See it all: Best SIEM tools for enhanced security information and event management

SIEM tools provide central threat hunting based on data collected from all around your system. These utilities are also good for compliance reporting. We investigate the best.

Security Information and Event Management systems are better known as SIEMs. This is an amalgamation of two previously existing cybersecurity services: Security Information Management (SIM) and Security Event Management (SEM). A SIM scans through log files from endpoints, and a SEM looks at live data feeds from the network.

The SIEM methodology is able to identify intrusion, insider threats, account takeovers, and malware activity. Some SIEMs implement automatic responses, and all of them raise alerts to notify technicians. 

As SIEM tools are dependent on the collection of log messages, it is usual for a SIEM to be sold in a bundle with a log manager. If that isn’t the case, the provider will also have a companion log manager in its product list for an additional purchase.

Here is our list of the seven best SIEM tools:

1. ManageEngine Log360 - EDITOR’S CHOICE: This is a mega-pack of ManageEngine modules that includes a log manager and a threat hunting system. It also provides a log viewer that has analytical tools and it can implement automated responses. The software runs on Windows Server. Start a 30-day free trial.
2. SolarWinds Security Event Manager (FREE TRIAL): A reliable SIEM for large businesses with a built-in log manager. Runs on Windows Server. Access a 30-day free trial.
3. Datadog Cloud SIEM (FREE TRIAL): A cloud-based SIEM that scans on-premises systems by collecting network activity reports, operating system logs, and messages from more than 700 software systems. Start on a 14-day free trial.
4. Graylog Security: A log management platform that provides a pre-written SIEM and offers a free edition that will appeal to those who want to build their own SIEM.
5. Logpoint SIEM: An advanced SIEM platform that includes UEBA for activity baselining and SOAR for data collection and threat response. Available for Linux, AWS, and as a SaaS package.  
6. Elastic Security: This SIEM system evolved from an award-winning data processing package. Offered as a SaaS package.
7. Splunk Enterprise Security: Another data processing package that has added value with a SIEM package. Available for Windows Server and Linux or as a cloud package.

The best SIEM tools

It is possible to construct your own SIEM and three of the systems on our list provide log collection and consolidation services without a SIEM add on, so you have that option. However, we also have plenty of pre-written SIEM packages for you to consider. 

Our methodology for selecting a SIEM tool

We reviewed the SIEM market and tested tools based on the following criteria:

• A package that can gather and convert log files for analysis.
• A method to integrate live network activity reports into the data pool.
• A data analysis facility.
• Compliance management for data privacy standards.
• Options to specify playbooks for automated responses.
• A trial period or demo for an assessment before buying.
• The right balance between value for money and performance.

With these selection criteria in mind, we looked for SIEM systems that include both on-premises and cloud-based options.

1. ManageEngine Log360 (FREE TRIAL)

ManageEngine Log360 is a bundle of ManageEngine modules that provide a range of system monitoring and reporting functions. The abilities of this package include a log server and a SIEM. The package is particularly strong at tracking Microsoft systems, but it will collect logs from any service on your network and so will include those packages in its SIEM threat hunting process.

Key features:

• Collects operating system logs: Syslog and Windows Events.
• Collects software log messages: More than 750 log formats.
• Cloud platform monitoring: Collects logs from AWS, Azure, Google Cloud Platform, and Salesforce.
• Threat hunting: ML-driven UEBA, and MITRE ATT&CK threat modelling.
• Threat intelligence feeds: Accepts STIX/TAXII-based feeds.

Why do we recommend it?

ManageEngine Log360 is a large package with many features. It provides a SIEM and also offers an interface for manual threat analysis. Automated threat detection is enhanced by a threat intelligence feed and uses machine learning to establish a baseline of normal activity – this is called user and entity behavior analytics. 

I found that the service can be set up to collect logs from any service, and in some cases, the tool will use integrations to directly access log messages for software packages. Incoming logs from operating systems, software, network devices, and cloud platforms all get converted into a common format. This enables them to be searched as one body. The package will also store those log messages in files for later analysis and auditing. 

