Security Information and Event Management (SIEM)

Security Information and Event Management (SIEM) is a technology platform that collects security-relevant log data from across an IT environment — servers, network devices, endpoints, applications, and cloud services — and correlates that data to detect threats and anomalies. SIEM platforms provide real-time alerting when log patterns match known attack signatures or anomalous behaviour baselines; centralised log storage for forensic investigation; compliance reporting by demonstrating audit trails; and dashboards for security operations teams to monitor the security posture. Major SIEM platforms include Splunk, Microsoft Sentinel, IBM QRadar, and open-source options such as Wazuh and OpenSearch (formerly OpenDistro for Elasticsearch). Cloud-native SIEM services have largely replaced on-premises deployments for new implementations.

For manufacturers operating under CRA obligations, SIEM serves several compliance-relevant functions:

• Build and signing infrastructure monitoring: The development pipeline and firmware signing infrastructure are high-value targets for supply chain attacks. SIEM monitoring of these systems can detect anomalous access patterns, configuration changes, or unusual signing activity that might indicate compromise.
• Exploitation detection: SIEM correlation rules can detect patterns in product telemetry or network monitoring data that suggest a published vulnerability in the manufacturer's products is being exploited against their infrastructure or customers.
• Incident investigation support: When a security incident occurs that may trigger CRA Article 14 notifications, SIEM provides the log data needed for rapid investigation and accurate incident characterisation.
• Audit trail for compliance: SIEM provides tamper-resistant log storage that creates an auditable record of security events — evidence that may be requested by MSAs during compliance investigations.

The SIEM's value depends on the quality and completeness of its log sources. Priority log sources for CRA manufacturers include:

• Source code management: Git event logs — commits, branches, pull requests, and access control changes — to detect unauthorised code modifications.
• CI/CD pipeline: Build logs, dependency resolution events, signing operations, and deployment actions.
• Signing infrastructure: HSM usage logs, code signing operations, and key access events.
• Vulnerability management tools: Dependency-Track and PSIRT system events — new high/critical findings, status changes, notification submissions.
• Product telemetry (where applicable): For cloud-connected products, aggregated telemetry indicating exploitation patterns or anomalous usage.
• Corporate network: Standard firewall, endpoint, and identity provider logs for detecting infrastructure compromises that could affect the development environment.

SOAR (Security Orchestration, Automation, and Response) extends SIEM by automating response actions triggered by SIEM alerts. Where SIEM detects and alerts, SOAR automatically executes response playbooks — for example, automatically isolating a compromised device, creating a PSIRT ticket for a new critical vulnerability finding, or drafting a ENISA notification based on a confirmed exploitation alert. For CRA manufacturers with high alert volumes or strict notification timelines, SOAR automation reduces the time between detection and response:

• A SOAR playbook can automatically create a PSIRT triage ticket when Dependency-Track raises a new Critical finding.
• A SOAR playbook can automatically prepare an Article 14 notification draft and route it for senior review when an exploitation alert fires, reducing the manual effort required to meet the 24-hour deadline.
• Response automation must be designed carefully to avoid false-positive triggers that result in erroneous regulatory notifications.