The Evolving Blueprint of TDIR Architecture
Is the SIEM Still the Security Core?
For years, the SIEM system has been the core of the SOC, sitting at the center of the Threat Detection, Investigation, and Response (TDIR) architecture. It served as the central brain, performing three critical, overlapping functions.
The Traditional SIEM-Centric TDIR Model
In the traditional model, the SIEM is tasked with:
Detection System: Collecting granular events from various data sources (like identity providers) and applying detection logic (rules, ML models) to identify potential threats. For example, applying a rule to raw authentication events in order to raise an alert on suspicious sign-in activity. (SIEM as a detection system)
Consolidation and Aggregation System: Collecting alerts generated by other security solutions (EDR, email security, IDP) and correlating them into a unified attack chain or case. This provides investigators with crucial context—for instance, connecting a phishing email alert, a suspicious URL access, and a subsequent malware execution into a single, comprehensive investigation case.
Log Management and Data Retention System: Maintaining all granular events and alerts for long periods, acting as a single source of truth for analysts performing investigations and threat hunting. (SIEM as log management, data retention system)
The appeal of this model is its centralization of signals, which naturally enables all three use cases and encourages the idea of centralized investigation.
This centralized position made the SIEM a highly attractive tool, yet having all these functions bundled together has often led to the tool becoming bloated, expensive, and complex to maintain, rarely delivering good results across all use cases simultaneously. Many organizations still struggle with partial implementations, driving a search for a more flexible, cost-effective TDIR pattern.
The Critical Role of Detection Architecture
The trend of SIEMs evolving into primarily alert aggregators underscores the importance of “detection architecture”—a critical planning step that precedes detection engineering.
A robust detection architecture requires a good understanding of how every piece of your environment—including different threat categories and technologies—will be covered for detection.
Specialized Tools: Certain threats and environments are best covered by specialized tools (e.g., XDR/EDR for endpoints, CNAPP/CSPM for cloud environments). These tools handle the detection logic locally and send resulting alerts downstream.
Centralized Telemetry: Other systems lacking specialized detection capabilities funnel their granular telemetry into a centralized system (historically the SIEM, often with a UEBA component) where custom detection logic is applied.
This is a multidimensional puzzle every organization must assemble according to its unique needs. However, the outcome is clear: the SIEM will almost never be entirely responsible for detection.
This reality forces us to focus on the downstream TDIR architecture: Where should all the alerts—both from specialized tools and the SIEM itself—go next?
Option A: Route every alert into the SIEM for an additional layer of contextualization and correlation.
Option B: Send all individual alerts, from the SIEM and from other sources, downstream directly to an investigation engine, such as an AI-SOC solution.
The Emerging Decentralized TDIR Pattern
The decentralized model embraces Option B, allowing for a more agile and cost-effective TDIR architecture:
Distributed Detections: Detection logic is run where the data originates (in specialized security tools or the SIEM for niche/custom needs).
Centralized Investigation Engine: Individual alerts are sent directly to an AI-SOC solution. This tool becomes the hub for performing or supporting the investigation. Connecting individual alerts related to the same threat happens at investigation time.
Data-on-Demand: The AI-SOC queries the necessary security and infrastructure systems at investigation time to collect additional data and context. This key shift eliminates the massive, costly, and often unnecessary need to send all data in advance to a centralized location.
Cost-Effective Retention: Granular, voluminous data needed for long-term retention is stored in cheaper data repositories like S3 buckets, Databricks, Snowflake, or other data lakes, which can be easily queried by the investigation engine when needed.
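The following is an added example, not code from the original post or from any vendor it mentions. It sketches the decentralized flow in Python: a small custom rule runs over a niche source (authentication events, the "SIEM-Lite" role), its alert joins alerts emitted by specialized tools, and an investigation engine groups them into a case only at investigation time, querying a cheap retention store on demand to tie a host-based EDR alert back to the user in question (the phishing, URL, malware chain described in the first section). All events, alerts, sessions, thresholds and function names are constructed for illustration; `LAKE_SESSIONS` stands in for an S3 bucket or data-lake table that would be queried over an API.

```python
"""Decentralized TDIR sketch (added example): detectors run at the source,
alerts flow to an investigation engine that correlates them and pulls
extra context on demand from a cheap retention store."""
from collections import defaultdict

# --- Constructed sample data; not from any real environment ---------------
# Raw authentication telemetry from a source with no native detection.
AUTH_EVENTS = [
    {"ts": 100 + i, "user": "alice", "src_ip": "203.0.113.5", "result": "fail"}
    for i in range(6)
] + [
    {"ts": 120, "user": "alice", "src_ip": "203.0.113.5", "result": "success"},
    {"ts": 121, "user": "bob", "src_ip": "198.51.100.9", "result": "fail"},
]

# Alerts already produced by specialized tools (detection logic ran locally).
TOOL_ALERTS = [
    {"source": "email-security", "ts": 130, "entity": "alice", "entity_type": "user",
     "title": "phishing email delivered"},
    {"source": "web-proxy", "ts": 140, "entity": "alice", "entity_type": "user",
     "title": "access to suspicious URL"},
    {"source": "edr", "ts": 150, "entity": "host-17", "entity_type": "host",
     "title": "malware execution"},
    {"source": "edr", "ts": 500, "entity": "host-99", "entity_type": "host",
     "title": "suspicious script"},  # no session data: stays its own case
]

# Stand-in for the long-term store (S3 / data lake): interactive sessions.
LAKE_SESSIONS = [
    {"ts": 145, "user": "alice", "host": "host-17"},
]


def detect_failed_login_burst(events, threshold=5, window=60):
    """Custom rule for a niche source: `threshold` failures by one user
    within `window` seconds produce a single alert for that burst."""
    alerts = []
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] == "fail":
            by_user[ev["user"]].append(ev["ts"])
    for user, stamps in by_user.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:  # slide the window
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"source": "siem-lite", "ts": stamps[end],
                               "entity": user, "entity_type": "user",
                               "title": f"{end - start + 1} failed logins in {window}s"})
                break  # one alert per user per burst
    return alerts


def query_lake_users_on_host(host, around_ts, tolerance=60):
    """Data-on-demand: ask the retention store who had a session on `host`
    within `tolerance` seconds of the alert. Nothing is shipped in advance."""
    return sorted({s["user"] for s in LAKE_SESSIONS
                   if s["host"] == host and abs(s["ts"] - around_ts) <= tolerance})


def resolve_entity(alert):
    """Map an alert to a user so alerts from different tools can be joined.
    Returns None when the host cannot be tied to exactly one user."""
    if alert["entity_type"] == "user":
        return alert["entity"]
    users = query_lake_users_on_host(alert["entity"], alert["ts"])
    return users[0] if len(users) == 1 else None


def build_cases(alerts):
    """Investigation-time correlation: group alerts by resolved user; alerts
    that cannot be resolved become their own case keyed by the raw entity."""
    cases = defaultdict(list)
    for alert in alerts:
        key = resolve_entity(alert) or f"{alert['entity_type']}:{alert['entity']}"
        cases[key].append(alert)
    return {k: sorted(v, key=lambda a: a["ts"]) for k, v in cases.items()}


def attack_chain(case):
    """Human-readable timeline for one case."""
    return [f"{a['ts']}:{a['source']}:{a['title']}" for a in case]


if __name__ == "__main__":
    all_alerts = detect_failed_login_burst(AUTH_EVENTS) + TOOL_ALERTS
    for key, case in build_cases(all_alerts).items():
        print(key, "->", attack_chain(case))
```

Run as a script, the `alice` case lists the failed-login burst, the phishing email, the suspicious URL access and the EDR alert from host-17 as one timeline, while the host-99 alert remains a separate case because the on-demand query returned no session for it. The design choice worth noting is that the join key (user) is computed when the investigation starts, not when the data is ingested, which is what lets the raw session data stay in the cheap store.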
The Future: SIEMless or Just SIEM-Lite?
The decentralized pattern is the clear current trend. However, organizations must address the two main challenges:
Handling Detection Gaps: For systems without native detection capability (e.g., custom application logs), a SIEM or UEBA component is still needed. The compromise is adopting a smaller, specialized SIEM (Maybe a “SIEM-Lite”?) just for these niche, custom-detection use cases.
Consolidated View: The SOC needs a way to have a consolidated view of detection coverage across all distributed detection tools.
The power of AI systems is what makes the decentralized model practical. AI-SOC capabilities simplify the complexity of managing distributed systems by:
Dynamically generating and translating threat-hunting and investigation plans across multiple disparate technologies and APIs.
Removing the need to write detailed and prescriptive playbooks in advance, which usually require extensive pre-work and continuous maintenance.
The move toward a decentralized system points to less reliance on a single, monolithic SIEM as the sole TDIR core. It fosters a more flexible, loosely coupled, and agile architecture capable of adapting to the rapid pace of modern cyber threats.
Thanks to Filip Stojkovski for the LinkedIn post that served as inspiration for this thinking nugget.