SOC (Security Operations Center)
SOAR (Security Orchestration, Automation, and Response)
SIEM (Security Information and Event Management)
🔍 What is SIEM (Security Information and Event Management)?
📌 Definition:
SIEM is a platform that collects, aggregates, normalizes, and analyzes security data from across your infrastructure in real time.
Key Functions:
Function | Description |
Log Collection | Ingest logs from firewalls, servers, endpoints, cloud apps, etc. |
Normalization | Unifies different log formats for easy analysis |
Correlation | Detect patterns and threats across systems |
Alerting | Trigger alerts on suspicious behavior |
Dashboards & Reports | Visualize threats, compliance status, trends |
🧠 Think of it as:
"Your security team's central brain for detection and monitoring."
✅ Popular SIEM Tools:
Splunk (very popular and powerful)
IBM QRadar
Microsoft Sentinel
Elastic Security (ELK Stack)
Sumo Logic
LogRhythm
🤖 What is SOAR (Security Orchestration, Automation, and Response)?
📌 Definition:
SOAR automates the investigation and response to alerts generated by your SIEM or other tools.
Key Functions:
Function | Description |
Playbooks | Automated response workflows (e.g., block IP, isolate host) |
Case Management | Tracks incidents, tickets, and analyst actions |
Threat Intelligence Integration | Uses threat feeds to enrich alerts |
Automation | Reduces manual work and speeds up response |
🧠 Think of it as:
"Your security team's hands, arms, and decision engine to act on threats."
✅ Popular SOAR Tools:
Palo Alto Cortex XSOAR
Splunk SOAR (formerly Phantom)
IBM Resilient
Swimlane
Microsoft Sentinel (has SOAR capabilities)
Siemplify (by Google)
🎯 SIEM vs SOAR – Quick Comparison
Feature | SIEM | SOAR |
Main Focus | Threat detection and monitoring | Automated response and orchestration |
Data Source | Logs, events, alerts | SIEM, threat intel, firewalls, email, etc. |
User | SOC Analyst (Tier 1 & 2) | Incident Responder (Tier 2 & 3) |
Automation? | Limited (e.g., alerting) | Extensive (playbooks, enrichment, response) |
Example Task | Alert if a user logs in from two countries in 1 hour | Automatically disable the account and create a ticket |
💬 Interview-Ready Summary
“SIEM is the eyes and ears of the SOC, collecting and detecting threats in real-time by analyzing logs and events. SOAR is the hands and brain, helping automate investigations and responses using predefined playbooks. Together, they improve detection-to-response time and reduce analyst fatigue.”
📦 Example Scenario
A user logs in from Russia at 2 AM.
Tier 1 analyst sees a SIEM alert.
Tier 2 checks logs and user behavior → confirms it's unauthorized.
SOAR runs a playbook to disable the account and notify the user.
Tier 3 investigates deeper and adds a detection rule for similar behavior.
💬 Interview-Ready Summary
“A SOC is the command center for cyber defense. It brings together people, processes, and technology to continuously monitor and respond to threats. It uses tools like SIEM and SOAR, and involves multiple analyst tiers who handle everything from alert triage to full-blown incident response and threat hunting.”
Part 1: SIEM in AWS + Splunk
🔐 AWS Native SIEM-Like Tools
Tool | Purpose |
Amazon CloudTrail | Logs API calls across AWS accounts |
Amazon GuardDuty | Threat detection (malware, IAM abuse, recon) |
Amazon Security Hub | Centralized findings from GuardDuty, Macie, Inspector |
Amazon CloudWatch Logs + Insights | Custom log analysis and alerts |
VPC Flow Logs | Network-level monitoring and anomaly detection |
AWS Config | Resource configuration and compliance tracking |
These tools together form the "SIEM foundation" in AWS. But they lack advanced correlation, flexible dashboards, and cross-platform integration.
🔁 Integrating AWS with Splunk SIEM
Splunk collects and analyzes logs/events from AWS using:
Splunk Add-on for AWS
Kinesis Firehose + Lambda (for real-time log streaming)
S3 ingestion (CloudTrail, Config logs, etc.)
Data Sources from AWS into Splunk:
CloudTrail → who did what
GuardDuty → threat findings
VPC Flow Logs → network anomalies
Config → compliance state
CloudWatch Logs → app and service logs
Once data is in Splunk:
Splunk correlates events across sources
Detects threats with rules/searches
Creates alerts for SOC analysts
⚙️ Part 2: SOAR in AWS + Splunk
🤖 AWS Native SOAR-Like Automation Tools
Tool | Purpose |
AWS Lambda | Run scripts in response to alerts (e.g., block IP, disable user) |
AWS Systems Manager (SSM) | Automate remediation on EC2 instances |
AWS Step Functions | Orchestrate multi-step automated workflows |
AWS EventBridge | Central rule engine to react to events (e.g., GuardDuty finding triggers Lambda) |
AWS Security Hub Custom Actions | Manually or automatically trigger responses (e.g., run a Lambda to quarantine a resource) |
These form AWS's SOAR-like ecosystem, but still require manual coding and orchestration.
🔁 Splunk SOAR (formerly Phantom)
Splunk SOAR connects to:
AWS GuardDuty
AWS IAM
AWS EC2
AWS S3
Security Hub
Slack, JIRA, ServiceNow, etc.
You create playbooks (visual workflows) that automatically:
Ingest an alert from GuardDuty
Enrich it with threat intel (VirusTotal, AbuseIPDB)
If risky → call AWS API via Lambda or SDK to:
Disable IAM user
Isolate EC2 via Security Groups
Add IP to WAF block list
Send notification to Slack/JIRA
Update case in ServiceNow
🎯 Example: SIEM + SOAR Workflow
Threat: EC2 communicating with known malicious IP (GuardDuty Alert)
Without SOAR:
CloudTrail logs → sent to Splunk via Kinesis Firehose
Splunk detects alert and sends it to SOC
Analyst manually logs into AWS and takes action
With SOAR:
GuardDuty detects the threat
Security Hub forwards finding → Splunk SOAR
Splunk SOAR playbook:
Enriches with threat intel
Checks if IP is critical or repeated
If yes, runs AWS Lambda to quarantine EC2
Posts response to Slack
Opens JIRA ticket
Documents all steps automatically
🧠 Interview-Ready Summary
“In AWS, services like GuardDuty, Security Hub, and CloudTrail form the foundation of SIEM by generating and aggregating threat data. Splunk acts as the centralized SIEM by ingesting, correlating, and alerting on this data. For SOAR, Splunk SOAR automates incident response using playbooks that connect to AWS APIs. Combined, these tools enable faster detection, investigation, and automated response to threats in the cloud.”
No comments:
Post a Comment