Cloud SIEM — Sentinel, Security Hub & Chronicle Guide
In this tutorial, you'll learn about Cloud SIEM. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.
Cloud SIEM platforms aggregate security logs from across your cloud environment using tools like Microsoft Sentinel, AWS Security Hub, and Google Chronicle to detect, investigate, and respond to threats in real time.
What You Will Learn
How to deploy a cloud-native SIEM, write detection rules, integrate threat intelligence feeds, and automate incident response across AWS, Azure, and GCP.
Why It Matters
Without a SIEM, security teams drown in alerts from dozens of services. A cloud SIEM correlates events across accounts, regions, and providers to find real attacks among the noise.
Real-World Use
DodaTech's security team ingests 50 TB of logs daily into Sentinel. Custom analytics rules detect privilege escalation within seconds and trigger automatic remediation playbooks.
SIEM Data Flow
flowchart LR
    Sources[Cloud Sources\nCloudTrail, VPC Flow Logs\nAzure Activity, GCP Audit Logs] --> Ingestion[Log Ingestion]
    Ingestion --> Normalization[Parsing & Normalization]
    Normalization --> Detection[Detection Engine\nAnalytics Rules]
    Detection --> Alert[Alert Generation]
    Alert --> Incident[Incident Management]
    Incident --> Response[Automated Response\nPlaybooks]
    ThreatIntel[Threat Intelligence Feeds] --> Detection
    style Detection fill:#f90,color:#fff
AWS Security Hub
Security Hub aggregates findings from GuardDuty, Inspector, Macie, Firewall Manager, and third-party tools into one normalized format (ASFF), and evaluates your accounts against compliance standards such as CIS and PCI DSS.
# Enable Security Hub in the current region and subscribe to the default standards
aws securityhub enable-security-hub \
    --enable-default-standards

# Import a finding in ASFF (AWS Security Finding Format). GuardDuty findings flow in on
# their own once the GuardDuty integration is enabled; batch-import-findings is meant for
# findings you generate yourself, which must carry your own product ARN
# (arn:aws:securityhub:<region>:<account-id>:product/<account-id>/default).
# CreatedAt, UpdatedAt and Resources are required ASFF fields.
aws securityhub batch-import-findings \
    --findings '[
      {
        "SchemaVersion": "2018-10-08",
        "Id": "arn:aws:guardduty:...:finding/abc123",
        "ProductArn": "arn:aws:securityhub:...:product/aws/guardduty",
        "GeneratorId": "guardduty-detector",
        "AwsAccountId": "123456789012",
        "Types": ["TTPs/PrivilegeEscalation"],
        "CreatedAt": "2026-06-01T12:00:00Z",
        "UpdatedAt": "2026-06-01T12:00:00Z",
        "Severity": {"Product": 7.5, "Label": "HIGH"},
        "Title": "IAM role escalation detected",
        "Description": "User admin attempted to PassRole with elevated privileges",
        "Resources": [{"Type": "AwsIamUser", "Id": "arn:aws:iam::123456789012:user/admin"}]
      }
    ]'

# List active (not archived) HIGH-severity findings
aws securityhub get-findings \
    --filters '{"SeverityLabel": [{"Value": "HIGH", "Comparison": "EQUALS"}],
                "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}]}' \
    --query 'Findings[*].[Title,Severity.Label,FirstObservedAt]' \
    --output table
Microsoft Sentinel
Sentinel is Azure's cloud-native SIEM built on Log Analytics. Detection rules are written in Kusto Query Language (KQL) and automation runs through Logic Apps playbooks.
# The az sentinel commands come from the "sentinel" CLI extension (az extension add --name sentinel)
# Deploy Sentinel on a Log Analytics workspace
az sentinel create \
    --resource-group prod-rg \
    --workspace-name prod-loganalytics

# Create a scheduled analytics rule that detects repeated failed sign-ins.
# The KQL already narrows results to (IP, user) pairs with more than 10 failures,
# so the trigger threshold is 0: alert as soon as the query returns any row.
# A threshold of 10 here would instead require more than 10 offending pairs per run.
az sentinel alert-rule create \
    --resource-group prod-rg \
    --workspace-name prod-loganalytics \
    --rule-name "Multiple Failed Logins" \
    --display-name "Detect brute force attempts" \
    --query-frequency PT5M \
    --query-period PT5M \
    --severity Medium \
    --trigger-operator GreaterThan \
    --trigger-threshold 0 \
    --query 'SigninLogs
        | where ResultType != "0"
        | summarize FailedCount = count() by IPAddress, UserPrincipalName
        | where FailedCount > 10'
# List installed threat intelligence indicators
az sentinel threat-indicator list \
    --resource-group prod-rg \
    --workspace-name prod-loganalytics
# Output:
# [
#   {
#     "name": "suspicious-ip-1",
#     "pattern": "203.0.113.0/24",
#     "patternType": "ipv4-addr",
#     "threatTypes": ["malicious-activity"]
#   }
# ]
Google Chronicle
Chronicle is Google's security analytics platform that ingests logs from GCP, on-premises, and third-party sources with built-in threat intelligence.
# Create a detection rule over VPC flow logs (Chronicle rules are written in YARA-L 2.0)
gcloud chronicle rules create \
    --project my-project \
    --location us \
    --rule-file vpc-flow-rule.yaral

# vpc-flow-rule.yaral content:
# rule detect_port_scanning {
#   meta:
#     description = "Detects port scanning: one source connecting to many distinct ports within 30 minutes"
#   events:
#     $e.metadata.event_type = "NETWORK_CONNECTION"
#     $e.principal.ip = $source_ip
#     $e.target.port != 0
#   match:
#     $source_ip over 30m
#   outcome:
#     $destination_ports = array_distinct($e.target.port)
#     $distinct_port_count = count_distinct($e.target.port)
#   condition:
#     // 50 distinct ports per source per window is a starting threshold; tune it to your environment
#     $e and $distinct_port_count > 50
# }

# Search UDM events for a named threat in the network connection logs
gcloud chronicle udm search \
    --query 'security_result.threat_name = "EMOTET" AND metadata.event_type = "NETWORK_CONNECTION"' \
    --start-time 2026-06-01T00:00:00Z
Detection Rule Best Practices
Write rules that minimize false positives. Start with high-severity, low-volume signals like privilege escalation. Tune threshold-based rules over time using historical data.
Common Mistakes
- Ingesting all logs without filtering: Raw log ingestion explodes costs and noise. Focus on high-value sources like CloudTrail, Azure Activity, and VPC flow logs.
- Not normalizing log formats: Different sources use different field names. Normalize to a common schema like OCSF or CEF before analysis.
- Alert fatigue from poorly tuned rules: Every alert that fires should deserve a human's attention. Tune rules to reduce false positives before enabling production notifications.
- Missing cross-cloud correlation: Threats often span multiple clouds. A SIEM that only sees AWS misses Azure or GCP activity from the same attacker.
- No automated response playbooks: Detection without response wastes time. Integrate with SOAR tools or cloud automation to contain threats automatically.
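As an added example that is not part of the original page, the Python below normalizes constructed CloudTrail, Azure SigninLogs and GCP Cloud Audit Log records into a small common schema and then counts failed sign-ins per source IP across all three clouds, which is the correlation the normalization and cross-cloud points above call for. The common schema's field names, the sample records and the threshold of 10 (matching the Sentinel rule above) are assumptions.

```python
# Added example, not the page's code: normalize CloudTrail, Azure SigninLogs and GCP audit
# records into an assumed common schema, then detect failed sign-ins per IP across clouds.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def normalize(record):
    """Map one raw audit record onto {cloud, time, user, src_ip, success}."""
    if "eventSource" in record:  # AWS CloudTrail (ConsoleLogin "Failure" marks a failed login)
        ok = record.get("responseElements", {}).get("ConsoleLogin") != "Failure"
        return {"cloud": "aws", "time": record["eventTime"], "src_ip": record["sourceIPAddress"],
                "user": record["userIdentity"].get("userName"), "success": ok}
    if "ResultType" in record:  # Azure AD SigninLogs (ResultType "0" is success)
        return {"cloud": "azure", "time": record["TimeGenerated"], "src_ip": record["IPAddress"],
                "user": record["UserPrincipalName"], "success": record["ResultType"] == "0"}
    if "protoPayload" in record:  # GCP Cloud Audit Logs (status.code absent or 0 is success)
        p = record["protoPayload"]
        return {"cloud": "gcp", "time": record["timestamp"], "src_ip": p["requestMetadata"]["callerIp"],
                "user": p["authenticationInfo"].get("principalEmail"),
                "success": p.get("status", {}).get("code", 0) == 0}
    raise ValueError("unrecognized log format")

def failed_logins_by_ip(events, window=timedelta(minutes=5), threshold=10):
    """Sliding-window failure count per source IP; returns {ip: {count, clouds}} above threshold."""
    by_ip = defaultdict(list)
    for e in events:
        if not e["success"]:
            by_ip[e["src_ip"]].append((datetime.fromisoformat(e["time"].replace("Z", "+00:00")), e["cloud"]))
    alerts = {}
    for ip, hits in by_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window start forward
                start += 1
            if end - start + 1 > threshold:
                alerts[ip] = {"count": end - start + 1, "clouds": sorted({c for _, c in hits[start:end + 1]})}
    return alerts

def sample_events():
    """Constructed sample: 12 failures from 203.0.113.7 (6 via AWS, 6 via Azure) in one minute, plus a GCP success."""
    base = datetime(2026, 6, 1, 12, 0, tzinfo=timezone.utc)
    raw = [{"protoPayload": {"authenticationInfo": {"principalEmail": "dev@example.com"},
            "requestMetadata": {"callerIp": "198.51.100.9"}}, "timestamp": "2026-06-01T12:00:00Z"}]
    for i in range(6):
        t = (base + timedelta(seconds=10 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        raw.append({"eventSource": "signin.amazonaws.com", "eventTime": t, "sourceIPAddress": "203.0.113.7",
                    "userIdentity": {"userName": "admin"}, "responseElements": {"ConsoleLogin": "Failure"}})
        raw.append({"ResultType": "50126", "TimeGenerated": t, "IPAddress": "203.0.113.7",
                    "UserPrincipalName": "admin@example.com"})
    return [normalize(r) for r in raw]
```

Run on the sample, each cloud alone shows only 6 failures and stays silent; only the merged view crosses the threshold, which is the point of normalizing before correlating.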
Practice Questions
- What is the difference between AWS Security Hub and Amazon GuardDuty?
- How does Microsoft Sentinel use KQL for threat detection?
- What log sources should you prioritize ingesting into a cloud SIEM?
- How can threat intelligence feeds improve SIEM detection rates?
- What is the role of playbooks in incident response automation?
Challenge
Deploy a multi-cloud SIEM architecture. Ingest AWS CloudTrail logs into Security Hub, Azure Activity logs into Sentinel, and GCP Audit Logs into Chronicle. Write at least one detection rule per platform that alerts on suspicious IAM activity. Design a playbook that automatically disables a compromised IAM user across all three clouds.