Specifications include, but are not limited to:

2.4.1 Collect, Aggregate, & Normalize

The SIEM solution set must be able to collect data from disparate log sources, and aggregate and normalize those logs for all JIS data sources. JIS data sources include, but are not limited to:

• Network traffic & network flows
• Active Directory
• Application-specific logs
• Database logs
• Security infrastructure logs (e.g. firewall)

2.4.2 Forensic Analysis

Contractor must provide details on how the SIEM solution set meets the following forensic analysis capabilities:

• Custom querying
• Data drill-down
• Data export of relevant forensic analysis data with data preservation
• Parsing of IAM and application data
• Support for ad hoc queries for incident investigation, with the ability to query both normalized data and the original data collected
• Event session reconstruction to present the raw data in an understandable way

2.4.3 Maintain/Retain Data and Control Access to Said Data

The SIEM data must be maintained and controlled. Data management and security capabilities inherent within your service solution should address at least:

• Role-based access control to the solution as a whole.
• Encryption of all data within remote collectors/aggregators/analyzers, where such devices are part of your solution.
• Ability to retain logs, events, and access notifications for the period of one (1) year.
• Where and how data is stored (e.g. on-prem vs. cloud) and how the data is archived (e.g. compression).
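To make the "collect, aggregate, and normalize" requirement (2.4.1) and the "query both normalized data and original data" and one-year retention requirements (2.4.2, 2.4.3) concrete, the following added example sketches what a normalizer does. It is illustration written for this page, not code from any vendor's SIEM; the three sample log lines, the common field schema, the source names and every function name are constructed assumptions. It parses a firewall syslog line, an Active Directory logon event and a database audit record into one schema, keeps the raw line alongside each normalized record so investigators can query either view, and flags records older than the retention window.

```python
"""Toy log normalizer: disparate sources -> one schema, raw line preserved.

Everything here (sample lines, schema, source names) is constructed for
illustration and is not a real SIEM's data model.
"""
import re
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed sample events: (source, raw line). Not from any real system.
RAW_EVENTS: List[Tuple[str, str]] = [
    ("firewall", "Jan 14 10:02:11 fw01 kernel: DENY IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389"),
    ("active_directory", "2024-01-14T10:02:15Z EventID=4625 Account=jdoe Workstation=WS-17 SourceIP=192.0.2.55 Status=0xC000006A"),
    ("database", "2024-01-14 10:02:20 UTC [audit] user=app_ro host=192.0.2.40 action=LOGIN result=FAILURE db=orders"),
]

@dataclass
class NormalizedEvent:
    timestamp: str           # ISO-8601 in UTC, whatever the source's native format
    source: str              # which JIS data source produced the record
    event_type: str          # shared vocabulary across sources (assumed names)
    src_ip: Optional[str]
    dst_ip: Optional[str]
    user: Optional[str]
    outcome: str             # "success" | "failure" | "blocked"
    raw: str                 # original line kept verbatim for drill-down/export

FW_RE = re.compile(r"^(?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ kernel: "
                   r"(?P<action>\w+) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+)")
AD_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<id>\d+) Account=(?P<user>\S+) .*SourceIP=(?P<src>\S+)")
DB_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) UTC \[audit\] user=(?P<user>\S+) host=(?P<src>\S+) "
                   r"action=(?P<action>\w+) result=(?P<result>\w+)")

# Windows logon event IDs mapped to the shared vocabulary (4624/4625 are real IDs).
AD_EVENT_TYPES = {"4624": "auth_success", "4625": "auth_failure"}

def parse_firewall(line: str, year: int = 2024) -> Optional[NormalizedEvent]:
    """Traditional syslog carries no year; a real collector would take it from its own clock."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    blocked = m["action"] == "DENY"
    return NormalizedEvent(ts.replace(tzinfo=timezone.utc).isoformat(), "firewall",
                           "network_deny" if blocked else "network_allow",
                           m["src"], m["dst"], None, "blocked" if blocked else "success", line)

def parse_ad(line: str) -> Optional[NormalizedEvent]:
    m = AD_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    etype = AD_EVENT_TYPES.get(m["id"], "windows_event_" + m["id"])
    return NormalizedEvent(ts.isoformat(), "active_directory", etype, m["src"], None, m["user"],
                           "failure" if etype == "auth_failure" else "success", line)

def parse_db(line: str) -> Optional[NormalizedEvent]:
    m = DB_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return NormalizedEvent(ts.isoformat(), "database", "db_" + m["action"].lower(), m["src"], None,
                           m["user"], "failure" if m["result"].upper() == "FAILURE" else "success", line)

PARSERS = {"firewall": parse_firewall, "active_directory": parse_ad, "database": parse_db}

def normalize(source: str, line: str) -> Optional[NormalizedEvent]:
    """Dispatch a raw line to its source's parser; None when no parser accepts it."""
    parser = PARSERS.get(source)
    return parser(line) if parser else None

def aggregate(raw_events: List[Tuple[str, str]]) -> List[NormalizedEvent]:
    """Collect every (source, line) pair into one list of normalized records."""
    return [ev for source, line in raw_events if (ev := normalize(source, line)) is not None]

def query(events: List[NormalizedEvent], **filters) -> List[NormalizedEvent]:
    """Ad hoc query over normalized fields, e.g. query(events, outcome="failure")."""
    return [e for e in events if all(getattr(e, k) == v for k, v in filters.items())]

def grep_raw(events: List[NormalizedEvent], needle: str) -> List[NormalizedEvent]:
    """Query the preserved original lines rather than the normalized view."""
    return [e for e in events if needle in e.raw]

def expired(events: List[NormalizedEvent], now_iso: str, retention_days: int = 365) -> List[NormalizedEvent]:
    """Records older than the retention window (one year by default), candidates for archival."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=retention_days)
    return [e for e in events if datetime.fromisoformat(e.timestamp) < cutoff]

if __name__ == "__main__":
    for ev in aggregate(RAW_EVENTS):
        print(asdict(ev))
```

Run it directly to see the three records in the shared schema. The design point is that the raw line travels with the normalized record: normalization makes cross-source correlation possible (all three failures above share the same minute and the same target network), while the untouched original is what an investigator exports or reconstructs from.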