Skip to content
Breachfolio
CYBERSECURITY · SOC

SOC tools: SIEM, SOAR, EDR and more.

The SOC toolstack by category — SIEM, EDR/XDR, SOAR, NDR, threat intel, sandboxes and enrichment — with real OSS and commercial tools linked.

July 17, 202614 min read

Walk into any Security Operations Center and you will not find one tool doing the work. You will find a stack: a dozen products that ingest, detect, enrich, decide, and contain, each one owning a slice of the job and handing off to the next. New analysts get lost because vendors sell every box as if it replaces all the others. It does not. A SIEM is not an EDR, an EDR is not a SOAR, and none of them is a threat intelligence platform. The fastest way to understand a SOC is to learn the categories first, then slot the real tools into each one.

This is the reference map. For every category you get what it actually does, followed by the tools people really run — clearly marked open source (OSS) or commercial — each linked to its own site. If you are still fuzzy on what a SOC is in the first place, start with what is a SOC and come back.

Log sourcesSIEM (correlate)Detection rulesSOAR (automate)EDR (contain)
How the SOC toolstack fits together, from log to response.

How the pieces fit together

Before the tool list, hold the pipeline in your head. Telemetry flows in one direction and decisions flow back out. Everything below is a variation on this shape:

  LOG / TELEMETRY SOURCES            SIEM                 DETECTION
  endpoints, firewalls,   ─────▶   collect,     ─────▶  rules run on the data
  cloud, DNS, IDS, apps            normalize,           (Sigma, native queries)
                                   store, search             │
                                                             ▼
       CONTAINMENT           CASE MANAGEMENT          ALERT / SOAR
   isolate host, kill    ◀──  TheHive / Jira   ◀──   triage + automation
   process via EDR             track the case         (enrich, correlate)
        ▲                                                    │
        │                                                    ▼
        └──────────  ENRICHMENT: VirusTotal, GreyNoise, AbuseIPDB, MISP  ◀─┘

Read it as a sentence: log sources feed a SIEM; detections (often written as Sigma rules) fire alerts; a SOAR or an analyst enriches those alerts against threat intel and reputation services; confirmed incidents become cases in a tracker like TheHive; and containment happens back on the endpoint through an EDR. Keep that loop in mind and every category below has an obvious place.

SIEM — the system of record

The SIEM (Security Information and Event Management) is the SOC's central nervous system. It collects logs from everywhere — endpoints, firewalls, cloud, identity providers, applications — normalizes them into a common shape, stores them, and lets you search and alert across the lot. It is where correlation happens: a failed login here plus a new admin account there plus data leaving the network become one story. If a SOC has a single hub, this is it.

  • Splunk (commercial) — the market benchmark; enormous app ecosystem and the SPL search language, priced mainly by daily ingest volume.
  • Microsoft Sentinel (commercial) — cloud-native SIEM on Azure, queried with KQL, strong if you already live in the Microsoft ecosystem.
  • IBM QRadar (commercial) — long-standing enterprise SIEM with mature correlation and offense management.
  • Elastic Security / ELK (open core) — the Elastic Stack plus a security layer; free to self-host, with advanced detection features on paid tiers.
  • Wazuh (OSS) — free at any scale, bundling SIEM-style log analysis with host intrusion detection on one agent.
  • Graylog (open core) — lightweight, log-management-first platform with a friendly search UI and an open-source edition.
  • Google SecOps (Chronicle) (commercial) — cloud SIEM built for very large log volumes, with built-in threat intel from Google.

Choosing between the big three open and commercial options deserves its own piece — we wrote one: Splunk vs Wazuh vs ELK. The short version is a table.

