I found this article, written by Paul Stamp, that talks about using your Security Incident and Event Management (SIEM – sometimes defined as SEIM) system to identify the really important stuff. In his post he states that:
A good SIEM system should be able to analyze all the event data and contextual information it has at its disposal to alert only on that really important event – when a critical vulnerable server is being attacked.
This is, of course, true. You purchase a SIEM solution to assist in the identification of events of interest (EOI) but, contrary to what vendors will tell you, it’s not as simple as plugging their solution into your network and turning on all of the canned rules. Although vendors try their best to create blanket rules that apply to the different types of environments, such as University vs. Enterprise, PCI vs. SCADA, and so on, the truth is that the vendor cannot take all possible scenarios into account when defining their rules. What traffic looks like in one PCI-enforced environment might not be the same as another, or any other for that matter.
No matter what your vendor tells you before you plunk their solution into your network, you need to account for a rigorous tuning exercise as part of your implementation plan. You must also plan for tuning updates at regular intervals throughout the life of the solution to account for change, updates, etc.
As with any solution, take what the vendor says with a grain of salt.