Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Re: SIEM: More like Monitoring or Anti-Virus?


Awesome response nicole pauls!  I really do like the approach that you guys have taken with the LEM product "instead of writing rules that expose very specific attacks/viruses, write rules that expose threats/patterns of attack".


While I have spent a fair amount of time working with the product I will openly admit to feeling that I have only scratched the surface of its capabilities.  The purpose of my posting here was to sort of think out loud with the idea of inspiring some creative and forward thinking with regard to both SIEM and LEM specifically; considering the lack of replies I am not sure I was very successful at that.

 

We are a service provider and LEM/SIEM combined with our NOC is one of the sets of services that we offer.  What I have found difficult with executives, technical peers, customers and just about everybody is connecting SIEM with reality in a way to show its value.  Unlike other things I have done, SIEM remains too conceptual; when I try and sell people on the idea of SIEM they always agree that it sounds great conceptually but it never seems to make a solid connection to something real for them.  On the flip side, centralized Log Management hits home with just about everybody I talk to; they can directly correlate that to value in the time it saves them to dig through logs.

 

One thought I had was to have a section of thwack called something like (The Weekly Threat) where each week SolarWinds could pick a real threat and show how LEM could help detect and defend against that threat; showing the actual LEM rules used, etc.  Other LEM users could also participate.  I know it may sound silly but it would help connect LEM to something real; showing the actual LEM rule in use to defend against a real known threat.  In addition this might show LEM users different ways of using LEM that they may not have already thought of.

 

Again, this is all just me thinking out loud so take it for what it's worth.  Thanks again for humoring me!

