SIEM is a field of cybersecurity that collects, stores and analyze your machine-generated data (Logs) in the form of events to find real-time security threats.
SIEM = SIM + SEM = (Security Incident Management) + (Security Event management)
SIEM collects the logs from every device from an infrastructure, Forex: Firewall, Switch, Router, Endpoints, Antivirus, DMZ, IDS/IPS etc.… Once it collects the logs, the logs are stored in a Centralized database server. Upon these logs, the offences (Alerts/ Incidents) are created concerning each device category.
For example, Let’s take a firewall incident, Potential Malicious IP detected.
This is basically an incident, which triggers whenever a malicious IP is trying to hit your firewall.
Now, What is a Malicious IP?
A Malicious IP Address is suspected of Malicious and has been blacklisted in the Threat- intel like Virustotal.com, IBM X-Force Exchange, AbuseIPDB etc.
Threat intel: It enables to search global security threats, consult with experts and collaborate with peers.
Let’s now discuss how and who is responsible for handling these Incidents,
SIEM team is a part of SOC (Security Operation centre).
A SOC is dedicated to analyzing Network traffic flow and monitoring for threats and attacks. The SOC analysts are responsible for Monitoring these Threats/ Incidents.
How does the SOC teamwork?
The SOC team works 24 * 7 with people in multiple shifts (basically three shifts).
The SOC team is categorized into 3 Levels, L1, L2 and L3.
L1 Analyst: The L1 SOC analysts are responsible for monitoring Security incidents, alerts to potential or active threats, Intrusions and responding to these incidents at the L1 level.
L2 Analyst: L2 techs have more technical skills and experience than L1 tech. They can perform most of your technical tasks. Since these tasks are more complex, L2 support engineers may need access to the server on the back panel (RDP, SSH..etc.). They can also solve your technical issues and can fix most server problems without having to open tickets.
L3 Analyst: L3 is the last support line and usually comprises a developer team that addresses technical issues. Sometimes the problems reported by customers cannot be solved by L1 & L2. In that case, the L3 team analyses the issue and fixes it. The difficulties which the L3 team gets involves code/development related fixes.
So, This is about the brief on SIEM, SOC, SIEM TEAMs.