Log monitoring and Security Information and Event Management (SIEM) are foundational to Security Operations. This chapter covers how organizations collect, aggregate, and analyze log data to detect and respond to security incidents. For SY0-701, this maps to Objective 4.9, which requires understanding SIEM concepts, log types, and analysis techniques. Mastering this material is critical for the exam and for real-world SOC roles.
Jump to a section
Imagine a major international airport's security control center. Multiple data streams flow in: passenger manifests (firewall logs), baggage screening results (IDS alerts), access card swipes (authentication logs), CCTV feeds (endpoint logs), and flight schedules (network traffic). Each stream is monitored by separate teams—analogous to individual log sources. The control center's SIEM is the central console that aggregates all these feeds into a unified display. A correlation rule might be: if a passenger (user) appears on a no-fly list (threat intel) AND attempts to board a flight to a restricted destination (unusual destination IP), trigger an alert. The SIEM normalizes data: different airlines use different formats for passenger records, just as logs from Windows, Linux, and Cisco devices have different formats. The SIEM parses and normalizes them into a common schema. When an alert fires, the analyst drills down: they see the exact timestamp, the gate (port), the flight number (session ID), and can replay the CCTV footage (packet capture). Without SIEM, the airport would have dozens of separate screens—impossible to correlate a suspicious passenger who used a stolen badge to access the tarmac and then boarded a plane. The SIEM's dashboard shows a timeline of events, and the analyst can pivot from the alert to related logs. This mechanistic analogy mirrors how a SIEM ingests logs from diverse sources, normalizes them, correlates events based on rules, and provides a single pane of glass for incident response.
What is Log Monitoring and SIEM?
Log monitoring is the process of collecting and analyzing log data generated by systems, networks, and applications to identify security events. A SIEM (Security Information and Event Management) system is a centralized platform that aggregates logs from multiple sources, normalizes them into a common format, correlates events, and generates alerts. The primary threat addressed is the inability to detect malicious activity when logs are scattered across hundreds of devices—attackers exploit this by hiding in the noise. For SY0-701, know that SIEM combines SIM (Security Information Management, long-term storage and reporting) and SEM (Security Event Management, real-time monitoring and alerting).
How SIEM Works Mechanically
A SIEM operates in a pipeline: (1) Log ingestion: Agents or syslog (UDP 514 or TCP 6514) send logs to the SIEM collector. Common log formats include Syslog (RFC 5424), Windows Event Log (EVTX), and JSON. (2) Normalization: The SIEM parses logs and maps fields to a common schema (e.g., source IP, destination IP, user, action). This is crucial because a Cisco ASA log and a Windows Security log use different field names. (3) Correlation: The SIEM applies correlation rules. A rule might be: 'If more than 5 failed logins from the same source IP within 60 seconds, then alert.' More complex rules use time windows and thresholds. (4) Alerting: When a rule matches, the SIEM generates an alert with severity (e.g., low, medium, high, critical). (5) Dashboard and Reporting: Analysts view dashboards showing top alerts, event timelines, and trends. (6) Storage: Logs are retained for compliance (e.g., PCI DSS requires 1 year) and forensic analysis.
Key Components, Variants, and Standards
Log Sources: Firewalls, IDS/IPS, servers (Windows Event Log, syslog), endpoints (EDR), cloud services (AWS CloudTrail, Azure Audit Logs), databases, and applications. For SY0-701, know that network logs (from routers/switches) show connections, while security logs show authentication and policy violations.
SIEM Components: Collectors (lightweight agents), correlation engine, database (often Elasticsearch), and web UI. Examples: Splunk (uses Search Processing Language), ELK Stack (Elasticsearch, Logstash, Kibana), and ArcSight.
Log Formats: Syslog (RFC 5424) is the standard for Unix/Linux devices; Windows Event Log uses XML; CEF (Common Event Format) by ArcSight; LEEF (Log Event Extended Format) by IBM. Know that CEF and LEEF are proprietary but widely used.
Log Levels: Syslog severity levels 0 (Emergency) to 7 (Debug). Windows Event levels: Critical, Error, Warning, Information, Verbose.
