
Cloud SIEM — Sentinel, Security Hub & Chronicle Guide

DodaTech Updated 2026-06-24 4 min read

In this tutorial, you'll learn about Cloud SIEM. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

Cloud SIEM platforms aggregate security logs from across your cloud environment using tools like Microsoft Sentinel, AWS Security Hub, and Google Chronicle to detect, investigate, and respond to threats in real time.

What You Will Learn

How to deploy a cloud-native SIEM, write detection rules, integrate threat intelligence feeds, and automate Incident Response across AWS, Azure, and GCP.

Why It Matters

Without a SIEM, security teams drown in alerts from dozens of services. A cloud SIEM correlates events across accounts, regions, and providers to find real attacks among the noise.

Real-World Use

DodaTech's security team ingests 50 TB of logs daily into Sentinel. Custom analytics rules detect privilege escalation within seconds and trigger automatic remediation playbooks.

SIEM Data Flow

flowchart LR
  Sources[Cloud Sources\nCloudTrail, VPC Flow Logs\nAzure Activity, GCP Audit Logs] --> Ingestion[Log Ingestion]
  Ingestion --> Normalization[Parsing & Normalization]
  Normalization --> Detection[Detection Engine\nAnalytics Rules]
  Detection --> Alert[Alert Generation]
  Alert --> Incident[Incident Management]
  Incident --> Response[Automated Response\nPlaybooks]
  
  ThreatIntel[Threat Intelligence Feeds] --> Detection
  
  style Detection fill:#f90,color:#fff

AWS Security Hub

Security Hub aggregates findings from GuardDuty, Inspector, Macie, Firewall Manager, and third-party tools. It applies compliance standards like CIS and PCI DSS.

# Enable Security Hub
aws securityhub enable-security-hub \
  --enable-default-standards

# Ingest findings from GuardDuty (ASFF also requires CreatedAt, UpdatedAt and Resources;
# the timestamps and role ARN below are placeholders)
aws securityhub batch-import-findings \
  --findings '[
    {
      "SchemaVersion": "2018-10-08",
      "Id": "arn:aws:guardduty:...:finding/abc123",
      "ProductArn": "arn:aws:securityhub:...:product/aws/guardduty",
      "GeneratorId": "guardduty-detector",
      "AwsAccountId": "123456789012",
      "Types": ["TTPs/PrivilegeEscalation"],
      "CreatedAt": "2026-06-24T10:04:30.000Z",
      "UpdatedAt": "2026-06-24T10:04:30.000Z",
      "Severity": {"Product": 7.5, "Label": "HIGH"},
      "Title": "IAM role escalation detected",
      "Description": "User admin attempted to PassRole with elevated privileges",
      "Resources": [{"Type": "AwsIamRole", "Id": "arn:aws:iam::123456789012:role/example-role"}]
    }
  ]'

# List active findings by severity
aws securityhub get-findings \
  --filters '{"SeverityLabel": [{"Value": "HIGH", "Comparison": "EQUALS"}]}' \
  --query 'Findings[*].[Title,Severity.Label,FirstObservedAt]' \
  --output table
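Before a finding reaches batch-import-findings it has to satisfy the ASFF schema, and a rejected batch is easy to miss in an automation pipeline. The following is an added example (not code from DodaTech or AWS) that builds an ASFF record from a 0-10 product score and checks it for the required fields, a severity label that matches the normalized score, and ISO 8601 timestamps. It uses only the Python standard library; the account id, region, role ARN and generator id are constructed placeholders, and the required-field list and severity bands follow the published ASFF schema.

```python
"""Build and validate an ASFF (AWS Security Finding Format) record before it
is handed to `aws securityhub batch-import-findings`.

Added example for this page, not code from DodaTech or AWS. Account id,
region, role ARN and generator id are constructed placeholders.
"""
import re
from datetime import datetime, timezone

# Attributes Security Hub refuses to import a finding without.
REQUIRED_FIELDS = (
    "SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId",
    "Types", "CreatedAt", "UpdatedAt", "Severity", "Title", "Description",
    "Resources",
)

# Severity.Normalized (0-100) bands and the Severity.Label each one maps to.
SEVERITY_BANDS = (
    (0, 0, "INFORMATIONAL"),
    (1, 39, "LOW"),
    (40, 69, "MEDIUM"),
    (70, 89, "HIGH"),
    (90, 100, "CRITICAL"),
)

# ASFF timestamps are ISO 8601 in UTC, e.g. 2026-06-24T10:04:30.000Z
ISO_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,6})?Z$")


def severity_label(normalized):
    """Return the ASFF label for a normalized 0-100 severity score."""
    for low, high, label in SEVERITY_BANDS:
        if low <= normalized <= high:
            return label
    raise ValueError(f"normalized severity out of range: {normalized}")


def asff_timestamp(when):
    """Format a datetime as the millisecond-precision UTC string ASFF uses."""
    when = when.astimezone(timezone.utc)
    return when.strftime("%Y-%m-%dT%H:%M:%S.") + f"{when.microsecond // 1000:03d}Z"


def build_finding(account_id, region, product_score, title, description,
                  resource_arn, finding_types, when=None):
    """Assemble an importable finding from a product score on a 0-10 scale.

    ProductArn is the account's default custom-integration product: only
    GuardDuty itself may publish under the GuardDuty product ARN.
    """
    stamp = asff_timestamp(when or datetime.now(timezone.utc))
    normalized = int(round(product_score * 10))        # 7.5 -> 75 -> HIGH
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"{region}/{account_id}/{finding_types[0]}/{resource_arn}",
        "ProductArn": f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default",
        "GeneratorId": "custom-iam-monitor",             # constructed name
        "AwsAccountId": account_id,
        "Types": list(finding_types),
        "CreatedAt": stamp,
        "UpdatedAt": stamp,
        "Severity": {"Product": product_score, "Normalized": normalized,
                     "Label": severity_label(normalized)},
        "Title": title,
        "Description": description,
        "Resources": [{"Type": "AwsIamRole", "Id": resource_arn, "Region": region}],
    }


def validate_finding(finding):
    """Return the list of problems; an empty list means the record will import."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if f not in finding]
    sev = finding.get("Severity", {})
    if "Normalized" in sev and "Label" in sev and severity_label(sev["Normalized"]) != sev["Label"]:
        problems.append("Severity.Label does not match Severity.Normalized")
    for key in ("CreatedAt", "UpdatedAt"):
        if key in finding and not ISO_UTC.match(finding[key]):
            problems.append(f"{key} is not an ISO 8601 UTC timestamp")
    if "Resources" in finding and not finding["Resources"]:
        problems.append("Resources must name at least one affected resource")
    return problems


if __name__ == "__main__":
    import json
    finding = build_finding("123456789012", "us-east-1", 7.5,
                            "IAM role escalation detected",
                            "User admin attempted to PassRole with elevated privileges",
                            "arn:aws:iam::123456789012:role/example-role",
                            ["TTPs/PrivilegeEscalation"])
    print(json.dumps([finding], indent=2))   # feed this array to --findings
    print(validate_finding(finding))         # [] when importable
```

Run validate_finding on every record before the CLI call; a non-empty list is the reason the batch would come back in FailedFindings rather than being silently accepted with the wrong severity.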

Microsoft Sentinel

Sentinel is Azure's cloud-native SIEM built on Log Analytics. It uses Kusto Query Language for detection rules and Logic Apps for automation.

# Deploy Sentinel on a Log Analytics workspace
az sentinel create \
  --resource-group prod-rg \
  --workspace-name prod-loganalytics

# Create an analytics rule detecting multiple failed logins
az sentinel alert-rule create \
  --resource-group prod-rg \
  --workspace-name prod-loganalytics \
  --rule-name "Multiple Failed Logins" \
  --display-name "Detect brute force attempts" \
  --query-frequency PT5M \
  --query-period PT5M \
  --severity Medium \
  --trigger-operator GreaterThan \
  --trigger-threshold 10 \
  --query 'SigninLogs | where ResultType != "0" | summarize FailedCount = count() by IPAddress, UserPrincipalName | where FailedCount > 10'

# List installed threat intelligence indicators
az sentinel threat-indicator list \
  --resource-group prod-rg \
  --workspace-name prod-loganalytics
# Output:
# [
#   {
#     "name": "suspicious-ip-1",
#     "pattern": "203.0.113.0/24",
#     "patternType": "ipv4-addr",
#     "threatTypes": ["malicious-activity"]
#   }
# ]

Google Chronicle

Chronicle is Google's security analytics platform that ingests logs from GCP, on-premises, and third-party sources with built-in threat intelligence.

# Create a log ingestion rule for VPC flow logs
gcloud chronicle rules create \
  --project my-project \
  --location us \
  --rule-file vpc-flow-rule.yaml

# vpc-flow-rule.yaml content:
# rule:
#   name: detect_port_scanning
#   description: Detects port scanning activity
#   events:
#     - event_type: NETWORK_CONNECTION
#       conditions:
#         - destination_ip: $dest_ip
#         - destination_port: $dest_port
#         - source_ip: $source_ip
#   condition:
#     - event.destination_port != 0 and event.timestamp > 30m
#   outcome:
#     - $source_ip = $source_ip
#     - $destination_ports = array_distinct(collection(event.destination_port))

# Search for a domain in threat intelligence
gcloud chronicle udm search \
  --query 'security_result.threat_name = "EMOTET" AND metadata.event_type = "NETWORK_CONNECTION"' \
  --start-time 2026-06-01T00:00:00Z
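The YAML above only sketches the port-scan logic; what the rule actually has to do is keep a 30-minute sliding window per source and count distinct destination ports in it. The following is an added example (not Chronicle's YARA-L engine and not code from this page) that implements that detector in Python over constructed NETWORK_CONNECTION-style records. The record layout is an assumption made here, with UDM-like field names (metadata.event_timestamp, principal.ip, target.ip, target.port); real UDM records carry lists for some of these. It also shows the failure mode a windowed rule has by design: a scan slower than window divided by threshold never trips it.

```python
"""Distinct-destination-port detector: the logic the page's Chronicle rule
sketch describes (one source reaching many ports on a host within 30 minutes).

Added example for this page, not Chronicle's engine or the page's YAML. The
records are constructed and use UDM-like field names as an assumption.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_port_scans(events, window=timedelta(minutes=30), min_ports=20):
    """Sliding window over time-ordered events: keep the last `window` of
    (time, port) per (src, dst) pair and alert once when the distinct-port
    count reaches `min_ports`. A scan slower than window/min_ports stays under it."""
    events = sorted(events, key=lambda e: e["time"])
    recent = defaultdict(deque)        # (src_ip, dst_ip) -> deque of (time, port)
    alerted = set()
    alerts = []
    for e in events:
        key = (e["src_ip"], e["dst_ip"])
        q = recent[key]
        q.append((e["time"], e["dst_port"]))
        while e["time"] - q[0][0] > window:      # expire entries older than the window
            q.popleft()
        ports = {port for _, port in q}
        if len(ports) >= min_ports and key not in alerted:
            alerted.add(key)
            alerts.append({"src_ip": key[0], "dst_ip": key[1],
                           "distinct_ports": len(ports),
                           "first_seen": q[0][0].isoformat(),
                           "last_seen": e["time"].isoformat()})
    return alerts


def udm_to_event(record):
    """Flatten a UDM-style NETWORK_CONNECTION record to the fields the rule needs."""
    return {"time": parse_ts(record["metadata"]["event_timestamp"]),
            "src_ip": record["principal"]["ip"],
            "dst_ip": record["target"]["ip"],
            "dst_port": record["target"]["port"]}


def sample_records():
    """Constructed traffic: a fast scanner (25 ports, one every 10 s), a slow
    scanner (25 ports, one every 5 min) and a normal client repeating port 443."""
    base = datetime(2026, 6, 24, 12, 0, tzinfo=timezone.utc)

    def rec(offset, src, dst, port):
        ts = (base + offset).strftime("%Y-%m-%dT%H:%M:%SZ")
        return {"metadata": {"event_type": "NETWORK_CONNECTION", "event_timestamp": ts},
                "principal": {"ip": src}, "target": {"ip": dst, "port": port}}

    records = [rec(timedelta(seconds=10 * p), "203.0.113.9", "10.0.0.5", p) for p in range(1, 26)]
    records += [rec(timedelta(minutes=5 * p), "203.0.113.10", "10.0.0.5", 1000 + p) for p in range(25)]
    records += [rec(timedelta(seconds=2 * n), "198.51.100.20", "10.0.0.5", 443) for n in range(300)]
    return records


def run(window=timedelta(minutes=30)):
    return detect_port_scans([udm_to_event(r) for r in sample_records()], window=window)


if __name__ == "__main__":
    for alert in run():
        print(alert)   # only 203.0.113.9 with distinct_ports 20; the slow scanner stays hidden
```

With the default 30-minute window only the fast scanner is reported; widening the window to three hours (run(timedelta(hours=3))) also catches the slow one, which is the trade-off the "Tune threshold-based rules over time" advice below refers to: a longer window raises recall on slow scans at the cost of memory per pair and more benign pairs crossing the threshold.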

Detection Rule Best Practices

Write rules that minimize false positives. Start with high-severity, low-volume signals like privilege escalation. Tune threshold-based rules over time using historical data.

Common Mistakes

  1. Ingesting all logs without filtering: Raw log ingestion explodes costs and noise. Focus on high-value sources like CloudTrail, Azure Activity, and VPC flow logs.
  2. Not normalizing log formats: Different sources use different field names. Normalize to a common schema like OCSF or CEF before analysis.
  3. Alert fatigue from poorly tuned rules: Every alert should require human review. Tune rules to reduce false positives before enabling production notifications.
  4. Missing cross-cloud correlation: Threats often span multiple clouds. A SIEM that only sees AWS misses Azure or GCP activity from the same attacker.
  5. No automated response playbooks: Detection without response wastes time. Integrate with SOAR tools or cloud automation to contain threats automatically.

Practice Questions

  1. What is the difference between AWS Security Hub and Amazon GuardDuty?
  2. How does Microsoft Sentinel use KQL for threat detection?
  3. What log sources should you prioritize ingesting into a cloud SIEM?
  4. How can threat intelligence feeds improve SIEM detection rates?
  5. What is the role of playbooks in Incident Response automation?

Challenge

Deploy a multi-cloud SIEM architecture. Ingest AWS CloudTrail logs into Security Hub, Azure Activity logs into Sentinel, and GCP Audit Logs into Chronicle. Write at least one detection rule per platform that alerts on suspicious IAM activity. Design a playbook that automatically disables a compromised IAM user across all three clouds.

FAQ

What is a cloud SIEM?

A security information and event management system that aggregates logs from cloud services to detect and respond to threats.

How is AWS Security Hub different from GuardDuty?

Security Hub aggregates and correlates findings from multiple services. GuardDuty is a single threat detection service for AWS.

Does Microsoft Sentinel support third-party data sources?

Yes. Sentinel uses the Common Event Format connector for syslog and CEF-compatible sources.

What is Google Chronicle?

Google's cloud-native SIEM platform built on BigQuery with built-in threat intelligence and UDM search.

How much log data should I ingest?

Start with critical security logs and expand based on budget and investigation needs. Most teams ingest 10-50 GB per day.
