SIEM vs Data Lake
It’s easy to mistake a Security Information Event Management (SIEM) for a data lake. Both ingest large volumes of telemetry, offer search capabilities, and support investigations.
I. Beyond Storage: The True Role of a SIEM
It’s easy to mistake a Security Information Event Management (SIEM) for a data lake. Both ingest large volumes of telemetry, offer search capabilities, and support investigations. In fact, a modern SIEM must include data lake features, especially the ability to retain and query historical data during an investigation. But a SIEM is more than just a searchable archive. Its purpose is broader and more active: to identify threats, guide analysis, and support issue resolution.
This distinction is not academic. It has real consequences for how well an organization can detect and respond to threats, how efficiently analysts can work, and how much operational cost is incurred. While these business outcomes are important, this paper focuses specifically on the technical differences between a data lake and a SIEM.
By examining how SIEMs process data, guide investigation, and support workflows, we can clarify what sets a true SIEM apart and why treating it as just another data store misses the point.
II. A Semi-Short History of SIEMs
The story of SIEM doesn’t begin with log indexing—it begins with network operations. In the early days, tools like HP OpenView and IBM NetCool were used to monitor infrastructure health across large environments. These platforms provided real-time visibility into system and network status, superimposing alerts onto topology maps. The model worked because outages in IT infrastructure were usually clear-cut, a service was either up or down.
When security teams began adopting the same centralized model, the assumption was that it would work similarly. Logs could be collected, alerts generated, and security events visualized the same way network outages were. This became the first phase of SIEM: a belief that if we simply aggregated the right data and visualized it, we could understand what was happening.
But security is fundamentally different. It deals not with outages, but with uncertainty, gray areas where something might be wrong. In this context, the model of centralized alert visualization quickly broke down. Analysts were flooded with notifications, few of which were truly meaningful. The more data that was added, the harder it became to distinguish signal from noise. The operational model that worked for infrastructure failed in security.
This early failure set the stage for the next evolution in SIEM: the shift from visibility tools to detection engines, and eventually toward data-centric architectures. But the legacy of that first phase remains: many SIEMs still rely on assumptions inherited from tools that were never built to deal with ambiguity or adversaries.
(continued — Phase Two, Database)
As the limitations of early visualization-centric SIEMs became clear, the industry entered what we now recognize as the second phase. This phase still defines many legacy SIEMs today. The core realization at the time was that security wasn’t just an alerting problem; it was a data volume problem. Logs were flooding in from every endpoint, server, firewall, and cloud service. Analysts could no longer review every event, so the challenge became how to extract meaning from the noise.
In response, SIEM design shifted to focus on data architecture and analytics. The goal was to collect everything and then use queries and dashboards to surface what mattered. We moved away from list-based workflows, where analysts worked through issues one by one, and adopted a chart-driven approach that focused on spikes, anomalies, and activity volume. The idea was simple: if we could see what was happening in aggregate, we could decide what to investigate.
This gave rise to what is now a standard in legacy SIEMs—volume analysis. Logs are ingested into large databases, indexed, and then queried on a schedule. Alerts are generated based on thresholds or frequency counts. In this model, the system is not trying to determine whether something is a security issue. It is highlighting what looks unusual. The burden is still on the analyst to decide what matters.
This approach addressed the scale problem, but it introduced a new one. It replaced resolution with visualization. Instead of identifying and closing issues, SIEMs became tools for monitoring spikes and investigating symptoms. In doing so, they began to favor trend analysis over truth, and visual insights over actual decisions.
(continued — Phase Three, Analytics)
Eventually, the limits of the second phase became impossible to ignore. Security teams were surrounded by charts and trends but found they weren’t actually resolving issues. We had come full circle, back to the original need—to find problems and fix them. The chart-based, search-heavy approach gave visibility, but not action. SIEMs had become places to observe problems, not solve them.
