LogRhythm SIEM Reviews

The solution is used for threat hunting. We also use it as an SIEM for our SOC.

The solution enhances our organization's threat detection and response capabilities. It prioritizes alerts. We can write rules on it. It provides a comprehensive rule list out of the box. We have compliance rules for PCI and SOC. We prioritize the rules for PCI compliance. Assets that we have ingested have PCI labels, and we can identify the websites that need PCI. We can visualize threats on important assets and analyze, mitigate, and rectify them.

The log analysis feature is valuable. The solution has an AI rule manager. AI Engine gives us plenty of options to write new rules and modify existing rules according to our requirements.

The cloud version must be scaled better. The EPS values shown are sometimes not reflective of how we see them. Log ingestion takes a couple of days. When we have errors, the turnaround time is two to three days. It should be organized for better turnaround time. The cloud infrastructure is taken care of by the cloud team. The responses provided by the cloud team are inefficient. The response time must be improved.

I have been using the solution for two years.

I rate the tool’s stability a seven out of ten.

The tool is scalable, but the tech stack is very old. It doesn't use the new generation bells and whistles like artificial intelligence. There is a lot of room for improvement. I rate the scalability a seven out of ten. In our organization, 12 to 15 security analysts use the solution.

The support team helps us a lot.

Positive

We used FireEye two years ago. The management decided to move to LogRhythm SIEM because FireEye was going through a transition, and we wanted a stable product.

The initial setup is not easy. It requires technical skills. I rate the ease of setup a six or seven out of ten. The solution is cloud-based. Our environment is very complex. The deployment takes three to four months. We have to install agents. We have multiple locations with multiple data centers and a multi-cloud presence. The setup must be done with a lot of variations.

We use Puppet for Windows deployment. The Linux deployment needs forwarders. We have multiple tiers, endpoints, and collectors. We must set up multiple things. Each aspect has its own set of rules and limitations. We cannot do everything in one go. We must scale it up gradually.

We have seen an ROI on the product.

We are moving to Google Chronicle. We are in the transition phase now.

LogRhythm SIEM is a good product for a small SOC. Overall, I rate the solution an eight out of ten.

We have 250 cases in LogRhythm. It's used for collecting logs and analyzing logs from the servers.

The solution has the ability to add and compare use cases. 

The log storage capacity should be increased.

I have been using LogRhythm SIEM for three years.

I rate it at 10 out of 10 for stability.

I rate it at 10 out of 10 for scalability.

I rate LogRhythm support 10 out of 10. 

Positive

LogRhythm SIEM is easy to set up, and it took us about two weeks. 

We had help from a person from LogRhythm.

LogRhythm is a costly solution. I rate it five out of 10 for affordability. We have a three-year license, and you need to pay to add features like endpoint licensing, behavior analytics, etc.

We looked at Splunk and IBM QRadar.

I rate LogRythm Siem at 10 out of 10. 

We use it for log ingestion and monitoring activity in our environment.

It is a simpler system than what we had before. We had IBM QRadar, which used to give us everything, and we had to dig through, figure out, and piece it all together. LogRhythm lights up when an event occurs. As opposed to just giving us everything, it will piece things together for you and let you know that you probably should look at this. It also provides the evidence. 

It is easy to find what you're looking for. It is not like a needle in the haystack like QRadar was. It is not a mystery why something popped or why you're being alerted. It provides you the details or the evidence as to why it alerted or alarmed on something, making qualifying or investigations a little bit quicker and also allowing us to close down on remediation times.

Automations are very valuable. It provides the ability to automate some of our small use cases. 

The ability to integrate with other products that use an API is also very useful. LogRhythm has a plugin for it that we can connect and start to move down towards the path of a single pane of glass instead of having multiple or different tools.

Their ticketing system for managing cases can be improved. They can either do that or adopt some of the open-source ticket systems into theirs. The current system works and gets the job done, but it is very bare-bones and basic. There are some things that could be improved there. 

