
SIEM — Security Information and Event Management

SIEM (Security Information and Event Management) denotes a category of cybersecurity platforms that ingest, normalise, correlate and analyse log data from across the IT estate (servers, network gear, endpoint protection, identity providers, ERP, databases) to detect threats, support compliance reporting and enable forensic investigation. For ERP-centric organisations, SIEM is the standard mechanism by which the auditable record produced by ERP audit trails is preserved, monitored for anomalies and queried during security incidents or regulatory audits. Preservation matters as much as detection: a copy of the audit trail held outside the ERP, on a system the ERP administrators cannot write to, is what keeps the record trustworthy when the ERP itself or its admin accounts are compromised.

How SIEM works

A SIEM platform follows a four-stage pipeline. Collection: log shippers (syslog, agents, native APIs) stream raw events from source systems to a central ingest tier, which also stores them for the retention period the organisation's audit obligations require. Normalisation: events from heterogeneous sources are parsed into a unified schema (for example Splunk's Common Information Model, the Elastic Common Schema or Microsoft Sentinel's ASIM) so that a user name or a source IP means the same thing whichever system reported it. Correlation: rule-based and increasingly ML-driven detection identifies patterns matching known threat signatures or deviations from baselines; this only works if all sources share a time base, so NTP on every source and timezone-aware timestamp parsing are prerequisites. Response: alerts trigger automated playbooks (SOAR) or human investigation in a SOC (Security Operations Centre).

Leading SIEM platforms

Enterprise: Splunk Enterprise Security, IBM QRadar, Microsoft Sentinel, Google Chronicle (now marketed as Google Security Operations), Elastic Security; 100,000 to 1,000,000 EUR per year for mid-size deployments. Mid-market: LogPoint, Securonix, Exabeam, Rapid7 InsightIDR; 30,000 to 150,000 EUR per year. Open-source: Wazuh, Graylog, OSSIM. Most commercial licences are priced on ingested volume (GB per day) or on workload, so log volume rather than user count drives cost; a noisy ERP debug log forwarded unfiltered can double the bill. In Germany, Switzerland and Austria, Microsoft Sentinel has rapidly gained share through Microsoft 365 E5 bundling, while Splunk remains dominant in larger enterprises with established SOC operations.

ERP integration patterns

Three integration paths dominate. Syslog forwarding: the ERP application server writes a structured audit log that a forwarder ships to the SIEM over syslog. Works with SAP, Oracle EBS, Dynamics 365, abas and most mid-market products. Use TCP with TLS (RFC 5425) and a disk-assisted queue on the forwarder rather than plain UDP syslog, which silently drops events under load and is unencrypted in transit. Native connectors: SAP Enterprise Threat Detection, Splunk for SAP, Microsoft Sentinel SAP connector; out-of-the-box parsing of SAP's Security Audit Log (viewed with transaction SM20), System Log (SM21) and change documents. Note that SAP's Security Audit Log records nothing until filters are configured (SM19 or RSAU_CONFIG), so verify that the relevant event classes are active before relying on any connector. Database-level capture: change-data-capture on the ERP database for high-fidelity audit, used in regulated industries (pharma, finance). Choose based on regulatory pressure: a GxP-validated pharma ERP typically needs all three layers; a mid-market services company gets by with syslog forwarding alone.

Compliance and audit relevance

Several regulations indirectly mandate SIEM-like capabilities for ERP-bearing organisations. NIS-2 (EU): essential and important entities must submit an early warning within 24 hours of becoming aware of a significant incident and a full notification within 72 hours, which is operationally infeasible without centralised detection. DORA (EU financial sector): mandates continuous monitoring of ICT systems including ERP financial modules. ISO 27001 Annex A.12.4 (2013 edition; A.8.15 Logging and A.8.16 Monitoring activities in the 2022 edition): requires logging of system administrator and operator activity. SOX (US-listed): demands evidence of access controls and segregation-of-duty enforcement. Mid-market companies in Germany, Switzerland and Austria increasingly fall within NIS-2 scope from the October 2024 transposition deadline onwards, even where national implementation has lagged behind that date.

Build vs buy — SOC operating models

For DACH mid-market organisations, three operating models dominate. (1) In-house SOC: a dedicated security team operating the SIEM 24/7. Round-the-clock coverage needs several analysts per seat to absorb shifts, leave and sickness, so even a small SOC is 8–15 FTE. Cost: 1.2–3 million EUR per year fully loaded. Justifiable only above roughly 5,000 employees or for sensitive critical-infrastructure operations. (2) Co-managed SIEM: the customer owns the SIEM licence and the detection content; an external MSSP (Managed Security Service Provider) provides 24/7 monitoring, alert triage and first-line response. Cost: typically 200,000–800,000 EUR per year for the mid-market. (3) Fully managed MDR (Managed Detection and Response): the provider operates the entire stack from log collection through detection to response, and the customer pays a per-endpoint or per-user fee. Common providers in Germany, Switzerland and Austria: Telekom Security, Bitdefender, Sophos MDR, Arctic Wolf, Trend Micro, Rapid7 MDR. Cost: 5–15 EUR per endpoint per month plus per-source ingestion fees. Decision criteria: regulatory exposure (NIS-2 and DORA require in-scope companies to demonstrate continuous monitoring), in-house security skills available, sensitivity of the ERP data being monitored, and tolerance for the integration complexity of a co-managed model. Most 50–500-employee DACH operations choose MDR; 500–5,000-employee operations under NIS-2 typically choose co-managed SIEM; large enterprises operate in-house SOCs.

ERP-specific detection use cases

Beyond generic threat detection, ERP-specific detection content addresses fraud and insider-risk scenarios that are otherwise invisible. Representative use cases:
  1. Off-hours master-data change: a supplier's bank details changed on a Sunday at 02:30 from a new IP geolocation; high-priority alert for finance review before the next payment run.
  2. Segregation-of-duty violation: the same user creates a supplier and approves a payment to that supplier within 24 hours; alert and require dual review.
  3. Mass export: more than 5,000 customer records exported via list reports in one hour by a single user; review for potential data exfiltration, a pattern typical of a departing employee.
  4. Authorisation creep: a user accumulates GoBD-relevant transaction codes over 6 months without an HR-side role change; review against the intended role.
  5. Failed login burst: 30 or more failed logins to the ERP from a single IP within 5 minutes; alert and lock the targeted accounts or rate-limit the source. Block the IP outright only if it is not a shared egress such as a VPN concentrator or NAT gateway, otherwise the response locks out legitimate users.
  6. Privileged-user activity correlation: a user holding the SAP_ALL profile logs in outside the maintenance window from outside the corporate network.
All six depend on the ERP audit log carrying the acting user, the affected object and the source address on every event; confirm those fields are populated before building the rules. SAP Enterprise Threat Detection, Splunk for SAP and the Microsoft Sentinel SAP connector ship with 30–100 of these use cases pre-built; tuning them to local business reality is the bulk of post-go-live effort. The risk registers of mid-market DACH companies increasingly identify these scenarios as material concerns, accelerating SIEM adoption beyond pure NIS-2 compliance.
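The following is an added example, not code from this page or from any SIEM or ERP vendor. It runs the normalise-then-correlate pipeline described under "How SIEM works" over a handful of constructed ERP audit events and implements three of the use cases above (off-hours master-data change, the create-then-approve segregation-of-duty check, and the failed-login burst). The pipe-delimited log format, the event names, the business-hours window and the sample lines are all assumptions chosen for the illustration; a real deployment would replace `normalise()` with the connector's parser and express the rules in the SIEM's own query language.

```python
"""Minimal SIEM-style pipeline over constructed ERP audit events.

Added example, not code from the page or from any SIEM or ERP vendor.
The pipe-delimited log format, event names, field names, thresholds and
sample events are all assumptions chosen to illustrate the page's
normalise-then-correlate pipeline and three of its ERP use cases.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed raw lines in a hypothetical ERP audit format:
#   <ISO-8601 UTC timestamp>|<user>|<event>|<object>|<source IP>
# 2024-03-10 is a Sunday; the LOGIN_FAILED lines simulate a 31-attempt burst.
RAW_EVENTS = [
    "2024-03-10T02:30:00Z|jdoe|SUPPLIER_BANK_CHANGE|SUP-4711|203.0.113.9",
    "2024-03-11T09:05:00Z|jdoe|SUPPLIER_CREATE|SUP-4712|10.0.0.5",
    "2024-03-11T15:40:00Z|jdoe|PAYMENT_APPROVE|SUP-4712|10.0.0.5",
    "2024-03-11T10:00:00Z|asmith|SUPPLIER_CREATE|SUP-4713|10.0.0.7",
    "2024-03-13T10:00:00Z|asmith|PAYMENT_APPROVE|SUP-4713|10.0.0.7",
] + [f"2024-03-12T08:00:{i:02d}Z|-|LOGIN_FAILED|-|198.51.100.23" for i in range(31)]

BUSINESS_HOURS = range(7, 20)          # assumption: 07:00-19:59 UTC
MASTER_DATA_EVENTS = {"SUPPLIER_BANK_CHANGE"}


def normalise(line):
    """Normalisation stage: parse one raw line into the unified schema."""
    ts, user, event, obj, src = line.strip().split("|")
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),  # tz-aware
        "user": user, "event": event, "object": obj, "src_ip": src,
    }


def rule_off_hours_master_data(events):
    """Use case 1: master-data change at the weekend or outside business hours."""
    return [
        ("OFF_HOURS_MASTER_DATA", e["user"], e["object"])
        for e in events
        if e["event"] in MASTER_DATA_EVENTS
        and (e["ts"].weekday() >= 5 or e["ts"].hour not in BUSINESS_HOURS)
    ]


def rule_sod_create_then_approve(events, window=timedelta(hours=24)):
    """Use case 2: the same user creates a supplier and approves a payment
    to it within `window` (segregation-of-duty violation)."""
    created = {}   # (user, object) -> time of SUPPLIER_CREATE
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["user"], e["object"])
        if e["event"] == "SUPPLIER_CREATE":
            created[key] = e["ts"]
        elif e["event"] == "PAYMENT_APPROVE" and key in created:
            if e["ts"] - created[key] <= window:
                alerts.append(("SOD_CREATE_APPROVE", e["user"], e["object"]))
    return alerts


def rule_failed_login_burst(events, threshold=30, window=timedelta(minutes=5)):
    """Use case 5: sliding window of LOGIN_FAILED per source IP. One alert per
    burst; the window is cleared after alerting so the rule does not re-fire
    on every further attempt of the same burst."""
    recent = defaultdict(deque)   # src_ip -> timestamps inside the window
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event"] != "LOGIN_FAILED":
            continue
        q = recent[e["src_ip"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:      # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append(("FAILED_LOGIN_BURST", e["src_ip"], len(q)))
            q.clear()
    return alerts


RULES = (rule_off_hours_master_data, rule_sod_create_then_approve,
         rule_failed_login_burst)


def run_pipeline(raw_lines):
    """Collection -> normalisation -> correlation; returns the alert list."""
    events = [normalise(line) for line in raw_lines]
    alerts = []
    for rule in RULES:
        alerts.extend(rule(events))
    return alerts


if __name__ == "__main__":
    for alert in run_pipeline(RAW_EVENTS):
        print(alert)
```

On the constructed input the pipeline raises exactly three alerts: the Sunday bank-detail change by jdoe, jdoe's create-then-approve on SUP-4712 within the same day, and one burst alert for 198.51.100.23 at the 30th failed attempt. asmith's create and approve are two days apart and correctly stay silent. Two design points carry over to real rule content: the SoD rule sorts by timestamp before correlating, because events from different collectors rarely arrive in order, and the burst rule emits one alert per burst rather than one per attempt, which is the difference between a usable queue and alert fatigue.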

Also consider: SAP Business One · Microsoft Dynamics 365 Business Central

Related Topics

  • Audit trail
  • Single sign-on
  • ERP

Sources

This term definition is based on research from the following source types:

  • Standard textbooks on business informatics and ERP literature (Hansen/Mendling, Becker, Mertens)
  • Vendor documentation of leading ERP providers (SAP, Microsoft, Oracle, Sage, Infor)
  • Industry studies from Gartner, Forrester and IDC plus user studies focused on Germany, Switzerland and Austria (annual)
  • Consulting experience from 100+ implementation projects in the mid-market in Germany, Switzerland and Austria

Further Reading

  • ERP System Definition
  • ERP vs CRM
  • What is an ERP System?
  • Cloud ERP vs On-Premise
  • ERP Vendors Overview
  • Find ERP Consultants
  • ERP for small companies
  • ERP for the mid-market

Frequently Asked Questions

Do I need SIEM if I am a mid-market manufacturer?

From the October 2024 transposition deadline, the NIS-2 directive brings many mid-market manufacturers (50 or more employees, or more than 10 million EUR turnover, in the sectors the directive lists) into scope. For those entities, SIEM-grade incident detection is effectively mandatory, since the 24-hour early-warning and 72-hour notification duties cannot be met without it. Smaller companies can defer their own SIEM and rely on managed detection-and-response (MDR) services from providers like Telekom Security, Bitdefender or Sophos, which still gives them a centralised, off-ERP copy of the audit trail.

How does SIEM compare to traditional audit trails?

An ERP audit trail records what happened inside the ERP. SIEM correlates ERP events with data from outside the ERP — the firewall, the VPN, the identity provider, the endpoint — to spot multi-system attack patterns that a single audit trail cannot detect.

What is the typical implementation effort for SIEM?

For a mid-market deployment, plan 6 to 12 months from procurement to operational state, with 50 to 200 person-days of effort across security engineering, ERP-side integration and detection-rule tuning. Budget the largest share for tuning: the first weeks of a new SIEM surface every batch job, service account and interface that looks anomalous until it is baselined. Continued tuning is essential; an unmaintained SIEM produces alert fatigue that quickly erodes its value.

erp-software.org · the independent ERP comparison for the mid-market in Germany, Switzerland and Austria