reviewer1486083 - PeerSpot reviewer
Manager at a comms service provider with 10,001+ employees
Real User
Useful correlations tools, simple initial setup, and helpful support
Pros and Cons
  • "The most valuable feature of RSA NetWitness Logs and Packets are the alerts and correlations tools."
  • "RSA NetWitness Logs and Packets can improve the threat level aspect; it is lacking compared to other solutions. Whenever any hacking activity or any other threat factor occurred, they used to provide the coverage very fast compared with RSA NetWitness Logs and Packets. I heard about the other three solutions from a discussion with my team members who had experience with other solutions; they used to say that. Whenever any issues happened across the globe, RSA NetWitness Logs and Packets were a little bit slow in improving those detection mechanisms."

What is our primary use case?

RSA NetWitness Logs and Packets are used exclusively for monitoring scenarios, insider threat analysis, and log retention.

What is most valuable?

The most valuable feature of RSA NetWitness Logs and Packets are the alerts and correlations tools.

What needs improvement?

RSA NetWitness Logs and Packets can improve the threat level aspect; it is lacking compared to other solutions. Whenever any hacking activity or any other threat factor occurred, they used to provide the coverage very fast compared with RSA NetWitness Logs and Packets. I heard about the other three solutions from a discussion with my team members who had experience with other solutions; they used to say that. Whenever any issues happened across the globe, RSA NetWitness Logs and Packets were a little bit slow in improving those detection mechanisms.

For how long have I used the solution?

I have been using RSA NetWitness Logs and Packets for six years.

Buyer's Guide
NetWitness Platform
March 2025
Learn what your peers think about NetWitness Platform. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
848,207 professionals have used our research since 2012.

What do I think about the stability of the solution?

Some of the RSA NetWitness Logs and Packets versions are not stable. Whenever they released upgrades, we faced some issues.

What do I think about the scalability of the solution?

The scalability could improve. RSA NetWitness Logs and Packets have some limitations in the on-premise sizing. It requires more workers to procure the hardware. It is time-consuming.

The solution is only being used by our security operations team of approximately 10 to 15 people.

How are customer service and support?

When we have any critical issues we escalate them to the support of RSA NetWitness Logs and Packets.

I rate the support from RSA NetWitness Logs and Packets a four out of five.

Which solution did I use previously and why did I switch?

We were using RSA Ticket Analytics and now we are using RSA NetWitness Logs and Packets.

How was the initial setup?

The initial setup of RSA NetWitness Logs and Packets is not complicated; it is easy for us. However, there are some sizing limitations.

What about the implementation team?

We did the implementation of RSA NetWitness Logs and Packets in-house. We have not had any issues with maintenance. 

What's my experience with pricing, setup cost, and licensing?

RSA NetWitness Logs and Packets do not have a subscription model; it's a one-time purchase. There is only a perpetual license.

What other advice do I have?

When comparing the cloud security solutions, RSA feels outdated. I would advise others, before choosing RSA NetWitness Logs and Packets, to do a POC process; later they can do the purchase if it fits their needs.

I rate RSA NetWitness Logs and Packets an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Cyber Security Specialist at a tech vendor with 10,001+ employees
Real User
Good support, powerful decoders and concentrator, but the dashboard is not reflecting events in real-time
Pros and Cons
  • "The most valuable features are the packet decoder, log decoder, and concentrator."
  • "Log aggregation is an issue with this solution because there are a huge number of alerts in a single instance."

What is our primary use case?

We are a service-providing company and this is one of the products that we implement for our clients. The RSA NetWitness Logs and Packets solution is used for Event Stream Analysis (ESA), and we implement use cases based on our customers' needs. For example, suppose the security device is a Palo Alto device; then, at the policy level, we implement the use cases. These might be things like phishing attacks or a botnet. Most companies follow the GDPR regulations for compliance.

We have RSA NetWitness implemented in virtual appliances.

What is most valuable?