This opened the door to a third phase, marked by the rise of analytics-driven SIEMs. Around 2015, User and Entity Behavior Analytics (UEBA) emerged as the first sign of this shift. Instead of viewing events atomically, UEBA grouped events around identities, people, devices, or services, and analyzed them in relation to one another. Systems began to consider behavior over time, impact across assets, and even organizational tolerance for risk or failure. In platforms like Fluency, this evolved into concepts like fault tolerance analysis, where the focus wasn’t just on anomalies, but on whether those anomalies posed a material risk.
This approach allowed for more refined judgments. Techniques like impossible travel and abnormal login sequencing became possible only because the system was grouping events, comparing behavior, and evaluating deviation. The shift from “what is happening” to “is this normal” reframed how SIEMs approached security.
More importantly, this phase marked a return to quality. The goal wasn’t to watch everything; it was to understand what mattered. Could the system create accurate groupings? Could it reduce noise? Could it identify and close issues systematically? These questions brought SIEMs out of the data lake mentality and into something closer to operations. It was no longer just about managing data. It was about managing a process.
(continued — Phase 4, Automation)
Today, we find ourselves deep in the complexity introduced by the third phase. We’ve learned to detect anomalies, but we also understand that anomalies are not binary. Just because something is unusual doesn’t mean it’s malicious. We’ve moved into a gray world, where each detection carries a degree of risk rather than a clear verdict. Analysts are left to ask the same question over and over: is this an issue?
The industry has responded by embracing scoring techniques. Events and behaviors are now evaluated on a spectrum, often between 0 and 100, reflecting how abnormal or risky they appear. This is the right direction. It acknowledges that security isn’t about true or false, it’s about probabilities and context. But this approach creates a new problem. Even with scoring, every anomaly still has to be investigated, and that takes time.
This brings us to the central challenge of the current phase: scalability. We know how to detect interesting behavior. We have tools that surface anomalies with increasing precision. But we don’t have the manpower to investigate all of them. Even in UEBA systems, where alerts are smarter and better clustered, alert fatigue persists. In more traditional SIEMs, the problem is even worse.
To bridge this gap, the industry began offloading some of the analysis work to other tools, most notably, SOAR platforms. As SIEMs became more database-like and less process-aware, SOAR systems emerged to implement the processes the SIEM lacked. SOAR tools promised automation, orchestration, and in many cases, helped address the multitenancy problem as well. They filled in the workflow gaps that legacy SIEMs couldn’t handle.
But SOAR has its own limitations. It operates on playbooks, not reasoning. It executes tasks but often lacks the logic to decide which tasks should be executed. As a result, we now see a fragmented model: SIEMs handle detection, SOARs handle execution, and analysts still carry the weight of investigation.
Finally, we’re layering in AI to solve the investigation bottleneck. This creates even more architectural overlap, as both SIEMs and SOARs begin embedding AI into their processes. Some tools aim to use AI for triage. Others use it for summarization. Some even attempt guided resolution. But none of these components exist in isolation. The truth is, detection, analysis, and response are tightly interconnected. Trying to separate them across platforms introduces complexity. And this is where we are now—working through a hybrid model, pulling together scores, automation, and AI, just to manage what was once a single, unified goal: resolving issues.
(conclusion)
Looking across this history, we can see that although SIEMs have evolved, many of their design assumptions still carry the weight of the data lake mindset. We continue to measure system capacity by the volume of data ingested. We size infrastructure based on how many days of logs we can store. Discussions often begin with how much we can collect, not how well we can resolve. These are signs that the data lake perspective is still deeply embedded in how SIEMs are evaluated and purchased.
At the same time, the industry has made significant progress in defining the processes that actually matter. Whether those processes are implemented inside the SIEM or delegated to a SOAR, we now recognize that what happens after the log is collected is the heart of security operations. Identity evaluation, behavior tracking, anomaly scoring, enrichment, grouping, escalation, and resolution—these are the real functions of a SIEM.
And this is where the line must be drawn. A data lake stores events. A SIEM manages security. One is focused on capacity, the other on process. That distinction defines everything that follows.
III. Why the Database Model Dominated
If we look back at the history of SIEMs, it becomes clear why the database model became so dominant. The way we interact with logs: collecting data, recording transactions, generating reports, and issuing notifications; this bears a strong resemblance to how we handle accounting data. Accounting has always been a domain driven by structured storage and repeatable queries. From that perspective, it made perfect sense to rely on databases.