Other features in the package include file integrity monitoring and user activity tracking. There are features of data loss prevention services. The system also uses security orchestration, automation, and response (SOAR) techniques to receive alerts from other security systems and send automated response instructions out to other security packages. 

Who is it recommended for?

This package is suitable for large organizations. Its extensive functions would be a little too much for small businesses. There is no free edition for this package but the components of the bundle, such as EventLog Analyzer, do provide free versions. The SIEM can monitor activity on cloud platforms as well as on-premises systems. 

ManageEngine Log360 is a big package of different software units, so it takes quite a long time to install. The software runs on Windows Server. You can examine the package before buying by accessing a 30-day free trial.

EDITOR’S CHOICE

ManageEngine Log360 is our top pick for a SIEM tool because it is so extensive that it provides many other services as well as a SIEM. The package will protect Exchange Server on your own server and Microsoft 365 on the cloud. The system can be tweaked into a very comprehensive security service that feeds alerts into Service Desk and collaboration systems. The package gives your automated threat hunting with immediate responses and also opportunities for manual threat detection. The tool includes elements of data loss prevention and includes insider threat detection services. All the threat detection systems can be customized by a competent systems administrator, and the whole package can completely automate your cybersecurity protection.

This on-premises package includes a log server and a SIEM tool to provide automated security scanning, activity analytical tools, and compliance auditing facilities. The package also includes a threat intelligence feed. The software runs on Windows Server. 

Get a 30-day free trial.

Operating system: Windows Server

2. SolarWinds Security Event Manager (FREE TRIAL)

SolarWinds Security Event Manager is an on-premises package that runs on Windows Server. The system includes a log manager that collects logs through a library of connectors. This means that you set up channels for log message collection within the SolarWinds dashboards. This is a lot easier than the standard technique of setting up log forwarders in each device to direct logs to the log server.

Key features:

• Easy to set up: Includes connectors that can be activated within the system dashboard.
• Log consolidation: Converts all log messages into a standard format.
• Log management: Shows logs in a data viewer as they arrive and also files them.
• Threat hunting: Applies security searches to arriving log messages.

Why do we recommend it?

SolarWinds Security Event Manager is a well-planned package that removes all the technical complications of channeling logs into the SIEM. The package includes compliance management for all the major data privacy standards, and alerts from the package can be channeled to technicians while also triggering automated responses.

I noted that all the utilities in the package channel information into intrusion detection and insider threat detection through activity tracking. That data is also accessed by file integrity monitoring services that, among other tasks, protect log files against tampering.

Automated responses involve communication with third-party tools. Firewalls and access rights managers (Active Directory) are particularly useful in this phase. The Security Event Manager will send instructions to those systems to suspend accounts that display suspicious activity or block connection with malicious IP addresses. 

Who is it recommended for?

This system is a high-end tool for large businesses. Despite aiming at the top end of the market, this is not one of the most expensive SIEM services on the market. The tool is delivered as a software package for Windows Server, so companies that only have Linux servers or only want cloud-based systems won’t be interested in this system.

This SIEM is only available for Windows Server. The service is easy to set up, and you can try it for yourself with a 30-day free trial.

3. Datadog Cloud SIEM (FREE TRIAL)

Datadog Cloud SIEM is a good solution for companies that prefer to use cloud-based solutions. Although this system is running on the Datadog cloud platform it doesn’t monitor cloud services, it gathers logs from your on-premises systems. The system is similar to the SolarWinds tool because the dashboard contains a library of connectors that will set up the package to receive logs. There is a library of more than 700 of these integrations.

Key features:

• Cloud-based system: Gathers logs from on-premises assets.
• Library of integrations: Sets up channels to get logs into the system.
• Generates security graphs: Enables root cause analysis.

Why do we recommend it?

