SIEM Dashboard

Log aggregation, correlation rules, and threat hunting queries.

The SIEM (Security Information and Event Management) dashboard aggregates logs from multiple sources and helps you detect threats through correlation and analysis.

Interface Overview

The SIEM dashboard consists of four main sections:

1. Log Viewer

The central panel displays logs from various sources:

  • Timestamp - When the event occurred
  • Source - Where the log came from (firewall, endpoint, server)
  • Event Type - Category of the event
  • Severity - Info, Low, Medium, High, Critical
  • Message - Event details

2. Query Bar

Search and filter logs using the query bar:

source:firewall AND action:blocked AND severity:high

Common query operators:

  • AND, OR, NOT - Logical operators
  • field:value - Field-specific search
  • field:* - Wildcard matching
  • "exact phrase" - Exact string match
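As an added example (not code from the SOC Simulator itself), a small Python evaluator for the query dialect described above, run over constructed log records. The records, the field names, and the operator precedence (NOT binds tightest, then AND, then OR, with no parentheses) are assumptions; it also goes slightly beyond the page by matching case-insensitively and by reading field:* as "the field is present with any value".

```python
import fnmatch
import shlex

# Constructed sample records (not from the SOC Simulator); the field names are assumptions.
LOGS = [
    {"source": "firewall", "action": "blocked", "severity": "High", "message": "inbound connection denied"},
    {"source": "firewall", "action": "allowed", "severity": "Info", "message": "outbound connection permitted"},
    {"source": "endpoint", "action": "blocked", "severity": "High", "message": "process execution blocked"},
    {"source": "server", "action": "login_failed", "severity": "Medium", "message": "failed login for admin"},
]

def match_term(term, record):
    """field:value (with * wildcards) or a bare/quoted phrase searched across every field.
    Matching is case-insensitive, so severity:high also hits a record stored as "High"."""
    if ":" in term:
        field, pattern = term.split(":", 1)
        if field not in record:          # absent field never matches, not even field:*
            return False
        return fnmatch.fnmatchcase(str(record[field]).lower(), pattern.lower())
    return any(term.lower() in str(v).lower() for v in record.values())

def evaluate(query, record):
    """NOT binds tightest, then AND, then OR; no parentheses in this dialect.
    shlex.split keeps "exact phrase" as one token and strips the quotes."""
    groups = [[]]                        # one term list per OR-separated clause
    for tok in shlex.split(query):
        if tok == "OR":
            groups.append([])
        else:
            groups[-1].append(tok)

    def and_clause(terms):
        if not terms:                    # stray leading/trailing OR: matches nothing
            return False
        result, negate = True, False
        for tok in terms:
            if tok == "AND":
                continue
            if tok == "NOT":
                negate = True
                continue
            hit = match_term(tok, record)
            result = result and (hit != negate)   # XOR applies the pending NOT
            negate = False
        return result
    return any(and_clause(g) for g in groups)

def search(query, logs=LOGS):
    return [r for r in logs if evaluate(query, r)]   # matching records, in log order
```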

3. Data Sources

View connected log sources:

Source     Description
Firewall   Network traffic and blocking events
Endpoint   Process execution, file changes
Server     Authentication, service events
Cloud      AWS, Azure, GCP audit logs
Email      Mail server and phishing alerts

4. Correlation Rules

Pre-built rules that detect attack patterns:

  • Brute Force - Multiple failed logins from the same source
  • Lateral Movement - Authentication across multiple hosts
  • Data Exfiltration - Large outbound transfers
  • Privilege Escalation - Unexpected admin access

Key Features

Alert Correlation

When the SIEM detects a pattern, it creates a correlated alert:

  1. Individual log events are grouped
  2. A correlation rule matches the pattern
  3. A single alert is generated with context
  4. Related events are linked for investigation

Threat Hunting

Proactively search for threats:

  1. Use the query bar to filter logs
  2. Look for anomalies or suspicious patterns
  3. Drill down into specific events
  4. Create custom correlation rules

Timeline View

See events in chronological order:

  1. Click on any alert
  2. Select "View Timeline"
  3. See all related events in sequence
  4. Identify the attack chain

Tips for Success

Focus on correlation - a single log rarely tells the full story. Look for patterns across multiple sources.

  1. Start with high-severity alerts
  2. Check the source IP/user across all logs
  3. Look for temporal patterns (events close in time)
  4. Use saved queries for common investigations