They should also bring in more threat intelligence into the product and also probably start to look into the integration of more cloud or SAS products for ingesting logs. They're doing the work, but with the explosion of COVID, a lot of businesses have started to move towards more cloud applications or SAS applications. There is a whole diverse suite of SAS products out there, which is a challenge for them and I get it. They seem to be focusing on the big ones, but it'll be nice to be able to, for example, pull in Microsoft logs from Office 365. They are working towards a better way of doing that, and they have a product in the pipeline to pull logs in from other SAS applications.

The biggest thing for them is going to be moving away from a Windows Server infrastructure into a straight-up Linux, which is more stable in my eyes. For the backend, they can maybe move into more of an up-to-date Elastic search engine and use less of Microsoft products.

I have been using this solution for three years.

Bugs are there. We've encountered quite a few, but support is pretty quick at picking up and working with us through those and then escalating through their different peers until we get a solution. Now, the bugs are becoming less and less. Initially, they were rolling out features pretty quickly, and maybe some use cases weren't considered. We ran into those bugs because it was a unique use case.

It is easy to scale. We run different appliances. So, for us scaling is not an issue. Each appliance does a different piece of the function, so scalability is not a problem. We started off doing say 10,000 logs per second or MPS event, and then we quickly upgraded. Now, we're sitting at a cool 15,000. There is no need to upgrade hardware or anything. You just update the license. That is it.

We have multiple users in there. We have a security team, operations teams, server team, and network team for operations. We also have our research team, HBC team, and support desk staff. We have security teams from other universities in the States. We're sitting at a cool 50 users.

Their technical support is good. They are pretty quick at working with us. I would give them an eight out of ten. I don't know what they see on their end when a customer calls in and whether they are able to see previous tickets. It always feels like you're starting fresh every time. They could maybe improve on that end.

We had IBM QRadar for what seemed to be almost a decade. So, we just needed something different. There was a loss of knowledge transfer, as you can imagine, over a decade with different people coming in and out of security teams, and the transfer of knowledge was very limited. At the time I got on board, I had to figure out how to use it and how to maintain it and keep it going. We had some difficulties or challenges with IBM in getting a grasp on how we can keep getting support. It was a challenge just figuring out who our account rep was. After I figured that out, it was somewhat smooth sailing, and then we just decided it was time for something different, just a break-off because products change in ten years. You can either stay with it and deal with issues, or you do a break-off and get what's best for the organization.

It was complex simply because we had different products. 

We did have professional services to help us, which made the installation a little bit smoother. Onboarding of logs and having somebody with whom you can bounce ideas and who can go find an answer for you if they didn't have one readily available made the transition from one product to the other pretty straightforward.

We did a five-year agreement. We pay close to a quarter of a million dollars for our solution.

I would definitely advise giving it a look. If you're able to deal with it in your environment and just give it a chance, it'll grow on you. It is not Splunk, but it's getting there. They're gaining visibility with other vendors. The integration with third parties is starting to light up a little bit for them, unlike IBM QRadar that has already created that bond with third parties to bring in their services into the product. LogRhythm is definitely getting there, and it is a quick way to leverage in-house talent. So, if you want to do automation and you have someone who is good at Python scripting or PowerShell, you can easily build something in-house to automate some of those use cases that you may want to do. 

I would rate LogRhythm NextGen SIEM an eight out of ten. 

The biggest use case is visibility. Because we have a lot of flaws, if you don't have a tool that can bring it all in and give you that visibility, then all that log information is useless. Thus, LogRhythm helps us keep that visibility.

It has definitely improved our security program's maturity, because we have visibility that we didn't have before. We came from another SIEM platform that we had used for over ten years and we completely outgrew that platform. LogRhythm has given us more visibility. It has created more actionable items for us on a day-to-day basis, which gives us more work. At the same time, it has given us more tools than we had before, so that is definitely nice.

I wish I could just name one feature! There are so many: 

• The ability to drill down and pivot from an event is one of the biggest advantage the product has compared to other things that I have seen in the market.
• LogRhythm differentiates itself through its usability.
• Its simplicity. It can do more than just basic simplicity.