The most valuable features are the packet decoder, log decoder, and concentrator. The packet decoder is capable of collecting the flow, whereas the log decoder is capable of collecting the event. NetWitness offers a hybrid solution that collects both and also uses the concentrator.

What needs improvement?

The alert dashboard is not reflecting events in real-time. We have to refresh in order to view an alert in real-time.

Log aggregation is an issue with this solution because there are a huge number of alerts in a single instance. Compared to ArcSight or QRadar, this is a problem.

For how long have I used the solution?

We have been using RSA NetWitness for about a year and a half.

What do I think about the stability of the solution?

The stability of RSA NetWitness is good. It is used on a daily basis.

What do I think about the scalability of the solution?

The ability to scale varies from client to client, and what the client's requirements are. Sometimes the client will want to move to a lighter platform and you have to consider the many inputs related to the cloud. 

We are supporting 10 to 15 clients for this solution. 

How are customer service and technical support?

With regard to technical support, we have found that their diagnosis makes sense but in some cases, they are very late to reply. Our clients always want to resolve the issue through us, and sometimes the support takes a long time. Because RSA NetWitness is a new product, there are many things that they are trying to find out.

Overall, I would say that the support is good.

Which solution did I use previously and why did I switch?

We are using multiple tools including QRadar, RSA NetWitness, LogRhythm, and Micro Focus ArcSight.

The QRadar setup gave us no issues, and it also works with logs and packets.

LogRhythm fulfills the GDPR compliance.

How was the initial setup?

The initial setup is good, and it is not complex.

The length of time it takes to deploy depends on the type and size of the organization. It takes two to three days to implement this solution, including all of the installation and configuration. Once the company provides the requirements, we implement as per the organizational policy.

What about the implementation team?

We implement this solution using our in-house team, although if an issue should occur during installation then we can raise a ticket with support. We have had issues with difficult deployments because of the database during installation, which has led to using the support portal.

The number of people required for deployment and maintenance depends on how many logs are being integrated. Suppose there are 100 or 200 logs, then 10 people will be sufficient if they focus on deployment and troubleshooting. It also depends on the timeline. If the timeline is longer then five people are enough to complete the implementation.

What's my experience with pricing, setup cost, and licensing?

Many clients are not able to purchase the packet capability because there is a huge amount of data, and the cost depends on the number of EPS (Events per second), as well as the number of gigabytes of data per day. 

What other advice do I have?

My advice to anybody who is researching this solution is to consider the differences between the hardware and the virtual solution. The hardware is okay, but if you have any issues and need to restart then it is easy to do this with the VM. My preference is using the VM, where they can easily increase the size of storage if necessary.

It is important to remember that ESA takes all of the main memory. The minimum requirement is 96 GB of RAM, and this is very easy to implement on a virtual machine. My advice is to implement ESA using the maximum eligibility criteria. Consider what the hardware requirements are in terms of RAM and storage, and use the maximum available for ESA.

This solution has a very good dashboard with a separate tab for incidents and alerts. There is a ticketing tool as well. If the problems with the dashboard are corrected then we will not need to have any other tools. The dashboard is a very important feature for clients.

I would rate this solution a seven out of ten.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Security Operations Manager at a computer software company with 1,001-5,000 employees
Real User
Reliable, straightforward installation, but lacking multi-tenant capabilities
Pros and Cons
  • "My team, which is using the newer 11.5 version, has found it to have good mapping."
  • "The multi-tenant capabilities are lagging compared to IBM QRadar."

What is our primary use case?

We have two customers using this solution and one of them is a banking business. We are collecting some of the security log sources. In the main use case, we are correlating rules and we are using the endpoint detection capabilities. We are utilizing RSA NetWitness Logs and Packets, to have more insights on an endpoint level.

What is most valuable?

My team, which is using the newer 11.5 version, has found it to have good mapping.

What needs improvement?

The multi-tenant capabilities are lagging compared to IBM QRadar.

