LogRhythm SIEM Reviews

It is the dashboards. Up until just a couple of weeks ago, we were just using the standard dashboards. We actually had our account manager and professional services team members come out to our Security Operations Center (SOC) and essentially walked through our processes and how the SOC operates. One of the immediate improvements was using the dashboards more effectively, so we just used the standard, out-of-the-box dashboard, and it actually wasn't really telling us much.

Now, the SOC have custom dashboards, showing them a lot more useful information, puts the information in context, and they are actively using it for proactive investigations, rather than just responding to alarms.

It has certainly helped with the visibility. We probably don't use the platform to its full extent. We've expanded the size of our SOC and the number of people in it. We are now starting to use the features, such as SmartResponse, to help automate things. We've probably been guilty of throwing people at the problem, as opposed to leveraging the tool itself. We are now trying to change that.

We host quite a volume of sensitive, personal data. We are a credit reference agency, based in the UK, and we hold records on probably, around about 50 million adults, both personal information and financial information. Our core role is protecting the confidentiality of that, so breaches, such as the Equifax breach, that happened recently, we have absolutely got to avoid that.

We are not leveraging the tool to its fullest extent at the moment. We had a focus session with our SOC, the other week, and we've got a defined roadmap now to make things a lot better.

We are at a good place now. We have just started using things, such as case management, whereas previously we were just responding to individual alarms.We're starting to use things a little bit more intelligently now, so not just using the technology, but also helping improve our processes through the use of the technology.

There are enough features that we are not using, and not to their fullest extent, at the moment.

The company has been using the platform for seven years. I joined the company three years ago.

We tend to struggle. We do see performance issues fairly regularly. I think part of this is the stress that we're putting it under, with the volume of events that it is receiving. When we put the new appliances in, which is imminently, we're hoping that it will solve a number of issues: the number of the performance issues that we see.

It seems to be scaling well.

We have currently just got a single platform manager that's been carrying out the role of the web console and AIE server. We've probably thrown too many events at it, and we are now, effectively, putting in a DR solutions, a second platform manager, and then spinning off individual components, so appliances for the web console and AIE server.

We are effectively doubling the size of the platform, at the moment, to cope with the volume of logs that we're throwing at it.

A couple of the team do tend to find that certainly the initial contact with support slows things down a little bit. I think their support has their script or their route to follow to triage the issue, whereas we've already done that because we know the platform, we've been there and we know what to do when something happens. Generally, we contact support when all else has failed. For us, we probably need to hop down the line a little bit, rather than just hit the initial support function (the first line).

When we do reach the right level, they are knowledgeable.

The risk appetite changed. We are in quite a regulated organization, and having something like LogRhythm in place gives us the visibility and the comfort that we've got the monitoring required in place.

I would not know.

Technology's important, but it is the support you get as well. Don't just focus on, necessarily, the features and technology, but also consider the support and the engagement you get with the organization.

Most important criteria when selecting a vendor: the relationship. I would not want to work with an organization that just sells you the technology, then disappears or only ever speak to when there is a problem. It is starting to look a little bit more like a partnership now with LogRhythm, that's exactly what we want to maintain.

The product was easy to deploy and easy to learn how to use. The web console is the best I’ve seen when compared to other SIEMs.

This product has made it easier for our team to correlate security events and react quicker to incidents.

Retrieving logs that have been archived can be a difficult and time consuming process. The module which performs this, called the Second Look Wizard is not very well integrated into the rest of the product. It would be nice if you had the ability to right click on a log and search the archives for more data like it (you can do this with non-archived logs) and then after restoring archived logs, easily pivot to an investigation for that data. Currently, those 3 steps all have to be run separately.

I've used it for five months.

The deployment was very smooth.

There were occasional stability problems, but they were resolved by support in a timely fashion.

No issues encountered.

Excellent, everyone I have worked with at LogRhythm has been courteous and helpful.

Technical support has been very good, and they will often go out of their way to help correct an issue, even if it is not a technical issue with the product.

