How are you currently managing SIEM costs? Have you found effective ways to actually reduce storage costs for your SIEM?
Using lower-cost disk alternatives generally has negative effects on SIEM searches and performance. Therefore, I believe, it is better to focus on the size of the ingested traffic.
We have two initiatives to control the size of the ingested traffic into the SIEM environment:
- First of all, we reviewed all the log sources with the help of their admins/owners to understand whether they are meaningful and whether they are really essential for security processes. After this point, we also have a review process for all new log source integration requests. So, we are ingesting only the needed amount of data.
- The second part is continuous monitoring of log sources and ensuring there is no unwanted fluctuation in log volumes. We created top-N log source reports/dashboards, continuously monitor log size trends and instantly take action on abnormal fluctuations in log sizes.
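As an added illustration of the second initiative (this is example code, not something from the poster), here is a small top-N volume report with a per-source fluctuation check. The daily volumes are constructed sample data, and the 50% deviation threshold against the median of the previous days is an assumed tuning value, not anything the post specifies.

```python
"""Added example: top-N log source volume report plus a simple check for
abnormal day-over-day fluctuation. Volumes are constructed sample data
(GB per day); the last value in each list is "today"."""
from statistics import median

# Constructed sample: daily ingest volume per log source (GB).
SAMPLE_VOLUMES = {
    "firewall-edge": [42.0, 41.5, 43.2, 42.8, 44.0, 43.1, 95.0],  # sudden spike
    "windows-dc":    [18.0, 17.6, 18.3, 18.1, 17.9, 18.2, 18.4],
    "proxy":         [30.0, 29.5, 31.0, 30.2, 30.8, 30.4, 9.0],   # sudden drop
    "linux-auth":    [2.1, 2.0, 2.2, 2.1, 2.3, 2.0, 2.2],
    "debug-app":     [5.0, 5.1, 5.0, 4.9, 5.2, 5.0, 5.1],
}


def top_n_sources(volumes, n=3):
    """Return the n sources with the highest volume today, largest first."""
    today = {src: vals[-1] for src, vals in volumes.items()}
    return sorted(today.items(), key=lambda kv: kv[1], reverse=True)[:n]


def fluctuation_alerts(volumes, threshold=0.5):
    """Flag sources whose volume today deviates by more than `threshold`
    (as a fraction) from the median of their previous days.

    A drop is as interesting as a spike: a source that suddenly goes quiet
    may have stopped forwarding, which is a visibility gap, not a saving.
    Returns a list of (source, baseline, today, ratio) tuples.
    """
    alerts = []
    for src, vals in volumes.items():
        if len(vals) < 2:
            continue  # nothing to compare against yet
        baseline = median(vals[:-1])
        today = vals[-1]
        if baseline == 0:
            continue  # avoid division by zero for a brand-new source
        ratio = today / baseline
        if abs(ratio - 1.0) > threshold:
            alerts.append((src, baseline, today, round(ratio, 2)))
    return alerts


if __name__ == "__main__":
    print("Top sources today:", top_n_sources(SAMPLE_VOLUMES))
    for src, base, now, ratio in fluctuation_alerts(SAMPLE_VOLUMES):
        print(f"ALERT {src}: baseline {base:.1f} GB, today {now:.1f} GB (x{ratio})")
```

In practice the input would come from the SIEM's own ingest statistics rather than a dictionary, and the threshold would be tuned per source so that a naturally bursty source does not page anyone every Monday.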
It would have been beneficial had you mentioned whether your SIEM is located on-premises or in the cloud, and also whether most of your applications are on-premises or in the cloud. But assuming that your SIEM and workloads are in the cloud and the bandwidth costs of transferring logs between workloads and the SIEM are the least of your concerns, then you can try the following five-step process:
1. Prioritize logs from critical systems and high-risk areas, as hoarding every log can bury valuable data and increase costs.
2. Use tools to preprocess data, eliminate duplicate logs, and reduce redundancy before data enters your SIEM.
3. Leverage different storage tiers, moving less critical or older logs to cheaper, "cold" storage options or external data lakes for compliance purposes.
4. Ensure that your data is compressed effectively before storing it in the cloud.
5. Set clear policies for how long different types of data should be retained and automatically delete old or unused data after that period.
Let me know if you want to know more beyond this, given your specific environment, or if my assumption about your environment is not correct.
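To make steps 1, 2, 3 and 5 of the process above concrete, here is an added example (not code from the answer's author) of a pre-ingest filter: it drops low-value events, collapses duplicate lines seen within a short window, and tags each surviving event with a storage tier and an expiry date derived from a retention policy. The log line format, the policy table, the drop patterns and the 60-second dedup window are all constructed assumptions for illustration.

```python
"""Added example: pre-ingest filtering, deduplication and retention tagging
for SIEM cost control. Log lines and policy are constructed for illustration."""
from datetime import datetime, timedelta

# Constructed policy: which sources stay searchable ("hot"/"warm") and for how
# long. Anything not listed goes to cheap "cold" archive storage.
POLICY = {
    "firewall": {"tier": "hot",  "retention_days": 90},
    "auth":     {"tier": "hot",  "retention_days": 365},
    "proxy":    {"tier": "warm", "retention_days": 30},
}
DEFAULT_POLICY = {"tier": "cold", "retention_days": 365}

# Constructed drop rules: message fragments with little security value.
DROP_SUBSTRINGS = ("healthcheck", "DEBUG")


def parse_line(line):
    """Constructed line format: '<ISO timestamp> <source> <message>'."""
    ts, source, msg = line.split(" ", 2)
    return {"ts": datetime.fromisoformat(ts), "source": source, "msg": msg}


def preprocess(lines, dedup_window=timedelta(seconds=60)):
    """Return (kept_events, stats).

    A (source, message) pair repeated within `dedup_window` of the first
    occurrence is counted but not stored; once the window has passed the
    next occurrence is kept again and starts a new window.
    """
    window_start = {}  # (source, msg) -> timestamp of the kept occurrence
    kept = []
    stats = {"dropped_noise": 0, "deduped": 0, "kept": 0}
    for line in lines:
        ev = parse_line(line)
        if any(s in ev["msg"] for s in DROP_SUBSTRINGS):
            stats["dropped_noise"] += 1
            continue
        key = (ev["source"], ev["msg"])
        first = window_start.get(key)
        if first is not None and ev["ts"] - first <= dedup_window:
            stats["deduped"] += 1
            continue
        window_start[key] = ev["ts"]
        policy = POLICY.get(ev["source"], DEFAULT_POLICY)
        ev["tier"] = policy["tier"]
        ev["expires"] = ev["ts"] + timedelta(days=policy["retention_days"])
        kept.append(ev)
        stats["kept"] += 1
    return kept, stats


# Constructed sample input (documentation IP ranges, fictional users).
SAMPLE_LINES = [
    "2024-05-01T10:00:00 firewall DENY tcp 10.0.0.5 -> 203.0.113.9:445",
    "2024-05-01T10:00:05 firewall DENY tcp 10.0.0.5 -> 203.0.113.9:445",  # duplicate
    "2024-05-01T10:00:30 proxy GET /healthcheck 200",                      # noise
    "2024-05-01T10:00:31 auth failed login user=alice src=10.0.0.7",
    "2024-05-01T10:02:00 firewall DENY tcp 10.0.0.5 -> 203.0.113.9:445",  # outside window
    "2024-05-01T10:02:10 app DEBUG cache miss key=session:42",             # noise
    "2024-05-01T10:02:20 hr-portal page view /benefits",                   # unlisted -> cold
]


def run_sample():
    """Run the filter over the constructed sample and return its results."""
    return preprocess(SAMPLE_LINES)


if __name__ == "__main__":
    events, summary = run_sample()
    for e in events:
        print(e["tier"], e["expires"].date(), e["source"], e["msg"])
    print(summary)
```

The dedup counter is worth keeping: a repeated firewall deny is still a signal, so a real deployment would emit one event with a repeat count rather than silently dropping the copies, and the expiry date is what lets a downstream job delete or archive data without a human remembering to do it.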