I’ve spent twenty-plus years in this industry, and a good amount of that time as the senior technical and security operations person relied upon in the businesses I have worked for. My time in IT security has taught me a blunt truth: log noise hides the bad stuff.
I have wrestled with SIEM tools that swallowed terabytes yet missed the breach, and I have seen lean deployments that caught an attacker in minutes. The difference was never the brand-name dashboard; it was disciplined scoping, baselining, and continual tuning. That is what this guide is about.
I’ve stood up Microsoft Sentinel, CrowdStrike Falcon LogScale, Huntress Managed SIEM and Blumira’s cloud SIEM/XDR. Spoiler: they all hoover up logs and raise alerts—that part is easy. The real challenge is deciding what to collect, how long to keep it and how to spot the anomalies that matter. Partners such as Huntress give alltasksIT millions of rows of telemetry filtered through AI rules and round-the-clock analysts, while Blumira layers guided playbooks on top. For fully-outsourced clients, we simply look after the lot; for organisations that want to buy or co-manage a SIEM, this article demystifies the moving pieces so you can make an informed call.
CISA’s new Implementing SIEM and SOAR Platforms: Practitioner Guidance distils how to select, stand-up, and grow these platforms without drowning in data. This blog walks you through that guidance, adds Australian context, and shows where alltasksIT can shorten the learning curve. (media.defense.gov)
A Security Information and Event Management platform collects, centralises, and analyses log data, then flags deviations from a baseline of normal activity. Think of it as the security team’s microscope. (media.defense.gov)
Security Orchestration, Automation, and Response layers playbooks on top of SIEM insight. When the SIEM fires an alert, the SOAR can quarantine a host, disable a user, or open an incident ticket, at machine speed, while analysts tackle the root cause. (media.defense.gov)
This question is an interesting one.
Let’s pretend for a moment you’re a small dental practice of five full-time dentists and five part-time “fly in, fly out” contractors. Your contractors bring in their personal laptops, so you don’t have all your user security controls in place (or, more to the point, your IT provider doesn’t). That’s where you’re going to get compromised. If you end up with a breach, you have to report it. If you don’t have a SIEM, you have no forensics on the who, what, when, why and how of the breach – so do you need a SIEM? Yes. Do you need the most expensive one? No. Huntress or Blumira may be what you need, but you’ll let your IT team take care of it.
If you’re an end customer reading this, just ask your service provider “What are you doing to manage and retain our logs?” Their answer will let you know if they are really upping their security game and if they are the right provider for you.
Now let’s pretend you are a large organisation with a three-person IT team but no dedicated security team. You have a co-managed arrangement with your IT provider, but they aren’t dedicated to security and don’t provide a SIEM. You have complex infrastructure (firewalls, routers, switches and wireless access points across a dozen sites) and you handle sensitive data. Do you need a SIEM? Yes. Will something basic “cut it”? No. CrowdStrike or Microsoft Sentinel is more likely where you’re heading.
SIEM could be considered your last line of defense, or, let’s face it, somewhere to put the forensic data you’ll probably never refer back to. That doesn’t mean it doesn’t add value to your organisation, either directly or via your service provider. The points below are just some of the benefits of having a SIEM in your back pocket.
Up-to-date threat intel and behavioural baselines let a well-tuned SIEM surface Living-off-the-Land tactics before real damage occurs. This relates back to the needle in a haystack problem. If you aren’t collecting everything about everything, then someone hidden inside your network will never be exposed unless they trip up, and the “bad guys” are getting smarter and smarter. A SIEM helps expose things happening on your network that’d otherwise be missed. (media.defense.gov)
SOAR playbooks match attacker speed, cutting dwell time and freeing analysts for complex investigation. Small teams can level-up quickly without adding headcount. If you have a SIEM and it’s an advanced one, the ability for that SIEM and your SOAR platform to orchestrate automated responses will definitely save your bacon. What’s the point of collecting logs if there’s no automated activity behind the platform that shuts down threats as they emerge? (media.defense.gov)
You either need an experienced technology team in your organisation, or a service provider that knows what they are doing. If you’re an end customer without an IT team, these are the challenges your service provider has gone through so you don’t need to. alltasksIT, for example, has met these challenges head on and ensures none of them remain unsolved when we take a customer on. The challenges become our problem, not yours, so you can sleep easy at night.
Normalising diverse log formats – “src_ip” vs “sourceAddress” wrecks correlations.
Coverage gaps – two forgotten domain controllers equal two blind spots.
Centralisation versus analysis – a SIEM is not a cheap data lake.
False negatives / false positives – both kill trust in the tool.
Automated response risk – a mis-fired playbook can knock out production.
Resource intensity – licensing, storage, skilled people, and continuous training all cost. (media.defense.gov)
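The first challenge above, normalising field names so that correlation works, is easiest to see in code. The example below is added here and is not part of the original post or any vendor’s parser: the alias lists, the common schema and the sample records are all constructed for illustration. It maps three log formats that each spell “source IP” differently onto one key, so that one host seen in three places becomes one correlation group rather than three unrelated events.

```python
"""Normalise source-IP and user fields from different log formats into one schema.

Added illustration: the field names, sample records and the common schema are
constructed for this example; they are not a particular vendor's parser.
"""
import ipaddress
from collections import defaultdict

# Vendor-specific field names that all mean "source IP address" (constructed list).
SOURCE_IP_ALIASES = ("src_ip", "sourceAddress", "SourceIp", "client_ip", "IpAddress")
# Field names that all mean "the user involved" (constructed list).
USER_ALIASES = ("user", "UserId", "userPrincipalName", "suser")


def normalise(record: dict) -> dict:
    """Map a raw record onto a common schema: src_ip, user, action."""
    out = {
        "src_ip": None,
        "user": None,
        "action": record.get("action") or record.get("Operation") or record.get("act"),
    }
    for key in SOURCE_IP_ALIASES:
        if key in record:
            try:
                # Validate and canonicalise so "203.0.113.88 " and "203.0.113.88" match.
                out["src_ip"] = str(ipaddress.ip_address(record[key].strip()))
            except ValueError:
                out["src_ip"] = None  # malformed value: keep the record, do not correlate on it
            break
    for key in USER_ALIASES:
        if key in record:
            out["user"] = record[key].lower()  # case-fold so Alice/ALICE/alice are one user
            break
    return out


def correlate_by_source(records):
    """Group normalised events by source IP so that one address seen in three
    different log formats becomes one correlation key."""
    by_ip = defaultdict(list)
    for rec in records:
        norm = normalise(rec)
        if norm["src_ip"]:
            by_ip[norm["src_ip"]].append(norm)
    return dict(by_ip)


# Constructed sample: the same host appears in a firewall log, a CEF-style
# record and a Microsoft 365 audit record, each with its own field name.
SAMPLE_RECORDS = [
    {"src_ip": "203.0.113.88", "user": "Alice", "action": "vpn-connect"},
    {"sourceAddress": "203.0.113.88 ", "suser": "alice", "act": "ssh-login"},
    {"IpAddress": "203.0.113.88", "UserId": "ALICE", "Operation": "UserLoggedIn"},
    {"sourceAddress": "not-an-ip", "suser": "bob", "act": "ssh-login"},
]

if __name__ == "__main__":
    for ip, events in correlate_by_source(SAMPLE_RECORDS).items():
        print(ip, [(e["user"], e["action"]) for e in events])
```

Without the normalisation step, a correlation rule keyed on `src_ip` would see only the first record; the malformed fourth record is kept but deliberately excluded from the correlation key rather than silently becoming a bogus group.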
A perfectly valid approach to SIEM is to go it alone, and this article is designed to help you make that choice: we’ve evaluated a few products in the market for you. Here’s our four-step process, at a high level, to get you started.
Scope a proof-of-concept first.
Favour data-lake architectures to protect raw logs.
Ensure multi-source correlation.
Hunt hidden costs in ingestion and add-on products.
Budget as much for training as for licences. (media.defense.gov)
Baseline business-as-usual traffic before turning on alerts.
Standardise log collection and retention.
Embed the SIEM owner in enterprise architecture governance. (media.defense.gov)
Continuously evaluate detection quality—true positives and true negatives.
Pre-process logs to cut ingest volume.
Run regular attack-simulation tests against MITRE ATT&CK techniques. (media.defense.gov)
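Two of the steps above, baselining business-as-usual activity before alerting and then continuously measuring detection quality, can be shown together. The following is an added example, not code from the original post or from CISA: the sign-in events, users, addresses and ground-truth labels are constructed, and the rule (alert only when a user appears from a never-seen IP outside their usual hours) is deliberately simple so that the scoring step has something to expose.

```python
"""Baseline business-as-usual sign-ins, alert on deviations, then score the
detections against labelled events.

Added illustration with constructed data: user names, IPs and labels are made
up; the scoring is ordinary confusion-matrix arithmetic.
"""
from collections import defaultdict


def build_baseline(events):
    """Learn, per user, the source IPs and hours-of-day seen during the baseline window."""
    baseline = defaultdict(lambda: {"ips": set(), "hours": set()})
    for e in events:
        baseline[e["user"]]["ips"].add(e["src_ip"])
        baseline[e["user"]]["hours"].add(e["hour"])
    return dict(baseline)


def is_anomalous(baseline, event) -> bool:
    """Alert when a user signs in from an IP never seen before AND outside their
    usual hours. Requiring both keeps noise down; either alone would fire on
    every new cafe Wi-Fi or late-night catch-up."""
    b = baseline.get(event["user"])
    if b is None:
        return True  # unknown user: no baseline to compare against, so surface it
    new_ip = event["src_ip"] not in b["ips"]
    odd_hour = event["hour"] not in b["hours"]
    return new_ip and odd_hour


def score(baseline, labelled_events) -> dict:
    """Return TP/FP/TN/FN counts plus precision and recall for the rule."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for e in labelled_events:
        alert = is_anomalous(baseline, e)
        if alert and e["malicious"]:
            counts["tp"] += 1
        elif alert:
            counts["fp"] += 1
        elif e["malicious"]:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    tp, fp, fn = counts["tp"], counts["fp"], counts["fn"]
    counts["precision"] = tp / (tp + fp) if tp + fp else 0.0
    counts["recall"] = tp / (tp + fn) if tp + fn else 0.0
    return counts


# Constructed baseline window: normal office-hours sign-ins, plus bob's home link.
BASELINE_EVENTS = (
    [{"user": "alice", "src_ip": "10.0.0.21", "hour": h} for h in range(8, 18)]
    + [{"user": "bob", "src_ip": "10.0.0.33", "hour": h} for h in range(9, 17)]
    + [{"user": "bob", "src_ip": "198.51.100.7", "hour": 19}]
)

# Constructed test window with hand-labelled ground truth.
TEST_EVENTS = [
    {"user": "alice", "src_ip": "10.0.0.21", "hour": 9, "malicious": False},
    {"user": "alice", "src_ip": "203.0.113.88", "hour": 3, "malicious": True},
    {"user": "bob", "src_ip": "198.51.100.7", "hour": 19, "malicious": False},
    {"user": "bob", "src_ip": "203.0.113.88", "hour": 12, "malicious": True},  # missed: usual hour
    {"user": "bob", "src_ip": "10.0.0.33", "hour": 3, "malicious": False},
    {"user": "carol", "src_ip": "10.0.0.50", "hour": 10, "malicious": False},  # no baseline yet
]

if __name__ == "__main__":
    print(score(build_baseline(BASELINE_EVENTS), TEST_EVENTS))
```

On this data the rule scores one true positive, one false positive (carol, a new starter with no baseline) and one false negative (bob’s account used from a foreign address during working hours), so precision and recall are both 0.5. That is exactly the kind of number the “continuously evaluate detection quality” step is meant to produce: it tells you the rule needs a second signal for daytime access from new addresses, and that onboarding needs to feed the baseline, before anyone trusts it enough to attach an automated response.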
Use the table below as a sense-check: match your log volumes, in-house skills and ecosystem before you sign a long-term licence. Remember, your logs are only as valuable as the anomalies you can reliably catch—and that comes down to scoping, baselining and continuous tuning, whichever platform you choose.
Staff count | Minimum ingest | Ideal ingest
---|---|---
< 50 | 50 GB | 200 GB
50 – 400 | 150 GB | 300 GB
400 – 2 000 | 250 GB | 600 GB
2 000 – 5 000 | 500 GB | 1.5 TB
> 5 000 | 1 TB | 2.5 TB
Source: CISA Practitioner Guidance sizing table. (media.defense.gov)
alltasksIT has seen many customers that pay big money for CrowdStrike (for example) and still get breached. To be clear, we aren’t throwing shade at CrowdStrike; they are world class and their great reputation is deserved, but logs are hard! Log analysis, again, is that needle in the haystack, and threats are forever evolving. Let’s explore a typical log that a SIEM platform would ingest. Do you or your team understand what you are looking at here?
Now let’s look at a typical log that is NOT benign. Can you spot the difference? Maybe, maybe not, but this is one of hundreds of millions of logs that can be generated every single day and you either need to tune your SIEM and own it, or outsource/partner.
Remember, this is just one example of a Microsoft 365 account takeover. What about the hundreds, if not thousands, of other types of attacks that play out through logs?
Token replay flagged – SuspiciousSessionReuse=true and tokenReplayDetected mean a stolen refresh token was reused, a common post-phish tactic to bypass MFA.
Impossible travel/IP drift – the session began on an internal IP, then the refresh came from 203.0.113.88 (public), indicating a geographic or network jump impossible for a legitimate user.
Conditional Access not applied – ConditionalAccessStatus=NotApplied; the session slipped past policy safeguards, so the risky refresh was allowed.
High sign-in risk – RiskLevelDuringSignIn=high yet ResultStatus=Succeeded; Azure AD recognised danger but still granted a token.
Browser fingerprint change – first login via the Outlook client, refresh via Chrome 125.x; the mismatched user agent suggests the attacker is on a different device.
ExternalAccess=true – the refresh originated outside trusted corporate ranges, reinforcing suspicion of compromise.
Unless analysts are trained to correlate these fields—or a 24 × 7 SOC is actively watching—this entry looks like “just another successful token refresh” amid millions of routine logs.
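The correlation the analyst has to do in their head can be written down as a detection rule. The example below is added here and is not part of the original post or of any Microsoft product: the two refresh records are constructed to resemble Entra ID (Azure AD) sign-in entries using the field names cited above, and the trusted address ranges, indicator weights and alert threshold are this example’s own assumptions. It scores a token refresh against the sign-in that started the session, so that the individual “just another successful refresh” fields add up to one alert.

```python
"""Correlate the sign-in fields from the post into a single scored alert.

Added example: the records are constructed to resemble Entra ID / Azure AD
sign-in log entries; trusted ranges, weights and the threshold are assumptions.
"""
import ipaddress

# Assumed corporate ranges; RFC 1918 space stands in for the real ones.
TRUSTED_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
ALERT_THRESHOLD = 50  # assumed: tune against baselined data before relying on it


def truthy(value) -> bool:
    """Log fields arrive as strings ("true"/"false") as often as booleans."""
    return str(value).lower() == "true"


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)


def browser_family(user_agent: str) -> str:
    """Crude family extraction, enough to notice an Outlook-client -> Chrome jump."""
    ua = user_agent.lower()
    for name in ("outlook", "chrome", "firefox", "safari", "edge"):
        if name in ua:
            return name
    return "other"


def score_refresh(initial: dict, refresh: dict) -> dict:
    """Score a token refresh against its originating sign-in. Each finding
    mirrors one indicator listed in the post; the weights are arbitrary."""
    findings = []
    if truthy(refresh.get("SuspiciousSessionReuse")) or truthy(refresh.get("tokenReplayDetected")):
        findings.append(("token_replay", 40))
    if is_trusted(initial["IpAddress"]) and not is_trusted(refresh["IpAddress"]):
        findings.append(("ip_drift_internal_to_public", 20))
    if refresh.get("ConditionalAccessStatus") == "NotApplied":
        findings.append(("conditional_access_not_applied", 15))
    if refresh.get("RiskLevelDuringSignIn") == "high" and refresh.get("ResultStatus") == "Succeeded":
        findings.append(("high_risk_but_succeeded", 20))
    if browser_family(initial["UserAgent"]) != browser_family(refresh["UserAgent"]):
        findings.append(("user_agent_changed", 10))
    if truthy(refresh.get("ExternalAccess")):
        findings.append(("external_access", 5))
    total = sum(weight for _, weight in findings)
    return {"score": total, "findings": [name for name, _ in findings], "alert": total >= ALERT_THRESHOLD}


# Constructed records. The first is the interactive sign-in that opened the session.
INITIAL_SIGNIN = {
    "UserPrincipalName": "user@example.com", "IpAddress": "10.0.0.21",
    "UserAgent": "Microsoft Office Outlook 16.0", "ResultStatus": "Succeeded",
}
# A routine refresh from the same device and network: nothing to see.
BENIGN_REFRESH = {
    "UserPrincipalName": "user@example.com", "IpAddress": "10.0.0.21",
    "UserAgent": "Microsoft Office Outlook 16.0", "ResultStatus": "Succeeded",
    "SuspiciousSessionReuse": "false", "tokenReplayDetected": "false",
    "ConditionalAccessStatus": "Success", "RiskLevelDuringSignIn": "none",
    "ExternalAccess": "false",
}
# The refresh the post describes: every indicator present, yet the token was issued.
SUSPICIOUS_REFRESH = {
    "UserPrincipalName": "user@example.com", "IpAddress": "203.0.113.88",
    "UserAgent": "Mozilla/5.0 Chrome/125.0.0.0", "ResultStatus": "Succeeded",
    "SuspiciousSessionReuse": "true", "tokenReplayDetected": "true",
    "ConditionalAccessStatus": "NotApplied", "RiskLevelDuringSignIn": "high",
    "ExternalAccess": "true",
}

if __name__ == "__main__":
    print("benign:", score_refresh(INITIAL_SIGNIN, BENIGN_REFRESH))
    print("suspicious:", score_refresh(INITIAL_SIGNIN, SUSPICIOUS_REFRESH))
```

The point of the weighting is that no single field carries the alert on its own: a browser change alone is a user opening webmail, and ExternalAccess alone is someone working from home. Only the combination, which is what the analyst in the paragraph above is expected to spot by eye, crosses the threshold. A SOAR playbook attached to this rule would typically revoke the refresh token and require re-authentication rather than disable the account outright, which is the kind of proportionate, reversible action the “automated response risk” challenge argues for.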
So you’re convinced you need something now, but what? alltasksIT has evaluated (and used) every single one of these platforms to help you decide. If you are a small customer of alltasksIT, you’ll fall into the Huntress (or sometimes Blumira) SIEM. We leverage both because they solve slightly different problems and different customers benefit in different ways. If you’re a large customer with an IT department, it’s well worth your while to consider CrowdStrike or Microsoft Sentinel, as you’ll likely need enhanced log retention and capability that goes beyond the small to medium business market’s needs.
Platform | Best suited to… | Key advantages | Things to be mindful of
---|---|---|---
Huntress Managed SIEM | SMEs already running the Huntress agent who want MDR eyes on glass | Smart filtering cuts ingestion costs; 24 × 7 analyst review; seamless tie-in with Huntress EDR (huntress.com, support.huntress.io) | Retention periods and custom parser options still maturing; relies on Huntress ecosystem
Blumira SIEM + XDR | Lean IT teams needing fast, low-touch deployment | Deploys in minutes; automated detection & response; fixed-price model with one-year data retention (blumira.com, info.blumira.com) | Rule set focuses on mainstream stacks—deep tailoring may require extra effort; shorter “hot” retention than some enterprise tools
CrowdStrike Falcon LogScale | Enterprises that already use Falcon EDR and need petabyte-scale, real-time search | Extremely fast search across huge data sets; unified with Falcon agent; cloud native scalability (crowdstrike.com, intezer.com) | Pay-per-GB model can climb quickly; advanced tuning requires Kusto-like syntax knowledge
Microsoft Sentinel | Azure-centric organisations wanting cloud-native SIEM + SOAR | Deep Microsoft 365 connectors, pay-as-you-go pricing, built-in automation with Logic Apps (jit.io, linkedin.com) | Kusto Query Language learning curve; Azure log egress and ingestion costs add up; non-Azure sources may need extra plumbing
Spin up an open-source Logging Made Easy (LME) instance if budget is tight. When the basics are proven, graduate to a commercial SIEM with SOAR bolt-ons and reuse your refined log taxonomy. (github.com, media.defense.gov)
Our analysts run multi-tenant SIEM + SOAR every day, parsing billions of events for customers who must hit Essential Eight targets and ISO 27001 audits. We build the baseline, tune the rules, and craft safe playbooks—then hand your team the keys once the noise is gone.
Book a 60-minute discovery call.
Identify three high-value log sources (e.g., EDR, AD, cloud firewall).
Launch a 30-day proof-of-concept with our engineering support.
Review detection quality and decide whether to automate.
Move from log chaos to actionable intelligence—and make every security pound count.
Chief Customer Officer
Mark Boyd is alltasksIT’s Chief Customer Officer (CCO), a key executive role responsible for overseeing the entire customer experience. The CCO serves as the voice of the customer at the highest levels of the company, ensuring that customer-centric strategies are developed and implemented across all departments.