Specifications include, but are not limited to: Ease of deployment: Through a robust central logging activity (Splunk), the State has created an environment that allows a relatively easy deployment for a mature SIEM solution. Ideally, the deployment strategy should focus heavily on integrating with this solution to quickly parse and identify unique event sources. Information capture: Although one of our primary objectives is to use our central logging solution to interact the SIEM solution, some event sources may communicate directly with the SIEM solution for reasons such as reducing the volume of logs; some event sources may not need the long-term storage of our central log solution. Considering this, knowing the various methods of collecting information, events and other relevant data is of great importance and prospective solutions should support a wide range of methods in capturing information. Log management and data archiving: As previously stated, the State has a central logging solution. The State is pressing that this solution be used as the primary source for events, however knowing that the SIEM will likely have some event sources report directly to it, the State will need to know the capabilities of the solution to ensure compliance requirements for logging can be met