We have gone through a few versions which has caused a lot of instability. We have logged a lot of hours with professional services. The version that we are currently on is a lot more stable than what we have experienced in the past. So, it is progressively getting better day-by-day. However, we have had some instability in the past.

There are a lot of things that are on our wishlist which I found out about on day one.

As far as scalability is concerned, it is good.

I would rate the technical support as a nine out of ten. We have had some issues. Though overall, support has been great. The portal and their interaction with us along with their full support has been fantastic.

The initial setup is complex, because it's a huge product. LogRhythm is a beast. It can do so much more than just the analytic software, so it is not your typical installation. It's more of a three to four month installation process because you are gradually bringing in logs and fine tuning them. It is not a difficult process, just a lengthy one.

We have seen a measurable decrease in the mean time to detect and respond to threats. As it comes out new features and new releases, the window is becoming a lot narrower because you can pivot a lot more with the data. Therefore, the new features and enhancements are reducing that.

I just found out about the playbooks at the conference. I plan on using them as soon as I get back.

We have about 2500 messages per second coming in.

We are about 5000 users. At this point, we only have one XM appliance with an external storage. We're looking for a vendor right now, for a sales engineer to work with us in trying to upgrade it. We're looking to expand it. We're looking at monitoring more our work stations. We have about 1000 servers on it, and about 300 to 500 routers and switches on our system. And of course, we are also a Windows shop, so we have about 4000 to 5000 units on it.

A lot of it is being a single point of log management for the whole company, not only for our compliance, but basically it has become an operational tool for our company, for our day-to-day stuff. And it's more, on my end, for the security solution.

It's a compliance tool for our needs.

Security analytics, cloud security, log management are also definitely valuable. We're looking at all the cloud features at this point, even antivirus is going to cloud. A lot of analytics are going to the cloud. So, we're looking at LogRhythm, what it's going to do at with the AI cloud stuff.

What I would like to see is improvement on the analytics, especially on the cloud and intelligence workspace.

We have one box right now. We're in the process of scaling that, so I can't speak to this.

I've been working a lot with technical support, technical professional services. We just recently did an audit of our system. I'm waiting to get a report from that, so that's one of the things I'm working with.

They're pretty much responsive. The only basic thing is, when support issues are passed on to a first-level support, it takes a while to get to the second-level support to make sure the first-level support answers all our questions. Sometimes it's a challenge to bring it to the second level of support and get the answers that we need.

No. We have always done our homework and we believe that LogRhythm continues to be our solution.

It was pretty straightforward. I was happy with the deployment team. They were onhand and they were explaining a lot of stuff that was happening, so I feel pretty good about the initial deployment.

No.

The driving factor for our company is compliance. And next, for our security team to make sure that there's no occurrence of anything that we don't know about, besides operational issues.

My key challenge is to make sure that LogRhythm stays relevant on our day-to-day stuff, making sure that we can have a quick analysis of what's happening in our network, what's going on, and what our security posture is at a given time. For my needs, I'm looking more for it to bring a more comprehensive picture of our security, for the whole network, since I'm routing all the logs to it.

The most important criteria when selecting a vendor is technical support. At the end of the day, when all is said, price and pricing and so on, you will have to deal with technical support one way or the other.

In terms of a solution being a unified end-to-end platform, it's one of the top 10 SIEM tools on my list right now. A lot of our auditors are saying, "We need to track to a one flat form where we could see a dashboard, where we could see how everything is going on in our network."

My customers use the solution for user behavior analytics and as an anti-malware and anti-threat kind of tool. My customers are in finance-related areas. I deal with some gambling companies, and in my country, it is categorized under the finance sector.

The solution's features include good visibility of events, faster response to threats, and advanced ability to analyze events and data. In general, the visibility of events and advanced analysis of events are good.

The tool needs to improve the implementation part and have a virtual list of files for a virtual appliance or something like that because it is a very complicated area when it comes to implementation. There are a lot of pieces that need to be installed and prepared, and, of course, there is a need for virtual resources. The tool must offer better virtual resources and prepare some virtual appliances with some ISO or VMDK files. I don't care, but the solution must do something to improve the product. There are too many things that are complicated during the implementation phase.

