What Is a SIEM?
A Security Information and Event Management (SIEM) system is the central nervous system of an organisation's security operations. It collects log data from across the technology estate, normalises it into a common format, correlates events to detect threats, and provides the audit trail that compliance frameworks demand.
Modern SIEMs have evolved from simple log aggregators into intelligent platforms that combine real-time threat detection, automated response, threat hunting, and compliance reporting.
Core SIEM Capabilities
| Capability | What It Does | Compliance Value |
|---|---|---|
| Log collection | Ingest logs from all IT systems via agents, syslog, APIs | Central audit trail evidence |
| Normalisation | Convert diverse log formats into a common schema | Consistent analysis and reporting |
| Correlation | Match events across sources to detect attack patterns | Threat detection evidence |
| Alerting | Notify analysts of detected threats and anomalies | Incident detection evidence |
| Dashboards | Real-time visibility into security posture | Management reporting |
| Investigation | Search and drill into historical events for forensics | Incident response evidence |
| Reporting | Generate compliance and operational reports | Audit evidence packages |
| Retention | Store logs for required retention periods | Regulatory compliance |
SIEM Architecture
| Component | Purpose | Key Considerations |
|---|---|---|
| Log collectors/agents | Gather logs from source systems | Agent vs agentless, bandwidth impact |
| Log transport | Securely transmit logs to SIEM | Encryption in transit, reliability |
| Parsing engine | Normalise diverse log formats | Custom parser development effort |
| Correlation engine | Apply detection logic to normalised events | Rule complexity, performance |
| Storage layer | Retain logs for search and compliance | Hot/warm/cold tiers, cost optimisation |
| Analytics engine | ML-based anomaly detection, UEBA | Training data requirements |
| Response layer | SOAR integration for automated response | Playbook development effort |
| Presentation layer | Dashboards, reports, investigation tools | Analyst workflow efficiency |
Essential Log Sources
| Log Source Category | Examples | Detection Value |
|---|---|---|
| Identity and access | Active Directory, Entra ID, Okta, SSO providers | Account compromise, privilege escalation |
| Endpoint | EDR alerts, Windows Event Logs, syslog | Malware, lateral movement, data exfiltration |
| Network | Firewalls, IDS/IPS, DNS, proxy, VPN | Command and control, data exfiltration |
| Cloud platforms | AWS CloudTrail, Azure Activity Log, GCP Audit Logs | Misconfigurations, unauthorised access |
| Applications | Web servers, databases, custom applications | Application-layer attacks, data access |
| Email | Email gateway, Microsoft 365/Google Workspace | Phishing, business email compromise |
| Security tools | Vulnerability scanners, DLP, WAF, CASB | Enrichment and correlation context |
Detection Engineering
MITRE ATT&CK Coverage
| Tactic | Priority Detections | Log Sources Required |
|---|---|---|
| Initial access | Phishing links clicked, exploit attempts | Email gateway, WAF, EDR |
| Execution | Suspicious process creation, script execution | EDR, Windows Event Logs |
| Persistence | New scheduled tasks, registry modifications, new accounts | EDR, Active Directory |
| Privilege escalation | Admin group changes, token manipulation | Active Directory, EDR |
| Defence evasion | Log clearing, security tool tampering | SIEM self-monitoring, EDR |
| Credential access | Brute force, password spraying, credential dumping | Active Directory, VPN, SSO |
| Lateral movement | Unusual RDP, SMB traffic, service account abuse | Network, Active Directory, EDR |
| Exfiltration | Large data transfers, unusual destinations | Network, proxy, DLP |
Detection Rule Types
| Rule Type | Method | Use Case |
|---|---|---|
| Signature-based | Match known patterns (IOCs, hashes, IPs) | Known threats, threat intelligence |
| Threshold-based | Alert when event count exceeds baseline | Brute force, DDoS, scanning |
| Correlation | Match events across multiple sources and time windows | Multi-stage attacks, lateral movement |
| Anomaly-based | ML detects deviation from established baselines | Insider threats, novel attacks |
| Behavioural (UEBA) | User and entity behaviour analytics | Account compromise, privilege abuse |
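The threshold-based and correlation rule types above, as an added example that is not part of the original page: a threshold rule that fires when one source address produces enough failed logins inside a sliding window, and a correlation rule that escalates a later successful login from that same address as a likely account compromise. The event records, addresses, user names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of normalised authentication events (not captured from any
# real system); this is the shape a SIEM parser emits after normalising SSO/AD logs.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:01", "src_ip": "203.0.113.7", "user": "j.doe", "outcome": "failure"},
    {"ts": "2024-05-01T09:00:09", "src_ip": "203.0.113.7", "user": "a.lee", "outcome": "failure"},
    {"ts": "2024-05-01T09:00:20", "src_ip": "203.0.113.7", "user": "m.ng", "outcome": "failure"},
    {"ts": "2024-05-01T09:00:31", "src_ip": "203.0.113.7", "user": "s.roy", "outcome": "failure"},
    {"ts": "2024-05-01T09:00:45", "src_ip": "203.0.113.7", "user": "k.ito", "outcome": "failure"},
    {"ts": "2024-05-01T09:01:02", "src_ip": "203.0.113.7", "user": "k.ito", "outcome": "success"},
    {"ts": "2024-05-01T09:30:00", "src_ip": "198.51.100.4", "user": "j.doe", "outcome": "failure"},
    {"ts": "2024-05-01T09:30:12", "src_ip": "198.51.100.4", "user": "j.doe", "outcome": "success"},
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def threshold_rule(events, threshold=5, window=timedelta(minutes=5)):
    """Threshold-based rule: flag a src_ip the first time it produces `threshold`
    failed logins inside a sliding `window`. Returns {src_ip: trigger_time}."""
    recent = defaultdict(list)   # src_ip -> failure timestamps still inside the window
    triggered = {}
    for e in sorted(events, key=_ts):
        if e["outcome"] != "failure" or e["src_ip"] in triggered:
            continue
        bucket = recent[e["src_ip"]]
        bucket.append(_ts(e))
        while _ts(e) - bucket[0] > window:   # slide the window: drop stale failures
            bucket.pop(0)
        if len(bucket) >= threshold:
            triggered[e["src_ip"]] = _ts(e)
    return triggered

def correlation_rule(events, threshold_hits, lookahead=timedelta(minutes=10)):
    """Correlation rule: a successful login from a src_ip that already tripped the
    threshold rule, within `lookahead` of the trigger, is escalated as a likely
    credential compromise (failure burst followed by success)."""
    findings = []
    for e in sorted(events, key=_ts):
        t0 = threshold_hits.get(e["src_ip"])
        if e["outcome"] == "success" and t0 is not None and t0 <= _ts(e) <= t0 + lookahead:
            findings.append({"user": e["user"], "src_ip": e["src_ip"], "ts": e["ts"]})
    return findings

def run_detections(events=SAMPLE_EVENTS):
    """Run both rules the way a correlation engine would chain them."""
    hits = threshold_rule(events)
    return {"threshold": sorted(hits), "correlation": correlation_rule(events, hits)}
```

The second address in the sample never reaches the threshold, so its later success is not escalated; tuning `threshold` and `window` against your own baseline is the work the Common Mistakes section calls detection tuning.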
SIEM vs SOAR vs XDR
| Capability | SIEM | SOAR | XDR |
|---|---|---|---|
| Log collection and storage | Primary function | No | Limited |
| Threat detection | Correlation rules, analytics | No (consumes SIEM alerts) | Built-in detection |
| Automated response | Basic (email, ticket) | Primary function (playbooks) | Built-in response actions |
| Compliance reporting | Primary function | No | Limited |
| Investigation | Log search and forensics | Case management | Guided investigation |
| Scope | All log sources | Alert response workflows | Endpoint, network, cloud, email |
| Best for | Compliance + detection + retention | Response automation | Unified detection and response |
Log Retention Requirements
| Framework | Minimum Retention | Notes |
|---|---|---|
| ISO 27001 | Defined by organisation | A.8.15 requires logging policy with defined retention |
| SOC 2 | 1 year | CC7.2 — sufficient to support investigation |
| NIS2 | Not explicitly specified | Must support incident investigation (Article 23) |
| DORA | 5 years | ICT-related incident records (Article 17) |
| PCI DSS | 1 year (3 months hot) | Requirement 10.7 — immediately available for analysis |
| GDPR | Purpose-limited | Balance security monitoring with data minimisation |
Compliance Requirements
Framework Mapping
| Requirement | ISO 27001 | SOC 2 | NIS2 | DORA |
|---|---|---|---|---|
| Centralised logging | A.8.15 | CC7.2 | Art. 21(2)(b) | Art. 10 |
| Security monitoring | A.8.16 | CC7.2 | Art. 21(2)(b) | Art. 10 |
| Incident detection | A.5.25 | CC7.3 | Art. 21(2)(b) | Art. 10 |
| Log protection | A.8.15 | CC7.2 | Art. 21(2)(d) | Art. 10 |
| Time synchronisation | A.8.17 | CC7.2 | Art. 21(2)(d) | Art. 10 |
| Audit trail | A.8.15 | CC7.2 | Art. 23 | Art. 17 |
| Reporting to management | A.5.25 | CC7.3 | Art. 20 | Art. 13 |
Audit Evidence
| Evidence Type | Description | Framework |
|---|---|---|
| SIEM deployment documentation | Architecture, log sources, coverage | All frameworks |
| Log source inventory | All systems sending logs with status | ISO 27001, SOC 2 |
| Detection rule catalogue | Documented rules mapped to threats | ISO 27001, NIS2, DORA |
| Alert response procedures | SOPs for each alert type | All frameworks |
| MTTD/MTTR metrics | Monthly detection and response times | SOC 2, NIS2, DORA |
| Log retention configuration | Retention policies and verification | All frameworks |
| Incident investigation reports | Completed investigation records | NIS2, DORA |
| SIEM health monitoring | Uptime, ingestion rate, storage utilisation | ISO 27001, SOC 2 |
SIEM Deployment Models
| Model | Pros | Cons | Best For |
|---|---|---|---|
| On-premises | Full data control, no egress costs | High CapEx, maintenance burden | Regulated industries, data sovereignty |
| Cloud-native | Elastic scaling, managed infrastructure | Data residency concerns, egress costs | Cloud-first organisations |
| Managed SIEM (MDR) | 24/7 expert monitoring, lower staffing | Less customisation, vendor dependency | SMBs, teams without SOC staff |
| Hybrid | Sensitive data on-prem, scale in cloud | Complexity, dual management | Organisations with mixed requirements |
Common Mistakes
| Mistake | Impact | Fix |
|---|---|---|
| Collecting everything | Alert fatigue, high costs, slow queries | Prioritise log sources by threat model |
| No detection tuning | 90%+ false positive rates | Baseline, tune, and continuously improve rules |
| Ignoring SIEM health | Silent log gaps create blind spots | Monitor ingestion rates and alert on drops |
| No response procedures | Alerts without action waste investment | Document and train on SOPs for every alert type |
| Single analyst dependency | No coverage during absence | Cross-train team, document runbooks |
| Skipping log source validation | Missing critical events | Regularly verify all sources are sending expected data |
| No MITRE ATT&CK mapping | Unknown detection gaps | Map existing rules to ATT&CK and identify coverage gaps |
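The "Ignoring SIEM health" and "Skipping log source validation" rows above, as an added example that is not part of the original page: a check that compares each log source's latest ingestion interval against a baseline of its recent history and raises an alert when volume drops or stops entirely. The source names, per-interval counts and ratios are constructed for illustration.

```python
from statistics import median

# Constructed per-source event counts for consecutive 5-minute intervals, oldest
# first. Not real telemetry; shaped like a SIEM's own ingestion metrics index.
INGESTION = {
    "fw-edge-01": [1210, 1180, 1250, 1195, 1230, 1205, 1190, 0],      # went silent
    "ad-dc-01":   [310, 295, 320, 305, 300, 315, 290, 298],           # healthy
    "proxy-01":   [2400, 2450, 2380, 2420, 2390, 2410, 2440, 1100],   # partial drop
    "edr-cloud":  [80, 75, 0, 78, 82, 77, 79, 81],                    # recovered earlier
}

def ingestion_alerts(series_by_source, baseline_intervals=6, drop_ratio=0.5, min_baseline=10):
    """Flag sources whose latest interval fell below drop_ratio * baseline.
    The baseline is the median of the preceding intervals, so one past outage
    (like edr-cloud's earlier zero) does not distort it. A zero count in the
    latest interval is reported as a silent source, the blind spot the text warns about."""
    alerts = []
    for source, counts in series_by_source.items():
        if len(counts) < baseline_intervals + 1:
            continue   # not enough history to baseline this source yet
        history = counts[-baseline_intervals - 1:-1]
        latest = counts[-1]
        baseline = median(history)
        if baseline < min_baseline:
            continue   # very low-volume source: a ratio test would be noisy
        if latest == 0:
            alerts.append({"source": source, "severity": "high",
                           "reason": "no events received in latest interval"})
        elif latest < drop_ratio * baseline:
            alerts.append({"source": source, "severity": "medium",
                           "reason": f"volume at {latest / baseline:.0%} of baseline"})
    return alerts

def silent_sources(series_by_source):
    """Convenience view for the log source inventory: names of sources with no events now."""
    return [a["source"] for a in ingestion_alerts(series_by_source) if a["severity"] == "high"]
```

Running this on a schedule and alerting on its output is the "monitor ingestion rates and alert on drops" fix from the table; the same output doubles as evidence for the log source inventory item under Audit Evidence.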
How Orbiq Supports SIEM Compliance
Orbiq helps you demonstrate security monitoring controls:
- Evidence collection — Centralise SIEM deployment evidence, detection rule documentation, and MTTD/MTTR metrics
- Continuous monitoring — Track SIEM coverage and detection effectiveness
- Trust Center — Share your security monitoring posture via your Trust Center
- Compliance mapping — Map SIEM controls to ISO 27001, SOC 2, NIS2, and DORA
- Audit readiness — Pre-built evidence packages for auditor review
Further Reading