An accountant would be quick to point out that there’s intelligence in how accounting rules and formulas are applied. That’s precisely why we have accounting software, not just a raw database interface. Security deserves the same respect. If we treat logs and telemetry as just data, we dismiss the fact that security requires processes, interpretation, and structure to turn that data into insight.
This is the core issue with the database mindset. When we approach SIEM through the lens of storage, normalization, and query, we reduce everything to data manipulation. We lose the transition from data to intelligence. We create systems that store information but depend entirely on people to interpret it. Analysts are left to implement the process themselves, often manually. The SIEM becomes little more than a data repository that responds to requests. It doesn’t understand anything on its own.
We can see this clearly in how many traditional SIEMs approach AI. The moment a product says it’s “enhancing the analyst,” what it’s really saying is that it isn’t doing the analysis. It’s helping the human do what the system itself should be responsible for. That’s a red flag.
Yes, data storage is still necessary. We need it for investigations, for audits, and to meet compliance requirements. Long-term retention is part of a mature security model. But that capability should be treated as a supporting feature, not the foundation. The real value of a SIEM lies in its ability to process, understand, and resolve issues—not simply to collect and query logs.
IV. Where the Database Model Breaks
It’s not enough to store security data. The question is whether you can use it to find and resolve real issues. And that’s where the database model breaks.
At first, the database model feels right. Security logs look like transactions: discrete records, each with a timestamp, a user, an action, and a result. It’s easy to imagine that you can query this data just like accounting records, filter it, sort it, and build reports. And that works, for a while. If your goal is to organize known alerts from known systems, a database with queries and dashboards gets the job done.
But the second the goal shifts from organizing alerts to detecting issues, the model starts to fail.
The problem is that security data isn’t transactional. It’s ambiguous. We don’t know what’s good or bad just by looking at a single log. That log might be evidence of something, or it might be irrelevant. The only way to know is to place it in context, historical context, behavioral context, identity context. And databases don’t do context. They do records.
This is the core contrast:
Queries ask questions about what you already know. Detection requires asking questions you haven’t thought of yet.
For example, detecting a lateral movement attack might involve tracing multiple logins over several days, across different systems, with different usernames but the same underlying pattern: access from the same IP, or unusual access sequences tied to a single compromised account. No SQL query expresses that. No filter or join uncovers it. You need correlation, history, and stateful analysis.
There are two kinds of data that flow into a SIEM:
First, there’s pre-processed data, already categorized by upstream tools: alerts from firewalls, endpoint detections, authentication failures. This can be indexed, searched, and organized.
But then there’s derived detection data, findings that emerge from watching behavior over time. Examples include impossible travel, privilege misuse, or newly installed remote access tools. These require detection logic that unfolds across minutes, hours, or days. And these detections are often the only way to discover the threats that products missed.
This is where the traditional SIEM falls short. It excels at summarizing what’s already known. It fails when asked to discover what isn’t.
And that’s the hidden danger of the database model. It creates an illusion of capability. Dashboards light up. Queries run. Alerts are counted. But none of that answers the core question: Can the system organize the uncertainty and help us resolve the right issues?
Storing logs is necessary. Retention matters. Queries help during triage. But those are supportive roles. The real job of a SIEM is to find patterns, surface what’s abnormal, and organize that into something analysts can investigate and close. If all the process work still lives outside the platform, if it’s still done manually, in tickets, spreadsheets, and analyst heads, then the SIEM isn’t solving the right problem.
V. Why SIEM Requires Process, Not Queries
To understand what makes a SIEM effective, we must distinguish between a query and a process. These are not opposing concepts—rather, one is a building block for the other. A process can use many queries, but a query alone does not constitute a process.
Consider the role of a security analyst who receives an alert: “Possible compromise of user account due to multiple logins from disparate locations.” The alert doesn’t confirm a breach—it signals uncertainty. If the system knew with confidence that the account was compromised, it could take action immediately: revoke tokens, disable the account, or quarantine the device. But because the alert is ambiguous, the burden shifts to the analyst to validate and respond.
