Listen to this Post

Introduction
Security Information and Event Management (SIEM) systems are crucial for real-time threat detection, log analysis, and incident response. With evolving cyber threats, mastering SIEM tools like Splunk, QRadar, and Microsoft Sentinel is essential for cybersecurity professionals. This guide compiles free SIEM training resources and provides hands-on commands, configurations, and best practices to enhance your SOC skills.
Learning Objectives
- Understand core SIEM functionalities and log analysis techniques.
- Configure and deploy SIEM solutions like Wazuh, Splunk, and QRadar.
- Implement threat detection rules, incident response, and threat hunting.
1. Windows Logging Basics for SIEM Integration
Command:
Enable PowerShell script block logging (for detecting malicious scripts) Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1
Step-by-Step Guide:
1. Open PowerShell as Administrator.
- Run the command above to log PowerShell script execution.
- Forward logs to your SIEM (e.g., Splunk or Wazuh) for analysis.
Why It Matters:
Malicious actors often abuse PowerShell. Enabling script logging helps detect attacks like fileless malware.
2. Splunk Search Queries for Threat Hunting
Query:
source="WinEventLog:Security" EventCode=4625 | stats count by src_ip, user | sort -count
Step-by-Step Guide:
1. Log into Splunk.
- Paste the query to detect failed login attempts (Brute Force attacks).
3. Analyze top attacking IPs and usernames.
Why It Matters:
Identifying brute-force attempts early prevents account compromise.
3. Wazuh: Detecting SSH Brute-Force Attacks
Rule Configuration (Wazuh Manager):
<rule id="100101" level="10"> <if_sid>5716</if_sid> <match>Failed password</match> <description>SSH brute-force attempt detected</description> </rule>
Step-by-Step Guide:
1. Edit `/var/ossec/etc/rules/local_rules.xml`.
2. Add the rule above.
3. Restart Wazuh: `systemctl restart wazuh-manager`.
Why It Matters:
Automatically alerts on repeated failed SSH logins.
4. QRadar: Creating a Custom Ariel Query
Query:
SELECT DATEFORMAT(starttime,'yyyy-MM-dd HH:mm:ss') as Time, username, sourceip
FROM events
WHERE devicetype IN ('Linux', 'Windows') AND eventid=4625
ORDER BY starttime DESC
LIMIT 50
Step-by-Step Guide:
1. Open QRadar’s Ariel Query interface.
2. Run the query to find failed logins.
3. Export results for further investigation.
Why It Matters:
Helps SOC teams quickly identify attack patterns.
5. Microsoft Sentinel: Detecting Suspicious Azure Activity
KQL Query:
AzureActivity
| where OperationName == "Create VM"
| where CallerIpAddress !in ("192.168.1.1", "10.0.0.0/8")
| project TimeGenerated, CallerIpAddress, Caller
Step-by-Step Guide:
1. Navigate to Microsoft Sentinel’s Logs section.
- Run the query to detect unauthorized VM creation.
Why It Matters:
Prevents cloud resource abuse by attackers.
6. Suricata IDS Integration with Wazuh
Suricata Rule Example:
alert http any any -> any any (msg:"Possible SQL Injection"; content:"' OR 1=1"; sid:1000001;)
Step-by-Step Guide:
1. Add the rule to `/etc/suricata/rules/local.rules`.
2. Restart Suricata: `systemctl restart suricata`.
3. Integrate alerts into Wazuh for correlation.
Why It Matters:
Detects SQL injection attempts in web traffic.
7. Elastic SIEM: Creating Detection Rules
Elastic Rule (YAML):
name: "Suspicious Process Execution" description: "Detects unusual process execution" risk_score: 70 severity: "high" query: "process.name: powershell.exe AND event.action: Process Create"
Step-by-Step Guide:
1. Navigate to Elastic Security > Detection Rules.
2. Import the rule to monitor PowerShell execution.
Why It Matters:
Identifies potential malicious PowerShell activity.
What Undercode Say:
- Key Takeaway 1: SIEM mastery requires hands-on practice—use free labs and real-world datasets.
- Key Takeaway 2: Automation (rules, queries) is critical for efficient threat detection.
Analysis:
SIEM tools are evolving with AI-driven analytics, but fundamental log analysis remains crucial. The rise of cloud SIEM solutions (Microsoft Sentinel, Elastic) demands hybrid SOC skills. Organizations must prioritize continuous training to combat sophisticated attacks.
Prediction:
By 2026, AI-powered SIEMs will dominate, reducing false positives and automating responses. However, human expertise will remain vital for interpreting complex threats. Free training (like the resources above) will bridge the skills gap, creating a new wave of elite SOC analysts.
Ready to level up? Bookmark these free courses and start practicing today! 🚀
IT/Security Reporter URL:
Reported By: Ouardi Mohamed – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


