Sound Practice in Intrusion Detection & Prevention
As part of an extensive look at intrusion detection and prevention, this Resource provides considerable guidance on the importance and role of SIEM. From the Resource: “A SIEM is responsible for the overall examination of information and activity on a network, to spot anomalies and larger threat patterns, or ‘incidents.’ Incidents may be thought of as ‘meta-events’ – events that are built out of multiple smaller events, flows, and logs. A SIEM is only as valuable as the data that it manages, however. For this reason, IPS policies should establish robust notification when communicating with a SIEM; i.e., while you may not want to be personally notified of every event that occurs, it is important that as much data as possible be sent to the SIEM. The SIEM becomes responsible for filtering false positives, while retaining a rich knowledge-base from which to observe larger incidents.”
Link to Resource: Sound Practice in Intrusion Detection & Prevention
Source: Michael Leland and Eric Knapp, SANS Institute
SIM Resource Guide Section: Security Information Management Best Practices
Posted: October 21st, 2009