I have been using LogRhythm SIEM for a year. I use the solution as a partner.

Stability-wise, I rate the solution an eight out of ten.

It is a highly scalable solution. Scalability-wise, I rate the solution a ten out of ten.

From LogRhythm's perspective, my company deals with small to medium businesses.

The solution technical support team provides quick answers to any request. The team's knowledge and way of resolving issues are also fast. We haven't had any problems reaching out and getting the support we need for the tool. I rate the technical support a ten out of ten.

Positive

The product's initial setup phase is pretty complex. The tool offers good guidance, and everything else is clear, but there are a lot of steps involved in the implementation. From the client's end, there is a need to include a lot of people, like system admin, DB admin, and network admin. Sometimes, I think the tool needs to improve something in the area of the setup phase so that there aren't difficulties during the implementation process.

If ten means easy setup and one means difficult, I rate the product's installation phase a four out of ten.

The solution is deployed on an on-premises model.

If everything is prepared already, the solution can be deployed in one or two days. In the end, there are a lot of things that you need to prepare before starting the tool's use, so it takes two to five days for the initial deployment, but after that the installation processes take just two days.

For my customer, I think the tool is reasonably priced. I think the tool is reasonably priced. There is a need to pay per year towards the licensing costs of the tool. From what I heard, the tool has a very reasonable price, and users pay on a yearly basis for its licensing charges.

Speaking about how LogRhythm SIEM influences operational costs, or if it does have any security efficiency, I would say that I don't work with the tool every day to know what the operational cost benefit is. In any case, with fewer people, the tool has better visibility. There is a need for three or four people in a team for SIEM. The tool ensures better efficiency of the team by improving costs, but I am not very sure how to explain it as the tool has centralized events as it is spread out geographically with a lot of branches. We get a better understanding of the networks in different countries with the centralization part, improving the efficiency of the SIEM team.

With LogRhythm SIEM, there is a need to deal with a lot of customized services. The tool spends a lot of time with professional services for customization. The good part is that the support team finishes their job very quickly and offers very good responses when it comes to the area of customization. There was a little disappointment since the tool did not have some of the parsers for some systems in the environments, like IBM, which was a surprise. In any case, support did the job, as there were tons of customizations needed. We were able to deal with the customization area and resolve the issue around it, making it a very customizable tool. It is a very flexible tool. I spend a lot of time with the support team doing the customizations. Customizations take a lot of time, but they are still a plus.

I have not noticed any AI elements in LogRhythm SIEM.

I recommend the tool to others.

It is a perfect search engine, and every report is analyzed really quickly and in a straightforward manner. The tool has an easy GUI, and it is the perfect choice for security analysts. The tool has consoles, including an administrative console and a web console. For some people, that can be a problem. I think it is really good when you have administrative guys who deal only with the solution and analysts who deal only with the analyzed part without some preparation for the core configuration. Everyone can deal with the day job. For me, the tool is advanced, but maybe for others, it can be an issue. In any case, it is really visible to others for documentation. The tool is scalable and really operational. The tool is easy to use and for sizing. In the end, it is a good tool. In the Serbian market, most of the tools demanded are on-premises. When it comes to the on-premises solution, I think LogRhythm is one of the best tools. We are a little different than the other parts of the world. Everyone wants to go to the cloud, but here, everything wants to be kept on an on-premises model. The market in Serbia is very strange because we aren't a part of the European Union, and so, with regard to compliance, we always have some problems. The companies in Serbia like to have on-premises solutions because most financial institutions, banks, or government institutions have data centers, so they won't go to the cloud. In Serbia, we don't like to deal with cloud solutions, especially when the data needs to be consumed somewhere in the cloud because the biggest problem is the cost of cloud solutions for SIEM tools. Most of the applications and everything is also hosted on-premises in Serbia. Normally, the SIEM tools are used in an on-premises model.

I rate the tool a nine out of ten.

We've been using this solution to aggregate and correlate logs to dive a little bit more into auditing any sort of suspicious activity or malicious ideas that are going on within our network and using it for compliance purposes.

