Implementing SIEM and SOAR Platforms

Implementing SIEM and SOAR Platforms: ACSC Guidance & Why XSIAM with RightSec is the Right Fit

The Australian Cyber Security Centre has recently released (27/05/2025) updated guidance to help organisations implement Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platforms effectively. These tools play a critical role in improving system monitoring, reducing incident response times, and supporting compliance with the Australian Signals Directorate’s Information Security Manual and Essential Eight Maturity Model.

Of course, before investing in new security tools, it’s important that the right capabilities are being acquired, and that you’re getting as much ‘bang for your buck’ as you can; this is where Extended Security Intelligence & Automation Management (XSIAM) comes in.

Before we jump into how implementing these platforms can help your organisation, let’s establish some key definitions and look at the takeaways from the ACSC:

SIEM: “A type of software or appliance that collects, centralises, and analyses log data from sources within a network or system. If it is properly implemented, a SIEM platform automates the collection and centralisation of important log data from across a network that would otherwise be scattered, making it easier for a human security team to navigate.”

SOAR: “A platform which detects anomalous activity on a network and automates a response. It applies predefined ‘playbooks’, which combine incident response and business continuity plans to determine automatic actions, supporting actions from incident response providers.”

XSIAM: An AI-driven security operations platform that harnesses the power of AI and automation to radically improve security outcomes and transform security operations. XSIAM reduces risk and operational complexity by consolidating multiple products (EDR, SIEM, SOAR) into a single platform purpose-built for security operations. Using a security-specific data model and applying machine learning, XSIAM automates data integration, analysis, and triage to respond to most alerts, enabling you to focus on incidents that require human intervention.

Why Implement SIEM and SOAR?

A SIEM gathers and analyses security data, giving teams the visibility they need to identify and respond to threats efficiently. SOAR takes it a step further, automating responses, streamlining workflows, and reducing manual workload, allowing security professionals to focus on complex threats instead of repetitive tasks.

Together, these platforms enhance an organisation’s security visibility, automate repetitive tasks, and enable proactive detection and mitigation of cyber threats. With SIEM analysing huge amounts of security data and SOAR orchestrating responses, organisations are equipped with a modern and robust security operations function – improving their security posture, reducing incident response time, and optimising resources – all while ensuring compliance with industry standards and regulatory obligations.

SIEM and SOAR: Strategic Enablement

The ACSC’s Executive Guidance underscores SIEM and SOAR platforms as strategic enablers for cybersecurity, enhancing an organisation’s threat visibility, incident response, and regulatory compliance. Executive ownership is critical; leaders must prioritise investment, skilled personnel, and integration into governance frameworks to ensure success. A phased approach is recommended to minimise risk while optimising outcomes, with clear objectives aligned to business needs, such as reducing response times and improving automation.

Additionally, executives must address hidden costs, vendor lock-in risks, and the ongoing need for continuous tuning and improvement. Measuring success through key security metrics ensures that SIEM/SOAR implementation remains effective and adaptable to evolving threats. Ultimately, cybersecurity must be seen as a business risk rather than just an IT concern, requiring leadership commitment to drive long-term resilience.

ACSC Recommendations:

Key SIEM/SOAR Platform Capabilities

When going to the market for a SIEM/SOAR platform, organisations should ensure that the following capabilities can be delivered:

  • Centralised Logging
    Organisations should establish a centralised event logging facility (e.g., a secure data lake), capable of aggregating logs and forwarding them to analysis platforms like SIEM and Extended Detection and Response (XDR) systems.
  • High-Quality Log Capture
    Logs should provide rich, actionable insights, including read/write operations, administrative changes, and authentication events, to support thorough threat detection and forensic investigations.
  • Automated Log Normalisation
    To ensure consistency across various log sources, organisations are encouraged to implement automated log normalisation processes. This improves the ability to search, correlate, and triage logs efficiently.
  • Integrated SIEM and SOAR Use
    Integration between SIEM and SOAR platforms is recommended to enable real-time detection and response capabilities, automating remediation and streamlining analyst workflows.

Implementation Best Practice Principles

The ACSC has identified 11 best practice principles (BPPs) to follow when implementing SIEM/SOAR platforms across the three implementation stages. Practitioners who ensure these BPPs are met can have confidence that their platform is optimised and operating effectively:

Procurement

  1. Define the scope of implementation for your organisation.
  2. Consider a SIEM product with a data lake architecture.
  3. Consider a SIEM product that can correlate data from multiple sources.
  4. Look for the hidden costs of different products.
  5. Invest in the training, not just the technology.

Establishment

  1. Establish a baseline of business-as-usual activity on the network.
  2. Develop a standard for the collection of logs.
  3. Incorporate the SIEM into your organisation’s enterprise architecture.

Maintenance

  1. Evaluate threat detection.
  2. Reduce log ingestion through pre-processing.
  3. Test your SIEM and/or SOAR’s performance.
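The capability list above (centralised logging, automated log normalisation, cross-source correlation) and the maintenance principle of reducing ingestion through pre-processing are illustrated by the following added example; it is not code from the ACSC guidance, Palo Alto Networks or RightSec. It filters a constructed feed of sshd syslog lines and Windows-style JSON logon events for known noise, maps both formats to one schema, and correlates failed logons per source IP across hosts and log sources. All hostnames, usernames, addresses and log lines are constructed sample data.

```python
import json
import re
from collections import defaultdict

# Constructed sample feed (not real data): Linux sshd syslog lines and
# Windows-style JSON logon events, plus a noisy cron line to be dropped.
SAMPLE_FEED = [
    "May 27 10:15:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "May 27 10:15:03 web01 CRON[2230]: pam_unix(cron:session): session opened for user root",
    "May 27 10:15:04 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2",
    '{"TimeCreated": "2025-05-27T10:15:05Z", "Computer": "dc01", "EventID": 4625, "TargetUserName": "admin", "IpAddress": "203.0.113.7"}',
    "May 27 10:15:06 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51140 ssh2",
    "May 27 10:15:09 web01 sshd[2250]: Accepted publickey for deploy from 198.51.100.5 port 40022 ssh2",
    '{"TimeCreated": "2025-05-27T10:15:10Z", "Computer": "dc01", "EventID": 4624, "TargetUserName": "jsmith", "IpAddress": "198.51.100.5"}',
]
# Pre-processing: patterns known to carry no detection value are dropped before ingestion.
NOISE = re.compile(r"CRON\[\d+\]: pam_unix\(cron:session\)")
SSHD = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
                  r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
WIN_LOGON = {4624: "success", 4625: "failure"}  # Windows logon event IDs


def normalise(line):
    """Map one raw line to the common schema, or return None to drop it."""
    if NOISE.search(line):
        return None
    m = SSHD.match(line)
    if m:
        return {"ts": m["ts"], "host": m["host"], "source": "sshd", "user": m["user"],
                "src_ip": m["ip"], "outcome": "failure" if m["result"] == "Failed" else "success"}
    if line.startswith("{"):
        ev = json.loads(line)
        if ev.get("EventID") in WIN_LOGON:
            return {"ts": ev["TimeCreated"], "host": ev["Computer"], "source": "windows",
                    "user": ev["TargetUserName"], "src_ip": ev["IpAddress"],
                    "outcome": WIN_LOGON[ev["EventID"]]}
    return None  # unknown format; a production pipeline would route this to a parse-failure queue


def correlate(events, threshold=3):
    """Alert on source IPs with at least `threshold` failed logons across any host or log source."""
    failures = defaultdict(list)
    for ev in events:
        if ev["outcome"] == "failure":
            failures[ev["src_ip"]].append(ev)
    return {ip: {"count": len(evs), "hosts": sorted({e["host"] for e in evs}),
                 "sources": sorted({e["source"] for e in evs})}
            for ip, evs in failures.items() if len(evs) >= threshold}


def run(feed=SAMPLE_FEED, threshold=3):
    """Normalise the feed, drop noise, and return (kept events, alerts)."""
    events = [e for e in map(normalise, feed) if e is not None]
    return events, correlate(events, threshold)
```

Because both formats share one schema, the single `correlate` rule sees the four failures from 203.0.113.7 as one pattern spanning web01 and dc01, which neither source would reveal on its own.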

How Palo Alto Networks’ XSIAM Delivers

Palo Alto Networks’ Cortex XSIAM offers several enhancements over traditional SIEM and SOAR platforms. XSIAM extends SIEM functionality by incorporating advanced features and threat intelligence, ultimately reducing analyst time and improving response. Its compatibility with other PAN tools and third-party security solutions makes it the ideal solution to provide a comprehensive security posture. Cortex XSIAM is purpose-built to modernise SOC operations, and delivers on the ACSC’s recommendations for SIEM and SOAR platforms through the following capabilities:

  • Unified Data Ingestion & Normalisation (BPP10)
    Ingests, normalises, and analyses structured and unstructured data at scale — meeting ACSC’s requirement for quality log management.
  • AI-Driven Analytics (BPP9)
    Detects complex threats with behavioural analytics and machine learning, including zero-day attacks and insider threats.
  • Data Lake Architecture (BPP2)
    PAN’s XSIAM leverages the data within Cortex Data Lake – its foundational component – to automate threat detection, analysis, and response. (PAN was the first major security vendor to tightly integrate a native security data lake with its own XDR platform, and evolve that into a modern SIEM/SOC platform: XSIAM.)
  • Platform Convergence (BPP3)
    Centralises data and SOC capabilities (XDR, SOAR, ASM, SIEM – all built into XSIAM) into one platform, streamlining security operations and removing the need for multiple platforms.
  • SOAR Automation
    Executes automated playbooks and workflows for alert triage, response actions, and cross-platform enforcement, in line with real-time remediation needs.
  • BAU Baseline (BPP6)
    Builds a baseline understanding of the environment and provides critical insights (performed by PAN’s Cortex Analytics Engine, part of Cortex XSIAM).
  • Compliance & Visibility
    Supports policy-based controls, audit trails, and dashboards aligned with ISM and other regulatory requirements.
  • Return on Investment (BPP4)
    Reduces the need for multiple tools and manual processes, lowering operational costs and improving analyst efficiency.

Why Partner with RightSec?

RightSec stays up-to-date with updates to cyber frameworks, legislation, and guidance from industry authorities such as the ACSC, and supports organisations with adopting new requirements efficiently. After reading the new SIEM and SOAR implementation guidelines, it was clear that PAN’s Cortex XSIAM fits the bill; the RightSec team are confident that we have the skills and the know-how to support you on your implementation journey. Here are just a few ways that RightSec can deliver on the implementation guidelines and add value to your organisation:

  • Scoping & Onboarding (BPP1)
    Tailored assessments and structured implementation planning, defining High-level Design and As-built documentation.
  • Deployment & Tuning (BPP6)
    Project Management, phased approach, fast-tracking of configuration and fine-tuning for government and critical infrastructure environments.
  • 24/7 Monitoring & Incident Response (BPP11)
    Continuous protection and proactive threat hunting, constant monitoring of platform performance.
  • Playbook Creation
    Custom SOAR automation designed for your environment.
  • Systems Integration (BPP8)
    Linking XSIAM with vulnerability management, ITSM, identity platforms, firewalls, and more.
  • Training (BPP5)
    Upskilling your internal teams to understand and operate XSIAM effectively.
  • Monthly Reporting & Meetings
    Detailed metrics, security posture tracking, and executive-level briefings.

RightSec is an Australian Cyber Security Advisory firm with a strong strategic arm, also delivering Offensive and Defensive services (we are an MSSP and MDR provider with deep expertise in XSIAM deployment, management, and customisation). We stay up-to-date with the latest requirements from cyber frameworks, legislation, and guidance from industry authorities such as the ACSC. We are amongst the first companies in APAC to have operationalised a modern SOC on XSIAM. Our decision to choose and endorse Cortex XDR and XSIAM is the result of careful consideration, following a comprehensive evaluation of compliance, visibility, and resilience needs.

By following the ACSC’s SIEM and SOAR platform implementation guidance with the advanced capabilities of PAN Cortex XSIAM, and leveraging RightSec’s strategic understanding and deep operational expertise, your organisation can modernise its SOC, reduce risk exposure, and achieve greater resilience. Reach out today to start your modern SOC transformation!


Virginia Calegare - Co-author

Founding Director

Tahlia Castles - Co-author

Senior Cyber Security Consultant