Modern security operations have evolved from reactive event monitoring to proactive threat detection. The CISSP exam tests Domain 7's security operations concepts at the managerial level: understanding the capabilities and purpose of key monitoring technologies, how they complement each other, and the governance decisions that affect their effectiveness. SIEM, UEBA, and threat hunting are the three interconnected pillars of advanced threat detection that the exam tests together.

SIEM Architecture: Log Aggregation, Correlation, and Alerting

A Security Information and Event Management (SIEM) system is the central nervous system of a modern Security Operations Centre (SOC). It collects log and event data from across the organisation's infrastructure, applies correlation rules to identify security events, and generates alerts for analyst review.

SIEM log sources include: network devices (firewalls, routers, switches), servers (Windows event logs, syslog from Linux/Unix), endpoints (EDR agents, antivirus logs), applications (web servers, databases, identity providers), cloud platforms (AWS CloudTrail, Azure Monitor), and security devices (IDS/IPS, proxies, email security gateways).

Log normalisation is the process of transforming logs from different sources (each with its own format) into a common schema that the SIEM can process consistently. Without normalisation, correlating events from a Windows server (XML event log format) with a Linux server (syslog format) and a firewall (vendor-specific format) would be impossible.

Correlation rules define the conditions that constitute a security event worth investigating. A simple rule might be: "five failed login attempts followed by a successful login from the same source IP within ten minutes triggers a brute force alert." Complex rules may involve events from multiple systems: failed login followed by VPN connection from an unusual country followed by large data transfer to an external IP.
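As an added example (not code from the original article), the following Python models the normalisation step and the brute force correlation rule quoted above: constructed sshd syslog lines and Windows Security logon events are mapped onto one common schema, and a sliding-window rule fires when five failures from one source IP are followed by a success within ten minutes. The schema field names, log samples and event IDs shown are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample records: sshd syslog lines and Windows logon events (4625 = failed, 4624 = success).
SYSLOG_LINES = [
    "2024-05-01T09:00:05 srv1 sshd[101]: Failed password for alice from 203.0.113.7",
    "2024-05-01T09:01:10 srv1 sshd[102]: Failed password for alice from 203.0.113.7",
    "2024-05-01T09:02:20 srv1 sshd[103]: Failed password for alice from 203.0.113.7",
]
WINDOWS_EVENTS = [
    {"TimeCreated": "2024-05-01T09:03:00", "EventID": 4625, "TargetUserName": "alice", "IpAddress": "203.0.113.7"},
    {"TimeCreated": "2024-05-01T09:04:15", "EventID": 4625, "TargetUserName": "alice", "IpAddress": "203.0.113.7"},
    {"TimeCreated": "2024-05-01T09:06:30", "EventID": 4624, "TargetUserName": "alice", "IpAddress": "203.0.113.7"},
    {"TimeCreated": "2024-05-01T10:00:00", "EventID": 4624, "TargetUserName": "bob", "IpAddress": "198.51.100.9"},
]
SYSLOG_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")

def normalise_syslog(line):
    # Normalisation: map an sshd syslog line onto the common schema (None if it does not match).
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, outcome, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src_ip": src, "user": user,
            "outcome": "failure" if outcome == "Failed" else "success"}

def normalise_windows(ev):
    # Normalisation: map a Windows logon event onto the same schema (None for other event IDs).
    outcome = {4625: "failure", 4624: "success"}.get(ev["EventID"])
    return outcome and {"ts": datetime.fromisoformat(ev["TimeCreated"]), "src_ip": ev["IpAddress"],
                        "user": ev["TargetUserName"], "outcome": outcome}

def brute_force_alerts(events, threshold=5, window=timedelta(minutes=10)):
    # Correlation rule: >= threshold failures from one source IP, then a success, inside a sliding window.
    failures, alerts = defaultdict(list), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        bucket = failures[ev["src_ip"]]
        bucket[:] = [t for t in bucket if ev["ts"] - t <= window]  # age out failures older than the window
        if ev["outcome"] == "failure":
            bucket.append(ev["ts"])
        elif len(bucket) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "src_ip": ev["src_ip"],
                           "user": ev["user"], "failures": len(bucket), "at": ev["ts"]})
            bucket.clear()  # one alert per burst, not one per later success
    return alerts

def run_pipeline():
    events = [e for e in map(normalise_syslog, SYSLOG_LINES) if e]
    events += [e for e in map(normalise_windows, WINDOWS_EVENTS) if e]
    return brute_force_alerts(events)
```

Running `run_pipeline()` on the constructed data yields one alert for 203.0.113.7 (five failures across both log formats, then a success at 09:06:30); bob's lone successful logon produces none.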

Alerts generated by the SIEM are reviewed by SOC analysts. Alert triage — determining whether an alert is a true positive (real attack), false positive (rule incorrectly fired), or noise (expected behaviour that was not excluded from the rule scope) — is the primary work of Tier 1 SOC analysts.