
What Is SIEM and SOAR Design? Security Definition

Also known as: SIEM and SOAR design, SIEM SOAR architecture, Microsoft Sentinel design, SC-100 exam, security operations design

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

Quick Definition

SIEM stands for Security Information and Event Management. It is a system that collects logs and alerts from all your computers, servers, and apps to help you see what is happening in your network. SOAR stands for Security Orchestration, Automation, and Response. It takes the alerts from SIEM and automatically takes action, like blocking a suspicious IP address or resetting a compromised user account. Together, SIEM and SOAR Design means planning how these systems will work together to detect and respond to cyber threats as quickly as possible.

Must Know for Exams

SIEM and SOAR design is a critical topic in the Microsoft SC-100 exam: Microsoft Cybersecurity Architect. This exam tests your ability to design security solutions across identity, endpoints, data, applications, and infrastructure. The exam objectives include designing a SIEM and SOAR strategy using Microsoft Sentinel, which is Microsoft's cloud-native SIEM and SOAR platform. Specifically, you must understand how to design Log Analytics workspaces, plan data retention, configure data connectors, and create analytics rules. You also need to know how to design SOAR playbooks using Azure Logic Apps or Sentinel Automation rules.

The exam expects you to be able to recommend whether to use a single workspace or multiple workspaces for Sentinel, and to justify that choice based on cost, compliance, and operational requirements. For example, a multinational company might need separate workspaces for different regions to meet data residency laws. You also need to understand the difference between scheduled queries and Microsoft Security Incident Creation rules, and when to use each. Another common exam topic is the integration of Sentinel with Microsoft 365 Defender and Azure Defender to provide a unified security operations center (SOC).

Beyond SC-100, SIEM and SOAR concepts appear in the Microsoft SC-200 (Security Operations Analyst) exam, which focuses on using Sentinel to detect and respond to threats. The SC-200 exam tests your ability to create analytics rules, investigate incidents, and build automated playbooks. It also covers how to use threat intelligence feeds with Sentinel. For those pursuing the CompTIA Security+ or CISSP certifications, understanding SIEM and SOAR basics is essential, though the depth is less than in the Microsoft architect exam. In the exam, you will likely see questions that ask you to choose the best solution for a given scenario, such as: Your company needs to reduce the time it takes to respond to phishing emails. What should you implement? The correct answer would involve creating a SOAR playbook that automatically removes phishing emails from all mailboxes and blocks the sender.

Simple Meaning

Imagine you work in a large office building with thousands of people coming and going every day. At the front door, there is a security guard who checks every badge. That guard is like your SIEM system: he watches everyone who enters, records their ID, and notes the time they came in.

If someone tries to enter without a badge, the guard writes down the incident and flags it. But the guard alone cannot do anything more than report what he sees. Now imagine that when the guard spots someone without a badge, he instantly calls a second security team that runs to the door, escorts the person out, and locks the door behind them.

That second team is like your SOAR system: it takes the alert from the guard and automatically takes action without waiting for a manager to approve. In cybersecurity, a SIEM gathers information from every computer, server, firewall, and cloud service. It reads logs and events like a guard reads badges.

It then shows all this information on a dashboard so security analysts can see if something is wrong. A SOAR system connects to that SIEM and, based on rules you set ahead of time, performs actions automatically. For example, if the SIEM sees a user typing the wrong password ten times in a minute, the SOAR can automatically disable that user account and send a notification to the IT team.

Designing these two systems together means deciding what logs to collect, how to organize them, what rules trigger automatic actions, and how to make sure the whole process does not accidentally block a legitimate user. It is like planning the entire security guard and response team system for a building, from the cameras at the door to the locked doors and the phone calls to the police. You need to think about what kinds of threats are most likely, how fast you need to respond, and what actions are safe to automate.

If you design it poorly, you might miss important alerts or accidentally lock out your own employees. If you design it well, you can stop a ransomware attack before it spreads, all without a human having to read every single log entry.

Full Technical Definition

SIEM and SOAR design refers to the architecture and planning of two integrated security systems: Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR). A SIEM system performs real-time collection, normalization, correlation, and analysis of security event data from diverse sources including network devices, servers, endpoints, cloud platforms, and applications. It uses agents or API connectors to ingest log data, parse it into a common format (normalization), and apply correlation rules to identify suspicious patterns such as multiple failed logins followed by a successful login from an unusual geographic location. Common SIEM platforms include Microsoft Sentinel, Splunk, and IBM QRadar.

SOAR systems sit on top of the SIEM layer and provide automated response capabilities. They integrate with the SIEM through REST APIs or syslog feeds, receive incident alerts, and execute predefined playbooks. A playbook is a set of automated steps, such as querying threat intelligence databases, isolating a compromised endpoint via network access control, blocking an IP address at the firewall, or resetting a user's password. SOAR platforms like Microsoft Sentinel (which combines SIEM and SOAR), Palo Alto Cortex XSOAR, and Splunk SOAR also support case management, allowing analysts to track incidents from detection to resolution.

In practical implementation, SIEM and SOAR design involves several key technical decisions. First, data ingestion architecture must be planned: what log sources to collect, whether to use agent-based or agentless collection, how to handle high-volume logs like firewall traffic, and how to store data for compliance (e.g., retaining logs for 90 days or one year). Second, correlation rules and detection analytics must be written, tested, and tuned to reduce false positives. Third, SOAR playbooks must be designed for common incident types like phishing, ransomware, and insider threats. Playbooks can be fully automated (no human approval needed) or semi-automated (requiring analyst confirmation before critical actions).

Microsoft Sentinel is a cloud-native SIEM and SOAR solution that runs on Azure. It uses Log Analytics workspaces for data storage, Kusto Query Language (KQL) for queries, and Logic Apps for automation. When designing Sentinel, an architect must decide on data retention policies, workspace design (single vs. multiple workspaces), and integration with Microsoft 365 Defender and Azure Defender. The design must also consider cost, as data ingestion and retention in the cloud are billed per gigabyte. Finally, high availability and disaster recovery should be built in, often by replicating critical log data across multiple Azure regions.
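The collection, normalization and correlation stages described above, as an added example that is not part of the original page and is not Sentinel or KQL code: it ingests two constructed log formats (a JSON cloud sign-in feed and a syslog-style VPN feed), normalizes both into one schema, applies a single correlation rule (several failed sign-ins followed by a success from a country the user has never signed in from), and back-tests the failure threshold the way the tuning step requires. Field names, log formats, IP addresses, the baseline countries and the threshold are all assumptions.

```python
"""Normalize two sign-in log formats and correlate failed-then-successful logins."""
import json
import re
from datetime import datetime, timedelta

# Constructed sample data (not real logs). Cloud sign-ins arrive as JSON records.
CLOUD_JSON = """
{"time": "2024-05-01T08:05:00+00:00", "userPrincipalName": "Alice@Example.com", "ipAddress": "203.0.113.7", "location": {"countryOrRegion": "BR"}, "resultType": 0}
{"time": "2024-05-01T08:06:00+00:00", "userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "US"}, "resultType": 0}
{"time": "2024-05-01T08:07:00+00:00", "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.5", "location": {"countryOrRegion": "FR"}, "resultType": 0}
"""


def vpn_fail(user, ip, geo, minute):
    """Build one constructed syslog-style failure line from the on-prem VPN."""
    return f"2024-05-01T08:{minute:02d}:00+00:00 vpn auth: user={user} src={ip} geo={geo} result=fail"


VPN_LINES = (
    [vpn_fail("alice", "203.0.113.7", "BR", m) for m in range(0, 5)]    # 5 failures, then success from a new country
    + [vpn_fail("carol", "198.51.100.9", "US", m) for m in range(0, 6)]  # 6 failures, but success from home country
    + [vpn_fail("bob", "198.51.100.5", "FR", m) for m in range(5, 7)]    # 2 failures, new country
    + ["May  1 08:08:00 vpn kernel: link up"]                            # unrelated line, dropped by the parser
)

# Assumed baseline of countries each user normally signs in from (a SIEM would learn this from history).
BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}

VPN_RE = re.compile(r"^(?P<ts>\S+) vpn auth: user=(?P<user>\S+) src=(?P<ip>\S+) geo=(?P<geo>\S+) result=(?P<result>\S+)$")


def normalize_cloud(rec):
    """Map a cloud record to the common schema; the identity key is the lower-cased local part of the UPN."""
    return {"ts": datetime.fromisoformat(rec["time"]),
            "user": rec["userPrincipalName"].split("@")[0].lower(),
            "ip": rec["ipAddress"], "geo": rec["location"]["countryOrRegion"],
            "success": rec["resultType"] == 0, "source": "cloud"}


def normalize_vpn(line):
    """Map a VPN syslog line to the same schema; returns None for lines that are not auth events."""
    m = VPN_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"].lower(), "ip": m["ip"],
            "geo": m["geo"], "success": m["result"] == "ok", "source": "vpn"}


def load_events():
    """Ingest both sources into one normalized, time-ordered event list (collection + normalization)."""
    events = [normalize_cloud(json.loads(l)) for l in CLOUD_JSON.splitlines() if l.strip()]
    events += [e for e in (normalize_vpn(l) for l in VPN_LINES) if e is not None]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, baseline, threshold=5, window=timedelta(minutes=10)):
    """Correlation rule: a success preceded by >= threshold failures for the same user inside
    `window`, where the success comes from a country not in that user's baseline."""
    alerts = []
    for ev in events:
        if not ev["success"]:
            continue
        fails = [f for f in events if f["user"] == ev["user"] and not f["success"]
                 and ev["ts"] - window <= f["ts"] < ev["ts"]]
        if len(fails) >= threshold and ev["geo"] not in baseline.get(ev["user"], set()):
            alerts.append({"user": ev["user"], "ip": ev["ip"], "geo": ev["geo"], "failures": len(fails),
                           "sources": sorted({f["source"] for f in fails} | {ev["source"]})})
    return alerts


def tune_threshold(events, baseline, thresholds):
    """Back-test candidate thresholds against historical events to see how many alerts each would raise."""
    return {t: len(correlate(events, baseline, threshold=t)) for t in thresholds}


if __name__ == "__main__":
    evs = load_events()
    for a in correlate(evs, BASELINE):
        print("ALERT", a)
    print("alerts per threshold:", tune_threshold(evs, BASELINE, [2, 5, 6]))
```

Only alice is flagged at the default threshold: carol's six failures end in a success from her usual country, and bob's two failures fall below the threshold, which is exactly the false-positive trade-off the back-test makes visible.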

Real-Life Example

Think of a large hospital with many departments: emergency room, surgery, pharmacy, and administration. The hospital has a central security office that monitors every door, elevator, and corridor using cameras and badge readers. This central office is like a SIEM system: it collects video feeds, badge swipes, and door sensor data. Every time someone swipes their badge to enter a restricted area, the system logs who they are, where they went, and when. If someone swipes their badge at a door they are not authorized for, the system records the event and shows a red alert on a monitor. But the security officers cannot run to every door every time an alert pops up. They would be exhausted and slow.

Now imagine the hospital installs an automated response system that connects to the badge readers and doors. When the security system detects an unauthorized badge swipe, the automated system immediately locks that door so the person cannot enter. It also sends a text message to the nearest security guard's phone saying, Go to door 3B now. It even closes the other nearby doors to contain the person. This automated response is the SOAR system. It takes the alert from the monitoring system and performs actions without waiting for a guard to push a button.

In a real hospital, this combination could also handle emergencies. If a fire alarm goes off, the monitoring system (SIEM) sends a signal to the automated system (SOAR), which automatically unlocks all doors, turns on emergency lights, and pages the fire department. The design of this whole system is the SIEM and SOAR Design. A security architect must decide which doors are connected, what alerts trigger automatic locks, and when a human override is needed. If they design it poorly, they might lock the wrong doors during a fire or fail to log a critical badge swipe. If they design it well, the hospital is safer and the security team can focus on unusual threats instead of every minor alert.

Why This Term Matters

SIEM and SOAR design matters in real IT work because modern organizations face an overwhelming volume of security alerts. A medium-sized company with 500 employees can generate millions of log entries per day from firewalls, email servers, cloud apps, and endpoint antivirus software. Without a SIEM, an analyst would have to manually check each log file, which is impossible. The SIEM automatically collects and correlates these logs, showing only the events that are likely to be real threats. This saves time and reduces the risk of missing an attack.

SOAR matters because even with a SIEM, analysts can be flooded with hundreds of alerts per day. Manually investigating each alert and taking action (like blocking an IP or disabling a user) can take 15 to 30 minutes per alert. With SOAR, many of these actions happen in seconds. For example, if a SIEM detects a known malware signature on a workstation, the SOAR can immediately isolate that workstation from the network, preventing the malware from spreading to other computers. This rapid response can stop a ransomware attack before it encrypts critical files.

In cloud environments like Microsoft Azure, SIEM and SOAR design is even more important because the attack surface is larger and more dynamic. Resources can be spun up and down quickly, and identities from any location can access data. A well-designed SIEM and SOAR solution helps security teams maintain visibility across hybrid and multi-cloud environments. It also supports compliance with regulations like GDPR, HIPAA, and PCI-DSS, which require organizations to monitor access, detect breaches, and respond within specified timeframes. For example, a healthcare provider might need to prove that they detected and responded to a data breach within 72 hours. A properly designed SIEM and SOAR system logs the detection time, the automated response actions taken, and the final resolution, providing auditable evidence for regulators.

How It Appears in Exam Questions

In certification exams, especially SC-100 and SC-200, questions about SIEM and SOAR design appear in several familiar patterns. Scenario-based questions are the most common. The exam describes a company with specific requirements, and you must select the best design choice. For example, a question might describe a global organization with offices in Europe, Asia, and the Americas. The chief security officer wants to centralize security monitoring but also needs to comply with GDPR in Europe and local data residency laws in Asia. You are asked to recommend a Sentinel workspace design. The options might include one global workspace, three regional workspaces, or a workspace per country. The correct answer is usually regional workspaces to meet compliance requirements while still maintaining centralized visibility via cross-workspace queries.

Configuration questions ask you to identify the correct settings for a specific task. For instance, you might be asked: You need to create an analytics rule that detects when a user from an untrusted IP address signs into a sensitive application. Which Kusto Query Language (KQL) statement should you use? You would need to know how to filter for specific IP address ranges and correlate with user activity logs. Another common pattern is troubleshooting questions. These present a situation where a Sentinel playbook is not working as expected. For example, an automated response to block a user account fails. You must identify the likely cause: perhaps the playbook does not have the right permissions to modify Active Directory, or the Logic App connector is misconfigured.

Architecture questions test your understanding of how SIEM and SOAR fit into a broader security strategy. A question might ask: Which Microsoft security solution would you use to automatically respond to a detected ransomware outbreak by isolating affected endpoints? The answer would be Microsoft Sentinel's SOAR capabilities combined with Microsoft Defender for Endpoint. Some questions also focus on cost optimization. For example, you might be asked how to reduce data ingestion costs in Sentinel while still maintaining security monitoring for critical servers. The correct answer would involve using basic logs for low-sensitivity data sources and analytics logs for high-priority sources. Finally, licensing and feature comparison questions appear. You may need to distinguish between Microsoft Sentinel, Azure Sentinel (older name), and other SIEM vendors. The exam will expect you to know that Sentinel is cloud-native and has built-in SOAR capabilities, whereas traditional on-premises SIEMs require separate SOAR tools.


Example Scenario

Company ABC is a mid-size e-commerce company with 2,000 employees and a cloud infrastructure running on Microsoft Azure. They have recently suffered a phishing attack that compromised the email account of a finance manager, leading to a fraudulent wire transfer of $50,000. The IT director wants to prevent this from happening again.

She decides to implement a SIEM and SOAR solution using Microsoft Sentinel. The first step is to design the data collection. She plans to connect Sentinel to Azure Active Directory to collect sign-in logs, to Microsoft 365 Defender to get email threat data, and to all Azure virtual machines via the Azure Monitor Agent.

Next, she creates an analytics rule that detects when a user clicks a known phishing link in an email. The rule triggers an incident in Sentinel. Then, she designs a SOAR playbook using Azure Logic Apps.

The playbook does three things: it automatically deletes the malicious email from the user's inbox, it blocks the sender's email address in Exchange Online, and it sends a notification to the security team. Finally, she tests the playbook to ensure it works correctly without blocking legitimate emails. After deployment, when another phishing email arrives, the SIEM detects the link, the SOAR removes it from all mailboxes that received it within 60 seconds, and the security team is notified.

This rapid response prevents any finance manager from falling for the same trap again.

Common Mistakes

Thinking SIEM and SOAR are the same thing or interchangeable.

SIEM focuses on collecting and analyzing logs; SOAR focuses on automating responses. They serve different functions and need to be integrated, not replaced.

Remember SIEM is the 'eyes' that see the problem, and SOAR is the 'hands' that fix it. Both are needed for a complete security operations solution.

Designing a SIEM to collect all possible logs without considering cost or storage.

Ingesting every log from every device can lead to massive cloud costs and slow query performance. Not all logs are equally valuable.

Prioritize high-value log sources like authentication logs, critical server logs, and cloud activity logs. Use basic logs for less critical sources to save money.

Creating SOAR playbooks that take irreversible actions without human approval.

Automated actions like disabling a user account or blocking a network port can accidentally impact legitimate users or critical services if the alert is a false positive.

Design playbooks with a manual approval step for high-impact actions. Use automatic approval only for low-risk actions like collecting additional data or sending notifications.

Assuming a single Log Analytics workspace is always the best design.

While one workspace simplifies queries, it can violate data residency laws in some regions and cause cross-region data transfer costs.

Assess compliance requirements and data residency laws. Use multiple workspaces for different geographic regions or business units, but link them for cross-workspace queries when needed.

Not testing SIEM correlation rules before going into production.

Untested rules can generate thousands of false positive alerts, overwhelming analysts and causing them to ignore real threats.

Run correlation rules against a small set of historical data first. Tune thresholds and filters until false positives are minimal, then deploy to production.

Exam Trap — Don't Get Fooled

In an exam question, you are asked to recommend a solution for reducing alert fatigue in a SOC. An option suggests 'implementing a SIEM' as the primary solution. Learners often choose this because they think SIEM reduces alerts by correlating them.

The correct solution is to implement a SOAR platform alongside the SIEM. SOAR automates responses to common alerts, significantly reducing the number of alerts that require human action. In the exam, always look for answers that mention automation or playbooks when the question is about reducing analyst workload.

Commonly Confused With

SIEM and SOAR Design vs Endpoint Detection and Response (EDR)

SIEM collects logs from many sources across the entire network, while EDR focuses specifically on individual endpoint devices like laptops and servers. SIEM gives a broad view; EDR gives deep detail on one machine.

Imagine a stadium security system. SIEM is like the camera at every gate and hallway. EDR is like a security guard standing right next to a single VIP box, watching everything that happens there.

SIEM and SOAR Design vs Network Traffic Analysis (NTA)

SIEM analyzes logs and events, while NTA analyzes the actual data packets flowing across a network. SIEM tells you who logged in; NTA tells you what data that user sent to a server.

SIEM is like a librarian checking who borrowed which book. NTA is like the librarian reading every page of the book to see what the borrower underlined.

SIEM and SOAR Design vs Managed Detection and Response (MDR) service

SIEM and SOAR are technology platforms. MDR is a service where a third party operates those platforms for you. The terms are often confused because MDR providers use SIEM and SOAR tools.

SIEM and SOAR are like owning a kitchen with an oven and a mixer. MDR is like hiring a chef to use that kitchen to prepare meals for you.

SIEM and SOAR Design vs User and Entity Behavior Analytics (UEBA)

UEBA is a feature often built into SIEMs that uses machine learning to detect unusual user behavior. SIEM is the broader platform; UEBA is one of its analytical techniques.

SIEM is the whole security camera system. UEBA is a specific smart camera that learns when a specific person usually arrives and raises an alarm if they show up at 3 a.m.

Step-by-Step Breakdown

1. Log Source Identification

List all devices and applications that generate security logs: firewalls, servers, cloud services (Azure, AWS), domain controllers, email servers, and endpoints. Decide which ones are critical. This step defines what the SIEM will monitor.

2. Data Ingestion Architecture Planning

Choose how to collect logs: agents on servers, API connectors for cloud services, or syslog for network devices. Plan log storage: how long to keep logs, whether to use hot, warm, or cold tiers. In Microsoft Sentinel, this means designing Log Analytics workspaces.

3. Correlation Rule Creation

Write detection rules that look for suspicious patterns, like multiple failed logins or unusual data downloads. Test rules against historical data to reduce false positives. In Sentinel, use Kusto Query Language to build analytics rules.

4. Incident Management Setup

Configure how alerts become incidents. Set up severity levels and assign groups of analysts to handle them. Define SLA targets for response times based on severity. In Sentinel, this includes configuring incident creation rules and classification.

5. SOAR Playbook Development

Design automated response playbooks for common incidents. For example, a playbook for a phishing alert might delete the email and block the sender. Use Azure Logic Apps or Sentinel Automation rules. Decide which actions require human approval and which can run automatically.

6. Integration with Other Security Tools

Connect the SIEM and SOAR to existing security tools like firewalls, threat intelligence feeds, and identity platforms. For example, integrate Sentinel with Microsoft 365 Defender for enriched alerts. This ensures automated actions can reach the actual control points.

7. Testing and Tuning

Simulate attacks (like phishing or brute force) to verify that rules trigger correctly and playbooks execute as expected. Review false positives and adjust thresholds. Document playbook steps for auditor review. This step is ongoing, as threats and environments change.

8. Monitoring and Governance

Continuously monitor SIEM dashboards for operational health, such as log ingestion rates and missing agents. Review SOAR playbook execution logs to catch failures. Enforce change management so that any modifications to rules or playbooks are reviewed and approved.

Practical Mini-Lesson

To design a SIEM and SOAR system effectively, you must first understand the security operations center (SOC) workflow. The SOC is a team of analysts who monitor and respond to security incidents. In a typical SOC, raw logs from across the enterprise flow into the SIEM. The SIEM parses, normalizes, and correlates this data. When a correlation rule triggers, it creates an alert, which is escalated to an incident if it meets certain criteria. The incident is manually reviewed by a Tier 1 analyst, who may gather more information and then decide to contain the threat or escalate to Tier 2. This manual process can take hours. By adding SOAR, many of these steps are automated, shrinking response time to minutes or seconds.

In practice, when configuring SOAR playbooks, you must define triggers. A trigger is the event that starts the playbook: it could be a new incident being created, a new alert being fired, or a specific condition such as a high-severity incident. Then you define actions: querying other data sources, sending notifications, creating tickets in a service management tool like ServiceNow, or executing remediation commands. For example, a playbook for a compromised user account might:

1) Trigger on an incident where a user account is detected as compromised by Azure AD Identity Protection.
2) Query Azure AD to get the name and email address of the user's manager.
3) Send an email to the manager requesting confirmation of the unusual activity.
4) If there is no response within 30 minutes, automatically disable the user account and reset the password.
5) Log all actions to a separate audit log.

What can go wrong? A common issue is that playbooks may fail to connect to external systems due to expired API keys or service outages. You must include error handling steps, like retry logic or fallback notifications. Another issue is that playbooks can get too complex, becoming difficult to debug. Keep playbooks focused on a single incident type, and use modular playbooks that can be reused. For example, a 'Block IP' playbook can be called by several other playbooks instead of rewriting the blocking logic each time.
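The compromised-account playbook and the error-handling advice above, as an added Python model that is not the page's own code and not an Azure Logic Apps definition: fake directory and mail connectors stand in for the real integrations, connector calls are retried a bounded number of times with every failure written to the audit log, a fallback notification goes to the SOC when enrichment stays broken, and the manager-approval step contains the account when no reply arrives before the timeout. The connector classes, the SOC mailbox address, the reply values and the retry count are assumptions.

```python
"""Model of a compromised-account playbook: trigger, enrichment with retries,
manager approval with timeout, containment, fallback notification and audit log."""
from dataclasses import dataclass, field

SOC_MAILBOX = "soc@example.com"  # assumed notification address for fallback and containment notices


class ConnectorError(Exception):
    """Raised when an integration is unreachable (expired API key, service outage, ...)."""


@dataclass
class FakeDirectory:
    """Stand-in for the identity platform; fails the first `outage_calls` requests to simulate an outage."""
    managers: dict
    outage_calls: int = 0
    calls: int = 0
    disabled: list = field(default_factory=list)

    def get_manager(self, user):
        self.calls += 1
        if self.calls <= self.outage_calls:
            raise ConnectorError("directory API unavailable")
        return self.managers[user]

    def disable_and_reset_password(self, user):
        self.disabled.append(user)


@dataclass
class FakeMail:
    """Stand-in for the notification connector; records what would be sent."""
    sent: list = field(default_factory=list)

    def send(self, to, subject):
        self.sent.append((to, subject))


def with_retry(action, attempts, audit, step):
    """Retry a connector call a bounded number of times, writing every failure to the audit log."""
    for n in range(1, attempts + 1):
        try:
            return action()
        except ConnectorError as exc:
            audit.append(f"{step}: attempt {n} failed ({exc})")
    raise ConnectorError(f"{step}: gave up after {attempts} attempts")


def compromised_account_playbook(incident, directory, mail, wait_for_manager, audit,
                                 approval_minutes=30, attempts=3):
    """Run the playbook for one incident. `wait_for_manager(timeout_minutes)` returns
    'legitimate', 'suspicious', or None when no reply arrives before the timeout."""
    if incident.get("risk") != "high":               # trigger condition: only high-risk detections
        audit.append(f"skipped {incident['user']}: risk {incident.get('risk')}")
        return "skipped"
    user = incident["user"]
    audit.append(f"triggered for {user}")
    try:
        manager = with_retry(lambda: directory.get_manager(user), attempts, audit, "lookup manager")
    except ConnectorError as exc:
        # Fallback: enrichment is broken, so hand the incident to a human instead of failing silently.
        mail.send(SOC_MAILBOX, f"Playbook degraded for {user}: {exc}")
        audit.append(f"escalated {user} to SOC")
        return "escalated"
    mail.send(manager, f"Please confirm recent sign-in activity for {user}")
    reply = wait_for_manager(approval_minutes)
    audit.append(f"manager reply for {user}: {reply or 'timeout'}")
    if reply == "legitimate":                        # human judgment overrides the automation
        return "closed_benign"
    directory.disable_and_reset_password(user)       # no reply in time, or confirmed suspicious
    mail.send(SOC_MAILBOX, f"Contained {user}: account disabled and password reset")
    audit.append(f"contained {user}")
    return "contained"


if __name__ == "__main__":
    log = []
    directory = FakeDirectory({"alice": "manager@example.com"}, outage_calls=2)
    result = compromised_account_playbook({"user": "alice", "risk": "high"}, directory, FakeMail(),
                                          lambda minutes: None, log)
    print(result, log)
```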

From a broader perspective, SIEM and SOAR design is not just a technical task. It is part of a security strategy called defense in depth, where multiple layers of protection work together. The SIEM provides visibility, the SOAR provides speed, and human analysts provide judgment. A well-designed system balances automation with human oversight. For example, automated responses should never be allowed to lock out an entire company domain, because a single false positive could stop all employees from working. Always define a 'break glass' manual override process. Finally, as you study for the SC-100 exam, focus on understanding how Microsoft Sentinel fits into the Azure security ecosystem, especially its integration with Azure Lighthouse for multi-tenant management and Azure Policy for governance.

Memory Tip

SIEM sees the smoke, SOAR calls the fire brigade.


Frequently Asked Questions

Do I need both SIEM and SOAR, or can I just use one?

For a complete security operations capability, you need both. SIEM gives you visibility and alerting, while SOAR gives you the ability to respond automatically. Using only SIEM leaves you with manual response times; using only SOAR without SIEM means you have no detection engine to trigger the automation.

Can Microsoft Sentinel replace both SIEM and SOAR?

Yes, Microsoft Sentinel is a cloud-native SIEM and SOAR solution that combines both capabilities in one platform. It uses Log Analytics for data storage and analysis, and Azure Logic Apps or Automation rules for response automation. This eliminates the need for separate products.

How much does it cost to run a SIEM and SOAR like Sentinel?

Costs vary based on data volume. Sentinel charges per gigabyte of data ingested and for each playbook execution. You can reduce costs by using basic logs for less critical sources, setting daily caps, and choosing shorter retention periods for non-compliance logs.

What is a playbook in SOAR?

A playbook is a set of automated steps that a SOAR system follows when a specific incident occurs. It is like a recipe for responding to a threat. For example, a playbook for a ransomware alert might automatically isolate the infected computer, block its network traffic, and notify the security team.

Is it risky to fully automate security responses?

Yes, fully automating high-impact actions like disabling user accounts or blocking network ports can cause harm if the alert is a false positive. Best practice is to design playbooks with manual approval for critical actions and use full automation only for low-risk responses like collecting data or sending notifications.

How long does it take to design and deploy a SIEM and SOAR system?

A simple deployment for a small organization can take a few weeks. Large enterprise deployments with many log sources and complex playbooks can take several months. The design phase includes planning log sources, writing correlation rules, building and testing playbooks, and training analysts.

What skills do I need to design SIEM and SOAR?

You need knowledge of networking, cloud platforms (especially Azure for Sentinel), log analysis, scripting (KQL, PowerShell), and security incident response processes. Certifications like SC-100 and SC-200 are excellent starting points.

Summary

SIEM and SOAR Design is the strategic planning and implementation of systems that detect and automatically respond to cyber threats. The SIEM component collects and correlates logs from all parts of an organization's IT environment, providing visibility and alerting on suspicious activity. The SOAR component sits on top of the SIEM and automates the response, turning hours of manual work into seconds of automated action.

Together, they form the backbone of a modern security operations center. For certification exams like Microsoft SC-100 and SC-200, you must understand how to design workspace architecture, create correlation rules, build playbooks, and integrate with other security tools like Microsoft 365 Defender. Common exam traps include confusing SIEM and SOAR roles, underestimating the importance of testing, and not considering compliance and cost factors.

In the real world, proper SIEM and SOAR design helps organizations stop attacks quickly, reduce analyst burnout, and meet regulatory requirements. As you prepare for your exam, remember that SIEM gives you the view, and SOAR gives you the action. Master both concepts, and you will be well prepared for architecting secure and efficient security operations.