SIEMOSS?Strong atWatch out for
SplunkNoSearch power, app ecosystem, vendor supportIngest-based pricing can spiral
Microsoft SentinelNoCloud-native, tight Microsoft/Entra integrationCost and lock-in follow Azure
IBM QRadarNoMature correlation, enterprise deploymentsHeavy, dated UX, steep licensing
Elastic Security / ELKOpen coreFlexible ingest, scales when tunedNeeds real Elasticsearch ops skill
WazuhYesFree at scale, HIDS built inSmaller ecosystem, more DIY
GraylogOpen coreSimple log management, easy startFewer security-specific features
Google SecOpsNoHuge volumes, Google threat intelCloud-only, opaque pricing

EDR / XDR — eyes on the endpoint

Endpoint Detection and Response puts a sensor on every laptop and server. Unlike old antivirus, it does not just match known-bad files — it records process trees, command lines, network connections, and registry changes, then flags suspicious behavior and lets you respond remotely: isolate the host, kill a process, pull a file. XDR (Extended Detection and Response) is the same idea widened to correlate endpoint, identity, email, and cloud signals in one console.

  • CrowdStrike Falcon (commercial) — lightweight cloud agent, well regarded for detection quality and threat hunting.
  • Microsoft Defender for Endpoint (commercial) — deeply integrated into Windows and the Microsoft security stack.
  • SentinelOne (commercial) — behavioral, on-agent AI with automated rollback of ransomware changes.
  • Elastic Defend (open core) — Elastic's own endpoint agent, feeding detections straight into Elastic Security.
  • LimaCharlie (commercial, usage-based) — an "EDR engine as a service" you build on, popular with MSSPs and builders.
  • Wazuh agent (OSS) — the free option; file integrity monitoring, log collection, and response actions, though lighter on real-time behavioral EDR than the commercial names.

SOAR — automating the boring parts

Security Orchestration, Automation and Response is the glue and the robot. A SOAR runs playbooks: when an alert arrives, it automatically enriches the indicators, checks reputation services, opens or updates a case, messages the analyst, and — where you trust it — takes action like blocking an IP. The goal is to delete the repetitive tier-1 clicking so humans spend time on judgment, not copy-paste.

  • Palo Alto Cortex XSOAR (commercial) — one of the most established SOAR platforms, with a large marketplace of integrations.
  • Splunk SOAR (commercial) — automation that plugs naturally into a Splunk-centric SOC.
  • Tines (commercial, free community tier) — no-code/low-code automation loved for how quickly you can build a workflow.
  • Shuffle (OSS) — open-source SOAR that pairs beautifully with TheHive and MISP in a free stack.
  • Swimlane (commercial) — automation with an emphasis on case management and reporting at scale.

IDS / IPS / NDR — watching the wire

Where EDR watches hosts, this category watches network traffic. An IDS (Intrusion Detection System) inspects packets for known-bad patterns and alerts; an IPS can also block inline. NDR (Network Detection and Response) leans on behavior and metadata rather than pure signatures. These sensors feed the SIEM with the traffic story your endpoints cannot see.

  • Suricata (OSS) — high-performance, multi-threaded IDS/IPS with rich protocol logging and file extraction.
  • Snort (OSS) — the original signature-based IDS/IPS, backed by a huge community ruleset.
  • Zeek (OSS) — not a signature engine but a network analysis framework that turns traffic into rich, structured logs; a hunter's favorite.
  • Security Onion (OSS) — a whole free distro that bundles Suricata, Zeek, the Elastic Stack, and case tooling into one deployable platform.

Signature engines are close cousins with a real design split — see Snort vs Suricata for when to pick which.

Threat Intelligence Platforms (TIP)

A TIP is where a SOC collects, deduplicates, and operationalizes what it knows about attackers: indicators of compromise (IOCs), campaigns, and threat actors. Its job is to turn scattered feeds into structured intel you can push into detections and pull into enrichment. It is the memory of the SOC.

  • MISP (OSS) — the de facto open-source standard for sharing IOCs, with sharing communities and easy export to your SIEM.
  • OpenCTI (OSS) — a knowledge graph that models actors, techniques, and relationships on top of raw indicators.
  • AlienVault OTX (free) — an open threat exchange with community "pulses" you can subscribe to.
  • Recorded Future (commercial) — large-scale, real-time intelligence with heavy analytics.
  • Anomali (commercial) — threat intel management and matching against your telemetry.
  • ThreatConnect (commercial) — TIP with built-in workflow and automation.
  • SOCRadar (commercial) — external attack surface and digital risk intel, including dark-web monitoring.

