SIEM and SOC

SIEM (Security Information and Event Management) is a category of platforms that aggregate logs from across an organization's IT infrastructure, normalize them, correlate events across sources, and produce alerts when patterns of concern emerge. SOC (Security Operations Center) is the team that responds to those alerts.

What the SIEM does

• Log collection. Ingest logs from firewalls, endpoints, servers, applications, cloud services, identity providers, network devices — anything that can produce logs.
• Normalization. Convert diverse log formats into a common schema so cross-source correlation is possible.
• Storage. Long-term retention (typically 90 days hot, 1+ years cold) for compliance and investigation.
• Correlation. Apply rules and analytics to spot patterns across multiple sources (failed-login from User A in country X, followed by successful login from country Y, followed by data exfiltration spike).
• Alerting. Generate alerts when correlation rules fire.
• Investigation interface. Tools for analysts to dig into specific incidents, pivoting across event streams.
• Reporting. Dashboards for executives, audit reports for regulators.

Major SIEM products

• Splunk — the market leader. Powerful query language (SPL), broad data-source coverage. Expensive at scale.
• Microsoft Sentinel — cloud-native (Azure), good integration with Microsoft 365 telemetry.
• Elastic SIEM (formerly Elastic Security) — built on the Elastic Stack, popular for teams already running it.
• Google Chronicle / SecOps — Google's offering, strong on threat intelligence integration.
• IBM QRadar — long-established, integrated with IBM's broader security stack.
• LogRhythm, Securonix, Exabeam — second-tier offerings with various differentiators.
• Wazuh — open-source SIEM, popular for budget-constrained organizations.

SOC team structure

A typical large-organization SOC has tiered analysts:

• Tier 1. Triage. Initial alert review, decide if it's worth escalating. High volume, lots of false positives.
• Tier 2. Investigation. Deep-dive into alerts that Tier 1 escalates. Correlate across sources, determine if there's a real incident.
• Tier 3. Incident response and threat hunting. Active investigation, coordination with other teams, proactive search for hidden threats.
• SOC manager. Oversees the team, coordinates with broader IT and management.
• Engineers. Maintain the SIEM, write detection rules, tune signatures.

Smaller organizations collapse this into one or two roles, often supplemented by a managed-detection-and-response (MDR) provider.

The alert fatigue problem

SIEMs generate large alert volumes. Typical large-organization SIEMs produce thousands of alerts per day; most are false positives or low-severity. The Tier-1 analyst's job becomes filtering noise rather than catching real threats.

Modern SIEMs and adjacent products address this:

• Better correlation reducing noise via context
• Machine learning to score alert priority
• SOAR (Security Orchestration, Automation, and Response) platforms that automate Tier-1 work
• UEBA (User and Entity Behavior Analytics) that detects anomalies vs. raw rules
• XDR (Extended Detection and Response) that integrates SIEM, EDR, NDR for cross-domain correlation

SOC vs MDR vs MSSP

• SOC — internal team running internal SIEM. Maximum control, maximum cost. Large enterprises.
• MSSP (Managed Security Service Provider) — outsourced security operations. Provides monitoring and basic response. Cost-effective for mid-size organizations.
• MDR (Managed Detection and Response) — more sophisticated MSSP that does active threat hunting and incident response. Higher cost than MSSP, lower than internal SOC.

The right choice depends on organization size, risk profile, regulatory requirements, and budget. Most organizations under 500 people use MSSP or MDR rather than building internal SOCs.

What gets monitored

Standard SIEM data sources:

• Windows Event Logs / Linux syslog from every server and workstation
• Firewall logs (Palo Alto, Fortinet, Cisco)
• VPN logs
• Identity provider logs (Okta, Microsoft Entra)
• Cloud audit logs (AWS CloudTrail, Azure Activity Logs, GCP Audit Logs)
• Email security logs
• EDR alerts
• Web proxy logs
• Application logs (depending on what apps are critical)

The data volume gets large fast. A mid-size enterprise generates 100GB+/day of log data; large enterprises generate TBs/day. SIEM pricing often relates to ingestion volume; this creates real engineering tension between collecting everything and managing cost.

For individuals

SIEMs and SOCs are enterprise-scale tools. The conceptual equivalent for individuals: pay attention to security notifications from your email provider, your bank, your cloud accounts. The major consumer providers have built-in light versions of what SIEMs do for enterprises — they alert you on suspicious activity. Treat those alerts as you'd want a SOC analyst to treat real alerts: investigate rather than dismiss.