DylanHaddad - PeerSpot reviewer
SOC Analyst at PLS Financial
Video Review
Real User
Robust with helpful workflow management and good log filtering
Pros and Cons
  • "It's positively affected our overall rate of efficiency."
  • "In terms of blind spots, we are looking for more improvements since we don't have visibility over everything."

What is our primary use case?

I found it very useful in our day-to-day operations with monitoring user activity and looking at system analytics and system performance. I found it very useful when investigating threats like IPs, and seeing what's going on with our endpoints, like certain lateral movements that we've noticed. 

I definitely found it very useful when looking at, for example, a compromised host, or a suspicious IP that has been scanning us. I've definitely found it very useful when I look at a log, it'll give me a detailed drill-down of all the information that's needed, including what the rating is, the rating of the threat, and what actions should be taken. 

It gives my team a better idea of what we should do to improve our security posture.

How has it helped my organization?

It's improved our organization. For example, if we have a user who's traveling overseas, or we get a suspicious login from the VPN, from a country that we're unfamiliar with, it gives us the ingest logs. The SIEM gives us a better comprehension of what type of threat activity it is and helps us decide if it's benign or legitimate.

What is most valuable?

Looking at the logs and how much detail each log has when it is ingested into our dashboards is quite useful. I found it very useful when looking at, for example, what emails are inbound and outbound of our networks. 

I like how detail-oriented the logs are in terms of what the origin is and what network it's coming from. 

I also like how the detailed logs give us what host or user it's coming from. On sight, I have a pretty cohesive understanding of what threat intelligence looks like in terms of reviewing what we have to deal with.

I use the Event Log Filtering feature daily. Every day when I look at event logs, I use the filters on certain time ranges and AI Engine rules. Overall, it's had a very positive impact. It helps us expedite certain security incidents very quickly, thanks to how detail-oriented the logs are. It really helps me report threats to my supervisor. For example, if someone's trying to scan us, my boss will ask me, "Can you look into this further?" I'll go ahead and use the searches and the lists that the LogRhythm console has to offer, and I will get back to him in a timely fashion, with more details on the threat.

The Event Log Filtering feature has definitely helped reduce administrative overhead. On a scale of one to ten, I would rate it a seven.

It helps us manage workflows and cybersecurity exposure. In terms of managing workflows, it definitely has given us leverage on what our overall security posture is, and gives us a better understanding of what we need to focus on more in terms of what threats are persisting. Our workflows have been pretty seamless so far. I would say our workflow is pretty seamless in terms of static manual investigations.

In terms of blind spots and our ability to shut down attacks, while we don't see all the blind spots, it gives us enough understanding and information about where we can classify a threat. 

Overall, it's had a very positive impact on our security posture. It gives us good visibility of what we need to see right now. It definitely gives us a better understanding of what we deal with, and what we should focus on in terms of what threats are more critical than others. In terms of our daily operations, it's very helpful.

It's positively affected our overall rate of efficiency. It's given us what we need for now. We're looking to improve our efficiency by looking into what LogRhythm offers in its newer products. Still, it's pretty efficient. On a scale of one to ten, I would rate it around eight or nine in terms of efficiency. My immediate coworkers in my department could use what we have right now for looking at critical alerts, user analytics, and overall IT operations since we usually have daily operations where we look at all user activity throughout our organization.

What needs improvement?

So far, it's pretty robust, and yet, we look for more improvements.

On a day-to-day basis, maybe we could look for more improvements with automation, however, so far, it's good.

In terms of blind spots, we are looking for more improvements since we don't have visibility over everything. Right now, we just use LogRhythm for our on-prem solution, not our cloud solution. We could definitely use more improvements with that in the next product.

Ingesting logs into the web console user interface and probably updating the threat intelligence database are the two places where we'd like to see improvement. We get a lot of noise. Oftentimes, we see a lot of false positives, so possibly using AI or machine learning would be ideal. Implementing that more into the next product would help us actually determine whether it's a false positive or legitimate threat.

For how long have I used the solution?

I've used the solution for about a year and three months.

