Many companies need to assess which product is the right Security Information and Event Management (SIEM) tool, since the SIEM is considered the core product of the Security Operations Center (SOC). Below are four main categories of yes/no questions to consider. This approach is the easiest way to assess and find the right SIEM tool.
The four main categories are: 1. User Experience 2. Technical Capabilities 3. Scalability and Performance 4. Cost Efficiency
I share the table below; please feel free to use it, or reach out to me in case you need some support.
Note: Please keep in mind that this is just a sample, and the questions might differ based on your requirements. Also, the yes/no question approach is the easiest way, but it is not the recommended one.
| # | Category | Question |
|---|----------|----------|
| 1 | User Experience | Does the SIEM provide a user-friendly interface? |
| 2 | User Experience | Does the SIEM provide a user-friendly installation process? |
| 3 | User Experience | Is the installation process well documented? |
| 4 | User Experience | Can the SIEM provide contextual information for events? |
| 5 | User Experience | Does the SIEM support customization and personalization? |
| 6 | User Experience | Can the SIEM provide a unified view of security events? |
| 7 | User Experience | Does the SIEM support role-based access control? |
| 8 | User Experience | Can the SIEM provide collaboration features for users? |
| 9 | User Experience | Does the SIEM provide a knowledge base or library? |
| 10 | User Experience | Can the SIEM integrate with incident management tools? |
| 11 | User Experience | Does the SIEM provide a dashboard or reporting tool? |
| 12 | User Experience | Can the SIEM provide a search function with NLP? |
| 13 | User Experience | Does the SIEM support a community of users and experts? |
| 14 | User Experience | Can the SIEM provide training or support resources? |
| 15 | User Experience | Can you easily make your own custom dashboards and search queries based on your needs? |
| 16 | User Experience | Does the SIEM provide asset management mapping for asset properties such as IP address, asset name and other related properties, and associate them with user accounts? |
| 17 | User Experience | Integration with other security controls: Does the SIEM support integration with other enterprise security tools? |
| 18 | User Experience | Threat Intelligence Feed Usage: Does the SIEM support threat intelligence feeds ? |
| 19 | User Experience | Does the SIEM support integration with other TIPs such as MISP or TheHive? |
| 20 | User Experience | Does the SIEM have automated tracking capabilities for MITRE ATT&CK techniques/tactics? (Does it cover more than lateral movement, e.g. command and control, execution, etc.?) |
| 21 | User Experience | Full Coverage of Incident Management Process: Does the SIEM cover the full incident management process? |
| 22 | User Experience | Incident Timeline: Does the SIEM provide a full incident time-line and ability to define custom correlation to show the time-line of an incident based on different data sources? is it easy to understand? |
| 23 | User Experience | Does the SIEM provide incident prioritization? |
| 24 | User Experience | Does the SIEM provide features for tracking changes? |
| 25 | User Experience | Does the SIEM provide profiling system states/assets, and AI/ML-based detection? |
| 26 | User Experience | Does the SIEM provide AI/ML-based detection? |
| 27 | User Experience | Forensics Capabilities: Does the SIEM provide forensics capabilities including working with raw logs, import/export data, and data analysis? |
| 28 | User Experience | Does the SIEM provide compliance reporting for well-known baselines (PCI DSS, HIPAA, etc.)? |
| 29 | User Experience | Is the SIEM able to integrate all types of compliance policies? |
| 30 | User Experience | Does the product come with an inbuilt Incident Management & Workflow System to track the policy violations and exceptions? |
| 31 | User Experience | Does the product use AI techniques to analyze and correlate security incidents? |
| 32 | User Experience | Does the product have the intelligence to correlate logs and provide proactive incident and alert notifications, even before the actual incident happens? |
| 33 | User Experience | Does the product support Investigation & Triage support? |
| 34 | User Experience | Does the product support incident creation & tracking? |
| 35 | User Experience | Is the SIEM documentation good enough to follow and do the required jobs? |
| 36 | User Experience | Is the SIEM architecture clear to understand about different components and connections? |
| 37 | User Experience | Do you find the SIEM features good for threat hunting and investigation? |
| 38 | Technical Capabilities | Does the product collect and normalize logs on premises? |
| 39 | Technical Capabilities | Does the product collect and normalize logs on cloud infrastructure? |
| 40 | Technical Capabilities | Can the SIEM support multiple data sources? |
| 41 | Technical Capabilities | Can the SIEM support multiple deployment models? |
| 42 | Technical Capabilities | Does the SIEM provide advanced threat intelligence? |
| 43 | Technical Capabilities | Can the SIEM integrate with other security technologies? |
| 44 | Technical Capabilities | Does the SIEM provide an open architecture? |
| 45 | Technical Capabilities | Can the SIEM scale horizontally and vertically? |
| 46 | Technical Capabilities | Does the SIEM provide encryption and data masking? |
| 47 | Technical Capabilities | Can the SIEM provide a threat hunting feature? |
| 48 | Technical Capabilities | Does the SIEM support log data compression and optimization? |
| 49 | Technical Capabilities | Can the SIEM provide compliance reporting and auditing? |
| 50 | Technical Capabilities | Does the SIEM provide a roadmap or vision for future capabilities? |
| 51 | Technical Capabilities | Can the SIEM provide a customizable workspace for different users? |
| 52 | Technical Capabilities | Does the SIEM support a wide range of data types and formats? |
| 53 | Technical Capabilities | Can the SIEM support data ingestion and processing at scale? |
