Wilson Mar

Security Information and Event Management

Overview

SIEM is an industry-wide term. According to Gartner [1]:

Security information and event management (SIEM) technology supports threat detection, compliance, and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources. The core capabilities are a broad scope of log event collection and management, the ability to analyze log events and other data across disparate sources, and operational capabilities (such as incident management, dashboards, and reporting).

NOTE: Content here is my personal opinion, and not intended to represent any employer (past or present). “PROTIP:” here highlights information I haven’t seen elsewhere on the internet because it is hard-won, little-known but significant facts based on my personal research and experience.

SIEM provides for analysis of security alerts based on log and event data generated by applications and network hardware (usually globally) in order to give centralized security teams the insight to detect and analyze advanced threats.

SIEM is a security solution that helps organizations recognize potential security threats and vulnerabilities before they have a chance to disrupt business operations. – IBM [2]

SIEM software combines security information management (SIM) and security event management (SEM). Its processes include data aggregation, event correlation, alerting, dashboards, compliance, retention, forensic analysis.[3]

(Figure: SIEM process diagram, from Varonis)

SIEM software matches events against rules in analytics engines, which index logs to enable searches and event correlation.

SIEM gathers data from antivirus events, firewall logs, and other locations; it sorts this data into categories, for example: malware activity and failed and successful logins. When SIEM identifies a threat through network security monitoring, it generates an alert and defines a threat level based on predetermined rules. For example, someone trying to log into an account 10 times in 10 minutes is ok, while 100 times in 10 minutes might be flagged as an attempted attack.
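The threshold rule just described, as an added example (not code from the original page or any SIEM product): a sliding-window correlation over constructed, syslog-like failed-login lines that alerts when one account reaches 100 failures in 10 minutes while leaving 10 failures unflagged. The log format, the 10-minute window, the 100-event threshold and the "high" level are the assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
THRESHOLD = 100  # failed logins per account within WINDOW that raise an alert

# Constructed syslog-like format; real sources differ and need their own parser.
LINE_RE = re.compile(r"^(?P<ts>\S+) sshd: Failed password for (?P<user>\S+) from (?P<ip>\S+)$")

def parse_failed_login(line):
    """Return (timestamp, user, ip) for a failed-login line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None  # other event categories are ignored by this rule
    return datetime.fromisoformat(m["ts"]), m["user"], m["ip"]

def correlate(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window rule: one alert per account reaching `threshold` failures in `window`."""
    recent = defaultdict(deque)  # user -> timestamps still inside the window
    alerts, alerted = [], set()
    for line in lines:  # lines are assumed chronological per account
        ev = parse_failed_login(line)
        if ev is None:
            continue
        ts, user, ip = ev
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # evict events that fell out of the window
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "count": len(q), "first": q[0],
                           "last": ts, "last_ip": ip, "level": "high"})
    return alerts

def make_failed_logins(user, n, spacing_seconds, start=datetime(2024, 5, 1, 10, 0, 0)):
    """Constructed sample data: n failed logins for `user`, evenly spaced."""
    return [f"{(start + timedelta(seconds=i * spacing_seconds)).isoformat()} "
            f"sshd: Failed password for {user} from 203.0.113.5" for i in range(n)]

def demo():
    # alice: 10 failures in 10 minutes (normal); bob: 100 in 10 minutes (flagged)
    lines = make_failed_logins("alice", 10, 60) + make_failed_logins("bob", 100, 6)
    return correlate(lines)
```

Running `demo()` returns a single alert for `bob` with `count` 100; spreading the same 100 failures over 20 minutes never fills the window and produces no alert.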

“Legacy” SIEM has been around since 2005, but has evolved significantly since then from just log management.

SIEM applications provide limited contextual information about their native events.

SIEMs are known for their blind spot on unstructured data and emails. For example, you might see a rise in network activity from an IP address, but not the user that created that traffic or which files were accessed.

SIEM vendors provide customizable dashboards and event management workflows (SOAR) to improve investigative efficiency.

“Next gen” SIEM

  • Reducing time wasted on false positives. “Next gen” SIEM solutions aim to improve the KPIs Mean Time To Detect (MTTD) and Mean Time To Respond (MTTR) for IT security teams.

  • Real-time visualizations to prioritize focus on the most important, high-risk activities. This includes the ability to measure status against regulatory frameworks (such as PCI DSS) for risk prioritization and management.

  • Open, ‘big data’ architecture allows quicker integration with enterprise infrastructure including cloud, on-site and BYOD (in a scalable way).

  • Detecting insider threats.

  • Automatically generating reports to meet data compliance standards including PCI DSS, GDPR, HIPAA, SOX.

  • Integration of threat intelligence from custom, open-source and commercial sources, interacting with other security technologies to automatically carry out the initial steps of incident response.

  • User and Entity Behavior Analytics (UEBA), using Machine Learning, highlights significant changes in behavior to better understand event context and recognize intent within specific scenarios. It models the behavior of both humans and machines within the network, offering advanced threat detection.

SOAR

Security Orchestration, Automation and Response (SOAR) helps security teams reduce response times by prioritization of real threats. SOAR tools allow an organization to define incident analysis and response procedures in a digital workflow format. SOAR automates workflows and accelerates threat qualification, investigation, and response.

SIEM Vendors

(Figure: Gartner 2021 SIEM vendor chart; reprint linked below)

Splunk offers both a cloud and full on-prem SIEM solution which Gartner rates among leaders in the space. Splunk supports security monitoring and can provide advanced threat detection capabilities.

IBM QRadar is a popular SIEM that can be deployed as a hardware appliance, a virtual appliance, or a software appliance.

LogRhythm is used by smaller organizations.

https://www.gartner.com/doc/reprints?id=1-26OLSQ2N&ct=210630&st=sb

Sigma Community

What Snort is to network traffic, and YARA to files, Sigma is to logs (SANS ISC diary): https://isc.sans.edu/forums/diary/Sigma+rules+The+generic+signature+format+for+SIEM+systems/26258/

https://github.com/SigmaHQ/sigma is the Generic Signature Format for SIEM Systems.

Sigma rules are written as YAML files: https://www.securonix.com/blog/sigma-community-driven-approach-to-stop-cyber-threats/

https://socprime.com/blog/sigma-rules-guide-for-arcsight/ walks through conversions such as:

  • Sigma → ArcSight
  • ArcSight → Sigma → Splunk
  • Splunk → Sigma → ArcSight
  • QRadar → Sigma → ArcSight
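To make the Sigma → Splunk step above concrete, an added example (not code from the page, SigmaHQ, or any of the linked guides) translates a constructed Sigma-style rule into a Splunk search. The rule is written as a Python dict mirroring the keys of a Sigma YAML rule (so no YAML library is needed), the `LOGSOURCE_MAP` index/sourcetype names are assumed, and only the `contains`/`startswith`/`endswith` modifiers and `and`/`or`/`not` conditions are handled; the Sigma project's own converter covers far more.

```python
# Constructed Sigma-style rule as a Python dict with the same keys a Sigma YAML
# rule uses (title, logsource, detection, level); not a rule from SigmaHQ.
RULE = {
    "title": "Failed interactive logons for a user account",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {"EventID": 4625, "LogonType": [2, 3, 10]},
        "filter": {"TargetUserName|endswith": "$"},  # machine accounts
        "condition": "selection and not filter",
    },
    "level": "medium",
}

# Assumed, site-specific mapping of a Sigma logsource to a Splunk index/sourcetype.
LOGSOURCE_MAP = {
    ("windows", "security"): 'index=windows sourcetype="WinEventLog:Security"',
}

def field_expr(key, value):
    """One Sigma field (with optional |modifier) -> Splunk term; list values are ORed."""
    field, _, modifier = key.partition("|")
    wrap = {"": "{}", "contains": "*{}*", "startswith": "{}*", "endswith": "*{}"}
    if modifier not in wrap:
        raise ValueError(f"unsupported modifier: {modifier}")
    values = value if isinstance(value, list) else [value]
    terms = []
    for v in values:
        v = str(v).replace('"', '\\"')  # escape quotes inside the Splunk literal
        terms.append(f'{field}="{wrap[modifier].format(v)}"')
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"

def selection_expr(fields):
    """Fields inside one selection map are ANDed (Sigma semantics)."""
    return "(" + " AND ".join(field_expr(k, v) for k, v in fields.items()) + ")"

def sigma_to_splunk(rule):
    """Rewrite the condition (and/or/not over named selections) as an SPL search."""
    det = rule["detection"]
    named = {k: selection_expr(v) for k, v in det.items() if k != "condition"}
    out = []
    for tok in det["condition"].split():
        if tok in ("and", "or", "not"):
            out.append(tok.upper())
        elif tok in named:
            out.append(named[tok])
        else:
            raise ValueError(f"unsupported condition token: {tok!r}")
    src = rule.get("logsource", {})
    prefix = LOGSOURCE_MAP.get((src.get("product"), src.get("service")), "")
    return (prefix + " " + " ".join(out)).strip()
```

`sigma_to_splunk(RULE)` yields `index=windows sourcetype="WinEventLog:Security" (EventID="4625" AND (LogonType="2" OR LogonType="3" OR LogonType="10")) AND NOT (TargetUserName="*$")`; a rule with an unsupported modifier or condition keyword raises instead of silently producing a weaker search.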

References

[1] https://www.gartner.com/en/information-technology/glossary/security-information-and-event-management-siem

[2] https://www.ibm.com/topics/siem

[3] https://www.wikiwand.com/en/Security_information_and_event_management

https://www.fireeye.com/products/helix/what-is-siem-and-how-does-it-work.html

https://www.splunk.com/en_us/data-insider/what-is-siem.html