We've been using various SIEM solutions in our AWS environments for about a year, focusing on centralizing logs from CloudTrail, VPC Flow Logs, and our container pipelines. While some solutions handle log ingestion well, they often struggle with speed when we experience spikes in volume. Other options may have efficient pipelines but lack the capability to work across multiple clouds. I'm reaching out to fellow AWS experts to learn which SIEM solutions have consistently provided scalable, real-time threat detection in multi-account configurations. Any insights would be greatly appreciated!
4 Answers
It really depends on your key requirements. There are always trade-offs, but knowing your must-haves can help narrow down suggestions! Let us know what you're looking for.
For us, sending logs via Kinesis to an open-source SIEM worked until our Elastic Search nodes got overwhelmed. We had to set up account partitioning and used Lambda for normalization. It works, but it's quite labor-intensive. Now I'm looking at solutions that offer built-in orchestration for easier management.
You should consider Blacklight AI! It has built-in XDR, SOAR, and a lot more. It's been a game-changer for us!
Most AWS SIEMs handle logs okay until the volume doubles; then it can become a nightmare with alert noise. We created auto-tuning rules based on IAM roles and set baselines for common CloudTrail noise. This helped us reduce false positives by about 40%. After stabilization, we plugged in Stellar Cyber, which scaled fine with minimal extra adjustments.
I've had good luck with AWS’s built-in solutions. Traditional SIEMs struggle because they are often overly focused on user or host data. They tend to throw unnecessary alerts, like when two accounts in the same org share AMIs, which lacks context and can lead to confusion.
That sounds interesting! I'm curious if it really reduces operational burden as they claim.