cyber-security.eu

SIEM

A SIEM aggregates log and telemetry data, correlates it and provides the foundation for detection and incident response. This page covers function, important data sources and common mistakes.

Who this page is for

This page is for security leaders, SOC leads, detection engineers, IT leadership and decision makers evaluating or operating a SIEM.

What a SIEM does

A SIEM collects security-relevant data from many sources, normalises and stores it, and analyses it for patterns. Detection use cases generate alerts. Reports and dashboards support maturity, compliance and risk visibility.

Important data sources

High-value sources typically include:

- Identity: Active Directory, Entra ID, SSO
- Endpoints: EDR telemetry
- Email: mail gateway, Microsoft 365 / Google Workspace
- Network: firewall, proxy, DNS
- Cloud: AWS, Azure, GCP and SaaS platforms
- Applications: web apps, critical business systems

Not every source needs full depth. Coverage of the top risks matters most.

Log quality beats tool choice

A common mistake is too many logs without use cases. A SIEM run as a data dump generates cost without impact.

More important than the product:

- Clean normalisation
- Use cases with business context
- Defined ownership per log source
- Tuning against false positives

Use cases and detection

Effective detection follows real attacker behaviour, for example MITRE ATT&CK, and the organisation's own crown jewels.

Combining identity, endpoint and cloud data covers many realistic scenarios without an explosion of rules.
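The normalise-then-correlate flow described above, as an added example that is not part of the cyber-security.eu page: events from two constructed sources (an identity provider and EDR) with different field names are mapped onto one data model, a single use case correlates them across sources, and a reviewed allowlist keeps a known scanner account from generating false positives. Field names, thresholds and sample values are assumptions.

```python
# Added example (not from cyber-security.eu): toy SIEM pipeline that normalises
# events from different sources into one schema and runs one cross-source use case.
from datetime import datetime, timedelta

# Constructed sample events; field names differ per source, as they do in practice.
RAW_EVENTS = [
    {"source": "identity", "time": "2024-05-01T08:00:05Z", "user": "j.doe", "outcome": "failure", "src_ip": "203.0.113.7"},
    {"source": "identity", "time": "2024-05-01T08:00:09Z", "user": "j.doe", "outcome": "failure", "src_ip": "203.0.113.7"},
    {"source": "identity", "time": "2024-05-01T08:00:14Z", "user": "j.doe", "outcome": "success", "src_ip": "203.0.113.7"},
    {"source": "edr", "@timestamp": "2024-05-01T08:06:40Z", "account": "CORP\\j.doe", "hostname": "WS-0412", "alert": "Suspicious PowerShell"},
    {"source": "identity", "time": "2024-05-01T09:10:00Z", "user": "svc-scanner", "outcome": "failure", "src_ip": "10.0.0.5"},
    {"source": "identity", "time": "2024-05-01T09:10:01Z", "user": "svc-scanner", "outcome": "failure", "src_ip": "10.0.0.5"},
    {"source": "identity", "time": "2024-05-01T09:10:02Z", "user": "svc-scanner", "outcome": "success", "src_ip": "10.0.0.5"},
    {"source": "edr", "@timestamp": "2024-05-01T09:12:00Z", "account": "CORP\\svc-scanner", "hostname": "SCAN-01", "alert": "Port scan"},
]

# Tuning: (user, ip) pairs reviewed and accepted as benign, with a named owner for the entry.
ALLOWLIST = {("svc-scanner", "10.0.0.5")}  # assumed vulnerability scanner, owner: vuln management

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def normalise(ev):
    """Map source-specific fields onto one data model: ts, source, user, host, ip, action, outcome."""
    if ev["source"] == "identity":
        return {"ts": _ts(ev["time"]), "source": "identity", "user": ev["user"].lower(),
                "host": None, "ip": ev["src_ip"], "action": "logon", "outcome": ev["outcome"]}
    if ev["source"] == "edr":
        return {"ts": _ts(ev["@timestamp"]), "source": "edr", "user": ev["account"].split("\\")[-1].lower(),
                "host": ev["hostname"], "ip": None, "action": ev["alert"], "outcome": "alert"}
    raise ValueError(f"no normaliser for source {ev['source']!r}")  # unowned source: fail loudly

def detect(events, min_failures=2, logon_window=timedelta(minutes=5), edr_window=timedelta(minutes=15)):
    """Use case: repeated logon failures, then a success from the same IP, then an EDR alert for that user."""
    norm = sorted((normalise(e) for e in events), key=lambda e: e["ts"])
    alerts = []
    for i, e in enumerate(norm):
        if e["source"] != "identity" or e["outcome"] != "success":
            continue
        if (e["user"], e["ip"]) in ALLOWLIST:  # tuned-out pair, skip before correlating
            continue
        failures = [f for f in norm[:i] if f["source"] == "identity" and f["outcome"] == "failure"
                    and f["user"] == e["user"] and f["ip"] == e["ip"] and e["ts"] - f["ts"] <= logon_window]
        if len(failures) < min_failures:
            continue
        edr = [a for a in norm[i + 1:] if a["source"] == "edr" and a["user"] == e["user"]
               and a["ts"] - e["ts"] <= edr_window]
        if edr:
            alerts.append({"user": e["user"], "ip": e["ip"], "host": edr[0]["host"],
                           "failures": len(failures), "edr_alert": edr[0]["action"]})
    return alerts
```

Running `detect(RAW_EVENTS)` yields one alert for j.doe on WS-0412; the scanner sequence matches the same pattern but is suppressed by the allowlist, which is the tuning step the page calls for.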

Link to SOC and incident response

The SIEM is the SOC's central detection tool and provides the data space for forensics and containment during an incident. Without a sound SIEM or equivalent, incident response often becomes guesswork.

Selection and operations

Selection considers data volumes, licensing, integrations, detection content, the maturity of the cloud option and a realistic operating concept.

Operations means continuous detection engineering, use-case lifecycle, tuning and quality measurement - not a one-off project.

Common mistakes

- Many logs without use cases
- No clear ownership of log sources
- Missing normalisation
- Vendor detection content adopted without tuning
- Retention not aligned with legal and data protection

Checklist

  • Use case library with business context
  • Important log sources fully onboarded
  • Clean normalisation and data model
  • Regular tuning against false positives
  • Retention aligned with legal requirements
  • Detection engineering as a dedicated role
  • Ownership defined per log source

Frequently asked questions

Do we need our own SIEM?

Not always. For many organisations a managed detection service with solid endpoint telemetry is enough.

What matters more: volume of logs or the right logs?

The right ones. Log quality and use-case discipline beat raw volume.

How do SIEM and EDR relate?

EDR delivers deep endpoint visibility; a SIEM correlates across many sources. They complement each other rather than replace each other.

Related topics

What is a SOC?

A security operations centre combines people, process and technology to detect cyber incidents early, handle them in a structured way and learn from them. This page covers tasks, models and common pitfalls.

Incident response

A security incident requires a clear process, rehearsed roles and prepared communication. Improvising during an incident wastes time and creates mistakes. This page covers the phases, responsibilities and common pitfalls.

Ransomware: risks and first response

Ransomware remains one of the most expensive cyber risks. It is typically the result of a chain of weaknesses rather than a single click. This page covers typical patterns, effective controls and an orderly first response.

TIBER-EU

TIBER-EU is the European framework for threat-led resilience testing of critical functions. This page explains the idea, the phases and the link to DORA and TLPT - intentionally at a high level and without describing concrete attack techniques.

Cybersecurity for business

Effective enterprise security combines governance with concrete technical and organisational controls. This page shows what decision makers and IT leaders should focus on first - calm, practical and clearly prioritised.

Phishing

Phishing remains one of the most common entry points. Modern attacks look professional, use trusted brands and adapt quickly. Technical filters, awareness and a simple report button belong together.

Endpoint Detection and Response

EDR provides telemetry and response on endpoints. It is standard in many organisations today and extends classic endpoint protection with detection and response.

Extended Detection and Response

XDR combines telemetry from multiple sources to detect threats faster and with better context. This page positions the term beyond marketing.

Threat intelligence

Threat intelligence is more than a list of IOCs. It is processed, contextual knowledge about adversaries, techniques and risks - useful only when it drives decisions.