• United States



Contributing Writer

12 top SIEM tools rated and compared

Dec 19, 201812 mins
Network SecuritySecurity

Security information and event management tools are a core part of most companies' cyber defenses. Use this guide to find SIEM options that best match your needs.

security command center monitors control center getty goro denkoff
Credit: gorodenkoff/Getty

Security information and event management (SIEM) is a blue-collar tool for network security professionals. There’s nothing remotely glamorous about auditing, reviewing and managing event logs, but it’s one of the more important aspects of building a secure enterprise network.

Network security has matured to the point where myriad tools (machine-learning-backed firewalls, hardened web application servers, cloud services, etc.) make the act of attacking an enterprise network a tall order. Monitoring each layer, service and device in a holistic, top-down manner is critical to providing context to log events. Applying automated remediation tasks to log events takes many of these SIEM tools to another level.

Due to the nature of event logs, they are often a secondary attack surface for malicious users looking to obfuscate their activity and cover their tracks. SIEM tools often provide an additional layer of protection for your event logs by offloading them to a server or service purpose-built for the task, giving a means to prevent editing or deletion, and even creating backup copies.

Below are overviews of the top 12 SIEM tools and summaries of peer-review ratings from the Gartner PeerInsights.

1. AlienVault Unified Security Management

AlienVault’s Unified Security Management (USM) platform provides tools to monitor, analyze and manage your system events across a wide range of systems. Adding your system components and recognizing new candidates for inclusion is facilitated through asset discovery and inventory.

AlienVault USM is more than just an SIEM solution. In addition to monitoring and managing your event logs, the platform provides tools for both vulnerability assessment and intrusion detection (both network and host-based), adding value for customers who might not have these capabilities in place. AlienVault also offers OSSIM (Open Source Security Information and Event Management), which as the name suggests is an open-source SIEM solution that gives you a subset of the tools available with the full USM suite in an open source package.

  • Gartner PeerInsights rating: 4.3 stars
  • Target audience: IT shops of all sizes.
  • Notable features: Bundled as a multi-faceted security suite with intrusion detection and vulnerability assessment tools.
  • Pricing: AlienVault offers three tiers starting with essentials at $1,075 monthly and going up to premium, which starts at $2,595 per month when billed annually. Key tier differences are retention period, data volume constraints and support for PCI-compliant log storage.

2. Elastic Logstash

Elastic does not offer a true SIEM platform (if PCI-compliance is a requirement for your organization, you’ll need to look elsewhere), but Logstash allows for log events from a wide array of sources to be parsed and handled using its Elastic Stack platform. In particular Elastic offers tools such as Beats to move data, Elasticsearch to facilitate parsing large amounts of data, and Kibana to handle visualizations and analysis.

Logstash might be the most flexible of the tools on this list, but it comes with a couple of key concerns. Elastic’s Stack platform is incredibly powerful, but it’s largely built for a DevOps world, and expectations should be set accordingly. On the other hand, the entirety of the Elastic Stack platform is open-source software, making it incredibly cheap to put through its paces. For customers looking for enterprise support or assistance in getting your solution set up, Elastic offers services to help in either scenario.

  • Gartner PeerInsights rating: 4.3 stars
  • Target audience: Customers of all sizes, particularly those with DevOps capabilities.
  • Notable features: Open source and incredibly flexible platform.
  • Pricing: Open source and free, with enterprise support and commercial subscriptions pricing available based on sizing and usage.

3. Exabeam Security Management Platform

Exabeam boasts the highest Gartner PeerInsights rating of any of the 12 solutions in our list, and it’s not hard to see why. For starters, Exabeam’s Security Management Platform brings a big-data toolset to bear against your event logs, offering both performance and analytics benefits. Exabeam Data Lake supports as much data as you can throw at it, with pricing based on user count rather than data volume, and Exabeam offers multiple analytics strategies using both machine learning and a healthy selection of canned reports.

In addition to providing tools for compiling, aggregating, and analyzing your event logs, Exabeam offers a toolset for handling incident responses. Exabeam Incident Responder offers options for assigning incidents to personnel and tracking status updates as the incidents are worked. Incident Responder also leverages playbooks, both automatic and customized, which define the steps which should be taken for different types of incidents as well as potential opportunities for automation and integration with other systems.

  • Gartner PeerInsights rating: 4.7 stars
  • Target audience: Mid-sized to enterprise-level businesses.
  • Notable features: Tools based on big data and an integrated incident response system.
  • Pricing: Each component priced individually with annual pricing based on user counts.

