Differentiate SIEM and EDR in security operations relevant to Annex B.

Prepare for the DSAC-11 Annex B Test. Study with our quiz featuring flashcards and multiple-choice questions, each question accompanied by hints and explanations. Get ready to excel!

Multiple Choice

Differentiate SIEM and EDR in security operations relevant to Annex B.

Explanation:
SIEM focuses on centralizing and analyzing logs from many sources to find patterns across the environment, while EDR concentrates on watching each endpoint in real time to detect and respond to suspicious activity on that device. A SIEM collects data from servers, workstations, applications, network devices, and security tools, then uses correlation rules and dashboards to surface alerts for the security team to investigate. An EDR agent runs on endpoints, gathering telemetry like process events, file changes, and network connections, applying behavioral analytics, and taking immediate containment actions when needed. Because they target different layers—global visibility and correlation versus real-time, on-device detection and response—they complement each other rather than replace one another. In practice, EDR data can feed into the SIEM to enhance cross‑domain analysis, while the SIEM provides centralized oversight and context across the organization.

