Open Access Article
An Operational Hybrid SIEM Framework for OT Anomaly Detection †
by Jaafer Rahmani 1,2,*, Salva Daneshgadeh Çakmakçı 3, Kai Oliver Detken 3 and Axel Sikora 1
1 Institute of Reliable Embedded Systems and Communication Electronics (ivESK), Offenburg University of Applied Sciences, 77652 Offenburg, Germany
2 Faculty of Engineering, University of Freiburg, 79110 Freiburg, Germany
3 DECOIT GmbH & Co. KG, 28215 Bremen, Germany
* Author to whom correspondence should be addressed.
† This paper is an extended version of our paper published in: Rahmani, J.; Daneshgadeh Çakmakçı, S.; Detken, K.O.; Sikora, A. A SIEM-Based Framework for Multi-Layer Data Collection and Anomaly Detection in OT-Networks. In Proceedings of the 13th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems (IDAACS 2025), Gliwice, Poland, 4–6 September 2025; pp. 261–266. https://doi.org/10.1109/IDAACS68557.2025.11322203.
Sensors 2026, 26(10), 3155; https://doi.org/10.3390/s26103155 (registering DOI)
Submission received: 20 April 2026 / Revised: 13 May 2026 / Accepted: 14 May 2026 / Published: 16 May 2026
Abstract
Security monitoring in Industrial Internet of Things environments requires telemetry that spans Information Technology (IT) and Operational Technology (OT) network layers, and most public datasets capture only one such view. We describe a design pattern for hybrid Security Information and Event Management (SIEM) deployments in OT environments (rule-based detection plus edge-deployed machine learning anomaly detection writing into a shared index) and validate it on a Modbus/Jetson/Elastic instance. The pattern is platform-independent: any rule engine that exposes a query language and any edge device with adequate memory headroom can host an instance, and the paper documents the architectural choices that make this portability concrete. The validated instance comprises 27 rules in Kibana Query Language mapped to MITRE Adversarial Tactics, Techniques, and Common Knowledge, plus a CNN-BiLSTM autoencoder on a Jetson Orin Nano that reaches a true positive rate of 1.000 at the 98th-percentile validation threshold and 0.997 at the 99.5th-percentile threshold on a 9997-flow held-out attack partition. Runtime behaviour on the edge hardware is characterised under steady state and adversarial burst, including the queue-wait regime that dominates tail latency. A self-contained calibration step projects rule and model evidence onto a common scale for downstream fusion.
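The abstract names two mechanics a practitioner would want to see concretely: choosing the autoencoder's anomaly threshold as a percentile of benign validation reconstruction error (the 98th and 99.5th percentiles above), measuring the true positive rate on a held-out attack partition, and then projecting rule evidence and model evidence onto one scale so both can be fused in a shared index. The following is an added worked example written for this page; it is not the paper's code, and the paper's actual calibration procedure, rule weights and index field names are not given here. The logistic calibration, the severity weights, the noisy-OR fusion, the `ml.*`/`rules.*`/`fused.*` field names and all sample values are assumptions constructed for illustration.

```python
"""
Constructed worked example (not code from the paper): percentile-threshold
selection for an autoencoder anomaly detector, true-positive rate on a held-out
attack partition, and a simple calibration that maps rule hits and model
reconstruction errors onto a common [0, 1] scale for fusion.
"""
import math

# --- constructed sample data ---------------------------------------------
# Reconstruction errors of 200 benign validation flows (hypothetical values,
# monotone so the percentile arithmetic is easy to follow by hand).
VALIDATION_ERRORS = [0.01 + 0.0005 * i for i in range(200)]

# Reconstruction errors of 10 held-out attack flows (hypothetical values;
# a few sit near the threshold to show how the percentile choice matters).
ATTACK_ERRORS = [0.03, 0.12, 0.15, 0.20, 0.30, 0.108, 0.11, 0.50, 0.09, 0.25]

# Hypothetical severity weights for rule hits. The paper's rule set is
# 27 KQL rules mapped to ATT&CK, but no per-rule weights are stated there.
RULE_SEVERITY = {"low": 0.3, "medium": 0.6, "high": 0.9}


def percentile(values, p):
    """Linear-interpolation percentile (same convention as numpy's default)."""
    s = sorted(values)
    if not s:
        raise ValueError("empty sample")
    pos = (p / 100.0) * (len(s) - 1)
    lo = int(math.floor(pos))
    hi = min(lo + 1, len(s) - 1)
    return s[lo] + (s[hi] - s[lo]) * (pos - lo)


def select_threshold(validation_errors, p):
    """Anomaly threshold = p-th percentile of benign validation reconstruction error."""
    return percentile(validation_errors, p)


def true_positive_rate(attack_errors, threshold):
    """Fraction of attack flows whose reconstruction error exceeds the threshold."""
    hits = sum(1 for e in attack_errors if e > threshold)
    return hits / len(attack_errors)


def calibrate_model_score(error, threshold, steepness=4.0):
    """Map reconstruction error onto [0, 1]; exactly 0.5 at the threshold (assumed logistic)."""
    return 1.0 / (1.0 + math.exp(-steepness * (error - threshold) / threshold))


def calibrate_rule_score(fired_rule_severities):
    """Map the fired rules' severities onto [0, 1]: highest severity wins, 0 if none fired."""
    return max((RULE_SEVERITY[s] for s in fired_rule_severities), default=0.0)


def fuse(model_score, rule_score):
    """Noisy-OR fusion: either detector alone can raise the score, neither can lower it."""
    return 1.0 - (1.0 - model_score) * (1.0 - rule_score)


def shared_index_document(flow_id, error, threshold, fired_rule_severities):
    """One record in the shape a shared index could receive (field names are assumptions)."""
    m = calibrate_model_score(error, threshold)
    r = calibrate_rule_score(fired_rule_severities)
    return {
        "flow.id": flow_id,
        "ml.reconstruction_error": error,
        "ml.threshold": threshold,
        "ml.score": round(m, 4),
        "rules.score": r,
        "fused.score": round(fuse(m, r), 4),
    }


if __name__ == "__main__":
    # Compare the two percentile choices named in the abstract on the constructed data.
    for p in (98.0, 99.5):
        thr = select_threshold(VALIDATION_ERRORS, p)
        print(f"p{p}: threshold={thr:.5f} "
              f"TPR={true_positive_rate(ATTACK_ERRORS, thr):.3f}")
    thr98 = select_threshold(VALIDATION_ERRORS, 98.0)
    print(shared_index_document("flow-0001", 0.30, thr98, ["medium"]))
```

On the constructed data the 98th-percentile threshold catches 8 of 10 attack flows and the 99.5th-percentile threshold catches 7, which is the trade-off the abstract's two thresholds express: a higher percentile lowers benign false alarms at the cost of attack flows whose error sits just above the benign envelope. The calibration is deliberately monotone and anchored at the threshold, so a downstream consumer reading `fused.score` from the shared index needs no knowledge of the raw error scale or of which rule fired.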