SIEM
What is SIEM?
A platform that aggregates, normalizes and correlates security telemetry from across the enterprise to enable detection, investigation, compliance and reporting.
Security Information and Event Management (SIEM) is the central log analytics platform of a SOC. It ingests logs and telemetry from firewalls, endpoints, identity providers, cloud APIs, applications and network sensors, then normalizes them into a common schema and stores them so that correlation rules, statistical baselines and machine-learning models can produce prioritized alerts. Modern SIEMs (Splunk, Microsoft Sentinel, Elastic, Chronicle, QRadar) also support detection-as-code, UEBA, threat-intelligence enrichment and integration with SOAR for automated response. The SIEM is the system of record for incident investigations, compliance reporting and long-term forensic retention. Its detections are only as good as its inputs: a source that is not onboarded, a parser that drops fields, or hosts with unsynchronized clocks all produce blind spots that no correlation rule can compensate for, so log coverage and normalization quality need to be verified rather than assumed.
● Examples
- 01
Microsoft Sentinel correlating Azure AD sign-in failures with EDR alerts to detect password spraying.
- 02
A Splunk correlation search that fires when a service account logs in from an unusual country.
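The two examples above both reduce to the same mechanics: parse events from different sources into one schema, then run correlation logic over the normalized stream. The following Python script is an added illustration of that pipeline and is not code from the original page or from any SIEM vendor. The log lines, field names and the service-account baseline are constructed for the example and do not follow any real product's schema. It implements a password-spray rule (one source IP failing against many accounts in a window, escalated if that IP then succeeds and the victim's host raises an EDR alert) and an unusual-country rule for service accounts.

```python
"""Toy SIEM pipeline: normalize heterogeneous log lines, then run correlation rules."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). The identity provider emits JSON
# sign-in events; the EDR emits key=value alert lines. Field names are invented
# for this example and do not match any vendor's schema.
IDP_LOGS = [
    '{"time":"2024-05-01T10:00:05Z","user":"alice","result":"FAILURE","ip":"203.0.113.7","country":"NL"}',
    '{"time":"2024-05-01T10:00:11Z","user":"bob","result":"FAILURE","ip":"203.0.113.7","country":"NL"}',
    '{"time":"2024-05-01T10:00:18Z","user":"carol","result":"FAILURE","ip":"203.0.113.7","country":"NL"}',
    '{"time":"2024-05-01T10:00:26Z","user":"dave","result":"FAILURE","ip":"203.0.113.7","country":"NL"}',
    '{"time":"2024-05-01T10:00:33Z","user":"erin","result":"FAILURE","ip":"203.0.113.7","country":"NL"}',
    '{"time":"2024-05-01T10:01:02Z","user":"erin","result":"SUCCESS","ip":"203.0.113.7","country":"NL"}',
    '{"time":"2024-05-01T10:05:00Z","user":"frank","result":"FAILURE","ip":"198.51.100.9","country":"US"}',
    '{"time":"2024-05-01T11:00:00Z","user":"svc_backup","result":"SUCCESS","ip":"192.0.2.10","country":"US"}',
    '{"time":"2024-05-01T11:30:00Z","user":"svc_backup","result":"SUCCESS","ip":"203.0.113.99","country":"BR"}',
]
EDR_LOGS = [
    'ts=2024-05-01T10:03:40Z host=WS-042 user=erin alert="Suspicious LSASS access" severity=high',
]
# Known-good sign-in countries per service account. Assumed here; in a real SIEM
# this would be produced by a baseline search over historical sign-ins.
SERVICE_ACCOUNT_BASELINE = {"svc_backup": {"US"}}

EDR_RE = re.compile(r'ts=(\S+) host=(\S+) user=(\S+) alert="([^"]*)" severity=(\S+)')


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(idp_lines, edr_lines):
    """Map both raw formats onto one schema so the rules do not care about the source."""
    events = []
    for line in idp_lines:
        r = json.loads(line)
        events.append({"ts": parse_ts(r["time"]), "source": "idp", "user": r["user"],
                       "outcome": r["result"].lower(), "src_ip": r["ip"],
                       "country": r["country"], "host": None, "alert": None})
    for line in edr_lines:
        m = EDR_RE.match(line)
        if not m:
            continue  # unparseable lines are dropped rather than silently mis-mapped
        ts, host, user, alert, sev = m.groups()
        events.append({"ts": parse_ts(ts), "source": "edr", "user": user, "outcome": sev,
                       "src_ip": None, "country": None, "host": host, "alert": alert})
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """One source IP failing against many distinct accounts inside a sliding window.
    Severity rises if the same IP then signs in successfully, and again if the
    compromised user subsequently triggers an EDR alert inside the window."""
    alerts = []
    by_ip = defaultdict(list)
    for e in events:  # events are time-sorted, so each per-IP list is too
        if e["source"] == "idp" and e["outcome"] == "failure":
            by_ip[e["src_ip"]].append(e)
    for ip, fails in by_ip.items():
        for i, first in enumerate(fails):
            in_window = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            users = {f["user"] for f in in_window}
            if len(users) < min_accounts:
                continue
            end = first["ts"] + window
            successes = [e for e in events if e["source"] == "idp" and e["outcome"] == "success"
                         and e["src_ip"] == ip and first["ts"] <= e["ts"] <= end]
            severity = "medium"
            if successes:
                severity = "high"
                victims = {s["user"] for s in successes}
                if any(e["source"] == "edr" and e["user"] in victims
                       and first["ts"] <= e["ts"] <= end for e in events):
                    severity = "critical"
            alerts.append({"rule": "password_spray", "src_ip": ip,
                           "accounts": sorted(users), "severity": severity})
            break  # one alert per IP; do not re-fire for every later window
    return alerts


def detect_unusual_country(events, baseline):
    """Successful service-account sign-in from a country outside that account's baseline."""
    alerts = []
    for e in events:
        if e["source"] != "idp" or e["outcome"] != "success":
            continue
        known = baseline.get(e["user"])
        if known is not None and e["country"] not in known:
            alerts.append({"rule": "svc_unusual_country", "user": e["user"],
                           "country": e["country"], "src_ip": e["src_ip"], "severity": "high"})
    return alerts


def run_rules(idp_lines=IDP_LOGS, edr_lines=EDR_LOGS, baseline=SERVICE_ACCOUNT_BASELINE):
    events = normalize(idp_lines, edr_lines)
    return detect_password_spray(events) + detect_unusual_country(events, baseline)


if __name__ == "__main__":
    for alert in run_rules():
        print(json.dumps(alert))
```

Run as-is, the script raises one critical password-spray alert for 203.0.113.7 (five accounts failed, erin then succeeded, and erin's workstation raised an LSASS alert) and one unusual-country alert for svc_backup signing in from BR. The same structure carries over to a production rule in SPL or KQL: the normalization step is what lets the spray rule stay unaware of which identity provider or EDR produced the record, and the escalation logic is why the identity and endpoint sources need to land in the same platform with comparable timestamps.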
● Frequently asked questions
What is SIEM?
A platform that aggregates, normalizes and correlates security telemetry from across the enterprise to enable detection, investigation, compliance and reporting. It belongs to the Defense & Operations category of cybersecurity.
What does SIEM mean?
A platform that aggregates, normalizes and correlates security telemetry from across the enterprise to enable detection, investigation, compliance and reporting.
How does a SIEM help defend an organization?
A SIEM is itself a defensive control rather than a threat. It gives the SOC one place where telemetry from every source is normalized and correlated, so attacks that are invisible in any single log (a credential spray across an identity provider followed by activity on an endpoint) can be detected, triaged and, via SOAR integration, responded to automatically. Its value depends on operational practice as much as on the product: complete log onboarding, tuned correlation rules maintained as detection-as-code, and retention long enough to support investigations and compliance reporting.
What are other names for SIEM?
SIEM is the abbreviation of Security Information and Event Management; the expanded form is the name most commonly used alongside it.