What do I think about the stability of the solution?

In terms of using it on-premises, it is very stable. Granted, we have some hiccups here and there. However, that's what we reach out to tech support for. They're able to provide us with immediate support, and they're willing to really put in the effort to figure out what the cause of the problem is and will work until it's fixed in a timely fashion. 

What do I think about the scalability of the solution?

The scalability is, so far, very robust. I look forward to hearing more about the latest LogRhythm products and what they can do in terms of on-premises and cloud.

How are customer service and support?

The product offers excellent service and technical support. They're very prompt with getting back to our team regardless of the severity of the incident. Overall, I've had a great experience with this so far.

How would you rate customer service and support?

Positive

What other advice do I have?

I'd rate the solution ten out of ten. 

Those that say SIEM is an outdated security system don't understand cyber security. SIEM is what allows analysts like myself to be successful. Without a SIEM, how can we see everything? We can't.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Cyber Security Engineer at a logistics company with 10,001+ employees
Real User
Allows you to collect Windows events and enable monitoring by default, but sometimes the Platform Manager crashes
Pros and Cons
  • "Currently, we are in the implementation phase. LogRhythm is better than QRadar from the point of view of collecting Windows events. It has a much higher view. You can enable monitoring by default."
  • "Sometimes the Platform Manager crashes because it's built around Windows."

What is our primary use case?

I'm a user, administrator, and analyst. We are using version 7.4.

The solution is deployed on-premise. Three people are working with this product in our company.

What is most valuable?

Currently, we are in the implementation phase. LogRhythm is better than QRadar from the point of view of collecting Windows events. It has a much higher view. You can enable monitoring by default.

What needs improvement?

Sometimes the Platform Manager crashes because it's built around Windows.

Every component is on a separate device. Right now we are just integrating log sources. We didn't do any threat intel or use cases until now. I did this with another customer, but with QRadar.

They have to think like IBM. IBM did X-Force public cloud, which is a beautiful tool that gives us threat intel feeds. LogRhythm doesn't have this solution, but maybe they want to integrate this. The Client Console is very bad.

The console is for administrators to add log sources or do some basic investigation. It is a very bad GUI. I think it's very old and built upon an old OS. They have to get rid of it or use a web-based application or develop it in the Client Console application.

For how long have I used the solution?

I have been using LogRhythm for one year.

What do I think about the scalability of the solution?

It's very scalable. We can scale vertically or horizontally. If you want to add more indexers or connectors, it's easy to implement.

How are customer service and support?

We haven't opened any cases until now. I used to work with QRadar, and sometimes it takes very long to receive a reply from IBM. We didn't experience any use cases until now, but with LogRhythm, we have some delays from the implementation view.

LogRhythm is expanding in my country, Egypt. Multiple customers have moved to LogRhythm. So, they don't have many people for support. We have to schedule a session, and then engage with engineers during implementation.

How was the initial setup?

Initial setup was complex.

We have multiple data indexers, and each component is on a separate device. I think QRadar has many tools from the point of view of applications integrated within the SIEM solution, like threat intel or use case manager. In LogRhythm, I don't see this.

Maybe we haven't gotten so far in the implementation, but in QRadar I can feel it's easier from the initial setup. We have only these components placed on one site. We don't have another recovery site.

What's my experience with pricing, setup cost, and licensing?

I didn't see the RFP, but I heard that it is more expensive than QRadar. I remember one customer implemented only one QRadar in two sites. It cost them $2 million, I think. Maybe LogRhythm is much higher.

Which other solutions did I evaluate?

QRadar is built around Red Hat, so it's more stable. I think LogRhythm is more complicated than QRadar.

What other advice do I have?

I would rate this solution 7 out of 10.

When you integrate a log source by default, you have to know what the customer needs or the process that is wanted, because we did the reconfiguration multiple times for log sources.

So, they have to also follow the MITRE ATT&CK Framework, because by default LogRhythm collects the common logs, so you have to enable this.

