SIEM and SOAR

Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) are critical for modern cloud and hybrid environments. This guide provides actionable steps, real-life examples, and best practices for designing and implementing SIEM and SOAR strategies on AWS, Azure, and GCP.


What is SIEM?

A SIEM solution collects, aggregates, and analyzes logs and events from across your infrastructure (cloud, on-prem, SaaS). It detects threats, provides alerts, and supports compliance.

Popular SIEM Tools:

  • Azure Sentinel (Microsoft Sentinel)

  • AWS Security Hub & Amazon GuardDuty

  • Google Chronicle

  • Splunk, Elastic SIEM, IBM QRadar

Example: Azure Sentinel Setup

az sentinel workspace create --resource-group my-rg --workspace-name my-sentinel
az sentinel alert-rule create --workspace-name my-sentinel --rule-name suspicious-login --display-name "Suspicious Login" --enabled true

Example: AWS Security Hub & GuardDuty Setup

aws securityhub enable-security-hub --region us-east-1
aws guardduty create-detector --enable --region us-east-1

Example: GCP Chronicle Log Forwarding

gcloud logging sinks create chronicle-sink pubsub.googleapis.com/projects/my-project/topics/chronicle-topic --log-filter="resource.type=audited_resource"

What is SOAR?

A SOAR solution automates incident response workflows, integrates with SIEM, and enables rapid, consistent reactions to threats (e.g., isolating a VM, disabling a user, opening a ticket).

Popular SOAR Tools:

  • Azure Logic Apps (integrated with Sentinel)

  • AWS Lambda (triggered by Security Hub/CloudWatch events)

  • Google Cloud Functions

  • Splunk SOAR, Palo Alto Cortex XSOAR

Example: Automated Response with Azure Logic Apps

  • Trigger: Sentinel detects a brute-force login

  • Action: Logic App disables the user in Azure AD and notifies the SOC via Teams

Example: AWS Lambda SOAR Playbook

import boto3

def lambda_handler(event, context):
    # Example: Disable IAM user on alert
    iam = boto3.client('iam')
    user = event['detail']['userIdentity']['userName']
    iam.update_login_profile(UserName=user, PasswordResetRequired=True)
    # Notify via SNS, Slack, etc.

Example: GCP Cloud Function for Incident Response

from google.cloud import iam_v1

def disable_user(event, context):
    # Example: Disable a GCP user on alert
    client = iam_v1.IAMClient()
    user_email = event['attributes']['user_email']
    client.disable_service_account(name=f"projects/-/serviceAccounts/{user_email}")

Step-by-Step: Designing a SIEM & SOAR Strategy

  1. Define Requirements:

    • Compliance (PCI, ISO, HIPAA)

    • Cloud providers (AWS, Azure, GCP)

    • Data sources (VMs, containers, SaaS, firewalls)

  2. Select Tools:

    • Choose SIEM/SOAR solutions that integrate with your cloud and on-prem resources

  3. Centralize Log Collection:

    • Use native agents (Azure Monitor Agent, AWS CloudWatch Agent, GCP Ops Agent)

    • Forward logs to SIEM (Syslog, API, Event Hub)

  4. Develop Detection Rules:

    • Use built-in and custom rules for threats (e.g., impossible travel, privilege escalation)

  5. Automate Response:

    • Create playbooks for common incidents (disable user, quarantine VM, notify team)

  6. Test and Tune:

    • Simulate incidents (red team, purple team)

    • Tune rules to reduce false positives

  7. Monitor and Improve:

    • Review incidents, update playbooks, and document lessons learned


Real-Life Example: Multi-Cloud SIEM & SOAR

  • Logs from AWS CloudTrail, Azure Activity Log, and GCP Audit Log are forwarded to Splunk SIEM.

  • Splunk detects a suspicious login from a new country.

  • SOAR playbook triggers: disables the user in all three clouds, opens a Jira ticket, and notifies the SOC in Slack.


Best Practices

  • Centralize log collection for all environments

  • Automate common responses to reduce mean time to respond (MTTR)

  • Regularly review and update detection rules and playbooks

  • Integrate with ticketing and communication tools (Jira, ServiceNow, Teams, Slack)

  • Use LLMs (Copilot, Claude) to analyze logs and suggest response actions

  • Use Infrastructure as Code (Terraform, Ansible) to deploy and manage SIEM/SOAR resources

  • Document all playbooks and incident response steps in version control


Common Pitfalls

  • Not forwarding all relevant logs (missed data sources)

  • Excessive false positives due to untuned rules

  • Manual response to repeatable incidents

  • Lack of incident documentation and post-incident review

  • Overlooking cloud-specific integrations (e.g., AWS EventBridge, Azure Event Grid)


References

Last updated