
Security Information and Event Management
Platform that aggregates, correlates, and alerts on security event logs across enterprise infrastructure.
Last refreshed: 24 June 2026 · Appears in 1 active topic
What log sources do most enterprise SIEMs miss that attackers exploit?
Timeline for Security Information and Event Management
Mentioned in: Splunk lands its first-ever KEV entry
Cybersecurity: Threats and DefencesMentioned in: Google closes $32bn Wiz deal; 38 M&A
Cybersecurity: Threats and DefencesWhat is a SIEM and what does it do?
Why didn't any security tool detect the BRICKSTORM hackers for over a year?
What is the difference between a SIEM and a SOC?
Background
Security Information and Event Management (SIEM) is the log aggregation and threat-detection platform at the centre of a modern Security Operations Centre (SOC). A SIEM collects event logs from servers, network devices, endpoints, cloud services, and identity systems; normalises them to a common schema; applies correlation rules and behavioural analytics to surface anomalies; and generates alerts for analyst review. Most enterprise SIEMs also serve a compliance reporting function, providing audit trails required by frameworks such as ISO 27001, PCI-DSS, and DORA.
The category has gone through three commercial generations. First-generation SIEMs were rule-based log aggregators from vendors such as IBM QRadar, ArcSight, and RSA NetWitness. The second generation added user and entity behaviour analytics (UEBA), with Microsoft Sentinel (cloud-native, 2019) and Splunk (acquired by Cisco in 2024) becoming the dominant enterprise platforms. The third generation integrates AI-assisted detection and natural-language investigation; Databricks launched Lakewatch in March 2026 by acquiring Antimatter and SiftD.ai, positioning the data-lakehouse as the SIEM substrate for organisations already running Databricks for analytics workloads.
The primary operational failure mode for SIEMs is log-source coverage gaps. Virtualisation layers (VMware vCenter, ESXi), OT/ICS devices, and cloud-provider control planes are routinely excluded from SIEM ingestion because they require specialist connectors or generate high log volumes. Mandiant's M-Trends 2026 report documented a 393-day average dwell time for the UNC5221 BRICKSTORM campaign partly because vCenter and ESXi host logs were not ingested into enterprise SIEMs and the C2 traffic ran over trusted cloud platforms (Cloudflare Workers, Heroku) that standard correlation rules do not flag.