SIEM (Security Information and Event Management) is a centralised platform that collects logs and security events from across an organisation's IT environment — servers, applications, firewalls, endpoints, cloud services, identity systems — and uses correlation rules and analytics to detect threats, generate alerts, and produce compliance reports. Think of SIEM as the central nervous system of a Security Operations Center (SOC): without it, analysts manually check dozens of consoles; with it, they investigate from one place. SIEM combines two earlier categories: SIM (Security Information Management — log storage and reporting) and SEM (Security Event Management — real-time detection).

Five core components: (1) **Log collection** — agents and APIs ingest events from sources (Windows Event Logs, Linux syslog, network appliances, cloud audit logs, applications), (2) **Normalisation and parsing** — diverse formats are mapped to a common schema for correlation, (3) **Correlation engine** — rules, statistical baselines, and machine learning detect patterns across multiple events (e.g., 'failed login from 3 countries within 5 minutes followed by successful login'), (4) **Alerting and dashboards** — high-confidence detections become alerts; analysts work from dashboards and search interfaces, (5) **Storage and search** — long-term retention for compliance (often 1-7 years) and forensic investigation. Modern SIEMs also include behavioural analytics (UEBA) and orchestration (SOAR).

Five market leaders: (1) **Splunk Enterprise Security** — most flexible, premium pricing ($1,800-$2,500 per GB/day ingested), best for large enterprises with complex use cases; acquired by Cisco in 2024, (2) **Microsoft Sentinel** — cloud-native (Azure), pay-per-GB model, strong integration with M365 and Defender XDR, fastest-growing market share, (3) **IBM QRadar SIEM** — strong in regulated industries (finance, healthcare, government); IBM sold QRadar SaaS to Palo Alto in 2024, (4) **Elastic Security** (Elastic SIEM + ELK stack) — open-source roots, cost-effective for high log volumes, (5) **Google Chronicle / Security Operations** — flat-rate pricing based on employee count, designed for petabyte-scale workloads. Mid-market: Sumo Logic, LogRhythm, Securonix, Exabeam, Devo, Rapid7 InsightIDR.

Different functions in a modern SOC: (1) **SIEM** — centralised log aggregation, correlation, and search; bring any source, write your own rules, retain long-term for compliance, (2) **XDR (Extended Detection and Response)** — focused detection-and-response platform pre-tuned by the vendor for endpoint + email + identity + cloud; faster to deploy, less flexible than SIEM, (3) **SOAR (Security Orchestration, Automation and Response)** — workflow engine that automates incident response playbooks (e.g., 'on phishing alert, block sender, isolate endpoint, disable account, notify analyst'). Mature SOCs use all three: SIEM for breadth and compliance, XDR for fast detection on common attack surfaces, SOAR for automated response. Many vendors now bundle SIEM + XDR + SOAR (Splunk SOAR, Sentinel + Defender XDR, Cortex XSIAM).

SIEM is typically priced by data volume ingested (GB/day) or events per second (EPS). Common ranges (2026): Splunk Enterprise — $1,800-$2,500/GB/day perpetual licence + 22% annual maintenance (e.g., $200K-$400K/year for 100GB/day); Microsoft Sentinel — $2-$5/GB ingested (commitment tiers reduce cost); IBM QRadar — $25-$50/EPS perpetual; Elastic Security — $95/GB/month or self-managed open-source; Google Chronicle — flat per-employee/year (typically $5-$15/employee/month). Total cost of ownership includes onboarding ($50K-$500K for large environments), ongoing tuning, and SOC analyst time. Cloud-native SIEMs (Sentinel, Chronicle) typically have 30-50% lower TCO than legacy on-prem deployments.

Yes — SIEM and XDR serve different needs. SIEM remains essential for: (1) **compliance** — many regulations (NIS2, DORA, PCI-DSS, HIPAA, ISO 27001) require centralised logging with multi-year retention that XDR doesn't provide, (2) **breadth** — XDR covers endpoint/email/identity/cloud, but SIEM ingests *anything* including custom applications, OT/ICS, mainframes, B2B EDI, (3) **forensics** — long-term searchable archive for investigating breaches that happened months ago. Most mature SOCs run XDR for fast detection on common attack surfaces *and* SIEM for compliance + breadth + long-term forensics. New gen 'SOC platforms' (Splunk SIEM + SOAR + XDR, Microsoft Sentinel + Defender XDR, Palo Alto Cortex XSIAM) bundle both.

Typical timelines: (1) Cloud-native SIEM (Microsoft Sentinel, Chronicle) — initial deployment 2-4 weeks, value realisation 3-6 months as use cases mature, (2) On-prem or hybrid SIEM (Splunk, QRadar, Elastic) — initial deployment 4-12 weeks, full operational maturity 6-18 months, (3) Migration from one SIEM to another — 6-18 months for large enterprises, often run in parallel during transition. Critical success factors: data source prioritisation (don't ingest everything — focus on high-value sources first), use-case-driven deployment (define detections you need, then build to those), tuning iteration (default rules generate too many false positives), 24/7 staffing (SIEM without staffed monitoring is just expensive logging).