SIEM
Definition
Security Information and Event Management - software that collects, normalizes, and correlates logs and security events from across an organization to detect threats and support investigations.
Use Cases
- Microsoft: Detecting and investigating account compromise and lateral movement across cloud and enterprise environments. — Uses Microsoft Sentinel to ingest identity, endpoint, and cloud telemetry; applies analytics rules and threat intelligence; and automates triage/response with playbooks. (Faster detection and investigation through centralized visibility and automated workflows, reducing manual effort for security operations.)
- Google: Enterprise-scale threat detection and incident investigation across large volumes of security telemetry. — Uses Google Security Operations (Chronicle) to retain and search security logs at scale, correlate events, and support investigations with detection rules and threat intelligence. (Improved ability to search and correlate high-volume telemetry for faster investigations and more consistent detections across environments.)
- Capital One: Centralized security monitoring and investigation across AWS workloads. — Uses AWS-native logging (for example, CloudTrail and VPC Flow Logs) and centralizes security-relevant data in AWS services (commonly a security data lake approach) to support correlation, alerting, and investigations, often integrating with SIEM tooling. (Better centralized visibility into cloud activity and faster security investigations by consolidating logs and security signals.)
Provider Equivalents
- AWS: Amazon Security Lake
- Azure: Microsoft Sentinel
- GCP: Google Security Operations (Chronicle)
- OCI: OCI Logging Analytics
Frequently Asked Questions
- What's the difference between SIEM and SOAR?
- SIEM focuses on collecting, normalizing, and correlating security data (logs and events) to detect threats and support investigations. SOAR focuses on orchestrating and automating response workflows (for example, opening tickets, enriching alerts, disabling accounts, or isolating endpoints). Many modern platforms combine both, but SIEM is primarily about detection and visibility, while SOAR is primarily about automated response.
- When should I use a SIEM?
- Use a SIEM when you need centralized visibility across many systems (cloud, endpoints, identity, network), consistent detection rules, and an investigation trail for incidents or compliance. It’s especially useful if you have multiple log sources, need correlation across them (for example, identity + network + endpoint), or must meet audit requirements that require log retention and monitoring.
- How much does SIEM cost?
- SIEM cost typically depends on data volume and retention (GB/day ingested, storage duration), analytics/detection features, and the number of users or monitored assets. Cloud SIEMs often charge based on ingestion and retention, while some vendors also price by events per second (EPS) or nodes. Costs can rise quickly if you ingest high-volume logs (like verbose network flow logs) without filtering, so budgeting usually starts with estimating daily log volume, required retention, and which sources truly need real-time analytics.
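As an added illustration (not from the original page) of the collect-normalize-correlate pattern the SIEM vs. SOAR answer describes, and of the identity + endpoint correlation the "when should I use a SIEM" answer mentions, the following Python maps two constructed source schemas onto one common event schema and runs a single detection rule across both. The field names, thresholds and the rule itself are assumptions chosen for the example.

```python
from collections import defaultdict

IDENTITY = [  # constructed identity-provider sign-in records
    {"time": 100, "user": "alice", "outcome": "failure", "ip": "203.0.113.5"},
    {"time": 110, "user": "alice", "outcome": "failure", "ip": "203.0.113.5"},
    {"time": 120, "user": "alice", "outcome": "failure", "ip": "203.0.113.5"},
    {"time": 130, "user": "alice", "outcome": "success", "ip": "203.0.113.5"},
    {"time": 140, "user": "bob", "outcome": "success", "ip": "198.51.100.9"},
]
ENDPOINT = [  # constructed endpoint-agent process starts: "ts host user process"
    "135 ws-01 alice powershell.exe",
    "150 srv-02 alice wmic.exe",
    "155 ws-03 bob outlook.exe",
]

def normalize(identity, endpoint):
    """Map each source's own fields onto one schema so a rule can span sources."""
    events = []
    for r in identity:
        events.append({"ts": r["time"], "src": "identity", "user": r["user"],
                       "action": "login_" + r["outcome"], "ip": r["ip"]})
    for line in endpoint:
        ts, host, user, proc = line.split()
        events.append({"ts": int(ts), "src": "endpoint", "user": user,
                       "action": "process", "host": host, "process": proc})
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, min_fails=3, window=60):
    """Rule (assumed): >= min_fails failed logins then a success for the same user
    and IP within `window`, followed by that user running processes on two or
    more hosts within `window` of the success -> compromise + lateral movement."""
    alerts = []
    logins = defaultdict(list)
    for e in events:
        if e["src"] == "identity":
            logins[(e["user"], e["ip"])].append(e)
    for (user, ip), seq in logins.items():
        for i, e in enumerate(seq):
            if e["action"] != "login_success":
                continue
            fails = [f for f in seq[:i]
                     if f["action"] == "login_failure" and e["ts"] - f["ts"] <= window]
            if len(fails) < min_fails:
                continue
            hosts = {x["host"] for x in events if x["src"] == "endpoint"
                     and x["user"] == user and e["ts"] <= x["ts"] <= e["ts"] + window}
            if len(hosts) >= 2:
                alerts.append({"rule": "brute_force_then_lateral", "user": user,
                               "ip": ip, "hosts": sorted(hosts), "ts": e["ts"]})
    return alerts
```

On the sample data the rule fires once, for alice from 203.0.113.5 touching ws-01 and srv-02; bob's single clean login produces nothing, which is the point of correlating rather than alerting on any one source alone.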
Category: security
Difficulty: advanced