Definition
Security Information and Event Management (SIEM) is the central platform for aggregating, correlating, and analyzing security event data - endpoint logs, network logs, identity events, application logs, cloud events. Major SIEMs: Splunk, Microsoft Sentinel, IBM QRadar, Elastic Security, Sumo Logic, Chronicle. The SIEM is the operational hub of the security operations center (SOC); detection content runs against the SIEM's data, alerts flow to analysts, investigations happen in the SIEM's search interface. Modern SIEMs increasingly include UEBA (behavior analytics), SOAR (automated response), and threat hunting workspaces. SIEM and EDR are complementary: EDR provides deep endpoint telemetry, SIEM provides cross-source correlation.
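The cross-source correlation described above, as an added example (not code from the page or from any of the products it names): a toy rule that joins identity, endpoint and network events on user and host within a time window. All events, names and the rule name are constructed.

```python
# Added example: a minimal SIEM-style correlation rule over events from three
# sources. All sample events below are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, already parsed from their source formats into dicts.
EVENTS = [
    {"src": "identity", "ts": "2024-05-01T09:00:01", "user": "alice", "host": "wks-17", "action": "login_failed"},
    {"src": "identity", "ts": "2024-05-01T09:00:04", "user": "alice", "host": "wks-17", "action": "login_failed"},
    {"src": "identity", "ts": "2024-05-01T09:00:07", "user": "alice", "host": "wks-17", "action": "login_failed"},
    {"src": "identity", "ts": "2024-05-01T09:00:12", "user": "alice", "host": "wks-17", "action": "login_success"},
    {"src": "endpoint", "ts": "2024-05-01T09:00:40", "user": "alice", "host": "wks-17", "action": "process_start", "proc": "powershell.exe"},
    {"src": "network",  "ts": "2024-05-01T09:01:05", "user": "alice", "host": "wks-17", "action": "outbound", "dst": "203.0.113.9:443"},
    {"src": "identity", "ts": "2024-05-01T10:30:00", "user": "bob",   "host": "wks-22", "action": "login_success"},
    {"src": "endpoint", "ts": "2024-05-01T10:30:20", "user": "bob",   "host": "wks-22", "action": "process_start", "proc": "outlook.exe"},
]

def normalize(ev):
    """Map a source-specific record onto the common schema the rule joins on."""
    return {**ev, "ts": datetime.fromisoformat(ev["ts"]), "key": (ev["user"], ev["host"])}

def correlate(events, window=timedelta(minutes=5), min_failures=3):
    """Alert when, for one user+host, the identity source shows >= min_failures
    failed logins then a success inside `window`, and the endpoint source shows a
    process start within `window` after that success. Network events in the same
    window are attached as context. Each alert lists the sources that contributed."""
    by_key = defaultdict(list)
    for ev in sorted((normalize(e) for e in events), key=lambda e: e["ts"]):
        by_key[ev["key"]].append(ev)
    alerts = []
    for (user, host), evs in by_key.items():
        for i, ev in enumerate(evs):
            if ev["action"] != "login_success":
                continue
            fails = [e for e in evs[:i] if e["action"] == "login_failed" and e["ts"] >= ev["ts"] - window]
            if len(fails) < min_failures:
                continue
            follow = [e for e in evs[i + 1:] if e["ts"] <= ev["ts"] + window]
            procs = [e for e in follow if e["src"] == "endpoint" and e["action"] == "process_start"]
            if not procs:
                continue
            net = [e for e in follow if e["src"] == "network"]
            alerts.append({
                "rule": "brute_force_then_execution",  # constructed rule name
                "user": user, "host": host, "failures": len(fails),
                "process": procs[0]["proc"], "outbound": net[0]["dst"] if net else None,
                "sources": sorted({e["src"] for e in fails + [ev] + procs + net}),
            })
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```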
Related terms
- EDR (Endpoint Detection and Response) - Endpoint security capability focused on detection, investigation, and response to threats that have evaded prevention.
- SOAR (Security Orchestration, Automation and Response) - Platform that automates security operations workflows: playbook execution, integrations, case management.
- SOC (Security Operations Center) - Centralized team responsible for monitoring, detecting, investigating, and responding to security incidents.
- UEBA (User and Entity Behavior Analytics) - Detection technique that uses ML to baseline normal user/entity behavior and flag anomalies.