IT Central Station is now PeerSpot: Here's why
Buyer's Guide
User Behavior Analytics - UEBA
June 2022
Get our free report covering Darktrace, Cisco, Splunk, and other competitors of LogRhythm Enterprise UEBA. Updated: June 2022.
609,272 professionals have used our research since 2012.

Read reviews of LogRhythm Enterprise UEBA alternatives and competitors

Cyber Security Specialist at a tech vendor with 10,001+ employees
Real User
Good dashboard and helpful third-party plugins but technical support could be better
Pros and Cons
  • "There are other third-party plugins that we can use."
  • "The AQL queries could be better."

What is most valuable?

There is a Pulse dashboard that they have. From a reporting perspective, we'll be creating dashboards based on the pulse functionalities. 

There are other third-party plugins that we can use as well. We can initiate in the QRadar platform, however, Pulse is one of the most user-friendly options. 

Along with that, there are out the box rules and out the box dashboards that we have available to us. Mostly what we are concentrating on is creating the rules and fine-tuning the rules to align properly with the customer infrastructure depending upon the customer's requirements. Pulse, UEBA, and NBAD are the features that are the best. They are the most useful from a SOC manager perspective.

What needs improvement?

The AQL queries could be better. With the queries, there's an option for you to create dashboards based on the queries that they have. The documentation that is available for AQL queries is not well received. They could maybe look at how Microsoft is leveraging AQLs from a Sentinel perspective and create more documentation and training materials and make those more available to the general public.

They have to facilitate more learning opportunities. Microsoft has something called Playground where you have some sample logs and where you can learn how to work on all this stuff, however, there is nothing like that for IBM. They really could make it more generalized and accessible to the general analyst population.

Technical support should be improved.

For how long have I used the solution?

In terms of QRadar, I've used it for close to two years. I worked for a customer that is a managed security service provider. What we do is we will provide SOC as a service and QRadar. IBM is one of the partners that we have. Depending upon the customer considerations and customer preferences, we will either engage QRadar or Sentinel according to the customer preferences. Splunk and LogRhythm we also use on an as-needed basis. 

What do I think about the stability of the solution?

What they have claimed is 99.5% uptime. However, I'm not very sure whether there's an implementation problem or not. Sometimes the system gets hung and then we have to restart everything from the scratch. You have got these multi printing options, though not functionally. Sometimes it gets some jitters there. Sometimes there are cases where we are finding it very difficult to get into the system as there can be three or four people logging into the same platform at the same time and sometimes the reduces the speed a lot.

What do I think about the scalability of the solution?

From an architect implementation perspective, the role that I have played is very limited. I'm not very sure about scaling. I'm not in a position to comment on that part. That said, once everything is implemented, I've noted that it's not as scalable as Sentinel or Splunk on the cloud, for sure. That is the same for LogRhythm and QRadar. Obviously, cloud-hosted applications will be more scalable and more resilient.

How are customer service and support?

Technical support is something that has always been an issue for us. We have to raise a ticket and the products team will be available, however, depending upon the criticality, sometimes the support is not very easily accessible on weekends and on Friday evenings.

Which solution did I use previously and why did I switch?

I've also worked with Sentinel, Splunk, QRadar, and LogRhythm. 

How was the initial setup?

Compared to Sentinel, the initial setup is a bit complex. Depending upon whether you're going ahead with the cloud version or on-prem version, there is human involvement, however, normally everything is done by the platform engineer. I don't have to get my head into that part. Once everything is up and running, that is when we have to start working from our side. I'm sure it is more complex than a plug-and-play Sentinel, where connectors are easily available and just have to click, click and get things done.

The administration and maintenance would be two or three people depending upon the availability. I'm not very sure about troubleshooting. I'm coming at the solution from a user perspective. I'm more concerned with the rule fine-tuning and rule-building part. That kind of troubleshooting will be done with the platform team, which specializes in that. 

What's my experience with pricing, setup cost, and licensing?

Licensing is mostly dependent on the EPS, events per second. Depending upon the number of products that are integrated with the platform, we have to come to an optimal EPS value. I'm not very sure about the financials, however, the licensing cost cannot be as much as that for Sentinel, which is not very low. For customers who need medium EPS values, we advise QRadar.

The basic out the box cost covers, the EPS value that you have specified, and then some archiving maybe. It should include at least six months of archiving and other functionalities. Most of the customers will go for the standard package and we don't have to go for extra archival or enhanced DPS. 10% to 15% of DPS can always be increased. It will not completely shut down the system, however, it'll start sending us notifications that the DPS is getting increased and then we can go for a higher licensing.

What other advice do I have?

