Module 4 of 6 — SOC Analyst Path
Module 04

SIEM & Log Analysis

โฑ 15 min read ยท 1 quiz question

The SIEM is the nerve center of a SOC. If you work as a SOC analyst, you'll spend more time in the SIEM than in any other tool. This module explains what a SIEM is, how logs work, and how to start making sense of what you see.

What is a SIEM?

SIEM stands for Security Information and Event Management. It's a platform that collects log data from every system in an organization — servers, firewalls, workstations, cloud services, applications — aggregates it into one place, and automatically analyzes it for suspicious patterns.

Think of it like air traffic control. Hundreds of planes are in the air at once, each sending data about its position, speed, and status. Air traffic controllers watch a single screen that aggregates all of that information and alerts them when something is wrong. A SIEM does the same for network and system activity.

The most common SIEMs you'll encounter:

  • Splunk — The most widely used enterprise SIEM. Powerful query language, steep learning curve.
  • Microsoft Sentinel — Cloud-native SIEM for Azure environments. Growing rapidly.
  • IBM QRadar — Common in large enterprises and government.
  • Elastic SIEM — Open-source option, popular for home labs and smaller orgs.

What are logs?

A log is a timestamped record of an event. Every time something happens on a computer — a user logs in, a file is accessed, a network connection is made — the operating system or application records it in a log file.

Logs are the raw material of a SOC. They tell you exactly what happened, when, and on which system. Without logs, you're blind.

Common log sources in a SOC

  • Windows Event Logs — Record logins, logouts, privilege use, process creation, and more on Windows machines.
  • Firewall logs — Record every connection allowed or blocked at the network perimeter.
  • DNS logs — Every domain name lookup made on the network. A goldmine for detecting command-and-control (C2) traffic.
  • Web proxy logs — Record every URL visited by users. Help detect malware downloading files or data being exfiltrated.
  • Authentication logs — Login attempts, successes, and failures across all systems.
  • EDR telemetry — Process creation, file writes, and network connections reported by endpoint security tools.

Reading a log entry

Log entries look intimidating at first. Let's break one down. Here's a simplified Windows login log entry:

2026-06-15 08:43:21   EventID=4624   Account=jsmith   Domain=CORP   LogonType=2   SourceIP=192.168.1.45   Workstation=DESKTOP-7X2K

Breaking it down:

  • Timestamp — When it happened: June 15, 2026 at 8:43 AM
  • Event ID — 4624 is the Windows code for "successful login"
  • Account — The user account that logged in: jsmith
  • Logon Type — Type 2 means interactive (someone sitting at the keyboard). Type 3 means a network logon. Type 10 means a remote interactive logon (RDP).
  • Source IP — Where the login came from

Red flag example: If you see EventID 4624 (successful login) for a user at 3am from a foreign IP address, that's suspicious. Real users rarely log in from overseas in the middle of the night.
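Added example (not part of the module): a small Python parser for the simplified key=value entry shown above, with the off-hours and external-IP checks from the red flag example applied to each successful login. The working-hours window, the internal address ranges and the two sample entries are constructed assumptions.

```python
from datetime import datetime
import ipaddress

# Constructed sample entries in the module's simplified key=value layout.
SAMPLE_LOGS = [
    "2026-06-15 08:43:21   EventID=4624   Account=jsmith   Domain=CORP   LogonType=2   SourceIP=192.168.1.45   Workstation=DESKTOP-7X2K",
    "2026-06-16 03:12:07   EventID=4624   Account=jsmith   Domain=CORP   LogonType=10   SourceIP=203.0.113.77   Workstation=DESKTOP-7X2K",
]

# Assumed internal address space; 203.0.113.0/24 is a documentation range used here as an "external" source.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]
WORK_HOURS = (7, 19)  # assumed 07:00-19:00 local time
LOGON_TYPES = {"2": "interactive", "3": "network", "10": "remote interactive"}


def parse_entry(line):
    """Split 'YYYY-MM-DD HH:MM:SS  key=value  key=value ...' into a dict."""
    parts = line.split()
    fields = {"timestamp": datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")}
    for token in parts[2:]:
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def red_flags(entry):
    """Triage heuristics for one successful logon (assumed, not a standard)."""
    flags = []
    if not WORK_HOURS[0] <= entry["timestamp"].hour < WORK_HOURS[1]:
        flags.append("off-hours")
    src = ipaddress.ip_address(entry["SourceIP"])
    if not any(src in net for net in INTERNAL_NETS):
        flags.append("external source IP")
    if entry.get("LogonType") == "10":
        flags.append("remote interactive logon")
    return flags


def triage(lines):
    """Return (account, logon type name, flags) for each 4624 entry."""
    results = []
    for line in lines:
        entry = parse_entry(line)
        if entry.get("EventID") != "4624":
            continue  # this check only looks at successful logins
        results.append((entry["Account"], LOGON_TYPES.get(entry.get("LogonType"), "other"), red_flags(entry)))
    return results
```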

Key Windows Event IDs to know

Event ID   What it means                      Why it matters
4624       Successful login                   Track who's logging in and from where
4625       Failed login                       Many failures = brute force attempt
4648       Login with explicit credentials    Can indicate lateral movement
4720       User account created               Attackers create accounts for persistence
4732       User added to admin group          Privilege escalation red flag
4688       Process created                    Detect malware execution and suspicious tools

How SIEM alerts work

A SIEM doesn't just store logs — it runs rules against them in real time. A rule might say: "If the same user fails to log in more than 10 times in 5 minutes, create an alert." When that condition is met, the SIEM creates an alert in your queue.

As a tier 1 analyst, you'll spend most of your day working through these alerts. For each one:

  • Read the alert description — what triggered it?
  • Look at the raw log data behind the alert
  • Pivot to related logs — same user, same IP, same time window
  • Decide: false positive, or real threat?
  • Document your finding and close or escalate

Practice tip: Splunk has a free version called Splunk Free (up to 500MB/day of data). You can run it on your laptop with sample security data and practice writing queries. TryHackMe also has guided Splunk rooms if you want structured practice.

A simple SIEM query (Splunk SPL)

Most SIEMs have their own query language. Here's a simple Splunk query to find failed logins:

index=windows EventCode=4625
| stats count by Account_Name, Source_Network_Address
| where count > 10
| sort -count

In plain English: "Find all failed logins (EventCode 4625) from Windows logs, count them by username and source IP, show only accounts with more than 10 failures, and sort by most failures first." This is a basic brute force detection query.
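Added example (not the module's or Splunk's code): the "more than 10 failures in 5 minutes" rule from the alerts section and the SPL query above, expressed in Python over constructed EventCode 4625 events. It shows both the plain count-by-account-and-IP grouping that the SPL query performs and a 5-minute sliding-window version of the rule; the sample accounts, IPs and timestamps are made up.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_events():
    """Constructed EventCode=4625 events as (timestamp, account, source_ip)."""
    base = datetime(2026, 6, 15, 8, 0, 0)
    events = []
    # 12 failures for 'admin' from one source within 90 seconds: a burst
    for i in range(12):
        events.append((base + timedelta(seconds=8 * i), "admin", "203.0.113.77"))
    # 12 failures for 'jsmith' spread over an hour: never 11 inside 5 minutes
    for i in range(12):
        events.append((base + timedelta(minutes=5 * i), "jsmith", "192.168.1.45"))
    return sorted(events)


def count_failures(events):
    """Same grouping as '| stats count by Account_Name, Source_Network_Address'."""
    counts = defaultdict(int)
    for _, account, src in events:
        counts[(account, src)] += 1
    return dict(counts)


def over_threshold(counts, threshold=10):
    """Same filter and ordering as '| where count > 10 | sort -count'."""
    hits = [(key, n) for key, n in counts.items() if n > threshold]
    return sorted(hits, key=lambda kv: -kv[1])


def windowed_alerts(events, threshold=10, window=timedelta(minutes=5)):
    """Fire one alert per (account, source_ip) the first time more than
    `threshold` failures fall inside any `window`-long span."""
    recent = defaultdict(deque)
    fired = set()
    alerts = []
    for ts, account, src in events:  # events must be in time order
        key = (account, src)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) > threshold and key not in fired:
            fired.add(key)
            alerts.append({"account": account, "source_ip": src,
                           "failures": len(q), "first": q[0], "last": ts})
    return alerts
```

Over a one-hour search range the count-based query flags both accounts (12 failures each), while the sliding-window rule only fires for the burst; the SPL query's sensitivity therefore depends on the time range you run it over.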

Key Terms
SIEM
Security Information and Event Management. A platform that collects, aggregates, and analyzes log data from across an organization to detect threats.
Log
A timestamped record of an event on a system — a login, a file access, a network connection. The raw material of security investigations.
Event ID
A numeric code in Windows logs that identifies what type of event occurred. Event ID 4624 = successful login, 4625 = failed login.
Alert
A notification generated by a SIEM rule when suspicious activity is detected. The primary thing a tier 1 analyst investigates.
Pivot
During an investigation, pivoting means searching related logs — same user, same IP, same timeframe — to build a fuller picture of what happened.
SPL
Search Processing Language. Splunk's query language, used to search, filter, and analyze log data.

✦ Quick Check

Your SIEM fires an alert: 47 failed login attempts (EventID 4625) for the account "admin" from IP 185.22.14.9 in the last 3 minutes. What attack does this most likely indicate?
Brute force attack
Phishing attack
SQL injection
Insider threat