GLOSSARY · TOOLING
SIEM
Security Information and Event Management: a platform that collects and correlates logs across systems so analysts can detect and investigate incidents.
A SIEM is the logging backbone of a security operations center. It ingests event data from endpoints, network devices, cloud services, applications, and identity platforms, then applies rules and analytics to surface patterns that suggest something worth investigating. Without a SIEM, each system’s logs sit in isolation: you might know something happened on the firewall, but not that it correlates with a failed authentication on the VPN and an unusual data transfer an hour later.
The operational reality is that a SIEM is only as useful as the content you put into it and the rules you write for it. Default out-of-the-box detection coverage is a starting point, not a destination. Tuning matters enormously: too many alerts and analysts go numb; too few and real incidents get missed. Most organizations underinvest in the human work of correlation rule development and end up with a very expensive log archive.
Cost is the persistent complaint in the market. SIEMs traditionally charged by data ingestion volume, which created perverse incentives to under-log exactly the sources (verbose endpoint and cloud logs) that produce the most useful signals. Newer architectures charge differently or offer tiered storage that separates hot search from cold retention. When evaluating or renewing, map the pricing model against which logs you actually need to query quickly versus which you are retaining for compliance.