Not all SIEM systems are created equal, and ideally, you'll pick one that has the strengths you need, at a price you can be happy with. But what strengths do you really need? We have a kind of SIEM requirements checklist for that. 

• Asset integration capabilities: Can the SIEM solution easily identify the types of assets you have and tie their data logs together easily?

• Rule customization: Does it let you define specific detection rules? Keep in mind, your team will still need to know what events and event frequencies the SIEM solution needs to detect. 

• Network scanning options: Does the SIEM platform support both passive and active scanning for comprehensive visibility? Passive scanning is non-intrusive, but active scanning is crucial to getting a real-time picture. 

No matter what, make sure you choose a solution that does what you need it to do, without sacrificing security outcomes.

There are three primary types of detection in modern SIEM systems:

• Correlation rules: For example, three failed password attempts in five minutes.

• Behavior-based rules: Observing user patterns over time. 

• Anomaly-based alerts: Focused on identifying unusual system or application errors.

Note that each type of rule will require different actions on the part of your SIEM and your security team. 

In this sense, SIEM solutions are divided in terms of where most of the “work” is done. The types are:

• Managed SIEM: Where a remote, third-party team oversees your SIEM functions and alerts. We’ll say it again, this is Huntress. 

• Cloud-based SIEM, or SIEM as a Service: This is fast and scalable, but very hands-off and requires strong trust in your vendor. 

• On-premise SIEM: This is the traditional SIEM solution where the system exists and is managed on your premises. It’s simple and secure, but can be expensive.

Finally, we have the context required to make an SIEM audit checklist meaningful. SIEM audits are vital processes that make sure your SIEM solution is working as intended, and its configuration still meets your organization's security needs. Many organizations run through a checklist like this annually or even several times a year. 

Your SIEM audit checklist should be tailored to your industry, niche, and the way you do business. But a good place to start might look like the following:

1. Log source inventory

Take a look at the various logs that are feeding into your SIEM system, and make sure they’re all relevant. More importantly, make sure none are missing.

2. Retention and integrity verification

Make sure your SIEM system is retaining all of the logs you need for forensic analysis and compliance purposes. Also, make sure it’s retaining them in an intact, useful manner.

3. Rule coverage

The rules your SIEM uses must be aligned with your actual security needs. They must also be specific, narrowly defined, and contextual. Expect to redefine them often. 

4. Alert review and false-positive rates

This can be crucial. Too high a false positive rate, and you need to reassess your rules. But if the false positive rate is too low, you might be missing too many real threats.

5. Response time metrics

The choice of KPIs is crucial as well. We suggest starting with MTTD (Mean Time To Detect). The shorter your MTTD, the better. 

6. Access and privilege controls

Audit who has access to your SIEM system and review their permissions. Make sure the principle of least privilege is enforced, multi-factor authentication (MFA) is enabled, and role-based access controls are in place to limit potential misuse or accidental exposure.

7. Compliance mapping

Confirm that your SIEM alerts and reports map to relevant regulatory frameworks, like PCI, CMMC, HIPAA, or GDPR. Make sure that auditors can quickly and easily extract the required evidence to demonstrate compliance.

8. System health and maintenance

Audit patching, software updates, and performance baselines to maintain your SIEM system. Check storage use, indexing performance, and other operational metrics to prevent downtime or degraded SIEM performance.

9. Documentation and evidence storage

Just how long your SIEM retains logs and security event data is important to its forensic use as well as for compliance purposes. Ideally, this data should be divided into different classes, each with its own retention policies.

Huntress Managed SIEM combines top-notch threat detection with built-in compliance support. But even better, we can create a custom SIEM audit checklist bespoke to your organization and provide ongoing audits and reports of the effectiveness of the product. Try our free demo and see what our Managed SIEM platform can do for your organization.