< ciso
brief />
Tag Banner

All news with #siem tag

48 articles

Amazon OpenSearch launches log analytics engine

🔍 Amazon OpenSearch Service introduces a new engine optimized for log analytics that combines faster analytical queries with full-text search. The engine delivers up to 4x better price-performance on internal benchmarks, up to 70% lower storage using columnar storage, 2x higher ingestion throughput, and 2x faster analytical queries. It supports OpenSearch 3.5+, PPL and SQL queries, JDBC/ODBC drivers, and mixed full-text plus analytical predicates. The capability is available across 12 global AWS regions with no additional engine charges.
read more →

Google named a Leader in IDC MarketScape SIEM 2026

🛡️ Google has been named a Leader in the 2026 IDC MarketScape for Worldwide SIEM, reflecting investments in Google Security Operations that combine Mandiant expertise, automation, and integrated AI agents. The report highlights strengths such as agentic alert triage, vertical AI integration with Gemini, curated Mandiant detection content mapped to MITRE ATT&CK, and high-performance search over large data volumes. These capabilities aim to reduce analyst workload and accelerate detection and response.
read more →

Rethinking MDR as Attackers Use AI at Scale

🛡️ For years MDR filled a real gap by providing 24/7 human triage when teams were understaffed, but the modern threat landscape has outpaced that model. AI-powered attackers, expanded attack surfaces, and high alert volumes mean roughly 60% of alerts go unreviewed and low-severity alerts can hide real breaches. The article argues AI-driven SOCs that automate forensic-depth investigation, close the loop into detection engineering, and align pricing to endpoint counts are required to restore coverage and scalability.
read more →

DSIT Rethinks Remediation to Simplify Vulnerability Fixes

🔍 The UK's DSIT manages security for over half a million government domains and is streamlining how vulnerabilities are communicated and fixed. Nick Woodcraft explained at Infosecurity Europe 2026 that DSIT focuses on clear, outcome-oriented guidance so non-experts can prioritise remediations. The department uses SIEM integration and NCSC channels to distribute trusted data and avoids overwhelming organisations by staging issue disclosures. Emphasis remains on basics like patching to mitigate faster-emerging threats.
read more →

Adaptive SIEM Correlation: Moving Beyond Static Rules

🔍 Traditional SIEM logic — fixed rules that match event A followed by event B — is increasingly insufficient against modern, sophisticated threats that use legitimate tools and supply-chain vectors. Kaspersky describes a shift to continuously updated correlation content informed by its MDR service and threat research. In 2025 the team delivered dozens of updates and hundreds of new or refined rules, and now maintains over 850 rules mapped to MITRE ATT&CK. Integration with Kaspersky EDR and expanded telemetry helps detect multi-stage attack chains and reduce false positives.
read more →

Can AI Solve SIEM Rule Sprawl Across Multiple Vendors

🤖 Enterprises migrating between SIEM platforms face repetitive, error-prone rule rewrites because vendors like Splunk, Microsoft Sentinel, IBM QRadar, and Google Chronicle use distinct query languages and data models. Researchers from the National University of Singapore propose ARuleCon, an AI-assisted framework that translates rules while preserving detection intent. In tests on nearly 1,500 conversions it improved accuracy about 10–15% over baseline LLM approaches. Practitioners caution that deterministic engineering, robust validation, and human oversight remain essential to avoid semantic drift and operational risk.
read more →

Configuration-Driven ETL to Convert Logs to OCSF at Scale

🔁 The AWS Professional Services team provides a configuration-driven ETL accelerator that converts custom security logs into OCSF v1.1 and writes OCSF-compliant Parquet files partitioned for use with Amazon Security Lake or other data lakes. The serverless-first solution uses S3, Lambda, DynamoDB, Step Functions and either AWS Glue or EMR Serverless, and ingests mapping and metadata CSVs to drive transformations. An open-source GitHub repository includes deployment artifacts, example mappings, and instructions to validate outputs and run historical loads.
read more →

CISOs Confront Widening AI Visibility and Risk Gaps

🔍 CISOs are scrambling to close visibility gaps as organizations rapidly adopt AI, confronting risks such as prompt injection, data poisoning, shadow AI, and agentic behaviors. Security leaders report limited insight into where AI is used and how models behave, forcing them to reposition existing tools, adopt new monitoring solutions, and formalize governance. While traditional controls like DLP and SIEM can mitigate many issues, experts warn no single solution is fully mature, so leaders must balance guardrails, emerging observability tools, and business velocity.
read more →

Engineering Fairness in Multi-tenant SIEM Platforms

🔎 While reviewing five popular SIEM solutions for a security awards panel, the author observed consistent marketing claims—24/7 SOCs, AI-driven detections, integrations and SLA promises—but a notable omission: how vendors manage multi-tenancy. The piece explains the engineering risk of the “noisy neighbor” effect in shared cloud stacks and shows how poor isolation can produce ingestion latency, delayed detection and violated SLAs. It recommends concrete architectural controls—admission control, fair-share scheduling and resource partitioning—and urges buyers to demand transparency or opt for dedicated clusters when compliance or performance require strict isolation.
read more →

Databricks Debuts Lakewatch SIEM: Cost and Strategy

🔍 Databricks has previewed Lakewatch, an agentic SIEM designed to extend the lakehouse into security analytics and offer a lower-cost alternative to traditional SIEMs. The vendor says it will charge for compute rather than data ingestion or storage, claiming up to an 80% reduction in total cost of ownership while retaining years of hot data. Analysts acknowledge the ingestion-cost problem and note potential savings for organizations that retain large volumes, but warn that costs can shift to compute and processing if usage is uncontrolled. Databricks bolstered its security credibility with acquisitions such as Antimatter and SiftD.ai, indicating a broader security roadmap.
read more →

