How a SIEM system works
A SIEM system is essentially a specialized Big Data analysis system that seeks to generate useful insights from the mass of events and other data that it ingests and stores. The key source of data is the logs generated by systems, including your servers and security appliances, but SIEMs can ingest a variety of other sorts of data, including NetFlow and network packets, as well as contextual information about users, assets, threats, and vulnerabilities that can be found inside or outside your organization.
This data from diverse sources must then be “normalized,” or reformatted so that the SIEM can make sense of it.