SOC tools: SIEM, SOAR, EDR and more.
The SOC toolstack by category — SIEM, EDR/XDR, SOAR, NDR, threat intel, sandboxes and enrichment — with real OSS and commercial tools linked.
Walk into any Security Operations Center and you will not find one tool doing the work. You will find a stack: a dozen products that ingest, detect, enrich, decide, and contain, each one owning a slice of the job and handing off to the next. New analysts get lost because vendors sell every box as if it replaces all the others. It does not. A SIEM is not an EDR, an EDR is not a SOAR, and none of them is a threat intelligence platform. The fastest way to understand a SOC is to learn the categories first, then slot the real tools into each one.
This is the reference map. For every category you get what it actually does, followed by the tools people really run — clearly marked open source (OSS) or commercial — each linked to its own site. If you are still fuzzy on what a SOC is in the first place, start with what is a SOC and come back.
How the pieces fit together
Before the tool list, hold the pipeline in your head. Telemetry flows in one direction and decisions flow back out. Everything below is a variation on this shape:
LOG / TELEMETRY SOURCES SIEM DETECTION
endpoints, firewalls, ─────▶ collect, ─────▶ rules run on the data
cloud, DNS, IDS, apps normalize, (Sigma, native queries)
store, search │
▼
CONTAINMENT CASE MANAGEMENT ALERT / SOAR
isolate host, kill ◀── TheHive / Jira ◀── triage + automation
process via EDR track the case (enrich, correlate)
▲ │
│ ▼
└────────── ENRICHMENT: VirusTotal, GreyNoise, AbuseIPDB, MISP ◀─┘
Read it as a sentence: log sources feed a SIEM; detections (often written as Sigma rules) fire alerts; a SOAR or an analyst enriches those alerts against threat intel and reputation services; confirmed incidents become cases in a tracker like TheHive; and containment happens back on the endpoint through an EDR. Keep that loop in mind and every category below has an obvious place.
SIEM — the system of record
The SIEM (Security Information and Event Management) is the SOC's central nervous system. It collects logs from everywhere — endpoints, firewalls, cloud, identity providers, applications — normalizes them into a common shape, stores them, and lets you search and alert across the lot. It is where correlation happens: a failed login here plus a new admin account there plus data leaving the network become one story. If a SOC has a single hub, this is it.
- Splunk (commercial) — the market benchmark; enormous app ecosystem and the SPL search language, priced mainly by daily ingest volume.
- Microsoft Sentinel (commercial) — cloud-native SIEM on Azure, queried with KQL, strong if you already live in the Microsoft ecosystem.
- IBM QRadar (commercial) — long-standing enterprise SIEM with mature correlation and offense management.
- Elastic Security / ELK (open core) — the Elastic Stack plus a security layer; free to self-host, with advanced detection features on paid tiers.
- Wazuh (OSS) — free at any scale, bundling SIEM-style log analysis with host intrusion detection on one agent.
- Graylog (open core) — lightweight, log-management-first platform with a friendly search UI and an open-source edition.
- Google SecOps (Chronicle) (commercial) — cloud SIEM built for very large log volumes, with built-in threat intel from Google.
Choosing between the big three open and commercial options deserves its own piece — we wrote one: Splunk vs Wazuh vs ELK. The short version is a table.
| SIEM | OSS? | Strong at | Watch out for |
|---|---|---|---|
| Splunk | No | Search power, app ecosystem, vendor support | Ingest-based pricing can spiral |
| Microsoft Sentinel | No | Cloud-native, tight Microsoft/Entra integration | Cost and lock-in follow Azure |
| IBM QRadar | No | Mature correlation, enterprise deployments | Heavy, dated UX, steep licensing |
| Elastic Security / ELK | Open core | Flexible ingest, scales when tuned | Needs real Elasticsearch ops skill |
| Wazuh | Yes | Free at scale, HIDS built in | Smaller ecosystem, more DIY |
| Graylog | Open core | Simple log management, easy start | Fewer security-specific features |
| Google SecOps | No | Huge volumes, Google threat intel | Cloud-only, opaque pricing |
EDR / XDR — eyes on the endpoint
Endpoint Detection and Response puts a sensor on every laptop and server. Unlike old antivirus, it does not just match known-bad files — it records process trees, command lines, network connections, and registry changes, then flags suspicious behavior and lets you respond remotely: isolate the host, kill a process, pull a file. XDR (Extended Detection and Response) is the same idea widened to correlate endpoint, identity, email, and cloud signals in one console.
