
In simple words: CISA’s New SIEM and SOAR Implementation Guidance

In May 2025, CISA dropped new guidance on how to actually implement SIEM and SOAR platforms properly. In this mini-article, we’ll break it down into simple terms to give you the big picture without getting lost in technical details. 

CISA split the guidance into three parts: 

  1. For executives: explains the big picture and why these tools matter
  2. For practitioners: dives deep into technical implementation details
  3. For practitioners: focuses on which logs you should actually care about for your SIEM

In this mini-article we focus on the second part, the practitioner guidance that covers the practical side of implementation.

The hidden concerns

Time and complexity: SIEM and SOAR aren’t “set and forget” solutions. They need constant tuning, skilled personnel, and ongoing maintenance to work effectively. You must establish what normal network activity looks like before these tools can reliably detect threats.

Budget reality: Most SIEM vendors charge based on data ingestion volume, which can escalate quickly. Beyond licensing costs, you’ll need skilled analysts, engineers, and ongoing training. Organizations often experience sticker shock when the total cost of ownership extends far beyond the initial purchase price.

Skills shortage: Success depends on having people who can configure these systems properly, write effective detection rules, and build reliable playbooks. The guidance warns against rushing into automation — human oversight remains essential for complex scenarios.

Why it’s still worth it

Enhancing visibility. SIEM platforms automate log collection and present data in dashboards, making it easier for security teams to see what’s happening across the network.

Enhancing detection. Well-configured SIEM platforms raise swift alerts about unusual network activity and give analysts the context to decide whether a detection is a false positive. Because logs are centralized in the SIEM, they also protect log integrity: an attacker who compromises a host cannot modify or delete the copy already forwarded off that host.

Enhancing response. SIEM platforms provide early alerts that allow organizations to intervene before incidents escalate. They give incident responders the data needed to analyze what happened. SOAR platforms automate routine response actions, letting staff focus on complex problems while matching the speed of automated attacks.

The cherry on top: these tools help you meet requirements like the Essential Eight and CISA’s Cybersecurity Performance Goals.

The Solutions: How to Do It Right

Do SIEM First, SOAR Later

CISA’s advice? Get your SIEM working properly before you even think about SOAR. Makes sense when you think about it — you can’t automate responses to threats if you can’t detect them accurately in the first place.

The guidance suggests looking for SIEM products with a data lake architecture and the ability to correlate data from different sources. Major platforms like Microsoft Sentinel, Palo Alto Cortex XSIAM, SentinelOne Singularity AI SIEM, and CrowdStrike offer these capabilities. For SOAR, focus on building playbooks that actually work in your environment.

Eleven Best Practices

The guidance breaks down eleven key practices covering everything from buying these tools to keeping them running. Here’s what they recommend:

Procurement:

  1. Define your implementation scope clearly
  2. Consider SIEM products with data lake architecture
  3. Look for platforms that can correlate data from multiple sources
  4. Watch out for hidden costs in different products
  5. Invest in training, not just the technology

Establishment: 

  1. Establish a baseline of normal network activity 
  2. Develop standards for log collection 
  3. Integrate the SIEM into your enterprise architecture

Maintenance: 

  1. Regularly evaluate your threat detection effectiveness 
  2. Reduce unnecessary log ingestion through pre-processing 
  3. Test your SIEM and SOAR performance regularly
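
Practice 10 above (reduce unnecessary ingestion through pre-processing) is where the "budget reality" of volume-based pricing gets addressed in practice. The following Python snippet is an added illustration, not code from CISA or from any SIEM vendor: it filters constructed sample events before forwarding, with an allow-list of security-relevant categories that always wins over the drop rules, collapses exact duplicates into one event with a repeat count, and reports the volume saved. The category names and events are hypothetical.

```python
import json
from collections import Counter

# Constructed sample events (JSON lines), not taken from the guidance.
SAMPLE_EVENTS = [
    '{"host":"web01","category":"health_check","msg":"GET /healthz 200"}',
    '{"host":"web01","category":"health_check","msg":"GET /healthz 200"}',
    '{"host":"dc01","category":"auth","outcome":"failure","user":"jdoe"}',
    '{"host":"dc01","category":"auth","outcome":"failure","user":"jdoe"}',
    '{"host":"dc01","category":"auth","outcome":"failure","user":"jdoe"}',
    '{"host":"web01","category":"debug","msg":"cache warm"}',
    '{"host":"dc01","category":"privilege","msg":"jdoe added to Domain Admins"}',
    '{"host":"web01","category":"auth","outcome":"success","user":"svc_backup"}',
]

# Hypothetical category names. The allow-list is checked first so a drop
# rule can never silence a security-relevant event; unknown categories are kept.
ALWAYS_KEEP = {"auth", "privilege"}
DROP = {"health_check", "debug"}

def should_forward(event):
    category = event.get("category")
    if category in ALWAYS_KEEP:
        return True
    if category in DROP:
        return False
    return True  # fail-safe default: keep what you have not classified yet

def preprocess(lines):
    """Drop noise, collapse exact duplicates (keeping a repeat_count), report savings."""
    counts, order = Counter(), []
    for line in lines:
        event = json.loads(line)
        if not should_forward(event):
            continue
        key = json.dumps(event, sort_keys=True)  # canonical form for dedup
        if key not in counts:
            order.append(key)
        counts[key] += 1
    forwarded = [dict(json.loads(k), repeat_count=counts[k]) for k in order]
    in_bytes = sum(len(l) for l in lines)
    out_bytes = sum(len(json.dumps(e, separators=(",", ":"))) for e in forwarded)
    stats = {"in_events": len(lines), "out_events": len(forwarded),
             "bytes_saved_pct": round(100 * (1 - out_bytes / in_bytes), 1)}
    return forwarded, stats

if __name__ == "__main__":
    print(preprocess(SAMPLE_EVENTS)[1])
```

Keeping the repeat count means the three failed logons still reach the SIEM as a single event carrying the count, so a brute-force detection rule loses nothing while ingestion volume drops.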

The main points: test everything with proof-of-concepts, establish baselines of normal activity, and regularly check if your setup actually works through pen testing and red team exercises.

Bottom Line

This guidance finally gives us a realistic roadmap for SIEM and SOAR implementation. If you’re planning to deploy these tools, we strongly recommend reading the full guidance, especially the «best practice principles» section that covers technical implementation details. If you’re trying to improve what you already have, this guidance is also worth your time. It might save you from some expensive mistakes.