SIEM (Security Information and Event Management)
Definition
A platform that aggregates log and event data from systems, networks, and applications across an environment, correlates events against detection rules, generates alerts, and produces reports. Common platforms include Splunk, Microsoft Sentinel, IBM QRadar, and the open-source Elastic SIEM.
Related terms
- EDR (Endpoint Detection and Response)
- An agent-based security tool deployed on individual endpoints (workstations, servers, mobile devices) that monitors process execution, file changes, network connections, and registry...
- Alert correlation
- The process of grouping multiple related events or alerts into a single higher-level alert representing one attack sequence. A correlation rule might...
- Alert fatigue
- The condition in which analysts receive more alerts than they can meaningfully review, leading to delayed responses, dismissed true positives, and reduced...
- Chain of custody
- The documented chronological record of who collected, handled, transferred, and examined a piece of evidence. For digital evidence, chain of custody includes...
- Compliance dashboard
- An automated reporting surface that aggregates metric and control-status data and presents it in a format aligned to one or more regulatory...
- Continuous monitoring
- An automated control framework that applies fraud indicator tests to transactions as they are processed or on a frequent scheduled basis, generating...
- Control effectiveness
- The degree to which a security control achieves its intended objective under real operating conditions. Measured through a combination of design review...
- Escalation Path
- The predefined chain of notification and decision-making authority that an incident follows as its severity increases. Documented in the IR plan before...
- Hypothesis testing
- In digital forensics, the practice of forming a specific, falsifiable proposition about what occurred (such as 'the attacker used account X to...
- IDS/IPS (Intrusion Detection/Prevention System)
- Network or host-based systems that inspect traffic or system calls for known attack patterns. An IDS generates alerts without blocking; an IPS...
- Indicator of Compromise (IoC)
- An observable artefact that suggests a system has been involved in a malicious event. Static analysis produces file-based IoCs: cryptographic hashes, embedded...
- Key Performance Indicator (KPI)
- A metric that measures how well a specific control or process is performing against a defined target. KPIs are often lagging indicators:...
Explained in these topics
- Cyber Investigation Tools and Analytical Workflow: A platform that ingests logs from multiple sources, normalises them to a common schema, applies correlation rules to generate alerts, and provides a searchable...
- Detection Sources and Alert Pipelines: A platform that collects, normalises, and stores log and event data from many sources, then applies correlation rules and anomaly detection to generate securit...
- Security Metrics and Continuous Monitoring: A platform that aggregates log and event data from systems, networks, and applications across an environment, correlates events against detection rules, genera...
- SOC Structure and the Tier Model: A platform that collects, normalises, correlates, and alerts on log and event data from across an organisation's infrastructure. The primary console used by Ti...
- SOC Tooling and the SIEM: A platform that centralises log and event data from across an organisation, normalises it, applies detection rules, and generates alerts. Serves both complianc...