Time Synchronization: NTP (UDP 123) is critical—without synchronized clocks, correlation across devices fails. The exam may test that NTP ensures accurate timestamps.
How Attackers Exploit and Defenders Deploy
Attackers target SIEM systems to blind defenders. Common techniques: (1) Log flooding: Generate massive logs to overwhelm the SIEM or hide malicious events in noise. (2) Time manipulation: Modify system clocks to break correlation. (3) Log deletion: Delete or alter logs on endpoints before they are sent to SIEM. Defenders deploy SIEM with redundancy, use secure logging (TLS for syslog, TCP 6514), and implement log integrity (e.g., write-once storage, digital signatures). For SY0-701, know that SIEM can detect brute-force attacks (multiple failed logins), malware beaconing (regular outbound connections to known bad IPs), and privilege escalation (unusual admin account usage).
Real Command/Tool Examples
Syslog configuration: On Linux, edit /etc/rsyslog.conf to forward logs: *.* @siem-server:514 (UDP) or *.* @@siem-server:6514 (TCP with TLS).
Windows Event Forwarding: Use wecutil to configure subscriptions; logs are sent via WinRM (HTTP 5985/5986).
Splunk Search: index=main sourcetype=WinEventLog:Security EventCode=4625 | stats count by src_ip counts failed logins by source IP.
Correlation Rule Example (Splunk): index=* sourcetype=* (EventCode=4625 OR EventCode=4624) | stats count by src_ip, user | where count > 10 triggers on brute force.
SIEM Dashboard: Shows top talkers, geographic map of attacks, and real-time event count.
Log Analysis Techniques
Baseline vs. Anomaly: Establish normal behavior (e.g., average logins per hour) and alert on deviations. Anomaly-based detection uses machine learning to find outliers.
Trend Analysis: Look for patterns over time, such as gradual increase in failed logins before a breach.
Chain of Custody: For forensic use, logs must be preserved with integrity (hash values).
False Positive Reduction: Tune rules to reduce noise; use whitelists (e.g., known admin IPs).
SIEM Deployment Considerations
On-premises vs. Cloud: Cloud SIEM (e.g., Azure Sentinel, AWS Security Hub) reduces infrastructure management but requires careful data egress costs.
Log Retention: Compliance requirements dictate retention periods (e.g., HIPAA: 6 years, PCI DSS: 1 year).
Scalability: Estimate logs per second (LPS); for a large enterprise, 10,000+ LPS is common. Use load balancers and multiple collectors.
Cost: SIEM licensing often based on data volume (GB/day). Splunk, for example, charges per GB ingested.
For the exam, focus on understanding the flow of logs, common log sources, and how correlation rules work. Be able to identify which log source would contain evidence of a specific attack (e.g., failed login attempts appear in Windows Security log Event ID 4625).
Define Log Sources and Objectives
Identify all systems that generate security-relevant logs: domain controllers (authentication), firewalls (network traffic), web servers (HTTP requests), endpoints (process execution). Determine compliance requirements (e.g., PCI DSS requires logging all access to cardholder data). Document the retention period and storage capacity. For SY0-701, know that log sources include network devices, servers, endpoints, and cloud services.
Deploy Log Collectors and Forwarders
Install SIEM agents or configure syslog forwarding on each source. For Windows, enable Event Log forwarding via WinRM. For Linux, configure rsyslog to send to the SIEM collector. Use secure transport (TLS) to prevent interception. Verify connectivity by checking that the SIEM receives test events. In a SOC, this step ensures all critical devices are sending logs; missing a firewall is a common mistake.
Normalize and Parse Logs
The SIEM parses incoming logs and maps fields to a common schema. For example, a Cisco ASA log 'Deny TCP src inside:10.0.0.1/1234 dst outside:8.8.8.8/80' is parsed into source IP, source port, destination IP, destination port, action. Normalization allows correlation across different vendors. In Splunk, this is done via sourcetype definitions and field extractions. Without normalization, rules would break.
