Name: Cloud SIEM products with bring-your-own-data-lake options
Creator: The Webhound Team
Published: 2026-05-06T16:10:16.191237+00:00
Keywords: A practical dataset showing which cloud SIEM tools let customers keep log data in their own storage environments.

Cloud SIEM products with bring-your-own-data-lake options$1 spent

$1.49 spent

vendor	product_name	byo_storage_supported	supported_storage_platforms	deployment_model	evidence_url	notes
Securonix	Securonix on Snowflake	true	["Snowflake"]	Split-architecture model where Securonix hosts the analytics application while data remains in the customer's Snowflake instance.	https://www.securonix.com/products/securonix-snowflake/	None
Anvilogic	Anvilogic Multi-Platform SIEM	true	["Snowflake","Databricks","Azure Data Explorer","AWS S3"]	Multi-data platform SIEM that operates as a decoupled analytics and triage layer on top of customer-managed Snowflake, Databricks, and S3 data lakes.	https://www.anvilogic.com/snowflake	None
Panther Labs	Panther	true	["Snowflake","Databricks","AWS S3"]	Cloud-native SIEM that runs as a security analytics layer on top of customer-owned Snowflake, Databricks, or AWS S3 storage.	https://docs.panther.com/resources/panther-architecture	None
Hunters	Hunters SOC Platform	true	["Snowflake"]	Connected-app model where security data is ingested into and resides within the customer's own Snowflake account.	https://docs.hunters.ai/docs/connect-your-snowflake-to-hunters	Hunters currently supports only AWS as a cloud provider for Snowflake.
Databricks	Lakewatch	true	["AWS S3","Azure Data Lake Storage (ADLS)","Google Cloud Storage (GCS)"]	Native SIEM built on Databricks that decouples storage and compute, storing logs in open formats (Iceberg/Delta Lake) within the customer's cloud account.	https://www.databricks.com/blog/databricks-announces-lakewatch-new-open-agentic-siem	Currently in Private Preview as of May 2026.
Scanner.dev	Scanner	true	["AWS S3"]	S3-native security data lake and search engine that builds lightweight indexes alongside logs in the customer's own S3 buckets.	https://docs.scanner.dev/scanner/what-and-why/how-it-works	None
Matano	Matano	true	["AWS S3"]	Open-source S3-native SIEM built on Apache Iceberg, using a decoupled architecture where logs and indexes reside in the customer's AWS S3 bucket.	https://matanosecurity.com/solutions/security-data-lake	None
Datadog	Cloud SIEM (BYOC Logs)	true	["AWS S3","Azure Blob Storage","Google Cloud Storage"]	BYOC (Bring Your Own Cloud) model that decouples compute from data, storing logs in the customer's own cloud object storage.	https://docs.datadoghq.com/cloudprem/introduction/architecture/	None
Elastic	Elastic Security (Serverless)	true	["AWS S3","Azure Blob Storage","Google Cloud Storage"]	Serverless, stateless architecture that separates indexing and search tiers, storing all primary data in customer-accessible cloud object stores.	https://www.elastic.co/search-labs/blog/elasticsearch-serverless-stateless-architecture	None
Cribl	Cribl Search	true	["AWS S3","Azure Data Lake Storage (ADLS)","Snowflake","Google Cloud Storage"]	Search-in-place architecture that queries security data directly within customer-controlled storage (S3, ADLS, Snowflake, etc.) without rehydration.	https://cribl.io/products/search/	None
Microsoft	Microsoft Sentinel	true	["Azure Data Lake Storage (ADLS)"]	Cloud SIEM with a decoupled 'Data Lake' tier (Auxiliary logs) that stores large-volume logs in customer-managed Azure Data Lake Storage (ADLS).	https://learn.microsoft.com/en-us/azure/sentinel/basic-logs-use-cases	Data lake tier primarily supports high-volume auxiliary/basic log types for cost optimization.
CrowdStrike	Falcon Next-Gen SIEM	true	["AWS S3"]	SIEM platform utilizing an index-free architecture on LogScale with federated search capabilities to query data residing in customer-controlled AWS S3 buckets.	https://www.crowdstrike.com/en-us/blog/transform-aws-security-operations-with-falcon-next-gen-siem/	None