We want the OEM to support us when we add a partner. They have to come forward and be ready to give a POC to the customer. For example, if we are identifying a customer, and the customer wants to see the POC, but at that time we do not have the resources to showcase the POC or the environment, then the OEM should come forward and showcase the POC to the customer. Once the customer is satisfied, we will be gaining the business, as a win-win situation.

For how long have I used the solution?

I have been using RSA NetWitness Logs and Packets (RSA SIEM) for approximately two years.

What do I think about the stability of the solution?

The solution is reliable.

What do I think about the scalability of the solution?

I have not tried to expand the solution.

How are customer service and support?

The technical support is responsive. Professional service when it is required is expensive. I wasn't able to compare with other professional services, because we have only one tool we are using at the moment. I am not able to tell you how much other OEM professional services cost. We have heard from the support that it is expensive.

Which solution did I use previously and why did I switch?

I have previously used IBM QRadar.

How was the initial setup?

The installation is somewhat straightforward. For example, if they want a UBA or SOAR type of platform, then I don't have experience in integrating or installing the SOAR or UBA. If that kind of opportunity comes or a customer requests it, then we have to see. As it is now, RSA NetWitness Logs and Packets (RSA SIEM) installation is straightforward.

What's my experience with pricing, setup cost, and licensing?

We are on an annual license for the use of the solution.

What other advice do I have?

I would recommend version 11.5; it looks good. However, we are looking for an alternative solution.

I rate RSA NetWitness Logs and Packets (RSA SIEM) version 11.4 a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Rafał Popielski - PeerSpot reviewer
Solution Architect at NASK
Real User
Top 20
Provides good technical support services and efficient integration with other platforms
Pros and Cons
  • "NetWitness can be highly beneficial for incident detection and response."
  • "The product's licensing models are complex to understand. This particular area needs improvement."

What is our primary use case?

The primary use case for the NetWitness Platform is within large companies, particularly in their internal security operation centers (SOCs). They utilize the platform for block collections from the entire company, including subsidiaries, enabling comprehensive security monitoring and analysis. It supports functions such as collections and correlation. Additionally, some licenses may include XDR capabilities. NetWitness stood out for many customers as it was one of the first solutions to collect blocks from endpoints, networks, and logs simultaneously, providing a unified view of security events.

What is most valuable?

The most valuable feature of the NetWitness Platform, as I've found through occasional engagements, is its Total Customer Ownership (TOC) approach. It encompasses having a unified engine and database where all collected information, including logs, network traffic, and endpoint data, is correlated and analyzed. This centralized database enables efficient analysis and correlation of security events aided by artificial intelligence algorithms. Additionally, customers can develop custom parsers to integrate new data sources into the database, enhancing its speed and reliability.

What needs improvement?

The product's licensing models are complex to understand. This particular area needs improvement. 

For how long have I used the solution?

I have been using NetWitness Platform for seven years.

How are customer service and support?

My experience with customer service and support for RSA NetWitness has been positive overall. I know individuals who are specialists in the field and attend meetings organized by RSA. These specialists support customers, including those whose partners or companies sell and implement NetWitness at their sites. Despite the cost, it has a strong reputation. I have received helpful assistance from technical support when needed, such as accessing restricted areas on their website or technology database. Even in complex cases, the support team has been attentive and supportive, ensuring I am not left alone with any issues.

What's my experience with pricing, setup cost, and licensing?

Licensing models can be complex and subject to change over time. It provides tools to assist in selecting the appropriate license and usage scenarios. The trend is shifting towards subscription-based models rather than one-time payments.

Which other solutions did I evaluate?

I previously prepared comparisons between solutions such as IBM QRadar and RSA NetWitness. Having worked for several large vendors, including IBM, I have insights into various security platforms. IBM QRadar, while mature and feature-rich, was behind RSA NetWitness in certain aspects. RSA was among the first to collect data from multiple sources, including live network traffic, endpoints, and logs, offering a more comprehensive approach to threat detection. Both vendors eventually incorporated Extended Detection and Response (XDR) capabilities into their solutions, but RSA was an early adopter. Nowadays, it's challenging to pinpoint significant differences in functionalities among various vendors, as most deliver similar capabilities. Performance and cost considerations may vary depending on the specific use case and hardware infrastructure. Thus, a thorough evaluation is essential when choosing a security platform.