4. Fortinet FortiSIEM

Fortinet offers a diverse range of network devices, with FortiSIEM as its SIEM solution. FortiSIEM offers asset discovery and role-based access in either an on-premises deployment using a hardware or virtual appliance, or within Amazon Web Services (AWS).

FortiSIEM is built to integrate, both in terms of gathering events and automating event response. The FortiSIEM Remediation Library offers built-in scripts that can be leveraged against devices and systems from a variety of vendors to perform remediation steps such as disabling a switch port or Active Directory account.

  • Gartner PeerInsights rating: 4.3 stars
  • Target audience: Small to large businesses, with support for both on-premises or cloud-based workloads.
  • Notable features: Script-based remediation and flexible deployment options.
  • Pricing: Hardware appliances begin at $10,525 retail for a perpetual license, with virtual appliances beginning at $21,179.

5. IBM QRadar SIEM

IBM has long been a leader in the enterprise software arena, and it’s fair to expect its QRadar SIEM platform to be able to handle large data sets and the myriad features needed in an enterprise event management solution. QRadar’s support for over 500 integrations and a built-in analytics engine are what you’ve come to expect from an IBM software product.

Watson, perhaps the world’s most marketed AI, can be leveraged against your event logs using IBM QRadar Advisor with Watson. Advisor allows your security team to focus on anomalous behavior without having to manually identify trends. Watson Advisor also incorporates new threat intel from external sources to identify zero-day attacks.

  • Gartner PeerInsights rating: 4.0 stars
  • Target audience: Medium to large enterprise customers.
  • Notable features: Numerous integration points to facilitate incident response and automation.
  • Pricing: IBM’s on-premises solution starts at $10,700 with 12 months of support included. IBM’s SaaS platform, QRadar on Cloud, has a starting price of $800 per month with an annual contract.

6. LogPoint

LogPoint users tout the easy setup process as a key point, and the licensing structure makes cost projections clear. Licensing is based on the number of devices sending data to the SIEM, not on users or throughput.

LogPoint uses User and Entity Behavior Analytics (UEBA) as its threat modeling and machine learning offering. UEBA enables customers to get up and running quickly without having to create or modify extensive rulesets.

  • Gartner PeerInsights rating: 4.5 stars
  • Target audience: LogPoint supports clients ranging from small businesses to enterprise environments, including managed service providers.
  • Notable features: LogPoint’s UEBA minimizes false positive and prioritizes threats, allowing your security team to focus where they’re needed.
  • Pricing: LogPoint would not disclose pricing details, but licensing is based on the number of devices reporting event data.

7. LogRhythm

LogRhythm offers a comprehensive SIEM suite that facilitates threat management from data collection through to remediation. LogRhythm offers LogRhythm XM in various sizes depending on your needs, or LogRhythm Enterprise, which supports scaling across multiple servers. Both are available in software or appliance-based solutions, and Enterprise supports a hybrid architecture as well.

Several add-ons are available for the core LogRhythm solutions. CloudAI is LogRhythm’s UEBA-based advanced threat detection offering. LogRhythm NetMon tracks network traffic in order to identify anomalous behavior and potential threats. LogRhythm also offers SysMon, their software agent-based sensor to monitor users, applications, and endpoints.

  • Gartner PeerInsights rating: 4.4 stars
  • Target audience: Businesses of all sizes, including managed service providers.
  • Notable features: Add-ons CloudAI, NetMon and SysMon add key functionality.
  • Pricing: LogRhythm starts at $28,000, with subscription options available.

8. McAfee Enterprise Security Manager

McAfee Enterprise Security Manager (ESM) is designed to provide analysts information critical to beginning the triage and incident response process. Events are evaluated in the context of related log entries, and ESM guides users through the process of preliminary investigative steps using actionable alerts.

Flexibility in terms of architecture and integration are key points with McAfee ESM. ESM is available in both physical and virtual appliances in a range of sizes, with virtual appliances supporting a wide array of hypervisors and cloud platforms. McAfee offers content packs that enable monitors and alerts for specific use cases or partner platforms, and integration partnerships with over a dozen third-party vendors makes ESM incredibly extensible.

