Detection, Response & GRC
Security Operations & SIEM
4 min read
Security operations center (SOC) skills are essential for defensive security roles. This lesson covers SIEM platforms, detection engineering, and threat hunting.
SIEM Fundamentals
What Is a SIEM?
Security Information and Event Management (SIEM) systems:
- Collect logs from across the environment
- Normalize data into a common format
- Correlate events to detect patterns
- Alert on suspicious activity
- Enable investigation and response
Major SIEM Platforms
| Platform | Strength | Best For |
|---|---|---|
| Splunk | Powerful search, extensive ecosystem | Enterprise, custom analytics |
| Microsoft Sentinel | Azure integration, AI features | Microsoft environments |
| Google Chronicle | Massive scale, threat intel | Large data volumes |
| Elastic SIEM | Open source, cost-effective | Startups, budget-conscious |
| IBM QRadar | Compliance, offense analysis | Regulated industries |
Interview Question
Q: "Walk me through setting up detection for a brute force attack."
Answer:
1. DATA SOURCES
└── Authentication logs (AD, LDAP, SSO)
└── VPN logs
└── Application logs
2. DETECTION LOGIC
└── Count failed logins per user/IP
└── Time window (e.g., 5 minutes)
└── Threshold (e.g., 10 failures)
3. SPLUNK QUERY EXAMPLE:
index=auth sourcetype=windows:security EventCode=4625
| bin _time span=5m
| stats count as failures by src_ip, user
| where failures > 10
| eval severity=case(
failures > 50, "critical",
failures > 20, "high",
true(), "medium"
)
4. ALERT CONFIGURATION
└── Trigger: Real-time or scheduled
└── Throttling: Once per IP per hour
└── Response: Ticket creation, blocking
Detection Engineering
Detection Types
| Type | Description | Example |
|---|---|---|
| Signature | Known bad patterns | Malware hash, specific exploit |
| Behavioral | Anomalous activity | Unusual login times |
| Statistical | Deviations from baseline | Traffic volume spikes |
| Threat Intel | External indicators | Known C2 domains |
MITRE ATT&CK Integration
# Detection rule with ATT&CK mapping
name: Suspicious PowerShell Execution
description: Detects encoded PowerShell commands
mitre:
tactic: Execution
technique: T1059.001
subtechnique: PowerShell
detection:
selection:
EventID: 4104
ScriptBlockText|contains:
- '-EncodedCommand'
- '-enc'
- 'FromBase64String'
condition: selection
severity: high
false_positive_rate: low
Detection Maturity Model
| Level | Characteristics |
|---|---|
| Level 0 | No detection capability |
| Level 1 | Basic vendor rules |
| Level 2 | Custom rules for environment |
| Level 3 | Threat-informed detection |
| Level 4 | Automated hunting and ML |
Threat Hunting
Hunt Hypothesis Framework
HYPOTHESIS STRUCTURE:
"Based on [threat intelligence/trend], attackers may be
using [technique] to [objective]. We can detect this by
looking for [observable]."
EXAMPLE:
"Based on recent ransomware campaigns, attackers may be
using PsExec for lateral movement. We can detect this by
looking for remote service creation events."
Hunting Techniques
| Technique | Description | Data Source |
|---|---|---|
| Stacking | Find rare values | Process names, service names |
| Grouping | Cluster related activity | Network connections |
| Temporal | Time-based correlation | Login times vs working hours |
| IOC Sweep | Search for known bad | Hashes, IPs, domains |
Splunk Hunting Query Example
# Find rare parent-child process relationships
index=sysmon EventCode=1
| stats count by ParentImage, Image
| where count < 5
| sort count
| head 20
Log Management Best Practices
What to Log
| Category | Log Sources | Key Events |
|---|---|---|
| Identity | AD, IAM, SSO | Logins, MFA, privilege changes |
| Network | Firewall, DNS, Proxy | Connections, blocks, queries |
| Endpoint | EDR, Sysmon | Process creation, file changes |
| Cloud | CloudTrail, Activity Log | API calls, configuration changes |
| Application | Web servers, databases | Errors, access, transactions |
Log Retention Strategy
| Log Type | Retention | Reason |
|---|---|---|
| Security events | 1 year | Compliance, investigations |
| Authentication | 90 days | Active Directory requirements |
| Network flows | 30 days | Storage costs |
| Debug logs | 7 days | Troubleshooting only |
SOC Metrics
Track these for interview discussions:
| Metric | Description | Target |
|---|---|---|
| MTTD | Mean Time to Detect | < 24 hours |
| MTTR | Mean Time to Respond | < 4 hours (critical) |
| False Positive Rate | Alerts without incidents | < 10% |
| Alert Volume | Alerts per analyst per day | < 50 |
| Detection Coverage | ATT&CK techniques covered | > 70% |
Interview Tip: When discussing SIEM, emphasize the importance of tuning. Raw out-of-the-box rules generate too many false positives. Show you understand that effective detection requires ongoing refinement.
Next, we'll cover incident response procedures. :::