This is our first SIEM.

The initial setup was done with the help of LogRhythm Professional Services and was fairly straightforward. Our version of the software is integrated into one hardware unit which made it easy to setup and understand.

We implemented with LogRhythm Professional Services and the engineer I worked with was very thorough and knowledgable.

Pricing was on the higher end when compared to other products we looked at. However, we felt the advantages with LogRhythm justified the price premium. Licensing is fair and straightforward. We evaluated SIEMs from AlienVault, Tripwire, and Solarwinds.

We evaluated SIEMs from AlienVault, Tripwire, and Solarwinds.

If implementing a SIEM for the first time, it is very important to have members of the network and server teams involved from the beginning. Also, strong change management policies are necessary to keep the SIEM implemented properly.

We have a lot of distributed offices and no visibility into any of them. The use case for this product is to collect and integrate logs from all the machines at all the different sites and get better insight into the security areas that we need to tighten up.

I am hoping that we will be able to response to threats and gain visibility into our environment that we don't currently have.

The AI Engine.

I would like to see our vulnerabilities counter. We will be using Tenable to fill that void right now.

It seems like it will scale easily with the way our environment is set up.

We have not used LogRhythm's tech support yet.

We were using an MSP and were dissatisfied with its performance. What we started to do was figure out what we could bring in-house and what we needed from a security standpoint, and this SIEM kept coming up as something we should look at.

The initial setup is complex.

We are using a LogRhythm partner, at least for the first three years, to help with the monitoring and the deployment of it. We are not a big enough environment where we have people that we can dedicate to it right now.

We require one person for deployment and maintenance.

I would recommend LogRhythm. I am really impressed with it, though we haven't start using it yet.

We are just in the middle of deployment of the full-spectrum analytics capabilities. We haven't finished the configuration of the product yet.

We do plan to use the built-in playbooks.

We have approximately 931 log sources at this point.

Most important criteria when selecting a vendor: 

1. The reputation of the vendor. 
2. The quality of the product. 
3. The integration into the environment that we have right now.

The most valuable feature to me is certainly the CloudAI, which I have been a beta tester of, and also the SIEM capabilities and automation.

I see CloudAI expanding greatly. It's obviously a new product for them. It will be able to give contextual evidence of people's behavior which, at the moment, whilst the SIEM does that, AI actually is that specification and concentration on people's behavior, which is a huge component in cybersecurity.

The benefits at an organizational level would certainly be that for my company, which is in healthcare, certainly a huge compliance, but also it gives me visibility of all the departments in my company, not just the IT department. I'm able to see the actions and behaviors of the whole company, not just on my campus, but remotely as well.

What still needs improvement is automation. The SmartResponse obviously does not use open APIs at the moment, so we're having a lot of problems connecting it with things like Palo Alto Traps and some other systems, things like Cisco. I know that it's on the roadmap, but at the moment that is where the weakness lies.

For myself, I would like a HIPAA configuration out of the box where I can switch on various HIPAA rules. Obviously, HIPAA has 18 very exact identifiers and I'd like those to be already in the box ready to be switched on.

My impressions of stability are exceedingly, that I've not heard any down-time. We have had to contact support a few times, but just to see how to do a few configuration settings.

It's actually been scaling incredibly well. We have put more memory in the box and we've taken some of the Websense traffic and put it onto VMs. We can take more hardware and daisy-chain them up, so we know that when we do need to have physical hardware scalability, that feature is there.

Exceptional. One of our tickets had to go all the way to level three, but it was exceptionally covered well and the resolution was incredibly timely.

It was our very first log management solution. When I joined, we did not have a cybersecurity program. My employment was to build a cybersecurity program right from scratch, right from the start. Whilst I evaluated a couple of other programs, LogRhythm came to me, through the evaluation of those, to be the clear winner.

The criteria certainly was scalability. Our company, within a year, has gone from $600 million of revenue to $1.3 billion. At that point, I knew that we had to have that scalability function.