Case management and ticketing

Alerts are noise until someone owns them. Case management is where an alert becomes an investigation with a timeline, assignees, evidence, and a verdict. Without it, work falls through the cracks and you cannot prove what you did.

  • TheHive (OSS) — purpose-built incident response case management, designed to pair with MISP and Cortex analyzers.
  • Jira (commercial) — not security-specific, but plenty of SOCs run their incident tickets here to sit next to engineering work.

Malware sandboxes

When a suspicious file lands, you need to know what it does without detonating it on a real machine. A sandbox runs the sample in an instrumented, disposable environment and reports its behavior: files dropped, processes spawned, domains contacted. This is core to triaging phishing attachments and unknown binaries.

  • ANY.RUN (commercial, free community tier) — interactive sandbox where you watch and click through detonation live.
  • Joe Sandbox (commercial) — deep, detailed analysis across Windows, macOS, Linux, and mobile.
  • Hybrid Analysis (free) — CrowdStrike's public sandbox and community report repository.
  • CAPEv2 / Cuckoo (OSS) — the self-hosted classic; CAPEv2 is the actively maintained successor to Cuckoo Sandbox.
  • VMRay (commercial) — evasion-resistant analysis aimed at hard-to-detonate samples.
  • Triage (tria.ge) (commercial, free tier) — fast, high-throughput automated sandboxing with clean reports.

Enrichment and reputation

These are the lookups an analyst hits fifty times a day: is this hash, IP, domain, or URL known bad? Enrichment services answer that in seconds and are the first thing a SOAR playbook automates. They turn a bare indicator into context.

  • VirusTotal (free / commercial) — multi-engine scanning of files, URLs, and hashes; the reflex first stop.
  • AbuseIPDB (free / commercial) — community-reported abuse history and confidence score for an IP.
  • GreyNoise (commercial, free lookups) — tells you whether an IP is mass-internet noise or something targeted, cutting false positives.
  • urlscan.io (free / commercial) — safely renders and dissects a URL, screenshotting and mapping what it loads.
  • Shodan (commercial, free tier) — search engine for internet-exposed hosts and services.
  • Censys (commercial, free tier) — internet-wide host and certificate scanning for exposure and attribution.
  • URLhaus (free, abuse.ch) — a live feed of malware distribution URLs.
  • ThreatFox (free, abuse.ch) — a free, sharable database of IOCs tied to malware families.

Detection-as-code

Modern SOCs treat detections like software: written as text, version-controlled in Git, reviewed, and tested. That is what "detection-as-code" means, and two open standards carry it. Sigma is a generic, tool-agnostic format for log-based detections you write once and convert to your SIEM's query language. YARA describes patterns to identify and classify malware files. Both are OSS, both are portable, and both belong in a repo rather than pasted into a single console.

  • Sigma (OSS) — the "write once, run anywhere" rule format for SIEM detections, with a huge public ruleset.
  • YARA (OSS) — pattern-matching rules for files and memory; the lingua franca of malware identification.
  • pySigma / sigma-cli (OSS) — the toolchain that converts a Sigma rule into Splunk SPL, KQL, Elasticsearch, and more.

Here is the detection-as-code promise in one console session — take a portable Sigma rule and compile it into a Splunk search you can paste straight into your SIEM:

$ pip install sigma-cli
$ sigma plugin install splunk

# Convert a Sigma rule to a Splunk SPL search
$ sigma convert -t splunk rules/windows/process_creation/proc_creation_win_whoami.yml

(source="WinEventLog:Security" EventCode=4688 Image="*\\whoami.exe")
| table _time, ComputerName, User, CommandLine

Change one flag — -t microsoft365defender, -t elasticsearch — and the same rule becomes KQL or a Lucene query. That portability is why detection engineers standardize on Sigma. We go deep on writing your own in Sigma and YARA rules explained.

