Managed SIEM Service

Service Definition • Armstrong Bell • 21 May 2026
Document summary
This document provides detailed information about the services offered to customers utilising our Managed Security Information and Event Management (SIEM) solution. This information clarifies the scope of items included within the overall service provision.
Core service provision
Our Managed SIEM service is designed to provide a comprehensive monitoring, alerting and response service for cyber threats. The service collects vast amounts of data from a wide range of sources within a customer environment and reviews that data for signals of compromise or suspicious activity. The resulting alerts are individually reviewed to determine whether further action is required.

The service enables log data to be collected and forwarded to a centralised SIEM platform, with a team of security experts who collaborate with our team to investigate any signs of suspicious activity for a customer. Our team are on hand to provide customer-specific knowledge and to assist with remediation activities should these be required.
Service desk support

Customers can raise queries directly with our dedicated support team for assistance. Typical requests include:

  • Setting up log sources, such as Windows Event Logs and Syslog
  • Support for resolving issues related to log collection, alerting, or integration with existing systems
  • Information about the capabilities of the Managed SIEM service and how it can be tailored to meet specific needs

Service coverage is provided in line with the customer’s existing Managed IT Service support contract.

Alert management
Any alerts received from our partner are sent directly to our service team for investigation. Typically these alerts will be for possible suspicious or unusual activity, as well as notifications for maintenance activities. All of these items are individually reviewed by our team and, where applicable, customers are engaged to ensure they receive the required corresponding information.
Available reporting
A periodic SIEM data and events report is available to customers and typically produced on a quarterly basis. These reports are then discussed in service review meetings to ensure that an expert is on hand to answer any queries that customers may have.
Vendor escalation
Our team collaborates with our preferred partner for SIEM and Security Operations Centre services, ensuring any investigations are conducted swiftly and troubleshooting items as required. Issues such as log collection or agent-based reporting will be investigated by both organisations jointly.
Addition of new features
Where a new feature is introduced to the platform that would be of benefit to a customer, the required changes are reviewed by our team to ensure they are suitable for implementation. If the change requires any disruption to service or an adjustment to core components that may alter existing functionality, this will be communicated to the customer and a route forward agreed.

Any additional functionality that requires considerable work and/or integration will be scoped and discussed independently with the customer.
On-boarding
The on-boarding steps for the core components are listed below:

  1. SIEM Configuration
    • Configure SIEM platform for customer tenant
    • Configure pre-approved remediation steps for detected alerts
  2. Configure log sources
    • Deploy agent to Windows devices
    • Implement Syslog collection for network and other devices
    • Confirm logs received from all sources into the SIEM
  3. Execution and Monitoring
    • Review initial log collection for any identified activities that require investigation or re-configuration