
SIEM (Security Information and Event Management)

A SIEM (Security Information and Event Management) collects log data from across the IT infrastructure, normalises it, and correlates events to detect security-relevant patterns. Typical sources include firewalls, intrusion-detection systems, server logs, and authentication records. You define correlation rules that trigger alerts automatically when suspicious patterns emerge. In a SOC the SIEM is the central tool for real-time monitoring. In your ISMS you document the SIEM as a control for logging and monitoring per ISO 27001 Annex A 8.15-8.16. Regular tuning reduces false positives.
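The collect, normalise and correlate steps described above, as an added illustration that is not part of the original glossary entry: two constructed log formats (an sshd-style auth log and a hypothetical firewall log) are mapped onto one schema, and a correlation rule raises an alert when one source IP produces repeated failed logins inside a time window, escalating severity if a successful login follows.

```python
"""Minimal SIEM-style pipeline: normalise heterogeneous log lines into one
event schema, then evaluate a correlation rule over the normalised events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (hypothetical formats, documentation-range IPs).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01 sshd[1]: Failed password for root from 198.51.100.7 port 51000",
    "2024-05-01T10:00:05 sshd[1]: Failed password for root from 198.51.100.7 port 51001",
    "2024-05-01T10:00:09 sshd[1]: Failed password for admin from 198.51.100.7 port 51002",
    "2024-05-01T10:00:12 sshd[1]: Failed password for bob from 203.0.113.9 port 40000",
    "2024-05-01T10:00:20 sshd[1]: Accepted password for root from 198.51.100.7 port 51003",
    "2024-05-01T10:00:30 fw: action=deny src=198.51.100.7 dst=10.0.0.5 dport=445",
]

AUTH_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
FW_RE = re.compile(r"^(\S+) fw: action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)")

def normalise(line):
    """Map one raw line onto the common schema; None if no parser matches."""
    m = AUTH_RE.match(line)
    if m:
        ts, outcome, user, src = m.groups()
        return {"ts": datetime.fromisoformat(ts), "source": "sshd", "user": user,
                "event": "auth_fail" if outcome == "Failed" else "auth_ok", "src_ip": src}
    m = FW_RE.match(line)
    if m:
        ts, action, src, dst, dport = m.groups()
        return {"ts": datetime.fromisoformat(ts), "source": "fw", "event": f"fw_{action}",
                "src_ip": src, "dst_ip": dst, "dport": int(dport)}
    return None  # unparsed lines are dropped; a real SIEM would count them for tuning

def brute_force_rule(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: >= threshold auth_fail events from one src_ip within
    `window`; severity is raised to high if an auth_ok from that IP follows."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] in ("auth_fail", "auth_ok"):
            by_src[ev["src_ip"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        fails = [e["ts"] for e in evs if e["event"] == "auth_fail"]
        for i in range(len(fails) - threshold + 1):  # sliding window over failures
            last = fails[i + threshold - 1]
            if last - fails[i] <= window:
                ok_after = any(e["event"] == "auth_ok" and e["ts"] >= last for e in evs)
                alerts.append({"rule": "ssh_brute_force", "src_ip": src, "failures": len(fails),
                               "severity": "high" if ok_after else "medium"})
                break  # one alert per source; later failures do not re-fire
    return alerts

def run(lines=SAMPLE_LOGS):
    """Full pipeline: normalise every line, then run the rule over the result."""
    return brute_force_rule([e for e in map(normalise, lines) if e])
```

The `threshold` and `window` parameters are the knobs that tuning adjusts: too low and benign typos alert, too high and a slow, distributed attempt is missed.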