Security Engineer
Difficulty: medium

What is a SIEM and what should you log for effective detection?

Answer

A SIEM aggregates and correlates logs from across the environment for detection and investigation. At a minimum, log:

- Authentication events (success and failure)
- Privileged actions
- Network flows
- API access patterns
- Endpoint events

Quality matters as much as volume: normalize fields, add correlation IDs, reduce noise, and build detections tied to real threats.

Related Topics

SIEM, Detection, Security