IBM	QRadar Log Insights	true	["AWS S3","Azure","Google Cloud Storage"]	SaaS-based SIEM platform featuring a federated search architecture (Data Explorer) that queries disparate logs directly in customer data lakes and cloud storage.	https://www.ibm.com/docs/en/security-qradar/log-insights/saas?topic=qradar-log-insights-overview	None
Query.ai	Query Federated Search	true	["AWS S3","Snowflake","Azure","Google Cloud Storage"]	Federated search overlay that decouples the query/analytics layer from the underlying storage, searching data in-place across customer-controlled data lakes and S3 buckets.	https://www.query.ai/product/	None
Gurucul	Gurucul Security Analytics on Snowflake	true	["Snowflake"]	Connected-app architecture where security analytics and detection logic run as a layer on top of the customer's owned Snowflake security data lake.	https://gurucul.com/technology-alliances/snowflake/	None
SentinelOne	Singularity Data Lake	true	["AWS S3","Azure Data Lake Storage (ADLS)","Google Cloud Storage (GCS)"]	Hyper-scalable security data lake architecture that separates compute from long-term storage, supporting data residency in customer-managed cloud object stores.	https://www.sentinelone.com/platform/data-lake/	None
Splunk	Splunk Cloud Platform (Federated Search)	true	["AWS S3","Snowflake"]	Decoupled search architecture where the Splunk Cloud compute tier performs remote queries directly against security data stored in the customer's own AWS S3 buckets.	https://help.splunk.com/splunk-cloud-platform/get-started/splunk-validated-architectures/splunk-platform-indexing-and-search/federated-search-for-amazon-s3	Supports 'search-at-rest' for S3 and selective 'promotion' of data into Splunk for forensic investigations.
Stellar Cyber	Stellar Cyber Open XDR	true	["AWS S3","Splunk","Elastic","Snowflake"]	Open XDR platform that allows security event data to be normalized and synchronized to a customer-controlled external data lake.	https://stellarcyber.ai/feature-focus-stellar-cyber-open-xdr-bring-your-own-data-lake/	None
Graylog	Graylog (Data Lake Backend)	true	["AWS S3","Google Cloud Storage","Azure Blob Storage"]	SIEM with a configurable Data Lake backend that routes logs to customer-managed object storage (S3, GCS, or Azure Blob).	https://go2docs.graylog.org/current/setting_up_graylog/create_data_lake_backend_on_amazon_s3.htm	Requires Graylog Enterprise license.
MixMode	MixMode AI SIEM	true	["AWS S3","Azure Blob Storage","Google Cloud Storage"]	AI-driven SIEM platform that decouples detection from storage, searching data in its native format across cloud and hybrid environments.	https://www.mixmode.ai/blog/building-a-better-soc-based-on-what-we-learned-in-2020	None
LimaCharlie	LimaCharlie SecOps Cloud Platform	true	["AWS S3","Google Cloud Storage"]	API-first SecOps Cloud Platform that decouples telemetry ingestion and storage, supporting data routing and search across customer-controlled cloud infrastructure.	https://limacharlie.io/	None
Wiz	Wiz (Security Analytics on Snowflake)	true	["Snowflake"]	Cloud security analytics solution that exports findings and telemetry into the customer's Snowflake security data lake for long-term retention and correlation.	https://www.wiz.io/integrations/snowflake	Primarily used for exporting Wiz findings and cloud telemetry into Snowflake for SIEM-like analytics.
Devo	Devo Security Data Lake	true	["AWS S3"]	Cloud-native SIEM built on a security data lake architecture that supports integration with customer-managed Amazon Security Lake and S3 storage.	https://www.devo.com/blog/aws-security-data-lake-and-the-devo-platform/	None
Trellix	Trellix Helix	true	["AWS S3"]	Cloud SIEM and XDR platform that integrates with customer-controlled Amazon Security Lake (S3) to query and analyze centralized security telemetry.	https://docs.trellix.com/bundle/helix_pg/page/UUID-5d35b819-de14-4255-f5ac-93ed431faff2.html	None
Lumu	Lumu SecOps Platform (Archive)	true	["AWS S3","Azure Blob Storage"]	SecOps platform with a decoupled network log archive (Lumu Archive) that stores and analyzes historical logs for long-term retention and retrospective hunting.	https://lumu.io/blog/introducing-lumu-secops-platform/	None

Made with Webhound · Ask questions about this research, build on it, or start your own