Security Information and Event Management (SIEM)

High-fidelity detection, telemetry normalization and investigative tooling to surface and contextualise threats across your estate.

Overview

SIEM platforms collect, normalise and correlate logs and events from across cloud, identity, network and endpoints to detect suspicious activity, enable investigations and support compliance.

Key activities

  • Log onboarding & normalization — ensure consistent schema and reliable ingestion.
  • Detection engineering — author, test and tune rules mapped to ATT&CK TTPs.
  • Alert triage & enrichment — prioritise signal and attach context for analysts.
  • Dashboarding & reporting — surface KPIs and business-facing risk views.
  • Retention & compliance — manage storage, access and audit requirements.

SIEM Platforms

Familiar with commercial and open-source SIEMs. I choose solutions based on scale, telemetry profiles and operational needs.

Data Sources

Endpoint telemetry, Windows event logs / Sysmon, network and perimeter logs, cloud audit logs, identity logs and application/container logs.

Security use cases (general)

Credential misuse & lateral movement, ransomware detection, persistence and privilege escalation, data exfiltration and cloud misconfiguration monitoring.

Deliverables

  • Prioritised detection catalog (mapped to MITRE ATT&CK)
  • Onboarding playbooks and parsers
  • Investigation runbooks and analyst guides
  • Executive dashboards and operational KPIs

Best practices

  • Design detections for high fidelity — prefer context-rich, low-noise rules.
  • Normalize telemetry early — consistent fields reduce false positives.
  • Automate enrichment — use threat intel and asset context to improve prioritisation.
  • Measure detection performance — track true/false positives and MTTR.
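As an added illustration of the practices above (normalise early, enrich automatically, detect with context, measure the result), the following Python script is not code from this page or from any SIEM product. It maps three constructed raw records (a Windows Security 4624 logon, a Sysmon process-creation event and a generic cloud console sign-in) onto one schema, attaches asset criticality and a threat-intel match, runs a single context-rich rule mapped to ATT&CK T1078, and computes precision and MTTR from constructed analyst dispositions. The internal address ranges, asset inventory, intel list and event shapes are all assumptions made for the example.

```python
"""Toy SIEM pipeline: normalise, enrich, detect, measure.

Added illustration, not code from the page or any SIEM product. The raw
event shapes, asset inventory, intel list and analyst dispositions are
constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import mean
from typing import Optional

# Constructed enrichment context (assumed for the example, not from the page).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ASSETS = {"FS01": {"criticality": "high", "owner": "file-services"}}
INTEL_IPS = {"203.0.113.7"}

# Constructed raw events in three vendor-specific shapes.
RAW_EVENTS = [
    {"source": "winlog", "EventID": 4624, "TimeCreated": "2024-05-01T10:00:00Z",
     "Computer": "FS01", "TargetUserName": "svc_backup", "LogonType": 3,
     "IpAddress": "203.0.113.7"},
    {"source": "sysmon", "EventID": 1, "UtcTime": "2024-05-01 10:00:05.000",
     "Computer": "FS01", "User": "CORP\\svc_backup",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"source": "cloud", "eventName": "ConsoleLogin", "eventTime": "2024-05-01T10:02:00Z",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.9",
     "responseElements": {"ConsoleLogin": "Success"}},
]


@dataclass
class Event:
    """Common schema every source is mapped onto before any rule runs."""
    ts: datetime
    source: str
    action: str                          # logon | logon_failed | process_start | ...
    user: Optional[str] = None
    host: Optional[str] = None
    src_ip: Optional[str] = None
    process: Optional[str] = None
    asset_criticality: str = "unknown"   # filled by enrich()
    intel_hit: bool = False              # filled by enrich()


def _utc(value: str, fmt: Optional[str] = None) -> datetime:
    """Parse vendor timestamps into timezone-aware UTC datetimes."""
    if fmt:
        return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalize(raw: dict) -> Event:
    """Map one raw record onto Event; unknown sources are rejected, never guessed."""
    src = raw["source"]
    if src == "winlog":
        action = {4624: "logon", 4625: "logon_failed"}.get(raw["EventID"], f"winlog_{raw['EventID']}")
        return Event(_utc(raw["TimeCreated"]), src, action, user=raw.get("TargetUserName"),
                     host=raw.get("Computer"), src_ip=raw.get("IpAddress"))
    if src == "sysmon" and raw["EventID"] == 1:
        return Event(_utc(raw["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"), src, "process_start",
                     user=raw["User"].split("\\")[-1], host=raw.get("Computer"), process=raw.get("Image"))
    if src == "cloud":
        ok = raw.get("responseElements", {}).get("ConsoleLogin") == "Success"
        return Event(_utc(raw["eventTime"]), src, "logon" if ok else "logon_failed",
                     user=raw["userIdentity"]["userName"], src_ip=raw.get("sourceIPAddress"))
    raise ValueError(f"no parser for source={src!r} EventID={raw.get('EventID')!r}")


def is_external(ip: Optional[str]) -> bool:
    """True when the address lies outside the constructed internal ranges."""
    if not ip or ip == "-":
        return False
    addr = ipaddress.ip_address(ip)
    return not addr.is_loopback and not any(addr in net for net in INTERNAL_NETS)


def enrich(ev: Event) -> Event:
    """Attach asset criticality and threat-intel context so rules can weight severity."""
    if ev.host:
        ev.asset_criticality = ASSETS.get(ev.host, {}).get("criticality", "unknown")
    ev.intel_hit = ev.src_ip in INTEL_IPS
    return ev


def detect_external_logon_to_critical_host(events) -> list:
    """Rule: successful logon to a high-criticality host from outside internal ranges.
    Mapped to ATT&CK T1078 (Valid Accounts); the context fields keep the rule low-noise."""
    alerts = []
    for ev in events:
        if ev.action == "logon" and ev.asset_criticality == "high" and is_external(ev.src_ip):
            alerts.append({"rule": "external_logon_to_critical_host", "attack": "T1078",
                           "severity": "critical" if ev.intel_hit else "high",
                           "host": ev.host, "user": ev.user, "src_ip": ev.src_ip,
                           "ts": ev.ts.isoformat()})
    return alerts


def run_pipeline(raw_events=RAW_EVENTS):
    """Normalise, enrich and detect; returns (events, alerts)."""
    events = [enrich(normalize(r)) for r in raw_events]
    return events, detect_external_logon_to_critical_host(events)


def _t(hour: int, minute: int) -> datetime:
    return datetime(2024, 5, 1, hour, minute, tzinfo=timezone.utc)


# Constructed analyst dispositions: (outcome, alert opened, alert closed).
DISPOSITIONS = [
    ("true_positive", _t(10, 5), _t(10, 35)),
    ("true_positive", _t(11, 0), _t(12, 0)),
    ("false_positive", _t(13, 0), _t(13, 15)),
]


def detection_metrics(dispositions=DISPOSITIONS) -> dict:
    """Precision and mean time to resolve: the two numbers a tuning loop needs."""
    tp = sum(1 for d, _, _ in dispositions if d == "true_positive")
    fp = sum(1 for d, _, _ in dispositions if d == "false_positive")
    mttr = mean((closed - opened).total_seconds() / 60 for _, opened, closed in dispositions)
    return {"true_positives": tp, "false_positives": fp,
            "precision": tp / (tp + fp) if tp + fp else 0.0, "mttr_minutes": mttr}


if __name__ == "__main__":
    _, found = run_pipeline()
    for alert in found:
        print(alert)
    print(detection_metrics())
```

Only the Windows logon fires the rule: the cloud sign-in carries no host, so the criticality test keeps it out, and the Sysmon record is a process start rather than a logon. That is the point of normalising before detecting: the rule is written once against `action`, `host` and `src_ip`, not against three vendors' field names, and the enrichment fields decide both whether it fires and how severe it is.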