Which function best describes the role of SIEM in real-time cyber defense?

SIEM in real-time cyber defense centers on aggregating logs from diverse sources, correlating events across them, and enabling real-time detection and incident response. By collecting data from firewalls, IDS/IPS, endpoints, servers, and cloud services, SIEM normalizes information and runs correlation rules that reveal multi-step attacks or unusual patterns that individual sources might miss. When a correlation triggers, it generates alerts with rich context, helping analysts investigate and respond quickly. It also preserves historical data for investigations and compliance, but its primary value in real-time defense is turning disparate events into actionable alerts and coordinated responses. The other options describe offline backups, traffic routing, or replacing endpoint security—functions outside the SIEM’s role.