LogRhythm SIEM Reviews

Our company manages the solution as a threat hunting platform for a semi-government client in the Hong Kong insurance industry. We collect logs for video, active directories, antivirus, and firewalls to consolidate them in the solution. 

From the central log collector, we build detection policies to identify threats or possible breaches. The solution also serves as a data storage platform to troubleshoot issues and find root causes.

In addition, logs that include performance data are created for devices such as routers and switches to monitor the availability of the office network. 

We also perform ongoing maintenance of the solution and all components to ensure everything runs smoothly. 

The correlation engine is extremely valuable because it uses machine learning to process information from the central manager and identifies issues in the network. 

The engine accurately and quickly identifies problem areas as it correlates events from various devices. 

Without this engine, logs would have to be built individually for each device. 

The security playbook could be pre-defined and available to other analysts with similar security issues. Currently, playbooks are individually written for various actions and threats. 

It would be faster and easier to react to issues if pre-defined playbooks were accessible to all analysts. 

I have been using the solution for seventeen years. 

The solution is stable. 

The solution is scalable. 

I have escalated issues to technical support and rate the assistance I received an eight out of ten. 

Positive

The initial setup is complex and I rate it a six out of ten. 

We implement the solution for our customers. 

The solution remains a top choice for our customers because of its performance, indexing rate, and coalition engine speed. Customers trying to use SIEM to collect logs and identify threats require a solution that responds quickly. 

The solution's correlation engine is very important because it uses machine learning to automatically collect and analyze quite a bit of data. 

When choosing a solution, it is important to determine what you want to achieve instead of how the solution works. Most solutions have a method for collecting logs, relaying information, and identifying issues so selection is more about the speed and accuracy of end results.

I rate the solution an eight out of ten. 

Visibility, obviously. Seeing all the logs from all the various log sources, be it perimeter, internal, overall security controls; getting it in one pane of glass. And alerting, obviously.

I started here two years ago, no SIEM. Now we have visibility into any type of external attacks, perimiter attacks. We've found operational problems, misconfigurations, things like that.

Logging improvements. I think that the template to reporting is just difficult, it's hard to go back. You can't modify the templates. So more customization. That would be key.

We could also use more information on how to integrate with specific vendors.

Threat intelligence is a big thing. LogRhythm actually has a pretty good threat intelligence deal, but we happen to use a vendor that is not built-in. It'd be great if LogRhythm could expand more on the user forum on how to integrate more with the more non-mainstream vendors.

It's good. We have all-in-one, an XM unit, because we're a smaller shop. It's been a great, a single unit. As we've needed to expand, I've put out more collector systems feeding back into the XM unit, so it's good.

We've used them many times. I'd say overall good. I was actually an ArcSight user at a previous company, I'd rank LogRhythm higher than those guys.

As I said, it was ArcSight at my previous company. I was lucky enough to try to build the security practice where I'm at now. LogRhythm was one of three that we evaluated.

I'd say straightforward. We did have PS as well, so it was very helpful.

QRadar and Splunk. And, for whatever reason - it is not really a truly a SIEM player - Tripwire. Management wanted us to evaluate Tripwire.

We're about 1200 seats, 10 locations roughly, totally a Cisco shop, from perimeter ASAs to IDS, Sourcefire, to web filtering, it's a big Cisco shop that I stepped into.

Our key security goals revolve around maturation and pulling more information into the SIEM. We started off with the low hanging fruit, the Active Directory, the SOCKS servers, things like that. But now we need to get more - all our security controls as well - security systems. We need more from executive PCs, from application servers, we need more visibility I think.

In terms of meeting these goals, this solution, on a scale of one to 10, is an eight, at least in terms of how we've been able to adopt it.

The most important criterion when selecting a vendor interoperability, the ability to pull logs, and the ease of customizing parsing logs. By far.

In terms of advice to a colleague, if they're looking at this and similar solutions: I've dealt with ArcSight before, they're a magnitude higher in terms of operationally managing the software. I haven't used QRadar, but from the surface, looking at it form 10,000 feet, I would say and Logarithm and it are probably much easier to mange, much easier to use.

LogRhythm has been really a good partner, they've reached out, they're always wanting information, "How we can improve? How can we do this or that?" Our SE and sales guy are really great. Keep in touch, so I feel like there's someone I can always reach out to if there's a problem.

For me, the NERC compliance modules are probably the best thing. And the system monitors, they really pick up a lot for me.

It helps you get an eagle-eye view and then delve down granularly. The ease of that is pretty amazing.

I've got three main datacenters and then I'm processing somewhere in the vicinity of 20 million logs a day. My key challenge is making sure that I'm complying with federal regulations.

It's helping me in my compliance role. Helping me to provide evidence for our audits so that I can show we're doing what we're doing.

My main thing I'd like to see is, when you're using canned reports, that they're not blank. If there's no log source say, "No log source", or if it didn't find anything say, "It didn't find anything". I hate blank reports.

I think it's pretty amazing. We have two deployments. My deployment is a small one that is on secured systems. We also have another deployment that's way bigger and for our normal corporate environment. So it fits from small to huge.

I have used LogRhythm tech support and I would say those guys are phenomenal, outstanding. They get back to you quick. If they can't answer it right off the bat they get an engineer to give you a call back, and they follow it through till it's good.

I gave it an eight out of 10 because you can kind of dig around and find what you need, so it's fairly user friendly. And the support that you get from their tech teams is pretty phenomenal.

I'd say definitely give it a look, and talk with them. I would definitely say that the support that you're going to get is well worth it.

Being able to centralize and have one view of all the threat events coming out of all my multiple security sensors.

It has been the easiest SIEM platform that I have worked with or seen in production.

It is an easy, centralized view of our environment.

Our key challenges and goals are maturing our security operations and security event management process.

• Better correlation of all events: We seem to get a lot of misinterpreted data coming from multiple sources. It would be nice to have an easier way to interpret the data and correlate it.
• The challenge of maintaining it: Maintaining compatibility with all of our log sources is still a challenge for us.

We have implemented it as a necessary feature, but we need to be able to mature that.

I was just involved in the decision-making process. However, I know that the deployment was straightforward.

It seems to be highly scalable and easy to scale.

I have not used LogRhythm technical support.

I was just involved in the decision-making process. However, I know that the setup was straightforward.

It is extremely important for our solution to be a unified internal platform.

I would recommend looking into it.

• Log correlation
• Aggregation
• Being able to quickly identify threats in our network.

Key challenges, right now, are just having the resources. Whether it be humans in the seats, because, as of know, it's just me. I'm our security program. So the challenges involve just having the time and the resources to stay on top of threats.

The solution is pretty effective towards meeting these challenges. Though we don't utilize it heavily at this point in time, but we're looking to it. I think it will be a big help to us in the future.

There are a lot of pieces of it that are very complex and time consuming. If we can try somehow to just make it more simple, that would be better.

I would like to see more pre-integrated SmartResponses. Right now, I'm on 7.1.10, so I'm not even to the current version. If there were more pre-integrated SmartResponses, that would be really cool.

We are in our infancy stage right now.

It was deployed before I was there.

It's very scalable. Right now, we have the XML appliance cell all-in-one, but I am looking to move the web platform off to another server. Clustering has really been impressive to me with the product.

It is really good. I've had a few interactions with them. The first was really good. The second one, he was good, but I could tell he was new, which isn't a problem. Overall, I've been really satisfied with it.

Really understand what's important to you as far as what are you hoping to gain out of the product, what threats are you looking at, and what are your critical logs sources. Just have a fundamental foundation before you start looking into it.

Having a unified end-to-end platform is really important to me, because I am the only security professional at the college. If I can avoid having systems all over the place, that is only going to be beneficial.

Most important criteria when selecting a vendor:

• It is the problem that they are solving and solving effectively.
• Being able to rely on really good support.

• Investigation
• Advanced Intelligence Engine
• Alarming and Response

We have made this the foundation of our security intelligence within our organization. It has allows us to detect and remediate Advanced Persistent Threats.

I would like to the log management database perform more efficiently.

I've used it for five years.

Some minor bugs with the mediator. Those have been fixed in patch releases a long time ago.

9/10.

9/10.

Setup was fairly straightforward. We were up and running with coverage of most log sources within two days.

We implemented it in-house. Active Directory import makes initial configuration quick and easy.

We also evaluated Splunk, and we chose LogRhythm as the correlation rules performed it handled clients on DHCP better.

We recommend that people implementing it choose to log everything, including logs from desktops, laptops, servers, switches and routers.

Our primary use case is for financial companies and telcos.

