Question:
I. Justify the reasons why an organization turns to a SIEM as a central location to empower a security operations center (SOC) to react and identify various events against their information systems.
II. Describe the process of threat intelligence and why it is a core capability of SIEM systems.
III. Review the needs that a system like this can address for large organizations, which include the following:
• Aggregation of security-related events from across the organization regardless of the source technology.
• Correlation of events with context from external sources, including vendor-specific updates and cooperative industry associations.
• Integration of events from devices, systems, and technologies from disparate sources deployed throughout the organization.
• Detection of known threats when patterns of attack behavior are known.
• Possible detection of emerging threats when analysis is coupled with threat analysis techniques designed into the SIEM system.
• Enabling of ad hoc searches and reporting from recorded events to allow advanced breach analysis during and after incident response and provide support for forensic investigation into breach events.
• Tracking the actions of attackers and allowing sequencing of events to provide an understanding of what happened and when it occurred.
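The needs listed above map onto a small, concrete pipeline: normalize events from disparate sources into one schema, enrich them with external context, match a known attack pattern, support ad hoc search, and sequence what one actor did. The Python below is an added illustration for this question, not code from the textbook or any SIEM product. Every log line, host name, IP address and the "threat intelligence" feed are constructed for the example; the brute-force rule (three failures then a success from one IP within two minutes) is a simplified stand-in for the kind of known-pattern correlation a real SIEM ships with.

```python
"""Toy SIEM pipeline: aggregate, normalize, enrich, correlate, and sequence events.
Added example for the question above; all inputs and indicators are constructed."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample inputs from three disparate sources (not real systems).
SYSLOG_LINES = [
    "2024-05-01T10:00:01Z host1 sshd: Failed password for alice from 203.0.113.7",
    "2024-05-01T10:00:05Z host1 sshd: Failed password for alice from 203.0.113.7",
    "2024-05-01T10:00:09Z host1 sshd: Failed password for alice from 203.0.113.7",
    "2024-05-01T10:00:12Z host1 sshd: Accepted password for alice from 203.0.113.7",
    "2024-05-01T10:05:00Z host2 sshd: Failed password for bob from 198.51.100.4",
]
FIREWALL_CSV = [
    "2024-05-01T09:59:58Z,fw1,203.0.113.7,10.0.0.5,22,allow",
    "2024-05-01T10:01:00Z,fw1,198.51.100.4,10.0.0.6,22,allow",
]
APP_JSON = [
    '{"ts": "2024-05-01T10:00:30Z", "host": "app1", "user": "alice", "ip": "203.0.113.7", "action": "login_ok"}',
]
# Constructed "threat intelligence" feed standing in for an external indicator source.
THREAT_INTEL_IPS = {"203.0.113.7": "known-scanner"}

SYSLOG_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def normalize(syslog, fw_csv, app_json):
    """Map each source's own format onto one common event schema (aggregation + integration)."""
    events = []
    for line in syslog:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, host, outcome, user, ip = m.groups()
        events.append({"ts": parse_ts(ts), "source": "sshd", "host": host, "user": user,
                       "src_ip": ip, "action": "auth_success" if outcome == "Accepted" else "auth_failure"})
    for line in fw_csv:
        ts, host, src, dst, port, verdict = line.split(",")
        events.append({"ts": parse_ts(ts), "source": "firewall", "host": host, "user": None,
                       "src_ip": src, "action": f"fw_{verdict}", "dst": f"{dst}:{port}"})
    for line in app_json:
        rec = json.loads(line)
        events.append({"ts": parse_ts(rec["ts"]), "source": "app", "host": rec["host"],
                       "user": rec["user"], "src_ip": rec["ip"], "action": rec["action"]})
    return sorted(events, key=lambda e: e["ts"])

def enrich(events, intel):
    """Correlate with external context: tag events whose source IP appears on the intel feed."""
    for e in events:
        e["intel"] = intel.get(e["src_ip"])
    return events

def detect_bruteforce(events, threshold=3, window=timedelta(minutes=2)):
    """Known-pattern rule: at least `threshold` failures from one IP, then a success, inside `window`."""
    alerts = []
    by_ip = defaultdict(list)
    for e in events:
        if e["source"] == "sshd":
            by_ip[e["src_ip"]].append(e)
    for ip, evs in by_ip.items():
        failures = []
        for e in evs:
            if e["action"] == "auth_failure":
                failures.append(e["ts"])
            elif e["action"] == "auth_success":
                recent = [t for t in failures if e["ts"] - t <= window]
                if len(recent) >= threshold:
                    alerts.append({"rule": "ssh_bruteforce_success", "src_ip": ip, "user": e["user"],
                                   "first_seen": min(recent), "success_at": e["ts"]})
                failures = []
    return alerts

def search(events, **criteria):
    """Ad hoc search: return events matching every given field/value pair."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]

def timeline(events, src_ip):
    """Sequence everything one source IP touched, across all sources, in time order."""
    return [(e["ts"].isoformat(), e["source"], e["host"], e["action"]) for e in search(events, src_ip=src_ip)]

def run():
    events = enrich(normalize(SYSLOG_LINES, FIREWALL_CSV, APP_JSON), THREAT_INTEL_IPS)
    return events, detect_bruteforce(events)

if __name__ == "__main__":
    events, alerts = run()
    for a in alerts:
        print(a)
    for row in timeline(events, "203.0.113.7"):
        print(row)
```

Running it produces one alert for 203.0.113.7 and a six-step timeline that stitches the firewall allow, the SSH failures and success, and the later application login into one sequence, which is the "what happened and when" view the last bullet describes. Note that the firewall and application records carry no authentication outcome of their own; they become evidence only because normalization gave them the same `src_ip` field as the SSH events.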
IV. Evaluate the essential capabilities of an analytics-driven SIEM system:
• Real-time monitoring.
• Incident response.
• User monitoring.
• Threat intelligence.
• Analytics and threat detection.
Step by Step Answer:
Source: Principles of Information Security, 7th Edition, by Michael E. Whitman and Herbert J. Mattord (ISBN 9780357506431).