
SIEM expansion

This service includes the following:

  • Concept, planning, and control of the SIEM expansion.
  • Structured collection of threats, vulnerabilities, attack vectors, information security risks, and IT asset specifications.
  • Threat analysis.
  • Design and assessment of general reaction plans.
  • Use case planning, selection, and implementation.
  • Create runbooks.
  • Integration and adaptation of existing SOC processes.


  • Know current threats to the company.
  • Have implemented use cases that can identify the most significant risks.
  • Have implemented processes for processing the new use case alarms.


The selection of possible SIEM use cases is vast. A company therefore needs to know exactly which SIEM use cases make sense given the threats it actually faces. The use cases should be selected based on risk.

The service scope includes the conception, planning, and control of the SIEM expansion project according to existing specifications and goals. After a structured collection of the threats and attack vectors relevant to the company, security-critical events are derived from them.
Based on these events, the use cases that best cover the identified scenarios are selected. These are compared with the existing use cases so that the same threat is not covered more than once. Once the new use cases to be implemented have been selected, we create an implementation plan that prioritizes them according to their level of risk. In the course of the implementation, missing event sources are connected to the SIEM. The implementation takes place in close coordination with the departments concerned, the works council, and, if applicable, data protection.

Runbooks are created so that the alarms triggered by the use cases can be processed efficiently and in a standardized manner. The runbooks serve as the working process for the L1 analysts in the SOC. Use cases with similar process steps are grouped into the same runbook. In addition to the specific process steps, the runbooks also define escalation levels for handling incidents that have occurred.