SIEM
Security Information and Event Management — a platform that aggregates logs and detects threats in real time.
Also known as
Security Information and Event Management
SIEM (Security Information and Event Management) is a platform that collects, normalises, and correlates log and event data from across an IT environment — servers, network devices, endpoints, cloud services — and generates alerts when suspicious patterns emerge.
Core capabilities
- Log aggregation — ingests syslog, Windows Event Log, cloud audit logs, etc.
- Normalisation — maps heterogeneous log formats to a common schema (e.g. ECS, CEF).
- Correlation rules — detects multi-event attack patterns (e.g. brute-force → success → lateral movement).
- Alerting & dashboards — surfaces detections to SOC analysts.
- Retention — stores logs for compliance and forensic investigation.
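The normalisation and correlation capabilities above are easier to see end to end in code. The following is an added illustration, not code from the original page or from any of the platforms listed below: it parses two constructed log formats (Linux sshd syslog lines and simplified Windows logon events using the real event IDs 4624 for success and 4625 for failure) into a small ECS-style schema, then applies one correlation rule that fires when at least `threshold` failed logons from one source IP are followed by a success within `window`. The field names, the log lines, the regexes, and the rule parameters are all assumptions made for this example.

```python
"""Toy SIEM pipeline: normalise heterogeneous logs, then run a correlation rule."""
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample input (not real telemetry): four sshd failures then a success
# from one IP, an unrelated sshd failure, and one Windows failure/success pair.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "2024-05-01T10:00:03Z sshd[1201]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "2024-05-01T10:00:05Z sshd[1201]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "2024-05-01T10:00:06Z sshd[1201]: Failed password for root from 203.0.113.7 port 51025 ssh2",
    "2024-05-01T10:00:09Z sshd[1201]: Accepted password for root from 203.0.113.7 port 51026 ssh2",
    "2024-05-01T10:01:00Z sshd[1201]: Failed password for alice from 198.51.100.9 port 40000 ssh2",
    "2024-05-01T10:02:00Z winlog EventID=4625 TargetUserName=bob IpAddress=192.0.2.5",
    "2024-05-01T10:02:30Z winlog EventID=4624 TargetUserName=bob IpAddress=192.0.2.5",
]

# Parsers for the two (assumed) source formats.
SSH_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port \d+")
WIN_RE = re.compile(r"^(\S+) winlog EventID=(\d+) TargetUserName=(\S+) IpAddress=(\S+)")
WIN_OUTCOME = {"4624": "success", "4625": "failure"}  # Windows logon event IDs


def normalise_line(line):
    """Map one raw line onto ECS-style field names; return None if unparseable."""
    m = SSH_RE.match(line)
    if m:
        ts, verb, user, ip = m.groups()
        outcome = "success" if verb == "Accepted" else "failure"
    else:
        m = WIN_RE.match(line)
        if not m or m.group(2) not in WIN_OUTCOME:
            return None  # unknown format or an event ID this rule does not care about
        ts, event_id, user, ip = m.groups()
        outcome = WIN_OUTCOME[event_id]
    return {
        "@timestamp": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event.category": "authentication",
        "event.outcome": outcome,
        "user.name": user,
        "source.ip": ip,
    }


def normalise(lines):
    """Normalise every line, drop what could not be parsed, and order by time."""
    events = [e for e in (normalise_line(line) for line in lines) if e is not None]
    return sorted(events, key=lambda e: e["@timestamp"])


def brute_force_then_success(events, threshold=3, window=timedelta(seconds=60)):
    """Correlation rule: >= threshold failures from one source.ip, then a success, inside window."""
    alerts = []
    recent_failures = {}  # source.ip -> deque of failure timestamps still inside the window
    for e in events:
        q = recent_failures.setdefault(e["source.ip"], deque())
        # Slide the window: forget failures older than `window` relative to this event.
        while q and e["@timestamp"] - q[0] > window:
            q.popleft()
        if e["event.outcome"] == "failure":
            q.append(e["@timestamp"])
        elif len(q) >= threshold:
            alerts.append({
                "rule": "brute_force_then_success",
                "source.ip": e["source.ip"],
                "user.name": e["user.name"],
                "failures": len(q),
                "timestamp": e["@timestamp"].isoformat(),
            })
            q.clear()  # do not re-alert on the same burst
    return alerts


def run_pipeline(lines=SAMPLE_LOGS):
    """Ingest -> normalise -> correlate, returning the alerts a SOC analyst would see."""
    return brute_force_then_success(normalise(lines))


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

Only the 203.0.113.7 burst produces an alert; the single Windows failure before bob's success stays below the threshold, and alice's lone failure never sees a success. A real platform runs many such rules continuously over a streaming feed, but the two halves are the same: a per-source parser that lands events in one schema, and stateful logic over that schema.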
Popular SIEM platforms
| Platform | Type |
|---|---|
| ELK Stack | Open-source |
| Wazuh | Open-source XDR |
| Splunk | Commercial |
| Microsoft Sentinel | Cloud-native |
| IBM QRadar | Commercial |
See also
SOC, MITRE ATT&CK, XDR