What other advice do I have?

NetWitness can be highly beneficial for incident detection and response. RSA has incorporated Extended Detection and Response (XDR) functionality through collaborations and licensing agreements with other companies.

It integrates well with other tools, boasting over 600 integrations on its website. The list is continuously updated and readily accessible.

Security improvements will vary depending on the combination of integrations. It's essential to carefully assess both the list of available integrations and each customer's specific needs.

I rate it a ten out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: partner
PeerSpot user
Delivery Partner APAC and MEA at Tata Consultancy
Real User
Streamlined solution that's easy to implement
Pros and Cons
  • "The software is scalable to whatever is required, and you can also put a lot of resources in the cloud."
  • "An area for improvement would be better automation and more inbuilt use cases."

What is our primary use case?

Primarily, I use this solution to integrate with applications and systems like firewalls and routers. For example, if somebody is trying to log on from two different locations simultaneously, we can catch that.

How has it helped my organization?

Over time, NetWitness Logs and Packets has matured from a boxed solution with multiple parts to the current, more streamlined version for which we only need the software license to put it up on our own cloud and deliver it to multiple clients.

What needs improvement?

An area for improvement would be better automation and more inbuilt use cases. In the next release, RSA should include an inbuilt migration framework that can do remediation.

For how long have I used the solution?

I've been using this solution since 2011.

What do I think about the stability of the solution?

This is a stable solution.

What do I think about the scalability of the solution?

The software is scalable to whatever is required, and you can also put a lot of resources in the cloud.

How was the initial setup?

The initial setup isn't much of a challenge and can be completed in under twelve hours.

What's my experience with pricing, setup cost, and licensing?

Our license price is updated yearly, and there are no additional costs.

What other advice do I have?

I would rate NetWitness Logs and Packets as eight out of ten.

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
reviewer1130436 - PeerSpot reviewer
Information Technology Security and Infrastructure Expert at a government with 201-500 employees
Real User
Top 20
Helps to deal with potential attacks and is available at a reasonable price
Pros and Cons
  • "The product's initial setup phase was not at all difficult."
  • "The tool's integration capability isn't so great."

What is our primary use case?

I use the solution in my company mainly for packets and log analytics.

What is most valuable?

I don't really see any valuable features in the product. I feel that it is time to move away from NetWitness Platform. All SIEM tools have to deal with advanced use cases, and many of them are getting upgrades, but this is not the case with NetWitness Platform. NetWitness Platform has remained the same for almost four to five years. The support and RMAs offered by the product in our region have also become very bad.

What needs improvement?

From an improvement perspective, the NetWitness Platform needs to release new features and improve in areas like log correlation. The tool needs to have easier integrations with the cloud. Building a parser should be made easier in the tool.

The tool needs to have easier integrations. The tool needs to have the extra log-related suggestions. The platform and UI should be easier to use.

For how long have I used the solution?

I have been using NetWitness Platform for eight years. My company is a customer of the tool.

How are customer service and support?

I rate the technical support a six out of ten.

How would you rate customer service and support?

Neutral

How was the initial setup?

The product's initial setup phase was not at all difficult. The tool's upgrades and moving from old hardware to new hardware are difficult and time-consuming. If you have any hardware failures, as per the RMA offered by the tool, it takes a very long time to get some after-service. The product has not been working well in my region recently.

What's my experience with pricing, setup cost, and licensing?

The product price was reasonable for my region and the market.

Which other solutions did I evaluate?

My company has a hybrid environment. I have looked at other products like Splunk and Sentinel. I am still looking around for other solutions in the market. In my company, we are having discussions to move to some other solution.

What other advice do I have?

