SIEM
Technology platform for log aggregation, correlation, and real-time alerting. SIEM detects and reports security incidents—SOAR automates the response, and the SOC manages human operations. SIEM is the 'eye,' SOAR is the 'arm,' and the SOC is the 'brain.'
SIEM (Security Information and Event Management) combines two predecessor technologies:
- SIM (Security Information Management): Long-term storage and analysis of log data
- SEM (Security Event Management): Real-time monitoring and correlation of security events
SIEM Functions
Log Collection: Collection of logs from firewalls, IDS/IPS, endpoints, servers, applications, Active Directory, and cloud services
Normalization: Standardization of different log formats into a common schema (e.g., Common Event Format, STIX/TAXII)
Correlation Rules: Linking individual events into attack patterns. Example: three failed logins followed by a successful login from an unknown IP = brute-force alert
UEBA (User and Entity Behavior Analytics): Learns a baseline of normal behavior and flags deviations from it. Example: Hans logs in daily between 8 AM and 6 PM, but today he logs in at 3:00 AM and performs 500 downloads
Alerting: Prioritized alerts to the SOC team based on severity and context
Dashboards & Reporting: Visualization of security metrics, compliance reports for NIS2 and ISO 27001
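A small worked example of the normalization and correlation steps described above, added here and not taken from the original page or any SIEM product: constructed sshd-style log lines are mapped onto a common schema, and the brute-force rule fires when three or more failures for a user inside a five-minute window are followed by a success from an IP not in an assumed per-user inventory (KNOWN_IPS, a stand-in for the identity/asset data a real SIEM would hold).

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like format (not real captures).
RAW_LOGS = [
    "2024-05-01T02:58:10 sshd[811]: Failed password for hans from 203.0.113.45",
    "2024-05-01T02:58:20 sshd[811]: Failed password for hans from 203.0.113.45",
    "2024-05-01T02:58:35 sshd[811]: Failed password for hans from 203.0.113.45",
    "2024-05-01T02:59:01 sshd[811]: Accepted password for hans from 203.0.113.45",
    "2024-05-01T08:01:00 sshd[902]: Failed password for anna from 10.0.0.20",
    "2024-05-01T08:01:05 sshd[902]: Failed password for anna from 10.0.0.20",
    "2024-05-01T08:01:09 sshd[902]: Failed password for anna from 10.0.0.20",
    "2024-05-01T08:01:15 sshd[902]: Accepted password for anna from 10.0.0.20",
    "2024-05-01T09:10:00 sshd[950]: Failed password for bob from 198.51.100.9",
    "2024-05-01T09:10:04 sshd[950]: Accepted password for bob from 198.51.100.9",
]

# Assumed identity inventory (placeholder data): IPs each user normally logs in from.
KNOWN_IPS = {"hans": {"10.0.0.12"}, "anna": {"10.0.0.20"}, "bob": {"10.0.0.7"}}
LINE_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)$")

def normalize(line):
    """Normalization step: map one raw line onto the common schema
    {ts, user, src_ip, outcome}; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, verb, user, ip = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "src_ip": ip,
            "outcome": "failure" if verb == "Failed" else "success"}

def correlate_brute_force(events, known_ips=KNOWN_IPS, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: >= threshold failed logins for a user inside `window`,
    followed by a successful login from an IP not in that user's known set."""
    alerts, failures = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        recent = [t for t in failures.get(e["user"], []) if e["ts"] - t <= window]
        if e["outcome"] == "failure":
            failures[e["user"]] = recent + [e["ts"]]
            continue
        if len(recent) >= threshold and e["src_ip"] not in known_ips.get(e["user"], set()):
            alerts.append({"rule": "brute_force_then_success", "user": e["user"],
                           "src_ip": e["src_ip"], "failures": len(recent),
                           "ts": e["ts"].isoformat()})
        failures[e["user"]] = []  # a success closes the failure streak
    return alerts

def run(lines=RAW_LOGS):
    """Pipeline: normalize every line, drop unparsable ones, apply the rule."""
    return correlate_brute_force([ev for ev in map(normalize, lines) if ev is not None])
```

With the sample data only hans triggers the rule: anna's success comes from a known IP and bob has a single failure, so neither matches.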
SIEM Products on the Market
| Product | Features |
|---|---|
| Microsoft Sentinel | Cloud-native, Azure integration, KQL query language, SOAR integrated |
| Splunk Enterprise Security | Market leader, SPL query language, largest ecosystem |
| IBM QRadar | Enterprise-proven, good DACH support |
| Elastic SIEM | Open source, Sigma-compatible, lower entry cost |
SIEM vs. SOAR vs. XDR
| Technology | Focus |
|---|---|
| SIEM | Log aggregation, correlation, alerting |
| SOAR | Automated response to SIEM alerts (playbooks) |
| XDR | Integrated detection across endpoints, networks, and the cloud – cross-silo |
SIEM and SOAR are complementary: SIEM detects a brute-force attack → alerts SOAR → SOAR checks the IP, locks the account, and notifies the analyst.
Modern platforms like Microsoft Sentinel combine SIEM and SOAR in a single product.
SIEM and NIS2/ISO 27001
NIS2 Art. 21 and ISO 27001 A.8.15 explicitly require monitoring and logging of security events. A SIEM is the standard solution for meeting these requirements. For smaller companies, Managed SIEM (MSSP) can be more cost-effective than an in-house system.