- CrowdStrike Falcon (commercial) — lightweight cloud agent, well regarded for detection quality and threat hunting.
- Microsoft Defender for Endpoint (commercial) — deeply integrated into Windows and the Microsoft security stack.
- SentinelOne (commercial) — behavioral, on-agent AI with automated rollback of ransomware changes.
- Elastic Defend (open core) — Elastic's own endpoint agent, feeding detections straight into Elastic Security.
- LimaCharlie (commercial, usage-based) — an "EDR engine as a service" you build on, popular with MSSPs and builders.
- Wazuh agent (OSS) — the free option; file integrity monitoring, log collection, and response actions, though lighter on real-time behavioral EDR than the commercial names.
SOAR — automating the boring parts
Security Orchestration, Automation and Response is the glue and the robot. A SOAR runs playbooks: when an alert arrives, it automatically enriches the indicators, checks reputation services, opens or updates a case, messages the analyst, and — where you trust it — takes action like blocking an IP. The goal is to delete the repetitive tier-1 clicking so humans spend time on judgment, not copy-paste.
- Palo Alto Cortex XSOAR (commercial) — one of the most established SOAR platforms, with a large marketplace of integrations.
- Splunk SOAR (commercial) — automation that plugs naturally into a Splunk-centric SOC.
- Tines (commercial, free community tier) — no-code/low-code automation loved for how quickly you can build a workflow.
- Shuffle (OSS) — open-source SOAR that pairs beautifully with TheHive and MISP in a free stack.
- Swimlane (commercial) — automation with an emphasis on case management and reporting at scale.
IDS / IPS / NDR — watching the wire
Where EDR watches hosts, this category watches network traffic. An IDS (Intrusion Detection System) inspects packets for known-bad patterns and alerts; an IPS can also block inline. NDR (Network Detection and Response) leans on behavior and metadata rather than pure signatures. These sensors feed the SIEM with the traffic story your endpoints cannot see.
- Suricata (OSS) — high-performance, multi-threaded IDS/IPS with rich protocol logging and file extraction.
- Snort (OSS) — the original signature-based IDS/IPS, backed by a huge community ruleset.
- Zeek (OSS) — not a signature engine but a network analysis framework that turns traffic into rich, structured logs; a hunter's favorite.
- Security Onion (OSS) — a whole free distro that bundles Suricata, Zeek, the Elastic Stack, and case tooling into one deployable platform.
Signature engines are close cousins with a real design split — see Snort vs Suricata for when to pick which.
Threat Intelligence Platforms (TIP)
A TIP is where a SOC collects, deduplicates, and operationalizes what it knows about attackers: indicators of compromise (IOCs), campaigns, and threat actors. Its job is to turn scattered feeds into structured intel you can push into detections and pull into enrichment. It is the memory of the SOC.
- MISP (OSS) — the de facto open-source standard for sharing IOCs, with sharing communities and easy export to your SIEM.
- OpenCTI (OSS) — a knowledge graph that models actors, techniques, and relationships on top of raw indicators.
- AlienVault OTX (free) — an open threat exchange with community "pulses" you can subscribe to.
- Recorded Future (commercial) — large-scale, real-time intelligence with heavy analytics.
- Anomali (commercial) — threat intel management and matching against your telemetry.
- ThreatConnect (commercial) — TIP with built-in workflow and automation.
- SOCRadar (commercial) — external attack surface and digital risk intel, including dark-web monitoring.
Case management and ticketing
Alerts are noise until someone owns them. Case management is where an alert becomes an investigation with a timeline, assignees, evidence, and a verdict. Without it, work falls through the cracks and you cannot prove what you did.
- TheHive (OSS) — purpose-built incident response case management, designed to pair with MISP and Cortex analyzers.
- Jira (commercial) — not security-specific, but plenty of SOCs run their incident tickets here to sit next to engineering work.
Malware sandboxes
When a suspicious file lands, you need to know what it does without detonating it on a real machine. A sandbox runs the sample in an instrumented, disposable environment and reports its behavior: files dropped, processes spawned, domains contacted. This is core to triaging phishing attachments and unknown binaries.
