Advanced Defense (Blue Team)
SIEM and Event Correlation
A SIEM (Security Information and Event Management) is the Blue Team’s central hub. It aggregates logs from multiple sources, applies correlation rules, and fires alerts when suspicious patterns emerge.
Ingestion architecture
Firewall ──┐
IDS/IPS ──┤──► Agent/Syslog ──► Ingestor ──► Parser ──► Index ──► Correlation
Servers ──┘
Common sources: syslogs (syslog-ng, rsyslog), cloud APIs (AWS CloudTrail, Azure Monitor), EDR, DNS, web proxy.
Normalization and parsing
Before correlating, each log is parsed into structured fields.
Raw: "Jun 25 10:14:32 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.1.5 DPT=22"
Parsed:
timestamp: 2026-06-25T10:14:32Z
host: fw01
action: DROP
src_ip: 203.0.113.9
dst_ip: 10.0.1.5
dst_port: 22
Tools: Logstash, Fluentd, Cribl. Common unified format: ECS (Elastic Common Schema).
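As an added example (not code from the page or from any of the tools named above), the following Python parser turns the raw firewall line shown above into the structured fields listed under "Parsed:", then renames them to ECS-style keys. The regexes, the `year` parameter (BSD syslog carries no year, so the ingestor must supply it) and the field mapping are assumptions chosen for this illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample line, same shape as the page's raw example (iptables-style kernel log).
RAW_LINE = "Jun 25 10:14:32 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.1.5 DPT=22"

# BSD syslog header: "Mon DD HH:MM:SS host program: message"
HEADER_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<program>[^:]+):\s+(?P<message>.*)$"
)
# The firewall message is an action word followed by KEY=VALUE pairs.
KV_RE = re.compile(r"(\w+)=(\S*)")

# Firewall keys -> normalized names used on the page (assumed mapping; unknown keys are dropped).
FIELD_MAP = {"SRC": "src_ip", "DST": "dst_ip", "DPT": "dst_port", "SPT": "src_port", "IN": "in_iface"}
INT_FIELDS = {"dst_port", "src_port"}

# Normalized names -> ECS field names (flat dotted keys); unmapped names pass through unchanged.
ECS_MAP = {"timestamp": "@timestamp", "host": "host.name", "program": "process.name",
           "action": "event.action", "src_ip": "source.ip", "dst_ip": "destination.ip",
           "dst_port": "destination.port", "src_port": "source.port"}


def parse_firewall_line(line: str, year: int = 2026) -> dict:
    """Parse one syslog firewall line into structured fields.

    The syslog header has no year, so the caller supplies it (assumption: the
    ingestor takes it from ingestion time). Raises ValueError on a malformed line
    so the pipeline can route it to a dead-letter index instead of silently dropping it.
    """
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    event = {
        "timestamp": ts.replace(tzinfo=timezone.utc).isoformat().replace("+00:00", "Z"),
        "host": m["host"],
        "program": m["program"],
    }
    msg = m["message"]
    first, _, rest = msg.partition(" ")
    if "=" not in first:          # leading token without '=' is the action (DROP/ACCEPT)
        event["action"] = first
        msg = rest
    for key, value in KV_RE.findall(msg):
        name = FIELD_MAP.get(key)
        if name is None:
            continue
        event[name] = int(value) if name in INT_FIELDS else value
    return event


def to_ecs(event: dict) -> dict:
    """Rename normalized fields to their ECS equivalents."""
    return {ECS_MAP.get(k, k): v for k, v in event.items()}


if __name__ == "__main__":
    parsed = parse_firewall_line(RAW_LINE)
    print(parsed)
    print(to_ecs(parsed))
```

The parser deliberately raises on lines it cannot match rather than emitting a half-filled event; a correlation rule that keys on `src_ip` would otherwise never see the event and the gap would go unnoticed.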
Correlation rules
Correlation links separate events that together indicate an attack.
RULE: "SSH Brute Force"
Condition: action=FAIL AND dst_port=22
Group by: src_ip
Threshold: count >= 10 within 60 seconds
Action: HIGH ALERT + block IP via firewall API
More complex correlation examples:
- Failed login → successful login → access to sensitive data (lateral movement)
- Port scan + exploit attempt + reverse shell from the same src_ip within 5 minutes
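The "SSH Brute Force" threshold rule and the scan → exploit → reverse shell sequence above, implemented as an added example in Python (not code from the page or from any SIEM product). Events are assumed to be already normalized dicts arriving in time order; the rule classes, field names `event_type` and `src_ip`, and the sample stream are constructed for this illustration. The firewall-API block action from the rule definition is left as a comment since it depends on the vendor.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def _ts(event: dict) -> datetime:
    """Parse the event's ISO-8601 timestamp (accepts a trailing 'Z')."""
    return datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))


class ThresholdRule:
    """Count matching events per group key in a sliding window; alert once per window."""

    def __init__(self, name, condition, group_by, threshold, window_seconds, severity="HIGH"):
        self.name, self.condition, self.group_by = name, condition, group_by
        self.threshold, self.severity = threshold, severity
        self.window = timedelta(seconds=window_seconds)
        self._windows = defaultdict(deque)  # key -> timestamps of matches still inside the window
        self._last_fired = {}               # key -> time of last alert, so we do not re-fire per event

    def process(self, event):
        if not self.condition(event):
            return None
        key, now = event[self.group_by], _ts(event)
        win = self._windows[key]
        win.append(now)
        while win and now - win[0] > self.window:   # expire matches older than the window
            win.popleft()
        last = self._last_fired.get(key)
        if len(win) >= self.threshold and (last is None or now - last >= self.window):
            self._last_fired[key] = now
            # Production action for HIGH: call the firewall API to block `key` (vendor-specific).
            return {"rule": self.name, "severity": self.severity, self.group_by: key,
                    "count": len(win), "first_seen": win[0].isoformat(), "last_seen": now.isoformat()}
        return None


class SequenceRule:
    """Alert when the stages occur in order, for the same key, within the window (>= 2 stages)."""

    def __init__(self, name, stages, group_by, window_seconds, severity="HIGH"):
        self.name, self.stages, self.group_by, self.severity = name, stages, group_by, severity
        self.window = timedelta(seconds=window_seconds)
        self._progress = {}  # key -> (time of stage 0, number of stages matched so far)

    def process(self, event):
        key, now, stage = event[self.group_by], _ts(event), event.get("event_type")
        if stage == self.stages[0]:
            self._progress[key] = (now, 1)      # (re)start the chain
            return None
        start, done = self._progress.get(key, (None, 0))
        if start is None or now - start > self.window:
            return None                         # nothing pending, or the chain timed out
        if stage == self.stages[done]:
            done += 1
            if done == len(self.stages):
                del self._progress[key]
                return {"rule": self.name, "severity": self.severity, self.group_by: key,
                        "first_seen": start.isoformat(), "last_seen": now.isoformat()}
            self._progress[key] = (start, done)
        return None


def constructed_events():
    """Constructed sample stream (not real telemetry), normalized and returned in time order."""
    base = datetime(2026, 6, 25, 10, 14, 0, tzinfo=timezone.utc)
    at = lambda s: (base + timedelta(seconds=s)).isoformat()
    events = [{"timestamp": at(3 * i), "action": "FAIL", "dst_port": 22, "src_ip": "198.51.100.7"}
              for i in range(12)]                                   # 12 SSH failures in 33 s
    events += [{"timestamp": at(10 * i), "action": "FAIL", "dst_port": 22, "src_ip": "192.0.2.5"}
               for i in range(3)]                                   # below threshold: no alert
    events += [
        {"timestamp": at(60), "event_type": "port_scan", "src_ip": "203.0.113.9"},
        {"timestamp": at(150), "event_type": "exploit_attempt", "src_ip": "203.0.113.9"},
        {"timestamp": at(240), "event_type": "reverse_shell", "src_ip": "203.0.113.9"},
        {"timestamp": at(400), "event_type": "reverse_shell", "src_ip": "192.0.2.5"},  # no prior stages
    ]
    return sorted(events, key=lambda e: e["timestamp"])


def run_rules(events):
    rules = [
        ThresholdRule("SSH Brute Force", lambda e: e.get("action") == "FAIL" and e.get("dst_port") == 22,
                      "src_ip", threshold=10, window_seconds=60),
        SequenceRule("Scan-Exploit-Shell", ["port_scan", "exploit_attempt", "reverse_shell"],
                     "src_ip", window_seconds=300),
    ]
    return [alert for event in events for rule in rules if (alert := rule.process(event))]


if __name__ == "__main__":
    for a in run_rules(constructed_events()):
        print(a)
```

Two design points worth noting: the threshold rule records when it last fired per key, so a source that keeps failing does not generate one alert per event after the tenth; and the sequence rule restarts whenever it sees stage 0 again, so a fresh scan from the same source starts a new 5-minute window instead of extending an old one.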
Alert management and tuning
False positives destroy trust in the SIEM. Strategies:
- Dynamic whitelist: IPs of internal scanners, CI/CD pipelines.
- Behavior baseline: alert on deviation from normal (UEBA).
- Severity scoring: CVSS + context of the affected asset.
- Timed suppression: silence alerts during maintenance windows.
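As an added example (not the page's or any vendor's code), the following Python triage step applies three of the strategies above to alerts coming out of the correlation engine: a dynamic whitelist for internal scanner and CI/CD ranges, timed suppression for hosts under maintenance, and a severity score that weights the CVSS base score by the affected asset's criticality. The whitelist, maintenance windows, asset weights, score thresholds and sample alerts are all constructed for the illustration; the weighting scheme is one possible choice, not a standard.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed dynamic whitelist: the organisation's own scanners and CI/CD runners.
# Assumption: in production this list is fed from the asset inventory, not hard-coded.
WHITELIST = [ipaddress.ip_network(n) for n in ("10.0.9.0/24", "10.0.50.10/32")]

# Constructed maintenance windows (UTC): (start, end, hosts being worked on).
MAINTENANCE = [
    (datetime(2026, 6, 25, 22, 0, tzinfo=timezone.utc),
     datetime(2026, 6, 26, 2, 0, tzinfo=timezone.utc), {"db01", "db02"}),
]

# Constructed asset context: weight applied to the CVSS base score per affected host.
ASSET_WEIGHT = {"db01": 1.0, "web01": 0.7, "devbox03": 0.3}
DEFAULT_WEIGHT = 0.5  # unknown assets are neither boosted nor ignored


def is_whitelisted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)


def in_maintenance(host: str, when: datetime) -> bool:
    return any(start <= when < end and host in hosts for start, end, hosts in MAINTENANCE)


def score(base_cvss: float, host: str):
    """Weight the CVSS base score by asset context and bucket it into HIGH/MED/LOW."""
    s = round(base_cvss * ASSET_WEIGHT.get(host, DEFAULT_WEIGHT), 1)
    severity = "HIGH" if s >= 7.0 else "MED" if s >= 4.0 else "LOW"
    return s, severity


def triage(alert: dict) -> dict:
    """Return a copy of the alert with a disposition and contextual severity.

    Suppressed alerts are kept with a reason rather than deleted, so that tuning
    decisions stay auditable and whitelist abuse can still be reviewed later.
    """
    out = dict(alert)
    when = datetime.fromisoformat(alert["timestamp"].replace("Z", "+00:00"))
    out["score"], out["severity"] = score(alert["cvss"], alert["host"])
    if is_whitelisted(alert["src_ip"]):
        out["disposition"] = "suppressed:whitelist"
    elif in_maintenance(alert["host"], when):
        out["disposition"] = "suppressed:maintenance"
    else:
        out["disposition"] = "open"
    return out


# Constructed alerts (not real detections).
SAMPLE_ALERTS = [
    {"id": 1, "timestamp": "2026-06-25T10:20:00Z", "src_ip": "10.0.9.15", "host": "web01", "cvss": 9.8},
    {"id": 2, "timestamp": "2026-06-25T23:30:00Z", "src_ip": "203.0.113.7", "host": "db01", "cvss": 7.5},
    {"id": 3, "timestamp": "2026-06-25T10:20:00Z", "src_ip": "203.0.113.7", "host": "db01", "cvss": 7.5},
    {"id": 4, "timestamp": "2026-06-25T10:20:00Z", "src_ip": "198.51.100.3", "host": "devbox03", "cvss": 9.8},
]


def triage_all(alerts=SAMPLE_ALERTS):
    return [triage(a) for a in alerts]


if __name__ == "__main__":
    for a in triage_all():
        print(a["id"], a["disposition"], a["severity"], a["score"])
```

Note that the maintenance check is scoped to the hosts named in the window, not to the whole SIEM: an alert against an unlisted host during the same hours is still raised, which is what keeps timed suppression from becoming a blind spot.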
Dashboards and metrics
SOC Panel:
- Open alerts by severity (HIGH/MED/LOW)
- MTTD: mean time to detect
- MTTR: mean time to respond
- Top 10 source IPs in DROP rules
- Log volume ingested per source
Popular tools
| Tool | Type | Highlight |
|---|---|---|
| Elastic SIEM | Open/Cloud | Native ECS, KQL, ML alerts |
| Splunk | Commercial | Powerful SPL, app marketplace |
| Wazuh | Open | XDR + SIEM, lightweight |
| Microsoft Sentinel | Cloud | Azure/M365 integration |
Best practices
- Centralize all logs before starting to correlate.
- Define a retention SLA (minimum 90 days online, 1 year in cold storage).
- Version detection rules in Git (Detection-as-Code).
- Review rules monthly: the environment changes, rules must change with it.