Security Information and Event Management (SIEM) Solution
Tender ID: 603576
Tender Details
Tender Description
This Tender is invited by the Issuer.
The Department is seeking to engage a suitable panellist to undertake the implementation, configuration, validation, and operationalisation of a cloud-based SIEM (Security Information and Event Management) solution, integrated with the Department’s new ICT environment for the ingestion and processing of system logs up to PROTECTED level. To realise the productivity gains that newer technologies offer, the solution must also include Security Orchestration, Automation, and Response (SOAR) and security case management capabilities.
Services Required:
- Implementation of the overarching solution covering SIEM, SOAR, and case management capabilities. Proposals should include the Palo Alto XSIAM platform, Google Security Operations (SecOps) platform, and/or any other products respondents feel satisfy the Department’s requirements and provide value for money.
- Completion of the following in consultation with Departmental SOC and project personnel:
  - Ingestion of initial log sources (up to 20) in accordance with the Department’s cyber security logging plan;
  - Development of rulesets enabling near real-time detection of anomalous events for the initial log sources;
  - Development of dashboards for the initial log sources;
  - Development of an incident response plan, procedures and playbooks for events related to the initial log sources, based on the MITRE ATT&CK framework;
  - Establishment and implementation of workflows and procedures for security case management; and
  - Production of associated process documentation for ruleset development and dashboards.
- Provide a demonstration of SOAR capabilities, including the development of up to three (3) tier-1 playbooks;
- Provide training, including provision of training material, to existing personnel (up to 10);
- Development of as-built/as-configured documentation capturing the configuration of the solution including interfaces with other systems such as externally provided threat intelligence feeds.
- Execution of half-yearly health checks of the solution for a minimum of two (2) years, including but not limited to:
  - Assessment of general system health;
  - Reduction of false positive detections;
  - Analysis of, and recommendations for improvements to, existing detection rulesets; and
  - Identification of possible cost reductions.
With the exception of the half-yearly health checks, it is envisaged that all work will be undertaken over the period mid-Feb to end June 2026.
All personnel working directly on the solution will be required to hold current NV1 AGSVA security clearance and may be required to undergo additional Police Checks with costs to be borne by the successful respondent.
Intellectual property for all material produced under the engagement will remain with the Department.
Respondents should include the following in their response:
- An overview of the approach to be taken during the engagement;
- An overview of the proposed solution including envisaged integration points with the Department;
- Response to each requirement detailed in the attached PMC SIEM – Detailed Requirements.XLS, indicating compliance with each requirement;
- Detailed costings, including:
  - Proposed payment milestones;
  - Any proposal for charging selected components (e.g. log ingestion and dashboard development) under ‘time and materials’ provisions. Where such charges are proposed, they must be accompanied by detailed effort/cost estimates;
  - Any product licensing and/or subscriptions for a minimum of one (1) year; and
  - Detailed costings for years 2 and 3, including out-year licensing costs.
- High level schedule including key deliverables;
- CVs of key personnel proposed for the engagement;
- Details of similar engagements within Federal Government or large Corporate environments, including referee details;
- Any GFx requirements;
- Details of any other cyber security related services they may be able to provide, such as incident response services, penetration testing, SOC analyst services, or cyber threat intelligence that the Department may optionally engage the successful respondent for in future.
PARTNERING ARRANGEMENTS:
Where respondents are not able to provide the full range of services themselves, they are welcome to partner with other organisations to deliver the full range of services required. Details of any such partnering arrangements should be provided within the response.