Some years ago, during the renaissance of security information and event management (SIEM), security became log crazy. The hope was that by gathering logs from networking and security devices and running them through the SIEM, security events could be astutely exposed and security teams could gain an upper hand over attackers. The enthusiasm was soon dashed when it was obvious that logs alone were not the answer. In the first place, not everything was covered by logs and security details that were being captured could be manipulated easily as an attacker attempted to cover their tracks. Second, it’s one thing to aggregate logs but another to integrate the findings to produce true intelligence, particularly that which could easily stand apart from false positives.