Enterprise SOC Setup: SIEM, SOAR and Threat Intel Pipeline Architecture

Enterprise cybersecurity has undergone a fundamental transformation in the past five years. We have entered an era where the perimeter defence model (firewall + antivirus + IPS) is no longer enough and the zero-trust + continuous monitoring + rapid response model has become dominant. The operational core of this transformation is the SOC (Security Operations Center) — a security function that runs 24/7, collects telemetry, detects anomalies, responds to incidents and continuously matures. In Türkiye, the KVKK Personal Data Protection Law, the BDDK Information Systems Regulation, EPDK regulations and cyber-insurance contracts now position a SOC not as good to have but as must have.

Within our SOC operations setup engineering, incident response services and threat intelligence services, we have delivered 11 enterprise SOC projects over the past 24 months — in finance, healthcare, energy and e-commerce. In this article we walk through seven practical steps for building an enterprise SOC architecture from scratch: scope definition, log collection, SIEM selection, MITRE ATT&CK mapping, threat intel pipeline, SOAR automation, and the continuous maturity process.

1. Strategic decision — scope, model and maturity target

The first question is not Splunk or Wazuh?; it should be what are we protecting, against whom, and at what maturity level? Three core dimensions:

Scope: which assets fall under SOC monitoring? Typical layers: (1) endpoint (user machines, servers), (2) network (firewall, router, switch, IDS/IPS), (3) cloud (AWS/Azure/GCP control plane + workload), (4) identity (Active Directory, Azure AD, MFA), (5) application (web applications, API gateway), (6) SaaS (Microsoft 365, Google Workspace, Slack). Each layer requires its own log source, detection rules and tuning. The monitor everything approach is destructive — focus on the 2-3 most critical layers at the start and expand as you mature.

Model (in-house / MSSP / hybrid):

• In-house: full control, maximum privacy, but for 24/7 shifts you need at least 6-8 analysts (annual TRY 4-7M in personnel) and a long ramp-up. Mandatory for sensitive sectors (defence, critical infrastructure, large finance).
• MSSP (Managed Security Service Provider): fast start (4-8 weeks), ready 24/7 shift, annual TRY 1.5-3.5M. Drawback: logs flow to an external organisation — for KVKK a DPA + log location must be written into the contract. A domestic MSSP is preferred.
• Hybrid: MSSP L1 (alert triage) + L2 (initial investigation) plus in-house L3 (deep investigation) + incident response + threat hunting. The dominant model for mid-to-large enterprises — best cost/scope balance.

Maturity target: SOC maturity develops over years. The SANS SOC maturity model defines five levels:

Level	Definition	Enterprise threshold
Level 1	Ad-hoc, undocumented	First 6 months
Level 2	Repeatable, basic KPIs	6-18 months
Level 3	Defined process, MITRE ATT&CK mapped, threat intel	18-36 months
Level 4	Measured and continuously improved, active threat hunting	3-5 years
Level 5	Optimised, AI-augmented detection, proactive	5+ years

Practical target: Level 2-3 in the first 12 months; Level 3-4 in 24-36 months. Do not be swayed by Level 5 marketing claims — true Level 5 SOCs exist at very few organisations (big tech, government cyber defence).

2. Log collection — telemetry quality determines everything

The least glamorous yet most critical step of a SOC is log collection. With incomplete or low-quality telemetry, even the world's best SIEM will run dry. Five critical sources:

Endpoint logs (EDR): process creation, file modification, registry change, network connection, PowerShell execution. Microsoft Defender for Endpoint, CrowdStrike Falcon, SentinelOne, Wazuh agent — enterprise options. Sysmon (Microsoft) is a free alternative; with a proper sysmon-config (e.g. SwiftOnSecurity) it delivers 80% of EDR value.

Network logs: firewall (deny/allow with source/dest), proxy (HTTP request, user-agent), DNS (query log — critical for DNS exfiltration detection), NetFlow/IPFIX (traffic baseline). DNS logs are often skipped but they are the most valuable source for lateral movement and C2 callback detection.

