Contact: Suricata and SIEM use cases

Suricata was installed normally, and it is actually running on a 1G network.
However, since there is no SIEM yet, the logs are being loaded into Elasticsearch.

I tried to use Elasticsearch for the first time, but there are so many limitations in creating correlations with Elasticsearch that I judge I need to use another tool (only some specific rules can be triggered; IP-based correlation is not possible).

I'm currently looking at Datadog, Sumo Logic, LogRhythm, etc. If you use one of them, can you tell me how you are creating the correlation rules?
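As an added example (not part of this post, and not code from Suricata or any of the products named), here is a small Python correlation over Suricata EVE JSON alert lines that does the kind of IP-based correlation the post describes as missing: it flags a source IP that triggers several distinct signatures within a sliding time window. The sample lines, signature IDs, addresses and thresholds are all constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

def _eve_alert(ts, src, dst, sid):
    """Build a constructed EVE JSON alert line with only the fields this example reads."""
    return json.dumps({"timestamp": ts, "event_type": "alert", "src_ip": src, "dest_ip": dst, "alert": {"signature_id": sid}})
# Constructed sample (not real traffic): 198.51.100.7 fires three distinct signatures in
# five minutes, 203.0.113.5 repeats one signature, 192.0.2.44 spreads three over an hour.
SAMPLE_EVE_LINES = [
    _eve_alert("2024-05-01T10:00:00.000000+0000", "198.51.100.7", "192.0.2.10", 1000001),
    _eve_alert("2024-05-01T10:02:00.000000+0000", "198.51.100.7", "192.0.2.11", 1000002),
    _eve_alert("2024-05-01T10:05:00.000000+0000", "198.51.100.7", "192.0.2.12", 1000003),
    _eve_alert("2024-05-01T10:00:00.000000+0000", "203.0.113.5", "192.0.2.10", 1000001),
    _eve_alert("2024-05-01T10:01:00.000000+0000", "203.0.113.5", "192.0.2.10", 1000001),
    _eve_alert("2024-05-01T10:00:00.000000+0000", "192.0.2.44", "192.0.2.10", 1000001),
    _eve_alert("2024-05-01T10:30:00.000000+0000", "192.0.2.44", "192.0.2.10", 1000002),
    _eve_alert("2024-05-01T11:00:00.000000+0000", "192.0.2.44", "192.0.2.10", 1000003),
    '{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"flow","src_ip":"198.51.100.7"}',
    "truncated line from a partially written eve.json",
]
def parse_alerts(lines):
    """Yield (timestamp, src_ip, signature_id) for alert events; skip other types and bad lines."""
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") != "alert":
            continue
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        yield ts, ev["src_ip"], ev["alert"]["signature_id"]
def correlate_by_src_ip(lines, min_signatures=3, window=timedelta(minutes=10)):
    """Return {src_ip: sorted sids} for sources firing >= min_signatures distinct sids in any window."""
    per_ip = defaultdict(list)
    for ts, src, sid in parse_alerts(lines):
        per_ip[src].append((ts, sid))
    hits = {}
    for src, events in per_ip.items():
        events.sort()  # oldest first; tuples sort by timestamp
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events older than the window
            sids = {sid for _, sid in events[start:end + 1]}
            if len(sids) >= min_signatures:
                hits[src] = sorted(sids)
                break
    return hits
```

Counting distinct signature IDs rather than raw alert volume is what keeps a single noisy rule from tripping the correlation, while the sliding window bounds how far apart the alerts may be.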