SIEM DASHBOARD
NETWORK SECURITY — ALERT CORRELATION LAB

OBJECTIVES

  • Review the SIEM dashboard metrics
  • Investigate a critical severity alert
  • Acknowledge 3 alerts
  • Run a KQL / search query
  • Identify the correlated attack chain
  • Escalate the attack chain to IR
  • Identify the false positive alert
  • Submit the incident report
PHASE 1 — DASHBOARD REVIEW
MISSION BRIEF
NETWORK SECURITY — SIEM ANALYSIS

SIEM DASHBOARD & CORRELATION

SIEM: APEXCORP-SIEM — Elastic Security 8.x

SCENARIO

You are a SOC Tier-2 analyst. The SIEM has generated a spike in alerts over the last 2 hours. Review the dashboard, investigate the critical alerts, correlate related events into attack chains, run targeted searches, and escalate anything that warrants IR attention.

ENVIRONMENT

Asset        IP            Detail
WEB-01       10.10.16.10   Apache web server
WKSTN-016    10.10.14.22   User workstation
DC01         10.10.18.10   Domain Controller
FILESVR-01   10.10.15.20   File server
External     185.220.101.45   Attacker IP

YOUR TASKS

  • Review the Dashboard — understand the threat landscape
  • Click alerts to view detail in the Alert Detail panel
  • Acknowledge alerts as you work through them
  • Use KQL Search to dig deeper into events
  • Open Correlations to see grouped attack chains
  • Escalate confirmed incidents and write up the IR Report
SIEM DASHBOARD — APEXCORP — Last 2 Hours
ALERT QUEUE — columns: Time | Sev | Source | Dest | Alert Name | Action
ALERT CORRELATION — ATTACK CHAINS
Alerts automatically grouped by shared IOCs (source IP, host, timeframe). Click a chain to view events, then escalate if confirmed.
KQL SEARCH — ELASTIC / SPLUNK

Search presets:
  • attacker IP
  • WEB-01 processes
  • lateral movement
  • network logons
  • C2 ports
  • brute force
  • suspicious paths
  • C2 DNS beacon
REFERENCE — SIEM ANALYSIS
KQL SYNTAX
field:value                  exact match
field:"value with spaces"    phrase
field:*wildcard*             wildcard
field:[1 TO 100]             range
field:A AND field:B          boolean AND
field:A OR field:B           boolean OR
NOT field:value              negation
source.ip:10.10.0.0/16       CIDR range
USEFUL FIELDS
  • source.ip / destination.ip
  • source.port / destination.port
  • host.name
  • event.id
  • event.category
  • event.severity
  • rule.name
  • process.name / process.parent.name
  • file.path
  • dns.question.name
  • winlog.logon.type
ALERT CORRELATION
Group alerts by: same source IP across multiple rules, same destination host hit by multiple sources, same user account across multiple hosts, similar timing (events within minutes of each other).

A single alert is rarely meaningful — patterns across alerts tell the story.
FALSE POSITIVE INDICATORS
  • Source is a known internal tool (scanner, backup agent)
  • Alert fires on schedule (same time daily)
  • No correlated alerts from the same source
  • Destination is a monitoring system
  • Alert has fired hundreds of times with no confirmed incidents
ESCALATION CRITERIA
  • Confirmed multi-stage attack chain
  • Data exfiltration indicators
  • Privileged account compromise
  • Lateral movement confirmed
  • Domain Controller or critical asset involved
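The correlation rules above (shared source IP or host, similar timing) and the false-positive and escalation criteria can be expressed as a small triage routine. The following is an added example, not part of the lab or of Elastic/Splunk; the asset IPs and attacker IP come from the environment table, while the 30-minute window, the rule names, the "known internal tool" list and the alert timestamps are assumed.

```python
from datetime import datetime, timedelta

# Asset IPs from the lab's environment table.
ASSETS = {"WEB-01": "10.10.16.10", "WKSTN-016": "10.10.14.22",
          "DC01": "10.10.18.10", "FILESVR-01": "10.10.15.20"}
CRITICAL = {"DC01", "FILESVR-01"}       # assumed: "DC or critical asset" criterion
WINDOW = timedelta(minutes=30)          # assumed "similar timing" threshold
KNOWN_TOOLS = {"10.10.15.20"}           # assumed: backup agent on FILESVR-01

# Constructed sample alerts: attacker IP and hosts mirror the scenario, the rest is assumed.
ALERTS = [
    {"id": 1, "ts": "2024-01-01T10:02:00", "src": "185.220.101.45", "host": "WEB-01", "rule": "Brute force login"},
    {"id": 2, "ts": "2024-01-01T10:09:00", "src": "185.220.101.45", "host": "WEB-01", "rule": "Suspicious child of httpd"},
    {"id": 3, "ts": "2024-01-01T10:21:00", "src": "10.10.16.10", "host": "DC01", "rule": "Network logon (type 3)"},
    {"id": 4, "ts": "2024-01-01T09:00:00", "src": "10.10.15.20", "host": "WKSTN-016", "rule": "Port scan"},
]

def iocs(alert):
    """IOC set for an alert: its source IP plus the IP of the host it hit."""
    return {alert["src"], ASSETS.get(alert["host"], alert["host"])}

def linked(a, b):
    """Two alerts belong together if they share an IOC and fire within WINDOW."""
    ta, tb = (datetime.fromisoformat(x["ts"]) for x in (a, b))
    return bool(iocs(a) & iocs(b)) and abs(ta - tb) <= WINDOW

def build_chains(alerts):
    """Transitively group alerts into chains; returns sorted lists of alert ids."""
    chains = []
    for alert in alerts:
        hits = [c for c in chains if any(linked(alert, o) for o in c)]
        merged = [alert] + [o for c in hits for o in c]   # merge every chain this alert touches
        chains = [c for c in chains if c not in hits] + [merged]
    return [sorted(a["id"] for a in c) for c in chains]

def triage(alerts):
    """Classify each chain as escalate, investigate, or likely false positive."""
    by_id = {a["id"]: a for a in alerts}
    verdicts = {}
    for chain in build_chains(alerts):
        members = [by_id[i] for i in chain]
        hosts = {m["host"] for m in members}
        rules = {m["rule"] for m in members}
        if len(rules) > 1 and hosts & CRITICAL:         # multi-stage chain touching a critical asset
            verdicts[tuple(chain)] = "escalate"
        elif len(chain) == 1 and members[0]["src"] in KNOWN_TOOLS:   # lone alert from a known tool
            verdicts[tuple(chain)] = "likely false positive"
        else:
            verdicts[tuple(chain)] = "investigate"
    return verdicts
```

Pivoting on the compromised host's own IP is what links the external brute force on WEB-01 to the later network logon from WEB-01 to DC01.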