SOC Analyst
For L1, L2, L3 analysts and blue teamers
Question 1 · Beginner · Free
What is SIEM and how does it work?
SIEM stands for Security Information and Event Management. It is a platform that collects, aggregates, and analyses log data from across an organisation's entire infrastructure — firewalls, endpoints, servers, cloud services, and applications — to detect threats, generate alerts, and support incident response.
How a SIEM works:
1. Log Collection — Agents, API connectors, or syslog forwarders send raw logs from every system to the SIEM platform in real time.
2. Normalisation — The SIEM parses logs from different formats (Windows Event Logs, syslog, JSON, CEF) into a consistent schema so they can be correlated.
3. Correlation — Detection rules and analytics engines match patterns across multiple log sources. Example: a failed login followed by a successful login from a different country within 5 minutes triggers a credential compromise alert.
4. Alerting — When a rule fires, an alert is queued for analyst triage with severity, context, and raw log evidence.
5. Investigation — Analysts drill into timelines, pivot across related events, and determine whether the alert is a true positive or a false positive.
6. Reporting — Scheduled reports and dashboards support compliance (PCI-DSS, ISO 27001) and SOC management visibility.
Popular SIEMs: Splunk, Microsoft Sentinel, IBM QRadar, Elastic SIEM, LogRhythm, Exabeam.
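As an added example (not code from the original page or any SIEM vendor), the Normalisation and Correlation steps above reduced to a minimal Python detection: two constructed log formats are mapped onto one schema, then the page's "failed login followed by a successful login from a different country within 5 minutes" rule is evaluated per user. The field names, sample events and severity label are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not from any real system) in two formats a SIEM
# would ingest: key=value syslog-style lines and JSON lines.
RAW_LOGS = [
    "ts=2024-05-01T10:00:00Z user=alice outcome=failure src_country=DE",
    '{"@timestamp":"2024-05-01T10:03:30Z","user":"alice","outcome":"success","src_country":"BR"}',
    "ts=2024-05-01T11:00:00Z user=bob outcome=failure src_country=US",
    '{"@timestamp":"2024-05-01T11:02:00Z","user":"bob","outcome":"success","src_country":"US"}',
    "ts=2024-05-01T12:00:00Z user=carol outcome=failure src_country=FR",
    '{"@timestamp":"2024-05-01T12:20:00Z","user":"carol","outcome":"success","src_country":"JP"}',
]

def normalise(line):
    """Normalisation: map either raw format onto one common schema (assumed field names)."""
    if line.startswith("{"):
        d = json.loads(line)
        ts = d["@timestamp"]
    else:
        d = dict(kv.split("=", 1) for kv in line.split())
        ts = d["ts"]
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": d["user"],
            "outcome": d["outcome"], "country": d["src_country"]}

def correlate(events, window=timedelta(minutes=5)):
    """Correlation: for one user, a failure then a success from another country
    inside `window` raises one alert carrying both events as evidence for triage."""
    failures = {}          # user -> failed logins not yet closed by a success
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        hist = failures.setdefault(ev["user"], [])
        if ev["outcome"] == "failure":
            hist.append(ev)
            continue
        for prior in hist:
            delta = ev["ts"] - prior["ts"]
            if prior["country"] != ev["country"] and delta <= window:
                alerts.append({"user": ev["user"], "severity": "high",
                               "from": prior["country"], "to": ev["country"],
                               "seconds": int(delta.total_seconds()),
                               "evidence": [prior, ev]})
                break
        hist.clear()       # a success closes out the pending failure sequence
    return alerts

def run(raw_logs=RAW_LOGS):
    return correlate([normalise(line) for line in raw_logs])
```

Only alice's sequence fires: bob's success came from the same country, and carol's success arrived outside the 5-minute window.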