u/athanielx

12 points · r/MSSP (+1 crosspost)

I’m evaluating modern SIEM / XDR / SecOps platforms and would appreciate input from people who have gone through similar selection or migration projects.

Context:
We have a relatively small security team - essentially one person responsible for security operations, but the environment is not small: several thousand servers, around 1.5k users, hybrid identity with Microsoft Entra ID and on-prem Active Directory, and a mixed OS estate that is currently about 40% Windows and 60% Linux, with more Linux migration planned.

What I’m looking for is not just a log storage/search platform, but a SIEM/SecOps solution that can realistically work for a very lean team.

Key requirements:

* Strong integrations with Microsoft identity, AD, Windows, Linux, network/security tools, cloud services, and custom applications.
* Flexible detection / alerting language, similar in spirit to Splunk SPL, KQL, YARA-L, Python-based detections, etc.
* Good support for custom log ingestion, because we have internal applications and products that we will need to integrate from scratch.
* Vendor-maintained detection content, not just a marketplace of rules we have to fully own ourselves.
* Strong ML/UEBA/anomaly detection capabilities.
* AI-assisted investigation would be a plus, especially if it can explain context, summarize incidents, suggest next steps, or help build detections - but this is not the main deciding factor.
* Ability to reduce operational overhead: tuning, rule updates, parsing, correlation, triage, and detection lifecycle should be as delegated as possible to the vendor or an MSSP/MDR partner.

As a reference point, we previously used Darktrace Network. I liked the idea that many detections/models were maintained by the vendor, were relatively flexible, and heavily ML-driven. I’m looking for something with a similar operational philosophy, but in the SIEM/SecOps space.

Platforms I’m considering include Microsoft Sentinel (a good fit for us since, as I said, we have a Microsoft ecosystem), Google Security Operations (ex-Chronicle), Palo Alto (XDR, XSIAM), CrowdStrike (XDR, Next-Gen SIEM), and any other modern SIEM/XDR options.

**The main question**:
For a one-person security team managing a large hybrid environment, which SIEM/XDR/SecOps platform would you recommend?

***DISCLAIMER: I understand that in our context, fully outsourcing to an MSSP/MDR would be the best option, but we decided to start without that for now, with the intention of transitioning to MSSP/MDR later.***

I’d especially appreciate feedback on:

* real operational effort after deployment,
* quality of out-of-the-box detections,
* custom log onboarding,
* detection language flexibility,
* false-positive tuning,
* Linux visibility,
* Microsoft identity integration,
* vendor support quality,
* pricing predictability at scale.

u/athanielx — 14 days ago

We often see Defender being installed on non-corporate devices. In some cases, users access corporate services from their personal computers (Teams, desktop Outlook), or simply connect their work profile to Windows, which then triggers automatic antivirus enrollment on that device.

What I currently don’t understand is how these devices should be properly removed afterwards. What is considered the best practice for offboarding Defender from non-corporate devices? So far, I haven’t found a reliable way to remove it remotely.

Also, how can we prevent Defender from being automatically installed on personal/non-corporate devices in the first place?

u/athanielx — 14 days ago

Very rarely, but occasionally, I have to run actual malware in my sandbox VM to see what it’s doing.

The flow is: successful attack – I extract the malware – run it in my sandbox (a VMware instance that mimics our corporate devices, including all naming conventions) – analyze it via Procmon and Wireshark – gather IOCs – and pass them along.

Doing this manually is time-consuming. I mainly focus on IP addresses and file creation, and that’s about it. Then I search for these IOCs across our XDR/Firewall, identify the compromised devices, and send them all for a wipe. That’s the short version.

But maybe there are better ways to analyze this? Are there any 'cool' sandboxes out there? To be honest, my current method with Procmon and Wireshark takes a lot of time just to filter out the noise. Since I don't have to do this often, I haven't updated my toolkit in quite a while.

u/athanielx — 19 days ago
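The noise-filtering step in the post above (manually picking file creations and IP addresses out of Procmon and Wireshark) is the part that can be scripted. The following is an added example, not code from the post or from Procmon, Wireshark or any vendor: it reads a Procmon CSV export (the default column set "Time of Day","Process Name","PID","Operation","Path","Result","Detail"), follows the sample's process tree through Process Create events, and keeps only successful file drops, outbound endpoints, child command lines and registry writes made by that tree. The sample rows, the process name invoice.exe, the hostname, the IPs and the noise-path pattern are all constructed for the example; the pattern in particular is a starting heuristic to extend per environment, not a complete allowlist. It goes slightly beyond the post by also collecting registry writes, since Procmon records those in the same export.

```python
"""Triage a Procmon CSV export into IOC candidates for one sample process
and every process it spawned. Example code; sample data is constructed."""
import csv
import io
import re

# Constructed Procmon CSV export (default columns). A real export has
# thousands of rows; these illustrate the event shapes the parser handles.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.100","invoice.exe","4120","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 4188, Command line: cmd.exe /c whoami"
"10:01:02.150","invoice.exe","4120","CreateFile","C:\Users\alice\AppData\Roaming\upd.dll","SUCCESS","Desired Access: Generic Write, Disposition: Create, Options: Synchronous IO Non-Alert"
"10:01:02.200","invoice.exe","4120","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point"
"10:01:02.300","cmd.exe","4188","TCP Connect","WS-FIN-07:49812 -> 203.0.113.45:443","SUCCESS","Length: 0, mss: 1460"
"10:01:02.400","cmd.exe","4188","UDP Send","WS-FIN-07:53 -> 198.51.100.9:53","SUCCESS","Length: 62"
"10:01:02.500","svchost.exe","1012","CreateFile","C:\Windows\Prefetch\INVOICE.EXE-1A2B3C4D.pf","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:01:02.600","invoice.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd","SUCCESS","Type: REG_SZ, Length: 80, Data: rundll32 upd.dll,Start"
'''

# CreateFile dispositions that actually create or overwrite a file; a plain
# "Disposition: Open" (e.g. loading a system DLL) is read-only noise.
DISPOSITION_RE = re.compile(r"Disposition: (Create|OverwriteIf|Overwrite|Supersede)\b")
CHILD_PID_RE = re.compile(r"PID: (\d+)")
# Remote side of a Procmon network path: "src:port -> host:port".
ENDPOINT_RE = re.compile(r"->\s*(\S+):(\d+)$")
# Constructed noise heuristic: paths the OS churns regardless of the sample.
NOISE_PATH_RE = re.compile(r"\\Prefetch\\|\\INetCache\\", re.IGNORECASE)
NETWORK_OPS = {"TCP Connect", "TCP Send", "UDP Send"}


def parse_procmon_csv(text):
    """Parse CSV text into a list of row dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def track_process_tree(rows, sample_name):
    """Return the set of PIDs for the sample and all of its descendants.

    Procmon exports are chronological, so a single pass that adds the child
    PID from each tracked parent's 'Process Create' event is sufficient."""
    tracked = set()
    for row in rows:
        if row["Process Name"].lower() == sample_name.lower():
            tracked.add(row["PID"])
        if row["Operation"] == "Process Create" and row["PID"] in tracked:
            match = CHILD_PID_RE.search(row["Detail"])
            if match:
                tracked.add(match.group(1))
    return tracked


def extract_iocs(rows, sample_name):
    """Collect file drops, remote endpoints, child command lines and registry
    writes made by the sample's process tree, skipping failed operations."""
    tracked = track_process_tree(rows, sample_name)
    iocs = {"files_created": set(), "remote_endpoints": set(),
            "child_processes": [], "registry_writes": set()}
    for row in rows:
        if row["PID"] not in tracked or row["Result"] != "SUCCESS":
            continue
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op == "CreateFile":
            if DISPOSITION_RE.search(detail) and not NOISE_PATH_RE.search(path):
                iocs["files_created"].add(path)
        elif op in NETWORK_OPS:
            match = ENDPOINT_RE.search(path)
            if match:
                iocs["remote_endpoints"].add((match.group(1), int(match.group(2))))
        elif op == "Process Create":
            iocs["child_processes"].append(detail.split("Command line: ", 1)[-1])
        elif op == "RegSetValue":
            iocs["registry_writes"].add(path)
    return iocs


def report(iocs):
    """Render the IOC sets as sorted lines ready to paste into an XDR or
    firewall search."""
    lines = []
    for key in ("files_created", "registry_writes", "child_processes"):
        lines += [f"{key}: {value}" for value in sorted(iocs[key])]
    for host, port in sorted(iocs["remote_endpoints"]):
        lines.append(f"remote_endpoint: {host}:{port}")
    return lines


if __name__ == "__main__":
    # Replace SAMPLE_CSV with open("Logfile.CSV").read() for a real export.
    for line in report(extract_iocs(parse_procmon_csv(SAMPLE_CSV), "invoice.exe")):
        print(line)
```

Pairing this with a Wireshark/tshark export of the same run covers the network side the same way: the endpoint tuples from Procmon are what to confirm against the capture before searching the XDR and firewall for them.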