What is SIEM?

Updated June 29, 2026

SIEM — Security Information and Event Management — is the centralised system a security team uses to collect logs from across its environment, detect threats by correlating events, and investigate and respond to incidents. It is the cornerstone of most security operations and a practical requirement for frameworks like NIS2 and DORA. This guide explains what a SIEM is, what it does, and how the modern, AI-era SIEM has evolved.

What is SIEM?

Security Information and Event Management (SIEM) is a category of security software that combines two earlier technologies — Security Information Management (SIM) and Security Event Management (SEM) — to enable real-time analysis of security events alongside long-term log storage and reporting. The term was coined by Gartner analysts in 2005, and SIEM has been the backbone of security operations ever since.

In plain terms: a SIEM centralises the logs and security telemetry from your servers, applications, network and cloud, looks across them for signs of an attack, raises alerts on what matters, and keeps the data so you can investigate and prove compliance.

SIM vs. SEM: the two halves

| | SIM (Security Information Management) | SEM (Security Event Management) |
|---|---|---|
| Focus | Long-term storage, analysis and reporting of log data | Real-time monitoring and alerting |
| Use case | Compliance, forensics, the archive | Live threat detection and response |
| Time horizon | Historical | Now |

A SIEM is the union of the two: the live detection of SEM plus the retention and reporting of SIM, on one platform.

What does a SIEM do?

  • Log collection & aggregation — ingest logs and events from across the estate into one place.
  • Normalisation — parse different log formats into a consistent structure that can be searched and compared.
  • Correlation & detection — apply detection rules and correlate events across sources to surface attacks that no single log shows.
  • Alerting — notify analysts of suspicious activity, ideally prioritised by risk rather than volume.
  • Investigation (TDIR, threat detection, investigation and response) — give analysts fast search and context to triage, investigate and respond.
  • Dashboards & reporting — visualise security posture and produce compliance evidence.
  • Retention — store logs long enough for forensics and regulatory requirements.

How a SIEM works

  1. Collect — agents and integrations forward logs and telemetry from endpoints, servers, network, identity, and cloud.
  2. Normalise & enrich — events are parsed into a common schema and enriched (geo-IP, threat intel, asset context).
  3. Correlate & detect — detection rules and analytics evaluate the stream, including multi-step sequences across sources.
  4. Prioritise & alert — matches are scored and the highest-risk cases are raised for analysts.
  5. Investigate & respond — analysts (increasingly with AI agents) work the case and trigger response.
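As an added example of steps 2 and 3 above (not LogPulse's code and not from the original page), the following Python normalises two constructed log formats, sshd syslog lines and JSON cloud-console events, into one schema and then correlates across them to find a pattern neither source shows alone; the schema field names and sample events are assumptions.

```python
# Added example (not LogPulse code): normalise two constructed log formats into
# one schema, then correlate across them. Field names are assumptions.
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

RAW_EVENTS = [  # constructed sample input: sshd syslog lines + JSON cloud-console events
    "2026-06-29T10:00:01Z host1 sshd[2201]: Failed password for root from 203.0.113.7 port 5001 ssh2",
    "2026-06-29T10:00:03Z host1 sshd[2203]: Failed password for root from 203.0.113.7 port 5002 ssh2",
    "2026-06-29T10:00:05Z host1 sshd[2205]: Failed password for admin from 203.0.113.7 port 5003 ssh2",
    '{"time":"2026-06-29T10:00:40Z","source":"console","user":"admin","src_ip":"203.0.113.7","result":"SUCCESS"}',
    '{"time":"2026-06-29T10:01:00Z","source":"console","user":"alice","src_ip":"198.51.100.9","result":"SUCCESS"}',
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def normalise(raw):
    """Step 2: parse either format into one common schema (assumed field names)."""
    if raw.startswith("{"):
        e = json.loads(raw)
        return {"ts": e["time"], "source": e["source"], "user": e["user"], "src_ip": e["src_ip"],
                "outcome": "success" if e["result"] == "SUCCESS" else "failure"}
    m = SSHD_RE.match(raw)
    if not m:
        return None  # unknown format: drop rather than guess at fields
    return {"ts": m["ts"], "source": "sshd", "user": m["user"], "src_ip": m["ip"],
            "outcome": "success" if m["outcome"] == "Accepted" else "failure"}

def correlate(events, min_failures=3, window_s=120):
    """Step 3: a source IP with >= min_failures failures followed within window_s
    seconds by a successful login from any source. Neither log shows this alone."""
    parse = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    failures = defaultdict(list)  # src_ip -> timestamps of failed logins
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = parse(e["ts"])
        if e["outcome"] == "failure":
            failures[e["src_ip"]].append(t)
            continue
        recent = [f for f in failures[e["src_ip"]] if (t - f).total_seconds() <= window_s]
        if len(recent) >= min_failures:
            alerts.append({"src_ip": e["src_ip"], "user": e["user"], "via": e["source"],
                           "failures": len(recent), "rule": "brute_force_then_success"})
    return alerts

def normalised_events():
    return [n for n in map(normalise, RAW_EVENTS) if n]
```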

The modern SIEM: what changed

A 2026 SIEM is far more than rules over logs. The category has absorbed several capabilities, each of which has its own guide:

  • Risk-based alerting (RBA) — attribute risk to entities instead of firing an alert per rule, to cut alert fatigue.
  • UEBA — behavioral analytics that baseline users and entities and flag anomalies.
  • SOAR — orchestration, automation and response to act on detections.
  • Detection-as-code — manage detections like software, with version control and testing.
  • Threat intelligence and AI/ML — enrich and triage at machine speed, leading toward the agentic SOC.
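An added example (not LogPulse's code and not from the original page) contrasting the classic one-alert-per-rule design with the risk-based alerting described above: each detection match adds risk points to an entity, the score is bounded to 0 to 100, and a single alert is raised only when an entity crosses a threshold. The rule names, weights, threshold and sample matches are constructed assumptions.

```python
# Added example (not LogPulse code): risk-based alerting versus one alert per
# rule match. Rule names, weights, threshold and sample matches are constructed.
from collections import defaultdict

# Constructed rule catalogue: each detection contributes risk points to the
# entity it fires on instead of raising its own alert. Weights are assumptions.
RULE_RISK = {
    "failed_login_burst": 10,   # noisy on its own
    "new_country_login": 20,
    "privilege_escalation": 40,
    "mass_file_download": 35,
}

# Constructed detection matches (entity, rule) as a SIEM's rules would emit them.
MATCHES = [
    ("alice", "failed_login_burst"),
    ("alice", "failed_login_burst"),
    ("alice", "failed_login_burst"),
    ("bob", "failed_login_burst"),
    ("bob", "new_country_login"),
    ("bob", "privilege_escalation"),
    ("bob", "mass_file_download"),
    ("svc-backup", "mass_file_download"),
]

def per_rule_alerts(matches):
    """Classic design: every rule match becomes an alert an analyst must triage."""
    return [{"entity": e, "rule": r} for e, r in matches]

def risk_scores(matches, cap=100):
    """Attribute risk to entities; each score is bounded to [0, cap]."""
    scores = defaultdict(int)
    for entity, rule in matches:
        scores[entity] = min(cap, scores[entity] + RULE_RISK[rule])
    return dict(scores)

def risk_based_alerts(matches, threshold=60):
    """One alert per entity whose accumulated risk crosses the threshold,
    carrying the contributing rules as context for the investigation."""
    alerts = []
    for entity, score in risk_scores(matches).items():
        if score >= threshold:
            rules = sorted({r for e, r in matches if e == entity})
            alerts.append({"entity": entity, "score": score, "contributing": rules})
    return alerts
```

On this sample the per-rule design produces eight alerts, three of them for a low-risk login burst, while risk-based alerting produces one alert for the entity that accumulated several distinct detections.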

Common SIEM challenges

  • Cost — per-GB or per-host pricing makes ingesting more data punishingly expensive, so teams under-log.
  • Alert fatigue — rule-per-alert designs bury analysts; risk-based alerting is the modern answer.
  • Tuning burden — detections need constant maintenance to stay useful.
  • Data silos — separate security, observability and search stacks fragment the picture and the budget.

SIEM and compliance

Frameworks rarely name "SIEM" outright, but their requirements — continuous monitoring, correlation, alerting, retention, and incident reporting — are hard to meet without one. See the NIS2 and DORA logging guides for how the EU regimes translate into SIEM-shaped obligations, and log retention requirements for how long to keep the data.

How LogPulse approaches SIEM

LogPulse runs a full SIEM on the same LPQL + ClickHouse engine as log search and service intelligence — no separate, separately-priced security data store. It combines MITRE-tagged detections, risk-based alerting (one bounded 0–100 score per entity), UEBA, threat intelligence, and response actions behind a human-approval gate — an agentic SOC with a human in the loop. Pricing is flat, and data stays EU-hosted and GDPR-compliant.

One engine, not a stack

Because search, SIEM and service intelligence share one engine, you do not feed and pay for a separate security data lake. See Security Monitoring (SIEM) for the full capability.

Frequently asked questions

What does SIEM stand for?

SIEM stands for Security Information and Event Management. It combines two earlier technologies — Security Information Management (SIM), for log storage and reporting, and Security Event Management (SEM), for real-time monitoring and alerting. The term was coined by Gartner analysts in 2005.

What is the difference between SIM and SEM?

SIM (Security Information Management) focuses on long-term storage, analysis and reporting of log data — the compliance and forensics side. SEM (Security Event Management) focuses on real-time monitoring and alerting — the live detection side. A SIEM is the combination of both on one platform.

What does a SIEM do?

A SIEM collects and normalises logs and security telemetry from across your environment, correlates events to detect threats, raises prioritised alerts, gives analysts fast search and context to investigate and respond (TDIR), and retains the data for forensics and compliance reporting.

What is the difference between SIEM and log management?

Log management focuses on collecting, storing and searching logs. A SIEM adds the security layer on top — correlation, threat detection, risk-based alerting, behavioral analytics (UEBA), and incident response — so it is purpose-built for finding and responding to attacks, not just storing logs.

Do I need a SIEM for compliance?

Frameworks like NIS2 and DORA rarely name SIEM outright, but they require continuous monitoring, correlation, alerting, retention and incident reporting — requirements that are very hard to meet at scale without SIEM-like capability.

Logging and monitoring, on one EU-hosted engine

Centralise, retain and monitor your logs with AI-assisted search and a risk-based SIEM — GDPR-compliant and hosted in the EU. Start free.
