DFIRLab
© 2026 DFIR Lab. All rights reserved.


SIEM

Security Information and Event Management — a platform that aggregates, correlates, and analyzes log data from across an organization's infrastructure to detect threats and support incident response.

Definition

A SIEM is the central log aggregation and analysis platform for most security operations centers. It ingests log and event data from endpoints, network devices, cloud services, and applications, normalizes it into a common schema, and applies correlation rules and analytics to surface potential threats. Leading SIEMs include Splunk, Microsoft Sentinel, Elastic Security, and IBM QRadar.

Why It Matters

No single system has full visibility into an organization's environment. A SIEM provides the unified data layer that makes detection, investigation, and compliance reporting possible at scale. Without centralized log aggregation, incidents that span multiple systems — the norm for sophisticated attacks — are nearly impossible to detect or reconstruct.

How It Works

Agents or log forwarders collect events from sources and ship them to the SIEM's indexing layer. The SIEM normalizes events into a common data model and runs detection rules against the incoming stream. When a rule fires, it generates an alert. Analysts use the SIEM's query interface to investigate alerts, pivot across data sources, and build timelines. Detection logic is typically expressed in a SIEM-specific query language: Splunk SPL, Elasticsearch Query DSL, or Microsoft Sentinel KQL.
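A toy version of the pipeline described above, added here as an illustration and not part of the DFIRLab wiki or platform: two log sources (constructed OpenSSH auth lines and Windows Security 4624/4625 logon events) are normalized into one schema, and a correlation rule runs over the merged stream, alerting when five failed logons from one source IP are followed by a success within ten minutes. The schema, rule name, sample values and thresholds are assumptions.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
# Common data model every source is normalized into (schema constructed for this example).
Event = namedtuple("Event", "ts src_ip user outcome")  # outcome is "failure" or "success"
# OpenSSH auth log line; timestamps written in ISO 8601 for brevity (sample lines are constructed).
SSHD_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<res>Failed|Accepted) password for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

def normalize_sshd(line):
    m = SSHD_RE.match(line)
    if not m:
        return None  # unparsed lines are dropped, never silently mis-mapped
    return Event(datetime.fromisoformat(m["ts"]), m["ip"], m["user"],
                 "success" if m["res"] == "Accepted" else "failure")

def normalize_windows(evt):
    outcome = {4624: "success", 4625: "failure"}.get(evt["EventID"])  # Windows Security logon event IDs
    if outcome is None:
        return None
    return Event(datetime.fromisoformat(evt["TimeCreated"]), evt["IpAddress"], evt["TargetUserName"], outcome)

def brute_force_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Correlation rule: >= threshold failed logons from one source IP, counted across all
    log sources, followed by a successful logon from that IP inside the window."""
    failures, alerts = defaultdict(list), []
    for e in sorted(events, key=lambda e: e.ts):
        recent = [t for t in failures[e.src_ip] if e.ts - t <= window]  # expire stale failures
        if e.outcome == "failure":
            recent.append(e.ts)
        elif len(recent) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "src_ip": e.src_ip, "user": e.user,
                           "failures": len(recent), "ts": e.ts.isoformat()})
            recent = []  # one campaign yields one alert
        failures[e.src_ip] = recent
    return alerts

# Constructed sample stream: five failures from 203.0.113.7 across both sources, then its success;
# the clean sshd login from 198.51.100.2 must not alert.
SAMPLE_SSHD = [f"2026-01-10T09:00:0{i} bastion sshd[4242]: Failed password for invalid user root "
               f"from 203.0.113.7 port 5{i}000 ssh2" for i in range(1, 5)]
SAMPLE_SSHD.append("2026-01-10T09:01:00 bastion sshd[4243]: Accepted password for deploy from 198.51.100.2 port 51000 ssh2")
SAMPLE_WINDOWS = [
    {"EventID": 4625, "TimeCreated": "2026-01-10T09:00:05", "IpAddress": "203.0.113.7", "TargetUserName": "admin"},
    {"EventID": 4624, "TimeCreated": "2026-01-10T09:00:30", "IpAddress": "203.0.113.7", "TargetUserName": "admin"},
]

def run_demo():
    events = [e for e in map(normalize_sshd, SAMPLE_SSHD) if e]
    events += [e for e in map(normalize_windows, SAMPLE_WINDOWS) if e]
    return brute_force_then_success(events)
```

Running `run_demo()` returns a single alert for 203.0.113.7 with five correlated failures; the same failures split across sources would be invisible to a rule run against either log alone.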

DFIR Platform

The DFIR Platform is designed to integrate with SIEM workflows via REST API. Detection rules generated by the AI Triage are expressed in the vendor-neutral Sigma format, which can be converted to any SIEM query language — Splunk SPL, Elasticsearch Query DSL, or Microsoft Sentinel KQL — using standard tooling.

Related Concepts

Sigma Rules, SOAR, Alert Triage, Log Analysis
