SIEM (Security Information and Event Management) is a platform that collects log data from across your entire infrastructure — servers, firewalls, applications, identity systems, cloud services — correlates events in real-time, and identifies security threats that no single system could detect alone.
A firewall log showing a blocked connection is noise. An authentication failure is routine. A certificate error is a misconfiguration. But a SIEM correlating all three — blocked connection from the same IP that had an auth failure, targeting a service with a certificate error — reveals an attack pattern that individual logs can’t show.
## How SIEM Works

### The Data Pipeline
```text
1. COLLECT: Ingest logs from every source
   ├── Firewalls, IDS/IPS (network events)
   ├── Servers (OS logs, auth logs)
   ├── Applications (access logs, error logs)
   ├── Identity systems (AD, SSO, MFA)
   ├── Cloud services (CloudTrail, Azure Monitor)
   ├── Certificate systems (issuance, expiry, errors)
   └── Endpoints (EDR, antivirus)

2. NORMALIZE: Parse different log formats into a common schema
   Raw:        "Mar 5 14:23:01 server sshd[1234]: Failed password for root from 10.0.1.5"
   Normalized: {timestamp, source, event_type: "auth_failure", user: "root", src_ip: "10.0.1.5"}

3. CORRELATE: Connect related events across sources
   "Same IP (10.0.1.5) had 50 auth failures across 5 servers in 2 minutes"

4. DETECT: Match patterns against rules and baselines
   Rule: "More than 10 auth failures from a single IP in 5 minutes → alert"
   ML:   "This user normally logs in from the US, now logging in from Russia at 3 AM"

5. ALERT: Notify the security team with context
   "Brute force attack detected from 10.0.1.5 targeting SSH on 5 servers"
```
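To make the pipeline concrete, here is an added Python example (not from the original page or from any SIEM product) that normalizes sshd lines of the shape shown above, correlates failures by source IP across servers, and applies the rule "more than 10 auth failures from a single IP in 5 minutes". The host names, IPs and log lines are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the sshd shape shown above (not real traffic): 12 password
# failures from one IP across 5 servers within a minute, plus two benign/unrelated lines.
HOSTS = ["web-1", "web-2", "db-1", "app-1", "bastion"]
RAW_LOGS = [f"Mar 5 14:23:{5 * i:02d} {HOSTS[i % 5]} sshd[{1200 + i}]: Failed password for root "
            f"from 10.0.1.5 port {51000 + i} ssh2" for i in range(12)] + [
    "Mar 5 14:24:10 web-1 sshd[1300]: Accepted publickey for deploy from 10.0.2.9 port 40010 ssh2",
    "Mar 5 14:25:00 db-1 sshd[1301]: Failed password for root from 10.0.3.3 port 42000 ssh2",
]
SSHD_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                     r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")

def normalize(line, year=2024):
    """NORMALIZE: parse one raw sshd line into the common event schema (None if it does not match)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"timestamp": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "source": m["host"],
            "event_type": "auth_failure" if m["outcome"] == "Failed" else "auth_success",
            "user": m["user"], "src_ip": m["ip"]}

def detect_brute_force(events, threshold=10, window=timedelta(minutes=5)):
    """CORRELATE + DETECT: group auth failures by source IP across every server and apply
    the rule 'more than `threshold` failures from a single IP within `window`'."""
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev["event_type"] == "auth_failure":
            failures[ev["src_ip"]].append(ev)
    alerts = []
    for ip, evs in failures.items():
        start, best = 0, (0, 0)  # best = (failures in the densest window, index of its last event)
        for end in range(len(evs)):
            while evs[end]["timestamp"] - evs[start]["timestamp"] > window:
                start += 1  # slide the window start forward so it spans at most `window`
            if end - start + 1 > best[0]:
                best = (end - start + 1, end)
        count, end = best
        if count > threshold:  # ALERT: include the cross-server context the analyst needs
            servers = sorted({e["source"] for e in evs[end - count + 1:end + 1]})
            alerts.append({"src_ip": ip, "failures": count, "servers": servers,
                           "message": f"Brute force attack detected from {ip} targeting SSH on {len(servers)} servers"})
    return alerts

def run_pipeline(raw_lines=RAW_LOGS):
    """COLLECT -> NORMALIZE -> CORRELATE/DETECT -> ALERT over the sample lines."""
    return detect_brute_force([ev for ev in map(normalize, raw_lines) if ev])
```

Note that no single server sees more than three failures here; the rule only fires because the SIEM groups by source IP across all five hosts.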
## Core Capabilities
| Capability | What It Does | Example |
|---|---|---|
| Log aggregation | Centralize logs from all sources | All firewall, server, and app logs in one place |
| Real-time correlation | Connect events across systems | Auth failure + privilege escalation + data exfil = breach |
| Threat detection | Match known attack patterns | MITRE ATT&CK technique detection |
| Anomaly detection | Identify deviations from baseline | User accessing 10x more files than normal |
| Incident investigation | Search and pivot across all data | "Show me everything this IP did in the last 24 hours" |
| Compliance reporting | Generate audit evidence | "All privileged access events for SOC 2 audit" |
| Dashboards | Visualize security posture | Real-time threat map, alert trends, top talkers |
## SIEM and Certificate/PKI Integration

SIEM becomes significantly more powerful when it ingests certificate and PKI events:

### What to Send to SIEM from Your PKI/CLM
Certificate events:
- Certificate issued (who requested, what domain, which CA)
- Certificate renewed (automatic or manual, success or failure)
- Certificate expired (which service, was it monitored?)
- Certificate revoked (reason, who authorized)
- Certificate validation failure (chain error, hostname mismatch)
Key management events:
- Key generated (algorithm, size, storage location)
- Key accessed (which system, which operation)
- Key rotated (old key deactivated, new key activated)
- Key destruction (authorized by whom)
Authentication events:
- mTLS handshake success/failure (client identity, server identity)
- SSH key authentication (which key, which server, success/failure)
- Certificate-based VPN authentication
Anomalies:
- Certificate issued for unusual domain
- Signing operation outside business hours
- Unusual volume of certificate requests
- Certificate used from unexpected IP/location
### Detection Rules for Certificate-Related Threats

```yaml
# Rule: Unauthorized certificate issuance
- name: "Certificate issued for monitored domain by unexpected CA"
  condition: |
    event.type == "certificate_issued" AND
    event.domain IN monitored_domains AND
    event.issuer NOT IN approved_cas
  severity: CRITICAL
  response: "Investigate potential rogue CA or domain hijack"

# Rule: Certificate expiry approaching without renewal
- name: "Certificate expires in 7 days with no renewal attempt"
  condition: |
    certificate.days_to_expiry < 7 AND
    NOT exists(renewal_event for certificate in last 30 days)
  severity: HIGH
  response: "Page certificate owner — imminent outage risk"

# Rule: Mass certificate requests (potential compromise)
- name: "Unusual certificate request volume"
  condition: |
    count(certificate_requests from source in 1 hour) > 10 * baseline
  severity: MEDIUM
  response: "Investigate — possible compromised ACME credentials or automation bug"
```
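The three rules above as executable logic, in an added Python example that is not part of the original page: the domains, CA names, the `BASELINE_PER_HOUR` value and the event and inventory records are constructed placeholders, and the field names follow the pseudo-rule syntax.

```python
from collections import Counter
from datetime import datetime, timedelta

NOW = datetime(2024, 3, 5, 14, 0)                                 # evaluation time (constructed)
MONITORED_DOMAINS = {"example.com", "api.example.com"}             # placeholder monitored domains
APPROVED_CAS = {"Internal Issuing CA 01", "Public CA (approved)"}  # hypothetical approved issuers
BASELINE_PER_HOUR = 2   # assumed learned baseline of certificate requests per source per hour
# Constructed event stream and CLM inventory (not from the article); field names follow the rules above.
EVENTS = [
    {"type": "certificate_issued", "ts": NOW - timedelta(minutes=30), "domain": "api.example.com",
     "issuer": "Unknown Root CA", "source": "ci-runner-7"},
    {"type": "certificate_issued", "ts": NOW - timedelta(days=2), "domain": "example.com",
     "issuer": "Internal Issuing CA 01", "source": "acme-bot"},
    {"type": "renewal_attempt", "ts": NOW - timedelta(days=1), "cert_id": "cert-A", "source": "acme-bot"},
] + [{"type": "certificate_request", "ts": NOW - timedelta(minutes=m), "source": "ci-runner-7"}
     for m in range(25)]   # 25 requests in the last hour from one source
INVENTORY = [
    {"cert_id": "cert-A", "domain": "example.com", "not_after": NOW + timedelta(days=3)},
    {"cert_id": "cert-B", "domain": "legacy.example.com", "not_after": NOW + timedelta(days=5)},
    {"cert_id": "cert-C", "domain": "api.example.com", "not_after": NOW + timedelta(days=60)},
]

def alert(severity, name, response):
    return {"severity": severity, "name": name, "response": response}

def rule_unauthorized_issuance(events):
    """CRITICAL: certificate for a monitored domain issued by a CA outside the approved set."""
    return [alert("CRITICAL", f"{e['domain']} issued by unexpected CA '{e['issuer']}'",
                  "Investigate potential rogue CA or domain hijack")
            for e in events if e["type"] == "certificate_issued"
            and e["domain"] in MONITORED_DOMAINS and e["issuer"] not in APPROVED_CAS]

def rule_expiry_without_renewal(events, inventory, now=NOW):
    """HIGH: fewer than 7 days to expiry and no renewal attempt for that cert in the last 30 days."""
    renewed = {e["cert_id"] for e in events
               if e["type"] == "renewal_attempt" and now - e["ts"] <= timedelta(days=30)}
    return [alert("HIGH", f"{c['domain']} expires in {(c['not_after'] - now).days} days, no renewal",
                  "Page certificate owner, imminent outage risk")
            for c in inventory if (c["not_after"] - now).days < 7 and c["cert_id"] not in renewed]

def rule_request_volume(events, now=NOW, baseline=BASELINE_PER_HOUR):
    """MEDIUM: certificate requests from one source in the last hour exceed 10x its baseline."""
    recent = Counter(e["source"] for e in events
                     if e["type"] == "certificate_request" and now - e["ts"] <= timedelta(hours=1))
    return [alert("MEDIUM", f"{n} certificate requests from {src} in 1 hour (baseline {baseline})",
                  "Investigate possible compromised ACME credentials or automation bug")
            for src, n in recent.items() if n > 10 * baseline]

def evaluate(events=EVENTS, inventory=INVENTORY, now=NOW):
    return rule_unauthorized_issuance(events) + rule_expiry_without_renewal(events, inventory, now) + rule_request_volume(events, now)
```

On the sample data cert-A is 3 days from expiry but has a renewal attempt in the last 30 days, so only cert-B fires the expiry rule; the rules need both the event stream and the CLM inventory to decide.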
## Major SIEM Platforms
| Platform | Type | Best For | PKI/Cert Integration |
|---|---|---|---|
| Splunk | Commercial | Large enterprises, flexible queries | Splunk Add-on for certificate data |
| Microsoft Sentinel | Cloud (Azure) | Azure-centric, Microsoft ecosystem | Native Azure Key Vault + AD CS integration |
| IBM QRadar | Commercial | Regulated industries, compliance | Custom log sources for PKI |
| Elastic SIEM | Open-source core | Cost-sensitive, custom deployments | Filebeat + custom parsers |
| Google Chronicle | Cloud (GCP) | Google ecosystem, massive scale | Cloud KMS audit log integration |
| CrowdStrike LogScale | Cloud | Fast search, endpoint-heavy | API-based ingestion |
| Wazuh | Open-source | Budget-constrained, compliance | Agent-based certificate monitoring |
## SIEM for Compliance
SIEM is often the primary tool for demonstrating compliance:
| Framework | What SIEM Provides |
|---|---|
| PCI DSS | Req 10: Track all access to cardholder data. SIEM stores and correlates access logs. |
| SOC 2 | CC6/CC7: Logical access controls and system monitoring. SIEM provides evidence. |
| HIPAA | §164.312(b): Audit controls. SIEM logs all access to ePHI systems. |
| SOX | IT General Controls: Monitor privileged access to financial systems. |
| ISO 27001 | A.12.4: Logging and monitoring. SIEM is the implementation. |
| NIST 800-53 | AU (Audit) family: Audit generation, review, analysis, reporting. |
## Implementing SIEM: Practical Considerations

### What to Log (Priority Order)
- Authentication events — logins, failures, MFA challenges, certificate auth
- Privilege changes — role assignments, permission grants, sudo usage
- Network security — firewall allows/denies, IDS alerts, DNS queries
- Data access — database queries, file access, API calls to sensitive endpoints
- System changes — configuration modifications, software installs, certificate changes
- Cloud activity — API calls, resource creation/deletion, IAM changes
### What NOT to Log (Privacy/Volume)
- Full request/response bodies (PII risk, storage cost)
- Health check endpoints (noise, massive volume)
- Static asset requests (CSS, JS, images — no security value)
- Encrypted payload contents (you can’t read them anyway)
### Retention Periods
| Data Type | Minimum Retention | Reason |
|---|---|---|
| Security alerts | 1 year | Incident investigation |
| Authentication logs | 90 days - 1 year | Compliance (PCI: 1 year) |
| Network logs | 30-90 days | Forensics |
| Application logs | 30 days | Troubleshooting |
| Compliance evidence | 7 years | SOX, regulatory |
## SIEM vs Other Security Tools
| Tool | Purpose | Relationship to SIEM |
|---|---|---|
| EDR (CrowdStrike, SentinelOne) | Endpoint threat detection | Feeds events INTO SIEM |
| SOAR (Splunk SOAR, Palo Alto XSOAR) | Automated response | Triggered BY SIEM alerts |
| NDR (Darktrace, Vectra) | Network anomaly detection | Feeds events INTO SIEM |
| CLM (QCecuring, Venafi) | Certificate lifecycle | Feeds cert events INTO SIEM |
| PAM (CyberArk, BeyondTrust) | Privileged access | Feeds access events INTO SIEM |
| SIEM | Correlation + detection + investigation | Central nervous system |
SIEM doesn’t replace these tools — it connects them. Each tool is an expert in its domain. SIEM correlates across all domains to find threats that span multiple systems.
## FAQ

Q: Do I need a SIEM if I’m a small company?
A: If you have compliance requirements (PCI, SOC 2, HIPAA): yes, you need centralized logging and monitoring. For small teams, open-source options (Wazuh, Elastic SIEM) or cloud-native options (AWS Security Hub, Azure Sentinel pay-per-use) are cost-effective starting points.

Q: How much does SIEM cost?
A: Varies enormously. Splunk: $150-$300+ per GB/day ingested. Elastic: free (self-managed) to $95/GB/month (cloud). Microsoft Sentinel: $2.46/GB ingested. The cost driver is log volume — a mid-size enterprise ingests 50-500 GB/day.

Q: What’s the difference between SIEM and a log management tool?
A: Log management (ELK, Loki, Datadog Logs) stores and searches logs. SIEM adds: correlation rules, threat detection, incident workflows, compliance reporting, and security-specific analytics. SIEM is log management + security intelligence.

Q: How does SIEM relate to certificate management?
A: SIEM should ingest certificate lifecycle events (issuance, renewal, expiry, revocation) from your CLM platform. This enables: detecting unauthorized certificate issuance, alerting on approaching expiry, correlating certificate errors with security incidents, and providing compliance evidence for certificate management controls.

Q: Can SIEM detect a compromised code signing key?
A: If you feed signing events into SIEM, yes. Detection rules can alert on: signing operations outside business hours, signing from unexpected systems, unusual signing volume, or signing of unexpected artifact types. The SIEM correlates these with other indicators (network anomalies, auth events) to assess whether the signing key is compromised.