The analyst now enters a decision-making phase. Should the account be disabled? Is the device at risk? This leads to a sequence of questions:
- When and where did the logins occur?
- Has the user accessed these locations before?
- Are there related events—new devices, password changes, file access anomalies?
- Is this pattern consistent with the user’s past behavior?
Each of these questions might be answered with a query. But the sequence of questions—their dependencies, their order, their conditional checks—that is the process.
This is where the difference between a SIEM and a data lake becomes clear. A data lake can respond to queries. It stores logs, makes them searchable, and returns data. A SIEM, by contrast, applies processes—structured workflows that resolve uncertainty, guide investigations, and automate resolution when possible.
These processes might:
- Enrich an alert with context (e.g., VirusTotal lookups)
- Correlate related events
- Cluster activity over time or across entities
- Detect deviations from historical behavior
- Evaluate the scope of the issue (device vs. account vs. application)
- Trigger automated containment actions based on confidence thresholds
This is also the philosophical divide between database-driven SIEMs and process-driven SIEMs. If your system helps analysts ask better questions, it’s a data lake with a query interface. If it helps analysts resolve uncertainty and take action, it’s operating as a SIEM.
In short:
- Queries retrieve data.
- Processes reduce uncertainty.
That distinction defines the purpose—and the value—of the SIEM.
VI. Models Over Features: Why SIEMs Keep Evolving
As we look deeper into security analytics, it’s easy to become distracted by individual features—UEBA, Identity SIEM, AI-driven SIEMs. Each of these sounds like a separate product category or architecture, and often they are marketed that way. But these aren’t simply features bolted onto a data store. They’re models of how analysis is performed—not how data is stored or queried.
What connects them is process.
- UEBA (User and Entity Behavior Analytics) is not a table or a log type. It’s a continuous process of baselining, clustering, and comparing behavior over time.
- Identity SIEM doesn’t just log who authenticated. It maintains a stateful model of sessions, trust levels, and impersonation attempts—tracking who someone really is, across systems.
- AI SIEM doesn’t just help write queries. It represents a shift where the system attempts to perform the analyst’s reasoning steps, and the human takes on a QA and edge-case validation role.
These are not optimizations for storage. They are procedural shifts in how we work with security data. They highlight the evolution of SIEM as a tool for interpreting and resolving security events, not just storing or retrieving them.
And that is the key distinction from a data lake.
A data lake provides capacity and search. A SIEM provides structure and resolution. Whether that resolution is manual (Tier 1 triage) or automated (AI-assisted investigation), the SIEM’s role is to manage uncertainty—not just expose raw data.
So when we reference UEBA, Identity SIEM, or AI workflows, we’re not expanding the definition of a SIEM. We’re seeing the natural consequence of treating the SIEM as a process engine, not a passive database.
VII. Case Management: The Heart of a SIEM
Among the clearest ways to distinguish a data lake from a true SIEM is through its treatment of case management. A data lake may store a wealth of information and provide extensive search capabilities, but without a structured method for organizing, tracking, and resolving issues, it falls short of supporting real security operations.
Data lakes, whether built with tools like ELK or Wazuh, tend to focus on exposing data. They excel at ingesting logs, indexing events, and allowing flexible queries. Analysts working in these systems often interact with raw alerts, visual dashboards, and grouped search results. However, these systems rarely go beyond the surface. Alerts are treated as endpoints rather than starting points. The concept of an “issue”—a broader, correlated set of events requiring investigation—is absent. This leaves analysts with the burden of interpreting, correlating, and acting upon isolated pieces of information, often under conditions of time pressure and incomplete context.
A good indicator that you are working within a data lake rather than a SIEM is how the system handles alerts. If alerts are treated as equivalent to cases, or if a basic search or grouping result is automatically converted into a “ticket,” then you are not seeing true case management. This is a common failure point, even in systems that claim to support incident response. A single alert is not a case. Treating it as such leads directly to information overload, shallow analysis, and missed relationships. It forces analysts to triage in isolation rather than investigate with context.
