Director of Community at PeerSpot (formerly IT Central Station)
  • 6
  • 559

What are the main differences between XDR and SIEM?

Hi infosec professionals,

What are the main architectural differences between those two technologies? What are the relations between the two of them? Are they complementary?

What does an XDR solution provide that SIEM doesn't and vice versa?

Thanks for sharing your knowledge with the community!

PeerSpot user
6 Answers
Real User
Top 5
Feb 28, 2022

SIEM focuses on correlation - detection, both known (and with UEBA), unknown/0 Day anomalies.

XDR focuses on blocking - usually of only known patterns - If on Threat Intel List, block - much like implementing AV at a firewall/network level, not entirely dissimilar to IPS.  

Most organizations don't even configure their IDS to block and do IPS.

In my opinion, SIEM/UEBA should be used to detect the threats, confirm multiple indicators and feed SOAR to block them. 

Historically pulling in threat intel lists and even alerting on matches has had a high false-positive rate (>66%). Blocking in low-accuracy detection scenarios leads to Denial of Service events.

In the end, both SIEM and XDR are as good or bad as their intelligence and correlation capabilities. Garbage In, Garbage Out. 

FWIW I'm in favor of many default blocking policies. Allow by exception only. ITAR and OFAC country lists for instance are easy wins with few false-positive scenarios.

I look at XDR much like a firewall with open-source intelligence lists automatically blocked. Not entirely bad, but as much detection, correlation, or confirmation abilities as I'd like to automate threat detection and response.

Search for a product comparison in Security Information and Event Management (SIEM)
CEO at Sentree Systems, Corp.
Top 5
Mar 1, 2022

A SIEM is basically a solution/product that collects all security and syslog data from whatever device you send to it, to store and help decipher all of that data for your needs, like compliance or forensics. 

But it can be very labor-intensive if you do not have a team of people that knows what they are looking for. 

XDR's have more AI built in them and like its cousin EDR, which only looks at the endpoints, XDR (Extended Detection & Response) can also monitor your firewalls and even traffic from your IoT devices. 

But you will still need a team to know what they are looking for.  

If you don't have a team, you can look at MDR (Managed Detection & Response). MDR's already have the team with the expertise to detect and help your respond better than trying to figure it out by yourself.  

But if you have a team (or plan on building one out), the combination of a SIEM with an XDR solution is a good way to go.

Nicholas Arraje - PeerSpot reviewer
Regional Sales Director at Bricata
Feb 28, 2022

XDR as a solution is still evolving and means different things to different organizations.  

Each vendor has a different spin on XDR as they try to win the market and enterprises struggle to figure out what XDR includes and doesn't.  

I try to take a simpler approach as XDR stands for Extended Detection and Response where the extended is referring more than EDR (endpoint detection and response). XDR is the ability of an EDR solution to do more or ingest or provide more detection beyond the endpoint (network or other sources).  

Therefore, you will find EDR vendors talking about XDR as well as SIEM providers.  

Since the SIEM can manage information and events from sources like an EDR, it can then ingest information and events from other locations beyond the endpoint and provide XDR capabilities.  

In many cases today, it is the combination of an EDR tool and a SIEM to provide XDR capabilities. 

We, see many customers adding NDR (Network Detection and Response) to their EDR environments and with tight integrations with the SIEM. 

Does EDR + NDR + SIEM equal XDR? In many cases, yes.  

Regional Manager/ Service Delivery Manager at ASPL INFO Services
Real User
Feb 27, 2022

Hope the below will be helpful

Key differences between SIEM and XDR
Domain coverage Multi domain coverage: Single domain coverage: TDIR
– Threat detection, investigation, and response (TDIR)
– Compliance
– Centralized storage
– Reporting
Design approach Designed for customization and “just in case” situations Designed to be focused on efficient TDIR
Data location Typically assumes that the data needs to be centralized in the SIEM Typically assumes that data could be stored anywhere and/or doesn’t need to be stored for the long term
Delivery model Can be on-prem, cloud-delivered or both Cloud-delivered
Storage requirement Offers an infinitely scalable storage Doesn’t always offer long-term storage
Detection approach Typically focuses on correlation-based analytics Typically offers machine learning-based advanced analytics
Automation approach Typically offers very flexible orchestration, automation, and playbooks for TDIR and non-TDIR use cases. Typically offers prepackaged, use case–specific TDIR with prescriptive orchestration, automation, and playbooks

Senior Security Engineer at a tech services company with 1,001-5,000 employees
Real User
Top 20
Feb 28, 2022

Although it's from the vendor, it's a good description of SIEM / SOAR / XDR, etc. 


