SIEM & SOAR#

Reference of Security Information & Event Management (SIEM) and Security Orchestration / Automation / Response (SOAR) platforms. Covers ingest scale, query language, pricing model, and the open-source / cloud-native alternatives that have eaten away at legacy SIEM share since ~2018.

For detection-rule formats, see MITRE ATT&CK (Sigma). For log formats, see Log Formats. For EDR (which feeds the SIEM), see EDR & XDR.

SIEM platforms#

Product

Vendor

Notes

Splunk Enterprise

Cisco

SPL; the standard SIEM; ingest-priced; on-prem + Cloud; ES = Enterprise Security; acquired by Cisco 2024.

Splunk Cloud

Cisco

Managed Splunk; same SPL.

Microsoft Sentinel

Microsoft

KQL; Azure-native; per-GB ingest; deep Defender integration.

Google SecOps (Chron

icle) Google

YARA-L; UDM data model; petabyte-scale; bought Mandiant.

IBM QRadar

IBM

Long-running; AQL; sold to Palo Alto Cortex 2024.

Elastic Security

Elastic

Free + paid; ECS schema; on-prem or cloud; KQL / EQL / ES|QL.

Sumo Logic

Sumo Logic

Cloud-native SIEM + observability.

Exabeam Fusion

Exabeam

ML user-behavior; LogRhythm merged.

LogRhythm

Exabeam

Merged with Exabeam 2024.

Securonix

Securonix

UEBA-first SIEM; Snowflake-backed.

Devo

Devo

High-speed ingest; SOC-focused.

Rapid7 InsightIDR

Rapid7

SaaS SIEM + UEBA.

Logpoint

Logpoint

EU-focused SIEM.

Trellix Helix

Trellix

McAfee + FireEye SIEM.

ArcSight ESM

OpenText

Legacy enterprise; CEF format; sunsetting.

NetWitness

NetWitness

RSA-spinout; deep packet + log.

Stellar Cyber

Stellar Cyber

“Open XDR” SIEM hybrid.

Hunters.AI

Hunters

Auto-investigation overlay.

Anvilogic

Anvilogic

Detection content management.

Panther

Panther

Cloud-native; Snowflake / Databricks-backed.

Open-source / self-hosted#

Product

Org

Notes

Wazuh

Wazuh

Fork of OSSEC; HIDS + SIEM; Elastic-backed UI.

OSSEC

OSSEC

Original HIDS; Wazuh fork dominates.

Elastic Stack

Elastic

Self-host ELK / Elastic Security free tier.

Graylog

Graylog

OSS; commercial Enterprise tier.

SIEMonster

SIEMonster

OSS bundle.

Security Onion

SO Foundation

Suricata + Zeek + Stenographer + ELK; the OSS detection-engineer distribution.

TheHive + Cortex

TheHive Project

IR + observable analysis; SOAR-ish.

MISP

MISP Project

Threat-intel sharing; CTI feed source.

Elastic Detection

Elastic

Free-tier Elastic Security.

OpenSearch Security

OpenSearch

AWS-led OpenSearch.

Apache Metron (defun ct)

Apache

Sunset.

Apache Spot (defunct)

Apache

Sunset.

Loki + Grafana

Grafana

Logs as observability; not strict SIEM.

Quickwit

Quickwit

Log search engine.

ClickHouse + Vector

Various

DIY stack: ClickHouse for search, Vector or OTel collector for ingest; common cost-saver.

SOAR platforms#

Product

Vendor

Notes

Splunk SOAR

Cisco

Phantom-derived; Python playbooks.

Palo Alto Cortex XSO AR

Palo Alto

Demisto-derived; the playbook leader.

Tines

Tines

No-code; Y Combinator alum; growing.

Torq

Torq

No-code; growing.

Microsoft Sentinel S OAR

Microsoft

Logic Apps + Sentinel Playbooks.

Google SecOps SOAR

Google

Siemplify-derived.

