Glossary

SIEM (Security Information and Event Management)

A Security Information and Event Management (SIEM) platform centralizes logs and security events from across an organization — endpoints, network devices, cloud services, identity providers — and runs detection rules against the combined feed. SIEMs are the historical foundation of SOC operations and remain the system of record for security telemetry. Examples include Splunk, Microsoft Sentinel, Elastic Security, and Sumo Logic.

In depth

The relationship between SIEM and EDR has shifted over time. Traditionally the SIEM was the alert hub and the EDR was one of many telemetry sources feeding it. Modern EDR platforms increasingly handle detection autonomously, and the SIEM is more often used for cross-source correlation, retention, and compliance reporting than for the front-line alert queue.
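The cross-source correlation mentioned above is the part of the job an EDR alone cannot do, because it never sees the identity provider's view of a sign-in. The following is an added example, not code from PocketSOC or from any SIEM vendor. It normalizes constructed events from three sources (an identity provider, an EDR, and a firewall) into one schema and runs two rules over them: a single-source brute-force rule, and a cross-source rule that fires only when a brute-forced sign-in is followed by encoded PowerShell run by the same user on an endpoint. All field names, thresholds and sample events are assumptions made for the illustration.

```python
"""Cross-source correlation of the kind a SIEM performs, over constructed events.

Assumptions (not from the glossary page): the raw field names, the
normalization mapping, the thresholds and the two rules are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three sources, each in its own native shape.
RAW_EVENTS = [
    # Identity provider: three failed sign-ins for alice, then a success from the same IP.
    {"src": "idp", "ts": "2024-03-01T09:00:01Z", "user": "alice", "ip": "203.0.113.7", "result": "fail"},
    {"src": "idp", "ts": "2024-03-01T09:00:04Z", "user": "alice", "ip": "203.0.113.7", "result": "fail"},
    {"src": "idp", "ts": "2024-03-01T09:00:09Z", "user": "alice", "ip": "203.0.113.7", "result": "fail"},
    {"src": "idp", "ts": "2024-03-01T09:00:15Z", "user": "alice", "ip": "203.0.113.7", "result": "success"},
    # EDR: process creation on endpoints.
    {"src": "edr", "ts": "2024-03-01T09:03:20Z", "host": "ws-17", "account": "alice",
     "image": "powershell.exe", "cmdline": "-nop -w hidden -enc SQBFAFgA"},
    {"src": "edr", "ts": "2024-03-01T09:10:00Z", "host": "ws-22", "account": "bob",
     "image": "outlook.exe", "cmdline": ""},
    # Firewall: outbound connection from the same endpoint (carried along, not used by the rules).
    {"src": "fw", "ts": "2024-03-01T09:03:35Z", "host": "ws-17", "dst": "198.51.100.9", "dport": 443},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(ev):
    """Map each source's native fields onto one common schema (assumed schema)."""
    base = {"ts": parse_ts(ev["ts"]), "source": ev["src"]}
    if ev["src"] == "idp":
        base.update(user=ev["user"], host=None, action=f"signin_{ev['result']}", detail=ev["ip"])
    elif ev["src"] == "edr":
        base.update(user=ev["account"], host=ev["host"], action="process_create",
                    detail=f"{ev['image']} {ev['cmdline']}".strip())
    elif ev["src"] == "fw":
        base.update(user=None, host=ev["host"], action="net_connect",
                    detail=f"{ev['dst']}:{ev['dport']}")
    else:
        raise ValueError(f"unknown source {ev['src']!r}")
    return base


def detect_brute_force_success(events, threshold=3, window=timedelta(minutes=5)):
    """Single-source rule: at least `threshold` failed sign-ins for a user,
    followed by a successful sign-in within `window`."""
    hits = []
    by_user = defaultdict(list)
    for e in events:
        if e["source"] == "idp":
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["action"] != "signin_success":
                continue
            fails = [f for f in evs[:i]
                     if f["action"] == "signin_fail" and e["ts"] - f["ts"] <= window]
            if len(fails) >= threshold:
                hits.append({"user": user, "ts": e["ts"], "fails": len(fails), "ip": e["detail"]})
    return hits


def detect_logon_then_encoded_powershell(events, window=timedelta(minutes=15)):
    """Cross-source rule: a brute-forced sign-in (IdP) followed within `window`
    by encoded PowerShell (EDR) running as the same user. Neither source sees
    both halves on its own; only the combined feed does."""
    alerts = []
    for logon in detect_brute_force_success(events):
        for e in events:
            if (e["source"] == "edr" and e["user"] == logon["user"]
                    and e["action"] == "process_create"
                    and "powershell" in e["detail"].lower()
                    and "-enc" in e["detail"].lower()
                    and timedelta(0) <= e["ts"] - logon["ts"] <= window):
                alerts.append({"user": logon["user"], "host": e["host"], "logon_ip": logon["ip"],
                               "cmd": e["detail"],
                               "lag_s": int((e["ts"] - logon["ts"]).total_seconds())})
    return alerts


def run(raw_events=RAW_EVENTS):
    """Normalize the raw feed and return the cross-source alerts."""
    events = [normalize(ev) for ev in raw_events]
    return detect_logon_then_encoded_powershell(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

In a production SIEM the same two steps, normalize to a common schema and then join across sources on a shared key (here the user name) within a time window, are written in the platform's query language rather than Python; the shape of the logic is what this example is meant to show. Note that bob's ordinary `outlook.exe` launch never fires, and alice's encoded PowerShell would not fire either without the IdP brute-force context that precedes it.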

SIEM and PocketSOC

PocketSOC is not a SIEM and does not replace one. It is a mobile responder interface for the alert queue and host containment workflow — see our position on SIEM and EDR consoles. The PocketSOC Enterprise plan does support log forwarding from the portal to Splunk for organizations that want PocketSOC activity to land in their SIEM.

EDR →

Endpoint Detection and Response (EDR) is a category of security software that continuously monitors endpoints — laptops, servers, and workstations — for malicious activity.

SOC →

A Security Operations Center (SOC) is the team and facility responsible for continuously monitoring an organization's security posture.

Incident Response →

Incident response (IR) is the structured process of preparing for, detecting, containing, eradicating, recovering from, and learning from security incidents.