  • Gartner PeerInsights rating: 4.2 stars
  • Target audience: Mid-sized to large enterprise customers, typically with a user base of 500 employees or more.
  • Notable features: Partnerships make ESM integrate tightly with third-party systems, enabling quick triage and remediation through a single interface.
  • Pricing: Entry level virtual appliances are available in the $40,000-$50,000 range.

9. Micro Focus ArcSight Enterprise Security Manager

ArcSight Enterprise Security Manager (ESM) is a full-featured solution that checks all the boxes of an enterprise SIEM. ArcSight ESM supports a range of integrations and customization options, allowing security analysts to perform incident response from a single pane of glass. ArcSight’s Marketplace enables you to leverage new dashboards, reports or correlation rules with minimal fuss.

ArcSight ESM supports workflow-based automation, allowing analysts to quickly correlate events, referencing them in a case, and respond or escalate as necessary. Each action taken can be audited and reported on to maintain service-level agreement (SLA) compliance and track response time. Integrations with third-party systems allow users to begin remediation, such as disabling ports or accounts, or rule sets can even be created to automate these steps.

  • Gartner PeerInsights rating: 3.9 stars
  • Target audience: Medium to large enterprise customers.
  • Notable features: Extensible feature set through ArcSight Marketplace, actionable alerts through system integrations.
  • Pricing: Micro Focus was unable to provide pricing details.

10. RSA NetWitness

RSA’s SIEM solution, RSA NetWitness, has many of the features necessary in an enterprise-level SIEM including UEBA, automation tools and architecture flexibility (support for hardware and virtual appliances, software-based options, or cloud deployments). In addition, RSA NetWitness includes the ability to add business context to incidents based on the asset or user being impacted through integrations with RSA Archer and SecurID.

Encrypted or encoded event data or web traffic can be difficult to incorporate into your SIEM. RSA NetWitness leverages a variety of cryptography tools including decryption, decompression, and entropy measurements to surface this information and bring it into your SIEM workflow. This visibility into encrypted traffic can be the difference in determining if the traffic is malicious or legitimate in nature.

  • Gartner PeerInsights rating: 4.2 stars
  • Target audience: Enterprise clients.
  • Notable features: Ability to add business context rather than just technical or system context. Visibility into cryptographically protected data gives you a leg up on attacks.
  • Pricing: NetWitness pricing is based on throughput in both monthly or perpetual options. Retail pricing for a monthly license begins at $857 per month, which includes support.

11. SolarWinds Log & Event Manager

SolarWinds is a familiar name to many IT pros, as it has long leveraged a set of free tools and aggressive marketing to earn a place in many small to medium size IT shops. SolarWinds Log & Event Manager, its SIEM solution, offers tools to detect and investigate threats, analyze and audit events, and even automate remediation steps.

Log & Event Manager does not offer machine-learning-based analytics or the same level of integration with third-party systems you can expect from the enterprise grade tools in this list. SolarWinds does offer USB device monitoring, designed to mitigate the risks posed by USB flash drives to your network.

  • Gartner PeerInsights rating: 4.2 stars
  • Target audience: Small- to medium-sized businesses
  • Notable features: Automated remediation and USB device monitoring.
  • Pricing: SolarWinds Log & Event Manager is priced starting at $4,585 for a perpetual license, which authorizes use with up to 30 nodes and includes one year of maintenance.

12. Splunk

Splunk might well be the most well-known entry in this list, and is the standard against which SIEM platforms are judged. Gartner’s PeerInsights ratings bear this out as a rating of 4.4 stars is backed by over 500 reviews, more than any other competing solution.

Splunk offers two versions of their platform. Splunk Enterprise may be installed on premises as a server application on a variety of Unix or Windows operating systems, or as a Docker container application. Splunk Cloud allows you to realize the benefits of Splunk in a SaaS environment, minimizing infrastructure and maintenance requirements. Both platform versions support customizable dashboards and reporting, anomaly detection, and a high degree of access control.

Perhaps Splunk’s biggest selling point is Splunkbase, its app store for the Splunk platform. Splunkbase apps can run on either Splunk Enterprise or Splunk Cloud, and add third-party integrations, analytics, or automation capabilities.

  • Gartner PeerInsights rating: 4.4 stars
  • Target audience: Organizations of all sizes.
  • Notable features: Splunkbase app store, well documented both by Splunk and the user community.
  • Pricing: $150 per 1Gb of data per month for Splunk Enterprise. Splunk Cloud begins at $810 monthly (or $8,100 billed annually) for up to 5Gb per day.