Common SIEM Terminology
SIEM platforms use a shared set of terms to describe how security data is collected, analyzed, and investigated. Understanding this terminology helps you interpret alerts, investigations, and reports consistently—regardless of the specific SIEM product you are using.
This article defines commonly used SIEM terms that appear throughout this documentation and across most SIEM platforms. The definitions are vendor‑neutral and intended to provide a shared baseline before moving into product‑specific behavior.
Use this article as a reference when you encounter unfamiliar SIEM terms while reviewing alerts, investigations, reports, or other documentation.
Core data and signal terms
Event
An event is a single piece of security‑relevant data generated by a system. Events represent raw activity such as a login attempt, process execution, configuration change, or network connection.
Events by themselves do not necessarily indicate malicious activity. They serve as inputs for analysis and correlation.
Log
A log is a record that contains one or more events. Logs are produced by systems such as servers, applications, firewalls, identity providers, and cloud services.
In SIEM contexts, the terms log and event are sometimes used interchangeably, but logs typically refer to the recorded data source, while events refer to individual records within that data.
Telemetry
Telemetry is a general term for security‑relevant data collected from systems and services. Telemetry may include logs, metrics, signals, or activity records.
SIEM platforms ingest telemetry from multiple sources to provide visibility across an environment.
Analysis and detection terms
Normalization
Normalization is the process of transforming incoming data into a consistent format. This allows events from different systems to be analyzed and compared uniformly.
Normalization typically standardizes fields such as users, devices, IP addresses, and timestamps.
Correlation
Correlation is the process of connecting related events across multiple data sources. Correlation helps identify patterns that may indicate suspicious or malicious behavior.
For example, authentication activity, endpoint actions, and cloud access tied to the same user may be correlated to reveal a broader incident.
Detection
A detection represents identified activity that may indicate risk, misuse, or malicious behavior. Detections are typically based on correlated events, rules, analytics, or behavioral patterns.
Detections are used to determine whether further investigation is required.
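The following Python script is an added example, not part of this article or of any SIEM product, that ties the Normalization, Correlation, and Detection terms above together on two constructed records: a syslog-style SSH login and a JSON cloud audit entry for the same user. Field names in the common schema and the detection rule name are illustrative assumptions.

```python
"""Minimal SIEM-style pipeline: normalize two heterogeneous events into one
schema, correlate them by user within a time window, then apply a rule."""
import json
import re
from datetime import datetime, timezone

# Constructed sample telemetry (not real data): a syslog SSH login line and
# a JSON cloud audit record; note the differing timestamp and user formats.
SSH_LINE = "Jan 14 10:02:17 web01 sshd[2201]: Accepted password for Alice from 203.0.113.9 port 51234 ssh2"
CLOUD_RECORD = '{"time":"2024-01-14T10:04:40Z","principal":"alice@example.com","sourceIp":"203.0.113.9","action":"DownloadObject"}'

SSH_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")

def normalize_ssh(line, year=2024):
    """Normalization: map a syslog SSH login onto the common schema (UTC time, lowercase user)."""
    m = SSH_RE.match(line)
    if not m:
        return None  # unparseable line is dropped rather than guessed at
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m.group(3).lower(), "device": m.group(2),
            "src_ip": m.group(4), "action": "login_success", "source": "ssh"}

def normalize_cloud(record):
    """Normalization: map a JSON cloud audit record onto the same schema."""
    r = json.loads(record)
    ts = datetime.strptime(r["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": r["principal"].split("@")[0].lower(), "device": "cloud",
            "src_ip": r["sourceIp"], "action": r["action"], "source": "cloud"}

def correlate(events, window_sec=600):
    """Correlation: group normalized events from any source by user when they fall within window_sec."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    chains = []
    for user, evs in by_user.items():
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        if len(evs) > 1 and span <= window_sec:
            chains.append({"user": user, "events": evs, "sources": sorted({e["source"] for e in evs})})
    return chains

def detect(chains):
    """Detection: a rule over correlated chains (host login followed by cloud download by the same user)."""
    detections = []
    for c in chains:
        actions = [e["action"] for e in c["events"]]
        if "login_success" in actions and "DownloadObject" in actions:
            detections.append({"user": c["user"], "rule": "login_then_cloud_download", "sources": c["sources"]})
    return detections
```

A detection here is only a candidate for investigation; whether it is a true or false positive is decided by the analyst with the context the chain carries.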
Indicator of Compromise (IOC)
An Indicator of Compromise (IOC) is an observable artifact that may suggest malicious activity. Examples include malicious IP addresses, file hashes, domain names, or known attack behaviors.
IOCs are often used as inputs for detection logic.
Alert and investigation terms
Alert
An alert is a notification generated when detected activity meets defined criteria. Alerts are designed to bring attention to activity that may require investigation.
Alerts typically include contextual information to help analysts understand what happened and assess potential impact.
Severity
Severity is a classification that indicates the relative importance or urgency of an alert. Severity helps teams prioritize investigation and response efforts.
Severity does not automatically imply confirmed malicious activity—it reflects assessed risk based on available context.
Investigation
An investigation is the process of reviewing alerts and related activity to determine what occurred, how systems or users were affected, and whether response actions are needed.
Investigations often involve examining timelines, correlated events, and related entities such as users or devices.
False positive
A false positive occurs when an alert or detection indicates suspicious activity that is ultimately determined to be benign or expected behavior.
Reducing false positives is a common goal of SIEM correlation and tuning.
False negative
A false negative occurs when malicious activity is not detected or does not generate an alert.
SIEM platforms aim to reduce false negatives by correlating data across multiple sources.
Response and outcome terms
Response
Response refers to the actions taken after an investigation confirms or prioritizes an issue. Responses may include containment, remediation, documentation, or escalation.
SIEM platforms typically support investigation and decision‑making rather than acting as the response mechanism themselves.
Remediation
Remediation involves correcting or mitigating the root cause of an incident. Examples include disabling compromised accounts, isolating systems, or reversing unauthorized changes.
Audit and compliance
Audit and compliance activities involve reviewing historical security data to demonstrate adherence to regulatory or organizational requirements.
SIEM platforms support these activities by retaining, organizing, and reporting on security‑relevant data.
Summary
These terms form the shared vocabulary used throughout SIEM platforms and security operations. Understanding them helps you interpret alerts, investigations, and reports consistently as you move into more advanced and product‑specific topics.
Related articles
- How Kaseya SIEM works: Learn how these SIEM concepts are implemented in Kaseya SIEM
- Using Kaseya SIEM: See how alerts and investigations are handled during day‑to‑day operations