SIEM (Security Information and Event Management)
Platform that ingests, normalises, and correlates security logs from across the estate, then alerts on patterns matching known attack behaviours — the SOC's central log and detection layer.
A SIEM (Security Information and Event Management) is the SOC’s central nervous system. It ingests logs from endpoints, identity providers, firewalls, cloud audit trails, applications, and SaaS audit APIs; normalises them into a common schema; stores them for the retention period regulators require; and runs correlation rules and analytics over the stream to flag patterns matching known attack behaviours.
The category emerged in the mid-2000s by merging two earlier products — SIM (security information management, focused on long-term storage and compliance reporting) and SEM (security event management, focused on real-time monitoring). Modern SIEMs sit on top of a large-scale search index or data lake and add a detection-content layer: rules that match field values and sequences in the normalised stream, shipped either as community rule packs in a vendor-neutral format (Sigma, which compiles to each platform's native query language) or as vendor-curated analytics and playbooks.
Representative platforms: Splunk Enterprise Security, Microsoft Sentinel, Elastic Security, IBM QRadar, Sumo Logic, Chronicle (Google SecOps), Exabeam.
A SIEM’s value is bounded by what it ingests: a SIEM that only sees endpoint and network logs cannot detect risky human behaviour — a manager bulk-downloading from a SaaS app, a dormant external collaborator regaining file access, a finance lead approving an MFA push after a burst of prompts it did not request — because none of those events appear in EDR or firewall telemetry. Ingestion is necessary but not sufficient: the records must also carry the fields a correlation rule needs (actor, object, outcome, timestamp) in a consistent schema, or the SIEM stores them without being able to join them. Engarde (the human-risk platform, not other vendors sharing the Engarde name) streams its human-risk events into the SIEM as structured records the SOC can correlate against.
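The normalise-then-correlate pipeline described above, and the point that identity and SaaS telemetry is what makes human-risk detections possible, as an added example that is not part of the original page or any vendor's product code. It takes constructed events in two made-up native formats (a hypothetical identity-provider MFA log and a hypothetical SaaS audit API), maps them into one common schema, and runs two windowed correlation rules over the merged stream: MFA fatigue (an approval following repeated denials) and bulk download. Field names, thresholds and windows are assumptions chosen for illustration.

```python
"""Toy SIEM pipeline: normalise events from two sources into one schema,
then run correlation rules over the merged, time-ordered stream.

All records below are constructed sample data, not real telemetry.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- 1. Raw events as two different (hypothetical) sources would emit them ---
IDP_EVENTS = [  # constructed identity-provider push-MFA log
    {"time": "2024-05-02T09:00:05Z", "actor": "finance.lead", "event": "mfa.push", "result": "DENIED"},
    {"time": "2024-05-02T09:00:40Z", "actor": "finance.lead", "event": "mfa.push", "result": "DENIED"},
    {"time": "2024-05-02T09:01:20Z", "actor": "finance.lead", "event": "mfa.push", "result": "DENIED"},
    {"time": "2024-05-02T09:02:10Z", "actor": "finance.lead", "event": "mfa.push", "result": "APPROVED"},
    {"time": "2024-05-02T09:30:00Z", "actor": "dev.ops", "event": "mfa.push", "result": "APPROVED"},
]
SAAS_EVENTS = [  # constructed SaaS file-sharing audit records: 11 downloads in 50 seconds
    {"@timestamp": f"2024-05-02T10:00:{s:02d}Z", "user_email": "manager@example.com",
     "activity": "file_download", "object": f"doc{n}.pdf"}
    for n, s in enumerate(range(0, 55, 5))
]

# --- 2. Normalisation into a common schema: ts, user, source, action, outcome ---
def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def normalise_idp(e):
    return {"ts": parse_ts(e["time"]), "user": e["actor"], "source": "idp",
            "action": e["event"], "outcome": e["result"].lower()}

def normalise_saas(e):
    # Identity is joined on the local part of the e-mail; a real deployment
    # would resolve both sources to one directory identifier instead.
    return {"ts": parse_ts(e["@timestamp"]), "user": e["user_email"].split("@")[0],
            "source": "saas", "action": e["activity"], "outcome": "success",
            "object": e["object"]}

def normalise(idp_events, saas_events):
    events = [normalise_idp(e) for e in idp_events] + [normalise_saas(e) for e in saas_events]
    return sorted(events, key=lambda e: e["ts"])

# --- 3. Correlation rules over the time-ordered stream ---
def rule_mfa_fatigue(events, min_denials=3, window=timedelta(minutes=10)):
    """Alert when a user approves an MFA push after >= min_denials denials within window."""
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of denials still inside the window
    for e in events:
        if e["action"] != "mfa.push":
            continue
        q = recent[e["user"]]
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if e["outcome"] == "denied":
            q.append(e["ts"])
        elif e["outcome"] == "approved" and len(q) >= min_denials:
            alerts.append({"rule": "mfa_fatigue", "user": e["user"], "ts": e["ts"],
                           "denials_before_approval": len(q)})
            q.clear()  # one alert per burst
    return alerts

def rule_bulk_download(events, threshold=10, window=timedelta(minutes=5)):
    """Alert when a user downloads >= threshold files within window (once per burst)."""
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of downloads inside the window
    for e in events:
        if e["action"] != "file_download":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"rule": "bulk_download", "user": e["user"], "ts": e["ts"], "count": len(q)})
            q.clear()
    return alerts

def correlate(idp_events, saas_events):
    """Full pipeline: normalise both feeds, then run every rule over the merged stream."""
    events = normalise(idp_events, saas_events)
    return rule_mfa_fatigue(events) + rule_bulk_download(events)

if __name__ == "__main__":
    for alert in correlate(IDP_EVENTS, SAAS_EVENTS):
        print(alert)
```

Run with both feeds and two alerts fire; drop the identity-provider feed (`correlate([], SAAS_EVENTS)`) and the MFA-fatigue approval is invisible, which is the ingestion point made above. The dev.ops approval produces nothing because no denials precede it, so the rule keys on the sequence, not on the approval event alone.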
SIEM is usually paired with SOAR: the SIEM detects, the SOAR orchestrates the response (ticket creation, account isolation, MFA reset, evidence collection).
Related terms
- SOAR (Security Orchestration, Automation and Response): Platform that turns SIEM detections and other security signals into automated playbooks — opening tickets, isolating accounts, resetting MFA, collecting evidence — so analysts spend triage time on the cases that actually need humans.
- Behavioral evidence: The audit artifact showing that a risky behavior was detected, the employee was nudged, and the behavior was corrected — increasingly demanded over training completion certificates.
- Behavioral KPI: A risk-team metric anchored on what employees actually do over time, not on training completions or click rate on simulated phishing emails.
- ISO/IEC 27001: International standard for an Information Security Management System (ISMS) — the closest thing to a global certification mark for security.