IBM SOAR

IBM

Resilient-derived; sold to Palo Alto 2024.

Swimlane

Swimlane

Independent SOAR.

DFLabs IncMan

DFLabs

Sumo Logic-acquired.

Logsign SOAR

Logsign

Commercial.

DTonomy

DTonomy

ML-augmented.

Shuffle

Shuffle

Open-source SOAR.

StackStorm

Linux Found.

OSS event-driven automation; SOAR-adjacent.

n8n

n8n

Workflow automation; SOAR-adjacent OSS.

Zapier / Make.com

Zapier / Make

Generic but used for lightweight SOAR.

Detection-content / rule formats#

Format

Notes

Sigma

Generic detection-rule YAML; converts to many SIEM dialects; actively maintained; SigmaHQ.

SPL

Splunk Search Processing Language; the standard SIEM DSL.

KQL

Kusto Query Language; Microsoft (Sentinel, Defender, Azure).

ES|QL / EQL / KQL

Elastic Search Query Language / Event Query Language / Kibana QL.

SPL2

Splunk’s next-gen SQL-like.

YARA-L

Chronicle / Google SecOps; YARA-derived for log telemetry.

Snort / Suricata rul es

Network IDS rules.

YARA

File / memory pattern matching.

EDR vendor DSLs

CrowdStrike LogScale / SentinelOne S1QL / etc.

Velociraptor VQL

Velociraptor query language for live forensics.

Log routing / pipeline#

Tool

Notes

Cribl Stream

The dominant SIEM-pipeline reduction layer (route, reduce, enrich); Bytebeam license.

Vector

Datadog OSS pipeline; Rust; common Splunk-reducer.

Fluentd / Fluent Bit

CNCF; the K8s default.

Logstash

Elastic; legacy.

NXLog

NXLog; Windows-friendly.

syslog-ng

One Identity; long-running.

rsyslog

Open-source; default on most Linux.

Calyptia Fluent Bit

Hosted Fluent Bit.

OpenTelemetry Collec torCNCF

Multi-signal pipeline; logs / metrics / traces.

Apache Kafka Apache

Common transport between collectors and SIEM.

Common detection signals#

Signal

Notes

Authentication

Failed logins, impossible travel, MFA bombing, AD audit logs.

Endpoint

Process create, file write, registry, DNS, WMI; ETW / Sysmon / auditd / EDR.

Network

Flow (NetFlow / IPFIX), DNS, TLS metadata (JA3 / JA4), suspicious LDAP, BGP anomalies.

Cloud audit

AWS CloudTrail, GCP Audit, Azure Activity, K8s audit.

Email

SEG logs (Proofpoint, Mimecast, Defender for O365); URL clicks.

DLP

File-share / SaaS data leak signals.

Threat intel feeds

IoC matches (see CTI Sources).

ATT&CK technique cov.

Tag detections by T#### for measurable coverage.

Operator notes#

  • Ingest is the cost, legacy SIEMs charge per GB / day; pipelines (Cribl, Vector) cut 30-60% by routing low-value data to cheaper storage.

  • Tier the stack: hot search (Splunk / Sentinel) + warm lake (S3 / GCS + Athena / BigQuery / Snowflake) + cold archive (Glacier).

  • Sigma rules are the portable detection content, write once, convert per-platform; pair with SigmaHQ + ATT&CK alignment.

  • MTTD / MTTR are the SIEM KPIs that matter; not “rule count”.

  • UEBA value depends on identity-graph quality; garbage AD = garbage UEBA.

  • SOAR adoption, start with high-volume / low-judgment playbooks (containment, ticket enrichment); leave high-judgment to humans.

  • Cloud-native SIEM lock-in, Sentinel ties to Microsoft 365 logs; Chronicle ties to Mandiant + GCP. Multi-cloud shops should evaluate carefully.

  • Detection backlog, enable ATT&CK technique mapping in your SIEM to spot which techniques you can’t yet detect.

References#