SIEM Architektur & Detection Engineering

Architektur (High Level)

• Sources: Firewall, VPN, IAM, EDR, Server, Cloud
• Ingest: Agent/Forwarder, Syslog, API Collector
• Normalize: Parser, enrichment (asset, user, geo)
• Store: Hot/Warm/Cold tiers + retention
• Detect: rules, baselines, anomaly, UEBA (optional)
• Respond: tickets, SOAR, runbooks

Log-Quellenliste (Startpaket)

• Auth: AAD Sign-in logs, AD security events, VPN auth
• Privileged Actions: role assignments, group changes, sudo
• Network: firewall allow/deny, DNS, proxy, netflow
• Endpoint: EDR alerts, process start, persistence indicators

Use-Case Beispiele (so formulieren, dass man sie bauen kann)

• „Neuer Global Admin“ → alert + ticket + immediate review
• „Impossible travel“ + „MFA fatigue“ pattern
• „New service installed“ auf Servern außerhalb Maintenance
• „DNS to newly registered domains“ + egress spikes

Tuning & Betrieb

• False Positives dokumentieren (why) + suppression rules
• Regel-Owner & Review Datum
• Detection-as-Code (Git) für Versionierung
• Monthly metrics: alerts, MTTR, top noisy sources