Security generates data. A lot of it. Firewalls log every connection they allow and block. Endpoints log every process that runs, every file that opens, every network connection that is initiated. Active Directory logs every authentication attempt, every privilege escalation, every account modification. Email systems log every message received, every link clicked, every attachment opened.
In isolation, each of these log streams tells you something. Together, correlated across time and systems, they tell you everything — including things that no individual log source could reveal on its own.
A Security Information and Event Management system — SIEM — is the platform that collects all of this data, normalizes it into a common format, and gives security teams the ability to search it, correlate events across sources, set alerts on suspicious patterns, and investigate incidents with full visibility across the environment.
It is the closest thing to a single pane of glass that security operations has. And like most single panes of glass, it requires significant work to keep it clear.
What a SIEM actually does
The acronym breaks down into two historically separate disciplines that modern platforms have merged. Security Information Management (SIM) focused on long-term log storage and compliance reporting. Security Event Management (SEM) focused on real-time event correlation and alerting. SIEM combines both into a single platform.
[Diagram: How a SIEM aggregates your environment. Log sources such as applications (web servers, databases) feed into the SIEM platform, where all logs are collected, normalized, and indexed so they can be searched, correlated, alerted on, investigated, and reported on.]
Core SIEM capabilities
Log aggregation and normalization
Collecting logs from dozens of sources in different formats and normalizing them into a common schema so they can be searched and correlated together. A firewall log and an Active Directory log use different field names for the same concepts — normalization makes them queryable together.
Event correlation
Identifying relationships between events across different systems and time periods. A failed login from an IP address, followed by a successful login from the same IP, followed by a large data transfer — individually these might not alert. Correlated, they are a potential breach. This is what SIEMs are uniquely capable of.
Real-time alerting
Rules and machine learning models that trigger alerts when specific patterns occur. A SIEM alert fires when a user authenticates from two countries within an hour, when a service account starts running interactive processes, or when data exfiltration volumes exceed baseline thresholds.
Incident investigation
When an alert fires, analysts use the SIEM to investigate — searching across all log sources for context, building a timeline of events, identifying affected systems and accounts, and tracing the attacker's path through the environment.
Compliance reporting
Generating audit reports, demonstrating control effectiveness, and providing evidence for compliance frameworks like PCI-DSS, HIPAA, SOC 2, and ISO 27001. SIEM log retention and reporting capabilities are often a compliance requirement in regulated industries.
What a SIEM reveals that nothing else can
The value of a SIEM becomes clearest when you consider the types of attacks that are invisible without cross-source correlation.
Credential compromise and lateral movement. A user authenticates to a VPN from an unusual location, accesses a file server they have never touched before, and then authenticates to a domain controller with admin credentials — all within 20 minutes. No individual event is necessarily alarming. The sequence, correlated across VPN logs, file server logs, and Active Directory, is a clear attack pattern.
Data exfiltration. A user downloads 50GB of data from a SharePoint site on a Friday afternoon and then connects to a cloud storage service that the organization has never seen before. Neither event alone is certain evidence of malicious intent. Together, in context, they warrant immediate investigation.
Insider threats. An employee with elevated access begins accessing data outside their normal scope, printing documents they have not printed before, and logging in outside normal business hours in the weeks before their resignation date. These behavioral patterns are invisible without a system that aggregates and analyzes activity over time.
Compliance violations. Privileged accounts being used for routine tasks, administrative access granted without proper change management, data being stored in unauthorized locations — SIEM log analysis makes these visible in ways that manual review cannot.
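The credential-compromise chain described above (unusual VPN login, first-time file server access, privileged logon to a domain controller, all within 20 minutes) is the clearest case for the event-correlation capability listed earlier: no single stage alerts, the ordered sequence does. The following is an added example written for this article, not code from the original page or from any SIEM product. It implements an ordered multi-stage correlator that is general (any list of stage predicates, any window, any grouping key) and then instantiates it with the three stages from the text. The events, user baselines (usual countries, previously seen file servers), and field names are constructed for illustration.

```python
from datetime import datetime, timedelta


def ev(ts, source, user, **extra):
    """Build a normalized event (constructed sample data, not real logs)."""
    e = {"timestamp": datetime.fromisoformat(ts), "source": source, "user": user}
    e.update(extra)
    return e


# Per-user baselines a SIEM would learn from history (constructed for this example).
USUAL_COUNTRIES = {"jsmith": {"GB"}, "mlee": {"GB"}}
KNOWN_FILE_SERVERS = {"jsmith": {"fs-hr-01"}, "mlee": {"fs-eng-03"}}

# The three stages from the text, each as (label, predicate over one normalized event).
STAGES = [
    ("VPN login from an unusual country",
     lambda e: e["source"] == "vpn" and e.get("outcome") == "success"
     and e.get("country") not in USUAL_COUNTRIES.get(e["user"], set())),
    ("first-time access to a file server",
     lambda e: e["source"] == "fileserver"
     and e.get("host") not in KNOWN_FILE_SERVERS.get(e["user"], set())),
    ("privileged logon to a domain controller",
     lambda e: e["source"] == "ad" and e.get("host", "").startswith("dc") and e.get("privileged") is True),
]


def correlate_sequence(events, stages, window_minutes=20, key="user"):
    """Find, per key, an ordered chain of events matching every stage inside the window.

    Every stage-0 candidate is tried as a start; later stages are matched greedily
    (earliest event after the previous stage), which is optimal for a fixed start.
    """
    window = timedelta(minutes=window_minutes)
    by_key = {}
    for e in sorted(events, key=lambda e: e["timestamp"]):
        by_key.setdefault(e[key], []).append(e)
    hits = []
    for k, evs in by_key.items():
        for i, start in enumerate(evs):
            if not stages[0][1](start):
                continue
            chain, pos = [start], i + 1
            for _, pred in stages[1:]:
                nxt = next((j for j in range(pos, len(evs))
                            if evs[j]["timestamp"] - start["timestamp"] <= window and pred(evs[j])), None)
                if nxt is None:
                    break
                chain.append(evs[nxt])
                pos = nxt + 1
            if len(chain) == len(stages):
                hits.append({"key": k, "start": chain[0]["timestamp"], "end": chain[-1]["timestamp"],
                             "stages": [label for label, _ in stages]})
                break  # one alert per key is enough
    return hits


# Constructed sample: jsmith has an early RO login that does NOT fit the window, then the real chain.
SAMPLE_EVENTS = [
    ev("2024-03-15T08:30:00", "vpn", "jsmith", outcome="success", country="RO"),
    ev("2024-03-15T09:00:00", "vpn", "jsmith", outcome="success", country="RO"),
    ev("2024-03-15T09:08:00", "fileserver", "jsmith", host="fs-fin-02", action="read"),
    ev("2024-03-15T09:15:00", "ad", "jsmith", host="dc01", privileged=True),
    ev("2024-03-15T09:01:00", "vpn", "mlee", outcome="success", country="GB"),
    ev("2024-03-15T09:05:00", "fileserver", "mlee", host="fs-eng-03", action="read"),
    ev("2024-03-15T09:20:00", "ad", "mlee", host="dc01", privileged=True),
]

if __name__ == "__main__":
    for hit in correlate_sequence(SAMPLE_EVENTS, STAGES):
        print(hit["key"], hit["start"].time(), "->", hit["end"].time(), "|", " > ".join(hit["stages"]))
```

Two details matter for a real rule. First, the correlator tries every stage-0 candidate rather than only the earliest: the 08:30 login is too far from the later stages, and a greedy implementation that locked onto it would miss the 09:00 chain entirely. Second, the baselines are what turn "VPN login" and "file server read" into signal; the same three raw events for a user who normally logs in from Romania and normally reads that share produce no alert, which is exactly the tuning the article's later section on alert fatigue is about.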
"A SIEM is not a detection tool — it is a visibility tool. Detection comes from the rules and logic you build on top of it. Without tuned detection rules written for your environment, a SIEM is a very expensive log storage system."
The major SIEM vendors
Splunk Enterprise Security
MARKET LEADER
The dominant SIEM in enterprise security operations. Extremely powerful search language (SPL), massive ecosystem of integrations, and a large community of practitioners. The standard against which other SIEMs are measured. Now owned by Cisco.
Expensive — pricing based on data ingestion volume. Large environments pay six to seven figures annually.
Microsoft Sentinel
STRONG CLOUD-NATIVE
Cloud-native SIEM built on Azure. Deep integration with Microsoft 365, Azure AD, and the broader Microsoft security ecosystem. Pay-as-you-go pricing model. The obvious choice for Microsoft-centric environments. AI-powered detection has improved substantially.
Cost scales with data ingestion. Microsoft 365 E5 licenses include significant Sentinel credits.
IBM QRadar
ENTERPRISE ESTABLISHED
Long-standing enterprise SIEM with strong network flow analysis capabilities. More complex to deploy and manage than newer cloud-native alternatives. Common in large financial services and government environments that have been running it for years.
Losing market share to cloud-native competitors but remains entrenched in large enterprises.
Elastic Security (ELK Stack)
FLEXIBLE / OPEN SOURCE
Built on the open source Elasticsearch, Logstash, and Kibana stack. Highly flexible and customizable. Free to self-host with significant engineering investment. Elastic's commercial offering adds pre-built detection rules and managed capabilities.
Popular with technically capable teams that want control over their data and architecture.
Wazuh
FREE / OPEN SOURCE
Free, open-source SIEM and XDR platform. Combines log management, intrusion detection, vulnerability management, and compliance reporting in one platform. Genuinely capable — not a toy. The right starting point for home labs and budget-constrained organizations.
I run Wazuh in my home lab. Excellent documentation, active community, real detection capability.
Security Onion
FREE / OPEN SOURCE
Purpose-built security monitoring distribution that packages multiple open source tools — Zeek, Suricata, Elasticsearch, and others — into a unified platform. More complex to deploy than Wazuh but closer to how enterprise SOC environments are built.
Excellent for home lab use and for learning how enterprise SOC environments are structured.
Real-world SIEM detection use cases
WHAT SIEM DETECTION RULES CATCH
Impossible travel authentication
Login from London at 9:00 AM, login from Tokyo at 9:45 AM. Physically impossible — indicates credential compromise or VPN use. Alerts immediately for investigation.
Brute force credential attacks
50 failed logins to an account within 5 minutes from the same IP address. Clear brute force pattern — alert fires, account can be locked automatically.
Privileged account misuse
Domain admin account used to browse the web or check email — behavior that should never occur with admin accounts. Indicates either compromise or policy violation.
Lateral movement indicators
A workstation authenticating to 20 different servers within 10 minutes using the same credential. Normal workstations do not behave this way — indicates Pass-the-Hash or credential-based lateral movement.
Data staging and exfiltration
Large volume of files compressed into an archive, followed by connection to an external cloud storage service not in the organization's approved list. Pre-exfiltration staging pattern.
Ransomware behavioral indicators
A process rapidly renaming thousands of files with new extensions. File modification at a rate inconsistent with normal user behavior — potential ransomware encryption in progress.
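Three of the use cases above (brute force, lateral movement fan-out, impossible travel) share a structure: count something per entity inside a time window and compare against a threshold. The following is an added example written for this article, not code from the original page or from any SIEM vendor. It generalizes that structure into one sliding-window rule engine, instantiates it with the article's own numbers (50 failures in 5 minutes; 20 distinct servers in 10 minutes), and adds a separate impossible-travel check that computes the implied travel speed between consecutive logins. The 900 km/h ceiling, the event field names, and the sample events and coordinates are this example's assumptions.

```python
import math
from datetime import datetime, timedelta


def ev(ts, **fields):
    """Build a normalized event (constructed sample data, not real logs)."""
    return {"timestamp": ts, **fields}


def window_rule(events, key_fn, window, threshold, distinct_fn=None, predicate=lambda e: True):
    """Sliding-window threshold rule: fire once per key when >= threshold matching events
    (or distinct values of distinct_fn) fall inside any span of length `window`.
    Returns (key, first_ts, last_ts, count) tuples."""
    by_key = {}
    for e in sorted(events, key=lambda e: e["timestamp"]):
        if predicate(e):
            by_key.setdefault(key_fn(e), []).append(e)
    hits = []
    for key, evs in by_key.items():
        lo = 0
        for hi in range(len(evs)):
            while evs[hi]["timestamp"] - evs[lo]["timestamp"] > window:
                lo += 1  # slide the window's left edge forward
            span = evs[lo:hi + 1]
            n = len({distinct_fn(e) for e in span}) if distinct_fn else len(span)
            if n >= threshold:
                hits.append((key, span[0]["timestamp"], span[-1]["timestamp"], n))
                break  # one alert per key; the analyst does not need fifty copies
    return hits


def brute_force_hits(events, threshold=50, window=timedelta(minutes=5)):
    # Same source IP hammering the same account with failed logins.
    return window_rule(events, key_fn=lambda e: (e["src_ip"], e["user"]), window=window,
                       threshold=threshold, predicate=lambda e: e.get("outcome") == "failure")


def lateral_movement_hits(events, threshold=20, window=timedelta(minutes=10)):
    # One workstation authenticating to many distinct servers in a short time.
    return window_rule(events, key_fn=lambda e: e["src_host"], window=window,
                       threshold=threshold, distinct_fn=lambda e: e["dst_host"])


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def impossible_travel(logins, max_kmh=900.0):
    """Flag consecutive logins by one user whose implied speed exceeds max_kmh (assumed ceiling)."""
    by_user = {}
    for e in sorted(logins, key=lambda e: e["timestamp"]):
        by_user.setdefault(e["user"], []).append(e)
    hits = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            hours = (cur["timestamp"] - prev["timestamp"]).total_seconds() / 3600
            km = haversine_km(prev["geo"], cur["geo"])
            speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > max_kmh:
                hits.append({"user": user, "km": round(km), "hours": round(hours, 2), "kmh": round(speed)})
    return hits


# Constructed samples. T0 is an arbitrary start time.
T0 = datetime(2024, 3, 15, 9, 0)
SAMPLE_AUTH = (
    [ev(T0 + timedelta(seconds=5 * i), user="admin", src_ip="198.51.100.7", outcome="failure") for i in range(50)]
    + [ev(T0 + timedelta(minutes=i), user="mlee", src_ip="10.0.0.15", outcome="failure") for i in range(3)]
)
SAMPLE_SERVER_AUTH = [ev(T0 + timedelta(seconds=20 * i), user="svc-backup", src_host="ws-042",
                         dst_host=f"srv-{i:02d}") for i in range(20)]
SAMPLE_LOGINS = [
    ev(T0, user="jsmith", geo=(51.5074, -0.1278)),                          # London, 09:00
    ev(T0 + timedelta(minutes=45), user="jsmith", geo=(35.6762, 139.6503)),  # Tokyo, 09:45
    ev(T0, user="mlee", geo=(51.5074, -0.1278)),                            # London
    ev(T0 + timedelta(hours=3), user="mlee", geo=(53.4808, -2.2426)),       # Manchester, 3 h later
]

if __name__ == "__main__":
    print("brute force:", brute_force_hits(SAMPLE_AUTH))
    print("lateral movement:", lateral_movement_hits(SAMPLE_SERVER_AUTH))
    print("impossible travel:", impossible_travel(SAMPLE_LOGINS))
```

The user who mistypes a password three times and the user who drives from London to Manchester over three hours do not fire, which is the point of thresholds and of computing speed rather than just "two locations". The window loop is linear in the number of events per key because the left edge only ever moves forward, which is what lets a rule like this run continuously over a high-volume authentication stream.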
The honest challenges of SIEM implementation
WHAT NOBODY TELLS YOU ABOUT SIEM
Alert fatigue is real and immediate. A newly deployed SIEM with default rules generates enormous volumes of alerts — most of them false positives. Without dedicated tuning effort, analysts quickly learn to ignore alerts. A poorly tuned SIEM is worse than no SIEM because it creates the illusion of visibility while producing no actionable signal.
Cost scales with data volume. Most commercial SIEM pricing is based on daily data ingestion volume in gigabytes. Large environments with comprehensive logging generate enormous amounts of data. Splunk licensing for a large enterprise can cost millions annually. Plan your logging strategy carefully — not everything needs to go into the SIEM.
A SIEM requires dedicated expertise. Deploying a SIEM is the beginning, not the end. Writing detection rules, tuning to reduce false positives, maintaining integrations with log sources, and training analysts to use the query language effectively require ongoing investment. A SIEM without skilled operators is expensive infrastructure that no one uses effectively.
Garbage in, garbage out. A SIEM is only as good as the logs it receives. If critical systems are not logging to the SIEM, attacks on those systems are invisible. Log source coverage — ensuring the right systems send the right logs — is as important as the SIEM platform itself.
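Log source coverage is easy to state and easy to lose: an agent crashes, a forwarder's certificate expires, a new domain controller is built without the logging policy, and the SIEM simply stops seeing that system. The following is an added example written for this article, not code from the original page or from any SIEM product. It compares an inventory of systems that are expected to log (each with the longest silence that is acceptable for it) against the most recent event actually seen per host, and reports stale, missing, and unexpected sources. The inventory, tolerances, hostnames, and sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed inventory: hosts that must send logs, with the longest tolerated silence.
# A firewall that goes quiet for five minutes is a problem; a file server for four hours may not be.
EXPECTED_SOURCES = {
    "fw01": timedelta(minutes=5),
    "dc01": timedelta(minutes=15),
    "dc02": timedelta(minutes=15),
    "mail-gw": timedelta(hours=1),
    "fs-hr-01": timedelta(hours=4),
}

# Constructed sample of events in the SIEM index (only host and time matter here).
SAMPLE_EVENTS = [
    {"host": "fw01", "timestamp": datetime(2024, 3, 15, 11, 40)},
    {"host": "fw01", "timestamp": datetime(2024, 3, 15, 11, 58)},
    {"host": "dc01", "timestamp": datetime(2024, 3, 15, 11, 55)},
    {"host": "dc02", "timestamp": datetime(2024, 3, 15, 9, 10)},    # went quiet hours ago
    {"host": "mail-gw", "timestamp": datetime(2024, 3, 15, 11, 30)},
    {"host": "ws-999", "timestamp": datetime(2024, 3, 15, 11, 59)},  # logging, but not in the inventory
]
NOW = datetime(2024, 3, 15, 12, 0)  # evaluation time for the sample


def last_seen_by_host(events):
    """Most recent timestamp observed per host."""
    last = {}
    for e in events:
        if e["host"] not in last or e["timestamp"] > last[e["host"]]:
            last[e["host"]] = e["timestamp"]
    return last


def coverage_report(expected, last_seen, now):
    """Classify every expected source as ok, stale (silent longer than tolerated) or missing
    (never seen), and list hosts that log but are not in the inventory."""
    report = {"ok": [], "stale": [], "missing": [], "unexpected": []}
    for host, max_gap in expected.items():
        seen = last_seen.get(host)
        if seen is None:
            report["missing"].append(host)
        elif now - seen > max_gap:
            report["stale"].append((host, now - seen))
        else:
            report["ok"].append(host)
    report["unexpected"] = sorted(set(last_seen) - set(expected))
    return report


if __name__ == "__main__":
    rep = coverage_report(EXPECTED_SOURCES, last_seen_by_host(SAMPLE_EVENTS), NOW)
    for host, gap in rep["stale"]:
        print(f"STALE    {host}: no events for {gap}")
    for host in rep["missing"]:
        print(f"MISSING  {host}: never seen")
    for host in rep["unexpected"]:
        print(f"UNLISTED {host}: logging but not in the inventory")
    print("ok:", ", ".join(rep["ok"]))
```

The "unexpected" list is as useful as the stale one: it is how the inventory stays honest, since a host that appears in the index without being in the expected list is either a gap in asset management or something that should not exist. In practice this check runs on a schedule inside the SIEM itself, with the inventory fed from a CMDB or asset tool rather than a hard-coded dict.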
Do you need a SIEM?
Large organizations and regulated industries — yes, absolutely. Any organization with a meaningful security program, compliance requirements, or a SOC team needs a SIEM. The visibility it provides is not optional at scale. Splunk or Microsoft Sentinel are the standard choices depending on your environment and budget.
Mid-market organizations — probably, with realistic expectations. A SIEM makes sense when you have the log sources worth aggregating and at least one person responsible for reviewing alerts. Microsoft Sentinel with Microsoft 365 E5 licensing is often the most practical path. Start with the most critical log sources and expand gradually.
Small businesses — Wazuh or not yet. Small businesses with limited IT resources often do not have the capacity to operate a SIEM effectively. Wazuh provides genuine capability at no licensing cost and is worth deploying if you have someone to manage it. If you do not, invest first in the controls that do not require ongoing operational attention — MFA, EDR, backups, patching.
Home lab and learning — Wazuh or Security Onion. Both are free, genuinely capable, and widely used in home labs. Setting up Wazuh in a home lab with agents on your VMs is an excellent practical exercise that directly translates to enterprise skills. It is also one of the things that impresses interviewers who understand what it means to have done it.
A SIEM is infrastructure, not a solution. The solution is a security program that uses SIEM as one of its tools. Buying a SIEM without the operational capability to use it is a common and expensive mistake.
TryHackMe
TryHackMe's SOC Level 1 path includes hands-on SIEM labs using Splunk and other platforms. The fastest way to build practical SIEM skills without enterprise access.