<p>A security information and event management (SIEM) system collects, centralizes and analyzes data from across the IT environment to uncover cybersecurity and operational problems.</p>
<p>As with so many formerly distinct and well-defined cybersecurity systems, “SIEM” is now as often a set of features as it is a separate product or service. In the current era of category drift and <a href="https://www.techtarget.com/searchsecurity/tip/What-cybersecurity-consolidation-means-for-enterprises">tool convergence</a>, an extended detection and response (XDR) platform might include SIEM features, a SIEM offering might include user and entity behavior analytics (UEBA) and so on.</p>
<p>Whether in a standalone product or as part of a broader offering, <a href="https://www.techtarget.com/searchsecurity/feature/SIEM-isnt-dead-its-place-in-the-SOC-is-just-evolving">enterprises continue to rely on SIEM functionality</a>. Top SIEM use cases span cybersecurity and IT ops and include log management, attack detection, event detection, event forensics and cybersecurity posture management.</p>
<section class="section main-article-chapter" data-menu-title="1. Log management">
<h2 class="section-title"><i class="icon" data-icon="1"></i>1. Log management</h2>
<p>This is job No. 1 for a SIEM. In addition to serving as the destination for logs from core security systems such as firewalls and intrusion detection and prevention systems, SIEMs also aggregate and normalize streams from more far-flung data sources, such as <a href="https://www.techtarget.com/searchsecurity/tip/EDR-vs-XDR-vs-MDR-Which-does-your-company-need">endpoint detection and response and XDR</a> systems. A centralized repository for security event log data is useful for monitoring, analysis and compliance purposes.</p>
<p>SIEMs gather operational logging data — e.g. performance data on a router’s interfaces — as well as cybersecurity logs, so they are useful to the NOC and IT ops staff as well as to the SOC.</p>
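<p>The aggregation and normalization step described above is what lets one query span firewall, EDR and router data. The following Python is an added example written for this page, not code from the article or from any SIEM product: it takes two constructed log lines in different formats (an RFC 5424-style syslog line with key=value firewall fields, and a JSON event from an EDR agent) and maps both onto one assumed common schema. The field names in the schema, the sample lines and the hostnames are all constructed for the example.</p>

```python
"""Added example: normalize two constructed log formats into one SIEM event schema.

Written for this page; not from any SIEM vendor. The common field names, the
sample lines and the source type labels are assumptions.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample input: one syslog-style firewall line and one JSON EDR event.
SAMPLE_LINES = [
    '<134>1 2024-05-01T10:15:02Z fw01 filterlog - - - action=deny src=10.0.0.5 dst=203.0.113.9 dport=445 proto=tcp',
    r'{"ts": 1714558504, "host": "wks-17", "event": "process_start", "user": "alice", "image": "C:\\Windows\\System32\\cmd.exe"}',
]

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d+)>\d+\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<app>\S+)\s+\S+\s+\S+\s+\S+\s+(?P<msg>.*)$'
)

# Assumed common schema; every normalized event carries exactly these keys.
COMMON_FIELDS = ("timestamp", "source_host", "source_type", "severity",
                 "action", "src_ip", "dst_ip", "dst_port", "user", "raw")


def empty_event(line, source_type="unknown"):
    ev = {k: None for k in COMMON_FIELDS}
    ev["source_type"] = source_type
    ev["raw"] = line  # the original line is always kept for forensics
    return ev


def parse_kv(msg):
    """Split 'k=v k2=v2' message bodies into a dict; tokens without '=' are ignored."""
    return dict(pair.split("=", 1) for pair in msg.split() if "=" in pair)


def normalize_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    kv = parse_kv(m.group("msg"))
    ev = empty_event(line, "firewall")
    ev["timestamp"] = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00")).isoformat()
    ev["source_host"] = m.group("host")
    ev["severity"] = int(m.group("pri")) & 7  # low 3 bits of PRI are the syslog severity
    ev["action"] = kv.get("action")
    ev["src_ip"] = kv.get("src")
    ev["dst_ip"] = kv.get("dst")
    ev["dst_port"] = int(kv["dport"]) if kv.get("dport", "").isdigit() else None
    return ev


def normalize_json_edr(line):
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    ev = empty_event(line, "edr")
    ev["timestamp"] = datetime.fromtimestamp(rec["ts"], tz=timezone.utc).isoformat()
    ev["source_host"] = rec.get("host")
    ev["action"] = rec.get("event")
    ev["user"] = rec.get("user")
    return ev


def normalize(line):
    """Dispatch on the line's shape. Unparseable lines are kept as raw events
    with source_type 'unknown' rather than silently dropped."""
    ev = None
    if line.startswith("<"):
        ev = normalize_syslog(line)
    elif line.startswith("{"):
        ev = normalize_json_edr(line)
    return ev if ev is not None else empty_event(line)


def normalize_all(lines):
    return [normalize(line) for line in lines]


if __name__ == "__main__":
    for ev in normalize_all(SAMPLE_LINES):
        print(json.dumps(ev, indent=2))
```

<p>Two design choices matter for a real pipeline: the raw line is never discarded (investigators need it even when the parser mis-mapped a field), and an unrecognized format still yields an event, so a broken parser shows up as a spike of <code>unknown</code> events rather than as silent data loss.</p>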
</section>
<section class="section main-article-chapter" data-menu-title="2. Attack detection">
<h2 class="section-title"><i class="icon" data-icon="1"></i>2. Attack detection</h2>
<p>While SIEMs can do a lot to detect attacks on their own, they <a href="https://www.techtarget.com/searchsecurity/tip/Top-10-UEBA-enterprise-use-cases">benefit from integration with UEBA systems</a>. UEBAs are specifically built to apply advanced behavioral analytics to the kinds of real-time activity data that a SIEM provides.</p>
<p>Note that a <a href="https://www.techtarget.com/searchsecurity/tip/SIEM-vs-SOAR-vs-XDR-Evaluate-the-differences">SIEM typically does not coordinate the response to an attack</a>. That responsibility traditionally falls to a <a href="https://www.techtarget.com/searchsecurity/feature/Is-SOAR-dead-or-alive-Sort-of">security orchestration, automation and response system</a>, which can also integrate with the SIEM.</p>
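<p>To make the UEBA point concrete, here is an added example (written for this page, not from the article or any UEBA or SIEM product) of the simplest kind of behavioral analytic: each user's daily count of distinct hosts they logged on to is compared with that user's own 14-day baseline, and a day that deviates by more than an assumed z-score threshold is flagged. The logon tuples, the window length, the threshold and the standard-deviation floor are all constructed assumptions.</p>

```python
"""Added example: a UEBA-style per-user baseline over SIEM-stored logon events.

Written for this page; not from any SIEM or UEBA product. The sample data,
the 14-day window, the z threshold and the std floor are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (day, user, host) tuples as a SIEM might store successful logons.
SAMPLE_LOGONS = [
    # 14 baseline days: alice normally reaches 2 or 3 hosts per day
    *[(d, "alice", h) for d in range(1, 15) for h in ("wks-17", "file01")],
    *[(d, "alice", "mail01") for d in range(1, 15, 2)],
    # day 15: alice suddenly logs on to 12 distinct servers
    *[(15, "alice", f"srv{n:02d}") for n in range(12)],
    # bob is steady for all 15 days
    *[(d, "bob", "wks-02") for d in range(1, 16)],
]


def distinct_hosts_per_day(logons):
    """Map user -> {day: set(hosts)}."""
    per = defaultdict(lambda: defaultdict(set))
    for day, user, host in logons:
        per[user][day].add(host)
    return per


def score_user(day_sets, today, baseline_days=14, min_std=1.0):
    """Return (today_count, baseline_mean, z) for one user.

    The std is floored at min_std so a perfectly steady baseline (std 0)
    does not turn a one-host change into an infinite score."""
    hist = [len(day_sets.get(d, set())) for d in range(today - baseline_days, today)]
    today_count = len(day_sets.get(today, set()))
    mu = mean(hist)
    sd = max(pstdev(hist), min_std)
    return today_count, mu, (today_count - mu) / sd


def find_anomalies(logons, today, z_threshold=3.0):
    """Users whose distinct-host count today is z_threshold or more above their baseline."""
    flagged = {}
    for user, day_sets in distinct_hosts_per_day(logons).items():
        count, mu, z = score_user(day_sets, today)
        if z >= z_threshold:
            flagged[user] = {"today": count, "baseline_mean": round(mu, 2), "z": round(z, 2)}
    return flagged


if __name__ == "__main__":
    print(find_anomalies(SAMPLE_LOGONS, today=15))
```

<p>A production UEBA would use many more features and a peer-group baseline as well as a per-user one, but the shape is the same: the SIEM supplies the normalized activity stream, the analytic keeps the per-entity history, and only the deviation is raised as an alert for the SOC to investigate.</p>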
<div class="extra-info">
<div class="extra-info-inner">
<h3 class="splash-heading">And, of course, AI</h3>
<p>SIEM systems have made use of machine learning for more than a decade. Now, like everything else in cybersecurity, they are getting liberal doses of AI. A SIEM infused with LLM capabilities can accept natural-language queries from users and offer them “guide by the side” advisory functionality with natural-language explanations.</p>
<p>Agentic AI is finding its way into SIEM systems as well, and SIEMs with AI agents are providing new levels of flexible and context-aware response automation.</p>
</div>
</div>
</section>
<section class="section main-article-chapter" data-menu-title="3. Event detection">
<h2 class="section-title"><i class="icon" data-icon="1"></i>3. Event detection</h2>
<p>Not all events are attacks. Equipment failures and performance problems can lead to events that show up in logs, and a SIEM can alert IT ops staff and the network operations center (NOC) team when such issues occur. For example, when a router stops reporting normal traffic from a branch office, the SIEM might alert the NOC to the problem.</p>
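<p>The branch-router case is a "silence" detection: the signal is the absence of expected events rather than the presence of bad ones. The Python below is an added example written for this page, not the article's or any vendor's code. It learns each log source's typical reporting interval from the median gap between its past events and flags any source whose time since last event exceeds an assumed multiple of that interval. The source names, timestamps and the 3x multiplier are constructed assumptions.</p>

```python
"""Added example: detect log sources that have gone silent, such as a branch
router that stops reporting, so the SIEM can raise it to the NOC.

Written for this page; not vendor code. Sample data and the 3x factor are assumptions.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: (source, epoch_seconds) of events the SIEM has received.
SAMPLE_EVENTS = [
    *[("rtr-branch-a", 1000 + 60 * i) for i in range(10)],   # every 60 s, last seen at 1540
    *[("rtr-branch-b", 1000 + 60 * i) for i in range(20)],   # every 60 s, last seen at 2140
    *[("fw-hq", 1000 + 300 * i) for i in range(4)],          # every 300 s, last seen at 1900
    ("new-sensor", 2100),                                    # single event: no baseline yet
]


def expected_interval(timestamps):
    """Median inter-arrival gap; None if fewer than two events (no baseline)."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return median(gaps) if gaps else None


def silent_sources(events, now, factor=3.0):
    """Sources whose gap since their last event exceeds factor x their usual interval."""
    by_src = defaultdict(list)
    for src, ts in events:
        by_src[src].append(ts)
    silent = {}
    for src, ts in by_src.items():
        interval = expected_interval(ts)
        if interval is None:
            continue  # cannot judge silence without a history; a real SIEM would track this separately
        gap = now - max(ts)
        if gap > factor * interval:
            silent[src] = {"last_seen": max(ts), "expected_interval": interval, "gap": gap}
    return silent


if __name__ == "__main__":
    for src, info in silent_sources(SAMPLE_EVENTS, now=2200).items():
        print(f"{src}: last seen {info['last_seen']}, usual interval {info['expected_interval']}s, silent for {info['gap']}s")
```

<p>Using the median rather than the mean keeps one late burst from inflating a source's expected interval, and the single-event source is deliberately skipped instead of being flagged, because a newly onboarded sensor has no baseline to be late against.</p>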
</section>
<section class="section main-article-chapter" data-menu-title="4. Forensics and root cause analysis">
<h2 class="section-title"><i class="icon" data-icon="1"></i>4. Forensics and root cause analysis</h2>
<p>SIEMs are repositories of huge volumes of data relevant to attacks — whether successful or averted — and provide search and filter features to help investigators tease out relevant information and patterns. Similarly, IT ops teams searching for <a href=”https://www.techtarget.com/searc