The licensing sizing exercise must be done correctly. Sometimes I see customers sizing away from the current situation. Customers sometimes buy a license that is not enough for their implementation, because they didn't expect what they would be adding in the future during the implementation.

Sometimes the implementation takes one year, and the customer adds more devices, so it exceeds their license. I think it's the presales' job to do the sizing correctly. And the customer must be aware of how or what to implement, so that implementation doesn't take long.

It took some customers two years to implement a SIEM solution. I don't remember the solution, but it was a waste of two years' time.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Computer0e92 - PeerSpot reviewer
Administrator Executive at an individual & family service with 10,001+ employees
Real User
I have done a lot of good work with the account reps and engineers. It feels like we are on the same team.
Pros and Cons
  • "It gives us insight into our entire installation, where we are multiple sites, going as far as the East Coast to the Central West Coast."
  • "I would really love to be able to take some of the data and not have to export it to a CSV file, so I can pull it into Excel to turn it into some other kind of graph."

How has it helped my organization?

We are primarily Windows-based. We have Linux. We have some Solaris. We are an isolated network. We have no connectivity to the internet, so we are more focused on insider threat and advanced persistent threat. One of the things that has really been a concern is we have a lot of software developers and engineers. These guys are gonna be able to create their own threat, so the behavioral analysis function of LogRhythm is really important, because there may not be a threat signature that we can find somewhere. We are going to need to see, "Oh hey, this guy, he is doing that at some weird hour. Okay, trigger an alert." That's probably the biggest difference. We are not going to have to worry about phishing attacks. We have really locked down. Our endpoints are going to a lot of thin clients just to eliminate a lot of potential access to systems.

LogRhythm has caught a few odds and ends, where things were done for sheer convenience. It caught this weird behavior, and alerted us, and we're like, "Why do we have a DNS server with a software install point on it?", which is completely strange because we have an official software repository where everything is supposed to be. LogRhythm caught that for us, and it was really a case of a privileged user account, which was no longer active, and someone just tried to log in with it. We were like, "Who is this? It's not even the same format for the username." So, it caught something like that, and it turned out to be harmless.

Maybe years ago, they had brought someone in, not an IT guy, they were pushing out a lot of common software, and they didn't have an SCCM or a WSUS solution, so they had people going to machines, and downloading it from various locations. It is something we cleaned up, and got out of the way. We haven't had anything nefarious show up, yet.

It has also been helpful for tracking a lot of stuff, like user account activity. We have our own folks, we have vendors and contractors that come in. It's great to be able to see when their accounts are being created, and when they're being locked down, because our security people can say, "Okay, this person is a new hire. We know they are supposed to be here. This person is leaving the company. Good to see their account has been locked down." There is a lot of confirmation on account activity, which is great.

We need to catch everything before it does anything bad. Our biggest challenge is we have reporting requirements with our customer. They want to see specific types of activity, and while we want to be able to provide that, we also want to be able to catch things that might be on the edge or just outside of those boundaries. So that is our biggest challenge because I can watch the industry news and see, "Oh well, we have a threat that is coming in this way now that could possibly get on our system. How do I catch that?" Well, my customer's requirements might be too vague or too specific. I have to convince them that this is also important, include it, and here is why. So keeping my customer educated as to the threats is really critical.

What is most valuable?

It gives us insight into our entire installation, where we are multiple sites, going as far as the East Coast to the Central West Coast. Our operation is small. I am a one-man shop right now, so it gives me a chance to aggregate all my events and logging, alerting, in one spot. I come in and can see exactly what is happening.

What needs improvement?

The biggest thing is when you are looking at the client console: a lot of the data, the reports that you can generate, then you are given just a pie chart, a list of data, or both. I would really love to be able to take some of that and not have to export it to a CSV file, so I can pull it into Excel to turn it into some other kind of graph. I know some of that's being handed off to the web console, but that would be the one thing that would be really helpful.

It is a little hard to get integrated.

