Glossary term
SIEM (Security Information and Event Management)
Also: Log management platform, Security analytics platform
A platform that centralises security logs, enables long-term retention, runs correlation rules and supports investigation. SIEM is the evidence layer under EDR, XDR and SOC operations and the single largest line item in most security budgets.
SIEM has been through multiple generations (on-prem appliance, cloud-native analytics, data-lake-based). The choice today is rarely between SIEM vendors; it is between architectures: SIEM as primary analytics, SIEM as compliance log store, or no-SIEM with data-lake plus separate analytics.
The decision is expensive to reverse. Log retention, detection content and analyst workflows are deeply coupled to the chosen platform. Exit cost and data portability should be dealbreakers rather than weighted criteria.
Under DORA and NIS2, SIEM serves as evidence that incident detection and reporting timelines are actually met. A SIEM without tested use cases and runbooks is a compliance cost, not a control. The decision memo should include the operational readiness evidence, not just the product choice.
Related terms
EDR (Endpoint Detection and Response)
A class of endpoint security tools that continuously records endpoint activity and enables detection…
XDR (Extended Detection and Response)
A security platform that unifies telemetry across endpoint, network, identity, email and cloud, corr…
MDR (Managed Detection and Response)
A service that provides outsourced 24/7 monitoring, detection and response on top of an EDR or XDR p…
SASE
Gartner architecture category combining network (SD-WAN) and security functions (SWG, CASB, ZTNA, FW…
SBOM
Machine-readable inventory of all components in a piece of software, including versions, licences and dependencies…
Schrems II
CJEU ruling of 16 July 2020 that invalidated the EU-US Privacy Shield and only allowed Standard Cont…
SOC 2 Type 2
Audit report by a US public accountant under the AICPA SSAE 18 standard, confirming the operating effect…
Sovereign cloud
A cloud deployment model that guarantees operational, legal and technical control of data and worklo…
