytics Agent / Azure Monitor Agent (AMA)
- CrowdStrike Falcon agent (event streaming)
The agent reads the log, parses it, and sends it to the SIEM ingestion endpoint.

B. Agentless ingestion
The SIEM collects logs without installing any agent. Methods include:
- Syslog (UDP 514 / TCP 514 / TCP 6514 with TLS): most common for network/security devices
- API pull: cloud logs, SaaS logs
- Webhook / event subscriptions: O365, Okta, AWS EventBridge
- Windows Event Forwarding (WEF): native Windows log forwarding
- Database connectors: ODBC/JDBC to fetch logs
- File-based ingestion: CSV/JSON logs dropped to S3, Blob storage, or FTP

C. Cloud-native ingestion (modern SIEMs)
Cloud SIEMs ingest data through integrated, vendor-provided connectors.
3. Normalization & Parsing
Once logs reach the SIEM:
- Logs are parsed into fields (source.ip, destination.port, user.name, etc.)
- Logs are normalized into a common schema so that rules and searches work the same way across sources:
  - Splunk: CIM (Common Information Model)
  - Sentinel: ASIM (Advanced Security Information Model)
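The following is an added example, not code from the page or from Splunk/Sentinel, of what the syslog ingestion path and the parsing/normalization step above look like in practice: it takes RFC 3164-style syslog lines (constructed samples: a firewall DROP and an sshd authentication failure), splits off the syslog envelope, and maps device-specific text into the dotted common-schema fields named above. The regexes, field names and sample lines are assumptions for illustration; a real CIM/ASIM parser covers many more formats.

```python
"""Added example: parse RFC 3164-style syslog lines and normalize them into a
flat common schema with dotted field names (source.ip, destination.port,
user.name, ...). The patterns and sample lines are constructed for illustration."""
import re

# Constructed sample input: a firewall deny, an sshd failure, and a junk line
# that any ingestion pipeline must tolerate rather than crash on.
SAMPLE_LINES = [
    "<134>Mar 12 10:15:32 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=51234 DPT=22",
    "<38>Mar 12 10:15:40 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2",
    "this line is not syslog at all",
]

# <PRI>Mmm dd hh:mm:ss host app[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")
SSH_FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_syslog(line):
    """Split the syslog envelope; return None for lines that do not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,   # PRI = facility * 8 + severity
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "app": m.group("app"),
        "message": m.group("msg"),
    }


def normalize(raw):
    """Map a parsed envelope plus device-specific message text onto common fields."""
    event = {"host.name": raw["host"], "event.provider": raw["app"], "message": raw["message"]}
    if raw["app"] == "kernel" and "DROP" in raw["message"]:
        kv = dict(KV_RE.findall(raw["message"]))
        event.update({
            "event.category": "network",
            "event.action": "deny",
            "source.ip": kv.get("SRC"),
            "source.port": int(kv["SPT"]) if "SPT" in kv else None,
            "destination.ip": kv.get("DST"),
            "destination.port": int(kv["DPT"]) if "DPT" in kv else None,
            "network.transport": kv.get("PROTO", "").lower() or None,
        })
    elif raw["app"] == "sshd":
        m = SSH_FAIL_RE.search(raw["message"])
        if m:
            event.update({
                "event.category": "authentication",
                "event.outcome": "failure",
                "user.name": m.group("user"),
                "source.ip": m.group("ip"),
                "source.port": int(m.group("port")),
            })
    return event


def ingest(lines):
    """Return (normalized events, count of lines that failed to parse)."""
    events, dropped = [], 0
    for line in lines:
        raw = parse_syslog(line)
        if raw is None:
            dropped += 1       # keep a count: silent drops hide blind spots
            continue
        events.append(normalize(raw))
    return events, dropped


if __name__ == "__main__":
    evs, bad = ingest(SAMPLE_LINES)
    for ev in evs:
        print(ev)
    print("unparsed lines:", bad)
```

The point of the dotted schema is that a later correlation rule can say "source.ip" once and match both the firewall deny and the sshd failure, even though the raw lines carry the address in completely different syntax. Counting unparsed lines matters operationally: a parser that silently drops input is a detection blind spot.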
4. Log Enrichment
The SIEM enriches logs with:
- Threat intelligence feeds
- Geo-IP
- Asset metadata
- User identity info
- CMDB / EDR data
5. Correlation & Analytics
The SIEM applies rules such as:
- Use-case based correlation (multiple failed logins in a short window → suspicious)
- Behavior-based detection (UEBA)
- Machine-learning analytics
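As an added example covering both the enrichment step and the use-case correlation above (not code from the page or from any SIEM vendor): normalized authentication events are first enriched from a constructed threat-intel list and a constructed asset table, then a sliding-window rule fires when one source IP produces a threshold number of failed logins within a time window, raising the severity when that IP is on the intel list. The event set, lookups, threshold and window are all assumptions; in Splunk or Sentinel the same rule would be written in SPL or KQL.

```python
"""Added example: enrichment lookups followed by a sliding-window correlation
rule (N failed logins from one source.ip within a window). All data is constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed lookups standing in for a threat-intel feed and a CMDB.
THREAT_INTEL = {"203.0.113.7": "known brute-force source (constructed)"}
ASSETS = {"web01": {"owner": "web-team", "criticality": "high"}}


def enrich(event):
    """Return a copy of the event with TI and asset context attached."""
    enriched = dict(event)
    ip = event.get("source.ip")
    if ip in THREAT_INTEL:
        enriched["threat.indicator.description"] = THREAT_INTEL[ip]
    asset = ASSETS.get(event.get("host.name"))
    if asset:
        enriched["host.owner"] = asset["owner"]
        enriched["host.criticality"] = asset["criticality"]
    return enriched


def failed_login_burst(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window correlation keyed on source.ip; events must be time-ordered."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    alerted = set()               # alert once per IP, not once per extra failure
    alerts = []
    for ev in events:
        if ev.get("event.category") != "authentication" or ev.get("event.outcome") != "failure":
            continue
        ip, ts = ev["source.ip"], ev["@timestamp"]
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # expire timestamps older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "rule": "failed-login-burst",
                "source.ip": ip,
                "count": len(q),
                "severity": "high" if "threat.indicator.description" in ev else "medium",
                "host.name": ev.get("host.name"),
            })
    return alerts


def make_events():
    """Constructed normalized events: one real burst, one short run, one slow trickle."""
    base = datetime(2024, 3, 12, 10, 15, 0)
    events = []

    def fail(ip, offset_s, host="web01", user="admin"):
        events.append({"@timestamp": base + timedelta(seconds=offset_s),
                       "event.category": "authentication", "event.outcome": "failure",
                       "source.ip": ip, "host.name": host, "user.name": user})

    for i in range(6):          # 6 failures in 75 s: should alert
        fail("203.0.113.7", i * 15)
    for i in range(3):          # 3 failures: below threshold
        fail("198.51.100.9", 30 + i * 20)
    for i in range(5):          # 5 failures, one every 10 min: outside the window
        fail("192.0.2.4", i * 600)
    events.sort(key=lambda e: e["@timestamp"])
    return events


def run_pipeline(events=None, threshold=5, window=timedelta(minutes=5)):
    """Enrich then correlate; returns the list of alerts."""
    events = make_events() if events is None else events
    return failed_login_burst([enrich(e) for e in events], threshold, window)


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

Two details are worth noticing. The slow trickle from 192.0.2.4 never alerts because the window expires old failures; that is the intended behaviour for a burst rule, and a separate low-and-slow rule would be needed to catch it. The severity bump comes entirely from the enrichment step, which is why enrichment runs before correlation in the pipeline.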
6. Alerts, Dashboards & Incident Response
After correlation:
- Alerts reach the SOC or Incident Response team
- Dashboards show security posture
- Automated playbooks (SOAR) can respond (block IP, disable account, isolate device)
In interviews, say this in short: SIEM is a centralized platform that collects and correlates security logs from multiple sources for threat detection and incident response. Logs are ingested using agents, agentless methods like Syslog, API connectors, and cloud-native integrations. Once ingested, logs are parsed, normalized (CIM/UDM/ASIM), enriched with threat intel, and fed to correlation rules and analytics for alerts and dashboards.
