SIEM (Security Information and Event Management) is the platform that collects logs from every system in your IT environment, correlates them in real time, and surfaces attack patterns — credential theft, ransomware pre-detonation, business email compromise — before damage occurs. Most Canadian SMBs access SIEM through a managed security service (CA$1,200–$5,000/month) rather than running the platform in-house, because the value comes from the analysts watching the output, not the software itself. Before deciding on SIEM, confirm you have EDR deployed on all endpoints and MFA enforced everywhere — a cybersecurity risk assessment will identify which controls to layer in which order.
What is SIEM? The definition, without the jargon
SIEM stands for Security Information and Event Management. It combines two older categories: SIM (Security Information Management, focused on long-term log collection, storage, and audit reporting) and SEM (Security Event Management, focused on real-time event correlation and alerting). Modern SIEM platforms merge both into a single platform that simultaneously handles log aggregation at scale and real-time threat detection.
At its core, a SIEM is a central aggregation point for every log your IT environment generates. Firewalls log every permitted and blocked connection. Windows servers log every user login, privilege change, and service start. Microsoft 365 logs every email sent and received, every document opened, every admin change made in the tenant. Active Directory logs every password reset, group membership change, and failed authentication. A VPN gateway logs every remote session. An endpoint protection platform logs every process execution, network connection, and file operation on every device it manages.
Individually, each of these logs tells an incomplete story. A single failed login on a workstation is background noise — it happens hundreds of times a day on any network. But that same failed login followed by a successful authentication three minutes later from a previously unseen IP address, followed by a new inbox forwarding rule in Microsoft 365 that copies all email to an external address, followed by a connection to a cloud storage domain your organization has never used before — that is a business email compromise attack in progress. A SIEM correlates those individual events from four different systems, in real time, and fires a single high-priority alert telling an analyst exactly what is happening and in what sequence.
The second pillar of a SIEM is behavioural analytics, increasingly called UEBA (User and Entity Behaviour Analytics). Rather than only matching known attack signatures, UEBA learns the normal baseline for your environment: which users log in at which hours, from which locations, to which resources, using which applications. When observed behaviour deviates significantly from that baseline — a finance manager's account logging in from Romania at 3 a.m. when she has never accessed the system outside Ontario — the SIEM flags the anomaly even if no specific attack signature matches. This is the capability that catches zero-day exploits, insider threats, and novel attacker techniques that signature-based tools miss entirely.
A SIEM is a detection and visibility tool, not a prevention tool. It does not block attacks by itself. Its value is in what it enables: a security analyst with a SIEM has a complete, correlated picture of everything happening in the environment. Without a SIEM, that same analyst is reading individual device logs in isolation, unable to connect events across systems, and almost certain to miss the multi-stage attack chains that characterize modern threats.
How a SIEM processes your data: from log to alert
Understanding the pipeline from raw log data to actionable alert clarifies what a SIEM actually does at each stage — and where the analyst's time goes.
- Log collection and forwarding: Log sources are configured to send event data to the SIEM continuously. Windows systems use Windows Event Forwarding (WEF) or a lightweight agent. Linux systems send logs via syslog. Firewalls, network devices, and cloud platforms use API connectors or syslog-over-TLS. For a 50-user Canadian SMB, this generates 500,000 to 2,000,000 discrete log events per day across all sources combined.
- Normalization and parsing: Raw log data from different vendors looks completely different — a Fortinet firewall log entry looks nothing like a Windows Security Event or a Microsoft 365 audit record. The SIEM's ingestion layer normalizes all incoming data into a common schema (source IP, destination IP, user, timestamp, action, outcome, resource) so correlation rules can query across sources without needing to understand each vendor's proprietary format.
- Indexing and storage: Normalized events are indexed for fast search and stored according to your retention policy — typically 90 days of hot storage for active search, 12–24 months of cold storage for audit and forensics. Storage is where cloud SIEM pricing (per-GB-ingested) matters most; verbose logging configurations can multiply ingestion volume without proportional security benefit.
- Correlation rule evaluation: Every incoming event is evaluated against hundreds of detection rules simultaneously. Rules are logic statements written against the normalized data: "alert when the same user account generates more than five failed authentication events in 60 seconds followed by one success." More complex multi-stage rules look across longer time windows and multiple event sources: "alert when a new email forwarding rule is created in Microsoft 365 within 30 minutes of an Azure AD sign-in from a new geolocation." These rules are mapped to the MITRE ATT&CK framework, which documents specific adversary techniques used by real threat actors — making it possible to align detections to the attacks actually targeting Canadian businesses.
- Behavioural baseline profiling (UEBA): In parallel with rule-based detection, the SIEM builds and continuously refines a statistical model of normal behaviour for each user, device, and service account in the environment. Anomaly scoring is applied to events that deviate from the baseline, even when no rule fires. An account that has never performed a bulk file download and suddenly generates a 500-file download event scores highly regardless of whether a specific rule exists for that action.
- Alert generation and prioritization: Rule matches and high anomaly scores generate alerts, ranked by severity (informational, low, medium, high, critical) and confidence (how strongly the available evidence supports a true-positive classification). A well-tuned SIEM for a 50-user environment should generate 10–25 medium-or-higher alerts per week for human review — not 500. The tuning work to get from initial deployment (often 1,000+ alerts/week) to steady-state is one of the most labour-intensive parts of SIEM operation.
- Threat intelligence enrichment: Before an alert reaches an analyst, the SIEM automatically enriches it with threat intelligence: checking source IP addresses and domains against known-malicious feeds (abuse.ch, Recorded Future, the Canadian Centre for Cyber Security's cyber threat feeds at cyber.gc.ca), looking up file hashes against VirusTotal, and tagging observed techniques against MITRE ATT&CK. Enrichment dramatically accelerates triage — an alert about a connection to a known ransomware command-and-control server is immediately classified as high-severity rather than requiring the analyst to research it from scratch.
- Analyst triage and investigation: A security analyst reviews the enriched alert, consults the correlated events in the surrounding time window, examines the affected endpoint's EDR telemetry, and determines whether the alert is a true positive requiring action, a false positive to document and suppress, or a true positive requiring escalation to incident response. This is the step where human judgment is irreplaceable — no automation reliably distinguishes a legitimate administrator remotely accessing a server at midnight from an attacker doing the same thing.
- Containment and response: Confirmed incidents trigger pre-authorized containment actions: endpoint isolation from the network, account lockout in Active Directory or Azure AD, session revocation in Microsoft 365, firewall rule updates to block malicious IP ranges. The specific actions taken, and who has pre-authorization to take them, are defined in the incident response playbooks established during SIEM onboarding.
- Reporting and compliance documentation: The SIEM generates weekly, monthly, and quarterly reports documenting alert volumes by severity, incidents detected and closed, mean time to detect (MTTD) and mean time to respond (MTTR) metrics, log source health (confirming all log sources are actively forwarding), and compliance-mapped evidence. These reports form the audit trail required under PIPEDA breach reporting obligations, Quebec Law 25's CAI notification requirements, and OSFI B-13 technology risk documentation standards.
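The normalization and correlation-rule stages above, and the BEC chain described earlier, as a small worked example. This is an added illustration, not code from the page or from any SIEM vendor (a Sentinel deployment would express these rules in KQL): the field names follow the public shapes of Windows Security events, Entra ID sign-in logs and the Microsoft 365 unified audit log, every record is a constructed sample, and the per-user country baseline is hard-coded where a UEBA layer would learn it.

```python
"""Normalize three vendor log formats into one schema and evaluate the two correlation
rules quoted in the pipeline. Added illustration; all records are constructed samples."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry. Windows: 4625 = failed logon, 4624 = successful logon.
WINDOWS_EVENTS = [
    {"EventID": 4625, "TargetUserName": "J.Tremblay", "IpAddress": "203.0.113.7",
     "TimeCreated": f"2026-02-03T02:14:{s:02d}Z"} for s in (1, 6, 11, 16, 21, 26)
] + [
    {"EventID": 4624, "TargetUserName": "J.Tremblay", "IpAddress": "203.0.113.7",
     "TimeCreated": "2026-02-03T02:14:40Z"},
    {"EventID": 4625, "TargetUserName": "m.roy", "IpAddress": "198.51.100.4",
     "TimeCreated": "2026-02-03T08:00:00Z"},  # one typo, then success: background noise
    {"EventID": 4624, "TargetUserName": "m.roy", "IpAddress": "198.51.100.4",
     "TimeCreated": "2026-02-03T08:00:09Z"},
]
ENTRA_SIGNINS = [
    {"userPrincipalName": "j.tremblay@example.ca", "ipAddress": "203.0.113.7",
     "location": {"countryOrRegion": "RO"}, "status": {"errorCode": 0},
     "createdDateTime": "2026-02-03T02:20:00Z"},
]
M365_AUDIT = [
    {"Operation": "New-InboxRule", "UserId": "j.tremblay@example.ca", "ClientIP": "203.0.113.7",
     "CreationTime": "2026-02-03T02:31:00Z", "Parameters": {"ForwardTo": "drop@example.net"}},
]
# Countries each user has signed in from before (constructed; UEBA would learn this).
KNOWN_GEO = {"j.tremblay": {"CA"}, "m.roy": {"CA"}}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def _user(name):
    return name.split("@")[0].lower()

def normalize(source, rec):
    """Map a vendor record onto the common schema: user, src_ip, ts, action, outcome, geo, detail."""
    if source == "windows":
        return {"user": _user(rec["TargetUserName"]), "src_ip": rec["IpAddress"],
                "ts": _ts(rec["TimeCreated"]), "action": "auth",
                "outcome": "success" if rec["EventID"] == 4624 else "failure",
                "geo": None, "detail": {}}
    if source == "entra":
        return {"user": _user(rec["userPrincipalName"]), "src_ip": rec["ipAddress"],
                "ts": _ts(rec["createdDateTime"]), "action": "auth",
                "outcome": "success" if rec["status"]["errorCode"] == 0 else "failure",
                "geo": rec["location"]["countryOrRegion"], "detail": {}}
    if source == "m365":
        return {"user": _user(rec["UserId"]), "src_ip": rec["ClientIP"],
                "ts": _ts(rec["CreationTime"]), "action": rec["Operation"],
                "outcome": "success", "geo": None, "detail": rec.get("Parameters", {})}
    raise ValueError(f"unknown log source: {source}")

def rule_bruteforce_then_success(events, max_failures=5, window=timedelta(seconds=60)):
    """More than `max_failures` failed auths for one user within `window`, then a success."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "auth":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        failures = []
        for e in evs:
            failures = [t for t in failures if e["ts"] - t <= window]  # slide the window
            if e["outcome"] == "failure":
                failures.append(e["ts"])
            else:
                if len(failures) > max_failures:
                    alerts.append({"rule": "brute_force_then_success", "user": user,
                                   "failures": len(failures), "src_ip": e["src_ip"], "ts": e["ts"]})
                failures = []  # a success resets the counter

    return alerts

def rule_forward_after_new_geo(events, known_geo, window=timedelta(minutes=30)):
    """An inbox rule that forwards mail, created within `window` of a sign-in from a new country."""
    evs = sorted(events, key=lambda e: e["ts"])
    new_geo = [e for e in evs if e["action"] == "auth" and e["outcome"] == "success"
               and e["geo"] and e["geo"] not in known_geo.get(e["user"], set())]
    alerts = []
    for r in evs:
        fwd = r["detail"].get("ForwardTo") or r["detail"].get("ForwardingSmtpAddress")
        if r["action"] != "New-InboxRule" or not fwd:
            continue
        for s in new_geo:
            if s["user"] == r["user"] and timedelta(0) <= r["ts"] - s["ts"] <= window:
                alerts.append({"rule": "forward_rule_after_new_geo_signin", "user": r["user"],
                               "country": s["geo"], "forward_to": fwd, "ts": r["ts"]})
                break
    return alerts

def run_all():
    """Normalize every sample record, then evaluate both rules over the combined stream."""
    events = ([normalize("windows", r) for r in WINDOWS_EVENTS]
              + [normalize("entra", r) for r in ENTRA_SIGNINS]
              + [normalize("m365", r) for r in M365_AUDIT])
    return rule_bruteforce_then_success(events) + rule_forward_after_new_geo(events, KNOWN_GEO)
```

Against the sample stream, the six rapid failures and the success for j.tremblay fire the first rule, and the forwarding rule created 11 minutes after the sign-in from a country outside the baseline fires the second; m.roy's single typo produces nothing.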
SIEM log sources: the data your platform needs to see threats
A SIEM is only as good as the telemetry it receives. Many Canadian SMBs onboard a SIEM and connect only their firewall and Windows event logs — then wonder why the service misses a Microsoft 365-based business email compromise attack. Coverage of the right log sources is not optional; it is the prerequisite for the detections to fire. The following sources are listed in priority order for a typical Canadian SMB environment.
- Microsoft 365 unified audit logs — Exchange Online (email send/receive/forward), SharePoint (document access, sharing), OneDrive (file sync, external sharing), Teams (message events), and admin activity. This single source covers the primary attack surface for the majority of Canadian SMBs. Requires Microsoft 365 E3 or higher licensing for full audit log access; Purview Audit is needed for extended retention beyond 90 days.
- Azure Active Directory / Entra ID sign-in and audit logs — Every authentication event (success and failure), conditional access policy evaluation, MFA challenge result, privileged role assignment, and application consent. Critical for detecting credential attacks, impossible travel, and privilege escalation. Available via Microsoft Sentinel's native Azure AD connector at no additional API cost.
- Endpoint protection / EDR telemetry — Process execution chains, network connections initiated by processes, file system changes, registry modifications, PowerShell command execution. Platforms include Microsoft Defender for Endpoint (built into Windows 11), CrowdStrike Falcon, SentinelOne Singularity, and Sophos Intercept X. This is the primary source for detecting ransomware pre-detonation behaviour (shadow copy deletion, mass file encryption) and post-exploitation lateral movement. See our guide to endpoint protection for Canadian businesses for deployment considerations.
- Firewall and perimeter security logs — Permitted and blocked connections, geolocation of source IPs, protocol anomalies, and DNS-layer blocking events. Common Canadian SMB firewalls: Fortinet FortiGate (native syslog), Cisco Meraki, Palo Alto Networks, and SonicWall. Firewall logs identify exfiltration attempts (large outbound data volumes to unusual destinations) and command-and-control callbacks.
- VPN gateway logs — Authentication events for remote access sessions, session duration and data volume, source geolocation. Critical for detecting impossible travel (a user authenticating from Toronto and Mumbai within the same hour) and unauthorized remote access. Applies to Cisco AnyConnect, GlobalProtect, Azure VPN Gateway, and Zscaler Private Access.
- Active Directory event logs — Domain controller Security event channel covering privileged account usage, Kerberos ticket requests (detecting Pass-the-Ticket attacks), Group Policy changes, security group membership changes, and service account activity. Windows Sysmon (a free Microsoft tool) dramatically enhances endpoint telemetry depth when deployed to all domain-joined systems.
- DNS query logs — Queries made by internal resolvers, flagged against threat intelligence for known-malicious domains, command-and-control infrastructure, and data exfiltration via DNS tunnelling. CIRA (cira.ca) provides the CIRA Canadian Shield service, which can be configured as a DNS resolver with logging for Canadian SMBs.
- Cloud platform logs — Azure Monitor / Activity Logs for Azure workloads, AWS CloudTrail for AWS environments, Google Cloud Audit Logs for GCP. Covers virtual machine creation and deletion, storage access, security group changes, and IAM role assignments — critical for detecting cloud misconfiguration exploitation and unauthorized resource provisioning.
- Email security gateway logs — Accepted, quarantined, and rejected messages; attachment scanning results; URL rewriting events; impersonation detections. Providers: Microsoft Defender for Office 365, Proofpoint, Mimecast. Correlating email security events with subsequent user authentication events (a user clicking a phishing link followed by an Azure AD login from an unusual location) is one of the most valuable SIEM use cases for SMBs.
- Application and business system logs — ERP authentication and admin events, CRM access logs, payroll system logins, custom web application authentication. These are the hardest to connect (often requiring custom log parsers) but highest-value for detecting insider threats and targeted attacks against business-critical systems.
Why Canadian SMBs face increasing pressure to deploy security monitoring
The Canadian Centre for Cyber Security (CCCS), the Government of Canada's technical authority on cybersecurity operating under the Communications Security Establishment (CSE) at cyber.gc.ca, publishes an annual National Cyber Threat Assessment that consistently identifies Canadian businesses — particularly in professional services, healthcare, finance, manufacturing, and legal — as high-value targets for both financially motivated criminal groups and state-sponsored threat actors.
The 2025–2026 NCTA highlights several trends directly relevant to Canadian SMBs. Ransomware-as-a-service operations continued targeting mid-market Canadian organizations, with professional services firms (accounting, legal, consulting) accounting for a disproportionate share of reported incidents relative to their size. Business email compromise (BEC) attacks targeting Canadian payroll and accounts payable departments showed continued growth, with attackers maintaining persistent access to Microsoft 365 environments for an average of 28–42 days before executing a fraudulent wire transfer — a detection window that only SIEM-based monitoring can reliably cover. Supply chain attacks against Canadian IT managed service providers (MSPs) cascaded to hundreds of SMB clients in 2024, a pattern expected to continue.
CIRA's 2024–2025 Canadian Internet security research documents that Canadian organizations experienced significant volumes of malicious DNS queries and command-and-control traffic throughout the period. The majority of DNS-layer threat indicators could be identified through log correlation — activity that SIEM monitoring catches and that no other tool in the standard SMB stack detects in real time.
Beyond the threat landscape, two structural pressures are driving SIEM adoption among Canadian SMBs faster than any sales cycle. First, cyber insurance carriers have materially tightened underwriting standards: policies issued in 2025–2026 require documented security monitoring as a precondition for coverage at reasonable premiums, and some carriers deny claims when breach investigation reveals the insured had no logging or monitoring at the time of the incident. Second, Quebec Law 25 (fully in force since September 2023) requires privacy incident documentation and notification to the Commission d'accès à l'information (CAI) within 72 hours of discovering a breach affecting personal information — a timeline that is impossible to meet without active monitoring to detect and scope the incident rapidly.
Cloud SIEM vs on-premises SIEM: which is right for a Canadian SMB?
The choice between cloud and on-premises SIEM deployment is primarily driven by data residency requirements, existing infrastructure investments, and the availability of in-house expertise to operate the platform.
Cloud SIEM platforms — Microsoft Sentinel, Rapid7 InsightIDR, Sumo Logic, Elastic Cloud Security — run in a cloud provider's data centre. For the large majority of Canadian SMBs, Microsoft Sentinel is the correct default: it integrates natively with Microsoft 365, Azure AD, Defender for Endpoint, and the full Microsoft security stack via pre-built connectors requiring no custom development. It runs on Microsoft Azure's Canadian regions — Canada Central (Toronto) and Canada East (Québec City) — which means log data is processed and stored within Canada, satisfying the data residency requirements most Canadian businesses face under PIPEDA and Quebec Law 25. Sentinel pricing is consumption-based (per-GB ingested) with commitment tiers that significantly reduce effective cost for predictable workloads. For a 50-user SMB, Sentinel licensing runs approximately CA$400–$900/month at baseline; a managed service adds analyst coverage on top of that.
On-premises SIEM platforms — Splunk Enterprise, IBM QRadar, LogRhythm SIEM — run on hardware in your data centre or a co-location facility. They offer maximum data sovereignty (no logs leave your network perimeter), are well-suited to air-gapped environments, and avoid per-GB ingestion costs. The trade-offs are significant for SMBs: you are responsible for hardware procurement and maintenance, platform updates (major Splunk and QRadar upgrades are significant engineering projects), high-availability design, backup and disaster recovery, and scaling capacity as data volumes grow. On-premises SIEM requires at minimum one dedicated platform administrator familiar with the product — a specialized role that commands CA$90,000–$140,000/year in the Canadian market.
For regulated industries with specific data residency requirements beyond PIPEDA — financial institutions under OSFI guidance, defence contractors, organizations processing Protected B government data — on-premises or hybrid SIEM deployed in certified Canadian facilities may be required. For those organizations, platforms like Splunk in a Canadian co-location with CSE-compliant controls are the appropriate choice. Contact a qualified security architect to design the deployment.
For the overwhelming majority of Canadian SMBs: cloud SIEM on Microsoft Azure Canadian regions, deployed and operated by a managed security service provider, is the fastest path to genuine SIEM coverage at a predictable monthly cost. The native Microsoft 365 integration alone — which covers the primary attack surface for most SMBs — justifies the platform choice before considering any other factor. See our guide to Microsoft 365 security for Canadian businesses for the configuration prerequisites that make Sentinel most effective.
SIEM vs SOAR vs XDR: which technology does your SMB actually need?
The managed security market's acronym soup — SIEM, SOAR, XDR, MDR, MSSP, SOC — confuses buyers into either purchasing overlapping tools or avoiding the entire category. Here is a plain-English breakdown of what each technology does and how they relate to one another.
SIEM is the log aggregation and correlation engine. It collects, normalizes, and correlates logs from every connected source, applies detection rules and behavioural analytics, and generates alerts for analyst review. A SIEM does not take action — it detects and documents. It requires human analysts or automation to act on its output.
SOAR (Security Orchestration, Automation, and Response) takes SIEM alerts as input and executes response playbooks automatically. When a SOAR playbook fires on a high-confidence alert — for example, a detected PowerShell download-cradle execution (a common ransomware delivery technique) — it automatically isolates the affected endpoint, disables the user account, opens a ticketing system incident, and notifies the on-call analyst, all within seconds. SOAR dramatically reduces the manual workload for repetitive tier-1 response tasks, freeing analysts for complex investigation. Most managed security providers operate SOAR internally as part of their service delivery platform; SMBs benefit from it without purchasing or managing the platform directly.
XDR (Extended Detection and Response) integrates endpoint, identity, email, network, and cloud telemetry into a single vendor platform with built-in response capability — tighter integration than a SIEM + individual vendor tools, but less flexible for ingesting data from heterogeneous environments. Leading XDR platforms in the Canadian market include Microsoft 365 Defender (which Sentinel extends), CrowdStrike Falcon Complete, and SentinelOne Singularity. XDR is particularly effective in organizations with a homogeneous tool stack; it is less suitable when legacy or custom applications require custom log parsers that XDR platforms do not natively support.
| Dimension | SIEM | SOAR | XDR |
|---|---|---|---|
| Primary function | Log aggregation + correlation + alerting | Automated response to alerts | Unified detection + integrated response |
| Data source flexibility | Very high — ingest any log via syslog/API | High — orchestrates any tool via API | Lower — primarily vendor ecosystem |
| Analyst workload | Heavy — analysts triage all alerts | Reduced — automation handles tier-1 | Moderate — XDR pre-filters noise |
| Compliance/audit trail | Excellent — full log retention + reporting | Good — logs playbook actions | Good — vendor-specific reports |
| CA$ entry cost (managed) | CA$1,200+/month | Bundled in managed SOC service | CA$15–$35/endpoint/month |
| Best for | Compliance + broad visibility across all sources | Reducing analyst toil at scale | EDR-first orgs with homogeneous tool stacks |
| Canadian SMB access model | Via managed SOC (Microsoft Sentinel) | Included in managed SOC service | Via MDR service (CrowdStrike, Defender) |
In practice, a mature managed security service for a Canadian SMB will operate SIEM, SOAR, and XDR-class capabilities together, without requiring the buyer to purchase or integrate each separately. When evaluating managed security providers, ask specifically: which SIEM platform do you operate on my behalf? Do you use SOAR to automate tier-1 response? What EDR/XDR platform do your analysts work with on endpoint telemetry? The answers reveal the maturity of the service stack beneath the marketing.
Eight SIEM use cases that matter for Canadian SMBs
Abstract threat detection capability is hard to evaluate. These are the specific scenarios where SIEM monitoring delivers measurable value for businesses operating in the Canadian market, drawn from incident patterns documented by the CCCS and Canadian managed security providers.
1. Ransomware pre-detonation detection. Modern ransomware operators spend days or weeks inside a network before encrypting anything — mapping drives, stealing credentials, establishing persistence, and disabling backups. SIEM detects the pre-detonation behaviour (Volume Shadow Copy deletion, mass credential dumping via tools like Mimikatz, unusual SMB lateral movement between servers) and can trigger containment before the encryption payload executes. This is the use case that makes SIEM most valuable from a financial loss prevention standpoint.
2. Business email compromise (BEC) detection. Attackers who successfully phish a Microsoft 365 password immediately create inbox forwarding rules to intercept incoming communications, add external delegates to shared mailboxes, or modify auto-reply settings. SIEM correlates the new forwarding rule event with the preceding login-from-unusual-location event to fire a single high-confidence alert, rather than requiring an analyst to find both events separately.
3. Credential stuffing and account takeover. Automated credential stuffing attacks try millions of username/password combinations against Microsoft 365, VPN, and web application login endpoints. SIEM detects the combination of high failed authentication volumes followed by a success, particularly when the success originates from a known-malicious IP or unusual geolocation.
4. Impossible travel and session anomalies. A user's account authenticating from Mississauga and Seoul within the same two-hour window is physically impossible — it means the account is compromised. SIEM's UEBA layer catches this automatically using geolocation data from Azure AD sign-in logs, even without a specific attacker IP match.
5. Privileged account abuse. Domain administrator accounts and service accounts are the highest-value targets in any Windows environment. SIEM monitors every privileged action — a domain admin account logging into a workstation it has never accessed, a service account executing interactive PowerShell sessions — and alerts when privileged activity deviates from baseline. Attackers who compromise a domain admin account often have complete access within minutes; SIEM's baseline monitoring is the earliest-warning detection available.
6. Cloud misconfiguration exploitation. Attackers actively scan for misconfigured cloud storage buckets, overly permissive Azure RBAC assignments, and publicly exposed management ports. SIEM monitoring of Azure Activity Logs and AWS CloudTrail detects unauthorized access attempts against cloud resources and changes to security group rules or storage access controls.
7. Insider threat detection. Employees who access unusually large volumes of sensitive documents before a departure date, access systems outside their role, or copy data to personal cloud storage show behavioural signatures that SIEM's UEBA layer flags — even when all of their individual actions are technically authorized.
8. Compliance audit trail generation. For Canadian businesses with PIPEDA, Law 25, OSFI B-13, or SOC 2 Type II obligations, SIEM's log retention and reporting capability provides the documented evidence of monitoring required to demonstrate compliance. Every alert, investigation, and containment action is logged with timestamps, analyst notes, and evidence — the audit trail required if a breach must be reported to the OPC at priv.gc.ca or the CAI.
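The impossible-travel check in use case 4, as an added example rather than code from the page or any UEBA product. It computes the great-circle distance between consecutive successful sign-ins for the same user and flags any pair whose implied ground speed exceeds a plausibility threshold; the sign-in records, city coordinates and the 1,000 km/h threshold are constructed assumptions.

```python
"""Impossible-travel detection over constructed sign-in records. Added example:
consecutive sign-ins for one user imply a ground speed; anything faster than an
airliner is flagged. Coordinates are approximate city centres."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 1000.0   # assumed threshold; tune per environment
MIN_DISTANCE_KM = 50.0       # ignore IP-geolocation jitter inside one metro area
EARTH_RADIUS_KM = 6371.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

# Constructed successful sign-ins, shaped like the location block of a sign-in log.
SIGNINS = [
    {"user": "s.patel@example.ca", "ts": "2026-02-10T13:05:00Z",
     "city": "Mississauga", "lat": 43.59, "lon": -79.64},
    {"user": "s.patel@example.ca", "ts": "2026-02-10T14:40:00Z",
     "city": "Seoul", "lat": 37.57, "lon": 126.98},
    {"user": "d.morin@example.ca", "ts": "2026-02-10T08:00:00Z",
     "city": "Montreal", "lat": 45.50, "lon": -73.57},
    {"user": "d.morin@example.ca", "ts": "2026-02-10T16:30:00Z",
     "city": "Toronto", "lat": 43.65, "lon": -79.38},  # a normal same-day drive
]

def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return one alert per consecutive sign-in pair that would require implausible speed."""
    by_user = defaultdict(list)
    for s in signins:
        by_user[s["user"]].append({**s, "dt": datetime.strptime(s["ts"], "%Y-%m-%dT%H:%M:%SZ")})
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["dt"])
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < min_km:
                continue
            hours = (cur["dt"] - prev["dt"]).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")  # same timestamp: unreachable
            if kmh > max_kmh:
                alerts.append({"user": user, "from": prev["city"], "to": cur["city"],
                               "km": round(km), "hours": round(hours, 2), "kmh": round(kmh)})
    return alerts
```

On the sample data, the Mississauga to Seoul pair (roughly 10,600 km in 95 minutes) is flagged while the Montreal to Toronto pair is not.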
SIEM pricing in Canada 2026: what to budget in CA$
SIEM pricing varies by deployment model (managed vs. self-operated), platform, log data volume, user count, and scope of included analyst services. All figures below are in Canadian dollars, before HST/GST, and are 2026 market estimates. Managed pricing includes platform licensing, log ingestion costs, and analyst coverage. DIY pricing covers platform licensing only and excludes the staffing cost required to operate the platform.
| Platform / Tier | User range | Log ingestion | CA$/month (managed) | Notes |
|---|---|---|---|---|
| Microsoft Sentinel (managed) | Up to 50 users | < 5 GB/day | CA$1,200 – CA$2,500 | Native M365 + Azure AD integration; Canadian data centres |
| Microsoft Sentinel (managed) | 50–150 users | 5–20 GB/day | CA$2,500 – CA$5,000 | Includes compliance reports; PIPEDA/Law 25 evidence |
| Elastic Security (managed) | Up to 75 users | < 8 GB/day | CA$1,000 – CA$2,800 | Open-source base; lower licensing cost; requires MSP expertise |
| Splunk Cloud (managed) | 75–250 users | 10–30 GB/day | CA$4,500 – CA$9,000 | Premium analytics; suited to larger or regulated organizations |
| Microsoft Sentinel (DIY) | 50–150 users | < 10 GB/day | CA$500 – CA$1,500 (licensing only) | Add CA$300K–$700K/year for analyst staffing; not viable for most SMBs |
| IBM QRadar (managed) | 150–500 users | 20–50 GB/day | CA$6,000 – CA$15,000 | Enterprise; strong in financial services and government |
Pricing variables that shift your effective monthly cost by 30–60%: Is EDR platform licensing included or billed separately? Is SOAR automation included? Does the monthly fee include compliance report preparation (SOC 2 evidence, PIPEDA documentation), or is that a separately quoted deliverable? What is the onboarding fee (typically CA$3,000–$15,000 one-time)? How many incident response hours are included per month before overage rates (CA$250–$400/hour) apply? Get explicit answers to all five questions before signing a managed SIEM contract.
Hidden costs most SIEM proposals don't disclose
The headline monthly fee in a managed SIEM proposal tells you less than half the story. Understanding the true total cost of ownership prevents expensive surprises six months into a contract.
Log storage and ingestion overages. Cloud SIEM pricing is fundamentally consumption-based. Enabling verbose logging on all endpoints and enabling every available log source can 5–10× your data volume compared to the baseline estimate used in your proposal. The difference between 3 GB/day and 15 GB/day can add CA$800–$2,000/month to your Microsoft Sentinel bill. Right-size your logging configuration during onboarding — not all log sources provide equal detection value, and a competent managed security provider will help you prioritize high-signal sources over high-volume ones.
Alert tuning labour in the first 60–90 days. A fresh SIEM deployment against a new environment generates hundreds to thousands of alerts daily — mostly false positives from legitimate behaviour that looks suspicious to default detection rules. Tuning those rules to reflect your environment's normal patterns typically requires 60–90 days of focused analyst effort. This work is often not included in standard managed SIEM contract fees; clarify in advance whether rule tuning during the onboarding period is included or billed as professional services at your provider's hourly rate.
Custom integration development. Connecting standard log sources (Microsoft 365, Windows, Fortinet firewalls, major EDR platforms) uses pre-built connectors and costs nothing beyond setup time. Connecting custom or legacy applications — an internally developed ERP system, a proprietary database application, a 15-year-old manufacturing system — requires custom log parser development. Budget CA$2,000–$8,000 per custom integration, depending on log format complexity and the provider's hourly rate.
Incident response overages. Most managed SIEM contracts include a fixed number of analyst hours for incident response per month — commonly 5–15 hours. For a quiet month with no significant incidents, this is adequate. A meaningful incident — a business email compromise investigation, a ransomware triage — can consume 20–80 analyst hours. Know your overage rate (typically CA$250–$450/hour) and whether your contract allows you to pre-purchase incident response retainer hours at a discounted rate. Organizations in high-risk verticals (professional services, healthcare, financial services) should strongly consider an explicit IR retainer.
Compliance report preparation. Some managed SIEM providers include monthly and quarterly compliance reports (PIPEDA breach documentation templates, SOC 2 Type II evidence packages, OSFI B-13 monitoring records) in the standard monthly fee. Others charge CA$500–$2,500 per report package. If compliance documentation is a primary driver for deploying SIEM — as it is for most Canadian SMBs — confirm what reports are included, in what format, and whether they are accepted by your insurer and auditors before committing.
When a Canadian SMB actually needs SIEM — and when it doesn't
SIEM is not the right first security investment for every business. Getting the sequence wrong — deploying SIEM before foundational controls are in place — wastes money and produces poor detection coverage. Here is how to assess where your business stands.
You should prioritize SIEM now if:
- Your cyber insurance renewal questionnaire requires "active security monitoring and log management" — and you currently have neither.
- You handle regulated personal data under PIPEDA (sensitive employee data, customer financial records, health information) or fall under Quebec Law 25 with obligations to the CAI.
- You have OSFI B-13 technology risk management documentation requirements as a federally regulated financial institution or a material technology service provider to one.
- You have a SOC 2 Type II, ISO 27001, or NIST CSF audit requirement from a major client or enterprise partner.
- You have experienced a security incident — or discovered your IT provider had no logging enabled — and realized you had zero visibility into what happened.
- You have 50+ employees, significant cloud workloads, and a distributed remote workforce creating an attack surface that no single device's alerts can cover comprehensively.
- Your IT service provider manages multiple clients' environments from shared tooling and you want independent visibility into your own security posture.
You should focus on foundational controls first if:
- You have fewer than 20 employees with no regulated data and no cloud workloads beyond Microsoft 365 — start with MFA on all accounts, EDR on all endpoints, and a documented backup. A penetration test will tell you what gaps to close first.
- You have not deployed EDR on all endpoints. A SIEM without EDR telemetry is monitoring an incomplete picture; endpoint events are the primary detection source for ransomware and most post-exploitation activity.
- You do not have MFA enforced on all remote access and email accounts. A SIEM will detect the account takeover, but MFA prevents it entirely — the prevention is worth more than the detection at this stage.
- Your Microsoft 365 audit logging is not enabled (it requires E3 licensing or above; Basic Audit is included in E1 but limits log categories and retention). Without audit logging enabled in your M365 tenant, a SIEM has nothing to ingest from your primary collaboration platform.
Managed SIEM vs DIY: the real total cost comparison
The most common objection to managed SIEM — "we could just run Sentinel ourselves, it's just a SaaS platform" — ignores the human capital reality of operating a SIEM effectively. The platform is the easy part. The analysts consuming its output around the clock are what make it valuable.
Running your own Microsoft Sentinel deployment requires:
- A dedicated analyst who knows Sentinel's KQL query language and detection engineering (CA$85,000–$130,000/year in base salary and benefits in the Canadian market).
- 4–8 weeks of initial deployment and log source integration.
- 5–10 hours per week of ongoing rule tuning and maintenance to keep pace with new attack techniques.
- 24/7 coverage, which requires either additional staff on shift rotation (3–4 analysts minimum for round-the-clock coverage) or on-call pager duty that rapidly causes burnout and retention problems.
- Annual platform updates, threat intelligence subscription management, and capacity planning as data volumes grow.
The fully loaded annual cost of a functional DIY SIEM operation for a 50–150 user Canadian organization: CA$350,000–$750,000 per year, almost entirely in analyst salaries and benefits. This is before factoring in analyst attrition — the cybersecurity talent market in Canada is competitive, and losing a trained Sentinel analyst costs 1.5–2× annual salary in recruiting and productivity loss.
A managed SIEM service covering the same organization costs CA$2,000–$5,000/month — CA$24,000–$60,000/year — with a pre-built team of trained analysts, established detection engineering, continuous threat intelligence, and contractual SLA commitments. The economics overwhelmingly favour managed over DIY for any Canadian organization under approximately 300–400 employees.
For Canadian businesses that want to build internal security capability over time, a managed SIEM arrangement serves an additional purpose: it creates a structured training environment. Your in-house IT staff can work alongside the managed team — co-monitoring alert queues, participating in incident investigations, learning Sentinel KQL and detection engineering — while the managed provider maintains the 24/7 coverage baseline. For organizations that want managed SIEM and 24/7 SOC coverage without building an internal team, IT Cares deploys and operates managed SIEM for Canadian SMBs from initial log-source onboarding through to monthly compliance reporting.
How to evaluate a managed SIEM provider: a due diligence checklist
Not all managed security providers deliver the same SIEM quality, even at similar price points. These are the evaluation criteria that separate genuine 24/7 monitoring from a basic alerting service with a managed SIEM marketing label.
- Data residency confirmed in writing. Verify in the service agreement that log data is processed and stored exclusively in Canadian Azure regions (Canada Central, Canada East) or equivalent Canadian-based infrastructure. "North American" data centres include US regions, which may not satisfy PIPEDA and Law 25 data residency expectations for sensitive personal information.
- SLA defines MTTD and MTTR in minutes, not hours. Mean time to detect (MTTD) should be under 15 minutes for high-severity alerts. Mean time to respond (MTTR — meaning analyst triage, validation, and initial containment initiated) should be under 30 minutes. Anything measured in hours for high-severity events is insufficient; an active ransomware detonation can encrypt an entire file server in under 20 minutes.
- "Respond" is defined as containment action, not notification. Ask specifically: when a high-confidence alert fires at 3 a.m., does your team take a containment action (endpoint isolation, account lockout) immediately, or do you send us an email to act on in the morning? The answer to this question is the most important differentiator between an MSSP (notification only) and true MDR/managed SOC (containment capability).
- Log sources included in base fee are listed by name. A contract that says "we monitor your environment" without naming the specific log sources is unacceptable. Get an explicit list: M365, Azure AD, Fortinet firewall, Windows Event Logs, SentinelOne EDR, etc. Any log source not in the list is not monitored.
- IR hours per month are stated, and overage rate is specified. Know in advance how many analyst hours for incident response are included monthly, and what the per-hour rate is for additional hours. This prevents a large invoice surprise after a significant incident.
- Compliance report format matches your requirements. Ask for a sample report. Confirm it maps to the specific frameworks your insurer, auditor, or regulator requires — PIPEDA breach documentation format, SOC 2 Type II evidence package structure, OSFI B-13 monitoring records. A generic "security summary" is not a compliance report.
- PIPEDA and Law 25 breach notification support is included. Under Law 25, breach notification to the CAI is required within 72 hours of discovery. Confirm your provider will assist with incident scoping and notification preparation within that timeline, not just deliver a post-incident report 30 days later.
- Provider references from comparable Canadian businesses are available. Ask for two or three reference contacts at Canadian SMBs of similar size, industry, and IT environment. The quality and responsiveness of the managed SOC during actual incidents is the dimension most underweighted by buyers who evaluate only based on pricing and platform marketing.
- Exit terms for your log data are specified. When the contract ends, what happens to the log data the provider has stored on your behalf? You need a contractual right to export your logs in a standard format within a defined window — 30–60 days is typical. Confirm before signing.
- Onboarding timeline and included professional services are specified. A realistic onboarding timeline for a 50-user environment with five primary log sources is 3–6 weeks. Confirm what is included (log connector setup, initial rule tuning, SOAR playbook configuration) and what is billed separately.
SIEM and Canadian compliance: PIPEDA, Law 25, OSFI, and cyber insurance
SIEM's compliance value is one of the primary drivers of adoption among Canadian SMBs, particularly as regulatory enforcement and insurance underwriting standards have both materially tightened since 2023.
PIPEDA (Personal Information Protection and Electronic Documents Act) — Canada's federal private-sector privacy law, administered by the Office of the Privacy Commissioner (OPC) at priv.gc.ca — requires organizations to implement "appropriate safeguards" proportional to the sensitivity of personal information they collect, use, or disclose. The OPC has consistently indicated through breach investigation findings that organizations handling sensitive personal data (financial records, health information, employee data) are expected to have active monitoring controls. SIEM provides the documented monitoring trail that demonstrates the "appropriate safeguards" standard was met. PIPEDA's mandatory breach reporting requirement (notification to the OPC "as soon as feasible" after a breach is discovered) also presupposes that the organization knows about the breach — which requires monitoring to detect it.
Quebec Law 25 (Act Modernizing Privacy Legislation, Bill 64) — Quebec's substantially stricter provincial privacy law, administered by the Commission d'accès à l'information (CAI) — requires breach notification within 72 hours of determining that a breach creates a "risk of serious injury." Meeting that 72-hour window requires monitoring to detect the breach promptly, investigation tooling to scope it quickly, and documented incident response to assess the "risk of serious injury" threshold. SIEM addresses all three requirements directly. Law 25 also requires Privacy Impact Assessments for systems involving personal information — SIEM's log retention and access control documentation supports this requirement.
OSFI B-13 (Technology and Cyber Risk Management Guideline, effective January 2024) — The Office of the Superintendent of Financial Institutions' binding guideline for federally regulated financial institutions (FRFIs) explicitly requires a technology risk management framework with continuous monitoring of technology assets and early detection of anomalous activity. SIEM is the standard implementation of this requirement. FRFIs and their material technology service providers should document SIEM coverage as part of their B-13 technology risk governance evidence package.
Cyber insurance (2025–2026 market). Canadian cyber insurers — including Intact, Aviva, Chubb, and AIG — have incorporated specific security control requirements into their application questionnaires and policy conditions since 2022, with standards tightening further in 2025. Common requirements affecting insurability and premium: MFA on all remote access and email (now a near-universal baseline requirement); EDR on all endpoints; documented incident response plan; and security event logging and monitoring. A managed SIEM contract with documented SLAs and monthly monitoring reports is the most robust evidence available for the monitoring control requirement. Some insurers now specifically ask about MTTD and MTTR metrics — which a managed SIEM contract provides contractually. Without documented monitoring, insurers may apply coverage exclusions or deny claims when post-breach investigation reveals the insured had no active monitoring at the time of the incident. See our Law 25 and PIPEDA compliance guide for the full compliance landscape affecting Canadian businesses.
Case study: how a Toronto professional services firm caught a BEC attack in 22 minutes
Context: A 38-employee financial consulting firm in Toronto, managing investment analysis for mid-market clients and handling sensitive client financial data subject to PIPEDA. The firm had Microsoft 365 E3, a Fortinet FortiGate firewall, and SentinelOne deployed on all endpoints. IT was managed by a small outsourced MSP. The firm had no centralized log correlation and no 24/7 monitoring. A cyber insurance renewal questionnaire in Q4 2025 flagged the absence of security monitoring as a high-risk gap, with the insurer indicating that the firm's current coverage limit (CA$1M) might be reduced or premiums increased at renewal without remediation.
The firm engaged a Canadian managed security provider to deploy Microsoft Sentinel with a managed SOC service. Onboarding took three weeks: Microsoft 365 audit logs, Azure AD sign-in logs, SentinelOne telemetry, Fortinet FortiGate syslog, and Active Directory event logs were all connected. Initial deployment generated approximately 1,600 alerts in the first month; after 45 days of tuning, steady-state alert volume settled at 14–22 actionable alerts per week for analyst review.
In week seven post-onboarding, the SIEM fired a correlated alert at 11:47 p.m. on a Tuesday: a senior partner's Microsoft 365 account had authenticated from a Romanian IP address (a geolocation that user had never accessed from in 18 months of Azure AD logs), and within eight minutes, a new inbox forwarding rule had been created that copied all incoming email from a specific domain (a major client's domain) to an external Gmail address. A tier-2 analyst investigated within 14 minutes of the alert — confirmed a true positive, consistent with a BEC pre-positioning attack preparing to intercept an upcoming client wire transfer instruction. The analyst executed pre-authorized containment: the account's sessions were immediately revoked in Microsoft 365, the forwarding rule was deleted, the account password was force-reset, and MFA re-enrollment was required. The attacker's external access was terminated within 22 minutes of initial compromise detection.
The client was notified within the hour with a structured incident summary, a timeline of attacker activity, and a validated remediation checklist (MFA re-enrollment confirmation, review of all active delegations, phishing simulation for the affected user, and Secure Score review). No financial loss occurred. The full incident report was delivered within 48 hours. At cyber insurance renewal three months later, the firm presented the managed SIEM contract, the SLA documentation showing sub-15-minute MTTD, and the incident report as evidence of their monitoring controls — the insurer increased the coverage limit from CA$1M to CA$2M with no premium increase.
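The correlation behind the case-study alert, written out as an added Python example that is not part of the original article or any provider's tooling: an unseen-country sign-in followed within a short window by an inbox rule that forwards mail outside the organization. The records, the per-user country baseline and the flattened field names (`forward_to`, `from_domain`) are constructed simplifications of Entra ID sign-in and Microsoft 365 audit entries, and the 15-minute window is an assumed tuning value.

```python
from datetime import datetime, timedelta

# Constructed sample records, loosely modelled on Entra ID sign-in and
# Microsoft 365 unified audit log fields (flattened; not real tenant data).
SIGNINS = [
    {"time": "2025-11-04T21:30:00Z", "user": "partner@example.ca", "ip": "203.0.113.10", "country": "CA"},
    {"time": "2025-11-04T23:47:00Z", "user": "partner@example.ca", "ip": "198.51.100.77", "country": "RO"},
    {"time": "2025-11-04T23:50:00Z", "user": "analyst@example.ca", "ip": "203.0.113.11", "country": "CA"},
]
AUDIT = [
    {"time": "2025-11-04T23:55:00Z", "user": "partner@example.ca", "op": "New-InboxRule",
     "forward_to": "mailbox@gmail.example", "from_domain": "bigclient.example"},
    {"time": "2025-11-04T23:58:00Z", "user": "analyst@example.ca", "op": "New-InboxRule",
     "forward_to": "analyst@example.ca", "from_domain": ""},  # internal forward: benign
]
# Countries each user has signed in from over the historical window (constructed).
BASELINE = {"partner@example.ca": {"CA", "US"}, "analyst@example.ca": {"CA"}}
INTERNAL_DOMAINS = {"example.ca"}
WINDOW = timedelta(minutes=15)  # assumed: how long after the odd sign-in a rule still counts


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_external(address, internal_domains):
    """True when the forwarding target is outside the organization's own domains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in internal_domains


def unseen_country_signins(signins, baseline):
    """Sign-ins from a country this user has never authenticated from before."""
    return [s for s in signins if s["country"] not in baseline.get(s["user"], set())]


def correlate_bec(signins, audit, baseline, internal_domains, window=WINDOW):
    """Pair each unseen-country sign-in with an external-forwarding inbox rule
    created by the same user inside `window`; each pair becomes one alert."""
    alerts = []
    for s in unseen_country_signins(signins, baseline):
        t0 = parse_time(s["time"])
        for a in audit:
            if a["user"] != s["user"] or a["op"] != "New-InboxRule":
                continue
            t1 = parse_time(a["time"])
            if not (t0 <= t1 <= t0 + window):
                continue
            if not is_external(a["forward_to"], internal_domains):
                continue
            alerts.append({
                "severity": "high",
                "user": s["user"],
                "minutes_between": int((t1 - t0).total_seconds() // 60),
                "sequence": [
                    f"{s['time']} sign-in from {s['ip']} ({s['country']}), never seen for this user",
                    f"{a['time']} New-InboxRule forwarding mail from '{a['from_domain']}' to {a['forward_to']}",
                ],
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate_bec(SIGNINS, AUDIT, BASELINE, INTERNAL_DOMAINS):
        print(f"[{alert['severity'].upper()}] {alert['user']} ({alert['minutes_between']} min apart)")
        for step in alert["sequence"]:
            print("   ", step)
```

The analyst's internal forward and the partner's earlier Canadian sign-in both fall through the filters, which is what keeps this rule from drowning in the benign rule-creation noise the onboarding period produced.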
Frequently asked questions about SIEM
What is SIEM in simple terms?
SIEM — Security Information and Event Management — is a platform that collects log data from every system in your IT environment (firewalls, endpoints, Microsoft 365, servers, cloud workloads) and correlates those logs in real time to detect attack patterns that no single device can see alone. Think of it as a security camera system where every system in your environment is a camera and the SIEM is the monitoring station watching all feeds simultaneously. When it spots suspicious correlated behaviour — a failed-then-successful login followed by a mass file download at 2 a.m. — it fires a single alert for a security analyst to investigate.
Does a small Canadian business actually need SIEM?
Not immediately, for every business. Under 20 employees with no regulated data, focus first on MFA, EDR, and backups. SIEM becomes essential when you handle regulated personal data under PIPEDA or Quebec Law 25, face cyber insurance monitoring requirements, have OSFI or SOC 2 compliance obligations, or have experienced a breach and realized you had zero visibility. The practical answer for most Canadian SMBs: access SIEM through a managed security service rather than deploying it yourself — you get the detection benefit without hiring the analysts to run the platform.
What is the difference between SIEM, SOAR, and XDR?
SIEM aggregates logs and generates alerts — it detects. SOAR automates the response to those alerts — isolating endpoints, blocking IPs, resetting passwords — reducing manual analyst workload for repetitive tasks. XDR integrates endpoint, identity, email, and cloud telemetry in a single vendor platform with built-in response capability; it is tighter than SIEM + individual tools but less flexible for ingesting custom log sources. In practice, a managed security service operates all three together. When evaluating providers, ask which SIEM platform, which SOAR engine, and which EDR/XDR platform sit behind the service.
How much does SIEM cost in Canada in 2026?
Managed SIEM pricing runs CA$1,200–$2,500/month for a small business (up to 50 users) using Microsoft Sentinel with analyst coverage, CA$2,500–$5,000/month for 50–150 users with full compliance reporting. Larger deployments on Splunk Cloud or QRadar run CA$4,500–$9,000/month. DIY Sentinel licensing costs CA$500–$1,500/month for the platform only — but requires adding 2–4 security analysts (CA$300,000–$700,000/year in salaries) for 24/7 coverage. One-time onboarding fees typically range CA$3,000–$15,000. Watch for hidden costs: log ingestion overages, alert tuning labour, custom integrations, and incident response overage rates.
What is the difference between cloud SIEM and on-premises SIEM?
Cloud SIEM (Microsoft Sentinel, Rapid7 InsightIDR, Sumo Logic) runs in a cloud provider's infrastructure — no hardware for you to maintain, scales with data volume, integrates natively with Microsoft 365 and Azure. On-premises SIEM (Splunk Enterprise, IBM QRadar, LogRhythm) runs in your data centre — full data sovereignty, no per-GB costs, but requires hardware, in-house expertise, and manual updates. For most Canadian SMBs, cloud SIEM on Microsoft Azure Canadian regions is the right choice: native M365 integration, Canadian data residency, and the platform operated by the majority of Canadian managed security providers. On-premises suits regulated industries needing air-gapped environments or specific Canadian federal data handling standards.
What log sources should a Canadian SMB connect to SIEM first?
In priority order: (1) Microsoft 365 unified audit logs — covers your primary BEC attack surface; (2) Azure AD / Entra ID sign-in and audit logs — covers credential attacks and impossible travel; (3) EDR telemetry from all endpoints — covers malware execution and ransomware pre-detonation; (4) Firewall and VPN logs — covers network perimeter threats and exfiltration; (5) Active Directory event logs — covers privilege escalation and domain admin abuse. These five sources cover the primary attack vectors documented by the Canadian Centre for Cyber Security for Canadian SMBs. Add DNS query logs and cloud platform logs as a second priority tier.
Does SIEM satisfy PIPEDA or Quebec Law 25 compliance requirements?
Yes, in a meaningful way. PIPEDA's "appropriate safeguards" standard at priv.gc.ca and Quebec Law 25's CAI breach notification requirements both presuppose active monitoring: you cannot report a breach within 72 hours if you have no monitoring to detect it. SIEM provides the detection capability and the documented audit trail that both regulators expect. OSFI B-13, which applies to federally regulated financial institutions, explicitly requires continuous technology monitoring — which SIEM directly satisfies. Canadian cyber insurers increasingly require documented monitoring controls as a precondition for coverage; a managed SIEM contract with monthly monitoring reports is the most robust evidence available for that requirement.
Get a free SIEM readiness assessment
Tell us about your environment — user count, existing tools, compliance drivers — and we will map the right monitoring coverage and realistic CA$ budget within one business day. No sales pressure, no commitment.