The one thing that would help me the most, because I am sort of isolated from things, and the guides that LogRhythm puts out are really good. However, a lot of times, it is, "Do this, do this, and this works because of this, this works because you do this." I would love to see something where they show or explain why doing something would break something or wouldn't work for you. That is the one thing, because I have done some things, like created a GLPR, just done them a couple of times, and I had two that work really well, and one that seems like it should be perfect, it is just a simple exclusion, but it does not work at all.

What do I think about the stability of the solution?

Stability has been great.

How is customer service and technical support?

Customer Service:

I have done a lot of good work with the account reps and engineers. It really feels like we are on the same team.

Technical Support:

Technical support has been pretty good. It has been a challenge, because we are not connected to the Internet, and when they want to get our logs, we are like, "Well, it is going to be a few days before any of it gets to you." That's our biggest challenge, but they have tried to work with us.

Overall, they have been good. They have been pretty helpful.

How was the initial setup?

I was not involved in the initial setup.

What's my experience with pricing, setup cost, and licensing?

I would recommend talking to the rep. That's the biggest thing because they will know what questions to ask.

What other advice do I have?

It does what we want, but there is so much you can do with it. It is like buying the biggest tool set you can find, then you are trying to find out, "Okay, what am I going to do with all of these tools?" Trying to tune your system with the tools that you have available is a little daunting. It was for me because I did not have the security background. If you are new, it will be a little bit daunting. The training is a big help, though.

Understand what your scope is. What are you really trying to do with this tool? If all you want to do is collect logs and pile them up somewhere on a server, this is not going to help you, and it will defeat your security goals, probably. If you are looking for something, talk to the LogRhythm rep to find out, "Okay, we are really operationally-focused. Or, we are really security-focused."

Most important criteria when selecting a vendor:

  • Vendor access, which is what LogRhythm is very good at. We have got the engineers coming to us saying, "Hey, we are coming to town, is there something we can talk to you about? Do you want us to visit?"
  • Very flexible.
  • Really good communication is important because if something is happening, I need to be able to get it taken care of quickly, and that is what's going on.
  • Scalability: It looks like it is wonderfully scalable.
  • Integration: I have been interested in what I have seen with the Carbon Black and the endpoint stuff.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Mohammed Jamous - PeerSpot reviewer
Chief Information Technology Officer at an insurance company with 11-50 employees
Real User
It has the ability to add and compare use cases
Pros and Cons
  • "AXON has the ability to add and compare use cases."
  • "The log storage capacity should be increased."

What is our primary use case?

We have 250 cases in LogRhythm. It's used for collecting logs and analyzing logs from the servers.

What is most valuable?

The solution has the ability to add and compare use cases. 

What needs improvement?

The log storage capacity should be increased.

For how long have I used the solution?

I have been using LogRhythm SIEM for three years.

What do I think about the stability of the solution?

I rate it at 10 out of 10 for stability.

What do I think about the scalability of the solution?

I rate it at 10 out of 10 for scalability.

How are customer service and support?

I rate LogRhythm support 10 out of 10. 

How would you rate customer service and support?

Positive

How was the initial setup?

LogRhythm SIEM is easy to set up, and it took us about two weeks. 

What about the implementation team?

We had help from a person from LogRhythm.

What's my experience with pricing, setup cost, and licensing?

LogRhythm is a costly solution. I rate it five out of 10 for affordability. We have a three-year license, and you need to pay to add features like endpoint licensing, behavior analytics, etc.

Which other solutions did I evaluate?

We looked at Splunk and IBM QRadar.

What other advice do I have?