Identity logs: Active Directory event log (4624 login, 4625 failed login, 4688 process, 4720 user created), Azure AD sign-in log, MFA challenge, privileged access. This is where pass-the-hash, golden ticket and kerberoasting attacks are detected.

Cloud logs: AWS CloudTrail (API call log), Azure Activity Log, GCP Audit Log — who did what to which resource and when. Events like making an S3 bucket public, IAM policy changes and VPC changes show up here.

Application logs: web application access logs, API gateway (rate limit violations, auth failures), database (query audit), SaaS (Microsoft 365 unified audit log, Google Workspace admin log).

Log collection architecture, standard pattern:

[Log source]
    ↓ (syslog, agent, API)
[Log shipper: Fluent Bit / Logstash / Wazuh agent]
    ↓ (normalisation, enrichment)
[Buffer: Kafka / Redis] (for high volume)
    ↓
[SIEM: Wazuh / ELK / Splunk / Sentinel]
    ↓
[Long-term archive: S3 / Azure Blob / MinIO]

Two critical points from the KVKK perspective: (1) if logs contain personal data (username, IP, email), as the Data Controller you must declare the processing purpose (security monitoring) in a written policy and define the retention period (usually 6-12 months hot, 12-24 months archive). (2) Log location should be kept within Türkiye or the EU; if US cloud services are used, a DPA + Standard Contractual Clauses are mandatory.

Data engineering infrastructure is often critical for the SOC log pipeline — sustainable SOC cannot be built without knowledge of Kafka clusters, ETL jobs and archive policies.

3. SIEM selection — Wazuh, ELK, Splunk, Sentinel decision matrix

The SIEM (Security Information and Event Management) is the brain of the SOC — it runs logs through correlation rules and produces alerts. A wrong SIEM choice produces a migration project within 1-2 years; the right choice lasts 5-7 years.

Wazuh (open source, free):

• Strengths: free, on-prem KVKK-compliant, strong agent-based collection, built-in MITRE ATT&CK rule mapping; FIM (File Integrity Monitoring) + SCA (Security Configuration Assessment) + vulnerability detection in one package.
• Drawbacks: raw UI (Wazuh Dashboard is usable but not at Splunk's level), scaling above 5K EPS (events per second) requires Elasticsearch tuning, team needs Linux + Elasticsearch operations.
• Best fit: SMBs and mid-size organisations (200-2,000 users), KVKK-critical sectors, open-source philosophy.

ELK Stack / OpenSearch:

• Strengths: very strong log analytics, custom dashboards, good scaling.
• Drawbacks: not a SIEM on its own — correlation rules must be written manually; Elastic Security (X-Pack) features are paid (~USD 125/host annually).
• Best fit: organisations already on ELK, those with high custom analytics needs.

Splunk Enterprise Security:

• Strengths: UI and search language (SPL) are industry standard, broad app marketplace (1,500+ integrations), Enterprise Security premium add-on (correlation, threat intel, asset framework).
• Drawbacks: license is expensive — perpetual or term-based, USD 500-2,000 per GB-day; for 10TB/day, annual cost is USD 1.8M-7.3M. Ingestion-based pricing puts it out of reach for SMBs.
• Best fit: large finance, telco, retail (5,000+ users) with multi-million security budgets.

Microsoft Sentinel (cloud-native, Azure):

• Strengths: integration with the Azure ecosystem, strong KQL (Kusto Query Language), AI-driven UEBA + Fusion correlation, pay-per-ingestion (~USD 2-5/GB), native integration with Microsoft 365 / Defender.
• Drawbacks: Azure-bound; for KVKK an EU region (West Europe / North Europe) must be selected + DPA. Not suitable for on-prem-only organisations.
• Best fit: Microsoft 365 / Azure-heavy organisations, cloud-first strategies, mid-to-large scale.

