SIEM architecture
Security Information and Event Management (SIEM)
At its core, SIEM is the monitoring of all incoming and outgoing traffic logs by automated software, with human analysts reviewing the alerts the system generates.
SIEM is a capability which consists of tools that are also called SIEM (pretty confusing, to be honest).
SIEM works by running every log fed to it against a set of rules called USE CASES and triggering alerts when those rules match. These alerts are monitored 24*7 by the SIEM team, which comprises Junior Analysts (L1), Analysts (L2), Senior Analysts (L3), a SIEM admin (L3), a SIEM manager and an Architect.
L1 basically checks whether an alert is a false positive or a genuine alert.
If L1 is not able to analyze the issue, it is passed on to L2, who identifies the important mitigation actions and passes them on to the relevant teams in the SOC (antivirus team, firewall team etc.).
L3/SIEM admin usually configures the USE CASES and adds new rules against new threats. L3 also handles complicated issues such as log source configuration, SIEM configuration, immediate threats and diagnosing complex problems.
The SIEM manager generally reviews the health report of the system and checks team and cross-team functioning. The SIEM manager is often a technical person.
The Architect is often shared among multiple teams. This is the person who comes into play when the SIEM is set up for the first time, or who helps L3 with complicated issues.
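To make the "logs run against USE CASES, alerts go to the team" mechanism above concrete, here is a small correlation engine written as an added example for this page; it is not code from any SIEM product. It feeds constructed sample log events through two hypothetical use-case rules (a brute-force rule, UC-001, and a disabled-account login rule, UC-002) and returns the alerts an L1 analyst would then triage. The event format, rule names, thresholds and the disabled-account watchlist are all assumptions made for the example.

```python
"""Toy SIEM correlation engine (added example, not from any product).

Each rule is a USE CASE: it inspects events one at a time and returns an
alert dict when its condition is met. The engine runs every event through
every rule, which is the core loop a SIEM performs on ingested logs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, event_type, user, src_ip)
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "login_failed", "alice", "10.0.0.5"),
    ("2024-01-01T10:00:10", "login_failed", "alice", "10.0.0.5"),
    ("2024-01-01T10:00:20", "login_failed", "alice", "10.0.0.5"),
    ("2024-01-01T10:00:30", "login_failed", "alice", "10.0.0.5"),
    ("2024-01-01T10:00:40", "login_failed", "alice", "10.0.0.5"),
    ("2024-01-01T10:00:50", "login_success", "alice", "10.0.0.5"),
    ("2024-01-01T11:00:00", "login_failed", "bob", "10.0.0.9"),
    ("2024-01-01T12:00:00", "login_failed", "bob", "10.0.0.9"),
    ("2024-01-01T12:30:00", "login_success", "svc_disabled", "10.0.0.7"),
]

# Constructed watchlist of accounts that should never log in successfully.
DISABLED_ACCOUNTS = {"svc_disabled"}


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


class BruteForceRule:
    """UC-001 (hypothetical): N or more failed logins for one (user, src_ip)
    inside a sliding time window."""

    name = "UC-001 brute force"
    severity = "medium"

    def __init__(self, threshold=5, window=timedelta(minutes=5)):
        self.threshold = threshold
        self.window = window
        self.history = defaultdict(deque)  # (user, src_ip) -> failure timestamps

    def evaluate(self, event):
        ts, event_type, user, src_ip = event
        if event_type != "login_failed":
            return None
        window = self.history[(user, src_ip)]
        window.append(ts)
        # Drop failures that have aged out of the window.
        while window and ts - window[0] > self.window:
            window.popleft()
        if len(window) >= self.threshold:
            window.clear()  # one burst should raise one alert, not one per extra failure
            return {"rule": self.name, "severity": self.severity,
                    "user": user, "src_ip": src_ip, "time": ts.isoformat()}
        return None


class DisabledAccountRule:
    """UC-002 (hypothetical): a successful login by an account on the disabled list."""

    name = "UC-002 disabled account login"
    severity = "high"

    def __init__(self, disabled_accounts):
        self.disabled_accounts = disabled_accounts

    def evaluate(self, event):
        ts, event_type, user, src_ip = event
        if event_type == "login_success" and user in self.disabled_accounts:
            return {"rule": self.name, "severity": self.severity,
                    "user": user, "src_ip": src_ip, "time": ts.isoformat()}
        return None


def default_rules():
    """Fresh rule instances; rules carry state, so build a new set per run."""
    return [BruteForceRule(), DisabledAccountRule(DISABLED_ACCOUNTS)]


def run_use_cases(raw_events, rules):
    """Run every event (in time order) through every rule; collect the alerts."""
    alerts = []
    for ts_value, event_type, user, src_ip in sorted(raw_events):
        event = (parse_ts(ts_value), event_type, user, src_ip)
        for rule in rules:
            alert = rule.evaluate(event)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_use_cases(SAMPLE_EVENTS, default_rules()):
        print(alert)
```

On the sample data this yields two alerts: UC-001 fires once for alice after her fifth failure inside the five-minute window, while bob's two failures an hour apart never reach the threshold, and UC-002 fires for the svc_disabled login. The `window.clear()` after an alert is the kind of tuning decision an L3/SIEM admin makes when writing use cases: without it a long brute-force burst would flood L1 with one alert per extra failure.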
There are different SIEMs on the market, mostly divided into cloud SIEM and conventional SIEM.
Popular cloud SIEMs are Azure Sentinel, Splunk Cloud etc.
Popular conventional SIEMs are Splunk, ArcSight, IBM QRadar etc.
IBM QRadar: IBM QRadar is a modular system and is therefore suitable for medium to large companies. Furthermore, it can be deployed as a standalone system, in a distributed architecture or in the cloud.