SIEM

Definition

Security Information and Event Management (SIEM) - software that collects and analyzes security log and event data from across an organization to detect threats.

Frequently Asked Questions

What's the difference between SIEM and SOAR?
SIEM focuses on collecting, normalizing, and correlating security data (logs and events) to detect threats and support investigations. SOAR focuses on orchestrating and automating response workflows (for example, opening tickets, enriching alerts, disabling accounts, or isolating endpoints). Many modern platforms combine both, but SIEM is primarily about detection and visibility, while SOAR is primarily about automated response.
When should I use a SIEM?
Use a SIEM when you need centralized visibility across many systems (cloud, endpoints, identity, network), consistent detection rules, and an investigation trail for incidents or compliance. It’s especially useful if you have multiple log sources, need correlation across them (for example, identity + network + endpoint), or must meet audit requirements that require log retention and monitoring.
How much does SIEM cost?
SIEM cost typically depends on data volume and retention (GB/day ingested, storage duration), analytics/detection features, and the number of users or monitored assets. Cloud SIEMs often charge based on ingestion and retention, while some vendors also price by events per second (EPS) or nodes. Costs can rise quickly if you ingest high-volume logs (like verbose network flow logs) without filtering, so budgeting usually starts with estimating daily log volume, required retention, and which sources truly need real-time analytics.
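To make the "collect, normalize and correlate" part of the SIEM/SOAR answer and the identity + endpoint correlation mentioned above concrete, here is an added example that is not from this page or any vendor's product: it maps two constructed log formats (a hypothetical identity provider and a hypothetical endpoint agent) onto one common schema and runs a single illustrative correlation rule over them. The formats, field names, thresholds and time windows are all assumptions.

```python
import json
import re
from datetime import datetime, timedelta
IDENTITY_LOGS = [  # constructed identity-provider sample (JSON per line), not real product output
    '{"ts":"2024-05-01T10:00:01Z","user":"alice","src_ip":"203.0.113.7","result":"FAIL"}',
    '{"ts":"2024-05-01T10:00:05Z","user":"alice","src_ip":"203.0.113.7","result":"FAIL"}',
    '{"ts":"2024-05-01T10:00:09Z","user":"alice","src_ip":"203.0.113.7","result":"FAIL"}',
    '{"ts":"2024-05-01T10:00:20Z","user":"alice","src_ip":"203.0.113.7","result":"SUCCESS"}',
    '{"ts":"2024-05-01T11:00:00Z","user":"bob","src_ip":"198.51.100.9","result":"SUCCESS"}',
]
ENDPOINT_LOGS = [  # constructed endpoint-agent sample: timestamp then key=value pairs
    "2024-05-01T10:01:02Z host=ws-alice user=alice event=process_start image=cmd.exe",
    "2024-05-01T11:05:00Z host=ws-bob user=bob event=process_start image=outlook.exe",
]
KV_RE = re.compile(r"(\w+)=(\S+)")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def normalize_identity(line):  # identity record -> common event schema
    rec = json.loads(line)
    return {"ts": datetime.strptime(rec["ts"], TS_FMT), "source": "identity",
            "user": rec["user"], "src_ip": rec["src_ip"],
            "outcome": "success" if rec["result"] == "SUCCESS" else "failure"}

def normalize_endpoint(line):  # endpoint record -> same schema
    ts, rest = line.split(" ", 1)
    kv = dict(KV_RE.findall(rest))
    return {"ts": datetime.strptime(ts, TS_FMT), "source": "endpoint", "user": kv["user"],
            "host": kv["host"], "action": kv["event"], "image": kv.get("image", "")}

def correlate(events, fail_threshold=3, fail_window=timedelta(minutes=10),
              followup=timedelta(minutes=5)):
    """Assumed rule for illustration: >= fail_threshold failed logins for one user from one IP
    within fail_window, then a success, then a process start by that user on an endpoint within followup."""
    events = sorted(events, key=lambda e: e["ts"])  # SIEMs order by event time, not arrival
    alerts = []
    for i, ev in enumerate(events):
        if ev["source"] != "identity" or ev["outcome"] != "success":
            continue
        fails = [e for e in events[:i] if e["source"] == "identity" and e["outcome"] == "failure"
                 and e["user"] == ev["user"] and e["src_ip"] == ev["src_ip"]
                 and ev["ts"] - e["ts"] <= fail_window]
        procs = [e for e in events[i + 1:] if e["source"] == "endpoint"
                 and e["user"] == ev["user"] and e["ts"] - ev["ts"] <= followup]
        if len(fails) >= fail_threshold and procs:
            alerts.append({"user": ev["user"], "src_ip": ev["src_ip"], "failures": len(fails),
                           "host": procs[0]["host"], "image": procs[0]["image"]})
    return alerts

def run_demo():  # returns the alerts the rule raises on the constructed sample
    return correlate([normalize_identity(l) for l in IDENTITY_LOGS] + [normalize_endpoint(l) for l in ENDPOINT_LOGS])
```

Only alice's sequence matches (three failures, a success, then a process start on ws-alice within the window); bob's single clean login raises nothing, which is the cross-source context a single log would not give.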

Category: security

Difficulty: advanced
