Key Takeaways
- XDR and SIEM are complementary, not competing. XDR auto-correlates endpoint, identity, email and network telemetry; SIEM ingests everything else and supports custom logic.
- Data quality beats data volume. 50 well-tuned log sources outperform 500 unfiltered ones, and cost 80% less.
- Use cases drive deployment. Start with 10-15 high-confidence detection scenarios; build out from there.
- People are the cost. SIEM licenses are 30-40% of total cost; people (24x7 analysts) are 60-70%. Plan staffing before signing the license.
- MTTD under 1 hour and MTTR under 4 hours are realistic targets for a mature SOC. Most Indian enterprises today operate at MTTD measured in days.
Why XDR and SIEM Matter More in 2026 Than Ever
Indian enterprises face a detection problem, not a prevention problem. Most have invested heavily in firewalls, endpoint protection, email security, and identity protection, yet breaches still happen, and when they do, they go undetected for an average of 200+ days. The gap is not preventive tooling; it is correlation, context, and human response. That is exactly what XDR and SIEM exist to solve.
Extended Detection and Response (XDR) emerged from EDR (endpoint) and expanded to cover identity, email, network, cloud and SaaS, all within a single vendor ecosystem (Microsoft Defender XDR, CrowdStrike Falcon, SentinelOne Singularity, Palo Alto Cortex). XDR's value is auto-correlation: it stitches endpoint, identity, and email signals into a single incident timeline without analyst effort. The trade-off: you're locked into one vendor's telemetry coverage.
Security Information and Event Management (SIEM) is the broader, vendor-agnostic detection platform. Platforms such as Microsoft Sentinel, Splunk Enterprise Security, IBM QRadar, Elastic Security and Sumo Logic ingest data from anywhere, store it for compliance retention, and support custom detection logic. The trade-off: more flexibility, but more engineering work to operate.
In 2026, mature Indian SOCs run both: XDR for endpoint-identity-email correlation, SIEM for everything else (network, cloud, OT, applications, compliance logs). The two integrate; alerts from one flow into the other.
Start With Use Cases, Not Data
The #1 failure mode of SIEM deployments is starting with "send all logs to the SIEM", which generates terabytes of data and massive license costs but no actual detection. The right starting point is a use case catalog: 15-25 specific detection scenarios mapped to your business risk.
Examples of high-value use cases for an Indian enterprise: impossible-travel logins to M365/Google Workspace, mass file deletion in SharePoint or Google Drive, privileged account usage outside business hours, anomalous PowerShell or scripting activity on workstations, abnormal outbound data volume from servers, new domain admin group additions in AD, MFA fatigue patterns, suspicious OAuth app consent, and known-bad threat intel matches.
For each use case, define: what data sources are required, what the detection logic looks like, what the alert threshold is, who responds, what the playbook is. This forces clarity before money is spent.
- Map each use case to MITRE ATT&CK technique IDs
- Define expected alert volume per use case (1/day, 1/week, 1/month)
- Document false positive scenarios and tuning approach upfront
- Tie each use case to a business risk (ransomware, insider threat, account takeover, data exfiltration)
- Build response playbooks before deploying detection
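A worked example of one catalog entry with its detection logic run over sample sign-in records, added here and not part of the original article: the impossible-travel use case from the list above, with its MITRE mapping, data source, threshold and expected alert volume recorded next to the code. The catalog fields, the 900 km/h threshold and the sign-in records are constructed assumptions.

```python
import math
from datetime import datetime
# Catalog entry for one use case from the list above (constructed for this example)
USE_CASE = {
    "name": "Impossible-travel login to M365",
    "mitre": ["T1078"],                        # Valid Accounts
    "data_sources": ["Entra ID sign-in logs"],
    "business_risk": "account takeover",
    "threshold_kmh": 900,                      # faster than a commercial flight
    "expected_volume": "1/week",
}

def haversine_km(lat1, lon1, lat2, lon2):
    # Great-circle distance in km between two (lat, lon) points
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin(math.radians(lat2 - lat1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def detect_impossible_travel(events, threshold_kmh):
    """Alert when two consecutive successful sign-ins by one user imply a travel speed
    above threshold_kmh. Failed sign-ins are ignored; they belong to a spray/brute-force use case."""
    by_user = {}
    for e in events:
        if e["result"] == "success":
            by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hrs = (cur["time"] - prev["time"]).total_seconds() / 3600
            # Same-timestamp sign-ins from distant locations are impossible as well
            speed = km / hrs if hrs > 0 else (math.inf if km > 50 else 0.0)
            if speed > threshold_kmh:
                alerts.append({"user": user, "from": prev["city"], "to": cur["city"],
                               "speed_kmh": round(speed, 1), "mitre": USE_CASE["mitre"]})
    return alerts

def ev(user, ts, city, lat, lon, result="success"):
    return {"user": user, "time": datetime.fromisoformat(ts), "city": city,
            "lat": lat, "lon": lon, "result": result}
SAMPLE_EVENTS = [  # constructed sample sign-ins (not real telemetry); Lagos is a failed attempt
    ev("alice@example.com", "2026-03-02T09:00:00", "Mumbai", 19.076, 72.877),
    ev("alice@example.com", "2026-03-02T12:00:00", "Bengaluru", 12.972, 77.594),
    ev("alice@example.com", "2026-03-02T13:00:00", "Frankfurt", 50.110, 8.682),
    ev("bob@example.com", "2026-03-02T09:00:00", "Delhi", 28.614, 77.209),
    ev("bob@example.com", "2026-03-02T09:30:00", "Lagos", 6.524, 3.379, "failure"),
    ev("bob@example.com", "2026-03-02T10:00:00", "Delhi", 28.614, 77.209),
]
```

Calling `detect_impossible_travel(SAMPLE_EVENTS, USE_CASE["threshold_kmh"])` raises exactly one alert, for the Bengaluru-to-Frankfurt hop; the Mumbai-to-Bengaluru hop stays under the threshold and the failed Lagos attempt never enters the calculation.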
Choosing Data Sources: Quality Over Quantity
Once use cases are defined, work backward to data sources. A solid foundation for most Indian enterprises includes: Windows event logs from all servers and a representative workstation sample, Active Directory authentication and group changes, Office 365 or Google Workspace audit logs, EDR telemetry, firewall traffic logs (denies at minimum), VPN and ZTNA authentication, cloud audit logs (CloudTrail, AzureActivity, Audit Logs), DNS query logs, and a representative selection of application logs.
Notably absent from a solid foundation: every server's full debug log, every load balancer access log, every container stdout stream. These generate huge volume and rarely contribute to detection; they belong in observability tools (Datadog, New Relic, Grafana), not in your SIEM.
Data engineering is real work. Plan for a dedicated detection engineer or hand the work to a managed provider; collecting, parsing, normalizing and enriching log sources is not a side project.
Vendor Selection: Sentinel, Splunk, QRadar, Elastic
Major SIEM options in 2026, by Indian enterprise fit:
- Microsoft Sentinel: Best fit if you are already heavily Microsoft (M365 E5, Azure, Defender XDR). Cloud-native, predictable pricing per GB ingested, deep Microsoft integration. Weaker for non-Microsoft environments.
- Splunk Enterprise Security: The most powerful and most expensive option. Best for large enterprises with dedicated detection engineering teams. Steep learning curve, exceptional flexibility.
- IBM QRadar: Strong in regulated industries (banking, government). Mature compliance content. Less developer-friendly than newer platforms.
- Elastic Security: Open-core option. Lower license cost, higher operational complexity. Good for technically strong teams with budget constraints.
- Sumo Logic / Devo / Exabeam: Cloud-native alternatives with strong UEBA capabilities.
Deployment Phases: A Realistic 12-Month Plan
Phase 1 (months 1-2): Foundation. Deploy the SIEM platform, integrate identity (AD/Entra), connect Windows servers and EDR. Build the first 5-10 detection use cases. Establish alerting and basic incident response process.
Phase 2 (months 3-4): Coverage expansion. Onboard Office 365/Google Workspace, firewall, VPN, cloud audit logs. Expand to 20-30 detection use cases. Begin formal tuning to reduce false positive rate below 30%.
Phase 3 (months 5-8): Maturity. Onboard application logs for business-critical apps, integrate threat intelligence feeds, implement UEBA, build executive dashboards, document playbooks for top 20 alert types.
Phase 4 (months 9-12): Optimization. Reduce MTTD and MTTR through automation (SOAR), retire underperforming detections, expand use case catalog to 40-60 scenarios, conduct purple-team exercises to validate detection efficacy.
Staffing: In-House SOC vs Managed SOC vs Hybrid
A 24x7 in-house SOC requires 8-12 analysts (3 shifts, weekends, leave coverage) plus 2-3 detection engineers and a SOC manager. Total fully-loaded cost in India: INR 2-4 crore per year. For most enterprises under 1,000 employees, this is hard to justify.
Managed SOC services (MDR providers, including our SOC-as-a-Service) typically run INR 30-80 lakh per year depending on scope: substantially less than in-house, with the trade-off of less business context. Hybrid models (in-house tier 1 with external tier 2/3 expertise) work well for enterprises in the 500-2000 employee range.
Whatever model you choose, do not skip the people question. A SIEM with no analysts is just an expensive log warehouse.
Measuring SOC Effectiveness: MTTD, MTTR and Beyond
Mean Time To Detect (MTTD) and Mean Time To Respond (MTTR) are the standard SOC metrics. A mature SOC targets MTTD under 1 hour for high-severity incidents and MTTR under 4 hours. Less mature SOCs operate at days-to-weeks.
Layer additional metrics: alert volume per analyst per shift (target 20-50; anything higher signals alert fatigue), false positive rate (target under 30%), use case coverage of MITRE ATT&CK techniques (target 60%+), and purple team detection rate (the percentage of red-team activity that is detected; target 70%+).
Report these monthly to leadership. SOC effectiveness is measurable; treat it like a business metric.
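An added example, not from the original article, that computes the metrics above from constructed incident and alert records and scores each one against the targets stated on this page. The record formats, the two-analyst shift, the in-scope ATT&CK technique list and all sample values are assumptions; "coverage" is measured against the organization's own in-scope technique list, not the whole ATT&CK matrix.

```python
from datetime import datetime
from statistics import mean

# Targets stated on the page (hours for MTTD/MTTR, ratios otherwise; alert load is a band)
TARGETS = {"mttd_h": 1.0, "mttr_h": 4.0, "fp_rate": 0.30, "alerts_per_analyst_shift": (20, 50),
           "attack_coverage": 0.60, "purple_detection_rate": 0.70}

def hours_between(a, b):
    return (datetime.fromisoformat(b) - datetime.fromisoformat(a)).total_seconds() / 3600

def soc_metrics(incidents, alerts, analysts_per_shift, catalog, in_scope, purple):
    """incidents: high-severity cases with occurred/detected/contained timestamps;
    alerts: {"shift", "disposition": "tp"|"fp"} for one reporting period;
    catalog/in_scope: ATT&CK technique IDs covered by use cases / in scope for the org;
    purple: (technique, detected) pairs from a purple-team exercise."""
    per_shift = {}
    for a in alerts:
        per_shift[a["shift"]] = per_shift.get(a["shift"], 0) + 1
    return {
        "mttd_h": mean(hours_between(i["occurred"], i["detected"]) for i in incidents),
        "mttr_h": mean(hours_between(i["detected"], i["contained"]) for i in incidents),
        "fp_rate": sum(a["disposition"] == "fp" for a in alerts) / len(alerts),
        "alerts_per_analyst_shift": max(per_shift.values()) / analysts_per_shift,  # busiest shift
        "attack_coverage": len(set(catalog) & set(in_scope)) / len(set(in_scope)),
        "purple_detection_rate": sum(1 for _, d in purple if d) / len(purple),
    }

def scorecard(metrics):
    """True where the metric meets the page's target; this is what the monthly report shows."""
    lo, hi = TARGETS["alerts_per_analyst_shift"]
    return {k: (lo <= v <= hi if k == "alerts_per_analyst_shift"
                else v <= TARGETS[k] if k in ("mttd_h", "mttr_h", "fp_rate")
                else v >= TARGETS[k]) for k, v in metrics.items()}

# Constructed sample records for one month (not real SOC data)
INCIDENTS = [
    {"occurred": "2026-03-02T08:00", "detected": "2026-03-02T08:30", "contained": "2026-03-02T11:00"},
    {"occurred": "2026-03-03T20:00", "detected": "2026-03-03T23:00", "contained": "2026-03-04T03:00"},
    {"occurred": "2026-03-09T10:00", "detected": "2026-03-09T10:15", "contained": "2026-03-09T12:15"},
]
ALERTS = ([{"shift": "day", "disposition": "tp"}] * 20 + [{"shift": "day", "disposition": "fp"}] * 10
          + [{"shift": "night", "disposition": "tp"}] * 55 + [{"shift": "night", "disposition": "fp"}] * 15)
CATALOG = ["T1078", "T1110", "T1566", "T1059.001", "T1486", "T1098"]   # techniques with live use cases
IN_SCOPE = CATALOG + ["T1021", "T1048", "T1055", "T1003"]              # techniques the org cares about
PURPLE = [(t, t in CATALOG) for t in IN_SCOPE]                          # 6 of 10 techniques detected
```

With these sample records the scorecard passes MTTR, false positive rate, alert load and coverage, but fails MTTD (1.25 h) and purple-team detection (60%), which is the kind of month-over-month signal the report should surface.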
Frequently Asked Questions
Do we need both XDR and SIEM, or just one?
Small organizations under 200 employees can usually start with XDR alone; modern XDR platforms (Defender XDR, CrowdStrike Falcon, SentinelOne) cover the highest-value detection surface and require less engineering than SIEM. Mid-size and enterprise organizations almost always need both: XDR for endpoint/identity/email correlation, SIEM for network, cloud, OT, applications, and long-term compliance retention.
What is the typical cost of SIEM for an Indian enterprise?
Highly variable based on log volume. Microsoft Sentinel at modest volume (10 GB/day) runs INR 8-15 lakh/year in license alone; Splunk at the same volume can be 2-3x. Plus implementation (INR 15-40 lakh one-time) and staffing or managed services (INR 30 lakh to 4 crore depending on model). Total first-year all-in for a 500-employee enterprise: INR 50 lakh to 1.5 crore.
How long does it take to deploy a SIEM and see value?
Initial value (first detections live, basic alerting working) in 6-10 weeks. Real operational maturity (40+ tuned use cases, MTTD under 2 hours, formal response playbooks) takes 9-12 months. Anyone promising "SIEM in 2 weeks" is selling shelfware.
Is managed SOC reliable for compliance-sensitive industries like banking or healthcare?
Yes, most major Indian banks and healthcare providers use managed SOC providers in some capacity, often co-managed with internal teams. Key requirements: provider must be ISO/IEC 27001:2022 certified, SOC 2 Type II audited, support data residency in India, and offer named analysts rather than anonymous ticket queues. Verify these before signing.
Can we run SIEM ourselves with a small team?
If you have 2-3 dedicated security engineers and pick a manageable platform (Microsoft Sentinel for Microsoft shops, Elastic for technical teams), yes. Below 2 dedicated FTEs, managed SOC is almost always more cost-effective and delivers better outcomes.
How do we measure if our current SOC is effective?
Run a purple team exercise. A red team simulates 20-30 attack techniques across MITRE ATT&CK; track how many your SOC detects, how quickly, and whether the response is appropriate. Healthy SOCs detect 60%+ of techniques within their service hours. Below 40% is a red flag: tooling, tuning, or staffing needs urgent attention.
How does SIEM relate to ISO 27001 and DPDP compliance?
ISO 27001 Annex A.8.15 (logging) and A.8.16 (monitoring) require log collection, monitoring of anomalous behavior, and incident detection, all of which sit squarely in the SIEM remit. DPDP Act breach notification requires the ability to detect personal data incidents within hours, which functionally requires SIEM-grade monitoring. Both frameworks treat SIEM as effectively mandatory at scale.
Build a SOC That Actually Detects
Codesecure runs an ISO/IEC 27001:2022 certified managed SOC operating Microsoft Sentinel, Splunk and Elastic deployments for Indian enterprises. Named analysts, India-based, 24x7. Fixed monthly pricing.

