
Security Information and Event Management

SIEM: platform aggregating security logs for real-time threat detection and compliance reporting; Databricks launched Lakewatch SIEM via dual acquisition in March 2026.

Last refreshed: 17 April 2026

Key Question

Why didn't SIEM tools detect BRICKSTORM for 393 days?

Timeline for Security Information and Event Management

#1 (17 Apr): Mentioned in "Google closes $32bn Wiz deal; 38 M&A" (Cybersecurity: Threats and Defences)
Common Questions
What is a SIEM and what does it do?

A SIEM (Security Information and Event Management) platform aggregates log data from an enterprise's servers, network devices and applications to detect threats in real time and support compliance reporting.

Why didn't any security tool detect the BRICKSTORM hackers for over a year?

BRICKSTORM ran on VMware ESXi hosts, which are typically not covered by standard EDR or SIEM log ingestion. Its command-and-control traffic ran over Cloudflare Workers and Heroku, appearing as legitimate SaaS traffic. Mandiant documented a 393-day average dwell time as a result.

Source: Mandiant M-Trends 2026

Background

Security Information and Event Management (SIEM) platforms aggregate and analyse security event logs from across an enterprise's infrastructure to surface threats and support compliance reporting. The category featured in this update through Databricks' launch of Lakewatch, a SIEM product built by combining the acquisitions of Antimatter and SiftD.ai in March 2026. The Databricks entry is part of a wave of 38 M&A transactions in March 2026 that SecurityWeek documented, reflecting a consolidation of security analytics tooling around data-platform companies.

SIEM platforms have been a foundational enterprise security tool since the early 2000s. Major vendors include Splunk (acquired by Cisco), Microsoft Sentinel, IBM QRadar and Securonix. The SIEM market has evolved from log aggregation to AI-assisted threat detection, with newer entrants competing on data-processing scale and machine-learning detection rather than rule-based correlation.

For UNC5221's BRICKSTORM campaign, the 393-day average dwell time documented by Mandiant illustrates what a SIEM gap looks like in practice: vCenter and ESXi host logs are often not ingested into enterprise SIEMs because they require specialist connectors, and the C2 traffic over Cloudflare Workers and Heroku does not produce anomalous network logs that standard SIEM correlation rules would surface.
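The ingestion gap described above can be checked mechanically rather than discovered after a breach. The script below is an added example, not code from this page or from any SIEM vendor: it compares a constructed asset inventory against the hosts a SIEM has actually received events from, and reports hypervisor-management hosts (ESXi, vCenter) that are either never ingested or have gone quiet, with hostnames, roles and thresholds all assumed for illustration.

```python
# Added example: SIEM log-source coverage audit. All hostnames, roles and
# timestamps below are constructed; replace them with your CMDB and SIEM
# source-inventory exports.
from datetime import datetime, timedelta, timezone

# Constructed asset inventory: hostname -> role.
ASSETS = {
    "esxi-01.corp.example": "esxi",
    "esxi-02.corp.example": "esxi",
    "vcenter.corp.example": "vcenter",
    "web-01.corp.example": "linux",
    "dc-01.corp.example": "windows",
}

# Constructed SIEM source inventory: hostname -> time of last received event.
NOW = datetime(2026, 4, 17, tzinfo=timezone.utc)
SIEM_SOURCES = {
    "web-01.corp.example": NOW - timedelta(minutes=5),
    "dc-01.corp.example": NOW - timedelta(minutes=2),
    # A connector that was set up once and silently stopped forwarding.
    "esxi-01.corp.example": NOW - timedelta(days=40),
}

# Roles that need a specialist connector and are most often left out.
HIGH_VALUE_ROLES = {"esxi", "vcenter"}


def coverage_gaps(assets, sources, now, stale_after=timedelta(hours=24)):
    """Return {hostname: reason} for assets whose logs the SIEM is not receiving.

    'missing' = no log source configured at all;
    'stale'   = a source exists but sent nothing within stale_after.
    """
    gaps = {}
    for host in assets:
        last_seen = sources.get(host)
        if last_seen is None:
            gaps[host] = "missing"
        elif now - last_seen > stale_after:
            gaps[host] = "stale"
    return gaps


def prioritised(gaps, assets):
    """Order gaps so hypervisor-management roles are listed first."""
    return sorted(gaps.items(),
                  key=lambda kv: (assets[kv[0]] not in HIGH_VALUE_ROLES, kv[0]))


if __name__ == "__main__":
    for host, reason in prioritised(coverage_gaps(ASSETS, SIEM_SOURCES, NOW), ASSETS):
        print(f"{ASSETS[host]:8} {host:24} {reason}")
```

Run on the constructed data it lists both ESXi hosts and vCenter as gaps (one stale, two missing) while the Linux and Windows hosts pass; the stale case matters because a source that once existed still shows up in a naive "is it configured?" check.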