SOC2-CC7-SIEM

Security Monitoring and SIEM

Detective control · High effectiveness · Daily review

What this control does

Centralized log aggregation and automated alerting for security-relevant events across production systems.

Implementation guidance

Ship logs from application servers, cloud audit trails (CloudTrail, GCP Audit Logs), and IAM events to a SIEM (Datadog, Splunk, Sentinel). Configure alerts for: root account use, failed authentication spikes, privilege escalation, and unusual data access. Review alert queue daily. Retain logs for at least 12 months.
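The guidance above names alert conditions without showing how they are evaluated. The following is an added example, not configuration from the page or from any of the SIEM products it names: a small Python rule evaluator that implements three of the control's alerts (root account use, failed-login spike of more than 5 failures in 5 minutes, and iam:CreateAccessKey) over a constructed batch of simplified CloudTrail-style events. The event shape, user names, timestamps and rule names are all assumptions made for the example; a real SIEM would express the same logic in its own query language.

```python
"""Added example: evaluate SOC 2 CC7.2-style alert rules over constructed
CloudTrail-like events. Event layout, names and times are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                 # rule: fail_login_count > 5 in 5 min
FAIL_WINDOW = timedelta(minutes=5)


def _ts(s):
    """Parse the ISO-8601 'Z' timestamps CloudTrail uses in eventTime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def login_failure(user, when):
    """Build a constructed failed ConsoleLogin event for an IAM user."""
    return {
        "eventTime": when,
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": user},
        "responseElements": {"ConsoleLogin": "Failure"},
    }


# Constructed sample batch: one failed-login burst, one root login, one
# access-key creation, one benign read call, and scattered failures that
# must NOT trip the threshold.
SAMPLE_EVENTS = [
    login_failure("alice", "2024-01-15T10:00:00Z"),
    login_failure("alice", "2024-01-15T10:01:00Z"),
    login_failure("bob",   "2024-01-15T10:01:10Z"),
    login_failure("alice", "2024-01-15T10:01:30Z"),
    login_failure("alice", "2024-01-15T10:02:00Z"),
    login_failure("alice", "2024-01-15T10:03:00Z"),
    login_failure("alice", "2024-01-15T10:04:00Z"),   # 6th failure in 5 min
    {   # any root account use is alertable, success or not
        "eventTime": "2024-01-15T10:05:00Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # new long-lived credential minted for a user
        "eventTime": "2024-01-15T10:06:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "userIdentity": {"type": "IAMUser", "userName": "carol"},
        "requestParameters": {"userName": "carol"},
    },
    {   # benign read-only call; no rule should match
        "eventTime": "2024-01-15T10:07:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "userIdentity": {"type": "IAMUser", "userName": "carol"},
    },
    login_failure("bob",   "2024-01-15T10:10:00Z"),
]


def evaluate(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Return a list of alert dicts, in time order, for the events given.

    Failed logins are counted per principal in a sliding window; the
    window is cleared after an alert so one burst yields one alert
    rather than one per additional failure (a common alert-fatigue fix).
    """
    alerts = []
    failures = defaultdict(deque)          # principal -> failure times
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        now = _ts(ev["eventTime"])
        ident = ev.get("userIdentity", {})
        subject = ident.get("userName", ident.get("type", "unknown"))

        if ident.get("type") == "Root":
            alerts.append({"rule": "root_account_used", "subject": "root",
                           "time": ev["eventTime"], "event": ev["eventName"]})

        if (ev.get("eventSource") == "iam.amazonaws.com"
                and ev.get("eventName") == "CreateAccessKey"):
            target = ev.get("requestParameters", {}).get("userName", subject)
            alerts.append({"rule": "iam_create_access_key", "subject": subject,
                           "time": ev["eventTime"], "target": target})

        if (ev.get("eventName") == "ConsoleLogin"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Failure"):
            q = failures[subject]
            q.append(now)
            while q and q[0] < now - window:   # drop failures outside window
                q.popleft()
            if len(q) > threshold:
                alerts.append({"rule": "failed_login_spike", "subject": subject,
                               "time": ev["eventTime"], "count": len(q)})
                q.clear()
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(a)
```

Running the block prints three alerts (alice's spike at 10:04, the root login at 10:05, carol's access key at 10:06) and nothing for bob, whose two failures fall outside a shared 5-minute window. The same batch doubles as the auditor's "failed login loop" test event from the testing procedure: if the spike rule were muted, the first alert would simply be missing, which is exactly the gap the daily queue review is meant to catch.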

Requirements satisfied

CC7.2

Why it matters

A compromised account, malicious insider, or attacker accessing systems is invisible without active monitoring—breaches go undetected for weeks or months. SIEM aggregates logs from disparate sources into a single searchable record with real-time alerts, enabling security teams to detect and respond to incidents before data theft occurs or lateral movement succeeds.

Evidence to collect

  • SIEM configuration export showing enabled log sources (e.g., CloudTrail, application servers, IAM logs)
  • Alert rule definitions with thresholds (e.g., 'fail_login_count > 5 in 5 min', 'root_account_used', 'iam:CreateAccessKey')
  • Screenshots of last 7 days of alert queue with timestamps and resolution notes
  • Log retention policy document or SIEM admin panel showing 12-month retention setting and validated retention dates

Testing procedure

Request the SIEM configuration document and validate that (1) log sources include application servers, cloud audit logs, and IAM events; (2) alerts exist for root/service account activity, authentication failures above the N-failure threshold, privilege escalations, and sensitive data access; (3) a test event simulated by the auditor (e.g., a failed login loop or API key usage) fires an alert that is reviewed in the alert queue within 24 hours; (4) 12-month log retention is enforced per the SIEM retention policy, confirmed by spot-checking a log entry from 11 months prior.

Common gotchas

Teams ship logs to SIEM but don't configure meaningful alerts—logs exist but incidents go unnoticed. Worse, alert fatigue causes teams to silence or delete critical rules; confirm alerts are actively tuned based on real false-positive rates and aren't all muted. Ensure on-call rotation actually reviews the queue daily rather than assuming automation handles it.