Most organizations I’m involved with used to collect no security log information. This led to them being hacked for long periods of time without their knowledge. This led to most regulatory requirements and compliance laws requiring each covered entity to keep and analyze log files. Unfortunately, organizations went from not collecting anything to collecting and aggregating everything they possibly could. They collected so much information that it slowed down their networks and they had to buy ever bigger event message storage arrays. The best SIEM vendor you can pick is one that understands that less is more.
Source: https://www.csoonline.com/article/3262190/avoiding-security-event-information-overload.html