The version we use depends on when the customer is onboarded. Whenever recent onboarding takes place, we use the most up-to-date versions. However, there are customers that we have been facilitating for the past two or two and a half years and they might be using the previous versions. There are proper version upgrades that happen on a quarterly basis. 

I'd rate the solution seven out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
Lead Security Engineer at a tech services company with 1-10 employees
Reseller
Top 5
Useful for behavioral analysis of users and behavioral analysis of network traffic
Pros and Cons
  • "One of the most valuable features is UEBA. It's pretty helpful for us to make sure of our thresholds for any of our clients."
  • "The area that needs improvement is reporting."

What is our primary use case?

We are using the solution for behavioral analysis of the users and behavioral analysis of network traffic. For example, if we know that there is an IP address that keeps reaching out, we confirm it with the client, put that in behavioral analysis and say, "Okay. This is a regular behavior." It's not going to trigger us if they reach out to a certain threshold. If that IP reaches out to over that threshold, then we are going to tell the client, "Something seems to be wrong over here. This machine does not go to that IP address a lot, but this is going on a lot today."

From a behavioral analysis perspective, the use cases are data exportation by contractors, by determination, account accessing, removal of media.

The version we are using is SNYPR.

What is most valuable?

One of the most valuable features is UEBA. It's pretty helpful for us to make sure of our thresholds for any of our clients. Another great feature is how Investigation Workbench works with all of the user analysis.

They are continuously improving things. They keep putting new policies and new rules as well as updating the old ones.

What needs improvement?

The area that needs improvement is reporting. They don't focus on that area enough, but everything else is good.

For how long have I used the solution?

We have been using this solution for a year and a half.

What do I think about the stability of the solution?

It's stable but every product has ups and downs. Sometimes it gets extraordinarily overloaded because sometimes I push billions of events in an hour. It takes a little bit of time to run the analysis, but it is pretty stable in the back end.

What do I think about the scalability of the solution?

The solution is scalable.

How are customer service and support?

I deal with their tech support on an almost daily basis. I would give it a 6 out of 10.

Which solution did I use previously and why did I switch?

I have also used Loglogic and LogRhythm, which is not a good tool. I prefer Splunk. Securonix is my second choice. Third would be QRadar, and my fourth choice would be AlienVault.

We are not currently using Splunk, but we are considering them to be our secondary SIEM.

How was the initial setup?

Setup is pretty straightforward. If you are going to set up everything on the back end, on cloud port and everything, then they're going to send you a forwarder package. You just install that on the VM and get going from there.

It's pretty easy to maintain if you go through the documents.

What's my experience with pricing, setup cost, and licensing?

Their pricing is pretty comfortable. They will work with you on the cost.

What other advice do I have?

I would give this solution and 8 out of 10.

Make sure that you get the training properly and get a hold of the correct people so that things are done properly. Don't try to find a way in the middle.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
Sanjay-Kulkarni - PeerSpot reviewer
Manager Security Operation Center at a tech services company with 51-200 employees
Real User
Top 20
A stable and scalable solution for small and medium sized companies
Pros and Cons
  • "The solution is stable and scalable."
  • "We would like to see better integration with other products."

What is our primary use case?

We are a services company, so we provide services for our clients' companies.

What needs improvement?

We would like to see better integration with other products. 

For how long have I used the solution?

We have been using Securonix Security Analytics for around six months.

What do I think about the stability of the solution?

The solution is stable. 

What do I think about the scalability of the solution?

The solution is scalable.

How are customer service and technical support?

The technical support is okay. 

Which solution did I use previously and why did I switch?

We work with different SIEM solutions, including IBM QRadar and LogRythm. Although I prefer IBM QRadar to Securonix Security Analytics, there are no features of this product that I wish to see included in it, as these two platforms are disparate. 

The reason I prefer IBM QRadar is because we already utilize this solution with our customers, whereas with Securonix Security Analytics we are talking about a process which we have yet to complete. 

How was the initial setup?

The initial setup was relatively uncomplicated. It basically involved operations, with which we had some issues. 

What's my experience with pricing, setup cost, and licensing?

I cannot comment on pricing as this is not within my purview. 

What other advice do I have?

Our clientele includes small and medium sized companies, not enterprise.

I rate Securonix Security Analytics as an eight out of ten. 

Disclosure: My company has a business relationship with this vendor other than being a customer: partner
Buyer's Guide
User Behavior Analytics - UEBA
June 2022
Get our free report covering Darktrace, Cisco, Splunk, and other competitors of LogRhythm Enterprise UEBA. Updated: June 2022.
609,272 professionals have used our research since 2012.