Decision matrix:

Criterion	Wazuh	ELK	Splunk	Sentinel
Annual cost (2K users)	TRY 500K-2M	TRY 1M-3M	USD 250K-1M+	USD 150K-600K
KVKK on-prem	Full	Full	Full	EU region + DPA
Setup time	8-12 weeks	8-14 weeks	16-24 weeks	4-8 weeks
MITRE ATT&CK support	Native	Manual	Native (ES)	Native
Compliance reporting	Medium	Manual	Strong	Strong
Team skill requirement	Linux+Elastic	Elastic+Lucene	SPL+admin	KQL+Azure

Practical recommendation: SMB/mid-size = Wazuh; Microsoft ecosystem = Sentinel; large enterprise = Splunk or Sentinel. The wrong reflex is Splunk is the best — Splunk is strongest with the right team and budget, but for a small team it gets crushed under cost and operational load.

4. MITRE ATT&CK mapping — common language and detection coverage

The MITRE ATT&CK framework is the common security language that classifies real-world attacker behaviour. 14 tactics (Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defence Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact) × 200+ techniques + 600+ sub-techniques. A production SOC must use this framework for three main purposes:

Detection coverage map: you map your SIEM rules to ATT&CK technique IDs and see which techniques are observed and which are blind spots. Example mapping:

Detection rule	ATT&CK technique
PowerShell encoded command execution	T1059.001
Mimikatz signature on disk	T1003.001
LSASS process memory access	T1003.001
New service creation on remote host	T1543.003
Suspicious DNS query (DGA pattern)	T1071.004
Mass file encryption (ransomware)	T1486

The ATT&CK Navigator (free web tool) visualises this mapping — green = covered, yellow = partial, red = uncovered. For a production SOC coverage should target at least 60% (mature enterprise 75-85%). 100% is impossible and unnecessary; some techniques (insider threat with legitimate access) cannot be caught with signature-based detection and are addressed with behaviour analytics + DLP.

Purple team exercise: the red team simulates specific ATT&CK techniques (Atomic Red Team, Caldera, Cobalt Strike) and the blue team validates detections. Monthly loop: red plans → executes → blue checks if seen → blind spot → write new rule → re-test. Our red team simulation service runs this loop as the external team; the in-house team gains validation.

Threat intel mapping: which techniques does a defined threat actor (APT29, FIN7, Conti, Lazarus, MuddyWater) use — the TTPs profile is pulled from the ATT&CK Groups page and organisation-specific detection rules are written. Example: APT29 often uses the chain T1078 (Valid Accounts) + T1098 (Account Manipulation) + T1059.001 (PowerShell); a correlation rule catching this three-technique combination is written.

ATT&CK maturity assessment tool: DeTT&CT (open source) automates coverage gap analysis and detects missing log sources. Organisations running an annual assessment move from 35-40% to 70-75% coverage within 18-24 months.

5. Threat intelligence pipeline — turning external intel into detection

Threat intelligence (TI) is the conversion of external who, what, how is attacking knowledge into detection, prevention and response. Three quality levels:

Strategic TI: sector threat landscape for management — APT trends, country-level attack motives, dark-web underground economy. Annual report format. Microsoft Digital Defense Report, CrowdStrike Global Threat Report, ENISA Threat Landscape, BTK USOM reports.

Operational TI: active-campaign knowledge for SOC analysts — which APT group is currently targeting which sector, which initial access vector is being used, which malware family is active. Recorded Future, Mandiant Advantage, CrowdStrike Falcon Intelligence, open STIX/TAXII feeds (AlienVault OTX, MISP); USOM cyber threat bulletins for Türkiye.