| 54 | Technical Capabilities | Does the SIEM provide a wide range of use cases and pre-built content? |
| 55 | Technical Capabilities | Can the SIEM provide a low false positive rate and high true positive rate? |
| 56 | Technical Capabilities | Does the SIEM provide a flexible and robust query language? |
| 57 | Technical Capabilities | Can the SIEM provide deep visibility and correlation of security events? |
| 58 | Technical Capabilities | Does the SIEM provide runbooks for incidents? |
| 59 | Technical Capabilities | Can the SIEM provide detailed analytics and insights? |
| 60 | Technical Capabilities | Does the SIEM detect and display security events for at least the last 30 days? |
| 61 | Technical Capabilities | Does the SIEM provide clear and meaningful data visualization? |
| 62 | Technical Capabilities | Does the SIEM support custom parsing for events that are not parsed natively by the indexing engine? |
| 63 | Technical Capabilities | Are custom parsers supported, and is vendor support available to help build parsers? |
| 64 | Technical Capabilities | Are all common data formats supported by default (CEF, Syslog, etc.)? |
| 65 | Technical Capabilities | Historical Data Usage: Is the SIEM able to use historical data for timelines and correlations related to long-term or slow attacks? |
| 66 | Technical Capabilities | Does the SIEM provide historical data usage with reasonable performance? |
| 67 | Technical Capabilities | Does the SIEM provide log retention in compliance with the customer’s (fidor) log retention policy? |
| 68 | Technical Capabilities | Business Data Processing: Is the SIEM able to process application data (threats to business logic, business fraud, etc.) in case of business need? |
| 69 | Technical Capabilities | Is the SIEM able to do real-time security monitoring and alerting? |
| 70 | Technical Capabilities | Is the SIEM able to do real-time searching? |
| 71 | Technical Capabilities | Data Processing and Trends/Anomalies: Is the SIEM able to process and display trends and anomalies based on our requirements? |
| 72 | Technical Capabilities | Is it easy to customize and fine-tune the trends and anomalies displayed on the SIEM? |
| 73 | Technical Capabilities | Flexible Query Writing: Is the SIEM flexible enough to write queries for analysis on different types of data? |
| 74 | Technical Capabilities | Integration with Other Tools: Does the SIEM support easy integration with other enterprise security controls such as vulnerability scanners and asset inventory/monitoring tools? |
| 75 | Technical Capabilities | API Support: Does the SIEM have API support? |
| 76 | Technical Capabilities | Does the vendor provide well-structured documentation for the API? |
| 77 | Technical Capabilities | Does the product offer log retention? |
| 78 | Technical Capabilities | Does the product offer log rotation? |
| 79 | Technical Capabilities | Does the product offer scheduled search? |
| 80 | Technical Capabilities | Does the product manage log storage and archival? |
| 81 | Technical Capabilities | Can the SIEM automatically assign offenses to analysts? |
| 82 | Technical Capabilities | Can the SIEM assign an SLA time to offenses? |
| 83 | Technical Capabilities | Can you easily build your own dashboards from different types of data sources? |
| 84 | Technical Capabilities | Is the SIEM able to create an incident timeline, or provide a feature for you to do so? |
| 85 | Technical Capabilities | Is the product modular, and able to add more features via new modules (UBA, Correlation Engine, Logger, etc.)? |
| 86 | Scalability and Performance | Can the SIEM handle a significant increase in data volume without adding significant additional resources? |
| 87 | Scalability and Performance | Can the SIEM add additional nodes to a cluster without requiring significant downtime? |
| 88 | Scalability and Performance | Does the SIEM offer load balancing and data distribution across multiple nodes in a cluster? |
| 89 | Scalability and Performance | Can the SIEM operate across multiple regions without significant performance degradation? |
| 90 | Scalability and Performance | Can the SIEM handle large volumes of event and log data without significantly increasing query times? |
| 91 | Scalability and Performance | Does the SIEM provide real-time monitoring and alerting capabilities for high-priority security events? |
| 92 | Scalability and Performance | Can the SIEM perform real-time threat analysis at scale without significant performance degradation? |
| 93 | Scalability and Performance | Does the SIEM provide automated scaling and resource allocation to optimize performance and cost? |
| 94 | Scalability and Performance | Can the SIEM integrate with cloud-based data sources and platforms to enable efficient data ingestion? |
| 95 | Scalability and Performance | Does the SIEM support high availability and fault tolerance to ensure uptime and data integrity? |
| 96 | Scalability and Performance | Does the SIEM offer auto-scaling as a SaaS platform? |
| 97 | Cost Efficiency | Is the SIEM cost-effective compared to other solutions? |
| 98 | Cost Efficiency | Does the SIEM require a lot of resources to run effectively? |
| 99 | Cost Efficiency | Does the SIEM require specialized hardware or software to run? |
| 100 | Cost Efficiency | Is the SIEM licensing model affordable for the organization? |
| 101 | Cost Efficiency | Does the SIEM provide a good return on investment? |
| 102 | Cost Efficiency | Does the SIEM provide a transparent pricing model with no hidden fees or charges? |
| 103 | Cost Efficiency | Can the SIEM provide cost savings by consolidating security event management across multiple systems? |
| 104 | Cost Efficiency | Does the SIEM provide a low total cost of ownership over the long term, taking into account maintenance, support, and upgrade costs? |
| 105 | Cost Efficiency | Can the SIEM provide a fast return on investment by reducing the time and effort required to manage and respond to security incidents? |
| 106 | Cost Efficiency | Does the SIEM provide a flexible deployment model, such as on-premises, cloud-based, or hybrid, to meet different business needs? |
| 107 | Cost Efficiency | Does the SIEM provide a clear and transparent pricing model? |