SIEM

Also known as: Security Information and Event Management

A platform that aggregates, normalizes and correlates security telemetry from across the enterprise to enable detection, investigation, compliance and reporting.

Security Information and Event Management (SIEM) is the central log analytics platform of a SOC. It ingests logs and telemetry from firewalls, endpoints, identity providers, cloud APIs, applications and network sensors, then normalizes and stores them so that correlation rules, statistical baselines and machine-learning models can produce prioritized alerts. Modern SIEMs (Splunk, Microsoft Sentinel, Elastic, Chronicle, QRadar) also support detection-as-code, UEBA, threat-intelligence enrichment and integration with SOAR for automated response. The SIEM is the system of record for incident investigations, compliance reporting and long-term forensic retention.

Examples

Microsoft Sentinel correlating Azure AD sign-in failures with EDR alerts to detect password spraying.
A Splunk correlation search that fires when a service account logs in from an unusual country.

SIEM

Examples

Related terms

Security Operations Center (SOC)

SOAR

UEBA (User and Entity Behavior Analytics)

Log Analysis

Threat Intelligence

Indicator of Compromise (IoC)

Definition

Examples

Related terms

Security Operations Center (SOC)

SOAR

UEBA (User and Entity Behavior Analytics)

Log Analysis

Threat Intelligence

Indicator of Compromise (IoC)