SIEM & SOAR#
Reference of Security Information & Event Management (SIEM) and Security Orchestration / Automation / Response (SOAR) platforms. Covers ingest scale, query language, pricing model, and the open-source / cloud-native alternatives that have eaten away at legacy SIEM share since ~2018.
For detection-rule formats, see MITRE ATT&CK (Sigma). For log formats, see Log Formats. For EDR (which feeds the SIEM), see EDR & XDR.
SIEM platforms#
Product |
Vendor |
Notes |
|---|---|---|
Splunk Enterprise |
Cisco |
SPL; the standard SIEM; ingest-priced; on-prem + Cloud; ES = Enterprise Security; acquired by Cisco 2024. |
Splunk Cloud |
Cisco |
Managed Splunk; same SPL. |
Microsoft Sentinel |
Microsoft |
KQL; Azure-native; per-GB ingest; deep Defender integration. |
Google SecOps (Chron |
icle) Google |
YARA-L; UDM data model; petabyte-scale; bought Mandiant. |
IBM QRadar |
IBM |
Long-running; AQL; sold to Palo Alto Cortex 2024. |
Elastic Security |
Elastic |
Free + paid; ECS schema; on-prem or cloud; KQL / EQL / ES|QL. |
Sumo Logic |
Sumo Logic |
Cloud-native SIEM + observability. |
Exabeam Fusion |
Exabeam |
ML user-behavior; LogRhythm merged. |
LogRhythm |
Exabeam |
Merged with Exabeam 2024. |
Securonix |
Securonix |
UEBA-first SIEM; Snowflake-backed. |
Devo |
Devo |
High-speed ingest; SOC-focused. |
Rapid7 InsightIDR |
Rapid7 |
SaaS SIEM + UEBA. |
Logpoint |
Logpoint |
EU-focused SIEM. |
Trellix Helix |
Trellix |
McAfee + FireEye SIEM. |
ArcSight ESM |
OpenText |
Legacy enterprise; CEF format; sunsetting. |
NetWitness |
NetWitness |
RSA-spinout; deep packet + log. |
Stellar Cyber |
Stellar Cyber |
“Open XDR” SIEM hybrid. |
Hunters.AI |
Hunters |
Auto-investigation overlay. |
Anvilogic |
Anvilogic |
Detection content management. |
Panther |
Panther |
Cloud-native; Snowflake / Databricks-backed. |
Open-source / self-hosted#
Product |
Org |
Notes |
|---|---|---|
Wazuh |
Wazuh |
Fork of OSSEC; HIDS + SIEM; Elastic-backed UI. |
OSSEC |
OSSEC |
Original HIDS; Wazuh fork dominates. |
Elastic Stack |
Elastic |
Self-host ELK / Elastic Security free tier. |
Graylog |
Graylog |
OSS; commercial Enterprise tier. |
SIEMonster |
SIEMonster |
OSS bundle. |
Security Onion |
SO Foundation |
Suricata + Zeek + Stenographer + ELK; the OSS detection-engineer distribution. |
TheHive + Cortex |
TheHive Project |
IR + observable analysis; SOAR-ish. |
MISP |
MISP Project |
Threat-intel sharing; CTI feed source. |
Elastic Detection |
Elastic |
Free-tier Elastic Security. |
OpenSearch Security |
OpenSearch |
AWS-led OpenSearch. |
Apache Metron (defun ct) |
Apache |
Sunset. |
Apache Spot (defunct) |
Apache |
Sunset. |
Loki + Grafana |
Grafana |
Logs as observability; not strict SIEM. |
Quickwit |
Quickwit |
Log search engine. |
ClickHouse + Vector |
Various |
DIY stack: ClickHouse for search, Vector or OTel collector for ingest; common cost-saver. |
SOAR platforms#
Product |
Vendor |
Notes |
|---|---|---|
Splunk SOAR |
Cisco |
Phantom-derived; Python playbooks. |
Palo Alto Cortex XSO AR |
Palo Alto |
Demisto-derived; the playbook leader. |
Tines |
Tines |
No-code; Y Combinator alum; growing. |
Torq |
Torq |
No-code; growing. |
Microsoft Sentinel S OAR |
Microsoft |
Logic Apps + Sentinel Playbooks. |
Google SecOps SOAR |
Siemplify-derived. |
|
IBM SOAR |
IBM |
