Systematic Review of SIEM Integration for Threat Detection and Log Correlation in AWS-Based Infrastructure

The increasing migration of enterprise operations to Amazon Web Services (AWS) has amplified the need for robust, scalable, and intelligent cybersecurity solutions. Security Information and Event Management (SIEM) systems have become vital for detecting threats, correlating logs, and maintaining compliance in cloud environments. This systematic review explores the integration of SIEM tools within AWS-based infrastructures, focusing on their effectiveness in threat detection and log correlation. It examines leading SIEM solutions such as Splunk, IBM QRadar, Sumo Logic, and AWS-native services like Amazon GuardDuty, AWS CloudTrail, and AWS Security Hub. Emphasis is placed on key integration approaches, including API-based ingestion, agentless data capture, and real-time event streaming through AWS services like Kinesis and S3. The review critically analyzes studies published between 2018 and 2023, highlighting trends in the automation of log management, enrichment of security alerts through machine learning, and orchestration via Security Orchestration, Automation, and Response (SOAR) platforms. Challenges such as data normalization, scalability limitations, cross-service visibility, and compliance adherence in multi-account AWS architectures are discussed. The findings indicate that SIEM integration enhances threat detection efficiency by enabling proactive anomaly detection, facilitating rapid incident response, and improving forensic investigation capabilities. However, the review identifies gaps, particularly in cost optimization, handling high-velocity log streams, and adapting traditional SIEM models to dynamic, serverless AWS architectures. Best practices for successful SIEM deployment include leveraging AWS-native integrations, prioritizing event prioritization algorithms, applying continuous tuning, and aligning with security frameworks like NIST and CIS AWS Foundations Benchmark. Future research directions propose the development of AI-driven adaptive SIEM systems tailored for cloud-native environments, advanced correlation engines for serverless and containerized workloads, and strategies to optimize licensing and resource utilization. This systematic review provides cybersecurity practitioners, cloud architects, and researchers with a comprehensive understanding of SIEM integration complexities and evolving practices in AWS infrastructures, ultimately contributing to improved cloud security postures and operational resilience in the face of sophisticated cyber threats.