A realistic open-source SOC stack you can build

You do not need a six-figure budget to run a competent SOC. Here is a coherent free stack — the same philosophy Security Onion packages — where every piece has a clear job and they actually talk to each other:

  • Wazuh as the SIEM and endpoint agent — one deployment gives you log collection, correlation, and host intrusion detection at zero license cost, no matter how much data you ship.
  • Suricata and Zeek on the network — Suricata alerts on known-bad signatures, Zeek turns raw traffic into rich logs for hunting. Together they are your eyes on the wire.
  • MISP as the threat intel platform — pull in community feeds, store your own IOCs, and push them into Wazuh so detections stay current.
  • TheHive for case management — every real alert becomes a tracked investigation with evidence and a verdict, and it integrates natively with MISP.
  • Shuffle as the SOAR — wire the others together: on a Wazuh alert, auto-enrich with VirusTotal and GreyNoise, then open a case in TheHive.

That is a full loop — collect, detect, enrich, track, respond — built entirely on open source. If you would rather deploy it pre-assembled, Security Onion ships most of it in one image. The lesson is that the categories, not the price tags, are what make a SOC work. Learn the boxes and what each one owns, and any stack — free, commercial, or a blend — stops looking like alphabet soup and starts looking like a pipeline you can reason about.

Frequently asked questions

What is the difference between SIEM and SOAR?
A SIEM collects, stores, and searches log data and raises alerts when its detections fire — it is the system of record. A SOAR sits on top and acts on those alerts, running automated playbooks that enrich indicators, open cases, and take response actions. Put simply: the SIEM tells you something happened; the SOAR does something about it. Many teams start with a SIEM alone and add a SOAR once alert volume outgrows manual triage.
What is the difference between EDR and antivirus?
Traditional antivirus matches files against a list of known-bad signatures and blocks them — it is essentially a filter. EDR (Endpoint Detection and Response) records behavior on the endpoint — process trees, command lines, network connections — and detects suspicious activity even from never-before-seen malware, then lets an analyst respond remotely by isolating the host or killing a process. Antivirus prevents known threats; EDR detects and lets you investigate and contain unknown ones.
What is the best open source SIEM?
For most teams, Wazuh. It is free at any scale and bundles SIEM-style log analysis with host intrusion detection on a single agent, so you get endpoint visibility without a second product. Elastic Security (the ELK stack) is the strong alternative if you want maximum flexibility and have Elasticsearch operations skill in-house, and Graylog is a lighter option focused on log management. See our Splunk vs Wazuh vs ELK comparison for the trade-offs.
Do you actually need a SOAR?
Not at first. A small team drowning in a handful of alerts a day is better off getting detections and case management right before automating anything. You need a SOAR when repetitive tier-1 work — enriching the same indicators, copying data between tools, opening tickets — starts eating hours you do not have. When that happens, a free option like Shuffle or a community tier of Tines lets you automate the drudgery without a big spend.
What is a TIP, and do I need MISP?
A Threat Intelligence Platform (TIP) collects, deduplicates, and organizes what you know about attackers — indicators of compromise, campaigns, and actors — so you can push that knowledge into detections and pull it into enrichment. MISP is the open-source standard and is worth running the moment you are consuming more than one threat feed or sharing intel with other teams. Below that threshold, free lookups like VirusTotal and AbuseIPDB may be enough, but MISP is where scattered feeds become an organized, queryable memory.
SIEM vs XDR — what is the difference?
A SIEM is data-source-agnostic: you point any log at it, define your own detections, and own the correlation and tuning. XDR (Extended Detection and Response) is a vendor-integrated suite that stitches together that vendor's endpoint, identity, email, and cloud telemetry with detections built in, trading flexibility for less setup. SIEM gives you total control and broad coverage at the cost of engineering effort; XDR gives you fast, opinionated detection inside one ecosystem at the cost of lock-in. Larger SOCs often run both, with XDR feeding the SIEM.