Resilient-derived; sold to Palo Alto 2024. |
Swimlane |
Swimlane |
Independent SOAR. |
DFLabs IncMan |
DFLabs |
Sumo Logic-acquired. |
Logsign SOAR |
Logsign |
Commercial. |
DTonomy |
DTonomy |
ML-augmented. |
Shuffle |
Shuffle |
Open-source SOAR. |
StackStorm |
Linux Found. |
OSS event-driven automation; SOAR-adjacent. |
n8n |
n8n |
Workflow automation; SOAR-adjacent OSS. |
Zapier / Make.com |
Zapier / Make |
Generic but used for lightweight SOAR. |
Detection-content / rule formats#
Format |
Notes |
|---|---|
Sigma |
Generic detection-rule YAML; converts to many SIEM dialects; actively maintained; SigmaHQ. |
SPL |
Splunk Search Processing Language; the standard SIEM DSL. |
KQL |
Kusto Query Language; Microsoft (Sentinel, Defender, Azure). |
ES|QL / EQL / KQL |
Elastic Search Query Language / Event Query Language / Kibana QL. |
SPL2 |
Splunk’s next-gen SQL-like. |
YARA-L |
Chronicle / Google SecOps; YARA-derived for log telemetry. |
Snort / Suricata rul es |
Network IDS rules. |
YARA |
File / memory pattern matching. |
EDR vendor DSLs |
CrowdStrike LogScale / SentinelOne S1QL / etc. |
Velociraptor VQL |
Velociraptor query language for live forensics. |
Log routing / pipeline#
Tool |
Notes |
|---|---|
Cribl Stream |
The dominant SIEM-pipeline reduction layer (route, reduce, enrich); Bytebeam license. |
Vector |
Datadog OSS pipeline; Rust; common Splunk-reducer. |
Fluentd / Fluent Bit |
CNCF; the K8s default. |
Logstash |
Elastic; legacy. |
NXLog |
NXLog; Windows-friendly. |
syslog-ng |
One Identity; long-running. |
rsyslog |
Open-source; default on most Linux. |
Calyptia Fluent Bit |
Hosted Fluent Bit. |
OpenTelemetry Collec torCNCF |
Multi-signal pipeline; logs / metrics / traces. |
Apache Kafka Apache |
Common transport between collectors and SIEM. |
Common detection signals#
Signal |
Notes |
|---|---|
Authentication |
Failed logins, impossible travel, MFA bombing, AD audit logs. |
Endpoint |
Process create, file write, registry, DNS, WMI; ETW / Sysmon / auditd / EDR. |
Network |
Flow (NetFlow / IPFIX), DNS, TLS metadata (JA3 / JA4), suspicious LDAP, BGP anomalies. |
Cloud audit |
AWS CloudTrail, GCP Audit, Azure Activity, K8s audit. |
SEG logs (Proofpoint, Mimecast, Defender for O365); URL clicks. |
|
DLP |
File-share / SaaS data leak signals. |
Threat intel feeds |
IoC matches (see CTI Sources). |
ATT&CK technique cov. |
Tag detections by T#### for measurable coverage. |
Operator notes#
Ingest is the cost, legacy SIEMs charge per GB / day; pipelines (Cribl, Vector) cut 30-60% by routing low-value data to cheaper storage.
Tier the stack: hot search (Splunk / Sentinel) + warm lake (S3 / GCS + Athena / BigQuery / Snowflake) + cold archive (Glacier).
Sigma rules are the portable detection content, write once, convert per-platform; pair with SigmaHQ + ATT&CK alignment.
MTTD / MTTR are the SIEM KPIs that matter; not “rule count”.
UEBA value depends on identity-graph quality; garbage AD = garbage UEBA.
SOAR adoption, start with high-volume / low-judgment playbooks (containment, ticket enrichment); leave high-judgment to humans.
Cloud-native SIEM lock-in, Sentinel ties to Microsoft 365 logs; Chronicle ties to Mandiant + GCP. Multi-cloud shops should evaluate carefully.
Detection backlog, enable ATT&CK technique mapping in your SIEM to spot which techniques you can’t yet detect.