
# SIEM

## <mark style="color:orange;">What is SIEM?</mark>

Security Information and Event Management (SIEM) systems provide **real-time threat detection, log correlation, and incident response** by aggregating security data from across an organization. This report explores how SIEM works, its key components, and advanced analytics through **interactive visualizations**.

## <mark style="color:orange;">How does it work?</mark>

<figure><img src="/files/c12IvspC6PLc8FASnFIg" alt=""><figcaption><p>siem steps</p></figcaption></figure>

SIEM systems collect, analyze, and respond to security events across an organization’s IT infrastructure. Here’s a detailed breakdown of how they function:

***

### <mark style="color:orange;">**1. Data Collection**</mark>

SIEM gathers security logs from multiple sources, including:

* **Network devices** (firewalls, routers, switches)
* **Servers & endpoints** (Windows/Linux logs, antivirus alerts)
* **Cloud services** (AWS, Azure, Office 365)
* **Security tools** (IDS/IPS, EDR, vulnerability scanners)

📌 **Key Point:**\
SIEMs use **agents, APIs, or syslog** to pull logs in real time.

***

### <mark style="color:orange;">**2. Log Normalization & Parsing**</mark>

Raw logs come in different formats (e.g., JSON, CSV, syslog). The SIEM:

* **Parses** logs to extract key fields (IPs, usernames, timestamps)
* **Normalizes** data into a standard format for analysis

📌 **Example:**\
A firewall log:\
`"Deny TCP 192.168.1.1 → 10.0.0.5 port 22"`\
→ Normalized as:\
`{ "action": "Deny", "src_ip": "192.168.1.1", "dst_ip": "10.0.0.5", "port": "22" }`

***

### <mark style="color:orange;">**3. Event Correlation & Threat Detection**</mark>

SIEM uses **rules, machine learning (ML), and behavioral analytics** to detect threats:

* **Rule-based detection** (e.g., "10 failed logins in a few minutes = brute force attack")
* **Anomaly detection** (e.g., "User logging in at 3 AM from a new country")
* **Threat intelligence matching** (e.g., "IP is on a known malware list")

📌 **Example Attack Detection:**

* **Step 1:** Multiple failed logins → **Brute force alert**
* **Step 2:** Successful login followed by unusual file access → **Potential insider threat**
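As an added example (not code from the original page), here is a minimal Python pipeline that parses the firewall line from step 2 into the normalized form shown there and then applies the step-3 brute-force rule as a sliding-window correlation over constructed SSH-style auth lines; the auth line format, the threshold of 10 failures in 5 minutes, and all sample values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Firewall line format from the page: "Deny TCP 192.168.1.1 → 10.0.0.5 port 22"
FIREWALL_RE = re.compile(r"^(?P<action>Allow|Deny) (?P<proto>\w+) (?P<src_ip>[\d.]+) "
                         r"(?:->|→) (?P<dst_ip>[\d.]+) port (?P<port>\d+)$")
# Assumed SSH-style auth line (constructed format, not from the page):
# "2024-01-01T03:00:05 sshd: Failed password for root from 203.0.113.9"
AUTH_RE = re.compile(r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
                     r"(?P<user>\S+) from (?P<src_ip>[\d.]+)$")

def normalize(line):
    """Parse one raw line into a normalized dict; None if the format is unknown."""
    m = FIREWALL_RE.match(line)
    if m:
        return {"source": "firewall", **m.groupdict()}
    m = AUTH_RE.match(line)
    if m:
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d.pop("ts"))
        d["action"] = "login_failed" if d.pop("result") == "Failed" else "login_success"
        return {"source": "auth", **d}
    return None  # unknown format: a real SIEM would route this to a parse-failure queue

def brute_force_alerts(events, threshold=10, window=timedelta(minutes=5)):
    """Rule: >= threshold failed logins from one src_ip inside a sliding time window."""
    recent = defaultdict(list)  # src_ip -> failure timestamps still inside the window
    alerted, alerts = set(), []
    auth = [e for e in events if e and e["source"] == "auth"]
    for e in sorted(auth, key=lambda e: e["ts"]):  # correlation needs time order
        if e["action"] != "login_failed":
            continue
        hits = recent[e["src_ip"]]
        hits.append(e["ts"])
        hits[:] = [t for t in hits if e["ts"] - t <= window]  # expire old failures
        if len(hits) >= threshold and e["src_ip"] not in alerted:  # one alert per source
            alerted.add(e["src_ip"])
            alerts.append({"rule": "brute_force", "src_ip": e["src_ip"],
                           "count": len(hits), "last_seen": e["ts"].isoformat()})
    return alerts

# Constructed sample: the page's firewall line, 12 failures from one IP in 2 minutes
# (fires the rule), two spread-out failures from another IP (does not), one success.
SAMPLE_LOGS = ["Deny TCP 192.168.1.1 → 10.0.0.5 port 22"] + [
    f"2024-01-01T03:{i // 6:02d}:{i % 6 * 10:02d} sshd: Failed password for root from 203.0.113.9"
    for i in range(12)
] + ["2024-01-01T03:00:30 sshd: Failed password for alice from 198.51.100.4",
     "2024-01-01T03:20:00 sshd: Failed password for alice from 198.51.100.4",
     "2024-01-01T03:02:00 sshd: Accepted password for alice from 198.51.100.4"]
```

Running `brute_force_alerts([normalize(l) for l in SAMPLE_LOGS])` yields a single alert for 203.0.113.9; the second IP's failures fall outside the window and the firewall event is ignored by the auth rule.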

***

### <mark style="color:orange;">**4. Alerting & Incident Response**</mark>

When a threat is detected:

* **Alerts** are sent to SOC (Security Operations Center)
* **Automated actions** (block IP, disable account) via **SOAR** integration
* **Case management** for investigation
