IT Central Station is now PeerSpot: Here's why

What are the main differences between XDR and SIEM?

Evgeny Belenky - PeerSpot reviewer
Director of Community at PeerSpot (formerly IT Central Station)

Hi infosec professionals,

What are the main architectural differences between those two technologies? What are the relations between the two of them? Are they complementary?

What does an XDR solution provide that SIEM doesn't and vice versa?

Thanks for sharing your knowledge with the community!

PeerSpot user
66 Answers

David Swift - PeerSpot reviewer
Top 5Real User

SIEM focuses on correlation - detection, both known (and with UEBA), unknown/0 Day anomalies.

XDR focuses on blocking - usually of only known patterns - If on Threat Intel List, block - much like implementing AV at a firewall/network level, not entirely dissimilar to IPS.  

Most organizations don't even configure their IDS to block and do IPS.

In my opinion, SIEM/UEBA should be used to detect the threats, confirm multiple indicators and feed SOAR to block them. 

Historically pulling in threat intel lists and even alerting on matches has had a high false-positive rate (>66%). Blocking in low-accuracy detection scenarios leads to Denial of Service events.

In the end, both SIEM and XDR are as good or bad as their intelligence and correlation capabilities. Garbage In, Garbage Out. 

FWIW I'm in favor of many default blocking policies. Allow by exception only. ITAR and OFAC country lists for instance are easy wins with few false-positive scenarios.

I look at XDR much like a firewall with open-source intelligence lists automatically blocked. Not entirely bad, but as much detection, correlation, or confirmation abilities as I'd like to automate threat detection and response.

Kevin Mabry - PeerSpot reviewer
Top 5LeaderboardReal User

A SIEM is basically a solution/product that collects all security and syslog data from whatever device you send to it, to store and help decipher all of that data for your needs, like compliance or forensics. 

But it can be very labor-intensive if you do not have a team of people that knows what they are looking for. 

XDR's have more AI built in them and like its cousin EDR, which only looks at the endpoints, XDR (Extended Detection & Response) can also monitor your firewalls and even traffic from your IoT devices. 

But you will still need a team to know what they are looking for.  

If you don't have a team, you can look at MDR (Managed Detection & Response). MDR's already have the team with the expertise to detect and help your respond better than trying to figure it out by yourself.  

But if you have a team (or plan on building one out), the combination of a SIEM with an XDR solution is a good way to go.

Nicholas Arraje - PeerSpot reviewer
Top 20Vendor

XDR as a solution is still evolving and means different things to different organizations.  

Each vendor has a different spin on XDR as they try to win the market and enterprises struggle to figure out what XDR includes and doesn't.  

I try to take a simpler approach as XDR stands for Extended Detection and Response where the extended is referring more than EDR (endpoint detection and response). XDR is the ability of an EDR solution to do more or ingest or provide more detection beyond the endpoint (network or other sources).  

Therefore, you will find EDR vendors talking about XDR as well as SIEM providers.  

Since the SIEM can manage information and events from sources like an EDR, it can then ingest information and events from other locations beyond the endpoint and provide XDR capabilities.  

In many cases today, it is the combination of an EDR tool and a SIEM to provide XDR capabilities. 

We, see many customers adding NDR (Network Detection and Response) to their EDR environments and with tight integrations with the SIEM. 

Does EDR + NDR + SIEM equal XDR? In many cases, yes.  

Shibu Babuchandran - PeerSpot reviewer
ExpertModeratorReal User

Hope the below will be helpful

Key differences between SIEM and XDR
Domain coverage Multi domain coverage: Single domain coverage: TDIR
– Threat detection, investigation, and response (TDIR)
– Compliance
– Centralized storage
– Reporting
Design approach Designed for customization and “just in case” situations Designed to be focused on efficient TDIR
Data location Typically assumes that the data needs to be centralized in the SIEM Typically assumes that data could be stored anywhere and/or doesn’t need to be stored for the long term
Delivery model Can be on-prem, cloud-delivered or both Cloud-delivered
Storage requirement Offers an infinitely scalable storage Doesn’t always offer long-term storage
Detection approach Typically focuses on correlation-based analytics Typically offers machine learning-based advanced analytics
Automation approach Typically offers very flexible orchestration, automation, and playbooks for TDIR and non-TDIR use cases. Typically offers prepackaged, use case–specific TDIR with prescriptive orchestration, automation, and playbooks

reviewer986433 - PeerSpot reviewer
Top 5LeaderboardReal User

Although it's from the vendor, it's a good description of SIEM / SOAR / XDR, etc.

Carsten Dan Petersen - PeerSpot reviewer


I found this on the SentinelOne website:

"How Is XDR Different From SIEM?

When we talk about XDR, some people think that we are describing a Security Information & Event Management (SIEM) tool in a different way. But XDR and SIEM are two different things.

SIEM collects, aggregates, analyzes, and stores large volumes of log data from across the enterprise. SIEM started its journey with a very broad approach: collecting available log and event data from almost any source across the enterprise to be stored for several use cases. These included governance and compliance, rule-based pattern matching, heuristic/behavioral threat detection like UEBA, and hunting across telemetry sources for IOCs or atomic indicators.

SIEM tools, however, require a lot of fine-tuning and effort to implement. Security teams can also get overwhelmed by the sheer number of alerts that come from a SIEM, causing the SOC to ignore critical alerts. In addition, even though a SIEM captures data from dozens of sources and sensors, it is still a passive analytical tool that issues alerts.

The XDR platform aims to solve the challenges of the SIEM tool for effective detection and response to targeted attacks and includes behavior analysis, threat intelligence, behavior profiling, and analytics."

Buyer's Guide
Security Information and Event Management (SIEM)
June 2022
Find out what your peers are saying about Splunk, IBM, Microsoft and others in Security Information and Event Management (SIEM). Updated: June 2022.
610,190 professionals have used our research since 2012.