SIEM Tools Compared

SIEM platforms centralize logs from across the enterprise, detect threats via correlation rules and machine learning, and support incident response. Side-by-side comparison across 5 tools: descriptive only, no recommendations.

Data verified: May 2026
Tools compared

Elastic Security (SIEM; freemium): free self-hosted Basic tier, or $95-$184/mo+ on Elastic Cloud, scaling with data volume.
Splunk Enterprise Security (SIEM; paid): $150-$225/GB ingested plus the ES license ($20-$40/GB); a 500 GB/day deployment commonly runs $1.2M-$2.5M/yr.
Microsoft Sentinel (SIEM; paid, consumption-based): $2.46-$5.20/GB ingested, from pay-as-you-go down to the Enterprise commitment tier.
Wazuh (SIEM/XDR, open source; free): free self-hosted, or Wazuh Cloud (managed, per-agent custom pricing).
Graylog Open (SIEM/log management; freemium): free open-source self-hosted, or $1,250-$1,550/mo+ (Cloud), or $15K-$18K/yr+ (Enterprise/Security self-hosted).
Pricing & plans

Pricing model
Elastic Security: Basic (free, self-hosted only; includes SIEM detection rules); Gold ($114/mo+ on Elastic Cloud, adds support); Platinum ($131/mo+, adds ML, SSO and behavioral ransomware protection); Enterprise ($184/mo+, adds searchable snapshots and cross-cluster replication).
Splunk Enterprise Security: workload-based or ingest-based; $150-$225/GB/day ingested plus the Enterprise Security premium of $20-$40/GB; commitment tiers reduce the per-GB cost at scale.
Microsoft Sentinel: pay-as-you-go at $5.20/GB; commitment tiers at 50/100/200/300/400/500 GB/day; the Enterprise tier at 1000+ GB/day works out to about $2.46/GB effective.
Wazuh: free under GPL-2.0; Wazuh Cloud is per-agent custom pricing; paid 24/7 support contracts run around $16K/yr (median per practitioner reports).
Graylog Open: Open (free, self-hosted, unlimited logs); Cloud Operations ($1,250/mo for 10 GB/day); Cloud Security ($1,550/mo, adds SIEM features); API Security ($1,500/mo); Enterprise self-hosted ($15K/yr+); Security self-hosted ($18K/yr+).

Pricing tier
Elastic Security: freemium. Splunk Enterprise Security: paid. Microsoft Sentinel: paid (consumption-based). Wazuh: free / open source. Graylog Open: freemium.

Free tier / trial
Elastic Security: free tier; 14-day full-feature Elastic Cloud trial, and the Basic tier is permanently free when self-hosted.
Splunk Enterprise Security: free tier; Splunk Free (500 MB/day, limited features) plus a 60-day trial of Splunk Enterprise with ES.
Microsoft Sentinel: trial only; 31-day trial with 10 GB/day free, up to 20 workspaces per Azure tenant; ingestion of Microsoft security data is free.
Wazuh: free tier; the software is permanently free, plus a 14-day Wazuh Cloud trial.
Graylog Open: free tier; the Open tier is permanently free, plus a 30-day trial of Enterprise/Security.

Volume discounts
Elastic Security: annual commitments typically yield a 20-30% discount over monthly; the Enterprise tier is negotiable at high volume.
Splunk Enterprise Security: substantial volume-based discounting at 500 GB/day+ commitments; multi-year terms further reduce the per-GB cost.
Microsoft Sentinel: built into the commitment tiers (40-53% below PAYG at the higher tiers); Microsoft Enterprise Agreement discounts apply on top.
Wazuh: not applicable for the software (free); managed support pricing scales with agent count.
Graylog Open: Cloud: 15-35% discount on 50 GB+/day commitments; Enterprise: negotiated on volume.

Hidden costs
Elastic Security: cloud egress, snapshot storage and support-tier surcharges; self-hosted infrastructure costs; ML features only in Platinum and above.
Splunk Enterprise Security: premium TA (technology add-on) modules, professional services for content engineering, additional storage, search head clustering at scale.
Microsoft Sentinel: underlying Azure Log Analytics workspace charges; data retention beyond 90 days bills separately; the basic logs vs. analytics logs distinction (basic logs are cheaper to ingest but limited in query capability); egress costs.
Wazuh: infrastructure (servers, storage for the OpenSearch indexer), specialized labor, training time, integration of a SOAR (e.g., TheHive/Cortex) if needed.
Graylog Open: self-hosted infrastructure ($500-$5,000/mo for OpenSearch + MongoDB), DevOps time, professional services for migrations, Detection Boost content packs.
Deployment & integrations

Deployment
Elastic Security: Elastic Cloud (SaaS), Elastic Cloud Enterprise (managed self-hosted), or fully self-hosted (free).
Splunk Enterprise Security: self-hosted Splunk Enterprise, Splunk Cloud Platform (SaaS), or hybrid; Federated Search available.
Microsoft Sentinel: 100% cloud-native Azure service; no on-premises option for the SIEM itself (on-premises sources are onboarded via agents and connectors).
Wazuh: self-hosted (all-in-one single node, or multi-node cluster) or Wazuh Cloud SaaS.
Graylog Open: self-hosted on Linux (requires OpenSearch/Elasticsearch plus MongoDB) or Graylog Cloud SaaS.

Typical deployment time
Elastic Security: hours for an Elastic Cloud trial; days for production cloud; weeks for a self-hosted production cluster (Elasticsearch operations expertise required).
Splunk Enterprise Security: weeks to months for production enterprise deployments (data onboarding, use case engineering, content tuning).
Microsoft Sentinel: days for a basic deployment using the Microsoft data connectors; weeks for full multi-cloud and non-Microsoft source onboarding.
Wazuh: all-in-one PoC in hours; production multi-node cluster in days to weeks (DevOps/security engineering required).
Graylog Open: self-hosted PoC in hours; production single node in days; clustered enterprise deployment in weeks.

Key integrations
Elastic Security: 400+ integrations via Fleet: AWS, Azure, GCP, Cisco, Palo Alto, Okta, Microsoft 365, CrowdStrike; native APM, logs and metrics in the same stack.
Splunk Enterprise Security: largest SIEM ecosystem, 2,400+ Splunkbase apps; native connectors for AWS, Azure, GCP, Microsoft 365, ServiceNow, Cisco, Palo Alto, CrowdStrike, Okta.
Microsoft Sentinel: 350+ connectors: AWS, GCP, Cisco, Palo Alto, CrowdStrike, Okta, Cloudflare, Salesforce; native to the entire Microsoft Defender XDR suite (Endpoint, Identity, Cloud Apps, Office 365).
Wazuh: VirusTotal, MISP, TheHive, Cortex, Slack, PagerDuty, ServiceNow, Splunk forwarder, Elastic, Suricata; OSSEC rule-compatible.
Graylog Open: native syslog, GELF, Beats and NXLog inputs; AWS CloudTrail, Azure Event Hub, GCP, Microsoft 365, Cisco, Palo Alto; Sigma rules ecosystem.
📊 SIEM-specific evaluation

Pricing model
Elastic Security: free self-hosted Basic, or Elastic Cloud subscription tiers; not per-GB.
Splunk Enterprise Security: per-GB/day ingested plus the Enterprise Security tier premium; workload-based pricing also offered.
Microsoft Sentinel: per-GB ingested with commitment-tier discounts; consumption-based.
Wazuh: free open source; managed cloud uses per-agent pricing.
Graylog Open: fixed-fee tiers (not per-GB); Cloud is sized by GB/day but billed at a predictable monthly cost.

Log sources / connectors
Elastic Security: 400+ integrations via Fleet, growing rapidly; broad coverage of cloud, network, endpoint and SaaS sources.
Splunk Enterprise Security: 2,400+ Splunkbase apps; thousands of pre-built data sources and content packs across the broadest integration ecosystem in SIEM.
Microsoft Sentinel: 350+ data connectors, including all Microsoft Defender products natively; broad multi-cloud and third-party support.
Wazuh: native agents plus API integrations for cloud platforms (AWS, Azure, GCP, M365, GitHub); flexible rule writing for custom sources.
Graylog Open: syslog, GELF, Beats, NXLog and broad cloud connectors; smaller ecosystem than the market leaders but covers most common sources.

Query language
Elastic Security: Kibana Query Language (KQL) and Lucene syntax for search; ES|QL (a piped query language) recently introduced; EQL (Event Query Language) for sequence-based detection rules. Kibana's KQL and Microsoft's Kusto share an abbreviation but are unrelated languages.
Splunk Enterprise Security: Search Processing Language (SPL); powerful pipe-based query syntax, broadly considered the most mature SIEM query language.
Microsoft Sentinel: Kusto Query Language (KQL); the same language used for advanced hunting across Microsoft Defender XDR and for Azure Monitor logs.
Wazuh: OpenSearch Query DSL and Lucene syntax via the Wazuh Dashboard.
Graylog Open: Lucene query syntax via the Graylog UI; Sigma rules supported in the Security edition.
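The dialects above differ in shape, not only in keywords: Kibana KQL and Lucene are filter expressions (any grouping or counting happens in the Kibana UI), while SPL and Kusto are pipelines in which the aggregation is part of the query. The Python below is an added illustration, not vendor code and not the pySigma toolchain: it renders one AND-only detection into all four syntaxes so the differences sit side by side. The field mappings (ECS names for Elastic, Splunk Windows TA field names, the SecurityEvent table for Sentinel) and the two sample detections are constructed assumptions; real translation of Sigma rules (wildcards, OR/NOT, modifiers, timeframes, per-source field maps) is exactly what Sigma backends exist for.

```python
"""Render one AND-only detection into KQL, Lucene, SPL and Kusto.

Added example for illustration (not vendor code, not pySigma). The field
mappings and sample detections below are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Schema:
    """Where a platform keeps the events and what it calls each logical field."""
    source: str                 # Splunk index or Kusto table; unused by KQL/Lucene
    fields: dict[str, str]      # logical name -> platform field name


@dataclass(frozen=True)
class Detection:
    """Minimal rule: logical field == value terms, all AND-ed, plus optional group-by."""
    title: str
    conditions: dict[str, object]
    group_by: Optional[str] = None


# Assumed mappings (constructed): ECS for Elastic, Windows TA names for Splunk,
# SecurityEvent columns for Sentinel. Verify against your own data before use.
ECS = Schema("logs-*", {"event_id": "event.code",
                        "logon_type": "winlog.event_data.LogonType",
                        "process_name": "process.name",
                        "user": "user.name"})
SPLUNK_WINEVENT = Schema("winlogs", {"event_id": "EventCode",
                                     "logon_type": "Logon_Type",
                                     "process_name": "process_name",
                                     "user": "user"})
SENTINEL_SECURITYEVENT = Schema("SecurityEvent", {"event_id": "EventID",
                                                  "logon_type": "LogonType",
                                                  "process_name": "Process",
                                                  "user": "Account"})

DQ = '"'


def _literal(value: object) -> str:
    """Numbers stay bare; anything else becomes an escaped, double-quoted string."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = str(value).replace("\\", "\\\\").replace(DQ, "\\" + DQ)
    return DQ + text + DQ


def _terms(d: Detection, s: Schema) -> list[tuple[str, str]]:
    """Map logical field names to the platform's names; refuse to guess unknown ones."""
    out = []
    for name, value in d.conditions.items():
        if name not in s.fields:
            raise KeyError(f"{d.title}: no mapping for field {name!r} in {s.source}")
        out.append((s.fields[name], _literal(value)))
    return out


def to_kibana_kql(d: Detection, s: Schema = ECS) -> str:
    """Kibana KQL: field:value terms joined by lowercase 'and'. Filter only;
    the group-by is not expressible here and is done by the Kibana UI."""
    return " and ".join(f"{f}:{v}" for f, v in _terms(d, s))


def to_lucene(d: Detection, s: Schema = ECS) -> str:
    """Lucene: same shape as KQL with uppercase AND; also a filter only."""
    return " AND ".join(f"{f}:{v}" for f, v in _terms(d, s))


def to_spl(d: Detection, s: Schema = SPLUNK_WINEVENT) -> str:
    """Splunk SPL: search terms are implicitly AND-ed, then piped to stats."""
    query = "search index=" + s.source + " " + " ".join(f"{f}={v}" for f, v in _terms(d, s))
    if d.group_by:
        query += f" | stats count by {s.fields[d.group_by]}"
    return query


def to_kusto(d: Detection, s: Schema = SENTINEL_SECURITYEVENT) -> str:
    """Kusto: table | where ... | summarize; '==' is case-sensitive, 'and' explicit."""
    query = s.source + " | where " + " and ".join(f"{f} == {v}" for f, v in _terms(d, s))
    if d.group_by:
        query += f" | summarize count() by {s.fields[d.group_by]}"
    return query


# Constructed sample detections (Windows Security log event IDs).
FAILED_NETWORK_LOGON = Detection("Failed network logons",
                                 {"event_id": 4625, "logon_type": 3}, group_by="user")
POWERSHELL_SPAWN = Detection("PowerShell process creation",
                             {"event_id": 4688, "process_name": "powershell.exe"})


def render_all(d: Detection) -> dict[str, str]:
    """One detection, four dialects, for side-by-side comparison."""
    return {"kibana_kql": to_kibana_kql(d), "lucene": to_lucene(d),
            "spl": to_spl(d), "kusto": to_kusto(d)}


if __name__ == "__main__":
    for det in (FAILED_NETWORK_LOGON, POWERSHELL_SPAWN):
        print(det.title)
        for dialect, text in render_all(det).items():
            print(f"  {dialect:<10} {text}")
```

The renderer raises rather than guessing when a logical field has no mapping for a platform; silently dropping a term would widen the query and quietly change what the rule detects, which is the failure mode to watch for when porting content between SIEMs.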
Native UEBA / ML
Elastic Security: native ML in Platinum and above for anomaly detection; behavioral analytics included.
Splunk Enterprise Security: Splunk User Behavior Analytics (UBA) and the Splunk Machine Learning Toolkit are separately licensed products; ES itself has native ML capabilities.
Microsoft Sentinel: built-in User and Entity Behavior Analytics (UEBA); native ML for anomaly detection; Fusion engine for multi-stage attack detection.
Wazuh: no native UEBA; community integrations for ML-based detection are possible but not built in.
Graylog Open: anomaly detection in the Security edition; not as mature as commercial SIEM ML offerings.

SOAR capabilities
Elastic Security: connector-based automation; not a full SOAR platform; Elastic provides building blocks rather than a polished SOAR product.
Splunk Enterprise Security: Splunk SOAR (formerly Phantom) is a separately licensed full SOAR platform with deep ES integration.
Microsoft Sentinel: native SOAR via Azure Logic Apps playbooks; deep integration with Microsoft Defender XDR for auto-remediation.
Wazuh: Active Response framework for custom scripted responses on the agent or manager; not a full SOAR; typically integrated with TheHive/Cortex.
Graylog Open: alerting and notification only in Open/Enterprise; the Security edition adds incident investigation workflows but not full SOAR.

Data retention
Elastic Security: configurable via data tiers (hot/warm/cold/frozen); searchable snapshots in Enterprise allow long-term retention at low cost.
Splunk Enterprise Security: tiered storage (hot, warm, cold, frozen); SmartStore S3-backed object storage for cost-efficient long-term retention.
Microsoft Sentinel: default 90-day interactive retention, extensible to 2 years (billed separately), with cheaper long-term retention beyond that (Azure Monitor allows up to 12 years total); Data Lake tier with 6:1 compression for long-term archive.
Wazuh: configured by the operator; limited only by indexer (OpenSearch) storage; typical clusters hold months of retention.
Graylog Open: configurable; Enterprise adds a Data Lake for low-cost long-term retention (logs in the Data Lake do not count against the license).

Multi-tenancy / MSSP
Elastic Security: Elastic Cloud Enterprise supports multi-tenant deployments; widely used by MSSPs.
Splunk Enterprise Security: Splunk for MSSPs offering with multi-tenant deployment patterns; many MSSPs build managed services on Splunk.
Microsoft Sentinel: Azure Lighthouse enables multi-tenant SOC management across customer tenants; the MSSP partner ecosystem has broadly adopted Sentinel.
Wazuh: strong MSSP fit; widely used by MSSPs to deliver multi-tenant SOC services; the cluster architecture supports multi-tenant deployment patterns.
Graylog Open: multi-tenant deployments via the cluster architecture; used by MSSPs but with a smaller MSSP ecosystem than Splunk.
Compliance & certifications

Compliance certifications
Elastic Security: FedRAMP Moderate (Elastic Cloud), SOC 2 Type II, ISO 27001, HIPAA, PCI DSS, GDPR.
Splunk Enterprise Security: FedRAMP High (Splunk Cloud), SOC 2 Type II, ISO 27001, HIPAA, PCI DSS, GDPR, IL5 (FedRAMP-aligned).
Microsoft Sentinel: FedRAMP High, SOC 1/2/3, ISO 27001/27018, HIPAA, PCI DSS Level 1, GDPR, IRAP, C5, FACT, HITRUST.
Wazuh: Wazuh Cloud: SOC 2 Type II, PCI DSS Level 1, GDPR-ready; built-in compliance modules map rules to PCI DSS, HIPAA, NIST 800-53, GDPR, TSC and GPG13.
Graylog Open: Graylog Cloud: SOC 2; built-in compliance dashboards for GDPR, HIPAA and SOX (Enterprise tier and above).
Positioning

Target deployment
Elastic Security: engineering-heavy teams, cloud-first companies, organizations wanting unified log management plus SIEM.
Splunk Enterprise Security: large enterprises with mature SOC operations and budget for a premium SIEM.
Microsoft Sentinel: Microsoft 365/Azure-centric organizations, cloud-first SOCs.
Wazuh: SMB to mid-market with engineering capacity, MSSPs, compliance-driven workloads, organizations avoiding vendor lock-in.
Graylog Open: mid-market teams wanting SIEM-lite at lower cost than a premium SIEM, log-intensive engineering teams, compliance reporting.

Strengths cited
Elastic Security: usable SIEM in the free Basic tier when self-hosted, flexible deployment options, unified search across logs/metrics/traces, no per-GB tax when self-hosted, ML and EDR included in Platinum and above.
Splunk Enterprise Security: most mature SIEM platform on the market with an extensive content library, the broadest integration ecosystem, the powerful Search Processing Language (SPL), strong analytics and ML via Splunk ITSI/UBA.
Microsoft Sentinel: cloud-native scaling, deep Microsoft ecosystem integration (Defender XDR, Entra, Intune), built-in AI/ML and SOAR, lower per-GB cost than many enterprise SIEMs, free ingestion of Microsoft security signals.
Wazuh: unified XDR plus SIEM in one platform, 100% free open source (GPL-2.0) with no feature gating, built-in PCI DSS/HIPAA/NIST 800-53/GDPR compliance mappings, scales horizontally.
Graylog Open: fixed-fee pricing model (not per-GB), powerful pipeline processing for log enrichment, Sigma rule support in the Security edition, free tier with unlimited ingestion when self-hosted.

Where it fits less well
Elastic Security: self-managed deployment requires Elasticsearch expertise; cloud-based costs scale with data; some SIEM features are gated to paid tiers.
Splunk Enterprise Security: premium pricing positioned for enterprise; per-GB licensing requires careful sizing; the Cisco acquisition (completed 2024) has prompted ongoing evaluation of platform direction.
Microsoft Sentinel: best value realized when the organization is Microsoft-centric; Azure platform costs add on top of Sentinel pricing; retention beyond 90 days bills separately.
Wazuh: production deployment requires security engineering and DevOps expertise; a commercial SLA is available only via a paid support contract.
Graylog Open: requires the OpenSearch and MongoDB stack to operate; the free tier omits SSO, RBAC, archival and ML features.
Methodology

Comparison data synthesized from publicly available vendor documentation, MITRE Engenuity ATT&CK Evaluations, AV-TEST results, Gartner Peer Insights, G2/Capterra/TrustRadius reviews, anonymized transaction data (Vendr, CostBench, CheckThat.ai), and publicly reported pricing as of May 2026. defend.network is independent and has no commercial relationship with the vendors compared.