My company has had many benefits from the use of the product in the last eight years.

The tool has streamlined our company's incident response process since it serves as a log repository, which allows us to correlate events and access different technology stacks. In our company, we were able to actually find some potential attacks, so it has been very helpful.

The tool's integration capability isn't so great. In my company, we managed to integrate it with our Microsoft Azure Subscription, after which we managed to integrate it with other tools. You will face a lot of difficulties if you want to integrate it with your database monitoring tool, PAM solutions, or IAM products.

The product has done well overall for my company's teams to deal with their workflow efficiency.

I would not recommend the product to others.

I rate the tool a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Cyber security Lead at a manufacturing company with 1,001-5,000 employees
Real User
Great wireless feature, provides many automatic rules that are very helpful
Pros and Cons
  • "Offers a good wireless feature."
  • "Technical support could be improved."

What is our primary use case?

The RSA NetWitness packet plays a major role in identifying cyber attacks from different sources. We integrated it in a very large environment, deploying it in a container corporation in India. The company has around 86 locations across the country. Another use case of RSA is for running full scans, and the third use case is for blocking malware and viruses. Nowadays, people hide behind encaptured networks and use proxies to look through the door. Then they'll try to come in.

What is most valuable?

The wireless feature is good; it tells you when to check a spot, which file it has used to encrypt, whether it is spreading, and how many hosts have been infected. It's about data analysis. Looking at the network logs, it's difficult to figure out where the problem is coming from and where it's going, but those kinds of features help me a lot. The solution provides lots of automatic rules, which is helpful. Technically speaking, this is a good product.

What needs improvement?

I believe they could improve their support; there are often delays. The price of the solution could be reduced; it's very costly.

What do I think about the stability of the solution?

This is a stable product. 

What do I think about the scalability of the solution?

We're using the solution extensively in our shipping business, so it is scalable. We probably have seven or eight users, and the solution is in use 24/7.

How are customer service and technical support?

Getting technical support takes time; they get a lot of calls, and we generally only get a response the following day. Cisco is better with technical support.

How was the initial setup?

The initial setup is not straightforward because of all the integrations required. It needs the aggregate data, data concentrator, defense, correlation roots, and more. 

What's my experience with pricing, setup cost, and licensing?

It would help if they could provide the malware analytics in the core package as that would make the cost more reasonable. Licensing is paid annually and I believe the cost is somewhere between 12,000 - 15,000 Pounds per year. It's very high. 

What other advice do I have?

I would recommend this solution. 

I rate this solution a nine out of 10. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Computer Security Consultant at SECURE SOFT
Real User
Top 5
Deployment flexibility and robust integration enhance reporting and analytics capabilities in financial industry
Pros and Cons
  • "NetWitness Platform offers flexibility for deployment and robust integration capabilities."

What is our primary use case?

I use NetWitness Platform in the financial industry as a good product with excellent capabilities and integration with various devices.

What is most valuable?

NetWitness Platform offers flexibility for deployment and robust integration capabilities. It excels in research events, analytics data, and reporting. It is particularly beneficial for reporting purposes, offering efficient solutions.

What needs improvement?

There is currently no need for improvement in the SIEM, though there could be potential enhancements by integrating with AI.

How are customer service and support?

The support is good, and I would rate it nine out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

In the financial industry, I used other solutions like Exabeam or UEBA from other providers.

How was the initial setup?

The initial setup was not complex. On a scale of zero to ten, where ten is the easiest, I would rate it seven or eight.

What was our ROI?

The solution is efficient, though I do not provide specific ROI details.

What's my experience with pricing, setup cost, and licensing?

The pricing is comparable to others, and I consider the cost to be intermediate. Specific cost details are unknown to me.

Which other solutions did I evaluate?

I used alternatives like Exabeam or UEBA from other providers in other industries.

What other advice do I have?

I would rate the SIEM eight out of ten.

Which deployment model are you using for this solution?

I am using the on-premises deployment model.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user