Hello!
Currently, Security Engineers/Administrators are usually assigned the LEM Administrator role and are responsible for creating and managing those security/correlation rules. The LEM Administrator role has the power to create LEM rules with actions like shutting down or restarting servers. This generates a big issue, actually a show stopper at implementation. Shutting down or restarting servers is really a System Administrator's duty, not a Security Administrator's. With FISMA, PCI compliance and SANS top 20 security controls, separation of duties is a must. Think if you were a Windows Admin who is responsible for a Windows domain controller: you wouldn't want to be called at midnight because of a LEM Security Admin's rule that shut down your domain controller.
Thanks,
Lucy