We performed a comparison between LogRhythm SIEM and Trellix ESM based on real PeerSpot user reviews.
Find out in this report how the two Security Information and Event Management (SIEM) solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."The automation rules and playbooks are the most useful that I've seen. A number of other places segregate the automation and playbook as separate tools, whereas Microsoft is a SIEM and SOAR tool in one."
"I like the KQL query. It simplifies getting data from the table and seeing the logs. All you need to know are the table names. It's quite easy to build use cases by using KQL."
"Sentinel improved how we investigate incidents. We can create watchlists and update them to align with the latest threat intelligence. The information Microsoft provides enables us to understand thoroughly and improve as we go along. It allows us to provide monthly reports to our clients on their security posture."
"Investigations are something really remarkable. We can drill down right to the raw logs by running different queries and getting those on the console itself."
"I like the ability to run custom KQL queries. I don't know if that feature is specific to Sentinel. As far as I know, they are using technology built into Azure's Log Analytics app. Sentinel integrates with that, and we use this functionality heavily."
"The Identity Behavior tab furnishes us with the entire history linked to each IP or domain that has either accessed or attempted to access our system."
"The log analysis is excellent; it can predict what can or will happen regarding use patterns and vulnerabilities."
"It has basic out-of-the-box integrations with multiple log sources."
"I have found the Advanced Intelligence Engine has provided the most value to us because we can customize alarms based on our requirements and have created hundreds of alarms that notify different people for different scenarios."
"In terms of security, LogRhythm NextGen SIEM is great."
"LogRhythm NextGen SIEM is customizable, simple to manage, and there are many features. The solution does not require an expert to be able to use it, anyone can use it."
"Even other products we have that feed into it, instead of having to watch all of them we only have to watch one. For example, we have CrowdStrike, so instead of having to pay attention that solution - because their dashboard doesn't really pop when an alarm comes up - we can see issues with the red on the LogRhythm alarm. That is very nice."
"LogRhythm has increased productivity because all the tools that we need are in the web UI, allowing us to find threats on our network fast and efficiently."
"Overall effectiveness is very good. I like how it is oriented to both analysts and technical support people. It's easily adopted by end users as much as by technologists."
"The ability to drill down and pivot from an event is one of the biggest advantage the product has compared to other things that I have seen in the market."
"LogRhythm's GUI is easy to explore. We also like other features, such as its integration with other security solutions, log correlation, and the deployment of use cases."
"The solution's technical support is great."
"The most valuable features of McAfee ESM are intrusion detection, malware protection, and the device controller."
"It blocks the things which are not to be allowed. It has an adaptive mode where it learns for itself."
"It has good technical support, which is available around the clock. You can call up anytime and get whatever you want. My queues are resolved."
"It is a good central viewpoint for issues. These can then be investigated in more detail on the subnet server(s)/endpoints."
"It can be easily deployed with the other solutions."
"Trellix ESM is very user-friendly."
"The most valuable feature in ESM is its search and reporting feature. It's really nice."
"There is room for improvement in entity behavior and the integration site."
"If you're looking to use canned queries, the interface could be a little more straightforward. It's not immediately intuitive regarding how you use it. You have to take a canned query and paste it into an operational box and then you hit a button... They could improve the ease of deploying these queries."
"Sentinel's alerts and notifications are not fully optimized for mobile devices. The overall reporting and the analytics processes for the end user should also be improved. Also, the compatibility and availability of data sources and reports are not always perfect."
"I would like Sentinel to have more out-of-the-box analytics rules. There are already more than 400 rules, but they could add more industry-specific ones. For example, you could have sets of out-of-the-box rules for banking, financial sector, insurance, automotive, etc., so it's easier for people to use it out of the box. Structuring the rules according to industry might help us."
"The solution could improve the playbooks."
"If I can use Sentinel offline at home and use it on a local network, it would be great. I'm not sure if I can use Sentinel offline versus the tools I have."
"Add more out-of-the-box connectors with other SaaS platforms/applications."
"The following would be a challenge for any product in the market, but we have some in-house apps in our environment... our apps were built with different parameters and the APIs for them are not present in Sentinel. We are working with Microsoft to build those custom APIs that we require. That is currently in progress."
"I would like a more fuller implementation of STIX/TAXII so I can pull in some of the government lists without having to go implement a whole new STIX/TAXII platform."
"There are other security technologies outside of this SIEM that should be inside of this SIEM. I can see in their roadmap that they're trying to address a lot of these things, and have these technologies built into the solution, because there is no point in going to another vendor or opening up a second window to obtain the data that you need."
"Only area I can think of to improve on is the proof reading and using the guides before releasing them. Out the the 20+ guides I used one had issues with wrong information in it."
"We had a little bit of difficulty implementing a disaster recovery situation because it was leveraging only Microsoft native DNS and it wouldn't work with our Infoblox DNS deployment that we use in our environment. They've been working on that behind the scenes."
"One of the challenges of the SIEM for the LogRhythm 7 platform is the amount of time it takes to bring new log sources into the MDI."
"My big thing is the easability. I don't like to go to two different systems. The fat client that you have to install to configure it, then the web console which is just for reporting and analysis. These features need to collapse, and it needs to be in a single solution. Going through the web solution in the future is the way to do it, because right now, it is a bit cumbersome."
"There is room for improvement with separate running sources or better integration."
"My biggest complaint is documentation. Everyone tells me, "We have documentation on the Community site." I have searched for different types of documentation on numerous occasions, and it might be there, but it's not easily findable."
