Deep Thoughts Blog

Network+ Exam

Understanding SIEMS

October 29, 2025

  • #network+


SIEM - Security Information and Event Management - provides real-time or near-real-time analysis of security alerts generated by network hardware and applications.

Who uses a SIEM:

  • Cybersecurity analysts
  • System administrators
  • Network administrators

Conducting log reviews should be done regularly and routinely.

A SIEM combines:

  • log collection - provides important forensic tools and helps address compliance reporting.
  • normalization - maps log messages into a common data model, enabling the organization
  • correlation - links the logs and events from different systems into a single data feed.
  • aggregation - reduces event volume by merging duplicate or similar events.
  • reporting - presents the correlated, aggregated data in real-time monitoring dashboards for analysts, or in reports.

Deployment options:

  • Software
  • Hardware appliance
  • Managed service

SIEM best practices:

  1. Log all relevant events and filter out the rest.
  2. Establish and document the scope of events.
  3. Develop use cases to define a threat.
  4. Plan incident responses for given scenarios or events.
  5. Establish a ticketing process to track all flagged events.
  6. Schedule regular threat hunting with cybersecurity analysts.
  7. Provide auditors and analysts with an evidence trail.

SIEM (Security Information & Event Management)

Purpose

  • Collects, normalizes, correlates, and aggregates logs/events from multiple network devices, servers, and applications.
  • Provides real-time or near real-time analysis of security alerts.
  • Helps with incident response, compliance, and forensic analysis.

Exam Tip: SIEM is both reactive (alerts) and proactive (threat hunting, log review).


Functions

  1. Log Collection – Pulls logs from devices/services (via syslog: UDP 514 by default, TCP 514 for reliable delivery, TCP 6514 for syslog over TLS).
  2. Normalization – Converts logs into a common data model for easier comparison.
  3. Correlation – Links related events from multiple systems (e.g., same IP failing multiple logins across devices).
  4. Aggregation – Reduces event volume by merging duplicates/similar events.
  5. Reporting & Dashboards – Presents alerts, KPIs, and compliance reports.

Deployment Models

  • Software-based (installed on servers)
  • Hardware appliances (turnkey SIEM boxes)
  • Managed services (outsourced SIEM/SOC providers)

Use Cases

  • Detect brute force attacks, malware infections, insider threats.
  • Compliance (HIPAA, PCI DSS, SOX, etc.).
  • Forensics (audit trails for investigators).
  • Threat hunting by analysts.

Best Practices

  1. Log all relevant events (firewalls, IDS/IPS, servers, endpoints).
  2. Document scope – Decide which events matter (not everything).
  3. Develop use cases – Define what “suspicious” looks like (e.g., multiple failed logins, data exfiltration).
  4. Plan incident responses – Predefine actions for common alerts.
  5. Ticketing system – Track alerts until resolved.
  6. Routine log reviews – Analysts should regularly review and tune rules.
  7. Auditor trail – Ensure logs are stored, timestamped, and tamper-proof.

Common Ports

  • Syslog → UDP 514 (default, RFC 5426), TCP 514 (reliable delivery; messages are framed per RFC 6587)
  • Syslog over TLS → TCP 6514 (RFC 5425). Some products also listen on a non-standard TCP port such as 1468; that is a vendor choice, not "secure" syslog.
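The port numbers above hide a detail that bites in practice: a UDP datagram carries exactly one syslog message, but TCP (plain 514 or TLS 6514) is a byte stream, so the sender has to mark message boundaries. RFC 6587 and RFC 5425 do this with octet counting (`LENGTH SP MESSAGE`). The following is an added example, not code from the original post, that builds the PRI value (`facility * 8 + severity`), frames messages for TCP, and de-frames a stream that arrives in arbitrary chunks, which is what a collector on 514/TCP actually has to handle. The sample messages are constructed.

```python
import re

# Facility and severity codes from RFC 5424 section 6.2.1 (same numbering as RFC 3164).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] \
             + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def encode_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity, e.g. auth.info -> 38, local0.info -> 134."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(pri: int) -> tuple:
    """Reverse of encode_pri: split the <PRI> number back into (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def frame_udp(msg: str) -> bytes:
    """UDP 514 (RFC 5426): one message per datagram, no framing, no delivery guarantee."""
    return msg.encode()


def frame_tcp(msg: str) -> bytes:
    """TCP 514 / TLS 6514 octet counting (RFC 6587 / RFC 5425): MSG-LEN SP MSG.
    The length lets the receiver find message boundaries inside the byte stream."""
    body = msg.encode()
    return f"{len(body)} ".encode() + body


def deframe_tcp(buffer: bytes):
    """Pull every complete octet-counted message out of a stream buffer.
    Returns (messages, leftover) so a partially received message is kept for the next read."""
    messages = []
    while True:
        m = re.match(rb"(\d+) ", buffer)
        if not m:
            break  # no complete length prefix yet (or garbage); wait for more data
        length = int(m.group(1))
        start, end = m.end(), m.end() + length
        if end > len(buffer):
            break  # message body not fully received yet
        messages.append(buffer[start:end].decode())
        buffer = buffer[end:]
    return messages, buffer


def receive_stream(chunks):
    """Feed chunks the way a TCP socket would deliver them (arbitrary boundaries)."""
    buf, received = b"", []
    for chunk in chunks:
        buf += chunk
        msgs, buf = deframe_tcp(buf)
        received.extend(msgs)
    return received, buf


# Constructed sample messages (not real logs): an SSH auth failure and a firewall drop.
SAMPLE_MESSAGES = [
    f"<{encode_pri('auth', 'info')}>Oct 29 10:00:05 srv01 sshd[4021]: "
    "Failed password for root from 203.0.113.7 port 51122 ssh2",
    f"<{encode_pri('local0', 'warning')}>Oct 29 10:00:06 fw01 kernel: "
    "DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=22",
]

if __name__ == "__main__":
    stream = b"".join(frame_tcp(m) for m in SAMPLE_MESSAGES)
    # Split the stream at awkward 17-byte boundaries to show the framing surviving it.
    chunks = [stream[i:i + 17] for i in range(0, len(stream), 17)]
    msgs, leftover = receive_stream(chunks)
    for m in msgs:
        pri = int(m[1:m.index(">")])
        print(decode_pri(pri), m)
    print("leftover bytes:", leftover)
```

Without the length prefix (or the alternative LF-delimited "non-transparent" framing from RFC 6587), a collector reading from a TCP socket would merge or split messages whenever a read() boundary fell mid-message, which is exactly the kind of corruption that makes later correlation unreliable.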

Example Workflow

  1. Firewall sends logs → Syslog server.
  2. SIEM collects & normalizes.
  3. SIEM correlates events (e.g., login from an unusual country + large data download shortly after = alert).
  4. Analyst sees alert on dashboard → opens a ticket → begins incident response.
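The five functions listed under Functions and the four-step workflow above, run end to end as an added example (not code from the original post): raw RFC 3164 syslog lines are collected and parsed, normalized into one common data model, aggregated so identical events collapse into a count, and correlated with a rule that flags the same source IP failing logins on any host within a window. The log lines, the hosts fw01/srv01/srv02, the fixed year (RFC 3164 timestamps carry none) and the threshold of 3 failures in 60 seconds are all constructed assumptions for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines as a collector on 514 would hand them to the SIEM.
# Three identical firewall drops, four SSH failures from one IP across two hosts,
# one legitimate login, and one isolated failure from a second IP. Not real logs.
SAMPLE_LOGS = [
    "<134>Oct 29 10:00:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=22",
    "<134>Oct 29 10:00:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=22",
    "<134>Oct 29 10:00:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=22",
    "<38>Oct 29 10:00:05 srv01 sshd[4021]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "<38>Oct 29 10:00:09 srv01 sshd[4021]: Failed password for root from 203.0.113.7 port 51130 ssh2",
    "<38>Oct 29 10:00:12 srv02 sshd[1180]: Failed password for admin from 203.0.113.7 port 51141 ssh2",
    "<38>Oct 29 10:00:14 srv02 sshd[1180]: Failed password for admin from 203.0.113.7 port 51150 ssh2",
    "<38>Oct 29 10:00:30 srv01 sshd[4030]: Accepted password for alice from 198.51.100.20 port 40010 ssh2",
    "<38>Oct 29 10:02:00 srv02 sshd[1190]: Failed password for bob from 198.51.100.20 port 40020 ssh2",
]

ASSUMED_YEAR = 2025  # assumption: RFC 3164 timestamps have no year field

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
SSH_OK_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
FW_DROP_RE = re.compile(r"DROP .*SRC=(?P<ip>\S+)")


def parse_syslog(line: str) -> dict:
    """Collection step: split a raw RFC 3164 line into its fixed fields."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable syslog line: {line!r}")
    pri = int(m["pri"])
    ts_text = re.sub(r"\s+", " ", m["ts"])  # "Oct  9" -> "Oct 9"
    ts = datetime.strptime(f"{ASSUMED_YEAR} {ts_text}", "%Y %b %d %H:%M:%S")
    return {"severity": pri & 7, "facility": pri >> 3, "ts": ts,
            "host": m["host"], "app": m["app"], "msg": m["msg"]}


def normalize(rec: dict) -> dict:
    """Normalization step: map source-specific text onto one common data model."""
    event = {"ts": rec["ts"], "host": rec["host"], "severity": rec["severity"],
             "event_type": "other", "src_ip": None, "user": None}
    msg = rec["msg"]
    if rec["app"] == "sshd":
        if (m := SSH_FAIL_RE.search(msg)):
            event.update(event_type="auth_failure", user=m["user"], src_ip=m["ip"])
        elif (m := SSH_OK_RE.search(msg)):
            event.update(event_type="auth_success", user=m["user"], src_ip=m["ip"])
    elif rec["app"] == "kernel" and (m := FW_DROP_RE.search(msg)):
        event.update(event_type="fw_drop", src_ip=m["ip"])
    return event


def aggregate(events: list) -> list:
    """Aggregation step: merge events identical in every field into one event with a count."""
    merged = {}
    for e in events:
        key = (e["ts"], e["host"], e["event_type"], e["src_ip"], e["user"])
        if key in merged:
            merged[key]["count"] += 1
        else:
            merged[key] = dict(e, count=1)
    return list(merged.values())


def correlate_bruteforce(events: list, threshold: int = 3,
                         window: timedelta = timedelta(seconds=60)) -> list:
    """Correlation step: one source IP failing logins on any hosts within the window."""
    by_ip = {}
    for e in events:
        if e["event_type"] == "auth_failure":
            by_ip.setdefault(e["src_ip"], []).append(e)
    alerts = []
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        for i, first in enumerate(fails):
            in_window = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            total = sum(e.get("count", 1) for e in in_window)
            if total >= threshold:
                alerts.append({"rule": "auth_bruteforce", "src_ip": ip, "count": total,
                               "hosts": sorted({e["host"] for e in in_window}),
                               "users": sorted({e["user"] for e in in_window}),
                               "first": first["ts"], "last": in_window[-1]["ts"]})
                break  # one alert per source IP; the analyst's ticket tracks the rest
    return alerts


def run_pipeline(lines: list):
    """Collect -> normalize -> aggregate -> correlate, as in the workflow above."""
    aggregated = aggregate(normalize(parse_syslog(line)) for line in lines)
    return aggregated, correlate_bruteforce(aggregated)


if __name__ == "__main__":
    aggregated, alerts = run_pipeline(SAMPLE_LOGS)
    print(f"{len(SAMPLE_LOGS)} raw lines -> {len(aggregated)} aggregated events")
    for a in alerts:  # reporting step: what the dashboard would show the analyst
        print(f"ALERT {a['rule']}: {a['src_ip']} made {a['count']} failed logins on "
              f"{a['hosts']} between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

Two things worth noticing: the correlation fires even though no single host saw more than two failures, which is exactly what per-host tooling misses and a SIEM catches; and the single failure from 198.51.100.20 stays below the threshold, so the use case (best practice 3) is what keeps the analyst from drowning in noise.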

Must Know for Exam

  • SIEM = Log collection + Normalization + Correlation + Aggregation + Reporting.
  • Syslog default port UDP 514 (TCP 514 for reliable delivery; TCP 6514 for syslog over TLS).
  • SIEM is used by Cybersecurity Analysts, System Admins, and Network Admins.
  • Key feature: real-time monitoring and compliance evidence.

⚡ Quick Flashcards:

Q: Default Syslog port?

A: UDP 514

Q: SIEM’s core processing functions?

A: Collection, Normalization, Correlation, Aggregation (Reporting/Dashboards then present the result)

Q: Who uses SIEM?

A: Cybersecurity Analysts, System Admins, Network Admins

Q: What’s correlation in SIEM?

A: Linking related events across different sources