Security Information and Event Management (SIEM) is the central nervous system of network security operations. It collects, normalises, correlates, and analyses log data from across the entire infrastructure to detect threats, support investigations, and meet compliance requirements.
Every device, application, and service on a network generates logs, and those logs are the evidence trail for security events. Without centralised logging, security teams are blind: logs scattered across hundreds of devices are operationally useless. The main sources and what each contributes:
| Source | Log Types | Security Value |
|---|---|---|
| Firewalls | Allowed/denied connections, rule hits | Perimeter visibility, policy violations |
| IDS/IPS | Alerts, blocked attacks, signatures triggered | Threat detection |
| VPN Concentrators | Connection events, authentication, disconnections | Remote access monitoring |
| DNS Servers | Query logs, resolution failures | Tunnelling detection, malicious domain queries |
| DHCP Servers | IP assignments, lease events | Device tracking and attribution |
| Switches/Routers | Interface status, ACL hits, routing changes | Network infrastructure health |
| Wireless Controllers | Client associations, rogue AP alerts | Wireless security |
| Proxy Servers | URL requests, blocked categories | Web filtering visibility |
| Endpoints (EDR) | Process execution, file changes, registry modifications | Endpoint threat detection |
| Authentication Systems | Login successes, failures, MFA events | Identity and access monitoring |
| Cloud Platforms | API calls, configuration changes, access events | Cloud security visibility |
A SIEM platform performs four core functions:
| Function | Description |
|---|---|
| Collection | Ingests logs from all sources via agents, syslog, APIs, or connectors |
| Normalisation | Converts diverse log formats into a common schema for analysis |
| Correlation | Connects related events across multiple sources to identify patterns |
| Alerting | Generates alerts when events match predefined rules or anomaly thresholds |
```text
Log Sources:
Firewalls ──┐
IDS/IPS ────┤
VPN ────────┤
DNS ────────┤──── Collector / Forwarder ──── SIEM Platform
Endpoints ──┤                                      │
Cloud ──────┘                                ┌─────┴─────┐
                                             │           │
                                        Dashboards     Alerts
                                        & Reports      & Cases
```
Correlation rules are the heart of SIEM detection. They combine multiple events to identify threats that individual logs cannot reveal.
| Rule | Logic | Detects |
|---|---|---|
| Brute force | 5+ failed logins from same IP in 5 minutes | Password guessing |
| Impossible travel | Same user logs in from two countries within 1 hour | Credential theft |
| Lateral movement | New admin login on a server never previously accessed | Post-exploitation |
| Data exfiltration | Outbound data transfer > 1 GB to unknown destination | Data theft |
| DNS tunnelling | High volume of DNS TXT queries to same domain | Covert channel |
| Privilege escalation | User added to admin group + immediate sensitive file access | Insider threat |
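As an added example, not part of the lesson, the following Python walks the four core functions listed above through the brute-force rule from the table: two constructed log formats (an OpenSSH-style "Failed password" line and a hypothetical vendor format) are normalised into one schema, then a sliding-window correlation rule raises an alert when five or more failures from one source IP fall within five minutes. The addresses and log lines are constructed test data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Normalisation: an OpenSSH-style "Failed password" line and a hypothetical vendor format, mapped onto one schema.
SSH_FAIL = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for "
                      r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
VENDOR_FAIL = re.compile(r"^(?P<ts>\S+) AUTH result=FAIL user=(?P<user>\S+) src=(?P<ip>\S+)")

def normalise(line):
    """Return a common-schema event for a failed login, or None if the line is unparsed."""
    for pattern in (SSH_FAIL, VENDOR_FAIL):
        m = pattern.match(line)
        if m:
            return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                    "src_ip": m["ip"], "outcome": "failure"}
    return None

def brute_force_alerts(events, threshold=5, window=timedelta(minutes=5)):
    """Correlation rule from the table: threshold+ failures from one IP inside a sliding window (events sorted by time)."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ev in events:
        q = recent[ev["src_ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ev["src_ip"] not in alerted:
            alerted.add(ev["src_ip"])     # one alert per source, not one per event
            alerts.append({"rule": "brute_force", "src_ip": ev["src_ip"],
                           "count": len(q), "first": q[0], "last": ev["ts"]})
    return alerts

def run(raw_lines):
    # Collection -> normalisation -> correlation, in the order the lesson lists them.
    events = sorted((e for e in map(normalise, raw_lines) if e), key=lambda e: e["ts"])
    return brute_force_alerts(events)

# Constructed sample logs (RFC 5737 test addresses). 203.0.113.5 fails five
# times in 2.5 minutes; 198.51.100.7 fails three times spread over 6.5 minutes.
RAW_LOGS = [
    "2024-05-01T10:00:00 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "2024-05-01T10:00:05 AUTH result=FAIL user=admin src=198.51.100.7",
    "2024-05-01T10:00:20 sshd[1201]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2",
    "2024-05-01T10:00:40 AUTH result=FAIL user=admin src=203.0.113.5",
    "2024-05-01T10:01:10 sshd[1201]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2",
    "2024-05-01T10:02:00 AUTH result=FAIL user=root src=203.0.113.5",
    "2024-05-01T10:02:30 sshd[1201]: Failed password for root from 203.0.113.5 port 51250 ssh2",
    "2024-05-01T10:03:00 sshd[1201]: Failed password for root from 198.51.100.7 port 42000 ssh2",
    "2024-05-01T10:06:30 AUTH result=FAIL user=root src=198.51.100.7",
]
```

Calling `run(RAW_LOGS)` returns a single alert for 203.0.113.5 with a count of 5; the successful publickey login is dropped at normalisation and the slower source never reaches the threshold inside any five-minute window.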