Security Operations Monitoring Pipeline
Telemetry flows top to bottom: sources to collection to SIEM to SOAR to analyst, with a feedback loop.
flowchart TD
    SRC["Stage 1 — Sources<br/>Endpoints + EDR · Cloud control-plane logs<br/>Network devices, IDS/IPS · Identity provider · SaaS apps"]:::slate
    COLL["Stage 2 — Collection layer<br/>log shipper / agent / API pull<br/>normalize, timestamp, enrich"]:::collect
    SIEM["Stage 3 — Log Management and SIEM<br/>Index and store · Correlation rules<br/>Detection logic · Dashboards"]:::blue
    SOAR["Stage 4 — SOAR<br/>Playbooks · Case management<br/>Automated containment"]:::amber
    SOC["Stage 5 — Analyst / SOC<br/>triage, investigate, escalate"]:::soc
    SRC --> COLL --> SIEM --> SOAR --> SOC
    SOC -- "tune rules, suppress noise" --> SIEM
    classDef slate fill:#455a64,stroke:#263238,stroke-width:2px,color:#ffffff,font-size:13px
    classDef collect fill:#cfd8dc,stroke:#455a64,stroke-width:2px,color:#263238,font-size:13px
    classDef blue fill:#1565c0,stroke:#0d3a73,stroke-width:2px,color:#ffffff,font-size:13px
    classDef amber fill:#ffa000,stroke:#b26a00,stroke-width:2px,color:#3e2723,font-size:13px
    classDef soc fill:#fff8e1,stroke:#455a64,stroke-width:2.5px,color:#37474f,font-size:13px
    linkStyle default stroke:#607d8b,stroke-width:2px,font-size:12px
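The diagram names what Stage 2 and Stage 3 do but not how the pieces fit. The following added example (not code from the original page) models Stage 2 (parse two source formats into one schema, attach a UTC timestamp, enrich with an asset tag), one Stage 3 correlation rule (repeated authentication failures for a user/source pair followed by a success), and the SOC-to-SIEM feedback edge as an analyst-tuned suppression set. The syslog and identity-provider JSON formats, host names, users, IPs and the asset inventory are all constructed for the example.

```python
"""Added example, not part of the original diagram: a toy model of Stage 2
(normalize, timestamp, enrich), Stage 3 (a correlation rule) and the
SOC -> SIEM feedback edge (analyst-tuned suppression).
Every log line, host, user and IP below is constructed for the example."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed asset inventory used for Stage 2 enrichment.
ASSET_TAGS = {"10.0.2.9": "build-server", "10.0.1.5": "finance-laptop"}

# Stage 1 sources emit different shapes: an RFC 5424-style syslog line from a
# network device and a JSON event from an identity provider (constructed formats).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

def parse_syslog(line):
    """Network-device auth line -> common schema, or None if not an auth event."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"source": "network", "ts": m["ts"], "user": m["user"], "src_ip": m["src"],
            "outcome": "failure" if m["result"] == "Failed" else "success"}

def parse_idp_json(line):
    """Identity-provider JSON session event -> common schema, or None."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if rec.get("eventType") != "user.session.start":
        return None
    return {"source": "idp", "ts": rec["published"], "user": rec["actor"],
            "src_ip": rec["client"]["ip"],
            "outcome": "success" if rec["outcome"] == "SUCCESS" else "failure"}

def normalize(raw_lines):
    """Stage 2: parse, attach a UTC datetime, enrich with an asset tag, order by time."""
    events = []
    for line in raw_lines:
        ev = parse_syslog(line) or parse_idp_json(line)
        if ev is None:
            continue  # a real shipper should dead-letter unparseable lines, not drop them silently
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
        ev["asset"] = ASSET_TAGS.get(ev["src_ip"], "unknown")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, threshold=3, window=timedelta(minutes=5), suppressed=frozenset()):
    """Stage 3 rule: >= threshold failures for (user, src_ip) inside `window`, then a
    success for the same pair from any source. `suppressed` is the feedback edge:
    source IPs the SOC has tuned out as known noise."""
    alerts = []
    failures = defaultdict(list)  # (user, src_ip) -> timestamps of recent failures
    for ev in events:
        key = (ev["user"], ev["src_ip"])
        if ev["outcome"] == "failure":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold and ev["src_ip"] not in suppressed:
            alerts.append({"rule": "auth-failures-then-success", "user": ev["user"],
                           "src_ip": ev["src_ip"], "asset": ev["asset"],
                           "failures": len(recent), "ts": ev["ts"].isoformat()})
        failures[key].clear()  # a success resets the counter for that pair
    return alerts

def run_pipeline(raw_lines, suppressed=frozenset()):
    return correlate(normalize(raw_lines), suppressed=suppressed)

# Constructed sample telemetry (TEST-NET addresses, fictitious hosts and users).
SAMPLE_LINES = [
    '2024-05-01T10:00:01Z gw01 sshd[4242]: Failed password for alice from 203.0.113.7 port 51234 ssh2',
    '2024-05-01T10:00:05Z gw01 sshd[4243]: Failed password for alice from 203.0.113.7 port 51235 ssh2',
    '2024-05-01T10:00:09Z gw01 sshd[4244]: Failed password for alice from 203.0.113.7 port 51236 ssh2',
    '{"eventType": "user.session.start", "published": "2024-05-01T10:00:15Z", "actor": "alice",'
    ' "client": {"ip": "203.0.113.7"}, "outcome": "SUCCESS"}',
    '2024-05-01T10:01:00Z gw01 sshd[4250]: Failed password for bob from 10.0.2.9 port 40001 ssh2',
    '2024-05-01T10:01:02Z gw01 sshd[4251]: Failed password for bob from 10.0.2.9 port 40002 ssh2',
    '2024-05-01T10:01:04Z gw01 sshd[4252]: Failed password for bob from 10.0.2.9 port 40003 ssh2',
    '2024-05-01T10:01:10Z gw01 sshd[4253]: Accepted password for bob from 10.0.2.9 port 40004 ssh2',
    '2024-05-01T10:02:00Z gw01 sshd[4300]: Connection closed by 198.51.100.4 port 2222',
    '2024-05-01T10:03:00Z gw01 sshd[4310]: Failed password for carol from 198.51.100.9 port 3333 ssh2',
    '2024-05-01T10:03:04Z gw01 sshd[4311]: Accepted password for carol from 198.51.100.9 port 3334 ssh2',
]

if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_LINES):
        print(alert)
    print("after tuning:", run_pipeline(SAMPLE_LINES, suppressed=frozenset({"10.0.2.9"})))
```

Run as written, the rule fires twice: once for alice (the failures arrive from the network device, the success from the identity provider, which is only visible because Stage 2 put both sources into one schema and one clock), and once for bob from the build server. Passing the build server's address in `suppressed` is the "tune rules, suppress noise" edge: the second alert disappears while the first survives. Carol's single failure stays below the threshold and produces nothing.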
Retention policy under the SIEM:
Hot 30 days (fast search) · Warm 90 days · Cold 1 year · Archive 7 years
(compliance). Older data is cheaper to store but slower to query — tiering
balances cost against how far back an investigation may need to reach.