Security Information and Event Management - SIEM
SIEM (Security Information and Event Management) is a centralized solution that collects, normalizes, analyzes, and correlates logs and events from the different systems and devices in an IT infrastructure, in order to identify suspicious behaviors and security violations and to generate real-time alerts.
It combines two classic functions:
- SIM (Security Information Management): collects and stores logs.
- SEM (Security Event Management): analyzes events and generates alerts.
Together, these functions allow the security team (SOC, Blue Team, IAM, etc.) to detect, investigate, and respond to incidents.
It's one of the key pieces that make up the SOC arsenal.
- Log Centralization: Brings together logs from firewalls, servers, endpoints, cloud applications (AWS, GCP, Entra ID, etc).
- Threat Detection: Correlates seemingly isolated events to discover attack patterns.
- Incident Response: Generates alerts, triggers automations (SOAR), enables detailed investigations.
- Compliance: Helps meet requirements of standards like GDPR, ISO 27001, PCI-DSS.
- Forensic Analysis: Facilitates post-incident analysis with detailed history.
- Data Collection: SIEM ingests data from various sources:
  - Firewalls, IDS/IPS
  - Operating Systems
  - Cloud Services (AWS CloudTrail, GCP Audit Logs)
  - Active Directory / Entra ID
  - Third-party applications (like Jira, BetterCloud)
- Normalization: Data arrives in different formats. SIEM normalizes everything into its own standard (JSON, CEF, LEEF, etc.).
- Correlations and Rules: SIEM applies rules or machine learning to identify strange behaviors:
  - "User logged in from China and Brazil within 10 minutes"
  - "Login attempt failed 50 times in 1 minute"
- Alerts and Dashboards: Alerts the security team or triggers automations via SOAR (e.g., automatically revoke a user's token in Entra ID).
- Storage and Retention: Stores logs for months/years for audit or investigation purposes.
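As an added example (not code from the original page and not any SIEM vendor's implementation), the Python script below shows the collection, normalization and correlation stages in miniature: it ingests two constructed source formats (JSON audit events and CEF lines), maps both onto one common schema, and runs the two correlation rules quoted above, "impossible travel" within 10 minutes and 50 failed logins within 1 minute. The schema field names, the CEF extension keys (`rt`, `suser`, `act`, `outcome`, `src`, `cn1`) and every log line are assumptions made for the example.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Toy SIEM pipeline: JSON audit events and CEF lines are normalized into one
# schema, then two correlation rules run over the time-ordered event stream.
# All field names, keys and log lines below are constructed for this example.

def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def normalize_json(line):
    """JSON audit event; the key names are an assumption for this example."""
    raw = json.loads(line)
    return {"ts": parse_ts(raw["ts"]), "user": raw["user"], "action": raw["action"],
            "result": raw["result"], "src_ip": raw["src_ip"],
            "country": raw.get("country"), "source": "json"}

# A CEF header is "CEF:Version" plus six pipe-delimited fields, then the extension.
CEF_HEADER = re.compile(r"^CEF:\d+\|(?:[^|]*\|){6}(?P<ext>.*)$")

def normalize_cef(line):
    """CEF line; extension keys rt/suser/act/outcome/src/cn1 are assumed here.
    Splitting the extension on whitespace is a simplification (real values may contain spaces)."""
    m = CEF_HEADER.match(line)
    if not m:
        raise ValueError("not a CEF line")
    ext = dict(kv.split("=", 1) for kv in m.group("ext").split())
    return {"ts": parse_ts(ext["rt"]), "user": ext["suser"], "action": ext.get("act", "login"),
            "result": ext["outcome"], "src_ip": ext["src"],
            "country": ext.get("cn1"), "source": "cef"}

def normalize(line):
    """Dispatch on format; a line in an unknown format is dropped (returns None)."""
    line = line.strip()
    if line.startswith("{"):
        return normalize_json(line)
    if line.startswith("CEF:"):
        return normalize_cef(line)
    return None

IMPOSSIBLE_TRAVEL_WINDOW = timedelta(minutes=10)  # "China and Brazil within 10 minutes"
BRUTE_FORCE_THRESHOLD = 50                        # "failed 50 times in 1 minute"
BRUTE_FORCE_WINDOW = timedelta(minutes=1)

def correlate(events):
    """Run both rules over the events in time order and return the alerts raised."""
    alerts = []
    last_success = {}              # user -> (ts, country) of the previous successful login
    failures = defaultdict(deque)  # user -> timestamps of failed logins inside the sliding window
    flagged = set()                # users already alerted on, so one burst yields one alert
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "login":
            continue
        user = ev["user"]
        if ev["result"] == "success":
            prev = last_success.get(user)
            if (prev and prev[1] != ev["country"]
                    and ev["ts"] - prev[0] <= IMPOSSIBLE_TRAVEL_WINDOW):
                alerts.append({"rule": "impossible_travel", "user": user,
                               "from": prev[1], "to": ev["country"], "ts": ev["ts"]})
            last_success[user] = (ev["ts"], ev["country"])
        elif ev["result"] == "failure":
            window = failures[user]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > BRUTE_FORCE_WINDOW:
                window.popleft()  # expire failures older than the one-minute window
            if len(window) >= BRUTE_FORCE_THRESHOLD and user not in flagged:
                alerts.append({"rule": "brute_force", "user": user,
                               "count": len(window), "ts": ev["ts"]})
                flagged.add(user)
    return alerts

def run_pipeline(lines):
    """Collection -> normalization -> correlation; returns the list of alerts."""
    events = [ev for ev in (normalize(line) for line in lines) if ev is not None]
    return correlate(events)

def constructed_logs():
    """Constructed sample input, not real data: two successful logins for one user from
    different countries six minutes apart, one junk line, and 50 failed logins for
    another user within one minute."""
    lines = [
        '{"ts":"2024-05-01T10:00:00Z","user":"alice","action":"login",'
        '"result":"success","src_ip":"203.0.113.10","country":"BR"}',
        '{"ts":"2024-05-01T10:06:00Z","user":"alice","action":"login",'
        '"result":"success","src_ip":"198.51.100.7","country":"CN"}',
        "this line is in no supported format and must be dropped",
    ]
    base = datetime(2024, 5, 1, 11, 0, 0, tzinfo=timezone.utc)
    for i in range(50):
        stamp = (base + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"CEF:0|ExampleIdP|Auth|1.0|100|Login|5|rt={stamp} suser=bob "
                     "act=login outcome=failure src=192.0.2.44 cn1=US")
    return lines

if __name__ == "__main__":
    for alert in run_pipeline(constructed_logs()):
        print(alert)
```

Running the script prints one `impossible_travel` alert for `alice` and one `brute_force` alert for `bob`; the junk line is silently dropped at the normalization step. In a real deployment the constants at the top are exactly the knobs that need tuning to keep false positives down, which is the point made further on about tuning.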
Some usage examples:
- Identify an IAM user attempting to escalate privileges in AWS.
- Detect data exfiltration via a misconfigured server.
- Know when a dev accessed production data outside business hours.
- See brute force attempts in Entra ID or Google Workspace.
SIEM is the foundation for automation: it raises the alerts, and SOAR is responsible for triggering the response workflows. SIEM + SOAR is the perfect marriage.
SIEM requires tuning to reduce false positives. Fine-tuning of rules and thresholds is necessary to avoid alert overload. That's why having a sharp Blue Team is important.
Main Tools
There are several SIEMs on the market, but to be very direct, there's no open source SIEM that goes head-to-head with paid ones.
| Name | License | Observation |
|---|---|---|
| Splunk SIEM | Paid | One of the most used in the market. |
| Microsoft Sentinel | Paid (Azure) | Natively integrated with Azure and Entra ID. |
| IBM QRadar | Paid | Strong in complex corporate environments. |
| Elastic SIEM | Open Source | Based on Elastic Stack (Elasticsearch). |
| Graylog | Open Source | Lightweight, good for medium/small environments. |
| Sumo Logic | SaaS/Paid | Focused on cloud and analytics. |
ELK as SIEM?
The ELK stack has always been the most popular open source solution used as a base to build a SIEM, before ceasing to be 100% open source. Important note: we're talking about a set of tools that allows you to create a SIEM, not a ready-made SIEM by itself.
The ELK stack is formed by:
- Elasticsearch (data storage and indexing): search and storage engine, great for time-series data.
- Logstash (log ingestion and processing): aggregates, filters, processes, and enriches virtually any type of data.
- Kibana: powerful visualization interface for queries and dashboards.
- Beats: lightweight agents for data collection, sending to Logstash or directly to Elasticsearch.
This stack offers all the necessary infrastructure to centralize, process, and visualize logs, but it doesn't deliver a ready SIEM. There's still a lot of manual work to create correlation rules, threat detections, alerts, and reports. Nothing comes ready.
Since 2021, Elasticsearch and Kibana started using the SSPL license, which moved them away from pure open source.
That same year OpenSearch was born, a fork of Elasticsearch and Kibana maintained by Amazon, composed of:
- OpenSearch database (Elasticsearch replacement)
- OpenSearch Dashboards (Kibana replacement)
But, just like ELK, OpenSearch by itself is also not a complete SIEM, it's a platform for building one.
And what about Elastic SIEM in this story? It's simply a set of:
- Visualizations
- Pre-built rules
- Security integrations
All built on top of Elastic Stack. It's not a separate product, but a feature of Elastic Security, which uses Elasticsearch to process security data. In practice, it's a starting point for those who want to transform ELK into SIEM, without having to start from scratch.
Even so, it's not a ready SIEM for corporate SOC, like QRadar or Splunk ES.
You still need to:
- Create advanced correlation rules;
- Manually normalize data;
- Automate responses with other external tools (SOAR, scripts);
- Build specific dashboards and reports (e.g., PCI, HIPAA).
In other words, Elastic SIEM is Elastic's attempt to deliver an initial path into the SIEM world, but without abandoning the "do it yourself" philosophy typical of ELK.
Elastic Stack became the basis for many solutions that people "forked" or packaged to create their own observability or security products. Some are:
- OpenSearch: Amazon created its "own ELK" with improvements and kept it Open Source.
  - Added new dashboards
  - Basic machine learning
  - Security Plugin (access control, TLS)
  - SQL & Piped Queries
- Wazuh: They took (ELK or OpenSearch) + Beats and added real security detection and correlation.
  - Added security rules
  - Log analysis
  - Integrity monitoring
  - Malware detection
  - Improved installation
  - If using an open source solution, I believe this is the most interesting one.
Graylog
It's essentially a log management and analysis platform, just like the ELK Stack, but with a well-defined focus:
- Simple interface
- Ease of ingestion, analysis, and log search
- Low learning curve (compared to ELK)
It has the 'Graylog Security' module, which adds some typical SIEM functions, but in a limited way, serving more for visibility and basic alerts than for a complete SOC.
- Security dashboards
- Detection rules
- Correlation Engine (limited)
- Alerts
- Basic log enrichment (e.g., GeoIP, DNS, WHOIS)
But most things are basic.
There still isn't a 100% 'ready-to-use' open source SIEM that rivals enterprise solutions like Splunk ES, Sentinel, or QRadar.
In the case of SIEM, open source solutions are generally chosen by small and medium-sized companies, which have the talent but not as much money! When a company can afford it, it knows that skilled people on the market receive new offers and prefer the conveniences of tools that others can also work with.
Splunk
Splunk (Enterprise Security) is still considered one of the best (if not the best) SIEM on the market, but with some truths nobody tells you:
- Highly scalable: easily supports terabytes of logs/day.
- Search Language (SPL): powerful and flexible to create any query or detection.
- Insane integrations: practically every vendor (AWS, GCP, Palo Alto, CrowdStrike, etc) has a ready app for Splunk.
- Behavioral detection and UEBA: ready and adjustable.
- Has an excellent SOAR on the same platform.
- Ready security content: playbooks, dashboards, and correlations ready for a real SOC.
- Giant marketplace: security apps and plugins for any scenario.
But there's the dark side:
- Very expensive! The cost per indexed GB is absurd, especially in the cloud.
- High learning curve for the Search Language.
- Heavy infrastructure when on-premises.
- Splunk charges per GB of data ingested/day when SaaS.
- Confusing licensing with prices varying depending on usage (ingestion, users, features).
Splunk is overkill (and expensive) for medium-sized companies, except in very specific cases (like banks or companies with strong compliance requirements). For basic log visibility and alert needs, there are much more economical and viable options.
QRadar is also expensive, falling into the same category as Splunk in terms of cost and complexity.
That's where Sentinel stands out, especially if the company already uses Entra ID and the Azure ecosystem, as native integration greatly reduces operational effort and initial cost.
And for those seeking a mature and low-cost open source solution, Wazuh, whether on-premises or in Wazuh Cloud, is today the best cost/benefit option.