Hi all! I am having a difficult time identifying a cost-effective SIEM tool for my clients. Does anyone have any suggestions? I know there are many solutions out there in the marketplace, but they are typically very expensive, too expensive for SMB. Thanks. Matt More on forums.lawrencesystems.com

Splunk if you have deep pockets. Whatever SIEM you choose, make sure you have an ACTUAL data strategy, with schemas, documentation, logging standards, etc. etc. All of the issues I’ve seen with SIEMs stem from a company that DOES NOT have a data culture and thinks “I’ll just log data and let the analytics sort it out….Fucking. No. More on reddit.com

Remember that a SIEM is a means to an end, not an actual mandatory product. Your goal is to increase visibility of unusual or malicious activity within your organisation. A SIEM, contrary to popular belief, is one of the least efficient methods to go about this. It's the thing you do once you have exhausted other methods. The other methods should be: Your EDR. Realistically this is your best source of visibility and automated response. It's amazing how many large organisations throw millions at their SOC and SIEM while leaving their EDR practically ignored and at defaults. Or completely absent on their servers. Your network configuration. Funneling your traffic through a gateway with IPS/IDS and a proxy will catch a hell of a lot more than a SIEM will out of the box. Having a full stack visibility tool from your network vendor can give you tons of analytical data. Your identity provider. Your identity provider has tons of knobs to harden your organisations authentication and alert on unusual activity. Take advantage of it. Canaries. A malicious actor will typically browse the network to determine lateral movement. Most of them will be very loud about this. A tool that pretends to be a high value target and alerts on access is a fantastic way to catch bad actors early. On top of all this is a golden rule of security: an ounce of prevention is worth a pound of cure. A SIEM is fundamentally a reactive tool, and a manual and expensive one at that. Any tools or perimeter hardening or segmentation you can apply before resorting to a SIEM is a net win. Also remember that SIEMs being horrifically expensive is usually due to the licensing being commensurate with the cost of the team required to utilise it effectively. You can go look at free SIEMs all day, but your SOC will cost you millions a year to take effective advantage of it. More on reddit.com

Microsoft Sentinel has SIEM and SOAR capabilities. Works splendid with anything Azure related. It has many connectors made by MS and the community. If you are already in Azure it will not break your bank. Open source: You could try ELK (Elastic, Logstash and Kibana) free plan. If you have any other questions let me know, I've worked with QRadar, Microfocus ESM, MS Sentinel, ELK, Splunk Phantom and XSOAR More on reddit.com