Tactical TI / IoC (Indicators of Compromise): consumed directly by the SIEM — malicious IP addresses, malware hashes, malicious domains, URL patterns, JA3 fingerprints, Yara rules. STIX 2.1 standard, TAXII 2.1 transport protocol. Sample feeds:

Feed	Type	Cost
AlienVault OTX	Community, broad	Free
Abuse.ch URLhaus / Feodo / SSL BL	Malware C2, ransomware	Free
Spamhaus	Botnet, spam	Free / paid
MISP community sharing	Sector-specific	Free
Recorded Future	Enterprise premium	USD 50K-300K/yr
Mandiant Advantage	APT, deep	USD 100K-500K/yr
USOM Türkiye	Local threat	Free (organisational registration)

Pipeline architecture:

[TI feeds: STIX/TAXII, JSON, CSV]
    ↓
[TI platform: MISP / OpenCTI / ThreatConnect]
    ↓ (deduplication, scoring, tagging)
[SIEM enrichment: context when alert IoC matches]
    ↓
[SOAR playbook: automated block / quarantine / alert escalation]

Important practice: IoC quality is measured by age + source + validation. Feeding an unvalidated feed directly into the SIEM creates a false-positive explosion — SOC analyst workload spikes for hours while real threats are missed. Scoring (high confidence / medium / low) and TTL (e.g. expire after 30 days) on IoCs is mandatory discipline.

MISP (Malware Information Sharing Platform, open source) is popular in Turkish SOCs — sector-sharing communities (the closed MISP of BDDK-member banks, the TÜBİTAK BİLGEM-USOM coordination) organise IoC sharing.

Our threat intelligence service provides the advisory layer that enriches this pipeline with organisation-specific TTPs analysis.

6. SOAR automation — playbooks and MTTR reduction

SOAR (Security Orchestration, Automation and Response) is the SOC's muscle memory — it automates repetitive incident response steps via playbooks, reduces MTTR (Mean Time To Respond) and offloads L1 analyst work.

Typical playbook examples:

Phishing email response:

1. User-reported phishing email lands in Inbox
2. Automated: scan URLs in sandbox (URLscan, VirusTotal, ANY.RUN)
3. Check attachment hash in MISP/VT
4. If malicious: delete the same email from all user mailboxes (Microsoft 365 Compliance API)
5. Block sender domain at the email gateway
6. Notify users
7. Close ticket as resolved, update dashboard metrics
8. Manual: 30 min. SOAR: 2-3 min.

Malware detection on endpoint:

1. EDR alert → SIEM correlation
2. Automated: isolate the endpoint host from the network (CrowdStrike/Defender API)
3. Pull process tree + file hash
4. Query VirusTotal + Hybrid Analysis
5. Notify the user's manager
6. Assign ticket to L2 analyst (with artefacts attached)
7. Prepare user communication note

Failed login burst (brute force):

1. SIEM detection: 50+ failed logins for the same user within 10 minutes
2. Automated: temporary block of source IP for 1 hour (firewall API)
3. Temporary lock of user account (AD API) — only if source is insider
4. Force MFA challenge
5. SMS notification to user
6. Ticket to L1 analyst — manual review

Popular SOAR platforms:

Platform	Type	License
Cortex XSOAR (Palo Alto)	Enterprise, market leader	USD 100K-500K/yr
Splunk SOAR	Splunk ecosystem	USD 60K-300K/yr
Microsoft Sentinel playbooks	Azure-native, Logic Apps	Pay-per-execution
Tines	Modern, no-code	USD 20K-100K/yr
Shuffle	Open source	Free
n8n + custom	General workflow	Free / hosted

Critical warning — playbook design requires discipline:

• A badly-designed auto-ban suspicious IP playbook can ban the corporate VPN or a customer IP in production. This is called automation self-DoS.
• Pattern: in the first 6 months it runs as decision support — playbook steps run automatically and the last step blocks on an L2 analyst approval gate. Gates are removed as trust accumulates.
• Each playbook needs a rollback path: whatever you did you must be able to undo (e.g. restore a file accidentally quarantined).
• Audit log is mandatory: which playbook took which action and when — for KVKK + forensic review.