Datadog Cloud SIEM provides threat hunting with its cloud-based search tools, based on logs collected from your site. The package also provides opportunities for manual analysis. The tool organizes log data into a graph, which enables a drill-down analysis to find the cause of security issues, such as a user account or a remote IP address.

I discovered that the detection rules are provided by Datadog’s security analysis team, and they are updated regularly. As this is a SaaS package, each account gets updated with the new rules immediately, without any user action. It is also possible for the user to add custom rules to those supplied by Datadog. 

The Datadog platform includes a Workflow Automation unit. This can be paired with the Cloud SIEM to create playbooks that implement automated remediation when threats are discovered. It is also possible to set up feeds from other security tools, so the package can be seen as a SOAR package as well as a SIEM. 

The platform allows for user accounts to be set up per subscription account. With this, you can create access accounts for security team technicians. 

Who is it recommended for?

This package is charged for per million events that get processed by the SIEM. However, you have to pay for a throughput allowance in advance. This charging structure makes the package very scalable and suitable for businesses of all sizes. As the package is hosted in the cloud, processing capacity doesn’t need to be a consideration. 

The Datadog Cloud SIEM package is cloud-based, so you don’t need to download any software to get started; you sign up at the Datadog website. Investigate this system before buying by accessing a 14-day free trial.

4. Graylog Security

Graylog is a highly respected log management tool and in recent years, the company has expanded its services, adding value to the log management by providing a SIEM system. This tool is called Graylog Security. There is also a monitoring package available, called Graylog Operations. The threat hunting service in the package uses anomaly detection, which is based on user and entity behavior analytics. 

Key features:

• Deployment options: On-premises or cloud-based.
• Anomaly-based threat detection: Uses user and entity behavior analytics.
• Security tool integrations: Can operate as a SOAR.

Why do we recommend it?

Graylog is a free log manager that can be enhanced by a paid-for package to create a SIEM. This service is very flexible and provides the opportunity for customization of searches. The system can also be adapted by connecting inputs from other security packages, and also by triggering responses to detected threats. This is a security orchestration, automation, and response (SOAR) strategy. 

You can use Graylog for free. The base package is called Graylog Open and it costs nothing. You only pay for the addition of Graylog Security. So, those who want to create their own SIEM or SOAR can do so without paying. However, this is a complicated process, and you won’t get the library of integrations that makes reading in log messages or security tool alerts easy. 

I determined that the Graylog Security package will generate alerts for discovered problems and these can be sent to you by email, SMS, or Slack message. The package will also archive older logs and gives you the option to revive them for audit access. Another useful feature of the Graylog Security package is compliance reporting. It is possible to connect a third-party intelligence feed into the SIEM.

Who is it recommended for?

Graylog provides two options: one do-it-yourself SIEM and a pre-built SIEM. That gives the tool a wide appeal. The software isn’t available for Windows, which could be a problem for some. However, it can be installed on Docker and there is also a cloud version, which isn’t free. 

The starting point for using Graylog Security is to sign up for Graylog Cloud or download Graylog Open. The Graylog Open software will run on Ubuntu, Debian, RHEL, or SUSE Linux. It can also be installed on Docker. Once you have either of those two systems available, you can sign up for Graylog Security. 

5. Logpoint SIEM 

Logpoint SIEM is a system designed for large businesses. The minimum order size for this tool is coverage for 100 endpoints. The service is offered as a SaaS platform or as a software package to install on Linux or on your AWS account. This system uses UEBA for baselining in an anomaly-based threat hunting strategy.

Key features:

• Creates a threat hierarchy: A unique display of indicators of compromise.
• Log management: Standardizes log message formats and stores them.
• Anomaly detection: Deploys UEBA for activity baselining.

Why do we recommend it?

Logpoint SIEM offers a SOAR option that will read in alerts from third-party security tools and implement playbooks for automated responses. However, it is advisable to take advantage of the full SIEM service and use the tool to collect logs and analyze them with UEBA baselining in its anomaly detection strategy. 

