Managed Security Information & Event Management (SIEM)

Security Information and Event Management (SIEM) is a security management approach that integrates the functions of Security Information Management (SIM) and Security Event Management (SEM) into a unified system.

A SIEM system operates by collecting relevant data from multiple sources, such as Windows event logs and firewall logs, to identify anomalies and take appropriate action. For instance, if a potential issue arises, the SIEM system may log additional details, generate an alert, or direct other security controls to halt an activity.

For example, a user account with 25 failed login attempts over 25 minutes might be flagged as suspicious but considered low priority, as it could be a case of forgotten login details. However, an account with over 100 failed attempts within five minutes would likely trigger a high-priority alert, as it could indicate an ongoing brute-force attack.
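The two thresholds above, expressed as a sliding-window correlation rule run over failed-logon events, as an added example that is not from the original page or any vendor's product; the `timestamp,event_id,account` line format, the Windows event IDs 4625/4624 as the failed/successful logon markers, and the account names are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the text as (minimum count, window, priority), most severe first.
# "over 100 in five minutes" -> at least 101; "25 over 25 minutes" -> at least 25.
RULES = [
    (101, timedelta(minutes=5), "high"),   # likely brute force
    (25, timedelta(minutes=25), "low"),    # possibly forgotten credentials
]
RANK = {"low": 1, "high": 2}

def parse_failed_logons(lines):
    """Parse 'ISO-timestamp,event_id,account' lines; keep only 4625 (failed logon)."""
    events = []
    for line in lines:
        ts, event_id, account = line.strip().split(",")
        if event_id == "4625":
            events.append((datetime.fromisoformat(ts), account))
    return sorted(events)  # SIEM rules assume time-ordered input

def classify_accounts(events):
    """Return {account: highest priority reached} using a per-account sliding window."""
    longest = max(window for _, window, _ in RULES)
    history = defaultdict(deque)
    priority = {}
    for ts, account in events:
        q = history[account]
        q.append(ts)
        while ts - q[0] > longest:      # forget failures older than the widest window
            q.popleft()
        for min_count, window, level in RULES:
            hits = sum(1 for t in q if ts - t <= window)
            if hits >= min_count:
                if RANK[level] > RANK.get(priority.get(account), 0):
                    priority[account] = level
                break                   # only the most severe matching rule counts
    return priority

def build_sample_log():
    """Constructed sample telemetry (not real logs): three accounts, three patterns."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=i)).isoformat()},4625,svc-backup"
             for i in range(120)]                      # 120 failures in 2 minutes
    lines += [f"{(base + timedelta(minutes=i)).isoformat()},4625,alice"
              for i in range(25)]                      # 25 failures over 24 minutes
    lines += [f"{(base + timedelta(minutes=i)).isoformat()},4625,bob"
              for i in range(3)]                       # 3 failures, then success
    lines.append(f"{(base + timedelta(minutes=4)).isoformat()},4624,bob")
    return lines

def run():
    return classify_accounts(parse_failed_logons(build_sample_log()))

if __name__ == "__main__":
    print(run())  # {'svc-backup': 'high', 'alice': 'low'}
```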

Please see our resources page for more documents about MDR for M365.