SIEM

Security Information and Event Management (SIEM) aggregates log data from across the enterprise, correlates events to identify threats, and provides dashboards and alerts for security operations. SIEM combines Security Information Management (SIM) for log collection and analysis with Security Event Management (SEM) for real-time monitoring and alerting.

Modern SIEM platforms ingest logs from firewalls, servers, applications, endpoints, and cloud services. Correlation rules identify suspicious patterns, such as a burst of failed logins followed by a successful login from an unusual location. SIEM provides the central visibility essential for threat detection and incident investigation.
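
The correlation rule described above, written out as an added example that is not part of the original entry: a windowed count of failed logins per user, followed by a success from a country outside that user's baseline, raises an alert. The log events, the baseline countries and the thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs):
# (timestamp, user, outcome, source IP, source country)
EVENTS = [
    ("2024-03-01T09:00:01", "alice", "FAIL", "203.0.113.7", "RO"),
    ("2024-03-01T09:00:05", "alice", "FAIL", "203.0.113.7", "RO"),
    ("2024-03-01T09:00:09", "alice", "FAIL", "203.0.113.7", "RO"),
    ("2024-03-01T09:00:14", "alice", "SUCCESS", "203.0.113.7", "RO"),
    ("2024-03-01T09:02:00", "bob", "FAIL", "198.51.100.4", "US"),
    ("2024-03-01T09:02:30", "bob", "SUCCESS", "198.51.100.4", "US"),
]

# Hypothetical per-user baseline: countries each user normally logs in from.
BASELINE = {"alice": {"US"}, "bob": {"US"}}


def correlate(events, baseline, max_fails=3, window=timedelta(minutes=5)):
    """Return one alert per login that succeeds after >= max_fails failures
    within `window` from a country outside the user's baseline."""
    recent_fails = defaultdict(list)  # user -> timestamps of recent failures
    alerts = []
    for ts_str, user, outcome, src_ip, country in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        # Age out failures that fall outside the correlation window.
        recent_fails[user] = [t for t in recent_fails[user] if ts - t <= window]
        if outcome == "FAIL":
            recent_fails[user].append(ts)
        elif outcome == "SUCCESS":
            unusual = country not in baseline.get(user, set())
            if len(recent_fails[user]) >= max_fails and unusual:
                alerts.append({
                    "user": user, "src_ip": src_ip, "country": country,
                    "failures": len(recent_fails[user]), "at": ts_str,
                })
            recent_fails[user].clear()  # a success ends the failure sequence
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS, BASELINE):
        print(f"ALERT: {a['user']} logged in from {a['src_ip']} ({a['country']}) "
              f"after {a['failures']} failures at {a['at']}")
```

Bob's single failure followed by a success from his usual country does not fire; Alice's three failures and a success from an unlisted country does.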

CISSP Relevance

Domain 7 (Security Operations) covers SIEM as a core security operations tool. Understand SIEM functions, log sources, correlation capabilities, and how SIEM supports incident detection and investigation. Know the relationship between SIEM and compliance requirements for log retention and monitoring.

NIST discusses security monitoring in SP 800-137 Information Security Continuous Monitoring.

Related terms: Log Management, Security Operations Center