I noted that this system offers compliance reporting for GDPR. This standard requires that all log messages are made available for auditing. The service stores all logs and manages archiving and reviving. The package can also detect problems that could spoil compliance with HIPAA. 

Whether installed on site, on a cloud account, or taken as a SaaS subscription, all the data collection is performed through an on-premises agent. This is called AgentX, and it needs to be installed in each endpoint that is included in the protection plan.  

Who is it recommended for?

This system is a little pricey. In fact, it is the most expensive option on this list. So, it is going to appeal to large organizations with big budgets. The rate you pay depends on the number of endpoints on your network. The price starts with a package for 100 computers. 

This is a comprehensive security package that gives you lots of configurations thanks to its SOAR capabilities. Investigate the tool by accessing a free demo.

6. Elastic Security

Elastic Security is a paid, cloud-hosted system, but it is based on a free data processing package. This is a similar service to Graylog, except the Elastic Stack is much more successful. However, as with the Graylog solution, you can choose to download the supporting system for free and create your own SIEM. 

Key features:

• Based on the free Elastic Stack: You could use the software to create your own free SIEM.
• Collects log messages: Consolidates logs for searching.
• Pre-written searches: Performs threat hunting.

Why do we recommend it?

Elastic Security is a good option for those who want a cloud-based system. The team behind the package is highly respected and gained much acclaim for its Elastic Stick, which is the suite of tools that support the SIEM.

I found that while Elastic Stack is available on the cloud and for download, the Elastic Security service is only available on the cloud. This means that it isn’t available for free, but you can get it on a free trial. All the plans for Elastic Cloud include some security features, but you have to go up to the top two of the four plans to get the SIEM service. 

Who is it recommended for?

This package will appeal to all types and sizes of businesses. However, the requirement to go up to the top two plans of Elastic Cloud in order to get the SIEM service makes this package a little pricey, even for small implementations. This system will appeal to mid-sized and large businesses. Small businesses could try creating a custom SIEM on the free Elastic Stack tools. 

Opt for the Elastic Cloud service if you want to get the Elastic Security package, or download the Elastic Stack for free if you want to create your own SIEM. You can access Elastic Cloud with a 14-day free trial.

7. Splunk Enterprise Security

Splunk Enterprise Security is a SIEM that is available on the cloud or for on-premises installation. Splunk offers a SOAR option and a UEBA enhancement as well, but the system can be run without those two features.

This is another system like Graylog and Elastic Stack because it is possible to just use the underlying Splunk either on the cloud or on-premises and build your own SIEM. While Splunk was originally available in a free version, that option is no longer available. 

Key features:

• Risk-based alerting: Reduces false-positive reporting.
• Threat intelligence: Enhances threat detection.
• Automated responses: Can be enhanced by SOAR.

Why do we recommend it?

Splunk Enterprise Security is a complicated package because of all of its options. However, once you have decided which version, which options, which add-ons, and which integrations you are going to use, you will end up with a very competent SIEM system.

I observed that Splunk Enterprise Security is available on the Splunk Cloud SaaS platform or will run on top of the Splunk Enterprise on-premises package. Splunk Enterprise is available for Windows Server and Linux. Splunk SOAR and Splunk UEBA are available as add-ons. Businesses with technical expertise on site can save money by building a custom SIEM on the Splunk platform. 

Who is it recommended for?

Just as the choice of options for Splunk is very complicated, so is the pricing. It all works out to be a bit too expensive for small businesses, even though many of the price elements are based on throughout volumes. This package would be suitable for mid-sized and large companies. 

The free trial situation for Splunk is complicated. You can get a 14-day free trial of Splunk Cloud or a 60-day free trial of Splunk Enterprise. There are free trials for Splunk SOAR and Splunk UEBA for download, but not for the cloud version. There is no free trial for Splunk Enterprise Security, but you can get a demo.