If you missed last week's discussion on the fun mishaps of the Target breach, it's here:
This week, I thought I'd go a different direction. Since we're all (theoretically) LEM users (or, even if we're not, we're probably doing some log monitoring or SIEM using another tool), what are the things you wish you knew or did before you got started, or as you worked through your implementation? And for the vets, what do you wish you'd known, now that you've been using it for a while?
From my end: at a low level, the biggest pet peeve customers have is how to get emails out of LEM, which is generally a problem of understanding how the pieces all fit together.
At a high level, I think maybe prioritization, and thinking about how you integrate LEM/SIEM as a part of your IT/security operations before you get started, so you even know what problem or problems you're going to start with or try to solve. We have a lot of recurring customers who say "I really am not using LEM to its full potential" or "I know I could be doing more," mixed in with new customers who say "I wish it was magic to set up my irritating use cases (like compliance) faster." We can do some stuff in the product to help get set up faster or help expose more content, but it's critical that you know what you are trying to accomplish, too.
What do you think?