# SIEM
Security Stack
## Definition
A SIEM (Security Information and Event Management) is the “central nervous system” of a Security Operations Center (SOC). It ingests logs and telemetry from across an environment, normalizes the data into a common format, and applies analytics to detect suspicious or malicious activity.
## Examples & Use Cases

### Why It Matters in Practice

In real environments, attacks rarely show up as a single obvious alert. Instead, they appear as small, seemingly unrelated events (e.g. a login failure, a privilege escalation, unusual outbound traffic). A SIEM connects these dots. Without it, defenders are effectively blind to multi-stage attacks.

### How It Works

- Data ingestion (logs from firewalls, endpoints, cloud, identity systems)
- Parsing & normalization (turning raw logs into structured data)
- Correlation (linking multiple events together)
- Alerting (triggering on rules or anomalies)
- Investigation (analyst queries and dashboards)

### Key Points

- Acts as a single pane of glass for monitoring
- Detection depends heavily on rule quality and tuning
- High false-positive rates if not properly configured
- Often paired with SOAR for automated response

### Common Usages

- Writing correlation rules (e.g., impossible travel login detection)
- Querying logs using languages like KQL or SPL
- Creating detection use cases aligned with attacker tactics
- Baselining “normal” behavior to identify anomalies

### Real-World Example

An attacker logs in from Singapore, then 5 minutes later from Europe. The SIEM flags this as “impossible travel,” triggering an alert for credential compromise.

### Limitations

- Requires significant tuning and maintenance
- Storage and licensing costs can be high
- Detection is only as good as the ingested data

### Further Reading

- [Splunk - What is SIEM](https://www.splunk.com/en_us/data-insider/what-is-siem.html)
- [Microsoft Learn - What is Microsoft Sentinel SIEM](https://learn.microsoft.com/en-us/azure/sentinel/overview)
- [CrowdStrike - What is SIEM](https://www.crowdstrike.com/en-us/cybersecurity-101/next-gen-siem/security-information-and-event-management-siem/)
- [Elastic - What is SIEM](https://www.elastic.co/what-is/siem)
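The impossible-travel correlation rule described above, written out as an added example (not code from this glossary or from any SIEM vendor): it parses constructed, already-normalized login records, correlates consecutive logins per user, and raises an alert when the implied travel speed exceeds an assumed 900 km/h airliner threshold.

```python
import json
import math
from datetime import datetime

# Constructed sample login events (not real telemetry): normalized SIEM records
# with a user, UTC timestamp and the geolocated coordinates of the source IP.
SAMPLE_LOGINS = """
{"user": "alice", "ts": "2024-05-01T08:00:00Z", "lat": 1.35, "lon": 103.82, "city": "Singapore"}
{"user": "alice", "ts": "2024-05-01T08:05:00Z", "lat": 52.52, "lon": 13.40, "city": "Berlin"}
{"user": "bob", "ts": "2024-05-01T09:00:00Z", "lat": 40.71, "lon": -74.01, "city": "New York"}
{"user": "bob", "ts": "2024-05-01T16:00:00Z", "lat": 51.51, "lon": -0.13, "city": "London"}
"""

MAX_PLAUSIBLE_KMH = 900.0  # assumed tuning threshold: roughly airliner cruise speed

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def parse_events(raw):
    """Parse newline-delimited JSON logins and sort them per user in time order."""
    events = []
    for line in raw.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: (e["user"], e["ts"]))

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Correlate consecutive logins per user; flag pairs whose implied speed is implausible."""
    alerts = []
    last = {}  # user -> previous login event (the correlation state)
    for ev in events:
        prev = last.get(ev["user"])
        if prev is not None:
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            # Zero elapsed time with any distance is also impossible, so guard the division.
            if km > 0 and (hours <= 0 or km / hours > max_kmh):
                alerts.append({"user": ev["user"], "from": prev["city"], "to": ev["city"],
                               "km": round(km), "minutes": round(hours * 60)})
        last[ev["user"]] = ev
    return alerts
```

Running `impossible_travel(parse_events(SAMPLE_LOGINS))` flags only alice (Singapore to Berlin in 5 minutes); bob's New York to London hop over 7 hours stays under the threshold, which is the kind of tuning decision that determines the rule's false-positive rate.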