CrowdStrike Adds Microsoft Defender Support to Falcon SIEM

🛡️ CrowdStrike is extending Falcon Next‑Gen SIEM to ingest and operationalize telemetry from third‑party EDRs, beginning with Microsoft Defender, without requiring a Falcon sensor. The release embeds real‑time data pipelines via Falcon Onum to filter, enrich, and route telemetry, and expands federated search to include Falcon LogScale, ExtraHop, and cloud archives. It also introduces Third‑Party Indicator Management to operationalize external threat intelligence and a Query Translation Agent to convert legacy searches into CQL. Together these capabilities aim to reduce ingestion costs, accelerate investigations, simplify SIEM migrations, and let teams modernize SOC operations without replacing endpoint agents.
read more →

Cloudflare Security Overview: From Noise to Action Today

🔍 Cloudflare’s redesigned Security Overview dashboard helps security teams turn overwhelming telemetry into prioritized, actionable remediation. The interface introduces Security Action Items — ranked by Critical, Moderate, and Low — alongside a Detection Tools module that indicates whether protections are actively enforcing or left in "Log Only" mode. Suspicious Activity cards deep-link into Security Analytics to preserve filters and speed triage.
read more →

Falcon Next-Gen SIEM: Sensor-Native Log Collection

🔒 CrowdStrike announces sensor-based log collector deployment in Falcon Next-Gen SIEM, leveraging the existing Falcon sensor footprint to automate collector installation and management. The policy-driven model enables host-group scoping, incremental rollouts, and real-time installation telemetry without separate distribution tooling or packaging workflows. Organizations can onboard external log sources faster while retaining centralized governance and RBAC.
read more →

Building a High-Impact Tier 1: 3 Steps CISOs Must Follow

🛡️ Tier 1 analysts handle the bulk of alerts but frequently lack the context and tooling needed to decide quickly and accurately. The piece advises CISOs to invest in three coordinated capabilities: live threat intelligence feeds to improve detection, automated enrichment and sandbox analysis to turn flags into findings, and comprehensive integration of intelligence into SIEM, EDR, and network controls. These steps reduce MTTD/MTTR, lower false positives, and shift Tier 1 work from manual research to high-value investigation.
read more →

Cloudflare Threat Intelligence Platform: Edge-native TIP

🛡️ Cloudflare’s Cloudforce One Threat Intelligence Platform is an edge-native TIP that centralizes global telemetry, analyst investigations, and automated defenses. It eliminates bulky ETL and monolithic databases by using a sharded, SQLite-backed Durable Object architecture and running GraphQL in Workers for sub-second, multi-shard queries. The platform enriches SIEM alerts with historical actor context, supports STIX2 exports, and can push instant protections via the Firewall API to close the loop between discovery and defense.
read more →

Operational Cost of Fragmented SOCs: Unify Now or Lose

🔍 New research from Microsoft and Omdia exposes how tool sprawl, manual triage, and alert overload are stretching security operations to a breaking point. SOC teams report using an average of 10.9 consoles, manually ingesting data frequently, and leaving roughly 42% of alerts uninvestigated. The study argues that unification, targeted automation, and governable AI-integrated workflows—centered on identity-to-endpoint controls—are essential to restore analyst capacity and reduce business risk.
read more →

SIEM Buyer’s Guide: Selecting Effective Security Tools

🔒 This guide helps security teams evaluate and select a Security Information and Event Management (SIEM) solution by outlining key selection criteria and practical trade-offs. It covers operational models (SaaS vs on-premises), analytics and AI/ML capabilities, log collection and parsing, alerting and role-based access, compliance requirements and ecosystem integrations. The guide also discusses pricing models and highlights vendors such as Splunk, Microsoft Sentinel and IBM QRadar to help start vendor research and pilot selection.
read more →

Criminal IP Integrates with IBM QRadar SIEM and SOAR

🔍 Criminal IP has integrated with IBM QRadar SIEM and SOAR, embedding external IP-based threat intelligence directly into detection, investigation, and response workflows. Firewall traffic forwarded to QRadar is analyzed via the Criminal IP API and observed IPs are automatically scored as High, Medium, or Low to help prioritize actions. Analysts can right-click IPs in Log Activity to view detailed Criminal IP reports, while pre-built SOAR playbooks automate IP and URL enrichment to accelerate response without leaving the QRadar environment.
read more →

Five Key Trends Reshaping the SIEM Market for 2025

🔍 Modern SIEM platforms have evolved far beyond simple log collection, embedding AI/ML, XDR, and SOAR to enable real-time detection, automated remediation, and analyst workspaces. Convergence with XDR and SOAR is creating unified platforms that reduce complexity and accelerate response, while many SMBs opt for MDR instead of maintaining full SIEM deployments. Economic shifts and AI compute costs are changing cloud vs. on-prem trade-offs, and vendors are consolidating functionality through M&A and bundling.
read more →

Proactive Cyber Resilience Strategies with Wazuh Platform

🔒 Wazuh is an open-source SIEM and XDR platform designed to help organizations build proactive cyber resilience by delivering centralized visibility, continuous detection, and automated response across endpoints, servers, cloud workloads and containers. It collects telemetry via agents, syslog and agentless methods, enabling early detection through log analysis, File Integrity Monitoring and correlation rules. Automated response actions and AI-assisted analysis speed containment and remediation while vulnerability detection and security configuration assessments support ongoing IT hygiene and compliance.
read more →