I rate LogRhythm SIEM at 10 out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer1283208 - PeerSpot reviewer
Information Security Officer, Network Analyst at a university with 1,001-5,000 employees
Real User
It puts things together and provides the evidence and has good automation and integration capabilities
Pros and Cons
  • "Automations are very valuable. It provides the ability to automate some of our small use cases. The ability to integrate with other products that use an API is also very useful. LogRhythm has a plugin for it that we can connect and start to move down towards the path of a single pane of glass instead of having multiple or different tools."
  • "Their ticketing system for managing cases can be improved. They can either do that or adopt some of the open-source ticket systems into theirs. The current system works and gets the job done, but it is very bare-bones and basic. There are some things that could be improved there. They should also bring in more threat intelligence into the product and also probably start to look into the integration of more cloud or SAS products for ingesting logs. They're doing the work, but with the explosion of COVID, a lot of businesses have started to move towards more cloud applications or SAS applications. There is a whole diverse suite of SAS products out there, which is a challenge for them and I get it. They seem to be focusing on the big ones, but it'll be nice to be able to, for example, pull in Microsoft logs from Office 365. They are working towards a better way of doing that, and they have a product in the pipeline to pull logs in from other SAS applications. The biggest thing for them is going to be moving away from a Windows Server infrastructure into a straight-up Linux, which is more stable in my eyes. For the backend, they can maybe move into more of an up-to-date Elastic search engine and use less of Microsoft products."

What is our primary use case?

We use it for log ingestion and monitoring activity in our environment.

How has it helped my organization?

It is a simpler system than what we had before. We had IBM QRadar, which used to give us everything, and we had to dig through, figure out, and piece it all together. LogRhythm lights up when an event occurs. As opposed to just giving us everything, it will piece things together for you and let you know that you probably should look at this. It also provides the evidence. 

It is easy to find what you're looking for. It is not like a needle in the haystack like QRadar was. It is not a mystery why something popped or why you're being alerted. It provides you the details or the evidence as to why it alerted or alarmed on something, making qualifying or investigations a little bit quicker and also allowing us to close down on remediation times.

What is most valuable?

Automations are very valuable. It provides the ability to automate some of our small use cases. 

The ability to integrate with other products that use an API is also very useful. LogRhythm has a plugin for it that we can connect and start to move down towards the path of a single pane of glass instead of having multiple or different tools.

What needs improvement?

Their ticketing system for managing cases can be improved. They can either do that or adopt some of the open-source ticket systems into theirs. The current system works and gets the job done, but it is very bare-bones and basic. There are some things that could be improved there. 

They should also bring in more threat intelligence into the product and also probably start to look into the integration of more cloud or SaaS products for ingesting logs. They're doing the work, but with the explosion of COVID, a lot of businesses have started to move towards more cloud applications or SaaS applications. There is a whole diverse suite of SaaS products out there, which is a challenge for them and I get it. They seem to be focusing on the big ones, but it'll be nice to be able to, for example, pull in Microsoft logs from Office 365. They are working towards a better way of doing that, and they have a product in the pipeline to pull logs in from other SaaS applications.

The biggest thing for them is going to be moving away from a Windows Server infrastructure into a straight-up Linux, which is more stable in my eyes. For the backend, they can maybe move into more of an up-to-date Elastic search engine and use less of Microsoft products.

For how long have I used the solution?

I have been using this solution for three years.

What do I think about the stability of the solution?

Bugs are there. We've encountered quite a few, but support is pretty quick at picking up and working with us through those and then escalating through their different peers until we get a solution. Now, the bugs are becoming less and less. Initially, they were rolling out features pretty quickly, and maybe some use cases weren't considered. We ran into those bugs because it was a unique use case.

What do I think about the scalability of the solution?

It is easy to scale. We run different appliances. So, for us scaling is not an issue. Each appliance does a different piece of the function, so scalability is not a problem. We started off doing say 10,000 logs per second or MPS event, and then we quickly upgraded. Now, we're sitting at a cool 15,000. There is no need to upgrade hardware or anything. You just update the license. That is it.

We have multiple users in there. We have a security team, operations teams, server team, and network team for operations. We also have our research team, HBC team, and support desk staff. We have security teams from other universities in the States. We're sitting at a cool 50 users.

How are customer service and technical support?

Their technical support is good. They are pretty quick at working with us. I would give them an eight out of ten. I don't know what they see on their end when a customer calls in and whether they are able to see previous tickets. It always feels like you're starting fresh every time. They could maybe improve on that end.

Which solution did I use previously and why did I switch?