- ANY.RUN (commercial, free community tier) — interactive sandbox where you watch and click through detonation live.
- Joe Sandbox (commercial) — deep, detailed analysis across Windows, macOS, Linux, and mobile.
- Hybrid Analysis (free) — CrowdStrike's public sandbox and community report repository.
- CAPEv2 / Cuckoo (OSS) — the self-hosted classic; CAPEv2 is the actively maintained successor to Cuckoo Sandbox.
- VMRay (commercial) — evasion-resistant analysis aimed at hard-to-detonate samples.
- Triage (tria.ge) (commercial, free tier) — fast, high-throughput automated sandboxing with clean reports.
Enrichment and reputation
These are the lookups an analyst hits fifty times a day: is this hash, IP, domain, or URL known bad? Enrichment services answer that in seconds and are the first thing a SOAR playbook automates. They turn a bare indicator into context.
- VirusTotal (free / commercial) — multi-engine scanning of files, URLs, and hashes; the reflex first stop.
- AbuseIPDB (free / commercial) — community-reported abuse history and confidence score for an IP.
- GreyNoise (commercial, free lookups) — tells you whether an IP is mass-internet noise or something targeted, cutting false positives.
- urlscan.io (free / commercial) — safely renders and dissects a URL, screenshotting and mapping what it loads.
- Shodan (commercial, free tier) — search engine for internet-exposed hosts and services.
- Censys (commercial, free tier) — internet-wide host and certificate scanning for exposure and attribution.
- URLhaus (free, abuse.ch) — a live feed of malware distribution URLs.
- ThreatFox (free, abuse.ch) — a free, sharable database of IOCs tied to malware families.
Detection-as-code
Modern SOCs treat detections like software: written as text, version-controlled in Git, reviewed, and tested. That is what "detection-as-code" means, and two open standards carry it. Sigma is a generic, tool-agnostic format for log-based detections you write once and convert to your SIEM's query language. YARA describes patterns to identify and classify malware files. Both are OSS, both are portable, and both belong in a repo rather than pasted into a single console.
- Sigma (OSS) — the "write once, run anywhere" rule format for SIEM detections, with a huge public ruleset.
- YARA (OSS) — pattern-matching rules for files and memory; the lingua franca of malware identification.
- pySigma / sigma-cli (OSS) — the toolchain that converts a Sigma rule into Splunk SPL, KQL, Elasticsearch, and more.
Here is the detection-as-code promise in one console session — take a portable Sigma rule and compile it into a Splunk search you can paste straight into your SIEM:
$ pip install sigma-cli
$ sigma plugin install splunk
# Convert a Sigma rule to a Splunk SPL search
$ sigma convert -t splunk rules/windows/process_creation/proc_creation_win_whoami.yml
(source="WinEventLog:Security" EventCode=4688 Image="*\\whoami.exe")
| table _time, ComputerName, User, CommandLine
Change one flag — -t microsoft365defender, -t elasticsearch — and the same rule becomes KQL or a Lucene query. That portability is why detection engineers standardize on Sigma. We go deep on writing your own in Sigma and YARA rules explained.
A realistic open-source SOC stack you can build
You do not need a six-figure budget to run a competent SOC. Here is a coherent free stack — the same philosophy Security Onion packages — where every piece has a clear job and they actually talk to each other:
- Wazuh as the SIEM and endpoint agent — one deployment gives you log collection, correlation, and host intrusion detection at zero license cost, no matter how much data you ship.
- Suricata and Zeek on the network — Suricata alerts on known-bad signatures, Zeek turns raw traffic into rich logs for hunting. Together they are your eyes on the wire.
- MISP as the threat intel platform — pull in community feeds, store your own IOCs, and push them into Wazuh so detections stay current.
- TheHive for case management — every real alert becomes a tracked investigation with evidence and a verdict, and it integrates natively with MISP.
- Shuffle as the SOAR — wire the others together: on a Wazuh alert, auto-enrich with VirusTotal and GreyNoise, then open a case in TheHive.
That is a full loop — collect, detect, enrich, track, respond — built entirely on open source. If you would rather deploy it pre-assembled, Security Onion ships most of it in one image. The lesson is that the categories, not the price tags, are what make a SOC work. Learn the boxes and what each one owns, and any stack — free, commercial, or a blend — stops looking like alphabet soup and starts looking like a pipeline you can reason about.
