What SIEM actually does
A SIEM ingests logs from every security-relevant source — endpoints, firewalls, identity, email, cloud workloads, SaaS — and runs correlation rules against them. The output is alerts ranked by likely severity, plus a queryable archive for hunting and forensics. The 'information' half is the log pipeline and retention; the 'event management' half is the correlation, alert triage and case-management workflow on top.
SIEM versus SOAR
SIEM produces alerts; SOAR (Security Orchestration, Automation and Response) acts on them. SOAR runs playbooks — disable the account, isolate the endpoint, block the IP, create the ticket — without a human in the loop. Modern Microsoft Sentinel ships with both: KQL analytics rules for SIEM, Logic Apps playbooks for SOAR. For the Australian mid-market, the practical line is: SIEM for detection, SOAR for the response actions you've decided are safe to automate.
Where Microsoft Sentinel sits
Sentinel is a cloud-native SIEM built on Azure Log Analytics. For Microsoft 365 tenants the Defender XDR connector ingests endpoint, identity, email and cloud-apps signals for free. Sentinel's commercial advantage in Australia is the volume tier model — commitment-tier pricing in AUD that often beats Splunk for similar ingestion volumes once you exclude Defender data. The disadvantage is the KQL expertise it demands: every analytics rule is a KQL query.
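To make the "every analytics rule is a KQL query" point concrete, here is an added example of the kind of correlation rule the text describes, not code from the page or from Microsoft: a scheduled Sentinel analytics rule over the Entra ID SigninLogs table that flags a source IP with many failed sign-ins followed by a successful one (a password-spray or brute-force indicator). The one-hour lookback and the threshold of 10 failures are assumed tuning values, not figures from the page.

```kql
// Added example, not part of the original article.
// Scheduled analytics rule: an IP address with >= failure_threshold failed
// Entra ID sign-ins in the lookback window, followed by a successful sign-in
// from the same IP after the first failure.
let lookback = 1h;              // assumed: match the rule's query period
let failure_threshold = 10;     // assumed: tune to the tenant's baseline
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"   // ResultType "0" is success; anything else failed
    | summarize
        FailedAttempts = count(),
        DistinctUsers  = dcount(UserPrincipalName),
        FirstFailure   = min(TimeGenerated)
      by IPAddress
    | where FailedAttempts >= failure_threshold;
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project IPAddress, SuccessUser = UserPrincipalName, SuccessTime = TimeGenerated;
failures
| join kind=inner successes on IPAddress
| where SuccessTime > FirstFailure          // success came after the failures began
| project IPAddress, FailedAttempts, DistinctUsers, FirstFailure, SuccessUser, SuccessTime
| order by FailedAttempts desc
```

In Sentinel this query is the body of a scheduled rule, with IPAddress and SuccessUser mapped to the IP and Account entities so an incident is created per source IP; the SOAR side is a Logic Apps playbook attached to that rule, which is where an action such as forcing a password reset would be automated only once you have decided it is safe.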