FORT MEADE, Md. — The National Security Agency has teamed with Australia’s cyber authority and a broad coalition of allied partners to publish three how-to guides on planning, deploying, and running Security Information and Event Management and Security Orchestration, Automation, and Response platforms. Released May 27 with the Australian Signals Directorate’s Australian Cyber Security Centre, the materials target both decision-makers and front-line defenders as agencies and contractors accelerate zero-trust adoption and modernize security operations.
The guidance distills what SIEM and SOAR are designed to do, how they work together, and where organizations often stumble. SIEM tools centralize and correlate log and event data so analysts can spot malicious behavior that would otherwise be missed. SOAR platforms then use that telemetry to automate and orchestrate responses, tightening feedback loops and reducing dwell time, particularly in zero-trust environments where continuous verification and granular policy enforcement generate vast volumes of signals.
One document, “Implementing SIEM and SOAR Platforms: Executive Guidance,” maps out roles, benefits, risks, and high-level best practices for program leaders. A companion, “Implementing SIEM and SOAR Platforms: Practitioners Guidance,” drills into how the technologies boost visibility, detection, and response, and offers principles for procurement, setup, and ongoing operations. A third, “Priority Logs for SIEM Ingestion: Practitioner Guidance,” provides technical direction on which data sources to prioritize, spanning endpoint detection and response tools, Windows and Linux systems, network gear, and cloud services.
The authoring agencies say the publications are particularly aimed at National Security Systems, the Department of Defense, and the Defense Industrial Base, urging executives, network owners, and defenders in those communities to implement SIEM and SOAR in line with the recommendations to better spot and contain intrusions.
The release carries an unusually broad set of co-seals, reflecting the shared threat picture across allied networks and supply chains. In addition to ASD’s ACSC and NSA, contributors include the Cybersecurity and Infrastructure Security Agency; the Federal Bureau of Investigation; the Canadian Centre for Cyber Security; the United Kingdom’s National Cyber Security Centre; New Zealand’s National Cyber Security Centre; Japan’s National Center of Incident Readiness and Strategy for Cybersecurity and JPCERT; the Republic of Korea’s National Intelligence Service; the Czech Republic’s National Cyber and Information Security Agency; and Singapore’s Cyber Security Agency.
Beyond technology selection, the documents emphasize the operational realities that often derail SIEM/SOAR programs: integrating diverse data sources, tuning detections to reduce noise, managing storage and retention costs, and building playbooks that automate the right actions without introducing new risk. For leaders, the guidance frames governance, staffing, and measurable outcomes; for practitioners, it details build-and-run tasks from onboarding log sources to maintaining content and playbooks.
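The SIEM/SOAR pipeline the article describes (centralize and normalize logs from diverse sources, correlate them into an alert, tune out noise, then hand the alert to a playbook whose automated actions are bounded so they do not create new risk) can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not code from the published guidance or from any SIEM or SOAR product. The log lines, the two log formats, the hostnames, IP addresses, the 4-failure/10-minute threshold and the action names are all constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data) from two different log sources
# that a SIEM would ingest: a Linux sshd log and a Windows logon audit export.
SSHD_LOGS = [
    "2025-05-27T09:00:01Z bastion sshd[812]: Failed password for alice from 203.0.113.9 port 51000 ssh2",
    "2025-05-27T09:00:04Z bastion sshd[812]: Failed password for alice from 203.0.113.9 port 51001 ssh2",
    "2025-05-27T09:00:07Z bastion sshd[812]: Failed password for alice from 203.0.113.9 port 51002 ssh2",
    "2025-05-27T09:00:09Z bastion sshd[812]: Failed password for alice from 203.0.113.9 port 51003 ssh2",
    "2025-05-27T09:00:12Z bastion sshd[812]: Accepted password for alice from 203.0.113.9 port 51004 ssh2",
    "2025-05-27T09:30:00Z bastion sshd[990]: Failed password for root from 10.0.0.50 port 40000 ssh2",
    "2025-05-27T09:30:01Z bastion sshd[990]: Failed password for root from 10.0.0.50 port 40001 ssh2",
    "2025-05-27T09:30:02Z bastion sshd[990]: Failed password for root from 10.0.0.50 port 40002 ssh2",
    "2025-05-27T09:30:03Z bastion sshd[990]: Failed password for root from 10.0.0.50 port 40003 ssh2",
    "2025-05-27T09:30:04Z bastion sshd[990]: Accepted publickey for root from 10.0.0.50 port 40004 ssh2",
]
# timestamp,host,EventID,user,source_ip  (4625 = failed logon, 4624 = successful logon)
WIN_LOGS = [
    "2025-05-27T10:00:00Z,WKS01,4625,bob,198.51.100.7",
    "2025-05-27T10:00:30Z,WKS01,4625,bob,198.51.100.7",
    "2025-05-27T10:20:00Z,WKS01,4624,bob,198.51.100.7",  # success 20 min later: outside the window
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


@dataclass(frozen=True)
class Event:
    """Common schema every source is normalized into before correlation."""
    ts: datetime
    host: str
    src: str
    user: str
    success: bool


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    src: str
    user: str
    failures: int


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_sshd(line):
    m = SSHD_RE.match(line)
    return Event(_ts(m["ts"]), m["host"], m["src"], m["user"], m["outcome"] == "Accepted") if m else None


def parse_windows(line):
    ts, host, event_id, user, src = line.split(",")
    return Event(_ts(ts), host, src, user, event_id == "4624") if event_id in ("4624", "4625") else None


def normalize(sshd_lines, win_lines):
    """Ingest both sources into one time-ordered event stream (the SIEM's job)."""
    events = [e for ln in sshd_lines if (e := parse_sshd(ln))]
    events += [e for ln in win_lines if (e := parse_windows(ln))]
    return sorted(events, key=lambda e: e.ts)


def correlate(events, threshold=4, window=timedelta(minutes=10), allowlist=frozenset()):
    """Detection: >= threshold failed logons from one (src, user) within `window`,
    followed by a success. `allowlist` is the tuning knob that suppresses sources
    known to produce this pattern legitimately (e.g. an authorized scanner)."""
    alerts, recent = [], {}  # recent: (src, user) -> failure timestamps
    for e in sorted(events, key=lambda e: e.ts):
        if e.src in allowlist:
            continue
        key = (e.src, e.user)
        fails = [t for t in recent.get(key, []) if e.ts - t <= window]
        if not e.success:
            fails.append(e.ts)
            recent[key] = fails
            continue
        if len(fails) >= threshold:
            alerts.append(Alert("brute_force_then_success", e.host, e.src, e.user, len(fails)))
        recent[key] = []  # a success closes the sequence either way
    return alerts


def plan_response(alert, critical_hosts):
    """SOAR playbook: low-risk steps run unattended; containment of a critical
    asset is gated on analyst approval so a false positive cannot cause an outage."""
    actions = ["enrich_source_ip:" + alert.src, "open_ticket:" + alert.rule,
               "revoke_sessions:" + alert.user]
    if alert.host in critical_hosts:
        actions.append("request_analyst_approval:isolate_host:" + alert.host)
    else:
        actions.append("isolate_host:" + alert.host)
    return actions


if __name__ == "__main__":
    stream = normalize(SSHD_LOGS, WIN_LOGS)
    for a in correlate(stream, allowlist=frozenset({"10.0.0.50"})):
        print(a, "->", plan_response(a, critical_hosts={"bastion"}))
```

Run as-is, the constructed stream yields exactly one alert (alice from 203.0.113.9): the root sequence from 10.0.0.50 is tuned out by the allowlist, and bob's two failures fall below the threshold and outside the window. Dropping the allowlist makes the scanner fire too, which is the noise problem the guidance warns about; marking `bastion` as critical turns the isolation step into an approval request instead of an automated action.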
The full publications are available on the U.S. Department of Defense website:
– “Implementing SIEM and SOAR Platforms: Executive Guidance”
– “Implementing SIEM and SOAR Platforms: Practitioners Guidance”
– “Priority Logs for SIEM Ingestion: Practitioner Guidance”