Log Analysis with SIEM: A Practical Guide for SOC Analysts
Learn how Security Information and Event Management (SIEM) helps detect cyber attacks using Windows, Linux, and Web logs
Introduction
In today’s threat landscape, cyber attacks are more advanced, stealthy, and persistent than ever. This is why Security Operations Centers (SOCs) rely heavily on SIEM solutions to monitor, detect, and respond to malicious activity in real time.
In this blog, we’ll explore:
- Why SIEM is essential for SOC analysts
- Key log sources used in SIEM
- How attacks are detected using Windows, Linux, and Web logs
- Real-world attack scenarios using Splunk
Whether you’re a beginner in cybersecurity or preparing for a SOC Analyst role, this guide will give you a solid foundation.
Why SIEM Is Critical for SOC Analysts
1. Centralisation
SIEM platforms collect logs from multiple systems such as:
- Workstations and servers
- Firewalls and IDS/IPS
- Web servers
- Cloud and identity providers
Instead of checking logs across multiple tools, analysts get everything in one place, saving time and improving response speed.
Benefit: Faster investigations and reduced alert fatigue.
2. Correlation
SIEM correlates events from different log sources to build a complete attack story.
For example:
- IDS detects a network scan
- Windows logs show suspicious process execution
- Sysmon reveals a malicious outbound connection
When combined, these logs reveal the full scope of the attack.
Benefit: Better detection accuracy and fewer false positives.
3. Historical Analysis
SIEM allows analysts to search past events to:
- Identify attacker dwell time
- Detect repeated attack patterns
- Verify whether an event is truly abnormal
Benefit: Stronger threat hunting and incident validation.
Key SIEM Log Sources Explained
Windows Logs
Sysmon
Sysmon provides deep visibility into:
- Process execution
- Network connections
- File creation
- Registry changes
It’s especially powerful for detecting:
- Encoded PowerShell commands
- Malware execution
- Command-and-control (C2) traffic
Windows Event Logs
Security and System logs help detect:
- User account creation (persistence)
- Privilege escalation
- Malicious services
Example:
An attacker creates a hidden backup user or a malicious service running as SYSTEM.
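The correlation idea from the section above and the Windows detections in this one, carried through as an added Python example (it is not code from the original post and not Splunk content). It runs over constructed, already-parsed events with assumed field names (source, host, event_id and so on, not a Splunk or Sysmon schema); the event IDs are the standard ones: Sysmon 1 (process creation), Sysmon 3 (network connection), Security 4720 (user account created) and System 7045 (service installed). Each single-source rule produces a finding, and the correlation step reports a host only when findings from at least two different log sources land inside a 15-minute window, which is what turns isolated alerts into the "attack story" described earlier. The hidden backup user and the SYSTEM service launched from a user-writable path mirror the persistence example in the text.

```python
import base64
import binascii
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, already normalised the way a SIEM stores them after
# parsing. Field names (source, host, event_id, ...) are assumptions for this
# example, not a Splunk or Sysmon schema; hosts, users and IPs are made up.
ENCODED = base64.b64encode(
    "Start-Process C:\\Users\\Public\\update.exe".encode("utf-16-le")).decode()
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

EVENTS = [
    {"ts": "2024-05-01T10:00:05", "source": "ids", "host": "WS01",
     "signature": "Network scan detected", "src_ip": "10.0.0.45"},
    {"ts": "2024-05-01T10:03:12", "source": "sysmon", "host": "WS01", "event_id": 1,
     "image": PS, "command_line": "powershell.exe -nop -w hidden -EncodedCommand " + ENCODED},
    {"ts": "2024-05-01T10:03:15", "source": "sysmon", "host": "WS01", "event_id": 3,
     "image": PS, "dest_ip": "10.0.0.45", "dest_port": 4444, "initiated": True},
    {"ts": "2024-05-01T10:05:00", "source": "winsec", "host": "WS01", "event_id": 4720,
     "target_user": "backup_svc", "subject_user": "jdoe"},
    {"ts": "2024-05-01T10:06:30", "source": "winsys", "host": "WS01", "event_id": 7045,
     "service_name": "WinUpdSvc", "account": "LocalSystem",
     "image_path": "C:\\Users\\Public\\update.exe"},
    # Benign noise on another host: a scheduled script and a vendor service.
    {"ts": "2024-05-01T10:04:00", "source": "sysmon", "host": "WS02", "event_id": 1,
     "image": PS, "command_line": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
    {"ts": "2024-05-01T11:30:00", "source": "winsys", "host": "WS02", "event_id": 7045,
     "service_name": "VendorAgent", "account": "LocalSystem",
     "image_path": "C:\\Program Files\\Vendor\\agent.exe"},
]

# -e, -ec, -enc and -EncodedCommand all take a base64 (UTF-16LE) payload.
ENC_FLAG = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})")
# A SYSTEM service whose binary lives in a user-writable path is far more
# suspicious than one under Program Files or System32.
USER_WRITABLE = re.compile(r"(?i)^C:\\(Users|ProgramData|Windows\\Temp)\\")


def decode_encoded_powershell(command_line):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    match = ENC_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def detect(events):
    """Apply single-event rules; each finding keeps host, source and time for correlation."""
    findings = []
    for ev in events:
        rule = detail = None
        if ev["source"] == "ids":
            rule, detail = "network_scan", ev["signature"]
        elif ev["source"] == "sysmon" and ev.get("event_id") == 1:
            decoded = decode_encoded_powershell(ev.get("command_line", ""))
            if decoded:
                rule, detail = "encoded_powershell", decoded
        elif ev["source"] == "sysmon" and ev.get("event_id") == 3:
            if ev.get("initiated") and ev["image"].lower().endswith("powershell.exe"):
                rule, detail = "powershell_outbound", f"{ev['dest_ip']}:{ev['dest_port']}"
        elif ev["source"] == "winsec" and ev.get("event_id") == 4720:
            rule, detail = "account_created", ev["target_user"]
        elif ev["source"] == "winsys" and ev.get("event_id") == 7045:
            if ev["account"] == "LocalSystem" and USER_WRITABLE.match(ev["image_path"]):
                rule, detail = "system_service_from_user_path", ev["image_path"]
        if rule:
            findings.append({"ts": datetime.fromisoformat(ev["ts"]), "host": ev["host"],
                             "source": ev["source"], "rule": rule, "detail": detail})
    return findings


def correlate(findings, window=timedelta(minutes=15), min_sources=2):
    """Group findings per host; report hosts where several sources fire inside the window."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)
    stories = {}
    for host, items in by_host.items():
        items.sort(key=lambda f: f["ts"])
        if items[-1]["ts"] - items[0]["ts"] > window:
            continue
        if len({f["source"] for f in items}) >= min_sources:
            stories[host] = [f"{f['ts']:%H:%M:%S} {f['source']}: {f['rule']} ({f['detail']})"
                             for f in items]
    return stories


if __name__ == "__main__":
    for host, lines in correlate(detect(EVENTS)).items():
        print(f"== Attack story for {host} ==")
        print("\n".join(lines))
```

Decoding the encoded command is what lets an analyst see the actual instruction rather than a base64 blob, and requiring two independent sources before escalating is the cheapest way to keep a lone 7045 from a vendor installer out of the queue.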
Linux Logs
Authentication Logs (auth.log)
Used to detect:
- SSH brute-force attacks
- Successful logins
- Privilege escalation using su or sudo
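The three auth.log detections just listed, implemented together as an added Python example (not code from the original post). The log excerpt is constructed: a burst of failed SSH passwords from one address, a successful login from the same address shortly after, and a sudo to root by that user, alongside a normal administrator session with a single typo. The year is assumed (syslog timestamps carry none), and the thresholds (5 failures in 60 seconds, a success within 10 minutes) are tuning choices, not fixed rules. A lone failure followed by a key-based login is left alone; only the chain brute force, then success, then su/sudo is escalated to critical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log excerpt. Hostname, users and addresses are made up
# (RFC 5737 documentation ranges).
AUTH_LOG = """\
May  1 09:12:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
May  1 09:12:03 web01 sshd[2233]: Failed password for root from 203.0.113.7 port 51024 ssh2
May  1 09:12:05 web01 sshd[2235]: Failed password for invalid user test from 203.0.113.7 port 51026 ssh2
May  1 09:12:07 web01 sshd[2237]: Failed password for deploy from 203.0.113.7 port 51028 ssh2
May  1 09:12:09 web01 sshd[2239]: Failed password for deploy from 203.0.113.7 port 51030 ssh2
May  1 09:12:11 web01 sshd[2241]: Failed password for deploy from 203.0.113.7 port 51032 ssh2
May  1 09:12:20 web01 sshd[2243]: Accepted password for deploy from 203.0.113.7 port 51050 ssh2
May  1 09:12:45 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash
May  1 09:30:00 web01 sshd[2300]: Failed password for alice from 198.51.100.9 port 40000 ssh2
May  1 09:30:05 web01 sshd[2300]: Accepted publickey for alice from 198.51.100.9 port 40000 ssh2
May  1 09:31:00 web01 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
"""

SYSLOG_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_AUTH = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
SUDO = re.compile(r"^\s*(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
SU = re.compile(r"^\(to (?P<target>\S+)\) (?P<user>\S+) on ")


def parse(log_text, year=2024):
    """Split syslog-style lines into timestamp, host, program and message (year is assumed)."""
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]})
    return events


def analyze(events, threshold=5, window=timedelta(seconds=60), follow_up=timedelta(minutes=10)):
    """Chain SSH failures, a later success from the same IP, and su/sudo by that user."""
    findings = []
    failures = defaultdict(list)   # ip -> timestamps of recent failed logins
    brute_ips = {}                  # ip -> time the brute force was confirmed
    compromised = {}                # user -> ip that logged in after a brute force
    for ev in events:
        if ev["prog"] == "sshd":
            m = SSH_AUTH.match(ev["msg"])
            if not m:
                continue
            ip, user = m["ip"], m["user"]
            if m["result"] == "Failed":
                # Sliding window: keep only failures inside the last `window`.
                recent = [t for t in failures[ip] if ev["ts"] - t <= window] + [ev["ts"]]
                failures[ip] = recent
                if len(recent) >= threshold and ip not in brute_ips:
                    brute_ips[ip] = ev["ts"]
                    findings.append({"type": "ssh_bruteforce", "ip": ip,
                                     "failures": len(recent), "severity": "medium"})
            elif ip in brute_ips and ev["ts"] - brute_ips[ip] <= follow_up:
                compromised[user] = ip
                findings.append({"type": "bruteforce_then_success", "ip": ip, "user": user,
                                 "method": m["method"], "severity": "high"})
        elif ev["prog"] in ("sudo", "su"):
            m = SUDO.match(ev["msg"]) if ev["prog"] == "sudo" else SU.match(ev["msg"])
            if m and m["user"] in compromised:
                findings.append({"type": "privilege_escalation", "user": m["user"], "via": ev["prog"],
                                 "target": m["target"], "command": m.groupdict().get("cmd"),
                                 "severity": "critical"})
    return findings


if __name__ == "__main__":
    for finding in analyze(parse(AUTH_LOG)):
        print(finding)
```

Keying the privilege-escalation rule on the user who arrived after a brute force, rather than on every sudo, is what keeps alice's routine service restart out of the findings while still catching the deploy account's shell as root.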
System Logs (syslog)
Used to detect persistence techniques such as:
- Cron jobs running malicious scripts
- Reverse shells
- Suspicious background services
Web Application Logs
Web access logs are one of the most valuable data sources in SIEM.
They help detect:
- Brute-force attacks
- Web shells
- Scanning activity
- Distributed Denial-of-Service (DDoS) attacks
Common Web Attacks Detected Using SIEM
Brute-Force Attacks
Indicators include:
- Repeated POST requests
- Login pages like /wp-login.php
- High request volume in a short time
- Tools such as Hydra or WPScan in User-Agent strings
Web Shell Detection
Signs of web shells include:
- Requests to .php, .jsp, .asp, or .exe files
- Successful responses (HTTP 200)
- Suspicious filenames like 505.php
DDoS Attacks
Key indicators:
- HTTP status 503 Service Unavailable
- Massive request spikes
- Short time window overload
Real-World SOC Practice Scenarios
Using Splunk SIEM, analysts can:
- Identify malicious IP addresses
- Trace attack tools used by threat actors
- Detect persistence mechanisms
- Escalate incidents to L2 analysts with confidence
These skills are essential for SOC Level 1 Analysts.
Key Benefits of SIEM (Quick Summary)
✔ Centralised log visibility
✔ Faster incident response
✔ Accurate threat detection
✔ Strong correlation across systems
✔ Effective threat hunting
Conclusion
SIEM is the backbone of modern SOC operations. By understanding log sources such as Windows, Linux, and Web logs, analysts can detect attacks early, reduce damage, and secure organisational assets effectively.
If you’re aiming for a career in cybersecurity, mastering SIEM and log analysis is non-negotiable.