Security Operations Center (SOC) and SIEM: monitor cybersecurity 24/7
SOCs and SIEMs form the foundation of any professional threat detection system. This article explains how to set up and operate an SOC, SIEM architecture, use cases, alert triage, and addresses the question: In-house SOC or MSSP?
A Security Operations Center (SOC) is the control center for cybersecurity monitoring and incident response. The SOC combines people, processes, and technology—with the SIEM as its technological core. Without a functioning SOC, companies detect attacks on average only after 194 days (IBM Cost of a Data Breach 2024)—often not on their own, but through external reports.
What is a SOC?
A SOC is a centralized function (team + infrastructure) that continuously:
- Monitors – all IT systems, networks, and cloud environments
- Detects – attacks, anomalies, and policy violations
- Analyzes – the context, relevance, and severity of an alert
- Responds – containment, forensics, recovery
- Improves – lessons learned, fine-tuning detection rules
SOC Roles
SOC Tier 1 – Alert Triage Analyst
├── Monitors the alert queue 24/7
├── Classifies: True Positive / False Positive?
└── Escalates complex cases to Tier 2
SOC Tier 2 – Incident Responder
├── In-depth analysis of escalated incidents
├── Forensics: What happened? To what extent?
└── Coordinates remediation
SOC Tier 3 – Threat Hunter / Senior Analyst
├── Proactively searches for hidden attackers
├── Develops new detection rules
└── Threat intelligence integration
SOC Manager
├── KPIs and reporting
├── Team development
└── Process optimization
What is a SIEM?
A Security Information and Event Management (SIEM) system is a platform that centralizes, normalizes, and correlates all security-relevant logs.
Log sources aggregated by a SIEM:
- Firewalls, IDS/IPS, WAF
- Active Directory / Entra ID (logon events)
- Endpoint Security / EDR
- Cloud logs (AWS CloudTrail, Azure Activity Log, GCP Audit)
- Application logs (web server, database, SAP)
- DNS logs
- Email gateway logs
- VPN logs
SIEM Architecture
Log Sources                  SIEM                                   Analyst Interface
───────────                  ────                                   ─────────────────
Firewall ────────┐                                                  Dashboards
EDR ─────────────┤   Collector → Normalizer → Enrichment            Alert Queue
Active Directory ┼─→                 ↓                              Threat Hunting
Cloud Logs ──────┤               Storage                            Investigations
Endpoints ───────┘                   ↓                                   ↑
                     Correlation Engine · UEBA · ML Engine ─────────────┘
UEBA - User and Entity Behavior Analytics
Modern add-on module for SIEM:
- Creates baseline behavior for every user and host
- Detects anomalies: "User never accesses finance server—now suddenly does"
- Useful for insider threats and stolen credentials
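The baselining step described above, as an added example that is not code from the original article or from any SIEM vendor: a learning period of access events builds a per-user and per-department set of hosts, and every later event is scored against it. The events, departments, hosts, severity scale and off-hours boundaries are all constructed assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access events (not real data): (timestamp, user, department, host).
# HISTORY is the learning period from which the baseline is built.
HISTORY = [
    ("2024-05-01T08:02:00", "alice", "finance", "fin-srv01"),
    ("2024-05-02T08:10:00", "alice", "finance", "fin-srv01"),
    ("2024-05-03T09:00:00", "alice", "finance", "fin-srv02"),
    ("2024-05-01T08:30:00", "bob", "finance", "fin-srv02"),
    ("2024-05-01T10:00:00", "carol", "engineering", "build-01"),
    ("2024-05-02T10:05:00", "carol", "engineering", "build-01"),
    ("2024-05-03T11:00:00", "carol", "engineering", "git-01"),
]

# Events arriving after the baseline was learned.
NEW_EVENTS = [
    ("2024-06-01T08:05:00", "alice", "finance", "fin-srv01"),      # matches baseline
    ("2024-06-01T08:40:00", "bob", "finance", "fin-srv01"),        # new for bob, known to his peers
    ("2024-06-01T23:15:00", "carol", "engineering", "fin-srv01"),  # new for carol and her peers, off-hours
]


def build_baseline(events):
    """Per-user and per-department sets of hosts seen during the learning period."""
    user_hosts = defaultdict(set)
    dept_hosts = defaultdict(set)
    for _, user, dept, host in events:
        user_hosts[user].add(host)
        dept_hosts[dept].add(host)
    return user_hosts, dept_hosts


def score_event(event, user_hosts, dept_hosts):
    """Return (severity, reason) for one access event; severity 0 means baseline behaviour.

    Severity scale (assumed for this example): 1-2 first access by the user to a host
    the peer group already uses, 3-4 first access for user and peer group; +1 off-hours.
    """
    ts, user, dept, host = event
    if host in user_hosts.get(user, set()):
        return 0, "known host for user"
    hour = datetime.fromisoformat(ts).hour
    off_hours = 1 if (hour < 6 or hour >= 22) else 0
    if host in dept_hosts.get(dept, set()):
        return 1 + off_hours, "first access by user; host is used by peer group"
    return 3 + off_hours, "first access by user and by peer group"


def detect_anomalies(new_events, history):
    """Score new events against the baseline and return those that deviate from it."""
    user_hosts, dept_hosts = build_baseline(history)
    alerts = []
    for event in new_events:
        severity, reason = score_event(event, user_hosts, dept_hosts)
        if severity > 0:
            ts, user, _, host = event
            alerts.append({"ts": ts, "user": user, "host": host,
                           "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(NEW_EVENTS, HISTORY):
        print(alert)
```

The peer-group check is what keeps this from flooding Tier 1: a finance user touching a finance server for the first time is low severity, while an engineer reaching a finance server at night is scored high. A production UEBA would also age hosts out of the baseline and weight by access frequency.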
SIEM Use Cases: What Is Detected?
Use Case 1: Brute Force / Credential Stuffing
Rule: More than 10 failed login attempts for an account within 5 minutes
AND a subsequent successful login
→ Alert: "Possible Brute Force + Successful Login"
→ Immediate action: Lock account, contact user
Use Case 2: DCSync Attack (Active Directory)
Rule: Replication request from DRSUAPI to domain controller
FROM a machine that is not a domain controller
→ Alert: "Possible DCSync Attack (Golden Ticket Preparation)"
→ Immediate action: Isolate system, initiate forensics
Use Case 3: Kerberoasting
Rule: More than 20 TGS requests for different SPNs
within 2 minutes
from a single account
→ Alert: "Possible Kerberoasting Activity"
→ Immediate action: Analyze account, check affected service accounts
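Use cases 1 and 3 are both sliding-window threshold rules, so one added example covers both (this is illustrative code written for this article's rules, not a vendor's rule engine). It runs over constructed Windows Security events; the event IDs 4625, 4624 and 4769 are the standard Windows IDs for failed logon, successful logon and TGS request, while the accounts, IPs, SPNs and timings are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def sample_events():
    """Constructed Windows Security events (not captured from a real system).

    4625 = failed logon, 4624 = successful logon, 4769 = Kerberos TGS request.
    """
    base = datetime(2024, 6, 1, 3, 0, 0)
    events = []
    # 12 failed logons for svc-backup within four minutes, then a success: should alert.
    for i in range(12):
        events.append({"ts": base + timedelta(seconds=20 * i), "event_id": 4625,
                       "account": "svc-backup", "src_ip": "10.0.0.50"})
    events.append({"ts": base + timedelta(minutes=4, seconds=30), "event_id": 4624,
                   "account": "svc-backup", "src_ip": "10.0.0.50"})
    # 3 failed logons for alice: below threshold, no alert.
    for i in range(3):
        events.append({"ts": base + timedelta(minutes=10, seconds=30 * i), "event_id": 4625,
                       "account": "alice", "src_ip": "10.0.0.7"})
    # 25 TGS requests for 25 different SPNs from bob within 72 seconds: should alert.
    for i in range(25):
        events.append({"ts": base + timedelta(minutes=20, seconds=3 * i), "event_id": 4769,
                       "account": "bob", "spn": f"MSSQLSvc/db{i:02d}.corp.example:1433"})
    # 30 TGS requests from carol for the same SPN: one service, not Kerberoasting-like.
    for i in range(30):
        events.append({"ts": base + timedelta(minutes=30, seconds=2 * i), "event_id": 4769,
                       "account": "carol", "spn": "HTTP/intranet.corp.example"})
    return sorted(events, key=lambda e: e["ts"])


def first_window_over_threshold(events, window, threshold, distinct_key=None):
    """Sliding window over time-sorted events of one account.

    Returns (window_start, window_end) of the first interval no longer than `window`
    that contains more than `threshold` events (distinct by `distinct_key` if given),
    or None. Two-pointer scan, so it is linear in the number of events.
    """
    start = 0
    for end in range(len(events)):
        while events[end]["ts"] - events[start]["ts"] > window:
            start += 1
        span = events[start:end + 1]
        count = len({e[distinct_key] for e in span}) if distinct_key else len(span)
        if count > threshold:
            return events[start]["ts"], events[end]["ts"]
    return None


def detect_bruteforce_then_success(events, threshold=10, window=timedelta(minutes=5)):
    """Use case 1: > threshold failed logons within `window` followed by a successful logon."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    alerts = []
    for account, evs in by_account.items():
        failures = [e for e in evs if e["event_id"] == 4625]
        hit = first_window_over_threshold(failures, window, threshold)
        if hit is None:
            continue
        burst_start, burst_end = hit
        success = next((e for e in evs if e["event_id"] == 4624 and e["ts"] >= burst_end), None)
        if success is not None:
            alerts.append({"rule": "Possible Brute Force + Successful Login", "account": account,
                           "failures_from": burst_start, "success_at": success["ts"],
                           "src_ip": success["src_ip"]})
    return alerts


def detect_kerberoasting(events, threshold=20, window=timedelta(minutes=2)):
    """Use case 3: > threshold TGS requests for distinct SPNs within `window` from one account."""
    by_account = defaultdict(list)
    for e in events:
        if e["event_id"] == 4769:
            by_account[e["account"]].append(e)
    alerts = []
    for account, evs in by_account.items():
        hit = first_window_over_threshold(evs, window, threshold, distinct_key="spn")
        if hit is not None:
            alerts.append({"rule": "Possible Kerberoasting Activity", "account": account,
                           "window_start": hit[0], "window_end": hit[1],
                           "distinct_spns": len({e["spn"] for e in evs})})
    return alerts


if __name__ == "__main__":
    evs = sample_events()
    for alert in detect_bruteforce_then_success(evs) + detect_kerberoasting(evs):
        print(alert)
```

Two details matter for tuning: the brute-force rule only fires when the success comes after the burst, which removes the common false positive of a user who mistypes a password and then logs in normally, and the Kerberoasting rule counts distinct SPNs rather than raw requests, so a chatty application re-requesting one service ticket does not trigger it.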
Use Case 4: Lateral Movement
Correlation across 3 log sources:
1. EDR: "Mimikatz-like activity on Host A"
2. AD log: "Account X" impersonating another user (pass-the-hash)
3. Firewall log: SMB connection from Host A to DC01
→ Alert: "Confirmed Lateral Movement to Domain Controller"
→ Immediate action: P1 incident, enable network segmentation
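The three-source correlation in use case 4, as an added example that is not part of the original article: events are assumed to be already normalized into a common shape, the host-to-IP and domain-controller tables stand in for a CMDB lookup, and the AD event carries a generic "pass-the-hash" indicator field rather than a vendor-specific event ID. All events, hosts and addresses are constructed.

```python
from datetime import datetime, timedelta

# Constructed asset context (a CMDB/AD lookup in practice), not real infrastructure.
HOST_IPS = {"WS-042": "10.0.0.42", "WS-077": "10.0.0.77", "WS-099": "10.0.0.99"}
DOMAIN_CONTROLLERS = {"DC01": "10.0.0.10"}

# Constructed, already-normalised events from three sources (not real logs).
EVENTS = [
    {"ts": "2024-06-01T01:00:00", "source": "edr", "host": "WS-099",
     "detection": "credential-dumping-like activity"},             # no follow-up: stays a single EDR alert
    {"ts": "2024-06-01T02:10:00", "source": "edr", "host": "WS-042",
     "detection": "credential-dumping-like activity"},
    {"ts": "2024-06-01T02:14:00", "source": "ad", "host": "WS-042", "account": "j.doe",
     "indicator": "pass-the-hash"},
    {"ts": "2024-06-01T02:18:00", "source": "firewall", "src_ip": "10.0.0.42",
     "dst_ip": "10.0.0.10", "dst_port": 445, "action": "allow"},
    {"ts": "2024-06-01T02:20:00", "source": "firewall", "src_ip": "10.0.0.77",
     "dst_ip": "10.0.0.10", "dst_port": 445, "action": "allow"},   # ordinary SMB to the DC, no earlier stages
]


def ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate_lateral_movement(events, host_ips, dcs, window=timedelta(minutes=30)):
    """Chain EDR -> AD -> firewall evidence for the same host, in order, within `window`."""
    events = sorted(events, key=ts)
    dc_by_ip = {ip: name for name, ip in dcs.items()}
    alerts = []
    for edr in (e for e in events
                if e["source"] == "edr" and "credential-dumping" in e["detection"]):
        host, t0 = edr["host"], ts(edr)
        deadline = t0 + window
        # Stage 2: impersonation indicator on the same host after the EDR detection.
        ad = next((e for e in events if e["source"] == "ad" and e["host"] == host
                   and e.get("indicator") == "pass-the-hash"
                   and t0 <= ts(e) <= deadline), None)
        if ad is None:
            continue
        # Stage 3: SMB (445) from that host's IP to a domain controller after stage 2.
        fw = next((e for e in events if e["source"] == "firewall"
                   and e["src_ip"] == host_ips.get(host) and e["dst_ip"] in dc_by_ip
                   and e["dst_port"] == 445 and ts(ad) <= ts(e) <= deadline), None)
        if fw is None:
            continue
        alerts.append({"rule": "Confirmed Lateral Movement to Domain Controller",
                       "priority": "P1", "host": host, "account": ad["account"],
                       "target": dc_by_ip[fw["dst_ip"]],
                       "timeline": [edr["ts"], ad["ts"], fw["ts"]]})
    return alerts


if __name__ == "__main__":
    for alert in correlate_lateral_movement(EVENTS, HOST_IPS, DOMAIN_CONTROLLERS):
        print(alert)
```

The ordering constraint (EDR, then AD, then firewall) and the shared host key are what turn three medium-confidence signals into one P1: a single SMB connection to a domain controller is routine, and a lone EDR detection on WS-099 remains a normal Tier 1 alert rather than a confirmed incident.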
Use Case 5: Data Exfiltration
Rule: More than 500MB of outbound data
to a domain that is < 30 days old
between 2:00 AM and 5:00 AM
→ Alert: "Possible Data Exfiltration"
→ Context: Affected host, user, data volume
SIEM Market: Leading Solutions
| Solution | Vendor | Positioning |
|---|---|---|
| Microsoft Sentinel | Microsoft | Cloud-native, excellent for M365/Azure |
| Splunk Enterprise Security | Cisco/Splunk | Powerful enterprise standard, expensive |
| IBM QRadar | IBM | Enterprise, on-premises strength |
| Google Chronicle | Google | Cloud-native, AI integration |
| Elastic SIEM | Elastic | Open-source foundation, highly flexible |
| LogRhythm | LogRhythm | Mid-market SIEM + SOAR |
| Wazuh | Wazuh (Open Source) | Free, very suitable for SMBs |
SOAR - Security Orchestration, Automation, and Response
SOAR complements SIEM with automated response:
# Example SOAR Playbook: Phishing Alert
trigger: SIEM Alert "Phishing email detected"
actions:
1. Automatically quarantine the email
2. Search for and delete all similar emails in mailboxes
3. Blacklist sender domain
4. Notify affected users
5. Create ticket in ITSM
6. Notify SOC analyst via Slack
# Manual: Analyst confirms and closes ticket
SOAR reduces Mean Time to Respond (MTTR) from hours to minutes.
SOC Models: In-House SOC vs. MSSP
In-House SOC
Advantages:
- Full control and data sovereignty
- Deep organizational knowledge (systems, processes, business context)
- No data sharing with third parties
Disadvantages:
- High costs: 3–5 full-time analysts for 24/7 coverage, plus SIEM license
- Difficult recruitment (skills shortage)
- High false positive rate in the early years (tuning required)
Annual costs (estimate, Germany):
- 3 Tier-1 analysts (24/7 in shifts): ~€300,000/year
- 1 Tier-2/3 analyst: ~€90,000/year
- SIEM license (Microsoft Sentinel / Splunk): €50,000–€500,000/year
- Total: €500,000 – €1 million/year
MSSP – Managed Security Service Provider
Advantages:
- Operational immediately (weeks instead of months)
- 24/7 coverage without in-house recruitment challenges
- Comprehensive threat intelligence (multi-tenant visibility)
- Predictable monthly costs
Disadvantages:
- Data sharing with third-party providers (consider data protection)
- Less company-specific knowledge at the outset
- Dependence on the provider
Market leaders in Germany, Austria, and Switzerland (DACH): Telekom Security, NTT Security, Atos, Controlware, DXC.
Hybrid Model (SOC-as-a-Service supplemented internally)
Often ideal for mid-sized businesses:
- Internal IT/Security: Configuration, asset management, business context
- MSSP: 24/7 monitoring and Tier 1 triage
- Escalation to internal experts or MSSP Tier 2
KPIs for SOC Performance
| KPI | Description | Target Value |
|---|---|---|
| MTTD | Mean Time to Detect (How long until an attack is detected?) | < 1 hour |
| MTTR | Mean Time to Respond (How long until a response?) | < 4 hours |
| False Positive Rate | Percentage of alerts that are not actual issues | < 10% |
| Alert Backlog | Unprocessed alerts in queue | 0 |
| Coverage | % of systems sending logs | > 95% |
| Dwell Time | How long was the attacker undetected? | < 7 days |
Compliance Requirements
NIS2 Art. 21: Monitoring and anomaly detection explicitly required for critical infrastructure.
ISO 27001 A.8.15 (Logging): Activity logging; A.5.25 (Incident Response) – SOC is the organizational implementation.
BSI IT-Grundschutz DER.1: Detection of security incidents – detailed requirements for monitoring.
DORA (Financial Sector): Art. 11 – continuous ICT monitoring is mandatory for financial institutions.
Implementation Roadmap: SOC in 12 Months
Months 1–2: SIEM deployment, connect log sources (AD, firewall, EDR)
Months 3–4: Develop basic use cases (15–20 rules), reduce false positive rate
Months 5–6: SOAR integration, initial automations
Months 7–9: Introduce threat hunting, activate UEBA
Months 10–12: 24/7 operation, Tier 1 team trained
Alternative: MSSP for the first 12–24 months, while building internal expertise in parallel.
About the Author
Managing partner of AWARE7 GmbH with many years of expertise in information security, penetration testing, and IT risk management. Graduate of the Master's programme in Internet Security at Westfälische Hochschule (if(is), Prof. Norbert Pohlmann). Bestselling author with Wiley-VCH and lecturer at the ASW-Akademie. His assessments of cybersecurity and digital sovereignty have appeared in Welt am Sonntag, WDR, Deutschlandfunk, and Handelsblatt, among others.
10 publications
- Einsatz von elektronischer Verschlüsselung - Hemmnisse für die Wirtschaft (2018)
- Kompass IT-Verschlüsselung - Orientierungshilfen für KMU (2018)
- IT Security Day 2025 - Live Hacking: KI in der Cybersicherheit (2025)
- Live Hacking - Credential Stuffing: Finanzrisiken jenseits Ransomware (2025)
- Keynote: Live Hacking Show - Ein Blick in die Welt der Cyberkriminalität (2025)
- Analyse von Angriffsflächen bei Shared-Hosting-Anbietern (2024)
- Gänsehaut garantiert: Die schaurigsten Funde aus dem Leben eines Pentesters (2022)
- IT Security Zertifizierungen — CISSP, T.I.S.P. & Co (Live-Webinar) (2023)
- Sicherheitsforum Online-Banking — Live Hacking (2021)
- Nipster im Netz und das Ende der Kreidezeit (2017)