Partner Account Manager 🔆 at SEC DataCom A/S
Feb 28, 2022


I found this on the SentinelOne website:

"How Is XDR Different From SIEM?

When we talk about XDR, some people think that we are describing a Security Information & Event Management (SIEM) tool in a different way. But XDR and SIEM are two different things.

SIEM collects, aggregates, analyzes, and stores large volumes of log data from across the enterprise. SIEM started its journey with a very broad approach: collecting available log and event data from almost any source across the enterprise to be stored for several use cases. These included governance and compliance, rule-based pattern matching, heuristic/behavioral threat detection like UEBA, and hunting across telemetry sources for IOCs or atomic indicators.

SIEM tools, however, require a lot of fine-tuning and effort to implement. Security teams can also get overwhelmed by the sheer number of alerts that come from a SIEM, causing the SOC to ignore critical alerts. In addition, even though a SIEM captures data from dozens of sources and sensors, it is still a passive analytical tool that issues alerts.

The XDR platform aims to solve the challenges of the SIEM tool for effective detection and response to targeted attacks and includes behavior analysis, threat intelligence, behavior profiling, and analytics."

Learn what your peers think about Splunk. Get advice and tips from experienced pros sharing their opinions. Updated: December 2022.
670,331 professionals have used our research since 2012.
Related Questions
User at M2P Fintech
Jan 16, 2023
Hi peers,  I work at a medium-sized financial services firm. I am currently researching SIEM solutions and would like to understand the difference between SIEM and Next-Gen SIEM solutions. In addition, I would like to know what are the differences between Gurucul and Wazuh. Thank you for your help.
See 2 answers
Jan 14, 2023
"SIEM" and "Next-Gen SIEM" are often used in marketing and may not have a clear definition. Each vendor may have their own interpretation of these terms. The main difference between SIEM and Next-Gen SIEM (often called XDR) is the responsibility for creating security detections. Next-Gen solutions typically offer more pre-built detections and require less maintenance compared to traditional SIEMs, which primarily focus on collecting log data.   Comparing Gurucul and Wazuh, some key differences between the two include: Wazuh is open-source, while Gurucul's SIEM solution is proprietary. Wazuh focuses on providing detailed visibility and control over an organization's endpoint security, whereas Gurucul's SIEM solution provides a broader range of security features such as threat intelligence, user behavior analytics, and incident response.
SiddhantMishra - PeerSpot reviewer
Cyber Security Consultant at DNIF
Jan 16, 2023
SIEM (Security Information and Event Management) is a security management system that uses software to collect, store, and analyze security-related data from various sources. It provides a centralized view of the security posture of an organization by correlating events from different sources, such as network devices, servers, and applications. Next-gen SIEM solutions, also known as "modern" or "advanced" SIEMs, build on the basic functionality of traditional SIEMs by adding new capabilities such as: - Machine learning and artificial intelligence to improve threat detection and reduce false positives - Cloud-based deployment for greater scalability and flexibility - Integration with other security tools such as endpoint protection and vulnerability management - Automated incident response and threat hunting - Greater visibility into modern technologies such as cloud environments and IoT devices. In summary, Next-gen SIEMs offer more advanced analytics, automation, and improved scalability, to help with detecting and responding to cyber threats in real time. Wazuh is an open-source security platform that provides an integrated solution for threat detection, incident response, and compliance. It is built on top of Elastic Stack and provides an agent-based architecture for data collection and centralized management. Wazuh focuses on providing endpoint security by monitoring and alerting system activity, file integrity, and vulnerabilities. Gurucul, on the other hand, is a security analytics platform that uses machine learning and behavioral analytics to detect and respond to cyber threats in real time. It also provides a centralized view of security-related data and can integrate with a variety of security tools. Gurucul focuses on providing user and entity behavior analytics (UEBA) and fraud detection, it can identify anomalies and suspicious activities in an organization's network, applications, and user behavior. In summary, Wazuh is an open source endpoint security platform, while Gurucul is a security analytics platform that uses machine learning and behavioral analytics to detect and respond to cyber threats in real time.
