Here is another approach to assessing which SIEM product is the right one, based on the SOC-CMM model.
There are three main categories to consider:
1-The basic and fundamental features of the SIEM
2-The security analytics requirements
3-The automation and orchestration requirements
The table below lists the topics to consider for a SIEM assessment based on the SOC-CMM model; each KPI gets a score and a weight.
Note: keep in mind that this is a sample and may not cover all of your requirements.
| Areas of check for SIEM assessment | KPI | Score | Weight |
|---|---|---|---|
| Basic/Fundamental features | Aggregation | | |
| | Correlation | | |
| | Custom parsing | | |
| | Threat intelligence integration | | |
| | Subtle event detection | | |
| | Automated alerting | | |
| | Alert acknowledgement | | |
| | Automated threat response | | |
| | Multi-stage correlation | | |
| | Pattern detection | | |
| | Case management system | | |
| | Asset management integration | | |
| | Business context integration | | |
| | Identity context integration | | |
| | Asset context integration | | |
| | Vulnerability context integration | | |
| | Standard rules | | |
| | Custom rules | | |
| | Network model | | |
| | Customized SIEM reports | | |
| | Customized SIEM dashboards | | |
| | Granular access control | | |
| | API integration | | |
| | Secure event transfer | | |
| | Support for multiple event transfer technologies | | |
| Security Analytics | Scalable analytics engine | | |
| | Automated data normalization | | |
| | Pattern-based analysis | | |
| | Integration of security incident management | | |
| | Integration of security monitoring | | |
| | External threat intelligence integration | | |
| | Advanced searching and querying | | |
| | Data visualization techniques | | |
| | Data drilldowns | | |
| | Detailed audit trail of analyst activities | | |
| | Historical activity detection | | |
| | Structured data collection | | |
| | Unstructured data collection | | |
| | User baselines | | |
| | Application baselines | | |
| | Infrastructure baselines | | |
| | Network baselines | | |
| | System baselines | | |
| | Central analysis console | | |
| | Security data warehouse | | |
| | Flexible data architecture | | |
| | Granular access control | | |
| | API integration | | |
| Automation & Orchestration | SIEM integration | | |
| | Threat intelligence integration | | |
| | Asset management integration | | |
| | User management integration | | |
| | Vulnerability management integration | | |
| | Historical event matching | | |
| | Knowledge base integration | | |
| | Risk-based event prioritization | | |
| | Firewall integration | | |
| | IDPS integration | | |
| | Email protection integration | | |
| | Malware protection integration | | |
| | Sandbox integration | | |
| | Active Directory / IAM integration | | |
| | Ticket workflow support | | |
| | Granular access control | | |
| | Performance tracking | | |
| | Runbook support | | |
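To show how the Score and Weight columns turn into a comparable result, here is an added worked scorecard (example code, not part of the original post or of SOC-CMM). It assumes a 0-5 rating per KPI and weights 1-3, uses a subset of the KPIs above with constructed weights, and rates a hypothetical product; it also flags mandatory KPIs that score poorly and KPIs that were never rated.

```python
# Worked scorecard for the SOC-CMM style SIEM checklist above (added example).
# Assumed conventions, none of which the page defines: each KPI is rated 0-5
# (5 = fully met); weight 1 = nice to have, 2 = important, 3 = mandatory.
# The area and KPI names come from the checklist; the subset chosen, the
# weights and the product ratings below are constructed sample data.
SCALE = 5  # assumed maximum rating per KPI

CHECKLIST = {  # area -> {KPI: weight}
    "Basic/Fundamental features": {
        "Aggregation": 3, "Correlation": 3,
        "Custom parsing": 2, "Secure Event Transfer": 3,
    },
    "Security Analytics": {
        "Scalable analytics engine": 2, "User baselines": 1,
        "Advanced searching and querying": 2,
    },
    "Automation & Orchestration": {
        "SIEM Integration": 3, "Runbook support": 1,
        "Risk-based event prioritization": 2,
    },
}

# Constructed ratings for a hypothetical product; "Runbook support" is
# deliberately left out to show how an unassessed KPI is treated.
PRODUCT_A = {
    "Aggregation": 5, "Correlation": 3, "Custom parsing": 3,
    "Secure Event Transfer": 5, "Scalable analytics engine": 4,
    "User baselines": 2, "Advanced searching and querying": 4,
    "SIEM Integration": 5, "Risk-based event prioritization": 2,
}

def weighted(ratings, kpis):
    """(earned, possible) weighted points for one area; an unrated KPI scores 0."""
    earned = sum(min(ratings.get(k, 0), SCALE) * w for k, w in kpis.items())
    return earned, SCALE * sum(kpis.values())

def scorecard(ratings):
    """Percent coverage per area plus an 'Overall' figure across all areas."""
    card, tot_e, tot_p = {}, 0, 0
    for area, kpis in CHECKLIST.items():
        e, p = weighted(ratings, kpis)
        card[area] = round(100.0 * e / p, 1)
        tot_e, tot_p = tot_e + e, tot_p + p
    card["Overall"] = round(100.0 * tot_e / tot_p, 1)
    return card

def gaps(ratings, threshold=3, min_weight=3):
    """Mandatory KPIs rated at or below threshold, plus KPIs never rated (None)."""
    return [(area, k, ratings.get(k)) for area, kpis in CHECKLIST.items()
            for k, w in kpis.items()
            if k not in ratings or (w >= min_weight and ratings[k] <= threshold)]
```

Run `scorecard(PRODUCT_A)` and `gaps(PRODUCT_A)` for each candidate product; the gap list is usually more useful in vendor discussions than the overall percentage.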