I am a SOC manager and work at a large health organization with 29k endpoints and around 30k users.
We use Trend Micro for our EDR, NIDS/NIPS, email security and cloud security.
We also use Splunk to ingest logs from the appropriate data sources (cloud, proxy, firewalls, Trend, etc.).
The SOC only own Splunk and do not own the Trend Micro suite. The Trend Micro suite is owned by a team full of system engineers who have no idea about security, yet they are tasked with making changes to the tool. When the SOC raise requests to fix things and get stuff tuned, they ignore them and resolve the tickets without getting them done correctly. The SOC are at the mercy of the Trend Micro platform owners, who are not security focused. The CISO has stated that the SOC are a consumer of the logs and not responsible for managing the tools. I have tried to convince him, but he seems stuck on thinking that the SOC are only for detection and response.
My question: SHOULD THE SOC OWN THE SECURITY TOOLS used by the org (Trend Micro), so they can make the relevant changes, tune the alerts on the tools, and prioritize where need be?