By Joshua Riesenweber
TL;DR
Modern security platforms now do natively what organisations once needed a SIEM to build. For years, a SIEM was the only way to correlate signals across endpoint, identity, and cloud.
That stopped being true.
Background
The SIEM has been the centrepiece of security operations for many years. At first glance the value proposition is straightforward: aggregate everything in one place, write detection logic, correlate events, and let the security team work from a single pane of glass. For a good SOC (security operations centre) team there was clear value here: security tools were immature, and extracting meaningful signal from them took a lot of work.
In practice today, a lot of organisations are paying high ingestion bills for a platform that is largely re-processing alerts their security tools already produce, ingesting logs that are rarely (if ever) used in correlation (<cough> firewall hits <cough>), writing detection rules they could have had out of the box, and building alert logic that modern endpoint, identity, and email platforms now do natively.
This is not an argument that SIEMs are dead. It is an argument that a lot of organisations are funding infrastructure when they should be funding outcomes.
What you're actually paying for
The sticker price of a SIEM is not the cost of a SIEM. Licensing models based on data ingestion create a system where doing the right thing (logging broadly, retaining longer, correlating more sources) shows up directly as a bigger bill.
Stats
The SANS 2025 SOC Survey found that:
- 42% of SOCs ingest data into their SIEM without a plan for retrieval or analysis.
- 85% of respondents say endpoint security alerts are their primary trigger for response.
Before you’ve built a single detection rule, you are paying to ingest, parse, normalise, and index data from every source in your environment. For organisations with cloud workloads, that volume can sprawl quickly.
Beyond licensing, the operational cost is the piece that surprises a lot of people. A SIEM does not detect threats by itself. It is infrastructure on which detection can be built. That building requires detection engineers who understand both the platform query language and the underlying threats, ongoing tuning as the environment changes, and a feedback loop between false positives and rule refinement. None of that is included in the licence.
Security Tools Grew Up
Five years ago, the case for a SIEM was stronger because the security platforms themselves were relatively limited detectors. Your endpoint protection might alert on a known hash. Your email gateway might block a known domain. Your identity platform might log a failed login. But connecting those signals (understanding that the same user failed to log in from an unusual country, then received a phishing email, then ran an unusual binary) required a centralised log aggregation layer with correlation rules on top.
That is no longer the only way to achieve correlation.
Microsoft Defender XDR, CrowdStrike Falcon, SentinelOne, and similar platforms now do signal correlation natively. They ingest telemetry from endpoint, identity, cloud, email, and network, and they apply detection logic across all of those simultaneously.
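To make concrete what a "correlation rule" actually is, here is an added example (not code from the original article or from any vendor named above) that stitches together the sequence described earlier: a failed login from an unusual country, then a phishing email, then an unusual binary, for the same user within a time window. The event schema, field names and sample telemetry are constructed for this example and do not follow any real product's format; the point is that the logic itself is small, and the expensive part is the aggregation layer underneath it.

```python
"""Minimal cross-source correlation rule (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # which product emitted it: "identity", "email", "endpoint"
    user: str
    kind: str     # normalised event type; a real SIEM does this in its parsers
    detail: str


# Constructed sample telemetry from three separate products (not real logs).
SAMPLE_EVENTS = [
    Event(datetime(2025, 3, 4, 9, 2), "identity", "j.doe", "failed_login", "country=RO"),
    Event(datetime(2025, 3, 4, 9, 40), "email", "j.doe", "phish_delivered", "subject=Invoice overdue"),
    Event(datetime(2025, 3, 4, 10, 5), "endpoint", "j.doe", "unusual_process", "rundll32.exe from %TEMP%"),
    # a.smith has the pieces but not in order and not within the window
    Event(datetime(2025, 3, 4, 11, 0), "identity", "a.smith", "failed_login", "country=BR"),
    Event(datetime(2025, 3, 4, 12, 0), "endpoint", "a.smith", "unusual_process", "certutil.exe -urlcache"),
    Event(datetime(2025, 3, 5, 9, 0), "email", "a.smith", "phish_delivered", "subject=MFA reset"),
]

# The ordered chain the rule looks for.
CHAIN = ("failed_login", "phish_delivered", "unusual_process")


def _match_chain(timeline: list[Event], window: timedelta) -> list[Event] | None:
    """Return the first in-order occurrence of CHAIN within `window`, else None."""
    for start, first in enumerate(timeline):
        if first.kind != CHAIN[0]:
            continue
        matched, stage = [first], 1
        for ev in timeline[start + 1:]:
            if ev.ts - first.ts > window:
                break                      # window expired for this start event
            if ev.kind == CHAIN[stage]:
                matched.append(ev)
                stage += 1
                if stage == len(CHAIN):
                    return matched
    return None


def correlate(events: Iterable[Event], window: timedelta = timedelta(hours=4)) -> list[dict]:
    """One finding per user whose events contain CHAIN in order within `window`."""
    by_user: dict[str, list[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):   # normalise ordering first
        by_user.setdefault(ev.user, []).append(ev)

    findings = []
    for user, timeline in by_user.items():
        hit = _match_chain(timeline, window)
        if hit:
            findings.append({
                "user": user,
                "start": hit[0].ts,
                "end": hit[-1].ts,
                "sources": [e.source for e in hit],
                "evidence": [e.detail for e in hit],
            })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['user']}: {f['start']} -> {f['end']} via {f['sources']}")
```

Run as-is, this flags only j.doe; a.smith's events never line up in order inside the four-hour window, which is the kind of tuning decision (order, window size, which event types count) that ends up being the real engineering cost of a rule like this.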
This is not "One-Size-Fits-All"
There are environments where a SIEM continues to make clear sense.
Regulatory and compliance requirements
Several compliance frameworks and government mandates require centralised log retention and query capability. In those contexts, a SIEM is often the clearest way to comply.
Bespoke or legacy technology
Organisations with significant custom-built applications, OT/SCADA environments, or legacy platforms that have no native detection capability still benefit from a centralised log layer. XDR platforms have excellent coverage of modern commercial software, but there are architectures that a SIEM still suits better.
Multi-vendor / complexity
Large enterprises with complex environments (multiple identity providers, business units with separate endpoint vendors, complex network segmentation) may find that a SIEM remains the most practical approach.
Sovereign data and audit trail requirements
Government and critical infrastructure organisations may have requirements around log custody, chain of evidence, and auditability that are best met by a controlled on-premises or sovereign-cloud log repository.
Questions Worth Asking
Whether you are evaluating a new SIEM or coming up to renewal on an existing one, these are questions worth working through.
- What percentage of your current alerts originate from platform detection versus SIEM correlation rules you wrote?
- How many active, maintained detection rules do you have in your SIEM? When were they last reviewed?
- What is your total cost of ownership (licence, ingestion overage, engineering time, analyst time), not just the platform fee?
- If your SIEM went offline tomorrow, which threats would you genuinely miss that your XDR or endpoint platform would not catch?
- Are you retaining logs in the SIEM for compliance or for detection? Could those functions be separated?
- Could your detection engineering hours be better spent tuning and building coverage in the platforms you actually use?
- What would it cost to get equivalent 24/7 coverage in MDR versus maintaining the SIEM model?
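Several of these questions (which sources are ingested without ever being queried, which rules merely pass platform alerts through, what the ingestion line actually costs) can be answered with a simple join between per-source ingestion volume and the sources each active rule queries. The following is an added example of that audit, not code from the original article; the source names, daily volumes, rule definitions, the per-GB price and the list of which sources are platform alert feeds are all constructed placeholders to be replaced with your own export.

```python
"""SIEM ingestion-versus-detection audit (added example, constructed data)."""
from __future__ import annotations

from collections import defaultdict

# Constructed: daily ingestion per log source in GB (what the bill is based on).
INGEST_GB_PER_DAY = {
    "firewall": 180.0,
    "windows_security": 45.0,
    "entra_signin": 12.0,
    "m365_mail": 8.0,
    "edr_alerts": 3.0,
    "dns": 60.0,
}

# Constructed: active rules and the sources each one queries.
RULES = {
    "brute_force_then_success": {"entra_signin"},
    "phish_then_unusual_process": {"m365_mail", "edr_alerts"},
    "edr_alert_passthrough": {"edr_alerts"},
    "dns_tunnelling_entropy": {"dns"},
}

# Constructed: sources that are already alerts from a platform with its own detection.
PLATFORM_ALERT_FEEDS = {"edr_alerts"}

PRICE_PER_GB = 3.00   # constructed placeholder for an ingestion rate


def audit(ingest: dict[str, float], rules: dict[str, set[str]],
          price_per_gb: float, platform_feeds: set[str]) -> dict:
    """Join ingestion volume to rule coverage and price the unused portion."""
    referenced: dict[str, set[str]] = defaultdict(set)
    for rule, sources in rules.items():
        for src in sources:
            referenced[src].add(rule)

    rows = []
    for source, gb in sorted(ingest.items(), key=lambda kv: -kv[1]):
        rows.append({
            "source": source,
            "gb_per_day": gb,
            "monthly_cost": round(gb * 30 * price_per_gb, 2),
            "rules": sorted(referenced.get(source, ())),
        })

    unused = [r for r in rows if not r["rules"]]
    # Rules that only read platform alert feeds add no correlation of their own:
    # the platform already produced that alert.
    passthrough = sorted(rule for rule, srcs in rules.items() if srcs <= platform_feeds)

    return {
        "rows": rows,
        "unused_sources": [r["source"] for r in unused],
        "unused_monthly_cost": round(sum(r["monthly_cost"] for r in unused), 2),
        "total_monthly_cost": round(sum(r["monthly_cost"] for r in rows), 2),
        "passthrough_rules": passthrough,
    }


if __name__ == "__main__":
    report = audit(INGEST_GB_PER_DAY, RULES, PRICE_PER_GB, PLATFORM_ALERT_FEEDS)
    for r in report["rows"]:
        rules = ", ".join(r["rules"]) or "(no rule reads this)"
        print(f"{r['source']:<18}{r['gb_per_day']:>8.1f} GB/day  {r['monthly_cost']:>10.2f}/mo  {rules}")
    print(f"unused ingestion: {report['unused_sources']} = {report['unused_monthly_cost']:.2f}/mo "
          f"of {report['total_monthly_cost']:.2f}/mo")
    print(f"single-source passthrough rules: {report['passthrough_rules']}")
```

With the constructed figures, the two highest-volume sources feed no rule at all and account for most of the monthly ingestion cost, which is the usual shape of the problem: the sources that cost the most are the ones nobody wrote a detection for. The same join, run against a real rule export, is the quickest way to answer the first, third and fifth questions above before a renewal conversation.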
The Division 5 Approach
Division 5 does not have a commercial interest in recommending a SIEM or ruling one out. Our MDR service connects directly to the platforms your organisation operates, and we work with what gives the best detection coverage in your specific environment.
Closing Notes
In practice, many Australian mid-market organisations are better served by direct-to-platform MDR than by adding a SIEM layer. The coverage is comparable and the cost is lower.
For organisations with genuine compliance mandates, OT environments, or high complexity, we take a different position. In some cases that means helping a client ingest existing SIEM alerting more effectively rather than replacing it.
What we do not do is recommend a platform because it is convenient for us or because it was the right answer five years ago. Security operations changed significantly when the major platforms matured their native detection capabilities, and that change is still working its way through how most organisations think about their stack.
If you are approaching a SIEM renewal and want an honest assessment of whether it is still the right investment for your environment, our team is happy to work through it with you.