02
16 min read · 5 briefings

The SOC, Logging & SIEM

You cannot defend what you cannot see. This is the room where defenders learn to see.

01 What a SOC actually does

A Security Operations Center (SOC) is the team — and sometimes the physical room — responsible for continuously monitoring, detecting, investigating, and responding to threats. Think of it as the defender's air-traffic control: a stream of signals from across the estate, a set of humans and automation watching that stream, and a mandate to act when something looks wrong.

SOCs run in different shapes. Large enterprises staff a 24x7 in-house SOC; others outsource to a Managed Security Service Provider (MSSP) or a modern MDR (Managed Detection and Response) vendor. Many run a hybrid, keeping incident command in-house while offloading overnight triage.

The daily work is less Hollywood than it sounds. It is triage: an alert fires, an analyst decides whether it is a true positive, a false positive, or a benign true positive, gathers context, and either closes it or escalates. Woven through that are threat hunting, tuning detections, maintaining playbooks, and reporting metrics to leadership.

Insight A SOC's real product is not "alerts closed" — it is reduced dwell time, the window between an attacker getting in and getting caught. Everything else is instrumentation in service of shrinking that number.

02 Log sources: the raw material

Detection begins with telemetry — the logs and events systems emit as they operate. The breadth of your logging determines the ceiling of what you can ever detect; a gap in coverage is a blind spot an attacker can walk through.

The workhorse sources include:

  • Endpoint — process creation, command lines, registry changes, and on Windows the invaluable Sysmon and Security event log (e.g. 4688 process creation, 4624/4625 logons).
  • Network — firewall logs, DNS queries, NetFlow, proxy logs, and full packet capture where budget allows.
  • Identity — authentication events, MFA prompts, directory changes, impossible-travel signals from the IdP.
  • Cloud — control-plane audit logs such as AWS CloudTrail, Azure Activity/Entra sign-in logs, GCP Audit Logs.
  • Application — web server access logs, database audit logs, WAF events.
Pro tip Command-line and process-lineage logging (parent/child process) is the single highest-value telemetry for catching modern intrusions, because so much attacker activity is "living off the land" with legitimate binaries. On Windows, deploy Sysmon and enable command-line auditing before you buy anything fancier.

Logs are only useful if they are collected, time-synchronized (via NTP), retained long enough to investigate historically, and protected from tampering — attackers clear logs to cover their tracks, so shipping them off-host in real time matters.

03 SIEM: correlation and alerting

A SIEM — Security Information and Event Management — is the platform that centralizes all that telemetry, normalizes it into a common schema, and lets analysts search, correlate, and alert across it. Splunk, Microsoft Sentinel, Elastic, and Google Chronicle are common examples. The magic word is correlation: individually boring events become a story when combined.

A failed login is noise. Five hundred failed logins followed by one success and a new admin account is an incident.

The SIEM does the heavy lifting: ingestion and parsing, enrichment (adding geolocation, threat-intel context, asset criticality), correlation rules that watch for defined patterns, and alerting that pushes candidates to analysts or a case-management queue. Modern platforms fold in UEBA (User and Entity Behavior Analytics) to flag statistical anomalies — a service account suddenly browsing file shares at midnight — that no static rule anticipated.

SIEMs are frequently paired with SOAR (Security Orchestration, Automation, and Response), which executes playbooks automatically: enrich an alert, quarantine a host, disable an account, open a ticket. Automation is how a small team keeps up with a large alert volume without drowning.

04 EDR and XDR at the endpoint

Where the SIEM sees the whole estate at arm's length, EDR — Endpoint Detection and Response — lives on the host itself. It records granular endpoint activity (process trees, file writes, network connections, in-memory behavior), detects malicious patterns locally, and gives responders the ability to act remotely: isolate the machine from the network, kill a process, pull a file, or collect a forensic package.

EDR was a leap beyond legacy antivirus. Signature AV asks "does this file match known-bad?" — useless against novel or fileless attacks. EDR asks "is this behavior suspicious?" — for example, Word spawning PowerShell that reaches out to a rare domain and injects into another process.

CapabilityAntivirusEDRXDR
Primary signalFile signaturesEndpoint behaviorEndpoint + network + identity + cloud
ResponseQuarantine fileIsolate host, kill processCoordinated cross-domain response
Investigation depthMinimalRich host timelineCorrelated across data sources

XDR — Extended Detection and Response — stitches endpoint telemetry together with network, identity, email, and cloud signals into one correlated view, aiming to give a single narrative of an attack instead of siloed alerts. The line between a well-integrated SIEM+EDR stack and "XDR" is often more marketing than architecture, so evaluate the integrations, not the acronym.

05 Analysts, alert fatigue, and metrics

Classic SOCs organize people into tiers. Tier 1 analysts triage the alert queue and close or escalate. Tier 2 investigators dig into escalations, pivot across data sources, and scope the incident. Tier 3 — threat hunters, detection engineers, and IR specialists — proactively hunt, build new detections, and handle the hardest cases. Many mature teams are flattening this into a more collaborative model, but the skill progression still holds.

Watch out The occupational hazard of the SOC is alert fatigue. When analysts face thousands of low-fidelity alerts a day, the real one gets buried, dismissed, or auto-closed. Tuning out noise is not laziness — it is survival — but it is exactly how a genuine detection gets ignored. Fidelity beats volume, always.

Leadership steers the SOC with two headline metrics:

  • MTTD (Mean Time To Detect) — how long from compromise to discovery.
  • MTTR (Mean Time To Respond/Remediate) — how long from detection to containment or full resolution.

Both feed the number that actually matters to an attacker's success: dwell time. Industry reports have tracked median dwell time falling dramatically over the past decade — from many months to a couple of weeks — as EDR and managed detection matured, though ransomware crews now aim to detonate in hours or days, compressing the defender's window hard.

Field Glossary

SOC
Security Operations Center; the team and tooling responsible for continuous monitoring, detection, investigation, and response.
SIEM
Security Information and Event Management; a platform that centralizes, normalizes, correlates, and alerts on security telemetry from across the environment.
EDR
Endpoint Detection and Response; host-based tooling that records granular endpoint activity, detects malicious behavior, and enables remote response like host isolation.
XDR
Extended Detection and Response; correlates telemetry across endpoint, network, identity, email, and cloud into a single detection and response view.
SOAR
Security Orchestration, Automation, and Response; executes automated playbooks to enrich, contain, and remediate alerts at machine speed.
Alert fatigue
The desensitization that occurs when analysts face overwhelming volumes of low-fidelity alerts, causing genuine detections to be missed or dismissed.
Dwell time
The elapsed time between an attacker's initial compromise and their detection; the metric MTTD and MTTR ultimately serve to reduce.

Knowledge Check

Field Assessment

0 / 3

01 What is the primary function of a SIEM?

02 How does EDR fundamentally differ from signature-based antivirus?

03 Why is alert fatigue considered a serious SOC risk?

ESC
↑↓ navigate jack in