For many CSOCs, there was a simpler time. A time when their security event collection and monitoring problems could, in theory, be solved by buying, installing, and optimizing one product. Today, life is not so simple. The SIEM marketspace started with many startups, consolidated to a handful of leaders, and has diversified again. Acquiring and operating an analytic platform for large and mature CSOCs is a major investment of time, money and effort. The best approach to common tasks–normalization, near-real-time correlation, analyst triage, pivot, and workflow–is not always cut and dry. In this talk, the presenter will give an overview of major design considerations and opportunities in implementing, and evolving the modern CSOC analytic platform.