Security monitoring in Industrial Internet of Things environments requires telemetry that spans Information Technology (IT) and Operational Technology (OT) network layers, yet most public datasets capture only one of these views. We describe a design pattern for hybrid Security Information and Event Management (SIEM) deployments in OT environments (rule-based detection plus edge-deployed machine learning anomaly detection, both writing into a shared index) and validate it on an instance built from Modbus telemetry, a Jetson edge device and the Elastic stack. The pattern is platform-independent: any rule engine that exposes a query language and any edge device with adequate memory headroom can host an instance, and the paper documents the architectural choices that make this portability concrete. The validated instance comprises 27 rules in Kibana Query Language mapped to MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK), plus a CNN-BiLSTM autoencoder on a Jetson Orin Nano that reaches a true positive rate of 1.000 at the 98th-percentile validation threshold and 0.997 at the 99.5th-percentile threshold on a 9997-flow held-out attack partition. Runtime behaviour on the edge hardware is characterised under steady state and adversarial burst, including the queue-wait regime that dominates tail latency. A self-contained calibration step projects rule and model evidence onto a common scale for downstream fusion.
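As an added illustration (not code from the paper), the following Python shows the two evaluation steps the abstract names: choosing the autoencoder threshold as a percentile of benign validation reconstruction error and measuring the true positive rate on a held-out attack partition, followed by a calibration of rule and model evidence onto a common [0, 1] scale. The calibration (empirical percentile for the model, 0..100 risk score scaled down for rules) and the noisy-OR fusion are assumptions, and all sample errors are constructed.

```python
"""Threshold selection, TPR evaluation and evidence calibration for a hybrid SIEM."""
import numpy as np


def percentile_threshold(val_errors, pct):
    # Threshold = pct-th percentile of reconstruction error on benign validation flows
    return float(np.percentile(np.asarray(val_errors, dtype=float), pct))


def true_positive_rate(attack_errors, threshold):
    # Share of held-out attack flows flagged, i.e. error strictly above the threshold
    return float(np.mean(np.asarray(attack_errors, dtype=float) > threshold))


def calibrate_model_score(error, val_errors):
    # Assumed calibration: empirical percentile of this error among benign
    # validation errors, which lands on the common [0, 1] scale
    return float(np.mean(np.asarray(val_errors, dtype=float) <= error))


def calibrate_rule_score(risk_score):
    # Assumption: each rule carries a 0..100 risk score (the range Elastic
    # detection rules use); clamp and scale it onto [0, 1]
    return min(max(risk_score, 0), 100) / 100.0


def fuse(rule_scores, model_score):
    # Assumed fusion: noisy-OR of independent evidence on the common scale
    p_clean = 1.0 - model_score
    for s in rule_scores:
        p_clean *= 1.0 - s
    return 1.0 - p_clean


# Constructed sample data (not from the paper): ten benign validation errors
# and five held-out attack errors, one of which sits just under the 99.5th
# percentile to make the threshold trade-off visible
VAL_ERRORS = [0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 1.0]
ATTACK_ERRORS = [0.5, 0.99, 1.5, 2.0, 3.0]


def evaluate(val_errors=VAL_ERRORS, attack_errors=ATTACK_ERRORS,
             percentiles=(98.0, 99.5)):
    # Returns {percentile: (threshold, tpr)} for each candidate threshold
    result = {}
    for p in percentiles:
        t = percentile_threshold(val_errors, p)
        result[p] = (t, true_positive_rate(attack_errors, t))
    return result


if __name__ == "__main__":
    for p, (t, tpr) in evaluate().items():
        print(f"p{p}: threshold={t:.4f} tpr={tpr:.3f}")
    print("fused:", fuse([calibrate_rule_score(73)],
                         calibrate_model_score(0.95, VAL_ERRORS)))
```

Raising the percentile from 98 to 99.5 trades a lower false alarm budget for the attack flows whose error sits between the two thresholds, which is the same trade-off the abstract's 1.000 versus 0.997 figures reflect.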
Rahmani et al. studied this question.