"It is not a very advanced solution, and it is for very generic use cases. It cannot cope with the advanced requirements that we're going to have. For example, for multiple authentication failures, it is still based on Windows events for detecting multiple login failures, whereas other companies are going beyond and working on implementing two-factor authentication. It is time to correlate the two-factor authentication results with authentification failures, which is not happening with McAfee ESM. The performance of the tool should be improved because it is very slow. The data display on the console is very slow in McAfee ESM. Its data storage is still old-fashioned, and it should be improved and upgraded to the latest versions. They have to come up with some new ideas to match what other leaders in the same domain are doing. For example, in Splunk, when you search for information for the last 60 days or five months, it quickly shows the information, but that is not the case with McAfee. The results should be quicker and faster on the console. They should integrate some additional features such as User Behavior Analytics (UBA) and automation. The threat intelligence part should also be improved on McAfee."
"The initial setup is difficult and could improve."
"The product's stability is an area of concern where improvements are required."
"The user interface could be more user-friendly."
"It cannot integrate with our Next-Generation Firewall and few applications such as Cisco ACI."
"Tech support is required each time there is a system update of the solution."
"We would welcome integrations with some of the new McAfee acquisitions, e.g., behavioural analytics."
"The support from McAfee ESM could improve. They could improve the speed."
LogRhythm SIEM is ranked 6th in Security Information and Event Management (SIEM) with 166 reviews while Trellix ESM is ranked 18th in Security Information and Event Management (SIEM) with 34 reviews. LogRhythm SIEM is rated 8.4, while Trellix ESM is rated 7.4. The top reviewer of LogRhythm SIEM writes "The solution reduced our investigation time from days to hours and assists in managing our workflows". On the other hand, the top reviewer of Trellix ESM writes "Provides visibility of all the traffic within the company infrastructure". LogRhythm SIEM is most compared with IBM Security QRadar, Splunk Enterprise Security, Wazuh, Fortinet FortiSIEM and ManageEngine Log360, whereas Trellix ESM is most compared with ArcSight Enterprise Security Manager (ESM), IBM Security QRadar, Splunk Enterprise Security, Trellix Helix and Cybereason Endpoint Detection & Response. See our LogRhythm SIEM vs. Trellix ESM report.
See our list of best Security Information and Event Management (SIEM) vendors.
We monitor all Security Information and Event Management (SIEM) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
I cannot respond to the query as I have worked with solutions based on NetIQ and AcrSight.
1. I feel the query is very generic and can not have any tangible response other than users listing their side of the stories (experience) while tabulating Pros & Cons would be inconclusive.
2. The vendors mentioned (McAfee, Splunk, LogRhythm and IBM Q1 Labs) are from the top quadrant and are very much comparable based on evaluation parameters such as List of Features, capabilities and capacities, Integration to other corporate IT security tools etc.
3. Methodology used by Gartner for evaluation of vendors for SIEM Quadrant should also be kept in view to get a realistic comparison. I feel, its not a real Apple-to-Apple comparison nor can be used as a measure to influence the decision making for a new deployment (or migration to another vendor)
4. I also feel that vendor experiences, most of the times are dependent on how clear you are of your own Security Landscape, Compliance & Regulatory drivers and requirements.
Thanks
Rajendra Nag
Unfortunately while evaluating SIEM solutions I was unable to evaluate the IBM solution. I tried to work with IBM for two weeks to get an evaluation of the product and finally gave up.
I think Splunk is an incredibly diverse and flexible product; however, if you are just looking for a SIEM I think it's a bit overcomplicated.
Our company choose SolarWinds LEM due to it's ease of deployments for small to mid sized environments and we have a good track record working with SolarWinds as a vendor.
I asked this question in a previous discussion, what is your experience with the solutions?
I went to Infoworld and found some pretty interesting results - www.infoworld.com
It seems that based on price, GFI took the prize with $220/server $22/workstation.
But based on features and sheer capability, Arcsight took the prize there.
Additional findings bring up HP Arcsight, IBM Q1 Radar and McAfee Nitro as the industry leaders - Gartner Magic Quadrant from 2013 - infosecnirvana.com
But if you were to go to the comparison charts:
Cons
HP Arcsight - Complex, Suited for Medium to large deployments, learning curve, skilled employees
IBM Q1 Radar - Limited Customization, limited multitenancy support, limited use case configuration
McAfee Nitro - Very basic correlation capabilities, requires agent installs, no analytics capability, limited customization, limited support for multi-tier, multi-tenancy
There are others these seem to be the leaders in the industry.
So from the report from Gartner, Infoworld and Infosecnirvana.com, they all seem to think that HP Arcsight is the way to go
Todd
Hi,
I disgree for SME installation since Q1 is usually on a large scale
installation. While expertise on the product is still needed including
integration with other security platforms.
Splunk/LogRythm is good for Network correlation only not focusing much on the
security area.
McAfee is ok for both SME and Enterprise whilst expertise should also be
considered as they have an easy and available tool for integration with their
ticketing system, IPS, and AV.
Hope this helps.
Cheers,
Lilet
Its is now an easy and clear answer.
It depends on the environment, the integration needed, and the staff expertise.
IBM is usually a better solution for large/very large installations and integration.
But it requires much more staff and skills.
But for smaller environments Splunk and LogRhytm is better.
McAfee is correctly rated against others.
So the answer is YES/AGREE for large installations.
And NO/DISAGREE for smaller ones.