We had IBM QRadar for what seemed to be almost a decade. So, we just needed something different. There was a loss of knowledge transfer, as you can imagine, over a decade with different people coming in and out of security teams, and the transfer of knowledge was very limited. At the time I got on board, I had to figure out how to use it and how to maintain it and keep it going. We had some difficulties or challenges with IBM in getting a grasp on how we can keep getting support. It was a challenge just figuring out who our account rep was. After I figured that out, it was somewhat smooth sailing, and then we just decided it was time for something different, just a break-off because products change in ten years. You can either stay with it and deal with issues, or you do a break-off and get what's best for the organization.

How was the initial setup?

It was complex simply because we had different products. 

What about the implementation team?

We did have professional services to help us, which made the installation a little bit smoother. Onboarding of logs and having somebody with whom you can bounce ideas and who can go find an answer for you if they didn't have one readily available made the transition from one product to the other pretty straightforward.

What's my experience with pricing, setup cost, and licensing?

We did a five-year agreement. We pay close to a quarter of a million dollars for our solution.

What other advice do I have?

I would definitely advise giving it a look. If you're able to deal with it in your environment and just give it a chance, it'll grow on you. It is not Splunk, but it's getting there. They're gaining visibility with other vendors. The integration with third parties is starting to light up a little bit for them, unlike IBM QRadar that has already created that bond with third parties to bring in their services into the product. LogRhythm is definitely getting there, and it is a quick way to leverage in-house talent. So, if you want to do automation and you have someone who is good at Python scripting or PowerShell, you can easily build something in-house to automate some of those use cases that you may want to do. 

I would rate LogRhythm NextGen SIEM an eight out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Manager of Information Security at a real estate/law firm with 51-200 employees
Real User
It has given us visibility into log information that we did not have before
Pros and Cons
  • "The ability to drill down and pivot from an event is one of the biggest advantage the product has compared to other things that I have seen in the market."
  • "We have gone through a few versions which has caused a lot of instability. We have logged a lot of hours with professional services."

What is our primary use case?

The biggest use case is visibility. Because we have a lot of flaws, if you don't have a tool that can bring it all in and give you that visibility, then all that log information is useless. Thus, LogRhythm helps us keep that visibility.

How has it helped my organization?

It has definitely improved our security program's maturity, because we have visibility that we didn't have before. We came from another SIEM platform that we had used for over ten years and we completely outgrew that platform. LogRhythm has given us more visibility. It has created more actionable items for us on a day-to-day basis, which gives us more work. At the same time, it has given us more tools than we had before, so that is definitely nice.

What is most valuable?

I wish I could just name one feature! There are so many: 

  • The ability to drill down and pivot from an event is one of the biggest advantages the product has compared to other things that I have seen in the market.
  • LogRhythm differentiates itself through its usability.
  • Its simplicity. It can do more than just basic simplicity.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

We have gone through a few versions, which has caused a lot of instability. We have logged a lot of hours with professional services. The version that we are currently on is a lot more stable than what we have experienced in the past. So, it is progressively getting better day by day. However, we have had some instability in the past.

What do I think about the scalability of the solution?

There are a lot of things that are on our wishlist which I found out about on day one.

As far as scalability is concerned, it is good.

How are customer service and technical support?

I would rate the technical support as a nine out of ten. We have had some issues, though overall, support has been great. The portal and their interaction with us, along with their full support, have been fantastic.

How was the initial setup?

The initial setup is complex, because it's a huge product. LogRhythm is a beast. It can do so much more than just the analytic software, so it is not your typical installation. It's more of a three to four month installation process because you are gradually bringing in logs and fine tuning them. It is not a difficult process, just a lengthy one.

What was our ROI?

We have seen a measurable decrease in the mean time to detect and respond to threats. As new features and new releases come out, the window is becoming a lot narrower because you can pivot a lot more with the data. Therefore, the new features and enhancements are reducing that.

What other advice do I have?

I just found out about the playbooks at the conference. I plan on using them as soon as I get back.

We have about 2500 messages per second coming in.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user576042 - PeerSpot reviewer
Senior IT Security Analyst at a retailer with 1,001-5,000 employees
Vendor
Provides a single point of log management, has become an operational tool as well as a security solution

How has it helped my organization?

