The SOC, Logging & SIEM
You cannot defend what you cannot see. This is the room where defenders learn to see.
01 What a SOC actually does
A Security Operations Center (SOC) is the team — and sometimes the physical room — responsible for continuously monitoring, detecting, investigating, and responding to threats. Think of it as the defender's air-traffic control: a stream of signals from across the estate, a set of humans and automation watching that stream, and a mandate to act when something looks wrong.
SOCs run in different shapes. Large enterprises staff a 24x7 in-house SOC; others outsource to a Managed Security Service Provider (MSSP) or a modern MDR (Managed Detection and Response) vendor. Many run a hybrid, keeping incident command in-house while offloading overnight triage.
The daily work is less Hollywood than it sounds. It is triage: an alert fires, an analyst decides whether it is a true positive, a false positive, or a benign true positive, gathers context, and either closes it or escalates. Woven through that are threat hunting, tuning detections, maintaining playbooks, and reporting metrics to leadership.
02 Log sources: the raw material
Detection begins with telemetry — the logs and events systems emit as they operate. The breadth of your logging determines the ceiling of what you can ever detect; a gap in coverage is a blind spot an attacker can walk through.
The workhorse sources include:
- Endpoint — process creation, command lines, registry changes, and on Windows the invaluable
Sysmonand Security event log (e.g.4688process creation,4624/4625logons). - Network — firewall logs, DNS queries, NetFlow, proxy logs, and full packet capture where budget allows.
- Identity — authentication events, MFA prompts, directory changes, impossible-travel signals from the IdP.
- Cloud — control-plane audit logs such as AWS
CloudTrail, Azure Activity/Entra sign-in logs, GCP Audit Logs. - Application — web server access logs, database audit logs, WAF events.
Logs are only useful if they are collected, time-synchronized (via NTP), retained long enough to investigate historically, and protected from tampering — attackers clear logs to cover their tracks, so shipping them off-host in real time matters.
03 SIEM: correlation and alerting
A SIEM — Security Information and Event Management — is the platform that centralizes all that telemetry, normalizes it into a common schema, and lets analysts search, correlate, and alert across it. Splunk, Microsoft Sentinel, Elastic, and Google Chronicle are common examples. The magic word is correlation: individually boring events become a story when combined.
A failed login is noise. Five hundred failed logins followed by one success and a new admin account is an incident.
The SIEM does the heavy lifting: ingestion and parsing, enrichment (adding geolocation, threat-intel context, asset criticality), correlation rules that watch for defined patterns, and alerting that pushes candidates to analysts or a case-management queue. Modern platforms fold in UEBA (User and Entity Behavior Analytics) to flag statistical anomalies — a service account suddenly browsing file shares at midnight — that no static rule anticipated.
SIEMs are frequently paired with SOAR (Security Orchestration, Automation, and Response), which executes playbooks automatically: enrich an alert, quarantine a host, disable an account, open a ticket. Automation is how a small team keeps up with a large alert volume without drowning.
04 EDR and XDR at the endpoint
Where the SIEM sees the whole estate at arm's length, EDR — Endpoint Detection and Response — lives on the host itself. It records granular endpoint activity (process trees, file writes, network connections, in-memory behavior), detects malicious patterns locally, and gives responders the ability to act remotely: isolate the machine from the network, kill a process, pull a file, or collect a forensic package.
EDR was a leap beyond legacy antivirus. Signature AV asks "does this file match known-bad?" — useless against novel or fileless attacks. EDR asks "is this behavior suspicious?" — for example, Word spawning PowerShell that reaches out to a rare domain and injects into another process.
| Capability | Antivirus | EDR | XDR |
|---|---|---|---|
| Primary signal | File signatures | Endpoint behavior | Endpoint + network + identity + cloud |
| Response | Quarantine file | Isolate host, kill process | Coordinated cross-domain response |
| Investigation depth | Minimal | Rich host timeline | Correlated across data sources |
XDR — Extended Detection and Response — stitches endpoint telemetry together with network, identity, email, and cloud signals into one correlated view, aiming to give a single narrative of an attack instead of siloed alerts. The line between a well-integrated SIEM+EDR stack and "XDR" is often more marketing than architecture, so evaluate the integrations, not the acronym.
05 Analysts, alert fatigue, and metrics
Classic SOCs organize people into tiers. Tier 1 analysts triage the alert queue and close or escalate. Tier 2 investigators dig into escalations, pivot across data sources, and scope the incident. Tier 3 — threat hunters, detection engineers, and IR specialists — proactively hunt, build new detections, and handle the hardest cases. Many mature teams are flattening this into a more collaborative model, but the skill progression still holds.
Leadership steers the SOC with two headline metrics:
- MTTD (Mean Time To Detect) — how long from compromise to discovery.
- MTTR (Mean Time To Respond/Remediate) — how long from detection to containment or full resolution.
Both feed the number that actually matters to an attacker's success: dwell time. Industry reports have tracked median dwell time falling dramatically over the past decade — from many months to a couple of weeks — as EDR and managed detection matured, though ransomware crews now aim to detonate in hours or days, compressing the defender's window hard.
⌘ Field Glossary
- SOC
- Security Operations Center; the team and tooling responsible for continuous monitoring, detection, investigation, and response.
- SIEM
- Security Information and Event Management; a platform that centralizes, normalizes, correlates, and alerts on security telemetry from across the environment.
- EDR
- Endpoint Detection and Response; host-based tooling that records granular endpoint activity, detects malicious behavior, and enables remote response like host isolation.
- XDR
- Extended Detection and Response; correlates telemetry across endpoint, network, identity, email, and cloud into a single detection and response view.
- SOAR
- Security Orchestration, Automation, and Response; executes automated playbooks to enrich, contain, and remediate alerts at machine speed.
- Alert fatigue
- The desensitization that occurs when analysts face overwhelming volumes of low-fidelity alerts, causing genuine detections to be missed or dismissed.
- Dwell time
- The elapsed time between an attacker's initial compromise and their detection; the metric MTTD and MTTR ultimately serve to reduce.
Knowledge Check
Field Assessment
01 What is the primary function of a SIEM?
02 How does EDR fundamentally differ from signature-based antivirus?
03 Why is alert fatigue considered a serious SOC risk?