Even SOAR platforms, which are intended to drive automated response, often inherit this limitation. Rather than operating as part of a broader process, many SOAR tools are deployed simply to extract alerts from a data lake and initiate predefined workflows. These workflows, built around atomic events, can automate responses but rarely support investigation. When SOAR is built on the foundation of a query and alert-based model, it reproduces the same analytical shortcomings as the data lake itself.
By contrast, a true SIEM recognizes that events must be evaluated in context. It sees the alert as a signal, not a conclusion. A case in a SIEM is not just a record of a triggered rule, but a structured effort to determine whether an issue exists, what its scope is, and how it should be resolved. This requires correlation, enrichment, behavioral analysis, and ultimately, lifecycle tracking. A proper case moves from detection to investigation and resolution, with all related evidence grouped and organized along the way.
This is the defining difference. A data lake shows you the data. A SIEM helps you reach a decision. A system that cannot manage cases—or worse, treats alerts as cases—is not supporting your analysts. It is assigning them the responsibility of doing everything manually. The goal of a SIEM is not just to capture events, but to close issues. Case management is the foundation that makes that possible.
VIII. Data Lake vs. SIEM: A Balance, Not a Binary
It’s important to understand that no modern SIEM operates without some form of data retention. Storage is necessary. Historical analysis, forensics, and compliance all require the ability to look back over logs, sometimes for months or years. But retention alone does not make a system a SIEM. Storing data is only part of the picture. The question is what the system does with the data once it’s stored.
To illustrate this, we introduce a model that considers every product as a blend of two functions: data lake and SIEM. A pure data lake is designed for storage and query. A true SIEM is designed for investigation and closure. Most tools sit somewhere between these two poles.
Let’s visualize this as a ratio—how much of the product architecture and intent is devoted to storage and search, and how much is focused on real investigation and response.
SIEM/Data Lake Balance Visualization
Fluency [█████████████---------] 90% SIEM / 10% Data Lake
Sentinel [█████████-------------] 45% SIEM / 55% Data Lake
Splunk [█████████-------------] 45% SIEM / 55% Data Lake
QRadar [██████████------------] 60% SIEM / 40% Data Lake
Wazuh [█████-----------------] 30% SIEM / 70% Data Lake
Elastic [████------------------] 25% SIEM / 75% Data Lake
Chronicle [███████---------------] 35% SIEM / 65% Data Lake
Sentry [████████--------------] 40% SIEM / 60% Data Lake
The architecture reveals the intent. If everything starts from a search bar, you’re not in a SIEM. You’re in a data lake.
Comparative Feature Focus
| Product | Primary Focus | Alert Evaluation | Identity Tracking | Case Lifecycle | Process Integration |
|---|---|---|---|---|---|
| Fluency | Real-time SIEM processing | ✅ High | ✅ Native | ✅ Built-in | ✅ Full pipeline |
| Sentinel | Azure-native SIEM over Data Lake | ⚠️ Search-centric | ✅ Strong in Azure | ⚠️ Via Log Analytics | ⚠️ Rule-based SOAR |
| Splunk | Search-first with SIEM app | ⚠️ Moderate | ⚠️ Partial | ⚠️ Add-on | ⚠️ Mixed |
| QRadar | Traditional SIEM | ✅ Good | ⚠️ Mixed | ⚠️ Add-on | ⚠️ SOAR-tied |
| Wazuh | Log storage & correlation | ❌ Basic | ❌ Minimal | ❌ None | ❌ None |
| Elastic | Data lake engine | ❌ Basic | ❌ Minimal | ❌ None | ❌ None |
| Chronicle | Cloud-scale retention | ⚠️ Limited | ⚠️ Partial | ❌ None | ⚠️ Emerging |
| Sentry | Application monitoring | ❌ App-focused | ❌ Not designed | ❌ None | ❌ None |
Product Spotlights: Understanding the Difference in Practice
Sentinel’s Place in the Spectrum
Microsoft Sentinel is often described as a cloud-native SIEM, largely because it integrates deeply with Azure and has strong alerting capabilities tied to identity. However, its investigative workflows are rooted in query-based exploration using Kusto Query Language (KQL). While Sentinel can generate alerts and visualizations, the burden of investigation remains on the analyst.