We are about 5000 users. At this point, we only have one XM appliance with external storage. We're looking for a vendor right now, for a sales engineer to work with us in trying to upgrade it. We're looking to expand it. We're looking at monitoring more of our workstations. We have about 1000 servers on it, and about 300 to 500 routers and switches on our system. And of course, we are also a Windows shop, so we have about 4000 to 5000 units on it.

A lot of it is being a single point of log management for the whole company, not only for our compliance, but basically it has become an operational tool for our company, for our day-to-day stuff. And it's more, on my end, for the security solution.

What is most valuable?

It's a compliance tool for our needs.

Security analytics, cloud security, and log management are also definitely valuable. We're looking at all the cloud features at this point; even antivirus is going to the cloud. A lot of analytics are going to the cloud. So, we're looking at LogRhythm and what it's going to do with the AI cloud stuff.

What needs improvement?

What I would like to see is improvement on the analytics, especially on the cloud and intelligence workspace.

What do I think about the scalability of the solution?

We have one box right now. We're in the process of scaling that, so I can't speak to this.

How are customer service and technical support?

I've been working a lot with technical support, technical professional services. We just recently did an audit of our system. I'm waiting to get a report from that, so that's one of the things I'm working with.

They're pretty much responsive. The only basic thing is, when support issues are passed on to a first-level support, it takes a while to get to the second-level support to make sure the first-level support answers all our questions. Sometimes it's a challenge to bring it to the second level of support and get the answers that we need.

Which solution did I use previously and why did I switch?

No. We have always done our homework and we believe that LogRhythm continues to be our solution.

How was the initial setup?

It was pretty straightforward. I was happy with the deployment team. They were on hand and they were explaining a lot of stuff that was happening, so I feel pretty good about the initial deployment.

Which other solutions did I evaluate?

No.

What other advice do I have?

The driving factor for our company is compliance. And next, for our security team to make sure that there's no occurrence of anything that we don't know about, besides operational issues.

My key challenge is to make sure that LogRhythm stays relevant on our day-to-day stuff, making sure that we can have a quick analysis of what's happening in our network, what's going on, and what our security posture is at a given time. For my needs, I'm looking more for it to bring a more comprehensive picture of our security, for the whole network, since I'm routing all the logs to it.

The most important criteria when selecting a vendor is technical support. At the end of the day, when all is said, price and pricing and so on, you will have to deal with technical support one way or the other.

In terms of a solution being a unified end-to-end platform, it's one of the top 10 SIEM tools on my list right now. A lot of our auditors are saying, "We need to track to one platform where we could see a dashboard, where we could see how everything is going on in our network."

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Nebojsa Antic - PeerSpot reviewer
Information Technology Security Engineer at a tech consulting company with 1-10 employees
Reseller
Top 5
Offers good visibility of events and is easy to use
Pros and Cons
  • "In general, the visibility of events and advanced analysis of events are good."
  • "The product's initial setup phase is pretty complex."

What is our primary use case?

My customers use the solution for user behavior analytics and as an anti-malware and anti-threat kind of tool. My customers are in finance-related areas. I deal with some gambling companies, and in my country, it is categorized under the finance sector.

What is most valuable?

The solution's features include good visibility of events, faster response to threats, and advanced ability to analyze events and data. In general, the visibility of events and advanced analysis of events are good.

What needs improvement?

The tool needs to improve the implementation part and have a virtual list of files for a virtual appliance or something like that because it is a very complicated area when it comes to implementation. There are a lot of pieces that need to be installed and prepared, and, of course, there is a need for virtual resources. The tool must offer better virtual resources and prepare some virtual appliances with some ISO or VMDK files. I don't care, but the solution must do something to improve the product. There are too many things that are complicated during the implementation phase.

For how long have I used the solution?

I have been using LogRhythm SIEM for a year. I use the solution as a partner.

What do I think about the stability of the solution?

Stability-wise, I rate the solution an eight out of ten.

What do I think about the scalability of the solution?

