SIEM and SOAR

SIEM and SOAR are fundamental technologies for modern SOC operations, providing centralized visibility and incident response automation.

What is SIEM?

Security Information and Event Management (SIEM) collects, aggregates, and analyzes logs from multiple sources to identify threats and compliance violations.

Core Components

  • Log Collection: Aggregate logs from the entire infrastructure
  • Normalization: Standardize different formats
  • Correlation: Identify patterns across events
  • Alerting: Notify about critical events
  • Dashboards: Real-time security visualization
  • Reporting: Compliance and forensic analysis

SIEM Data Sources

  • Network: Firewalls, IDS/IPS, routers, switches
  • Endpoints: Workstations, servers, mobile devices
  • Applications: Web servers, databases, business apps
  • Security Tools: EDR, email security, DLP
  • Cloud: AWS CloudTrail, Azure AD logs, GCP logs
  • Identity: AD, LDAP, SSO platforms

Correlation Rules

Rules that identify suspicious patterns across multiple events.

Rule Examples

  • Multiple failed logins followed by a success
  • Logins from geographically impossible locations
  • Privilege escalation followed by lateral movement
  • Data exfiltration after hours
  • Unusual process execution patterns

Types of Correlation

  • Time-based: Events within a time window
  • Count-based: Event threshold
  • Pattern-based: Specific sequence of events
  • Statistical: Deviation from baseline

SIEM Use Cases

Threat Detection

  • Malware infections
  • Brute force attacks
  • Data exfiltration
  • Insider threats
  • Advanced persistent threats (APTs)

Compliance

  • PCI-DSS: Access logging and monitoring
  • HIPAA: Audit trails for PHI access
  • LGPD/GDPR: Logging of personal data access
  • SOX: Changes to financial systems

Forensics and Investigation

  • Timeline reconstruction
  • Root cause analysis
  • User activity analysis
  • Evidence preservation

Leading SIEM Solutions

Enterprise SIEM

  • Splunk: Market leader, powerful search
  • IBM QRadar: AI-powered analytics
  • Microsoft Sentinel: Cloud-native SIEM
  • LogRhythm: All-in-one SIEM and SOAR
  • Elastic Security: Open-source based

Cloud SIEM

  • Sumo Logic: Cloud-native analytics
  • Exabeam: Integrated UEBA
  • Rapid7 InsightIDR: Detection and response

What is SOAR?

Security Orchestration, Automation, and Response (SOAR) automates incident response processes and orchestrates security tools.

Core Capabilities

  • Orchestration: Integrate diverse tools
  • Automation: Run playbooks automatically
  • Case Management: Track investigations
  • Collaboration: Workflow across teams
  • Threat Intelligence: Automated enrichment

SOAR Playbooks

Predefined workflows that automate the response to types of incidents.

Example: Phishing Response Playbook

  1. Receive a phishing email alert
  2. Extract IOCs (URLs, IPs, hashes)
  3. Query threat intelligence feeds
  4. Check whether other users received it
  5. Block IOCs at the email gateway
  6. Quarantine similar emails
  7. Reset credentials for users who clicked
  8. Generate an incident response ticket
  9. Send an awareness email to users

Example: Malware Detection Playbook

  1. EDR detects malware
  2. Isolate the endpoint from the network
  3. Collect forensics data
  4. Submit the hash to VirusTotal
  5. Query the SIEM for other affected endpoints
  6. Block the hash in EDR policy
  7. Initiate endpoint reimaging
  8. Update the threat intelligence platform

Leading SOAR Platforms

  • Palo Alto Cortex XSOAR: Market leader
  • Splunk Phantom: Integrated with Splunk
  • IBM Resilient: Incident response focus
  • Swimlane: Low-code automation
  • Tines: No-code automation
  • Siemplify (Google): Security orchestration

Common Integrations

SOAR integrates with hundreds of tools via APIs:

  • SIEM: Splunk, QRadar, Sentinel
  • EDR: CrowdStrike, SentinelOne, Carbon Black
  • Firewalls: Palo Alto, Fortinet, Cisco
  • Threat Intel: VirusTotal, MISP, ThreatConnect
  • Ticketing: ServiceNow, Jira
  • Email: Office 365, Gmail, Proofpoint
  • Cloud: AWS, Azure, GCP

Benefits of SOAR

  • Speed: Automated response in seconds
  • Consistency: The same response every time
  • Efficiency: Frees analysts for complex work
  • Scalability: Handle more alerts without more people
  • Documentation: Automated audit trail
  • MTTR Reduction: Mean Time To Respond

SOC Operations

Tier Structure

  • Tier 1: Initial alert triage
  • Tier 2: Deep investigation
  • Tier 3: Threat hunting and advanced analysis
  • SOC Manager: Coordination and metrics

Typical Workflow

  1. Alert generated by SIEM/EDR/etc.
  2. Tier 1 validates whether it is a true positive
  3. If true, escalate to Tier 2
  4. Tier 2 investigates in depth
  5. If an incident is confirmed, activate the IR process
  6. Tier 3 performs threat hunting based on findings

SOC Metrics

  • MTTD: Mean Time To Detect
  • MTTA: Mean Time To Acknowledge
  • MTTC: Mean Time To Contain
  • MTTR: Mean Time To Resolve
  • Alert Volume: Per day/week
  • False Positive Rate: Percentage
  • Dwell Time: Time an attacker stays in the network

UEBA Integration

User and Entity Behavior Analytics (UEBA) uses machine learning to detect behavioral anomalies.

Use Cases

  • Insider threat detection
  • Compromised account identification
  • Privilege abuse
  • Lateral movement detection

Challenges

Alert Fatigue

  • Excessive alert volume
  • High false positive rate
  • Continuous tuning required

Skill Gap

  • Shortage of qualified analysts
  • Steep learning curve
  • Talent retention is difficult

Cost

  • Licensing based on data volume
  • Infrastructure costs
  • 24/7 operations staffing

Best Practices

  • Start with priority use cases
  • Continuous tuning of correlation rules
  • Automate repetitive responses with SOAR
  • Integrate threat intelligence
  • Document playbooks and procedures
  • Conduct tabletop exercises
  • Measure and optimize metrics
  • Invest in team training

SIEM and SOAR are pillars of the modern SOC. SIEM provides centralized visibility and threat detection, while SOAR automates response and orchestrates tools. Together, they enable scalable and efficient security operations. With a growing volume of alerts, automation via SOAR becomes not just desirable but necessary to maintain effective security.