Case management is externalized. Playbooks rely on Logic Apps, and ticketing is handled through Azure DevOps or third-party connectors. There is no unified, native issue lifecycle management. Sentinel helps present the data, but it expects humans or bolt-on automation to make sense of it. This places it firmly in the category of data-first systems.
This reflects the central theme: if a system surfaces alerts but offloads resolution to external tools or users, it behaves like a data lake. A SIEM must do more, it must help analyze, organize, and resolve.
Wazuh’s Place in the Spectrum
Wazuh is often promoted as a free and open-source SIEM, but its core architecture lacks the defining traits of a true SIEM. Wazuh collects logs, applies rules, and produces alerts. That’s where its work ends. There is no embedded investigation flow, no behavior correlation, and no lifecycle management of issues.
In Wazuh, an alert is treated as a problem, not a clue. There’s no clustering or context. Analysts must either react to each alert individually or build their own downstream systems. This becomes immediately obvious when users attempt to layer dashboards or integrate ticketing tools externally.
The alert-to-ticket model is a clear sign of a data lake masquerading as a SIEM. A real SIEM understands that alerts are only pieces of the picture, and that effective analysis requires organizing them into coherent cases with start, scope, and resolution.
Elastic’s Place in the Spectrum
Elastic is a high-performance document store optimized for full-text search and indexing. While the Elastic Stack is powerful for storing and retrieving records, it was not designed to manage investigations. Alerts are built from saved queries or statistical models, and they exist only as outputs, not as the beginning of a structured process.
Elastic Security, the product’s SIEM interface, adds dashboards and visualizations, but it does not enforce or even encourage a process flow. Case management is shallow and disconnected. Analysts move between visual panels, timelines, and documents without a defined structure for evaluation, escalation, or closure.
Elastic’s greatest strength, flexibility, is also its greatest weakness in this space. Everything is possible, but nothing is built-in. The system provides the data. The analyst builds the logic. If there is a process, it must be constructed from scratch.
Fluency’s Place in the Spectrum
Fluency SIEM was built from the ground up to address what other platforms leave out: the actual process of analysis. Rather than prioritizing data storage or search speed, Fluency prioritizes issue resolution. It treats alerts not as end results, but as starting points. Clusters of related activity are grouped, analyzed, and carried through an investigative workflow designed to mirror human reasoning.
The architecture supports streaming ingestion with immediate event correlation and risk scoring. Identity resolution, behavioral baselining, and anomaly detection are built in, not as optional dashboards, but as core mechanics. Fluency maintains working memory of user and system behavior over time, allowing it to determine what’s normal, what’s new, and what’s risky.
Most critically, Fluency doesn’t expect an analyst to stitch everything together manually. It builds cases automatically, grouping events into meaningful units of work. These cases move through an internal lifecycle: validated, scoped, resolved, and reviewed. Analysts don’t just search, they manage and close issues. This native case management, coupled with embedded AI assistance, defines Fluency’s shift from traditional SIEM to a process-first system.
The difference is clear: while other platforms help analysts find data, Fluency is designed to resolve problems.
X. Conclusion: What a Modern SIEM Must Be
The evolution from data lake to SIEM reflects a fundamental shift in purpose. A data lake stores, retrieves, and indexes logs, it enables you to ask questions. A SIEM, by contrast, is expected to answer them. That means owning the process of analysis, not just hosting the data that supports it.
A modern SIEM must evaluate every event in the context of identity, behavior, and intent. It must move beyond rule matching to build understanding. It must resolve uncertainty, not pass it on. Most importantly, it must drive the closure of issues, because that is the only outcome that improves security.
In short, the value of a SIEM is not in how much data it holds, but in how effectively it helps organizations detect, investigate, and resolve threats. The more a platform behaves like a query engine or alert generator, the more it resembles a data lake. The more it guides the analyst toward resolution through structured processes, memory, and context, the more it fulfills the true role of a SIEM.
Understanding this difference is critical—not just for choosing the right technology, but for ensuring that security teams can focus less on looking and more on knowing.