Regional Manager/ Service Delivery Manager at ASPL INFO Services
Nov 17, 2022
Hi community,  I am a Service Delivery Manager at a medium-sized tech services company. I am researching PSIM (Physical Security Information Management). What are the main use cases and benefits of products that fall under this category? Thank you for your help.
See 1 answer
Principal Consultant Cyber Security at Servian
Nov 17, 2022
Physical security of an information management system assures security by implementing protective controls to a location that hosts your most confidential data. For example, when you access data centers physically to access servers, storage, routers, switches, etc. Similarly, when you are accessing the location (warehouse, IT department, finance or HR department) with malicious intentions to discover the possibility of a targeted attack which could be by inserting the infected USB drive, stealing confidential documents, taking pictures, finding the ways to access the data centers from elevators to the reception to the data center. ISO27001:2013 explains in detail what protective controls must be there to ensure physical security like access cards, port security, identification, CCTV, Biometrics, preventing WIFI access outside the location, fire alarm system, assembly points, etc.
Related Articles
Ertugrul Akbas - PeerSpot reviewer
Manager at ANET
Jan 24, 2023
It is important to retain logs for a significant amount of time in order to be able to investigate and analyze past attacks. This allows security teams to identify patterns and trends that can aid in the detection and prevention of future attacks. The retention period will vary depending on the organization's specific requirements and regulations, but it is generally recommended to keep logs ...
Navcharan Singh - PeerSpot reviewer
Senior Seo Executive at Ace Cloud Hosting
Oct 7, 2022
Security Information and Event Management (SIEM) solutions differ significantly from firewalls. While both security solutions are integral components of cybersecurity infrastructure, they have different capabilities, functions, and roles. Do you need SIEM if you already have a firewall? If you have questions about the difference between SIEM and firewall, you have come to the right place....
Director of Community at PeerSpot (formerly IT Central Station)
Jul 5, 2022
Dear PeerSpot community members, This is our latest Community Spotlight for YOU. Here we've summarized and selected the latest posts (professional questions, articles and discussions) contributed by PeerSpot community members.  Check them out! Trending See what your peers are discussing at the moment! What were your main pain points during the SIEM product purchase process? What...
Director of Community at PeerSpot (formerly IT Central Station)
Apr 4, 2022
Hi peers, This is our new Community Spotlight that includes recent contributions (questions, articles and discussions) by the PeerSpot community members. Trending Is RPA beneficial for a healthcare organization? With the increasing risk of cyber attacks in the west, due to the war in Ukraine, how safe is your data in the cloud? Articles 8 Business Automation Ideas to Save Time and...
Director of Community at PeerSpot (formerly IT Central Station)
Mar 18, 2022
Hi community members, Here we go with a new Community Spotlight. We publish it to help YOU catch up on recent contributions by community members. Trending What open-source HCI solution do you recommend? How much time does SSO save? What are the main technical differences between Microsoft Power Automate and Blue Prism? Articles Top HCI in 2022 What is Web Design? The Ultima...
Related Articles
Ertugrul Akbas - PeerSpot reviewer
Manager at ANET
Jan 24, 2023
Features of Today's SIEMs – Requirements for Today’s Attacks and Breaches
It is important to retain logs for a significant amount of time in order to be able to investig...
Navcharan Singh - PeerSpot reviewer
Senior Seo Executive at Ace Cloud Hosting
Oct 7, 2022
SIEM vs. Firewall
Security Information and Event Management (SIEM) solutions differ significantly from firewalls. W...
Download Free Report
Download our free Splunk Report and get advice and tips from experienced pros sharing their opinions. Updated: December 2022.
670,331 professionals have used our research since 2012.