I was hoping for a general approach to the topic, which is there, but at a high level. There is little detail on how to generically analyse or understand log sources and systems, and a strong focus on a set of specific products. If you're using AlienVault, OSSIM, Cisco MARS, ArcSight or QRadar then you might have gotten more value from this book than I did. I'm not using those products, so it seems like half the content isn't applicable to the general problem, leaving a fairly bland introduction to the topic that doesn't provide much insight.
If you have no idea what SIEM is AND you are planning on using one of the products mentioned then this is probably a good book for you. However, as an experienced security practitioner using different products I got little value from this book.
It's a bit scary, reading this, how many 'consultants' have simply lifted entire chunks from the book and sold them to clients 'as-is', without any seeming consideration for the client's individual needs or the specific threats their market sector attracts.
Correlation is key, and it is the hopeless lack of any attempt to correlate the security events received that completely bamboozles SIEM consultants who would use this book as a key resource. Reference to the need to correlate is provided and some very basic examples are given, but I know from examining most customer configurations that those consultants never really had a clue how to get SIEM to do anything other than consume vast amounts of network bandwidth and disk space.
Unfortunately, Miller et al. aren't going to tell you what to correlate; if you are a SIEM consultant worth your salt, you should know in any case. The snag is, it's obvious there are plenty of so-called consultants out there depending on the book.
For what it is, it is very good. It is, though, just an introduction, not a workbook, and certainly not a 'how-to' guide.