Too Long; Didn't Read
I was recently surfing around Anton Chuvakin’s posts on SIEMs and became particularly restless about one particular requirement “tearing them apart”: <a href="https://blogs.gartner.com/anton-chuvakin/2014/07/30/siem-real-time-and-historical-analytics-collide/" target="_blank">real time vs historical analysis</a>. His post from 2014 on the subject gives an excellent overview of the antagonism between these two (scroll down to the table!).