Skip to content
You can now search across every topic, entity and event.What's new
Security Information and Event Management
Concept

Security Information and Event Management

Platform that aggregates, correlates, and alerts on security event logs across enterprise infrastructure.

Last refreshed: 24 June 2026 · Appears in 1 active topic

Key Question

What log sources do most enterprise SIEMs miss that attackers exploit?

Timeline for Security Information and Event Management

#818 Jun

Mentioned in: Splunk lands its first-ever KEV entry

Cybersecurity: Threats and Defences
#11 Mar

Mentioned in: Google closes $32bn Wiz deal; 38 M&A

Cybersecurity: Threats and Defences
View full timeline →
Common Questions
What is a SIEM and what does it do?
A SIEM (Security Information and Event Management) platform aggregates log data from an enterprise's servers, network devices and applications to detect threats in real time and support compliance reporting.
Why didn't any security tool detect the BRICKSTORM hackers for over a year?
BRICKSTORM ran on VMware ESXi hosts, which are typically not covered by standard EDR or SIEM log ingestion. Its command-and-control traffic ran over Cloudflare Workers and Heroku, appearing as legitimate SaaS traffic. Mandiant documented a 393-day average dwell time as a result.Source: Mandiant M-Trends 2026
What is the difference between a SIEM and a SOC?
A SOC (Security Operations Centre) is the team of analysts responsible for detecting and responding to threats. A SIEM is the platform the SOC uses to collect and analyse log data. A SIEM without a SOC is raw data with no one to act on the alerts; a SOC without a SIEM lacks the data aggregation and correlation that makes large-scale threat detection feasible.Source: NIST SP 800-92

Background

Security Information and Event Management (SIEM) is the log aggregation and threat-detection platform at the centre of a modern Security Operations Centre (SOC). A SIEM collects event logs from servers, network devices, endpoints, cloud services, and identity systems; normalises them to a common schema; applies correlation rules and behavioural analytics to surface anomalies; and generates alerts for analyst review. Most enterprise SIEMs also serve a compliance reporting function, providing audit trails required by frameworks such as ISO 27001, PCI-DSS, and DORA.

The category has gone through three commercial generations. First-generation SIEMs were rule-based log aggregators from vendors such as IBM QRadar, ArcSight, and RSA NetWitness. The second generation added user and entity behaviour analytics (UEBA), with Microsoft Sentinel (cloud-native, 2019) and Splunk (acquired by Cisco in 2024) becoming the dominant enterprise platforms. The third generation integrates AI-assisted detection and natural-language investigation; Databricks launched Lakewatch in March 2026 by acquiring Antimatter and SiftD.ai, positioning the data-lakehouse as the SIEM substrate for organisations already running Databricks for analytics workloads.

The primary operational failure mode for SIEMs is log-source coverage gaps. Virtualisation layers (VMware vCenter, ESXi), OT/ICS devices, and cloud-provider control planes are routinely excluded from SIEM ingestion because they require specialist connectors or generate high log volumes. Mandiant's M-Trends 2026 report documented a 393-day average dwell time for the UNC5221 BRICKSTORM campaign partly because vCenter and ESXi host logs were not ingested into enterprise SIEMs and the C2 traffic ran over trusted cloud platforms (Cloudflare Workers, Heroku) that standard correlation rules do not flag.

More questions
How does a cloud-native SIEM differ from a traditional on-premise SIEM?
Cloud-native SIEMs (such as Microsoft Sentinel) store and process log data in the provider's cloud, scale elastically without hardware provisioning, and receive threat intelligence updates continuously. On-premise SIEMs require dedicated hardware, capacity planning, and manual signature updates. Cloud-native platforms also integrate more natively with SaaS and cloud-provider log sources, which increasingly dominate enterprise environments.Source: Microsoft Sentinel / industry analyst reports
Why do attackers target vCenter and ESXi hosts when they know the victim has a SIEM?
VMware vCenter and ESXi logs are frequently excluded from SIEM ingestion because they require specialist connectors and generate high volumes. Attackers with knowledge of enterprise security tooling deliberately operate through these coverage gaps. Mandiant's M-Trends 2026 report documented the UNC5221 BRICKSTORM campaign achieving a 393-day average dwell time largely because vCenter and ESXi activity was not visible in victims' SIEMs.Source: Mandiant M-Trends 2026
What is UEBA and how does it improve SIEM detection?
User and Entity Behaviour Analytics (UEBA) builds a statistical baseline for how each user and device normally behaves, then alerts when activity deviates significantly. Classic SIEM correlation rules fire on known-bad signatures (e.g. failed logins exceeding a threshold). UEBA catches novel techniques that do not match any rule but are anomalous for the specific user, such as an account accessing a server it has never touched at an unusual hour.Source: Gartner UEBA definition
How does Splunk's acquisition by Cisco affect SIEM buyers in 2026?
Cisco completed its $28 billion acquisition of Splunk in March 2024. Buyers are watching for product-roadmap integration with Cisco's networking and security stack (XDR, Talos threat intelligence). The first Splunk KEV listing (CVE-2026-20253, June 2026) raised questions about patch-response Velocity under the new ownership structure and added a vendor-risk dimension to SIEM procurement decisions.Source: Cisco / CISA KEV