In our previous articles we talked about logs and log aggregators. The next step is to store incoming logs.
One of the common mistakes made in SIEM structures is to focus on storage size. High-sized storage is important, as well as the speed of accessing this data.
When we look at the popular storage technologies in the market (Example: mysql), we see that it is focused on adding, editing, and deleting data. But our focus is on indexing the data, we do not intend to edit the stored log later. Our purpose is to access data as quickly as possible. For this, WORM (write once read many) based technologies are more suitable to be used in SIEM.
More info about worm once read many: https://en.wikipedia.org/wiki/Write_once_read_many