Investigation is search. Filter millions of events down to the few that matter, then correlate across sources to turn scattered logs into the story of an attack.
Why: investigation means slicing huge volumes of logs down to the relevant events — by user, host, time, or indicator — so fluency in your SIEM’s query language is the core analyst skill. When: start broad (the affected host and time window), then narrow. Where: every SIEM has its dialect (Splunk SPL, Elastic KQL/EQL), but the pattern — filter, aggregate, sort — is universal.
# Splunk SPL — failed logins, counted per source IP, worst first:
index=auth action=failure
| stats count by src_ip, user
| sort -count
# Elastic KQL equivalent (in Kibana):
# event.category:"authentication" and event.outcome:"failure"
# Pattern everywhere: FILTER (which events) -> AGGREGATE -> SORT.Why: a single log line rarely proves an attack — the signal comes from linking events across sources (a brute-force success, then a new process, then an outbound connection) into one timeline. When: correlate by a shared key (user, host, IP, time) to reconstruct what happened. Where: this is what distinguishes a SIEM from grep — it joins the endpoint, auth, and network stories.
One event = noise. Correlated events = an attack story:
1. auth log: 100 failures then 1 SUCCESS for 'admin' from 5.5.5.5
2. process log: minutes later, 'admin' spawns powershell + a new service
3. network log: that host beacons to an unfamiliar external IP
Correlated on user+host+time, these three become "compromise in progress".
Pivot on the shared keys to follow the thread.Why: raw logs lack context — an IP is just a number until you know it is a known-malicious host or a foreign country — so enrichment (threat intel, geolocation, asset criticality) turns data into judgment. When: enrich events with intel feeds and asset info so analysts triage faster. Where: enrichment is also how automated rules become precise (e.g. "auth success from a country we never operate in").
ENRICH events to add context an analyst (or rule) can act on:
IP -> threat-intel reputation, geolocation, ASN
user -> department, privilege level, normal working hours
host -> asset criticality (crown-jewel server vs. test box)
hash/domain -> known-bad (VirusTotal), known-good (allowlist)
Enrichment converts "an event happened" into "this event MATTERS."