loading
Loading content
loading
Also known as Security Information and Event Management
A SIEM (security information and event management platform) is the central log and event store for a security team. It ingests data from endpoints, servers, firewalls, cloud services, and applications, normalizes it into a common schema, and runs correlation rules across the combined stream. When activity on separate systems lines up into a suspicious pattern, the SIEM raises an alert that an analyst can investigate, and it retains the underlying data for later searching.
The platform matters because attacks rarely show up in one log. A failed login here, a new admin account there, and an outbound connection somewhere else look harmless alone but tell a clear story when correlated. The SIEM is also where retention and compliance obligations get met, since it holds searchable history long after the events scroll off individual hosts. Tuning is the constant cost: rules that are too loose drown analysts in noise, and rules too tight miss the real intrusion.
A SIEM is the backbone of a security operations center and the platform where detection engineering writes and tests rules. Its alerts kick off incident response, and pairing it with SOAR automates the repetitive triage and containment steps.
Related terms