TryHackMe: Introduction to SIEM Walkthrough (SOC Level 1)

Welcome to this walkthrough of the Introduction to SIEM Room on TryHackMe. If you have been following along with the SOC Level 1 Path, you have just finished the Endpoint Security series, great job! Now it is time to learn about SIEMs, Security Information and Event Management systems.

Introduction to SIEM Banner

Room URL:
https://tryhackme.com/room/introtosiem

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM. Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.

Now, let’s move on! This is going to be a long one!



Task 1: Introduction

SIEM stands for Security Information and Event Management system. It is a tool that collects data from various endpoints/network devices across the network, stores them at a centralized place, and performs correlation on them. This room will cover the basic concepts required to understand SIEM and how it works.

Learning Objective

Some of the learning objectives covered in this room are:

  • What is SIEM, and how does it work?
  • Why is SIEM needed?
  • What is Network Visibility?
  • What are Log Sources, and how is log ingestion done?
  • What are the capabilities a SIEM provides?

Questions

What does SIEM stand for?

Nothing to explain here 🙂

Answer: Security Information and Event Management system


Task 2: Network Visibility through SIEM

In a network with various components (e.g., Linux/Windows endpoints, a data server, and a website), each device generates logs. These logs help detect activities and potential threats.

Types of Log Sources:

  1. Host-Centric Logs:
    • Capture events on individual devices (e.g., user login, file access, PowerShell execution).
    • Examples: Windows Event Logs, Sysmon, Osquery.
  2. Network-Centric Logs:
    • Capture communication between devices or with the internet (e.g., SSH sessions, web traffic, VPN access).

Importance of SIEM (Security Information and Event Management):

SIEM systems collect and correlate logs from multiple sources in real time to help detect, investigate, and respond to threats more efficiently.

Key Features of SIEM:

  • Real-time log ingestion
  • Alerting on abnormal activities
  • 24/7 monitoring and visibility
  • Early threat detection
  • Visualizations and insights
  • Ability to investigate past incidents

Questions

Is Registry-related activity host-centric or network-centric?

Registry information is related to an endpoint, therefore it is host-centric.

Answer: host-centric

Is VPN related activity host-centric or network-centric?

VPN information is all about communication over a network, therefore we are talking about network-centric information here.

Answer: network-centric


Task 3: Log Sources and Log Ingestion

Every device on a network generates logs when activities occur—like website visits, SSH connections, or logins. These logs are essential for monitoring and detecting potential security threats.

Common Devices and Their Logs:

  • Windows Machines:
    • Use Event Viewer to store and view logs.
    • Each event has a unique ID.
    • Logs are forwarded to the SIEM for visibility and analysis.
  • Linux Workstations:
    • Logs are stored in specific files, such as:
      • /var/log/httpd: Web requests/responses and errors
      • /var/log/cron: Cron job events
      • /var/log/auth.log or /var/log/secure: Authentication logs
      • /var/log/kern: Kernel-related events
  • Web Servers:
    • Monitor incoming/outgoing traffic for attacks.
    • Apache logs typically found in /var/log/apache or /var/log/httpd.

Log Ingestion into SIEM

To analyze and monitor logs effectively, SIEM tools collect them using different ingestion methods:

  1. Agent/Forwarder:
    Lightweight tool installed on endpoints to send logs to SIEM (e.g., Splunk Forwarder).
  2. Syslog:
    Protocol used to send real-time logs from devices like servers and firewalls to SIEM.
  3. Manual Upload:
    Some SIEMs support uploading offline data for analysis (e.g., Splunk, ELK).
  4. Port Forwarding:
    SIEM listens on a port where devices send their log data.

Questions

In which location within a Linux environment are HTTP logs stored?

HTTP logs are stored at /var/log/httpd.

Answer: /var/log/httpd


Task 4: Why SIEM

SIEM (Security Information and Event Management) helps detect and respond to threats by correlating logs from various sources. When suspicious activity is detected or thresholds are crossed, alerts are generated for analysts to investigate.

Key Capabilities of SIEM:

  • Correlates events from different log sources
  • Provides visibility into both host- and network-level activities
  • Enables analysts to investigate and respond to threats
  • Supports threat hunting beyond predefined rules

SIEM in the SOC Ecosystem

SIEM is a core component of the Security Operations Center (SOC). It continuously ingests logs and checks for rule matches or anomalies to detect potential threats.


Responsibilities of a SOC Analyst Using SIEM:

  • Monitoring and investigating security alerts
  • Identifying and minimizing false positives
  • Fine-tuning detection rules
  • Ensuring reporting and regulatory compliance
  • Spotting and addressing gaps in network visibility

Questions

Read the task above.

Answer: No answer needed


Task 5: Analysing Logs and Alerts

Log Ingestion and Detection

SIEM tools ingest logs from various systems using methods like:

  • Agents/Forwarders
  • Port Forwarding
  • Syslog
  • Manual Upload

Once logs are ingested and normalized, SIEM applies correlation rules to detect suspicious behavior. If a rule condition is met, an alert is triggered for investigation.


Dashboards

Dashboards are central to SIEM visibility. They provide summarized, actionable insights from the ingested log data.

Common Dashboard Elements:

  • Alert Highlights
  • System Notifications
  • Health Alerts
  • List of Failed Login Attempts
  • Event Count
  • Triggered Rules
  • Top Domains Visited

Dashboards can be default (e.g., in QRadar, Splunk) or custom-built for specific needs.


Correlation Rules

Correlation rules are logical expressions set by analysts to detect threats.

Examples of Correlation Rules:

  • 5 failed logins in 10 seconds → Multiple Failed Logins Alert
  • Successful login after failed attempts → Brute Force Alert
  • USB plugged in → USB Access Alert
  • Outbound traffic > 25 MB → Potential Data Exfiltration

Use Case 1: Log Deletion

  • Event ID: 104 (Windows)
  • Rule: If Log source is WinEventLog AND EventID is 104 → Trigger "Event Log Cleared"

Use Case 2: Suspicious Command Execution

  • Event ID: 4688 (Process Execution)
  • Rule: If Log Source is WinEventLog AND EventCode is 4688 AND NewProcessName contains "whoami" → Trigger "WHOAMI Command Detected"

Why Normalization Matters:
Normalized field-value pairs allow rules to detect activity consistently across systems.
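As an added example (not the room's material), here is a small Python correlation engine run over constructed, already-normalized events. It implements the rules above: the 5-failed-logins-in-10-seconds threshold, the Event ID 104 and whoami rules, and the "miner"/"crypt" process-name rule from the Task 6 lab. The field names, the sample user alice and the host WS-01 are assumptions.

```python
from collections import defaultdict, deque

def ev(ts, **fields):
    # Constructed sample event; all events share a user/host for brevity.
    return {"ts": ts, "user": "alice", "host": "WS-01", "source": "WinEventLog", **fields}

# Constructed, already-normalized events (not from the room's lab): a burst of
# failed logins from two different log sources, then a log clear, whoami and a miner.
EVENTS = [
    ev(0.0, action="login_failed"), ev(2.0, action="login_failed"),
    ev(4.0, action="login_failed", source="LinuxAuth"),
    ev(6.0, action="login_failed"), ev(8.0, action="login_failed"),
    ev(30.0, EventCode=104),
    ev(31.0, EventCode=4688, NewProcessName=r"C:\Windows\System32\whoami.exe"),
    ev(32.0, EventCode=4688, NewProcessName=r"C:\Users\alice\cudominer.exe"),
]

def proc_name(e):
    return e.get("NewProcessName", "").lower()

# Field-match rules: (alert name, predicate over one normalized event).
SIMPLE_RULES = [
    ("Event Log Cleared", lambda e: e["source"] == "WinEventLog" and e.get("EventCode") == 104),
    ("WHOAMI Command Detected", lambda e: e["source"] == "WinEventLog"
        and e.get("EventCode") == 4688 and "whoami" in proc_name(e)),
    # the Task 6 lab rule: process name includes "miner" or "crypt"
    ("Crypto Miner Process", lambda e: e.get("EventCode") == 4688
        and any(t in proc_name(e) for t in ("miner", "crypt"))),
]

def correlate(events, threshold=5, window=10.0):
    """Apply SIMPLE_RULES per event plus a sliding-window rule that fires when
    `threshold` failed logins for one user@host fall within `window` seconds."""
    alerts = []  # (alert name, timestamp, user@host)
    failures = defaultdict(deque)  # (user, host) -> recent failure timestamps
    for e in sorted(events, key=lambda x: x["ts"]):
        who = f"{e['user']}@{e['host']}"
        alerts += [(name, e["ts"], who) for name, match in SIMPLE_RULES if match(e)]
        if e.get("action") == "login_failed":  # source-independent thanks to normalization
            q = failures[(e["user"], e["host"])]
            q.append(e["ts"])
            while e["ts"] - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                alerts.append(("Multiple Failed Logins", e["ts"], who))
                q.clear()  # one alert per burst, not one per extra failure
    return alerts
```

Note that the third failed login comes from a different log source and still counts toward the threshold, which is exactly what normalization buys you.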


Alert Investigation Workflow

SOC Analysts use dashboards to monitor and investigate alerts:

  1. Alert Triggered
    • Review associated events/flows
    • Check which rule condition was met
  2. Investigation Outcome:
    • False Positive → Tune the rule
    • True Positive
      • Deepen the investigation
      • Contact asset owner
      • Isolate affected host
      • Block suspicious IP

Questions

Which Event ID is generated when event logs are removed?

The event that gets triggered when event logs get deleted is event ID 104.

Answer: 104

What type of alert may require tuning?

False Alarm, or in other words false positives. These alerts may require tuning the rule to avoid similar false positives from occurring again.

Answer: False Alarm


Task 6: Lab Work

Click on the View Site button below, which will display the lab on the right side of the screen.

In the static lab attached, a sample dashboard and events are displayed. When a suspicious activity happens, an Alert is triggered, which means some events match the condition of some rule already configured. Complete the lab and answer the following questions.

Questions

Click on Start Suspicious Activity, which process caused the alert?

View the static site. Start by pressing the Start Suspicious Activity button.

Dashboard

A process will start blinking in red:

Cudominer.exe

The process is called cudominer.exe.

Answer: cudominer.exe

Find the event that caused the alert, which user was responsible for the process execution?

Click the process, and you will enter an event log. We now need to find the user who was responsible for executing the cudominer process.

On the fourth row you will see the cudominer process. There is also a UserName column, and in it you will see that the user who executed the process is Chris.fort.

Process on the fourth row

Answer: Chris.fort

What is the hostname of the suspect user?

Next to the UserName is the HostName. The user’s hostname is HR_02.

Answer: HR_02

Examine the rule and the suspicious process; which term matched the rule that caused the alert?

Click the event row, and you are shown the rule that triggered the alert.

Event Rule

You can see that the rule checks whether the process name includes miner or crypt. In this case, with the process called cudominer, the term that matched the rule is miner.

Answer: miner

What is the best option that represents the event? Choose from the following: – False-Positive OR – True-Positive

Press the Go to Analysis / Action button and you get presented with an action window. We need to decide whether the alert is a true positive or a false positive.

Rule action

The process name definitely sounds like some kind of crypto mining process, so let’s mark it as a true positive.

Answer: True-Positive

Selecting the right ACTION will display the FLAG. What is the FLAG?

We get shown a flag, YAY!

Answer: THM{000_SIEM_INTRO}


Task 7: Conclusion

In this room, we have covered what SIEM is, its capabilities, and what visibility it provides. To learn in-depth about how Incidents are investigated, explore the following rooms and challenges.

Questions

Complete this room

Answer: No answer needed.

Congratulations on completing Introduction to SIEM!!!

Congratulations on completing Introduction to SIEM

Congratulations on completing Introduction to SIEM. This room was a great, but very basic, introduction to SIEM. Let’s keep on moving!

Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.

Find my other walkthroughs here.

Like my articles?

You are welcome to comment on this post, or share my post with friends. I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg
