Associate - Security Operations Centre analyst at a security firm with 5,001-10,000 employees
Enhancing security with behavioral monitoring and alert management while needing better data manipulation
Pros and Cons
- "LogRhythm SIEM has some valuable features, including its ability to maintain backups of events and manage alerts separately through an engine that handles content and administration tasks."
- "LogRhythm SIEM needs improvement in data grouping and manipulation capabilities."
What is our primary use case?
I work with LogRhythm SIEM in a variety of ways, including monitoring security and compliance, conducting behavioral monitoring, and handling security information and event management (SIEM) tasks. The solution is used for security monitoring, user behavior analytics, NDR, and consolidating events from workstations to servers.
How has it helped my organization?
LogRhythm SIEM helps maintain security through continuous monitoring and provides a platform for behavioral monitoring, which can be deployed using the AI engine.
What is most valuable?
LogRhythm SIEM has some valuable features, including its ability to maintain backups of events and manage alerts separately through an engine that handles content and administration tasks.
What needs improvement?
LogRhythm SIEM needs improvement in data grouping and manipulation capabilities. The dashboard configuration capabilities are also very limited. Improvements are needed in the areas of query-based searches and pivoting table creation.
Buyer's Guide
LogRhythm SIEM
January 2025
Learn what your peers think about LogRhythm SIEM. Get advice and tips from experienced pros sharing their opinions. Updated: January 2025.
831,158 professionals have used our research since 2012.
For how long have I used the solution?
I have been working with LogRhythm SIEM just about two and a half years in my current organization.
What do I think about the stability of the solution?
I did not work on the stability aspect of LogRhythm, but I faced some issues with similar SIEM tools in terms of handling events-per-second rates.
What do I think about the scalability of the solution?
LogRhythm SIEM comes with scalability challenges, especially related to licensing. Increasing the scale requires additional licenses, unlike Microsoft Azure's pay-as-you-go model.
How are customer service and support?
I have not personally escalated any questions to LogRhythm technical support.
Which solution did I use previously and why did I switch?
I have experience working with various tools like Azure Sentinel, QRadar, and Splunk. These tools often have modern capabilities that are more comfortable to use compared to LogRhythm SIEM.
How was the initial setup?
I was not part of the initial setup as it is usually handled by a specialized deployment team.
What about the implementation team?
In our organization, the deployment team is responsible for LogRhythm's implementation.
What was our ROI?
LogRhythm SIEM is considered cost-effective, especially for medium-sized or smaller organizations, as it offers a decent SIEM solution.
What's my experience with pricing, setup cost, and licensing?
I am not aware of the specific pricing and licensing costs, but it is definitely less expensive than other tools like Splunk and Azure Sentinel.
Which other solutions did I evaluate?
I've evaluated Azure Sentinel and Splunk, which have distinct modern SIEM capabilities.
What other advice do I have?
For smaller and medium-sized organizations, LogRhythm can be a suitable option due to its cost-effectiveness. However, for larger organizations, solutions like Splunk might be more appropriate due to their advanced capabilities.
I'd rate the solution seven out of ten.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Oct 22, 2024
Security Lead at a financial services firm with 201-500 employees
Video Review
It has really improved my personal sense of security as far as our organization
What is our primary use case?
We utilize the LogRhythm solution to monitor most of our servers and our users to make sure that nothing anomalous is happening. What I really love about the LogRhythm platform is the fact that when something anomalous happens, I can see it almost immediately through the ability to collect a massive amount of logs in a very small footprint as far as hardware goes.
We do utilize everything. I think one of the most recent things that I've really enjoyed about LogRhythm is the ability to utilize smart responses published by LogRhythm. For example, one of our use cases is that we have a termed users group, and when someone is placed in there, we want to monitor to see if their account is ever activated again. So we have a smart response set up so that when a termed user is enabled, the smart response immediately activates and says bam, that user is getting disabled again. We don't want anyone to have access to that at all.
How has it helped my organization?
We've seen mean time to detect and to respond go down pretty significantly. We actually recently implemented the CloudAI solution, which allowed us to look into our users' anomalous behavior. Recently, we actually had some user who's a remote user, he traveled to somewhere else in the US, and CloudAI flagged it and was like, hey, this user is authenticating from somewhere new. This isn't somewhere we've seen before. I jumped right in, and I'm saying, "Hey, what's this user doing?" We emailed their manager who emailed them, and they said, "Oh, no, I'm just on vacation in California. It's okay." We had CloudAI learn about it, and now, it's really easy to see when a user does something anomalous.
CloudAI has been something in our environment that I have enjoyed immensely. It takes really a lot of the guesswork out of what our users are doing. Right when we implemented it, our CEO was actually out of the state, and we were having a hard time getting a lot of his user data because he was out of the state on vacation. When he came back, immediately CloudAI flagged him in the 80s with a threat score being from 0 to 100. Immediately, I was like, oh crap, our CEO's account has been compromised. But no, CloudAI was still learning our environment. It took it about a month or two to learn what was happening in our environment, what was going on, and then all of our threat scores, they kind of hover around the 20s now.
When someone does something anomalous, when they work out-of-state, even when they authenticate to a different Microsoft server, it lets us know immediately what's going on, and it lets us understand what our users are doing. CloudAI has definitely enhanced our security operations. It helps me understand what the users are doing almost instantaneously. It helps me understand what these users are doing in a daily report, and it helps me really feel why our users are doing certain things, why they're authenticating to certain servers. It helps me understand what their job would really want them to access or what their job has them access.
When they do something different from that, I really want to know why they're doing that. CloudAI helps me know what our users are doing. Rather than what hosts are doing or what servers are doing, it helps me know what the users are doing with their accounts. I think somewhere CloudAI would have room for improvement is maybe correlating hosts with IPs because often, I'll have a user, it'll come up with an anomaly score saying it's been authenticating from different hosts, but really what it is, is that it'll have the user's computer, then the user's IP that they're coming from, and sometimes their hostname with our domain name afterwards. Sometimes, CloudAI will be alerting us on some things that are really just the user's computer IP coming up multiple times.
What is most valuable?
LogRhythm has really improved, I think, my personal sense of security as far as our organization. I feel that I can trust the data that it's pulling in. Through its metrics, I can see when something isn't reporting so I know immediately if, maybe say one of our core servers isn't feeding its logs to us, I can remediate that almost immediately, and then feel secure again knowing that that data is coming to LogRhythm, and LogRhythm is correctly dealing with it. I can know that our security is in place.
We haven't used any of the LogRhythm built-in playbooks yet. Stability has been really good. The LogRhythm platform in our environment actually sat for three years with no one really using it. I came in about six months ago. I was able to pull it from generating about a thousand alarms a day that were just heartbeat errors, or critical components going down, to it actually only generating about 100 alarms a day, some of those being diagnostic alarms, but most of them being very helpful alarms that rarely ever point to having a component being down. With some short maintenance daily, LogRhythm has been a very stable platform.
What needs improvement?
I think condensing and consolidating what a user accesses over and over again and just having CloudAI understand that that's all of the user's, and you can consider it as one thing rather than multiple things, and alarming on it, and alerting me on it, having me have a mini heart attack every time it tells me that this user is authenticating from a new place.
What do I think about the scalability of the solution?
Scalability with the LogRhythm platform has been immensely easy. We went from about five system monitors to over 200 in a week. We implemented that through our system management thing, but rolling out 200 system monitors in a week was incredibly easy through the client console, which LogRhythm has documented immensely well.
How are customer service and technical support?
Tech support with LogRhythm has been great. I've only ever had one bad case out of about the 15 or 20 tickets I've put in. They usually immediately get back to me, and even if it's something outside of their scope, they're always willing to help refer me to the person that I need to talk to, and my issue is always resolved within the week. LogRhythm's support for log sources is great. We have about 3,000 log sources right now that we're taking in. Most of that is coming into our main data collector, but anytime we've had any new log sources that we need to onboard, it's been pretty seamless, and we haven't seen any performance hit on our main box.
With the LogRhythm platform, we're processing anywhere from 800 to 1,500 messages per second, and we don't see a performance hit at all.
How was the initial setup?
We've had CloudAI implemented into our deployment for about three months so far, and out of those three months, we've only had one day of downtime. That was with a scheduled transfer from how they were hosting it before to where they're hosting it now. Stability and uptime have been 99% plus. It's been something that I can count on every day to come in and see this report and rely on it. We really haven't had the chance to scale CloudAI. We're a growing organization, but we're not ballooning, and we're not adding on new users. CloudAI is a great option to sync with AD to pull all your users, and you can just set up the identities and run with it on day one. The reason why we went with CloudAI and decided that it was something we needed in our environment was because we had the log data for a lot of our servers, a lot of our hosts.
We had the authentication data from our domain controller on the users, but we really wanted to understand what the users were doing and why they were doing it. So we looked into other artificial intelligence programs that would do some of the similar things, but we realized that CloudAI would do what we wanted but then feed the data right back into the LogRhythm platform. With that, we were able to see what the users were doing along with what our servers were doing, what the hosts were doing, and we would have all that data correlated, and we could understand it in one big picture right in the web console.
The implementation of CloudAI was incredibly easy. We just ran a script, added a certificate, and all of a sudden, we were sending the data to them, and we had a report the next day. When we choose a vendor to work with, the number-one thing that we want to understand is that they understand the product. We aren't just going to go to a vendor and say, "Here's our money, please go learn about this product and then implement it in our environment," because I'll just implement it, I'll just learn about it myself and do it. But if I go to a vendor and learn that they know about this product, they've implemented something before, I'm going to go with them nine times out of 10 because they will do something that I can't do myself because I don't understand what's going on.
What other advice do I have?
If I had to rate LogRhythm and CloudAI out of 10, I think I'd give it an eight. There's still room for LogRhythm to improve, and they've laid out a pretty great roadmap for what they want to do in the future. I think if they continued to innovate and continue to implement the things that they've talked about, that they'll continue to grow in my eyes. There is some room for improvement, but overall, if you want a very solid platform with stability and scalability, LogRhythm is definitely the way to go.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
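The termed-users use case the reviewer describes (an account that was placed in a terminated-users group must never be re-enabled) can be modelled as a stateful check over Windows Security events. This is an added example, not LogRhythm's SmartResponse code or the reviewer's configuration; the event IDs are the standard Windows ones (4728 member added to a security-enabled global group, 4729 member removed, 4722 account enabled), while the group name, user names and event records are constructed.

```python
"""Detect re-enabled terminated accounts from Windows Security events.

Added illustration of the "termed users" SmartResponse use case; not
LogRhythm code. Event records are simplified, constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Standard Windows Security event IDs (not page-specific values).
EVENT_GROUP_MEMBER_ADDED = 4728    # A member was added to a security-enabled global group
EVENT_GROUP_MEMBER_REMOVED = 4729  # A member was removed from a security-enabled global group
EVENT_ACCOUNT_ENABLED = 4722       # A user account was enabled


@dataclass
class TermedUserMonitor:
    """Tracks membership of the termed-users group and flags re-enables.

    `seed_members` covers accounts that were already in the group before
    log collection started, so the monitor is not blind to them.
    """
    termed_group: str
    members: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        self.members = {m.lower() for m in self.members}

    def handle(self, event: Dict) -> Optional[Dict]:
        """Consume one event; return a response action or None."""
        eid = event["EventID"]
        if eid == EVENT_GROUP_MEMBER_ADDED and event["TargetGroup"] == self.termed_group:
            self.members.add(event["MemberName"].lower())
        elif eid == EVENT_GROUP_MEMBER_REMOVED and event["TargetGroup"] == self.termed_group:
            # Explicitly removed from the group: re-enabling is no longer a policy breach.
            self.members.discard(event["MemberName"].lower())
        elif eid == EVENT_ACCOUNT_ENABLED:
            user = event["TargetUserName"].lower()
            if user in self.members:
                # Mirrors the reviewer's SmartResponse: disable again and alert.
                return {
                    "action": "disable_account",
                    "user": user,
                    "enabled_by": event["SubjectUserName"],
                    "record_id": event["RecordId"],
                }
        return None


def run_monitor(events: List[Dict], termed_group: str,
                seed_members: Optional[Set[str]] = None) -> List[Dict]:
    """Replay a list of events in order and collect the actions produced."""
    monitor = TermedUserMonitor(termed_group, set(seed_members or ()))
    actions = []
    for ev in events:
        act = monitor.handle(ev)
        if act:
            actions.append(act)
    return actions


# Constructed sample stream (hypothetical group "Termed Users" and user names).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4728, "SubjectUserName": "hr-admin",
     "TargetGroup": "Termed Users", "MemberName": "jdoe"},
    {"RecordId": 2, "EventID": 4722, "SubjectUserName": "helpdesk1",
     "TargetUserName": "JDOE"},                     # policy breach: must be flagged
    {"RecordId": 3, "EventID": 4728, "SubjectUserName": "hr-admin",
     "TargetGroup": "Termed Users", "MemberName": "asmith"},
    {"RecordId": 4, "EventID": 4729, "SubjectUserName": "hr-admin",
     "TargetGroup": "Termed Users", "MemberName": "asmith"},
    {"RecordId": 5, "EventID": 4722, "SubjectUserName": "helpdesk1",
     "TargetUserName": "asmith"},                   # rehired and removed first: fine
    {"RecordId": 6, "EventID": 4722, "SubjectUserName": "helpdesk2",
     "TargetUserName": "bwayne"},                   # never termed: fine
]


def demo() -> List[Dict]:
    """Run the sample stream; returns exactly one disable action (for jdoe)."""
    return run_monitor(SAMPLE_EVENTS, "Termed Users")


if __name__ == "__main__":
    for action in demo():
        print(action)
```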
Senior SIEM Engineer at a financial services firm with 501-1,000 employees
Video Review
We've reduced mean time to detect and respond to threats by 24 hours
What is our primary use case?
Our primary use case is for fraud detection and infrastructure, so we use the SIEM to detect frauds in the banking side of the house as well as infrastructure. I use it for security and UEBA purposes.
How has it helped my organization?
We have seen a lot of improvement. When I first got into LogRhythm, we were just doing the fraud side of the house. Afterwards, we started doing the infrastructure side, where we're seeing a lot of events coming in. We were getting a lot of ransomware attacks that are happening or a lot of malicious actors coming in, trying to hack us, which we can see in the SIEM right away and use the SmartResponses to block it at the firewall level. We stop them at the edge level, and we don't have to worry about them coming in.
We do have an MSSP that does our 24 hours ops, when we're not there during normal business hours.
The playbooks will come in handy for them to go through and meet our expectations, so I can design the playbooks of what I expect and what the organization expects during certain events triggering and the process that they need to take place for them to call us up at night and say, "Hey, this is something that needs your attention."
I have plenty of log sources. Roughly, I have about 500 plus different types of log sources coming into my LogRhythm, and the support's been great. The out of the box solutions with their log message processing has majority of what I need. There are some that I had to create, because obviously the products are new, and I made LogRhythm aware of it, and they're creating custom parsers for it.
We are rated for 10,000 MPS because we have two data processors and data indexers, but I'm only using about 3,500 combined.
The solutions have been great for us. We use the SmartResponse to do most of our automation work for us, to block attacks, and to kick off users if they're doing anything malicious. It's saved us a lot of man hours. Based on MTTD and MTTR for us, we've saved a lot of considerable time.
I did see it decrease in time to detect and respond by a day, because there is myself during work hours and the MSSP, which we combined, and we've reduced it to about 24 hours, mean time to detect.
What is most valuable?
Some of the valuable features, I find it's very easy for me to integrate new log source types within the SIEM. The MPEs, there's plenty out of the box solutions that we can integrate new appliances with. We're constantly buying and upgrading our appliances, so it makes it easy for me to ingest logs and run correlations in the AI Engines.
Currently, we don't have full spectrum capabilities. We're using AI Engine mostly to run correlations, and then we obviously have our dashboards and stuff, but apart from that, we're working on the UEBA implementation for users to run more correlations. We do have our net monitors that we use to run packet monitors, packet captures, and even traces.
What needs improvement?
I think where I see room for improvement for LogRhythm is probably granularization of log source types. So, if that were to happen, I think it'd be a lot better for the product.
What do I think about the stability of the solution?
I've never had any issues with my SIEM. We just upgraded from physical to virtual, and it was a seamless process. Everything worked well.
What do I think about the scalability of the solution?
LogRhythm is very scalable. We increased our MPEs from 2,500 to 10,000 right now, and we're very happy. We have room for plenty of growth. We're only using less than half of what we have.
How are customer service and technical support?
Tech support's always been great. Every time I had an issue, I'd go in, open up a support ticket. I usually get an engineer calling me back within the first half an hour, and they'll help me troubleshoot within a day.
How was the initial setup?
The product was already set up when I first jumped on with the organization. My only process was the movement from physical to virtual and then the upgrade to 7.3 and 7.4.
What other advice do I have?
So, we are in the current five-year security maturity program. We're on year one, and LogRhythm is gonna be the center point for the first two years in terms of aggregating all the different log source types within the organization. We still find that there are log source types that are not coming in, which we plan to integrate within LogRhythm and use its analytics tools to help us get more mature and establish us forward in maturity of our security for the industry.
I rate LogRhythm 10. It's very easy to use. It's very user-friendly. The product is very innovative with SmartResponse and AI Engine, so it takes half the work from myself and my analysts, so I love that product for that reason.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Case Management allows us to track what we see in the incidents that arise
Pros and Cons
- "The alarm functions have helped us cut down on the manual work. They bubble things up to us instead of our having to go look for stuff. Also, from an operational perspective, day to day, the Case Management functions are really useful for us. They allow us to track what we see in the incidents that we have."
- "We have run into problems with stability going through upgrade processes. Recently, we have been on the front edge of the upgrade path. When that happens we tend to run into issues either with certain functionality not working after the upgrades or stability issues because of the upgrades."
What is our primary use case?
It's our central security monitoring platform. It's where we bring all of our events together so we can monitor our network.
How has it helped my organization?
It's helped us be more streamlined in our monitoring processes. We used to have multiple places where we'd have to do this work and now we have centralized all of it into one platform.
Also, the alarm functions have helped us cut down on the manual work. They bubble things up to us instead of our having to go look for stuff.
In terms of our security program maturity, I think we're fairly mature. We definitely have some ways to go still, but we're continually improving. We've had a security program for some 15 years, so it's been around and had time to mature. LogRhythm has definitely been a part of that. For the operations and monitoring pieces, going from what we had before to it being the central component for us, it has really helped us become more mature in those areas.
What is most valuable?
From an operational perspective, day to day, the Case Management functions are really useful for us. They allow us to track what we see in the incidents that we have.
We use the full-spectrum analytics capabilities. We have a number of rules that we've built, and built-in rules that we leverage as well. We've got a whole bunch of dashboards and the like to do the analytics. We definitely find the full-spectrum analytics to be valuable.
What needs improvement?
Hearing the roadmap items, it's pretty good. I especially like the fact that the playbook is coming with the ability to integrate the smart responses into the playbooks. That way, we can not only have the playbooks, take those steps, but start to automate those steps as well. I think that is really powerful.
We played around with the CloudAI portion during the beta. We're not currently using it. But I think more in that area is going to be really important, where we can look at machine-based patterns, as opposed to just, "I saw two of these and three of these things, so set an alarm." I'm really excited about that.
For how long have I used the solution?
More than five years.
What do I think about the stability of the solution?
Generally, the stability has been good. We have run into problems with stability going through upgrade processes. Recently, we have been on the front edge of the upgrade path. When that happens we tend to run into issues either with certain functionality not working after the upgrades or stability issues because of the upgrades.
What do I think about the scalability of the solution?
It will definitely meet our needs going forward. We're not a huge shop, so we haven't had a whole lot of problems there.
But going back to the upgrade issue, in a previous upgrade from 6 to 7, we ended up with some hardware problems, because of scalability, with the software change. The hardware that we had didn't meet the needs anymore. But we were able to get that resolved.
How are customer service and technical support?
Technical support is not bad. The lower-level, first-line support is not always great, but if we can get to the right people, then it's pretty good.
Which other solutions did I evaluate?
At this point, it's a pretty core platform for us, so we haven't been looking around.
What other advice do I have?
We do not use any of the playbooks currently. We'd definitely like to. It's a feature that we're planning to implement pretty soon.
Regarding our log sources, it's in the high hundreds, probably not in the thousands. When it comes to messages per second that we are processing, looking at the average, we're at about 1,000, but we peak somewhere north of 1,500.
I rate the solution an eight out of ten. It's a great platform, but I don't want to give them too much confidence; there's always room to improve.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Security Consultant at ITSEC Asia
Provides EDR, MDR, and XDR with the AI engine assist but has retrieving issues
What is our primary use case?
Mostly in Indonesia, LogRhythm SIEM is used by government agencies that must use the on-prem solution because of the significant requirements for SIEM solutions. It sells products as a one-time solution rather than a subscription model. Many customers sometimes forget to renew their subscription. If someone doesn’t renew the subscription, the only options that could still operate are LockSystem and Elastic. If you don’t renew the subscription, it becomes basic and loses most functions, but you can still operate the system with limited functionality. It allows full access until the last bill is paid.
Secondly, LogRhythm offers more than SIEM; it has an EDR, MDR, and XDR. Compared to its competitors, it is the most complete solution. The downside of LogRhythm is that it is slow.
What needs improvement?
LogRhythm SIEM works well, but the biggest pain point is retrieving logs using multiple filters. Even though they use Logstash from the ELK stack, it becomes very slow. LogRhythm's system uses Logstash, and while it's very fast in Elastic, it's not as quick in LogRhythm.
For how long have I used the solution?
I have been using LogRhythm SIEM since 2022, and I worked with this solution from 2012 to 2014.
What do I think about the stability of the solution?
LogRhythm is very stable. The big four for SIEM—LogRhythm, Splunk, and Elastic—are all very stable. They don't have many critical incidents while performing their tasks, and almost no test incidents exist. LogRhythm’s query processing is slow.
They will provide the results, but sometimes the data takes 15 to 20 minutes, or even an hour, to display.
What do I think about the scalability of the solution?
Scalability depends on the two types of products. One uses virtual software, and the other is an appliance system. The virtual server is very easy to scale. We can add processing power, memory, and storage, allowing it to scale up easily since it is virtual. It’s not as scalable for the appliance because they sell appliances designed for a certain number of users and capacity. LogRhythm uses EPS, which limits the scalability of the appliance systems.
LogRhythm measures throughput in Messages Per Second, not gigabytes per second. Scaling is determined by the number of messages processed per second. While storage capacity can be increased, the appliance's performance is optimized for a specific MPS range, making it challenging to scale beyond its designed capacity.
It is for mid-sized organizations because they don't need to scale significantly. For example, if they only need 10,000 MPS or 5,000 MPS, the appliance is sufficient for their requirements without further scaling.
I rate the solution an eight out of ten.
How are customer service and support?
LogRhythm had a strong presence in Indonesia between 2012 and 2014, with excellent support. From 2022 until now, their regional office has been in Singapore. If support is needed, it typically goes through a distributor. For more complex issues, we must contact Singapore for assistance. Getting LogRhythm personnel to come to Indonesia can be challenging, and arranging an on-site visit usually requires significant effort.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup is easy because LogRhythm has the most out-of-the-box integrations with Penitin. If I have a firewall, they have an out-of-the-box connection with it. If I have a switch, router, or another system, they also have out-of-the-box connections with those. It's very easy to use LogRhythm's system.
What's my experience with pricing, setup cost, and licensing?
IBM QRadar is the most expensive SIEM solution, followed by LogRhythm and Splunk, which are also on the higher end in pricing. LogRhythm and Elastic are more affordable options. Elastic is open-source, making it a cost-effective choice.
LogRhythm stands out because it offers a perpetual license, meaning renewing it annually is unnecessary. Over a long period, such as five years, this makes it a cheaper option since the license does not need renewal.
What other advice do I have?
LogRhythm's AI engine assist is good enough. Everyone talking about threat hunting mostly mentions continuous virtual assessment or vulnerability management. The guard will allow some people in and stop others based on their knowledge. If the SIEM determines that a person is eligible to enter, they will allow it; if not, they will stop them.
Overall, I rate the solution a seven out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Last updated: Sep 25, 2024
Senior Network Engineer at a government with 5,001-10,000 employees
Useful to maintain logs for auditing purposes, but too complicated to use with insufficient support
Pros and Cons
- "The feature that makes it usable is the web interface."
- "It is a product that is very hard to use."
What is our primary use case?
Our primary use case is for general log monitoring. We do not use it as a SIEM.
What is most valuable?
The feature that makes it usable is the web interface.
One nice feature about the product is the log message field extraction, where they try to fit every field into a field name. A log message is a string of ASCII text and its value depends on how the vendor formats it. Fields within log messages, such as a time stamp or source IP address, are delimited by spaces. Depending on the type of device, the information varies because if it's a temperature sensor you'll get temperature, or if it's a pressure sensor you'll get pressure, but if it's an Active Directory server you'll get an Active Directory message. The problem comes about because in some cases, the fields are not labeled.
Rather than an identifier for a source IP address (e.g. "SRCIP="), it will just have the address, and you have to determine what it is based on its location within the message. Of course, even though the field name is not in the log message itself, the field will still have a name. Extracting it correctly requires that you understand how the vendor formatted it. With LogRhythm, it does a better job than some products at slotting every field into a field name.
What needs improvement?
The biggest complaint I have is about their support. There is no free instructional advice available on their website. An example is with their field names inside log messages, where they have one named "Common event". That is something that LogRhythm has created, and you can't figure out what it means unless you pay a large sum of money for LogRhythm training. Compare this to Splunk, where I can go to their website and download twenty articles on field names right now. There is no documentation that we can afford to buy for this product, so we just have to wing it.
Their product has issues when it comes to hard drive management. Again, their support is not one hundred percent. We are using their hardware, and one time the product just spontaneously stopped collecting logs for about a month and nobody knew it. We called them, and it took a week or two of troubleshooting before they found the issue. To make it worse, the issue was not a misconfiguration. Rather, it was related to how they were storing temporary logs on the hard drive. The drive was shutting down and the logs were not being accepted. It took them weeks to figure this out and it shouldn't have happened in the first place, which suggests a bad design.
It is a product that is very hard to use. You have to set a wide variety of parameters before you can even start to search. The highly structured nature of it does provide some guidance, but with a lack of documentation for things like field names, I don't know what I'm looking for.
We don't get much use out of this product because people around here consider it to be unreliable, and it's hard to do searches. The main reason for it being here is that there are audit requirements for collecting logs and maintaining them. We have been able to solve problems with it, but searching is kind of clunky.
For how long have I used the solution?
Three years.
What do I think about the stability of the solution?
With respect to stability, I can only speak to our environment, but we have had issues with the hardware. It's a Windows product. We have seen the system spontaneously seizing, and we have experienced complete failure.
When an incoming log message is processed there are a lot of operations that have to take place. These include analyzing the time, identifying fields to see which are present, naming the fields, and indexing the information. We have seen this process fail quite a few times. With the recent purchase of new hardware, however, I don't think that we have had this problem lately. It may be related to an older version of the hardware, but I don't know.
What do I think about the scalability of the solution?
I think scalability would be more difficult. Unlike Splunk, where the licensing is based on the volume of incoming gigabytes, you have to buy additional hardware to handle an increase in data. These boxes are then added to a cluster, and it is expensive.
We have four or five people who use this product, and we're all network engineers.
How are customer service and technical support?
I don't like their support.
If you go on their website and you want to get a training video for how to do X then forget about it. They're not going to give it to you until you pay. They don't give you any information unless you pay for it. I think that stinks about the product.
Let's say that I am using Splunk, and I need to know how to write a regex (regular expression), or if I need to know how to configure an index or something, then I go on to the website, find an instructional article, read it, and finish what I'm doing. With LogRhythm it's "Where's the money?"
I understand that you have to pay for training courses, and I understand that you have to pay for certification, but it is the same with Splunk. With LogRhythm, it doesn't give you anything without paying first.
What about the implementation team?
LogRhythm came in and deployed the product, and there is no maintenance required that I know of.
What's my experience with pricing, setup cost, and licensing?
This is a solution for people who have cash to spend. Everything is expensive with LogRhythm, and you don't get anything for free.
I suggest that everybody who uses this product receive the full training and certification, and can also afford to pay for the high-level engineering support. If you don't have the money for the training, then it's not for you. It costs approximately $5,000, but if you don't get it then you won't be an efficient user. It is a very complicated product, so the training has to be a commitment that you're willing to make. The training cannot be for a single person, but everybody who will be using the product.
LogRhythm sells you a box that has a certain capacity for incoming log messages. Once you exceed that capacity, you have to buy another box and cluster it. It's expensive. It is for environments where the money is not a barrier.
Which other solutions did I evaluate?
The solution was already in place when I arrived, so I was not involved in the decision.
What other advice do I have?
Honestly, I don't like this solution so much. I'm actually a Splunk Certified Architect and so I know Splunk pretty well, and when I compare them, I really don't like this product. The best advice that I can give is not to install this product unless you have a use case that matches its capabilities.
The use case for this product, the LogRhythm SIEM, is in a regulatory environment such as HIPAA, SOC, PCI, or banking. These are heavily audited environments where you have precise requirements for reporting. They have pre-configured lots of different types of inputs but it's a very rigid environment. You can only collect information from certain types of sources and it's very complex as to how to instruct the product to obtain a certain type of log message.
Once you configure a new log message source, you'll have to go on to the LogRhythm platform and conduct a variety of clicks and actions to vet or verify that log source and allow LogRhythm to start collecting logs. Not only that, but there's one more annoying thing. I'd say for these highly audited environments, regulatory environments that I mentioned, they have many, many pre-configured reports.
So, it's designed very rigidly. In other words, they have done a lot of work in pre-identifying what the fields are in every type of log message. If you're getting log messages from Active Directory or the firewall then they know exactly what every field is. But, they have their own particular naming convention for fields and with the rigidity, you can't change that so easily.
I'm in the networking team and we're using it to monitor log messages from our networking equipment. For that, it's not such a good product. For example, consider a jet engine with a lot of sensors, such as temperature, pressure, rotational speed, wind speed, fuel flow, etc. They have lots and lots of sensors in them that are all connected by ethernet. If you want to use Splunk to monitor a jet engine you can do it, easily. Forget about doing that with LogRhythm, that's not happening.
The bottom line is that for highly regulated industries it may work well, but you cannot use LogRhythm to monitor equipment. You also have to make sure that everybody who uses the product has full training and certification. If you're not willing to commit to the full training then don't even consider it.
I would rate this solution a five out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
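The positional-versus-named field problem described in this review's "What is most valuable?" section, and the parse-time, name-fields, index steps it lists under stability, as an added example (not part of the review and not LogRhythm's code): the two message formats, the vendor key names, the common field names and the sample lines are all constructed for illustration.

```python
"""Added example (not the review's or LogRhythm's code): naming log fields that arrive
as key=value pairs or only by position, then indexing them under one common schema."""
from datetime import datetime, timezone
import re
# Constructed layouts: the positional source carries no field names in the message (the
# reviewer's SRCIP= case), and constructed vendor key names map onto the common names.
POSITIONAL_SCHEMAS = {"fw-positional": ["action", "proto", "src_ip", "src_port", "dst_ip", "dst_port"]}
COMMON_NAMES = {"ACT": "action", "PROTO": "proto", "SRCIP": "src_ip",
                "SPT": "src_port", "DSTIP": "dst_ip", "DPT": "dst_port"}
HEADER_RE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")  # timestamp host source: body
KV_RE = re.compile(r"(\w+)=(\S+)")

def normalize(line):
    """Parse the time, name every field and return one event dict; reject bad layouts."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("unrecognised header: %r" % line)
    ts, host, source, body = m.groups()
    stamp = datetime.fromisoformat(ts).astimezone(timezone.utc)  # normalise to UTC
    event = {"@timestamp": stamp.isoformat(), "host": host, "source": source}
    if "=" in body:  # self-describing: the field names travel inside the message
        for key, value in KV_RE.findall(body):
            event[COMMON_NAMES.get(key, key.lower())] = value
    else:            # positional: the names come only from our schema for that source
        schema = POSITIONAL_SCHEMAS.get(source)
        if schema is None:
            raise ValueError("no positional schema for source %r" % source)
        tokens = body.split()
        if len(tokens) != len(schema):  # a different layout would silently mislabel fields
            raise ValueError("expected %d fields, got %d" % (len(schema), len(tokens)))
        event.update(zip(schema, tokens))
    return event

def index_events(lines, field="src_ip"):
    """Index the events that could be named on one common field; list the lines rejected."""
    index, rejected = {}, []
    for line in lines:
        try:
            event = normalize(line)
        except ValueError:
            rejected.append(line)  # surfaced for review rather than indexed with wrong names
            continue
        index.setdefault(event.get(field), []).append(event)
    return index, rejected
# Constructed samples: one self-describing, one positional, one positional with lost fields.
SAMPLE_LINES = [
    "2025-01-15T10:30:00+02:00 fw1 fw-kv: ACT=deny PROTO=tcp SRCIP=10.0.0.5 SPT=51234 DSTIP=203.0.113.9 DPT=443",
    "2025-01-15T10:30:00+02:00 fw2 fw-positional: deny tcp 10.0.0.5 51234 203.0.113.9 443",
    "2025-01-15T10:30:00+02:00 fw2 fw-positional: deny tcp 10.0.0.5",
]
```

Both well-formed samples land under the same common names (so a search on src_ip finds both), while the truncated positional message is rejected instead of having its remaining tokens slotted into the wrong fields.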
IT Security Architect at a construction company with 10,001+ employees
It has centralized monitoring for our security operations
Pros and Cons
- "It has centralized monitoring for our security operations. Therefore, it improves our analysts' work."
- "Stability has probably been one area where Health Checks have not been great with the product. We have been told that they are going to improve Health Checks on the product, though we do struggle with them on a daily basis."
- "Scalability misses the mark sometimes, especially when you have an integrated disaster recovery built into the solution."
What is our primary use case?
The primary use case is to monitor for compliance and the behavioral analytics of our users, tracking for potential threats to the company's infrastructure.
We are using both products. We are using NetMon integrated with the LogRhythm platform.
How has it helped my organization?
It has centralized monitoring for our security operations. Therefore, it improves our analysts' work.
Our security program's maturity has been transformational for my staff. First, from an educational standpoint, all the staff have started to go through either admin or analyst tracks and education. This definitely organizes my security operations to the point that it makes it easy for me to do security operations. It facilitates it throughout the organization.
What is most valuable?
Out-of-the-box, it already has a knowledge base solution. Therefore, if you do a little bit of work, such as configure the lists and log sources, you can have use cases implemented quickly.
What needs improvement?
Their current roadmap is what I want to see implemented. I want to be able to upgrade to 7.4 and have the playbooks implemented as fast as possible.
What do I think about the stability of the solution?
Stability has probably been one area where Health Checks have not been great with the product. We have been told that they are going to improve Health Checks on the product, though we do struggle with them on a daily basis.
What do I think about the scalability of the solution?
Scalability misses the mark sometimes, especially when you have an integrated disaster recovery built into the solution.
LogRhythm is looking at elasticity and trying to make the product more scalable.
How are customer service and technical support?
We use the tech support on a daily basis. They are very easy to reach. There is always a person whom you can talk to who is focused on my issue at hand. They really pay attention to me, and that's worth it in my book.
What about the implementation team?
I maintain the solution. Right now, I have two dedicated engineers and two analysts. However, we need more staff and are looking to hire more because we want to grow this solution to suit our needs.
What was our ROI?
It improves our mean time to be able to respond and remediate issues that we come across.
Which other solutions did I evaluate?
There is a different reason why you pick LogRhythm over its competitors. It is a security SIEM, where others are SIEMs but not focused on just security.
What other advice do I have?
The playbook capabilities are in 7.4, which we are not able to utilize yet. Therefore, we have built playbooks outside of the solution. However, we are looking forward to the integration of playbooks in 7.4, or even version 8.
We were shown today a couple of things where playbooks will be enhanced, even having SMARTResponse coming right out of the playbooks, so hopefully advanced SOAR capabilities.
We run two independent LogRhythms. On one, we have about 33,000 different log sources, which include endpoints and now IoT devices. On the other, we have a very small footprint. It is somewhere around 3,000 log sources.
On one of my LogRhythms, I have a messages-per-second rate of around 2,400 to 2,500. That spikes depending on the time of day. Sometimes, it goes up to 17,000. On average, it comes back down to about 2,300. On the other LogRhythm, there are very few messages per second. It is around 600.
Do your homework first. See what pie in the sky solution is supposed to be for your SIEM. Do not just check a box. LogRhythm will more than likely suit your needs.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Sr Manager - Information Security at a computer software company with 1,001-5,000 employees
The product prioritizes alerts and provides good log analysis and rule management features
Pros and Cons
- "The log analysis feature is valuable."
- "The responses provided by the cloud team are inefficient."
What is our primary use case?
The solution is used for threat hunting. We also use it as a SIEM for our SOC.
How has it helped my organization?
The solution enhances our organization's threat detection and response capabilities. It prioritizes alerts. We can write rules on it. It provides a comprehensive rule list out of the box. We have compliance rules for PCI and SOC. We prioritize the rules for PCI compliance. Assets that we have ingested have PCI labels, and we can identify the websites that need PCI. We can visualize threats on important assets and analyze, mitigate, and rectify them.
What is most valuable?
The log analysis feature is valuable. The solution has an AI rule manager. AI Engine gives us plenty of options to write new rules and modify existing rules according to our requirements.
What needs improvement?
The cloud version must be scaled better. The EPS values shown are sometimes not reflective of how we see them. Log ingestion takes a couple of days. When we have errors, the turnaround time is two to three days. It should be organized for better turnaround time. The cloud infrastructure is taken care of by the cloud team. The responses provided by the cloud team are inefficient. The response time must be improved.
For how long have I used the solution?
I have been using the solution for two years.
What do I think about the stability of the solution?
I rate the tool’s stability a seven out of ten.
What do I think about the scalability of the solution?
The tool is scalable, but the tech stack is very old. It doesn't use the new generation bells and whistles like artificial intelligence. There is a lot of room for improvement. I rate the scalability a seven out of ten. In our organization, 12 to 15 security analysts use the solution.
How are customer service and support?
The support team helps us a lot.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We used FireEye two years ago. The management decided to move to LogRhythm SIEM because FireEye was going through a transition, and we wanted a stable product.
How was the initial setup?
The initial setup is not easy. It requires technical skills. I rate the ease of setup a six or seven out of ten. The solution is cloud-based. Our environment is very complex. The deployment takes three to four months. We have to install agents. We have multiple locations with multiple data centers and a multi-cloud presence. The setup must be done with a lot of variations.
We use Puppet for Windows deployment. The Linux deployment needs forwarders. We have multiple tiers, endpoints, and collectors. We must set up multiple things. Each aspect has its own set of rules and limitations. We cannot do everything in one go. We must scale it up gradually.
What was our ROI?
We have seen an ROI on the product.
Which other solutions did I evaluate?
We are moving to Google Chronicle. We are in the transition phase now.
What other advice do I have?
LogRhythm SIEM is a good product for a small SOC. Overall, I rate the solution an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.