It is a highly scalable solution. Scalability-wise, I rate the solution a ten out of ten.

From LogRhythm's perspective, my company deals with small to medium businesses.

How are customer service and support?

The solution's technical support team provides quick answers to any request. The team's knowledge and way of resolving issues are also fast. We haven't had any problems reaching out and getting the support we need for the tool. I rate the technical support a ten out of ten.

How would you rate customer service and support?

Positive

How was the initial setup?

The product's initial setup phase is pretty complex. The tool offers good guidance, and everything else is clear, but there are a lot of steps involved in the implementation. From the client's end, there is a need to include a lot of people, like system admin, DB admin, and network admin. Sometimes, I think the tool needs to improve something in the area of the setup phase so that there aren't difficulties during the implementation process.

If ten means easy setup and one means difficult, I rate the product's installation phase a four out of ten.

The solution is deployed on an on-premises model.

If everything is prepared already, the solution can be deployed in one or two days. In the end, there are a lot of things that you need to prepare before starting the tool's use, so it takes two to five days for the initial deployment, but after that the installation processes take just two days.

What's my experience with pricing, setup cost, and licensing?

For my customer, I think the tool is reasonably priced. There is a need to pay per year towards the licensing costs of the tool. From what I heard, the tool has a very reasonable price, and users pay on a yearly basis for its licensing charges.

What other advice do I have?

Speaking about how LogRhythm SIEM influences operational costs, or if it does have any security efficiency, I would say that I don't work with the tool every day to know what the operational cost benefit is. In any case, with fewer people, the tool has better visibility. There is a need for three or four people in a team for SIEM. The tool ensures better efficiency of the team by improving costs, but I am not very sure how to explain it as the tool has centralized events as it is spread out geographically with a lot of branches. We get a better understanding of the networks in different countries with the centralization part, improving the efficiency of the SIEM team.

With LogRhythm SIEM, there is a need to deal with a lot of customized services. The tool spends a lot of time with professional services for customization. The good part is that the support team finishes their job very quickly and offers very good responses when it comes to the area of customization. There was a little disappointment since the tool did not have some of the parsers for some systems in the environments, like IBM, which was a surprise. In any case, support did the job, as there were tons of customizations needed. We were able to deal with the customization area and resolve the issue around it, making it a very customizable tool. It is a very flexible tool. I spend a lot of time with the support team doing the customizations. Customizations take a lot of time, but they are still a plus.

I have not noticed any AI elements in LogRhythm SIEM.

I recommend the tool to others.

It is a perfect search engine, and every report is analyzed really quickly and in a straightforward manner. The tool has an easy GUI, and it is the perfect choice for security analysts. The tool has consoles, including an administrative console and a web console. For some people, that can be a problem. I think it is really good when you have administrative guys who deal only with the solution and analysts who deal only with the analyzed part without some preparation for the core configuration. Everyone can deal with the day job. For me, the tool is advanced, but maybe for others, it can be an issue. In any case, it is really visible to others for documentation. The tool is scalable and really operational. The tool is easy to use and for sizing. In the end, it is a good tool. In the Serbian market, most of the tools demanded are on-premises. When it comes to the on-premises solution, I think LogRhythm is one of the best tools. We are a little different than the other parts of the world. Everyone wants to go to the cloud, but here, everything wants to be kept on an on-premises model. The market in Serbia is very strange because we aren't a part of the European Union, and so, with regard to compliance, we always have some problems. The companies in Serbia like to have on-premises solutions because most financial institutions, banks, or government institutions have data centers, so they won't go to the cloud. In Serbia, we don't like to deal with cloud solutions, especially when the data needs to be consumed somewhere in the cloud because the biggest problem is the cost of cloud solutions for SIEM tools. Most of the applications and everything is also hosted on-premises in Serbia. Normally, the SIEM tools are used in an on-premises model.

I rate the tool a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer:
PeerSpot user
Buyer's Guide
Download our free LogRhythm SIEM Report and get advice and tips from experienced pros sharing their opinions.
Updated: January 2025