The most valuable feature is that we can alternate incident automations.

We need to get better training for things like creating code and playlists. The way it's done now takes a long time. 

I have been using LogRhythm NextGen SIEM for two years. 

The stability depends on the client we installing or integrating for based on the server's requirements. We can create them according to that defined time period. It's not that difficult but depending on the customer or the other server requirements.

We can have a dashboard in a single platform, we can get notifications via email or SMS, and we have Smart Response actions. So that kind of possibility is there.

Our clients are mostly on a larger scale. 

You can request support and they respond immediately. They're really good. 

The initial setup is easy. It can take two hours. The first day of deployment is easy. Then depending on the devices and log servers, it can take time. We can give them predefined or pre-created devices and logs. The deployment depends on the devices and systems we are integrating. But the initial stage is easy.

Because we are a developing country, the costs depend on country development. We implement it for large-scale companies because normal companies, startup companies, can't afford products at that price. We mainly focus on large-scale companies.

I would definitely recommend this solution if you can afford it. 

We get customized reports and we get reports including all the details, but when we start using them we couldn't start with the Outlook editor. We can customize a document and we can write a report. The dashboards are very user-friendly and very attractive. But when it comes to the reporting part, I think that could use improvement in the next release. 

I would rate it a seven out of ten. 

My primary use case is threat detection.

LogRhythm SIEM has improved our organization by allowing us to bring in very widely diverse log sources, correlate them, and very easily create rules around alerting. We also use the case management features of the product to easily integrate both products into a single pane of glass for our analysts so they don't have to use two different products for alarming, as well as case management.

I would say we have seen a decrease in mean time to detect and respond over our previous SIEM. Basically, I think it can be attributed to the integrated case management. We are able to create cases, get eyes on those cases much more quickly than we were before.

The most valuable features are probably the AI Engine is very valuable, as well as Netmon.

We plan on using the playbooks, and the value I think we'll get is automating the or scripting their responses that our analysts use, rather than using our existing playbooks, which are somewhat incomplete. I think the playbooks will be a lot of out of the box pre-scripted playbooks that should be extremely helpful to us, as well as integrating some of the smart response capabilities into the playbooks.

Definitely expansion on log parsing. There are some obscure log sources that we don't currently have parses for. We needed a new solution when our previous solution, the licensing expired on it. Hardware was out of life, as well as it wasn't scaling very well. Didn't provide a lot of the features that we needed.

Stability has been pretty good. We've had some road blocks, or some, I'm sorry, some road bumps, in terms of A&E stability, as well as with some log parsing with some of our larger log sources.

Scalability seems great. We actually did an expansion recently, and so far, it seems to be scaled well.

Tech support has been extremely helpful. They are generally very quick to respond. If the first level is not able to resolve the issue, they generally escalate pretty quickly, gather logs. They seem to be hands-on. They generally will take over your session, actually do a WebEx, take over your WebEx section and actually do most of the driving, to make things run a little smoother, a little more, than, you know, directing you to where to find logs in Linux or things that can be kind of obscure. They generally will do everything for you, short of making, you know, impactful changes.

As far as for supportive log sources, we find it to be very good for very common log sources, Palo Alto firewalls, you know, Windows log sources. There have been a few security tools that we've found that weren't supported out of the box, so we've had to either use professional services, try to create those parsing rules ourselves, or opened cases with LogRhythm support to have those created.

The reason we switched to LogRhythm, one of the core reasons, was the case management, and, as well as the Netmon. We liked having the integrated Netmon, and the case management, again, gave us a single pane of glass for our analysts to view the data, import the relevant data into the cases without having to use separate systems.

LogRhythm is definitely influencing. Since investing in LogRhythm, we've seen a lot more visibility into our product, into LogRhythm. We have a lot of non-security operations teams that are using the SIEM tools, just to view logs, Windows logs, troubleshooting issues, troubleshooting security events, so we're getting a lot of by-in from other teams into the program, which has accelerated the maturity of our program.

I was involved in the initial setup, and it was fairly complex. We did use a professional services to do most of the work, but, yeah, it was somewhat complex compared to some other solutions I've used in the past. However, with the capabilities of the product, it wasn't surprising, because, you know, with the feature-rich product, you're gonna have some complexity with it, as well.

I would probably rate it as an eight or a nine, currently, mainly, probably due to the complexity of importing log sources that aren't natively supported.