Our incident response service matures the SOC's response capability through a playbook library, tabletop exercises and post-incident review loops.

7. Continuous maturity — metrics, threat hunting, training

A SOC is not a project that ends the day it goes live; it is a living discipline. The real work begins after the first six months. Three parallel streams:

Metrics and KPIs: numerical indicators of SOC health. Minimum set:

Metric	Target	Meaning
MTTD (Mean Time To Detect)	<30 min P1, <4 h P2	How quickly threats are detected
MTTR (Mean Time To Respond)	<2 h P1, <8 h P2	How quickly response completes
Alert volume / day	Track trends	Spikes signal tuning need
False positive rate	<15%	High rate means rule tuning needed
Analyst-touched alert rate	70%+	L1 productivity
ATT&CK coverage	60%+	Detection maturity
Closed ticket SLA	90%+	Operational discipline
Threat hunting hours / week	8-20 h	Proactive capacity

Dashboard: visualise SIEM metrics on Grafana + a weekly ops review meeting.

Threat hunting: proactive, non-alert-driven hunt. Hypothesis-based: if APT29 were in our environment, what log patterns would it leave? → manually scan logs → validate findings → write new detection rule. Dedicate 8-20 hours per week, performed by a senior analyst (L3). Threat hunting + ATT&CK coverage gap analysis is the fastest path to maturity gain.

Training: continuous development of the SOC team. Monthly in-house tabletop (fictional incident, role-play, decisions), six-month certification target (SC-200 for Sentinel, Splunk Power User, SANS GCIH/GCFA, Wazuh Certified Security Analyst), annual conference attendance (Black Hat, BSides Istanbul, SOC Forum Türkiye).

Post-incident review: a blameless retro after every P1/P2 incident — what we caught, what we saw late, what we missed, which detection to add. Retrospective notes go into the wiki; quarterly trend analysis follows.

Practical summary — starting checklist

The correct order for your first production SOC:

1. Scope definition: which 2-3 layers go first, which are phase 2.
2. Model decision: under 500 users = MSSP; 500-2,000 = hybrid; 2,000+ sensitive = in-house.
3. Log collection architecture: shipper + buffer + SIEM + archive. KVKK retention policy in writing.
4. SIEM selection: SMB/mid-size = Wazuh; Microsoft-heavy = Sentinel; large enterprise = Splunk/Sentinel.
5. Endpoint EDR: Defender / CrowdStrike / SentinelOne / Wazuh agent. Sysmon configuration (SwiftOnSecurity).
6. MITRE ATT&CK mapping: first target 50%, 70%+ at 12 months. ATT&CK Navigator + DeTT&CT.
7. Threat intel pipeline: start with free feeds (OTX, Abuse.ch, USOM), deploy MISP, discipline scoring + TTL.
8. SOAR: first 5-10 playbooks in decision-support mode, move to full automation after 6 months.
9. Metrics dashboard: Grafana + weekly ops review; monthly KPI report to management.
10. Continuous maturity: threat hunting (weekly), purple team (monthly), tabletop (monthly), certifications (six-monthly), post-incident review (after every P1/P2).

This list is minimum discipline. On top come sectoral additions (extra reporting for the BDDK Information Systems Regulation, integrating the KVKK 72-hour breach notification process, EWCS — Early Warning Cyber System for EPDK critical infrastructure). The value of a SOC is not in being live; it is in being able to prove it matures every week — answering, with documentation, why metrics fall and which process worked when they rise.

Our team in Şanlıurfa Karaköprü has built SOC pipelines in finance, healthcare, energy and e-commerce through SOC operations setup engineering and incident response services. For an enterprise SOC pilot, SIEM selection advisory or maturity assessment of an existing SOC, you can reach us through the contact form — the first assessment call is free of charge.

---

eCloud Tech — A team based in Şanlıurfa, Türkiye, working on enterprise software, AI, blockchain and cybersecurity. Building Tomorrow.