Create Correlation Rules and Alerts
Write rules that detect specific attack patterns. Example: 'If more than 10 failed logins from a single IP within 5 minutes, then alert medium severity.' More complex rules use time windows, thresholds, and lookup tables (e.g., known malicious IPs). Tune rules to minimize false positives. In a SOC, analysts review alerts and adjust rules based on feedback. For the exam, understand that correlation is the key value of SIEM.
Monitor Dashboards and Investigate Alerts
Analysts use dashboards to monitor real-time events. When an alert fires, they investigate by pivoting from the alert to related logs. For example, a brute-force alert leads to checking the user’s subsequent activity (did they log in successfully?). They may use a timeline view to sequence events. Common mistake: ignoring low-severity alerts that could indicate a slow, stealthy attack. Document findings and escalate if necessary.
Scenario 1: Brute-Force Attack Detection A SOC analyst sees a SIEM alert: 'Multiple failed logins from external IP 203.0.113.5 to the VPN gateway.' The analyst opens the SIEM dashboard and sees 500 failed attempts (Event ID 4625) in 10 minutes. They check the firewall logs and see the same IP hitting the VPN concentrator. The analyst blocks the IP on the firewall and checks if any successful logins occurred after the brute force—none did. The correct response: block the IP, notify the VPN team, and create a rule to alert on >10 failed logins from any external IP in 5 minutes. A common mistake: assuming the brute force failed and taking no further action, missing that the attacker might have used a different IP for successful access.
Scenario 2: Malware Beaconing An endpoint logs show a process 'svchost.exe' making outbound connections every 60 seconds to an IP in a known malicious threat intel feed. The SIEM correlates the endpoint process logs with firewall logs and threat intel. The analyst sees the connection pattern and identifies the process as a beacon. They isolate the endpoint, capture a memory dump, and block the IP on the firewall. The correct response: use EDR to kill the process and perform forensic analysis. A common mistake: treating the connections as legitimate Windows updates without verifying the destination IP.
Scenario 3: Insider Threat - Privilege Escalation A user with standard privileges suddenly runs 'net localgroup Administrators user /add' on a server. The SIEM correlates the command execution (Windows Event ID 4688) with the user's previous activity (no admin rights). The analyst sees the alert and verifies that the user should not have admin rights. They disable the account and investigate. The correct response: revoke any temporary privileges and escalate to HR. A common mistake: assuming the command was a mistake and ignoring it, leading to a persistent backdoor.
SY0-701 tests Objective 4.9: 'Given a scenario, use appropriate log monitoring and SIEM tools.' The exam expects you to identify log sources, understand SIEM components, and interpret logs. Key sub-objectives: (1) Differentiate between SIEM, SIM, and SEM. (2) Know common log types (syslog, Windows Event Log, CEF, LEEF). (3) Understand correlation rules and alerting. (4) Identify log sources for specific attacks (e.g., failed logins in Windows Security log). (5) Know the purpose of time synchronization (NTP).
Common Wrong Answers and Why 1. 'SIEM only stores logs for compliance' – Candidates choose this because they think SIEM is archival. Reality: SIEM provides real-time monitoring and correlation, not just storage. The exam emphasizes detection. 2. 'Syslog is only for Linux/Unix' – Candidates think syslog is Unix-only. Reality: Many network devices (Cisco, Juniper) use syslog, and Windows can forward logs via syslog agents. 3. 'Correlation rules are static and never need tuning' – Candidates think rules are set-and-forget. Reality: False positives require constant tuning. The exam may ask about reducing false positives. 4. 'All logs should be sent to SIEM without filtering' – Candidates think more data is better. Reality: Log volume can overwhelm SIEM; filtering and prioritization are essential.
Specific Terms and Acronyms - CEF: Common Event Format (ArcSight) - LEEF: Log Event Extended Format (IBM) - Syslog: RFC 5424 (UDP 514, TCP 6514) - NTP: Network Time Protocol (UDP 123) - WEC: Windows Event Collector - EVTX: Windows XML Event Log format
Decision Rule for Scenario Questions When asked 'Which log source would contain evidence of X?', ask: What type of activity is it? Authentication: Windows Security log (Event IDs 4624/4625) or syslog from VPN. Network traffic: Firewall or router logs. Process execution: Windows Event ID 4688 or Linux auditd. File access: File server audit logs. If the question involves correlation, the answer is SIEM. If it's about real-time monitoring, the answer is SEM. If it's about long-term storage and reporting, the answer is SIM.
