MDR · 4 MIN READ · SARAH CRONE · APR 17, 2025 · TAGS: SIEM
TL;DR
- The assumption, historically, is more data equates to better security, which leads to SIEM storage costs growing exponentially
- It’s important to understand what data belongs in a SIEM, and what can be stored elsewhere (like a data lake)
- Learn how Expel MDR can help balance your SIEM data costs with our data lake offering
“Log everything.”
If you’ve been in security long enough, you’ve heard this advice before. In theory, the idea of logging everything seems good. The more data you collect in your SIEM, the better your security outcomes will be. More logs mean more visibility, better detections, and deeper investigations…right?
Not exactly.
In reality, most security teams are drowning in low-fidelity, non-security data they don’t need to store in their SIEM, burning through precious budgets on storage costs and still struggling to detect and respond to real threats. SIEMs were designed to centralize security data, but somewhere along the way, organizations fell into the trap of equating volume with security. The result? More noise, more analyst fatigue, and counterintuitively—more blind spots.
Let’s talk about why this happens and how security leaders can rethink their SIEM strategy to improve security outcomes without getting buried in logs.
The SIEM data deluge: why more isn’t always better
When it comes to a forensic investigation, context is key. You want as much context from as many sources as possible to understand what’s a real threat to your business. Although you want your data to tell you a story, you need to be strategic about which logs to store. Because in practice, collecting everything creates a set of problems:
- Too much noise: SIEMs generate an overwhelming number of alerts, most of which are low-fidelity or irrelevant.
- High storage and ingestion costs: Many SIEMs charge based on data volume, meaning organizations pay massive bills just to store logs they never use.
- More work for analysts: Security teams spend valuable time fine-tuning rules, filtering out false positives, and sifting through alerts instead of responding to threats.
Although a SIEM is a powerful tool in your security tool belt, it’s no surprise that many security teams feel like they’re working for their SIEM, instead of their SIEM working for them.
The problem isn’t just having more data—it’s having too much of the wrong data.
From ‘collect everything’ to ‘collect what matters’
Security leaders are shifting away from the outdated belief that more logs equals better security. Instead, they’re focusing on high-value telemetry that actually improves threat detection.
A smarter approach to SIEM data looks like:
- Prioritizing high-fidelity data sources (cloud control plane logs, EDR, identity events) instead of collecting everything indiscriminately.
- Focusing on real-time detection and response instead of just aggregating logs for compliance.
- Leveraging automation and enrichment to reduce manual triage and help analysts focus on meaningful threats.
What to keep
Instead of hoarding every log, prioritize sources that give you the most context and clarity:
- Cloud control plane logs (like AWS CloudTrail): These show changes to cloud resources and who made them. Retain logs related to IAM role changes or access to sensitive services like storage buckets.
- Identity logs (like Okta, Azure AD): Track authentication events, MFA failures, and privilege escalations—critical for detecting account takeovers.
- Endpoint data (like CrowdStrike): Focus on logs showing malicious activity like malware execution or unusual processes, instead of every file opened or app launched.
- Kubernetes logs: Capture events like container privilege escalations or unauthorized network connections, rather than every pod event.
What to skip
Avoid collecting logs in your SIEM that are too generic or irrelevant for detection, and store this lower-fidelity data in a data lake instead. For example, collecting all network traffic without filtering it to focus on critical assets or abnormal behavior can flood your SIEM with noise. Storing every endpoint event or raw system log without prioritizing suspicious activity causes alert fatigue, and is another example of low-fidelity logging that belongs in a data lake instead of your SIEM.
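The "what to keep" and "what to skip" lists above translate naturally into a routing rule at the ingestion layer. The following is an added illustration, not Expel's code or any product's pipeline: it classifies constructed sample events (loosely shaped like CloudTrail, Okta System Log, EDR and Kubernetes audit records; the field names and thresholds are assumptions) as either SIEM-worthy or data-lake material.

```python
"""Route telemetry to the SIEM (high-fidelity) or a data lake (high-volume)."""
import re

# Constructed sample events for illustration only; field names are assumptions.
SAMPLE_EVENTS = [
    {"source": "cloudtrail", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy"},
    {"source": "cloudtrail", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"source": "cloudtrail", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy"},
    {"source": "okta", "eventType": "user.authentication.auth_via_mfa", "outcome": "FAILURE"},
    {"source": "okta", "eventType": "user.session.start", "outcome": "SUCCESS"},
    {"source": "edr", "event_type": "detection", "severity": "high"},
    {"source": "edr", "event_type": "file_open", "severity": "info"},
    {"source": "k8s_audit", "verb": "create", "resource": "pods", "privileged": True},
    {"source": "k8s_audit", "verb": "get", "resource": "pods", "privileged": False},
]

# CloudTrail: keep IAM mutations and bucket-policy edits; read-only calls go to the lake.
IAM_WRITE = re.compile(r"^(Create|Attach|Put|Delete|Update|Add|Remove)")
S3_SENSITIVE = {"PutBucketPolicy", "PutBucketAcl", "DeleteBucketPolicy"}


def route_event(ev: dict) -> str:
    """Return 'siem' for high-fidelity events and 'lake' for everything else."""
    src = ev.get("source")
    if src == "cloudtrail":
        name, svc = ev.get("eventName", ""), ev.get("eventSource")
        if svc == "iam.amazonaws.com" and IAM_WRITE.match(name):
            return "siem"
        if svc == "s3.amazonaws.com" and name in S3_SENSITIVE:
            return "siem"
        return "lake"  # Describe*/List*/Get* noise is kept, but not in the SIEM
    if src == "okta":
        # MFA failures and privilege grants matter; routine successful logins do not
        if ev.get("outcome") == "FAILURE" or ev.get("eventType") == "user.account.privilege.grant":
            return "siem"
        return "lake"
    if src == "edr":
        return "siem" if ev.get("event_type") == "detection" else "lake"
    if src == "k8s_audit":
        # privileged container creation is a keeper; ordinary pod reads are not
        return "siem" if ev.get("verb") == "create" and ev.get("privileged") else "lake"
    return "lake"  # unknown sources default to the cheaper tier, never dropped


def split_events(events):
    """Partition a batch of events into the two destinations."""
    out = {"siem": [], "lake": []}
    for ev in events:
        out[route_event(ev)].append(ev)
    return out


if __name__ == "__main__":
    buckets = split_events(SAMPLE_EVENTS)
    print(f"siem={len(buckets['siem'])} lake={len(buckets['lake'])}")
```

Note that nothing is discarded: low-fidelity events still land in the lake, so they remain available for forensics and audits without paying SIEM ingestion rates.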
The key is to filter out what doesn’t matter so your team can spend more time investigating real threats—and less time drowning in data.
This is where Expel can help.
How Expel helps solve the data problem
SIEMs are great for aggregating and storing security data, but they require a team of experts to make sense of this data for threat detection, triage, and response. That’s where Expel MDR comes in.
Optimizing SIEM costs
You can leverage Expel’s data lake to store low-fidelity, high-volume data while reducing your SIEM costs. This lets you keep only the necessary logs in your SIEM, reducing ingestion costs while maintaining forensic and compliance capabilities.
Intelligent alert enrichment
Expel MDR stitches together related security signals, reducing noise and providing actionable context so analysts don’t have to piece everything together manually.
Offloading alert triage and response
Instead of spending hours switching context during investigations, security teams can offload triage and investigation to MDR, freeing up time for strategic work. Plus, you’re covered with 24×7 monitoring so your team doesn’t have to stress during holidays and off-hours.
SIEM + MDR = better together
So, does this mean you should break up with your SIEM? Probably not. The best approach isn’t necessarily choosing between a SIEM, data lake, or MDR—it’s using them together effectively.
- SIEM as the data platform: Store logs, perform forensic investigations, and meet compliance needs.
- Data lake for data retention: Keep your non-security data available for audits without the high costs.
- MDR as the detection and response engine: Provide 24×7 monitoring, enrich alerts, and act on real threats.
Instead of pouring more money into storing everything, the smartest teams are investing in the right mix of technology and expertise to protect what matters. Learn more about how Expel can support you, no matter where you are in your SIEM journey.