cybersecurity monitoring

SIEM (SIEM)

siem monitoring log-analysis threat-detection
Plain English

A SIEM is a security control room for your entire network. It collects logs from every device (firewalls, servers, applications, cloud services) into one place, then looks for patterns that indicate an attack. If someone tries to log in from five different countries in ten minutes, or if a server suddenly starts sending data to an unknown IP, the SIEM detects it and alerts the security team.

Technical Definition

Security Information and Event Management (SIEM) combines two functions: SIM (Security Information Management: log collection, storage, compliance reporting) and SEM (Security Event Management: real-time monitoring, correlation, alerting).

Core capabilities:

  • Log aggregation: ingest logs from firewalls, IDS/IPS, servers, endpoints, cloud services, applications via syslog, API, or agents
  • Normalization: transform disparate log formats into a common schema for consistent querying
  • Correlation: apply rules that connect events across sources (e.g., “failed SSH login from IP X” + “successful login from IP X 5 minutes later” + “large data transfer from that host” = potential breach)
  • Alerting: trigger notifications based on correlation rules, thresholds, or anomaly detection
  • Dashboards: real-time visibility into security posture, threat landscape, and compliance metrics
  • Forensic search: query historical logs to investigate incidents (“show me all activity from IP 203.0.113.50 in the last 30 days”)
  • Compliance reporting: generate audit-ready reports for PCI-DSS, HIPAA, SOC 2, GDPR

Detection approaches:

  • Rule-based: predefined correlation rules (if X and Y within Z minutes, alert)
  • Threshold-based: alert when a metric exceeds a baseline (>100 failed logins per hour)
  • Anomaly/ML-based: statistical models detect deviations from normal behavior (UEBA: User and Entity Behavior Analytics)

SIEM platforms: Splunk, Microsoft Sentinel, Elastic Security, IBM QRadar, Sumo Logic, Wazuh (open-source), Graylog.

SIEM correlation rule (Splunk SPL) 

# Detect brute force followed by successful login
index=auth sourcetype=sshd
| stats count(eval(action="failure")) as failures
        count(eval(action="success")) as successes
        earliest(_time) as first_attempt
        latest(_time) as last_attempt
  by src_ip, dest_host
| where failures > 10 AND successes > 0
| eval duration_minutes = round((last_attempt - first_attempt) / 60, 1)
| where duration_minutes < 30
| table src_ip dest_host failures successes duration_minutes

# Detect data exfiltration: large outbound transfer
index=firewall action=allowed direction=outbound
| stats sum(bytes_out) as total_bytes by src_ip dest_ip
| where total_bytes > 1073741824
| eval gb_transferred = round(total_bytes / 1073741824, 2)
| sort -gb_transferred
In the Wild

SIEMs are the backbone of Security Operations Centers (SOCs). Compliance frameworks (PCI-DSS requirement 10, HIPAA, SOC 2) mandate centralized log collection and review, which effectively requires a SIEM. The challenge is signal-to-noise: a mid-size organization generates millions of log events daily, and most are benign. Poorly tuned SIEMs produce “alert fatigue” where analysts ignore alerts because too many are false positives. Modern SIEMs incorporate UEBA (User and Entity Behavior Analytics) and SOAR (Security Orchestration, Automation, and Response) to automatically triage and respond to common incidents. Splunk dominates the enterprise market but is expensive at scale; Elastic Security and Wazuh are popular open-source alternatives. Cloud-native SIEMs (Microsoft Sentinel, Google Chronicle) integrate directly with cloud provider logs.

← Back to Dictionary