Further Reading: SIEM, Logging, and Correlation

Curated, annotated resources for going deeper. Each entry notes which learning path it best serves: 🛡️ SOC · 🏗️ Engineer · 📋 GRC · 📜 Cert. Tier-1 (verified canonical) and Tier-2 (attributed) sources only. A suggested reading order is at the end.


Standards & primary documents (Tier 1)

NIST Special Publication 800-92, Guide to Computer Security Log Management (2006). The foundational government guidance on building a log-management program: what to log, how to collect and store it, retention, and operational roles. Older than the modern SIEM/SOAR vocabulary but still the clearest articulation of why and how to manage logs centrally; NIST published a draft Revision 1 (retitled Cybersecurity Log Management Planning Guide) in 2023 that reframes the same material around planning. (📋 GRC, 🏗️ Engineer; read first.)

NIST Special Publication 800-53 Rev. 5, control family AU (Audit and Accountability). The control catalog's logging requirements, and what auditors and frameworks actually map to: audit event selection, record content, storage capacity, protection of audit information, retention, and time stamps. Pair AU-2 (event logging), AU-3 (content), AU-6 (review/analysis/reporting), AU-8 (time stamps), AU-9 (protection), AU-11 (retention), and AU-12 (generation) with this chapter. (📋 GRC, 📜 Cert.)

NIST Cybersecurity Framework (CSF) 2.0, DETECT (DE) function. Situates continuous monitoring and detection within a whole program; DE.CM (Continuous Monitoring) and DE.AE (Adverse Event Analysis) are the SIEM's home in the framework. Useful for connecting SOC work to governance language. (📋 GRC, 📜 Cert.)

MITRE ATT&CK (attack.mitre.org). The shared catalog of adversary tactics and techniques that detection use cases map to. Every correlation rule in this chapter cites an ATT&CK technique; learning to think in ATT&CK is how you reason about coverage (what you can and cannot detect, and where the gaps are). Indispensable, free, and the backbone of Chapter 22. (🛡️ SOC, 📜 Cert; read second.)

PCI DSS v4.0, Requirement 10 (Log and monitor all access to system components and cardholder data); the v4.0.1 revision published in 2024 keeps the same numbering. The concrete compliance driver for logging at an organization like Meridian: what must be logged (10.2), how logs must be protected from modification (10.3) and reviewed (10.4), minimum retention (10.5.1: at least twelve months, with the most recent three months immediately available for analysis), and time synchronization (10.6). Shows that logging is the floor, not just good practice. (📋 GRC, 📜 Cert.)

Microsoft, Kusto Query Language (KQL) documentation (learn.microsoft.com). The authoritative reference for KQL, used by Microsoft Sentinel and by advanced hunting in Microsoft Defender XDR (formerly Microsoft 365 Defender). Start with the tutorial and the where/summarize/join operators, the pipeline verbs this chapter introduced. (🛡️ SOC, 🏗️ Engineer.)

Splunk, Search Reference and Search Tutorial (docs.splunk.com). The canonical SPL documentation; the stats, eval, transaction, and tstats commands cover the aggregation and correlation this chapter sketched (tstats runs against accelerated data models, which is where CIM-compliant data pays off at scale). The Common Information Model (CIM) docs explain Splunk's normalization model. (🛡️ SOC, 🏗️ Engineer.)


Detection-as-code & rules (Tier 1)

Sigma, Generic Signature Format for SIEM Systems (github.com/SigmaHQ/sigma). The open, vendor-neutral YAML format for writing a detection rule once and converting it to Splunk SPL, Elastic, Sentinel KQL, and more through the sigma-cli/pySigma toolchain and its backends; the lingua franca of detection-as-code introduced here and developed in Chapter 22. Browse the rule repository to see hundreds of real, peer-reviewed detections you can read and adapt, each tagged with the ATT&CK techniques it covers. (🛡️ SOC, 🏗️ Engineer; essential next step.)

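To make the format concrete, here is an added example (my code, not the SigmaHQ project's or pySigma's) that evaluates a small Sigma-style rule against constructed process-creation events. The rule, the events, the filter's parent image, and the helper names are assumptions; the encoded-PowerShell logic stands in for the real rules in the repository. It implements only the core detection semantics (AND within a map, OR within a list, the contains/startswith/endswith and all modifiers, and/or/not conditions with parentheses) and leaves keyword lists, `1 of selection*`, aggregations and regex modifiers to the real converters.

```python
"""Minimal Sigma rule evaluator: an added example, not SigmaHQ's pySigma code.
Semantics covered: a map is AND across fields, a list is OR across values (AND with
|all), contains/startswith/endswith modifiers, plain values with * and ? wildcards,
and/or/not conditions with parentheses; matching is case-insensitive per the spec."""
import fnmatch

# Constructed rule (a dict standing in for the YAML file); the filter's value is hypothetical.
RULE = {
    "title": "Encoded PowerShell Command Line",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["-enc ", "-EncodedCommand"],
        },
        "filter_mgmt_agent": {"ParentImage|endswith": "\\sccm_agent.exe"},
        "condition": "selection and not filter_mgmt_agent",
    },
    "tags": ["attack.execution", "attack.t1059.001"],
}

# Constructed process-creation events with Sysmon-style field names.
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},                            # true positive
    {"id": 2, "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAA=",
     "ParentImage": r"C:\Program Files\Corp\sccm_agent.exe"},                    # removed by filter
    {"id": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},                         # benign
    {"id": 4, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo -enc test",
     "ParentImage": r"C:\Windows\explorer.exe"},                                 # Image fails the AND
]

_OPS = {"contains": lambda v, p: p in v, "startswith": str.startswith,
        "endswith": str.endswith, None: fnmatch.fnmatchcase}   # None = plain value, * and ? wildcards

def _match_value(value, pattern, modifier):
    """Compare one event field with one rule value, case-insensitively."""
    if modifier not in _OPS:
        raise ValueError(f"unsupported modifier: {modifier}")
    return value is not None and _OPS[modifier](str(value).lower(), str(pattern).lower())

def _match_selection(selection, event):
    """A list of maps is OR across maps; a map is AND across its fields."""
    if isinstance(selection, list):
        return any(_match_selection(s, event) for s in selection)
    for key, patterns in selection.items():
        field, *mods = key.split("|")
        modifier = next((m for m in mods if m != "all"), None)
        values = patterns if isinstance(patterns, list) else [patterns]
        hits = [_match_value(event.get(field), p, modifier) for p in values]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True

def _eval_condition(condition, results):
    """Recursive-descent evaluation of e.g. 'a and not (b or c)' over selection results."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split() + ["$"]  # "$" ends input
    pos = 0

    def parse_binary(op, operand):           # left-associative chain of one operator
        nonlocal pos
        left = operand()
        while tokens[pos] == op:
            pos += 1
            right = operand()                # always parse the right side; no short-circuit
            left = (left or right) if op == "or" else (left and right)
        return left

    def parse_not():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok == "not":
            return not parse_not()
        if tok == "(":
            inner = parse_binary("or", lambda: parse_binary("and", parse_not))
            if tokens[pos] != ")":
                raise ValueError("unbalanced parentheses in condition")
            pos += 1
            return inner
        return results[tok]                  # KeyError: condition names an unknown selection

    value = parse_binary("or", lambda: parse_binary("and", parse_not))
    if tokens[pos] != "$":
        raise ValueError(f"trailing tokens in condition: {tokens[pos:-1]}")
    return value

def matches(rule, event):
    """True if the event satisfies the rule's detection condition."""
    detection = rule["detection"]
    results = {name: _match_selection(sel, event)
               for name, sel in detection.items() if name != "condition"}
    return _eval_condition(detection["condition"], results)

def matching_ids(rule, events):
    return [e["id"] for e in events if matches(rule, e)]   # [1] for RULE over EVENTS
```

Event 2 is the instructive one: the selection fires, but the `filter_mgmt_agent` exclusion removes it, which is exactly the kind of tuning decision a rule's condition line documents. Event 4 shows why a map is AND and not OR: the command line alone would be a false positive without the Image constraint. A real rule also carries `id`, `status`, `author`, `references`, `falsepositives` and `level`, and is converted with `sigma convert` rather than evaluated in Python.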
Elastic Common Schema (ECS) documentation (elastic.co). A widely used published schema for normalizing fields across sources; even if you do not run Elastic, ECS is a model worth studying for how to design a common schema (field naming, categorization, the event.category/event.type/event.outcome taxonomy). (🏗️ Engineer.)

OCSF, Open Cybersecurity Schema Framework (ocsf.io). A newer cross-vendor schema initiative for normalizing security telemetry, launched in 2022 by AWS, Splunk and a group of other vendors under open governance; Amazon Security Lake stores its events in OCSF. Relevant as the industry converges on shared event models. Read for where normalization standards are heading. (🏗️ Engineer.)


Operational practice & analytics (Tier 2)

MITRE, TTP-Based Hunting (2019) and the ATT&CK-driven detection literature. MITRE's guidance on building detections and hunts around adversary behavior (rather than brittle indicators such as hashes and IPs), the conceptual bridge from this chapter's correlation rules to Chapter 22's detection engineering. (🛡️ SOC.)

Industry writing on risk-based alerting (RBA) and detection engineering (widely discussed in SOC and vendor literature; specifics vary by source). The practice of accumulating weak signals into entity risk scores rather than binary-alerting on each, the antidote to alert fatigue previewed in §21.5 and extended in Chapter 34. Search current detection-engineering blogs and conference talks; treat specific numbers as illustrative. (🛡️ SOC, 🏗️ Engineer.)

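A worked illustration of the accumulation idea, added here and not drawn from any vendor's RBA implementation: each rule contributes a weighted observation to an entity's ledger, observations age out of a sliding window, and an alert fires only when the windowed total crosses a threshold while the contributing observations span several distinct ATT&CK techniques. The observations, scores, thresholds, rule names and technique IDs are constructed assumptions, in line with the passage's warning that specific numbers are illustrative.

```python
"""Risk-based alerting over a sliding window: an added example, not vendor code.
Each detection adds a weighted risk observation to an entity; an alert fires only
when the entity's windowed risk total crosses a threshold AND the observations
span several distinct ATT&CK techniques, so one noisy rule cannot page an analyst
by itself. Scores, thresholds, rule names and timestamps below are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed observations: (timestamp, entity_type, entity, rule, risk_score, technique).
# The first jdoe row is two days old and must age out of the 24-hour window.
OBSERVATIONS = [
    ("2024-05-01T09:00:00", "user", "jdoe",    "Encoded PowerShell",                    30, "T1059.001"),
    ("2024-05-03T08:02:00", "user", "jdoe",    "Encoded PowerShell",                    30, "T1059.001"),
    ("2024-05-03T08:10:00", "user", "jdoe",    "LSASS handle from non-system process",  40, "T1003.001"),
    ("2024-05-03T09:30:00", "user", "mwilson", "Encoded PowerShell",                    30, "T1059.001"),
    ("2024-05-03T09:45:00", "user", "mwilson", "Encoded PowerShell",                    30, "T1059.001"),
    ("2024-05-03T10:00:00", "user", "mwilson", "Encoded PowerShell",                    30, "T1059.001"),
    ("2024-05-03T10:15:00", "user", "mwilson", "Encoded PowerShell",                    30, "T1059.001"),
    ("2024-05-03T11:00:00", "user", "jdoe",    "New scheduled task",                    25, "T1053.005"),
    ("2024-05-03T11:20:00", "user", "jdoe",    "Beacon to newly seen domain",           20, "T1071.001"),
    ("2024-05-03T12:00:00", "user", "jdoe",    "Encoded PowerShell",                    30, "T1059.001"),
]


def risk_alerts(observations, window_hours=24, threshold=100, min_techniques=3):
    """Return one alert per entity each time it crosses both risk gates."""
    window = timedelta(hours=window_hours)
    ledger = defaultdict(deque)      # entity -> (ts, score, technique, rule) inside the window
    over = defaultdict(bool)         # entity -> was it above the gates after its last observation?
    alerts = []
    for ts_text, etype, name, rule, score, technique in sorted(observations):
        ts = datetime.fromisoformat(ts_text)
        key = f"{etype}:{name}"
        bucket = ledger[key]
        bucket.append((ts, score, technique, rule))
        while ts - bucket[0][0] > window:     # age out observations older than the window
            bucket.popleft()
        total = sum(s for _, s, _, _ in bucket)
        techniques = sorted({t for _, _, t, _ in bucket})
        is_over = total >= threshold and len(techniques) >= min_techniques
        if is_over and not over[key]:         # fire on the crossing, not on every further hit
            alerts.append({"entity": key, "at": ts_text, "score": total,
                           "techniques": techniques, "rules": [r for *_, r in bucket]})
        over[key] = is_over
    return alerts


if __name__ == "__main__":
    for alert in risk_alerts(OBSERVATIONS):
        print(alert)   # one alert: user:jdoe at 11:20 with score 115 across four techniques
```

Two things the sample is built to show. First, mwilson accumulates 120 points from the same rule and never alerts, because the technique-diversity gate treats four hits of one noisy detection as one signal; with `min_techniques=1` that entity would page at 10:15. Second, jdoe's two-day-old observation has aged out, so the alert fires at 11:20 on the fourth technique rather than at 11:00, which is the behavior an analyst expects when they ask "what did this user do in the last day". Production implementations decay scores rather than dropping them at a hard edge and weight techniques by tactic, but the gates are the same.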
The SANS reading room and SOC survey material on alert fatigue and SOC operations (attributed; specifics vary). Practitioner-grounded discussions of analyst workload, false-positive rates, and SOC staffing that quantify the fatigue problem this chapter frames. Useful for GRC and leadership building the case for tuning and automation investment. (📋 GRC, 🛡️ SOC.)


Books (Tier 1)

Chris Sanders & Jason Smith, Applied Network Security Monitoring. A practitioner's guide to collection, detection, and analysis, and the source of the "collect what you can analyze" philosophy that underlies this chapter's collect-by-detection-value discipline. Excellent companion to Chapter 10 as well. (🛡️ SOC, 🏗️ Engineer.)

Richard Bejtlich, The Practice of Network Security Monitoring. The case for monitoring as a core discipline, with a clear treatment of why visibility (not just prevention) is essential: the book-length version of "logs are the ground truth." (🛡️ SOC.)

Chapple & Seidl, CompTIA Security+ Study Guide; Harris & Maymí, CISSP All-in-One Exam Guide. Both cover SIEM, logging, monitoring, and security operations at exam depth; use the security-operations chapters alongside this one and the key-takeaways.md crosswalk. (📜 Cert.)


Talks, labs & tools (Tier 1/2)

Free home-lab SIEMs. Stand one up and ingest your own logs (the §21.4 lab): a single-node Elastic Stack (Elasticsearch + Kibana), Splunk Enterprise under its free license (a daily ingest cap applies, which is fine for a lab), or Microsoft Sentinel on a trial tenant. The fastest way to internalize normalization, correlation, and querying is to do it on real data you own. (🛡️ SOC, 🏗️ Engineer.)

Public sample-log datasets: Splunk's Boss of the SOC (BOTS) datasets, the Open Threat Research Forge Security Datasets (formerly Mordor), and the published results of the MITRE ATT&CK Evaluations. Practice writing detections against labeled malicious and benign data, the foundation of detection testing in the detection-as-code workflow. (🛡️ SOC.)


Suggested reading order

  1. NIST SP 800-92: the why and how of log management (foundation).
  2. MITRE ATT&CK (browse a few techniques cited in this chapter): the language of detection.
  3. Your SIEM's query docs: the KQL or SPL tutorial; do the §21.4 lab against your own logs.
  4. Sigma rule repository: read real detections; this is detection-as-code made concrete.
  5. Sanders & Smith or Bejtlich: the monitoring philosophy, book-length.
  6. PCI DSS Req. 10 / NIST SP 800-53 AU (if GRC): the compliance floor for logging.

Then proceed to Chapter 22, which turns these rules and sources into a detection-engineering and threat-hunting program, where Sigma, ATT&CK coverage, and hypothesis-driven hunting come together.