SIEM = SIM (long-term storage) + SEM (real-time monitoring).
Common log sources: firewalls, servers, endpoints, cloud services.
Syslog uses UDP 514 (default) or TCP 6514 (TLS).
Windows Security Event ID 4625 = failed logon; 4624 = successful logon.
NTP (UDP 123) ensures synchronized timestamps for correlation.
CEF (ArcSight) and LEEF (IBM) are proprietary log formats.
Correlation rules use time windows and thresholds to detect attacks.
Log retention periods vary by regulation (e.g., PCI DSS: 1 year).
False positives are reduced by tuning rules and whitelisting.
SIEM can detect brute force, malware beaconing, and privilege escalation.
These come up on the exam all the time. Here's how to tell them apart.
SIEM (Security Information and Event Management)
Real-time correlation and alerting
Normalization and parsing of logs
Dashboards and visualizations
Incident response integration
Uses correlation rules and threat intel
Log Management
Only collects and stores logs
May store raw logs without parsing
Basic search and retrieval
No automated alerting
No correlation or analysis
Mistake
SIEM and log management are the same thing.
Correct
Log management only collects and stores logs. SIEM adds real-time correlation, alerting, and analysis. SY0-701 distinguishes between SIM (long-term storage) and SEM (real-time monitoring).
Mistake
Syslog is only for security events.
Correct
Syslog can carry any type of log (system, application, security). It is a generic transport protocol. Security logs are just one category.
Mistake
More logs always improve security.
Correct
Excessive logs can overwhelm storage and analysts, leading to missed alerts. Tuning and filtering are necessary to focus on relevant events.
Mistake
Correlation rules detect all attacks automatically.
Correct
Correlation rules only detect known patterns. Advanced attacks (zero-days, slow attacks) may bypass rules. Anomaly detection and human analysis are still needed.
Mistake
Windows Event Logs are only accessible locally.
Correct
Windows Event Forwarding (WEF) and agents can forward logs to a SIEM over the network. Event logs can be collected remotely via WinRM.
Log management is simply collecting and storing logs for compliance or troubleshooting. SIEM adds real-time correlation, alerting, and analysis. For example, log management stores 10,000 failed logins; SIEM correlates them and alerts on a brute-force attack. SY0-701 tests this distinction.
The Windows Security log (Event ID 4625). For a domain-joined server, the domain controller also logs authentication events (Event ID 4776 for NTLM). On the exam, if the question mentions a Windows server, look for 'Security log' or 'Event ID 4625'.
NTP synchronizes clocks across devices so that logs from different sources have accurate timestamps. Without NTP, correlation rules might miss events because timestamps are off by seconds or minutes. The exam may ask why timestamps are important for SIEM.
A SIEM uses a correlation rule that counts failed login attempts from a single source IP within a time window (e.g., 10 failures in 5 minutes). When the threshold is exceeded, an alert fires. The rule can also check for successful logins after the failures to see if the attack succeeded.
Both are standardized log formats used by SIEMs. CEF (Common Event Format) is from ArcSight, while LEEF (Log Event Extended Format) is from IBM. They define field names and delimiters for easy parsing. The exam may ask which format a specific SIEM uses.
Yes, by correlating user activity logs. For example, a user accessing files at unusual hours or attempting to escalate privileges. SIEM rules can baseline normal behavior and alert on anomalies. However, insider threats often require additional context from HR or other sources.
Sending all logs without filtering. This leads to high storage costs and alert fatigue. Instead, prioritize critical sources (e.g., domain controllers, firewalls) and tune rules to reduce false positives. The exam may ask about best practices for SIEM deployment.
You've just covered Log Monitoring and SIEM — now see how well it sticks with free SY0-701 practice questions. Full explanations included, no account needed.
Done with this chapter?