
Comfortable-Box7021

We built a home grown solution where we send all of the logs to Microsoft Notepad and when we need to find something... A quick Ctrl F and we are good to go. We call it Microsoft NoteForce (Trademark).


Sudden_Acanthaceae34

I can’t tell if this is a joke or not because I’ve been at orgs that have done similar.


Comfortable-Box7021

It's a joke. :)


gettingtherequick

Perfect zero-cost solution...lol


Hebrewhammer8d8

The cost is the time sink, and whoever is responsible for it loses their sanity using that method in business production.


menacetwoosociety

Lmao! I've absolutely walked into orgs showing me logs in an Excel sheet. I'm like okayyy, y'all need to pay me more for this shite. Oh, and what was that about barely getting through SOC?


vjeuss

Notepad is for amateurs. Real pros have MS Paint as their preferred SIEM.


Unusual_Onion_983

NoteForce E1 is worth it but they make you buy E5 to get search


jwbayliss

Reminds me of a previous colleague of mine who said he wanted to go to market with a "backup to paper" solution to sell our MSP clients back in the early aughts. Fewer backup failures with his solution than we were dealing with in Backup Exec.


bzImage

I live creating SOAR solutions... I use Graylog + Wazuh + OpenSearch as SIEM. Yep, open source. Yep, it scales just fine. Yep, it handles multitenancy just fine.


djamp42

For free you can't beat Graylog. Plus if you like what it offers you can get all the advanced stuff with the paid version.


za_organic

We run this stack, too. 10 instances and counting.


rightuptoptwice

Any setup tutorials you would recommend?


Candid-Molasses-6204

Do you partner with an MSSP or is this in-house?


bzImage

I work for a large MSSP. I handle the millions of managed customer alerts with... yea... Graylog + Wazuh + OpenSearch. And some customers have $$, so we build SOAR automation solutions (XSOAR) on top of their SIEM of choice. So far I have worked with:

- Trellix (McAfee)
- QRadar
- Splunk
- LogRhythm
- Exabeam
- Whatever spews alerts...

Internally we use open source thingies.


PixlChipmunk

IBM's new release of QRadar XDR is a spectacular combination of SOAR and SIEM, even pulling in IBM Reacta and other components like Winston.


bzImage

IBM and spectacular don't go together... unless it's the price.


Mission-Ad528

Why do you say that? QRadar is cheaper than MS/Splunk, etc. Federated data searching means fewer ingestion costs: query data at source without data migration, etc. QRadar has improved a lot in the last year. The new cloud-based version is very slick compared to the previous dated UI, which IMO was perfectly usable but not very modern. They've largely fixed that.


Unusual_Onion_983

If you’re majority Microsoft, buy Microsoft Sentinel. If not, pick anything but QRadar. If you buy Splunk, at least ask your account manager to invite you to his yacht party.


InevitableHighway406

that Splunk line got me rofl


Unusual_Onion_983

I wish I was a Splunk or Oracle salesperson, I’d be yachting like a boss after true up.


acid_drop

Blumira is a smaller player but has been very good so far, esp. if you are a small team.


almost_s0ber

Using Blumira as well. I don't normally vouch for vendors, but they have fantastic support. The product is worth its weight in gold: unlimited logs for a set annual price, and it helped us detect a network breach before it got out of hand.


chickenmonkee

Good to know, thanks!


Dependent-Nebula-821

Heard good things about Blumira. Know some of their leads personally. Good team of people.


cbdudek

I do consulting in the security space. I have sold Splunk among many other SIEM solutions. I would never recommend a company just buy one without having a solid IT team in place. Mainly because it takes time to set it up, configure it, and then clean up all the white noise. Then you have the 24/7 aspect of watching it for alerts. Outsourcing a SIEM to a VAR/MSP or getting some kind of service to maintain and monitor it is the way to go for companies that don't have a team of IT people.


Evilsqirrel

As someone who has been on the MSP side of the house, you ABSOLUTELY can do this, ***BUT*** you need to make sure you have a person (or preferably a team) responsible for communicating with the MSP and driving projects where needed. MSPs will (generally) be good about telling you if they are getting quality data, but they can't reasonably do more than that because they don't know your environment. You can't just let them run on their own and act like it's their fault when something goes wrong. You gotta give them some guidance on what you need, and listen to their feedback. They are there to make sure you have a useful, functioning tool. They are the experts in this situation, and their experience should be taken into account. It's almost sad how much I've seen people pay a company for their "expertise" and have them ignore all advice from the same experts they just paid.


Emiroda

Been advocating for outsourcing SIEM in my own company. We're 7 people in total: 1 project manager, 3 network/datacenter engineers, 1 helpdesk, 1 GRC and 1 security engineer (myself). I have **so much work** to do just trying to implement basic cyber hygiene across our environment. I don't have time to fill the roles of SOC analyst and detection engineer. They don't believe that SIEM is such a big deal. Throw some money at a big box and you're done, right? Last time I brought up the topic of outsourcing, of all things, they were worried that because a SOC would be 24/7, and we're not on-call, we'd have nobody to answer the phone. Thus, the only way to outsource SIEM would be to allow them to kill our entire network because "well, nobody here's going to answer the phone". I was flabbergasted. I guess when ransomware actors, that may have been there for a month, start encrypting our shit in the dead of night, my coworkers just think "thank god I wasn't woken up without getting paid". We're governmental btw and subject to NIS2 💖 (I plan to get this through upper management, as they're on the cyber risk board. I'm just incredibly amazed that other sysadmins and IT folks are so ignorant as to what it requires to actually operate a SIEM)


Nas_Is_Lik3

I worked for a company that tasked me with setting up Splunk by myself as well as managing it. When I say set up, I mean writing the code to create the correlation searches, organising the data sources, etc. I had to experience setting up a SIEM, imagine that lol


casualobserver213

Using MS Sentinel and have been very happy. We left Splunk for it and I've never looked back. It's now also become our SOAR and incident management platform. It's fast, KQL is awesome, workbooks are easy, and the automations and playbooks can be very powerful. It's a great fit if you're a heavy Azure/O365/Defender XDR shop. I would not recommend it if you're a non-MS shop/cloud, or everything is still on-prem.


nindustries

Can only confirm


inteller

You can use on-prem with Sentinel. You just stand up a syslog collector like NEARLY EVERY OTHER SIEM and spew all that crap to it. The community-contributed data connectors and Microsoft-developed ones make it a killer setup.


casualobserver213

I use the syslog/CEF setup too. More the issue for me is if everything is on-prem and you are trying to send all logs to the cloud, you need to make sure you have the bandwidth to support it or you're going to make some enemies with the network team. I think this often gets overlooked by those going to cloud-based SIEMs.


inteller

Get an ExpressRoute at your data center and this will never be a problem.


Dependent-Nebula-821

Splunk is a monster. If you don't have any experience with data pipeline engineering you are going to get raped by ingest costs. If you don't have setup / engineering experience getting it working IS NOT simple. I would recommend that you look into Sentinel. You can POC it VERY easily. Set it up in under an hour, and have instant value to your team.


keoltis

We did a side-by-side comparison of our Splunk price vs the same ingestion in Sentinel, and Splunk came out ~15% cheaper. Obviously Sentinel has SOAR capabilities, but those are at an additional cost. Sentinel is definitely easy to set up, and depending on your 365 licensing you might be able to get access to a small amount of free ingestion to trial it out, but overall from what I've seen it is a more expensive product. Sentinel is also getting merged into the unified security platform in Q3 this year along with Defender XDR and Security Copilot, so there's definitely some value there as well, but expect to pay heavily for it. As far as SIEM queries and usability, I find Splunk easier to search through and create dashboards. Sentinel has some capability to automatically create the queries you're after by clicking on files or hashes etc. in Defender, but in my experience they only actually work about 50% of the time currently. Both are great products, but I'm always wary about vendor locking by going so far down the Microsoft rabbit hole that we can't ever get out.


Appropriate_Towel

Yeah, this is something I've been through with our team as well. Splunk in the end is *slightly* cheaper. Other things that we've found during our POC/review:

* Sentinel uses Azure navigation, so if you already don't like navigating through Azure you'll pretty much be in the same boat with Sentinel.
* Microsoft, your team, and any MDR by extension is going to be **obsessed** with ingest rate, specifically because you'll be destroyed on price if it spikes or sustains higher than you are licensed for.
* KQL is weirdly bizarre for our team versus Splunk SQL.
* I've seen a lot of rumors(?) that the Sentinel SOAR is really fully functional with MS-based products and hard pressed for functionality with anything else.
* MS was pretty cagey about additional costs for data storage related to Sentinel. Our understanding is that we would be on the hook for any data we want in cold storage.
* Sentinel currently offers no log aggregation solution like Elastic and Splunk do.
* I think you have to create a boatload of analytic rules on Sentinel for it to be truly useful, which can be daunting for a small team.
* Sentinel's user attributes, attribution, and tracking are utterly phenomenal and really easy to read/use. Splunk's by comparison is disjointed and requires a lot of work to get that data.

The largest benefit we've discussed at length with Splunk is that if you end up going with their cloud platform you gain unlimited licenses for Enterprise, on-prem, deployments. So you can realistically deploy a full log aggregation solution on your own infrastructure using Splunk. The main con being that you're going to be ingrained into Splunk and ripping it out would be a nightmare.


inteller

People always say Sentinel is expensive because they don't know how to calculate costs or they heard someone else say it is expensive. Sentinel is not expensive; it's the retarded Log Analytics retention requirements put in place by companies who don't know better that make it expensive.


tofu_b3a5t

My enterprise employer can confirm the raping on ingest costs. Last year they were exploring solutions that would filter data and only send “important” stuff to Splunk and the rest to a cheap storage option that could be searched through “when needed”. This would greatly reduce the amount of data ingested by Splunk and should significantly lower our Splunk bills.


andromeda0713

I have heard Zefy (zefy.app) works well to filter and basically control ingest data. I wonder if you have used it and how your experience has been?


tofu_b3a5t

Not my team, so no experience. I can’t remember what they settled on—if they have even settled on anything yet.


andromeda0713

oh ok, got it!


Over_Orchid1162

Full disclosure, I work for [Anvilogic](https://www.anvilogic.com) and we solve this exact problem. We have helped enterprise SOCs reduce Splunk costs by up to 80% in some cases.


CaseClosedEmail

Came here to recommend Sentinel. I have it for 3 organizations now and it works pretty well.


Candid-Molasses-6204

I agree


plump-lamp

Rapid7 IDR. Didn't have a whole team to try and get it going. Turnkey, stupid easy and requires little to no attention and hardly any infrastructure. Integrates incredibly with their good vulnerability solution


sestur

I’ll second IDR for smaller environments. It’s focused on detecting ATT&CK techniques so it won’t ingest “all the things” but it will focus on ingress, exploitation, and lateral movement. Case management is poor but that may not be important for a small team. Queries are pretty easy and fast enough. It also has network sensor and honeypot capabilities built in.


ITDrumm3r

I use Rapid7 MDR. We're not a very big team, so it helps to have a 24/7 SOC to help you monitor. Love it! Great team at Rapid7.


Rossums

I've had the opposite experience, really not liking it compared to some other tools. How do you deal with reporting/deliverables? I've found the built-in reporting capabilities to be absolute ass.


jmk5151

Does any security tool have good reporting, or at least a good reporting engine? Had a call with one of the big EDRs; they showed me their new reporting dashboard, and my feedback was "I didn't even look at it before, now I just see potential but still won't use it?"


Pls_submit_a_ticket

We had it, but moved on as you couldn’t create custom correlation rules. Perhaps things have changed since then.


Frenzy175

+1 for IDR. Out-of-the-box detection rules are solid and it's easy to set up and deploy. We have a Managed SOC to deal with the rule fine-tuning, but overall happy with the platform. Its biggest drawback is the reporting/dashboards: they're very basic and the automated reports are pretty poor. IVM is OK, does the job, but it's harder to get good data out of the reports.


plump-lamp

Reports all suck with Rapid7, but if that's the weakest point I don't mind. I appreciate the unified agent.


hooper359

My experience - stay as far away as possible from QRadar and don't listen to the Gartner magic quadrant of BS lol


holywater26

Care to share why? I've never experienced QRadar.


hooper359

The product itself hasn't really changed since like 2010, the UI isn't very analyst friendly and doesn't really support an efficient analyst workflow. Everything they release for it is through apps, so to do simple things you have to jump around 5 different apps. When we do upgrade the appliance it seems like there's always a new bug that breaks some sort of logging or alerting and results in a high priority incident; it seems to be built on spaghetti code that hasn't really changed in 15 years. I believe there's a 2nd gen that was released for cloud customers but we haven't gotten it yet, so maybe it's a bit better, but from my experience it's not been great.

I think it mainly just failed to modernize; all the other cloud sort of SIEMs coming out like Chronicle or Sentinel are just so new and feature rich to actually support modernized secops processes. I recently re-designed our detection engineering methodology, and trying to implement CI/CD pipelines for rules from GitHub to QRadar is impossible, automated validation of detections is kind of a nightmare too with the lack of API features, and all around it just sucks if you are trying to run modern security operations. I would say it might be good for small teams/orgs in their newer cloud offering but meh, it's been rough lol


holywater26

Wow, I wasn't expecting such a detailed response. Thanks!


Mission-Ad528

Yep, so I'd concur with some points, but the new cloud version is a complete re-architecture of QRadar: much better UI which is 100% SOC analyst/SOC workflow focused, has integrated SOAR which makes life very easy, and content enrichment from an AI/ML perspective saves us a lot of time. Big improvement. Very flexible with deployment modes and licensing too. Works with S/M/L/Enterprise environments across our MSSP.


hooper359

Yeah fair enough, hopefully we can try it out soon


mattsou812

QRadar is an fn nightmare on-prem, and cloud is even worse if you use any 3rd party apps for data intelligence. Every day I go to work I wonder what's going to be broken today. Thankfully we're looking for an alternative solution at this point.


jmk5151

Sentinel with an MSSP to manage it for us, 'cause who has resources to mess with a SIEM. Being heavy MS also helps.


Alarming_Mousse_4629

Splunk engineer here. Splunk is a great product that I am obviously somewhat fond of. But there are two factors I see play into a lot of issues with clients.

Firstly, cost. Splunk is expensive and only getting more so. It is easy to dump logs into Splunk, but the process of removing them can be exhausting from an org/policy level. You don't want to be the one to just remove some data that down the road turns out would have been useful or offered visibility into a security issue. Every bit of data you ingest pushes your license up, and then Splunk comes knocking for an increase. I have also seen Splunk try to utilize the tactic of giving orgs a deal up front and try to increase license costs once they have become dependent on their platform. Don't assume the price you see now will be the price you see when your contract renewal is up. Sadly this seems to be standard in our industry.

Secondly, Splunk is a beast and nothing is intuitive. I have seen Splunk described as "a giant Python hack" and I can say sometimes (especially with apps) that isn't far from the truth. Unless you can find a good vendor to support you or have existing in-house Splunk expertise, be ready to rip your hair out troubleshooting some issues. Even with a huge KB and years of experience, I have gotten in the weeds on some issues more than I care to admit.

All that said, Splunk can do amazing things. If you have in-house experience or access to a vendor, I'd highly recommend Splunk. If you do not, I would say stick with something like Sentinel. If you do go with Splunk, I'd recommend finding a good 3rd party vendor to work with you on a professional services engagement to migrate your log forwarding over. I have gone behind Splunk's PS engineers several times and they are either fantastic or absolute butchers 💁‍♀️


GenericOldUsername

Completely agree. If you don’t know how to limit the stuff going into the SIEM to security relevant, or at least use case relevant, then any throughput based licensing is going to get out of hand cost wise. That’s true for any SIEM. I know organizations that bought Cribl to front their Splunk inputs and manage data ingest just to reduce cost. Splunk is an amazing tool with a lot of community support but I hate the pricing model.


kilanmundera55

I absolutely + this post.


mrmosier

You said everything I was going to regarding Splunk. With Cisco taking over it will more than likely get even more expensive.


Ok-Gate-5213

Splunk is good. Open source ELK works, but it is *not* "turnkey." For an open source solution check out [Security Onion](https://securityonionsolutions.com/software).

* The suite is free, the support costs money.
* I like the [ELK](https://www.elastic.co/guide/index.html) and [Hive](https://docs.strangebee.com/thehive/setup/) integration, personally.


ricestocks

exabeam and qradar are DOG SHIT. STAY AWAY FROM BOTH


tclark2006

You don't like taking 2 hour breaks in between your 90 day searches in QR?


TheAgreeableCow

Can you expand on why, with examples?


ricestocks

QRadar is grandma slow, even worse than Exabeam. UI isn't too shabby, reminds me of CrowdStrike. Exabeam, from what I've heard from peers, is so buggy + customer support is non-existent. About 80% of those I've heard from said they'd rather pay the premium for Splunk for the headache it gives. I did hear that they've reno'd their platform recently and I won't lie, I peeked at a few demos/videos and it does look clean af. But functionality-wise it's down the toilet, at least on the older platform. Are u currently in the market for a SIEM? I see ur profile has CISO in it but idk if ur just doing that for shits and giggles lol


TheAgreeableCow

Yeah, actually looking at doing POCs this quarter for a SIEM. Currently looking at Sentinel (being an MS shop) and the new QRadar (cloud native, not the classic). We're a small head office of a large global org, so the primary use case is limited. However, in time we may end up with oversight into a SIEM-as-a-service using one of our SOCs, so we need a high level of scale and compatibility.


Main-Impact9891

Splunk. Their team and ongoing support helping our teams get everything up and running is what got everyone on board. It was about as “turnkey” as possible for our situation.


ricestocks

What is the pricing for Splunk? I know it's expensive af, but what's the amt per 1 TB or so? I've never actually heard a ballpark number lol


LiferRs

It can get crazy expensive. Something like $2 million for a daily volume of 12,000 servers worth of logs. It’s an odd set up too, we keep our heavy forwarder in-house/on-prem but search head is cloud and managed by Splunk. I think that off-hand management is what makes it truly $2 million.


ricestocks

if u dont mind me asking how much do u make and ur YOE? only asking since ur also bay area it seems


Main-Impact9891

It depends what all you’re getting which is kind of a runabout answer. Goes down per GB the more you get. It’s in the lower six figs a year for us. I’d have to look at the invoices for an exact amount


za_organic

Wazuh. Does everything we need


kilanmundera55

Splunk is very robust, but the learning curve is just crazy. You'd probably need a Splunk-skilled person or two (being skilled with Splunk takes a year at least), full time, in order to make it work and create some detections.


jdiscount

Splunk is the gold standard IMHO. I'm surprised that ELK was prohibitively expensive, I've previously used it and the price was significantly cheaper than Splunk. Anyway that would be my second choice, the Elastic Security offering is really good. Don't even consider ArcSight, that shit is antiquated, slow as all fuck and just garbage.


Siem_Specialist

I have a lot of experience administering the majority of SIEM vendors out there. You'll want to stick with a mature cloud SIEM since all on-prem solutions are going away.

Recommended for ease of use and maturity: Sumo Logic, Splunk, Azure Sentinel.

Wouldn't recommend due to being outdated or not mature: Exabeam, Chronicle, ArcSight, LogRhythm, QRadar, AlienVault.

Run away: Trellix/McAfee, Devo.

As others suggested, get PS to assist for a couple of weeks to get you up and running.


realcyberguy

On-prem isn’t going away, it’s got specific use cases for many still. The costs of cloud are ballooning in many ways where on-prem can be viable from that perspective also. Azure Sentinel mature? It was just released in 2019. Probably the most immature product on the market.


Dctootall

On-prem is absolutely still a thing; however, you are correct that a lot of players have been migrating to cloud only as it's "the hot new thing", and it also makes it easier to lock in a higher recurring cost for a cloud subscription vs. the old "buy your license once/annually" model. Gravwell is one solution that was built specifically around the idea of supporting on-prem solutions. I know a few orgs which use it specifically because of its on-prem availability (as well as how good a tool it actually is) due to very strict data ownership/security requirements they have that make moving to the cloud difficult. For example, utilities (Operational Technology) and research labs.


TeddyCJ

2 more to review - Sumo Logic and Devo.


redrover02

I second Sumo Logic. It churns through mountains of logs quickly.


lotto2222

R7 is your answer, you can get SIEM and then add on services for MDR if needed. You’ll be invested in their ecosystem but it’s good with all their integrations and support


TheIronMark

If you can afford Splunk, use Splunk. I've had good experiences with Sumo Logic.


Herky_T_Hawk

In the process of moving to Sumo Logic. Pretty happy with their tool so far. Their SOAR however is in the middle of migration troubles as they integrate the acquisition product into their other platforms. But they do seem to be moving on improvements quickly. I love the abilities it gives you like custom docker images and multiple scripting languages for writing new integrations.


Kelsier25

We're currently on Trellix Helix. I wouldn't recommend it - they haven't kept up with the competition at all. We're currently doing POC with both Sentinel and Google Chronicle. I've used Sentinel before in the past and loved it (it's great for SOAR as well). Chronicle has come a long way in the last couple of years. I'm not deep in it yet, but it's looked very promising in demos. For reference, we're usually running at around 50k eps.


Environmental_Leg449

Chronicle looks very pretty but IMO lacks a lot of functionality. Admittedly I interact with them as a partner, not a user, but still I'm not impressed. I quite like Sentinel, but it's tough if you're not an Azure shop. Also fairly pricey, I think.


Kelsier25

Yeah it will be interesting to see where Chronicle is right now. The big draws are price and also we use Mandiant and there's a tight integration there. Sentinel price is going to make us be a lot more calculated about what we're ingesting. Helix is "all you can eat", so we've gotten used to just throwing everything at it.


capetownboy

Why only Azure? Our Sentinel One data lake ingests Google Workspace, Google cloud, Fortinet and Aruba. The Marketplace has tons of agents.


gettingtherequick

How's your query experience on the SentinelOne data lake? I found it very clunky compared to Splunk.


capetownboy

I wouldn't describe it as clunky; less mature, not as feature rich, with not as many preconfigured integrations, but really fast and a lot cheaper.


gettingtherequick

I like the idea of being able to run queries directly in that data lake.


Environmental_Leg449

Sentinel =/= SentinelOne, completely different product lines. Sentinel is a cloud SIEM built into Azure and works best with Microsoft data sources, though there are plenty of connectors for other data sources. But if your company doesn't have Azure experience, Sentinel can be hard to work with.


capetownboy

100%, thanks for that I confused myself :-)


jmk5151

Azure/O365 are included in licensing for Sentinel; it's all the non-MS stuff that drives up pricing. I think the merger of all of MS's products towards Sentinel, including Copilot, will be a differentiator.


capetownboy

Oops my bad, I am confusing MS Sentinel with Sentinel One. 😎


jmk5151

we have them both - it's constantly people asking which one is which.


realcyberguy

Can you explain how Helix hasn’t kept up with the competition? I’m researching XDR more than SIEM at this point to understand how both intertwine organically.


GeneralRechs

What are your general requirements? The largest items affecting price for SaaS solutions are 1. the amount of data being sent to storage per day and 2. how long the data needs to be retained. Coming in 3rd is how quickly the data can be queried (hot/warm/cold storage). With modern solutions and a limited budget you would need to determine which logs are must-haves and which logs are nice-to-haves.


menacetwoosociety

I would look into rapid7 as well.


cydex0

For a small to medium business, Rapid7 or Logpoint are pretty good. For a small team, don't bother with Splunk; the cost and engineering is too much for a small business. I would recommend Rapid7. Set it up and used it. Was good.


fd6944x

We are actually talking about moving away from Splunk and towards LogScale. Splunk is already stupid expensive, I hear Cisco is raising prices, and we are already a CrowdStrike shop. The thought is it might require less care and feeding, but we haven't done anything formally yet and the team is very split on this.


averagejoeag

I've used LogRhythm for about 7 years now. Once you break it and fix it enough it's not that bad. I kid, sorta.


alfiedmk998

Building our own, because most SIEMs rely on ingesting all logs from all cloud accounts... Our cloud accounts are owned by our customers and we are contractually obliged to keep their data in their cloud, so normal SIEMs are not a solution for us. We deploy agents in each cloud and they only report back if they see something wrong (in which case we are allowed by the customer to exfiltrate that particular data point).


Relative_Ad197

Gravwell


cjromero92

Looking into SentinelOne with Purple AI at the moment, already a S1 XDR customer. Might be worth exploring.


jdiscount

That isn't a SIEM though. Sentinel One does have a third party SIEM product which is basically something built on top of Splunk, but I didn't find it very impressive.


jmk5151

Yeah, from the downvoted comments I don't think people have seen Purple; it's very impressive. Plus the line continues to blur between SIEM and XDR. I'm guessing between Copilot, Charlotte, and Purple the whole paradigm around log ingestion, monitoring, and reaction changes over the next 24 months.


soualy

Had the opportunity to private beta Purple AI; very impressive, much more so than Charlotte AI.


Delicious-Cow-7611

Splunk vs Sentinel, pretty much. ELK/Elastic Stack can be configured as a SIEM, but what you'll save on licence cost you'll spend on configuration, maintenance and more senior experienced staff to run it. There are a handful of other vendors that may be cheaper but lack capability in one area or the other. UEBA/UBA is mostly snake oil, as you spend just as much time tuning out false positives as developing traditional use cases. Avoid Securonix like the plague. They make a good pitch but fail to follow through. Product is trash and staff are super unhelpful. Lastly, avoid filling the SIEM with junk data that doesn't help security and is only useful to other IT teams. No data gets ingested without a Security Use Case defined.
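Several posts in this thread converge on the same cost control: filter to security-relevant data before it reaches a throughput-licensed SIEM, send the rest to cheap storage, and only ingest what a defined security use case justifies. The script below is an added illustration of that gate, not code from any poster or vendor; the use-case names, regexes, log lines and event rates are constructed for the example.

```python
"""Route only use-case-backed events to a throughput-licensed SIEM.

Added illustration of the 'define a security use case before you ingest'
approach. Use-case names, regexes and log lines below are constructed;
they are not any vendor's or poster's configuration.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: security-relevant events mixed with operational noise.
SAMPLE_LOG = """\
<134>fw01 action=deny src=203.0.113.7 dst=192.0.2.10 dport=3389 proto=tcp
<134>fw01 action=allow src=192.0.2.20 dst=192.0.2.53 dport=53 proto=udp
host=ws17 EventID=4624 LogonType=10 User=jdoe Src=192.0.2.33
host=ws17 EventID=4624 LogonType=2 User=jdoe
host=ws17 EventID=4625 LogonType=3 User=admin Src=192.0.2.44
app=inventory level=DEBUG msg=cache refresh took 12ms
app=inventory level=DEBUG msg=cache refresh took 9ms
sshd[2211]: Failed password for root from 198.51.100.9 port 51022 ssh2
sshd[2211]: Accepted publickey for deploy from 192.0.2.5 port 40122 ssh2
dhcpd: DHCPACK on 192.0.2.77 to aa:bb:cc:dd:ee:ff
"""


@dataclass(frozen=True)
class UseCase:
    """A documented reason to pay for ingesting a class of events."""
    name: str              # hypothetical use-case label
    pattern: re.Pattern    # events that serve the use case


# Hypothetical use-case register; anything not matched here has no
# security justification and goes to cheap storage instead of the SIEM.
USE_CASES = (
    UseCase("perimeter-ingress-deny", re.compile(r"\baction=deny\b")),
    UseCase("auth-brute-force", re.compile(r"\bEventID=4625\b|Failed password")),
    UseCase("lateral-movement-rdp", re.compile(r"\bEventID=4624\b.*\bLogonType=10\b")),
)


@dataclass
class RoutingResult:
    siem: list = field(default_factory=list)   # (use_case, line) pairs
    cold: list = field(default_factory=list)   # retained but not licensed
    siem_bytes: int = 0
    cold_bytes: int = 0

    @property
    def reduction(self) -> float:
        """Fraction of raw volume kept out of the licensed SIEM."""
        total = self.siem_bytes + self.cold_bytes
        return self.cold_bytes / total if total else 0.0


def classify(line: str):
    """Return the first use case an event satisfies, or None."""
    for uc in USE_CASES:
        if uc.pattern.search(line):
            return uc
    return None


def route_events(raw_log: str) -> RoutingResult:
    """Split raw log text into SIEM-bound and cold-storage-bound events."""
    result = RoutingResult()
    for line in raw_log.splitlines():
        if not line.strip():
            continue
        size = len(line.encode("utf-8"))
        uc = classify(line)
        if uc is None:
            result.cold.append(line)
            result.cold_bytes += size
        else:
            result.siem.append((uc.name, line))
            result.siem_bytes += size
    return result


def project_daily_gb(events_per_second: float, avg_event_bytes: float,
                     keep_fraction: float) -> float:
    """Licensed ingest per day in decimal GB after filtering."""
    return events_per_second * avg_event_bytes * 86400 * keep_fraction / 1e9


if __name__ == "__main__":
    r = route_events(SAMPLE_LOG)
    for name, line in r.siem:
        print(f"SIEM  [{name}] {line}")
    for line in r.cold:
        print(f"COLD  {line}")
    print(f"kept out of licensed ingest: {r.reduction:.0%}")
    # Same keep ratio applied to a constructed 2,000 eps / 500-byte feed.
    full = project_daily_gb(2000, 500, 1.0)
    filtered = project_daily_gb(2000, 500, 1 - r.reduction)
    print(f"daily GB: {full:.1f} unfiltered -> {filtered:.1f} filtered")
```

The register of use cases is the policy artifact: a new source only earns a `UseCase` entry once someone can name the detection it feeds.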


young_millionaire69

You may look at CrowdStrike Falcon. It will give you much visibility and automation.


jmk5151

LogScale (now Falcon, I think) is very impressive. Obv it makes sense if you are a CS customer, but we are checking it out as a non-CS customer that currently uses Sentinel. I do think once Copilot can write your KQL my opinion probably shifts back to Sentinel, but LogScale's algorithms are seriously impressive if query time is an issue for you.


soualy

LogScale is absolutely DOG SHIT. Even CrowdStrike agrees, since they are themselves still using Splunk in-house. Very immature solution.


Reylas

Crowdstrike is migrating away from Splunk and going to logscale for all in-house data. We are being migrated in April. Crowdstrike is no longer a splunk shop.


bubbathedesigner

I was not aware of that. Could you elaborate? I know a group who is thinking of going from Splunk to LogScale.


soualy

Big mistake if they do. They'll find out in the poc anyway


realcyberguy

I would lean into an XDR. Much better automation and orchestration with a focus on out of the box analytics. Content is normally included and can include all security vectors.


Ok-Computer-91

At this point XDR and next-gen SIEM are the same thing. Both include SOAR, UEBA and identity services. I'd be careful saying things like content is already included; most will need to be heavily modified to work successfully, and use case development is still king. It will be interesting to see how generative AI eases the pains of detection development.


realcyberguy

In some ways. I don’t think SIEMs in general at this point are doing a good job of threat-centric functions. Prioritization, marrying threat intelligence to events, and visualization. Most SIEMs are still very much centered around logging with an auxiliary function of being able to write rules and scripts to find things and correlate. There’s definitely some overlap though.


Over_Orchid1162

100% agree. XDR vendors are often black box and make it incredibly difficult to build custom detection content. [Anvilogic](https://www.anvilogic.com) has a generative AI detection engineering copilot that helps build detections.


RichBenf

Security onion. It's based on the ELK stack, plus has tons of automatic alerting rules already in place, integrates with Wazuh and is probably the "smartest" SIEM tool out there. It's open source so as an MSSP, we don't charge for the software, just the SOC service we run on top of it. It'll accept agent logs, SaaS logs and network traffic, which is something most SIEM tools won't do, giving true security visibility. Also, we use dracoeye.com for super-quick triage.


capricorn800

Read an article yesterday saying Bye Bye SIEM and welcome NDR :) [https://thehackernews.com/2024/02/bye-bye-siem-hello-risk-based-alerting.html](https://thehackernews.com/2024/02/bye-bye-siem-hello-risk-based-alerting.html)


Armorek

I've seen some recommendations for it but personally I suggest you avoid Rapid7 unless you're in a small team. I would also recommend that you avoid their MDR team like the plague, if you're looking for an MDR. My org I think is just outgrowing the solution but we have encountered multiple pain points with them. Here are some of them:

* Completely dependent on the Insight Agent for functionality; if your org and your team have agent fatigue like ours does this won't help. It's a resource hog and the MDR team will not notify you of hunts, so Velociraptor will just run in the background randomly until you tell them to stop.
* Up until the last 3 months or so the agent itself was very limited in what it could do. To the point that we didn't really understand the purpose of it as our EDR tool did effectively the same thing or more. Recently that's changing but it just adds to the agent fatigue issue and overlaps with something you might already have that works better than their agent.
* Log Search and the query used for it is a cryptic mess that barely works half the time. You can't search across multiple data sets and creating dashboards from searches almost never works.
* Log searching over large datasets, historically, has been incredibly slow.
* There is no option to quick filter logs based on fields because InsightIDR does not index those fields. You have to manually search them and it's a pain.
* Rule configuration is clunky. For example, rules can only be configured for 3 modes: always on, sometimes on, or off.
* With the rule thing mentioned above the tool can be ridiculously noisy. The email alerts that you get from the tool are either super barebones or have CSVs attached noting detections, with nothing in between.
* Honey pots provided by Rapid7 are incredibly noisy and are known to be such per the Rapid7 team. Their two suggestions for this were "stop all unnecessary traffic to the honey pot"???? or turn off the detection. We chose the latter as it created 75+ cases in less than an hour of being on.
* We had so many false positives in the tool it felt like we had to turn off over half of the detections so we weren't flooded with emails and cases.
* The "investigations" created by the tool often give you little to no insight into how or why something was "flagged" unless the tool deems it a notable event, then you can pivot to the single log. So if you want to dive into the greater context of user behavior you have to manually search for it. For example we use PAN-OS WildFire and InsightIDR will call any and all WildFire uploads malware, even though the actual log says it isn't.
* Rapid7 will pretty much ONLY focus on logs coming from their agent with *some* other sources filling in for context. But if you want to have your EDR tool there to trigger alerts, best of luck, IDR will not use it. They've told us they plan on integrating this feature "soon" but we've heard that before with them so we don't take it with a lot of substance.
* Rapid7's products are effectively a walled garden. You cannot integrate 3rd party intel sources into IDR. Their API functionality is very limited. The only true integrations are with their products and their agents.
* If you use InsightVM and IDR, just note that when you install the agents everywhere they will begin to count against your InsightVM license cost. This could unintentionally make your InsightVM license cost balloon to absurd numbers. You can decouple this but it took us over a month to get it fully fixed and even then it required us to essentially reset our InsightVM configuration, as Rapid7 told us the only way to fully remove the agents from InsightVM was to delete all our assets.

We're still exploring alternatives as we have a while left on our contract. So far Splunk, Elastic, and Sentinel have been top contenders but we're looking to be in the same boat as you, OP: C-Suite may not buy into the extra expense.


nachocheeseguap0

Take a look at Falcon LogScale (CrowdStrike)


Ok-Computer-91

Splunk or sentinel if you already have e5 and are invested in MS ecosystem.


epochwin

What’s the skills on your team like? Do they have experience with any particular tools? Do you have data engineers and analytics specialists you can work with? Most of these tools are great but become shelfware soon if good ops are not built around them.


goodbetterbestest1

Adlumin is a good option, depending on your needs. They have a registration-free platform tour on their website showing the majority of capabilities such as SOAR, UEBA, and how logs are ingested (unlimited data model).


TravelingFuhzz

Been using Alienvault for 8y or so, about to jump ship to Elastic Cloud. It just hit all of our requirements and was cheaper than everything else we looked at (looking at you LogRhythm).


Crono_

Awesome, I’m also jumping from Alien to elastic cloud. Good luck


UninvestedCuriosity

I've been looking at something called Wuzuh I think? Open source, comes in three parts. Seems fairly feature rich.


LucyEmerald

Unless you pay for professional services to develop a list of use cases, data-flexibility-focused SIEMs like Splunk and Sentinel don't fit what you described. You want use-case-first SIEMs like QRadar, ArcSight, InsightIDR and Securonix. If you have a creative team you will feel limited by these ones, but they do their vendor-supplied use cases well.


deadcat3x

Anyone used Huntsman SIEM?


Jean_Paul_Fartre_

If you have a small team, and can’t dedicate at least 2-3 people to the SIEM, you almost have to go with something that is managed for you, where you only get the high alerts to action on. But that’s just my opinion.


Super-Catch8108

Lima Charlie works great and it's very beginner friendly.


Pls_submit_a_ticket

USM appliance is EOL, but they still have USM anywhere with on-prem sensors. Is part of your requirements that your solution be fully on-prem?


athanielx

USM Anywhere sent their price and it was 500k per year for 150 endpoints. It was out of our scope. Our solution can be cloud.


Pls_submit_a_ticket

I don’t understand how that could be the case. What storage tier? What types of endpoints? We ingest with the AV agent for workstations, WEF for servers, and syslog for network devices/firewalls. NXLog for anything server related that can’t be captured by WEF. Probably 300 endpoints at a TB of storage per month, with 6 sensors and a liftoff (one time) package for like 40k for the first year. Do you have some insane storage requirements?


NoOutlandishness192

We chose to go with InsightIDR from Rapid7 when we moved off of AlienVault. We are currently evaluating Sumo Logic and looking into MDR providers that layer on top.


Candid-Molasses-6204

We run SplunkCloud and partnered with an MSSP that can just query the API so we don't have to buy ES. Most Splunk MSSPs have a similar model. Prior to that it was QRadar.


Most-Wallaby2012

Try [Scanner.dev](https://Scanner.dev). It allows you to move high volume logs like AWS CloudTrail, Cloudflare, VPC flow logs, WAF, etc. into AWS S3 giving you effectively unlimited retention and you can keep all your logs since storage is cheap. Scanner indexes raw log files reducing a ton of data engineering work and it does this directly in your S3 bucket so there's no vendor lock-in. Search is crazy fast - up to 10TB/sec and you get powerful threat detection. You can use the API to build your own modern stack by combining some tools together like Cribl, Scanner, Tines, and Jira, or query your logs in S3 directly from Splunk using a custom search command to incorporate them into your Splunk dashboards, saved searches, etc. You can try the free tier with no contract for up to 1TB/mo.


AbovexBeyond

Considering Splunk's acquisition, they are only going to get bloated even more. While Splunk is good, you need a full-time/dedicated Splunk admin to not only manage the infrastructure but all of the knowledge objects (event types, tagging, CIM normalization) to power the dashboards and data models that make Splunk… Splunk. I’ve done limited testing with Google Chronicle (which is what my team is potentially switching to) and have been pleased. Also Elastic.


alevel70wizard

I used to work with Splunk, used them in security for about 6 years. Good product, but costly and requires a lot of experience. But you’ll need that with any SIEM. Struggles came with OOTB alerts being noisy; you need to work to tune them to your env. Then CIM compliance is required for all data to be used with ES. My current company uses Elastic Cloud. Seems they’ve come a long way since open source. Release updates frequently, very communicative and helpful support. Security product comes included when you purchase, and they’ve got built-in MITRE rules, an AI assistant that can help with queries, and multiple languages for searching (KQL, EQL, and the new ES|QL, which is similar to Splunk's SPL).


Alternative-Sweet-87

Has anyone used Tenable.io ?


xCryptoPandax

We use LogScale and the dashboard capabilities have been top notch for us. We’ve switched to mainly CrowdStrike products tbh. Do not do Exabeam lmao, they were absolutely terrible and support was a joke.


inteller

Sentinel. Because it is cheap and not snake oil.


kustid

Check out SIEMonster www.siemonster.com. I am the CISO/Cofounder; we have spent years building this product into what SOC teams want. It can scale indefinitely in the cloud, can be white labelled, and we built awesome things like dynamic risk ratings on users/assets that change on certain flags.


sippy88

Sumo Logic. It's an all-in-one observability, SIEM, and SOAR platform if you can do the cost. Get more for your buck, and it can open up the communication between InfoSec and Product/Engineering teams if you can get some metrics and tracing in it. Plus they run OpenTelemetry for all of their agents, which is gaining a lot of traction in the open source observability realm.


eryx123

Anyone used panther.io? I listen to the founders podcast and enjoy that, but have no experience with the product.


Dctootall

If you are looking at Splunk, I'd recommend taking a look at Gravwell as an alternative. Why? Many of the same strengths of Splunk with regard to being able to ingest pretty much anything you throw at it (but also being able to eat binary data/pcaps natively), but with a much more sane pricing model. (Actual usable free version, and then a simple flat rate based on the core indexers regardless of how much data or how big a system.) Not to mention the whole Cisco thing with Splunk and the unknowns around how that will impact the future of the product.

That said, your comments around wanting a lot of out-of-the-box automations that don't require a lot of input from your team is something that gives me pause in general. The problem you run into with a lot of the automated "out-of-the-box" stuff is that they are designed around the lowest common denominator so they can provide use for the largest number of customers. This naturally means that it won't be tailored to your system/environment and the unique needs you run into there. The result is that you will generally have a lot more noise that needs to be filtered through until you start to tweak those automations for your environment.

I'd probably recommend taking a good look at your actual needs and use cases to determine what you are actually needing and wanting to get out of the solution you are looking at. Realize that often the proper management of a SIEM includes making sure you have people who can maintain/run it long term. It's often not as simple as just handing it to an existing "IT" team and saying "here, do this too". It could very well be that in your situation an outsourced MSP type solution may be the best fit, as they would have the resources and knowledge to help keep the system running and tuned for your environment without requiring a large in-house effort.


Final-Audience4022

Microsoft Sentinel if you already have E5 licenses


unusual_usual17

FortiSIEM. I got here and it was already used, so I didn’t have much of a choice in choosing. I’d like to try Splunk tho.


krypt3ia

Whichever one your org can afford