We partner with another company to help co-manage LogRhythm SIEM, and it definitely brings everything down to a single pane of glass, especially for people who are coming into the cybersecurity industry and don't have as much experience. It helps to correlate things to where they're more human-readable.

It has also increased our overall rate of efficiency by about 10 to 15%.

The most useful feature that I've found so far is the search function. I like all the different ways you're able to search through metadata and the different ways you're able to correlate or search through logs to find out what's going on.

The Event Log Filtering feature filters out certain logs that we don't need, and it has definitely helped decrease costs and increase efficiency for all of the products. With its hardware being on-premises, it reduces resources all around and makes it more efficient.

The Event Log Filtering feature has also helped us reduce our administrative overhead by approximately 10 to 15%.

In terms of managing workflows and cybersecurity exposure, LogRhythm SIEM is very efficient and is a good tool to use for locating and auditing any sort of activity that goes on in the network. It's very helpful for tracking and finding, even down to a granular level or up to events.

It's definitely been helpful with blind spots, especially in terms of vulnerabilities that aren't picked up by the scanners that we have. There were multiple instances where we've had brute force and various types of attacks that were quickly escalated to us via alarms and that were easily read and acted on.

The user interface needs improvement. The more the user can slide around and know what's going on, the better it will be.

I've been using LogRhythm SIEM since 2016.

The stability is great. We had an agent go down on a DC once or twice, and it just involved a restart. That is about it. The stability of the hardware and the software itself is awesome.

We're going to be scaling soon, and there hasn't been any reason to switch away from LogRhythm. So far, scalability-wise, it's been able to fit our environment well.

You would be wrong to think that LogRhythm SIEM is an outdated solution. I use it every day, and it has helped me fix or see vulnerabilities or compromises in our network that I wouldn't have seen before. It's still definitely around.

On a scale from one to ten, I'd rate LogRhythm SIEM an eight.

The primary use is monitoring logs, to see what's going on.

It's head and shoulders above what we were using, which was SolarWinds LEM.

Alarms are the most valuable feature. We also like the dashboard and how things are at your fingertips. The fact that we can now edit the report templates is going to be a great thing.

My installation has some unique problems, apparently, because of our network architecture, and that's why we're looking at other solutions, and possibly a replacement. 

We're looking at user-based analysis. Granted, we haven't enabled the UEBA module, but we're forwarding all our proxy logs to LogRhythm and we have a really hard time pulling those proxy logs back out of LogRhythm. However, when we take LogRhythm and forward the same logs into somebody else's user-based analytics software, we get the majority of what we were missing. So we know the logs are making it to LogRhythm, but we still can't pull them out. If we've got all our proxy logs and I go out to Google or Facebook or the like, we should be able to go in and pull that information out ten minutes later, but it's a big challenge to do that.

As long as you don't overfeed it, it's fairly stable.

The scalability has been fairly decent so far, as long as you don't overfeed it.

Tech support is hit-or-miss. Some of the tech support agents are just wonderful and I've learned a lot from interfacing with them. Some of the tech support agents seem like they are metrics-based: How many tickets they can close in a short amount of time? I usually express my feelings in the ticket notes, so these are not unheard-of comments.

The initial setup was fairly straightforward.

My advice would be to definitely look into it. I've used other SIEMs that were a whole lot easier to program and I've used other SIEMs that were vastly oversold and cost way too much money. LogRhythm is a good product for what it is.

We have more than 500 and less than 1,000 log sources. In terms of messages per second, therein lies the rub. We bounce anywhere from 2,500 to, on certain days, a peak of over 12,000.

We are not using the full-spectrum analytics features. We don't use any automated playbooks. In terms of the number of staff for deployment and maintenance, the latter is me. I've got two other analysts that work with me.

Regarding our security program maturity, we've grown a whole lot in the last three years. LogRhythm, fortunately, was a part of that. Our previous SIEM had to be rebooted two or three times a day. Unfortunately, now that we're trying to leverage it to get more data out of it, we don't seem to to be able to do that.

I can't say I have seen any measurable decrease in the meantime to detect and respond to threats because I can't watch it all the time.