I've been very lucky that some of my staff have very high technical knowledge on configuration of LogRhythm. If I didn't have those staff available to me, I would certainly recommend the Co-Pilot, which is an option that LogRhythm provides. I think that gives you the confidence that you've not only bought a product but, at that point, how to configure it and use it.

Very happy. Yes.

As a guidance and recommendation, I would ask them, what is your level of comfort in configuring LogRhythm? If they say to me, "Not so much," I would say, "Well, then you have to budget not just for the product, but for the Co-Pilot solution as well." If, however, they say, "No, I'm very happy. I have the skills already in-house," then I would say obviously to buy the product with the Professional Service hours.

Key challenge, of course, is how the threat situation changes every day. LogRhythm is on top of that and very helpful. Another challenge, of course, like many other companies, staffing is not where it should be, money is not where it's supposed to be, but we do well.

We service the University of Massachusetts, but we also have other customers, all higher-end. It's up to the customer what they want us to look at and LogRhythm, absolutely, has the tools that we need to find the data threats that the customers are interested in.

We're MSSP and we've only been using LogRhythm this past year and we've actually found several instances where we've benefited our customers with the data that we have found, that we've collected. We were able to find out what was wrong, deep dive into it, and suggest to our customers what they need to do.

I would say the amount of data that it collects and the way it correlates it, extracts it, and makes it easy for an analyst to look at it and deep dive into it. I had another SIEM before LogRhythm and it was nowhere near what LogRhythm does.

The idea to me is collecting all this data and then extrapolating all that data, and it's phenomenal.

From what I saw yesterday here at the conference, they seem to be right on track with making the Web Console much easier, case management much easier.

When you're searching on something, you see something that you think may be a threat, you have to keep threat-hunting, deep diving, and from what I saw yesterday, it looks like it's going to get a lot easier and more helpful.

Unbelievable! Very good.

Very good. I was very impressed, especially yesterday, here at the LogRhythm User Conference, I did the 7.3 session, what's coming out. We've been around, as I said, less than a year and within that time frame - and from what I saw yesterday - it's unbelievable the way LogRhythm is moving forward.

If I look back to my other SIEM solution providers, the one we had before this, it's light years difference. LogRhythm support is very, very helpful, very knowledgeable. There's always somebody there. If they don't know the answer, they're going to go find someone who knows the answer. So it's very good.

We used their Professional Services, I was one of a group of three - and the professional services - that helped roll out. It was pretty straightforward. Of course, it was different because it was all new to us, and using the Professional Services was very helpful.

The driving factor in searching for a security solution would be, in this day and age, the threats that are out there are incredible. I think LogRhythm addresses a lot of the issues that are out there. Again, it's on us to make sure LogRhythm is a solution. It's a tool. If we don't use it properly it's pretty useless at that point. It's on us.

I would say it's very important that a solution be a unified, end-to-end platform, especially in a higher-end environment.

My nine out of 10 rating is based on what they offer, and what I saw yesterday at the conference, what they're coming out with. They seem to be on top of things.

Among the different SIEMs that are out there, the companies, I would definitely recommend LogRhythm.

We use this solution to examine disparate log sources and provide a cohesive method to search for anomalous behavior. 

In our compliance environments (NERC and SOX), we are able to provide evidence of compliance.

The most valuable feature is scheduling the KB update, which reduces administrative effort.

I would like to see support added for Exchange 2016, and Check Point OPSec Lea.

Adding the capability to identify and perform an auto import of new log sources (especially Windows-based systems), based on specified criteria, would be a useful feature. 

Enhancing the creation of report packages would also improve this solution.

The primary use case for this solution is to monitor our environment and ensure that we are not having any breaches. In addition, this solution allows us to maintain compliance with HIPAA .

The SIEM and the CloudAI has improved our organization by helping us track down errors in our network. It has helped out our IT services team, and it's also helped out our database team in trying to track down errors inside of our network. It's also opened our eyes to a lot of the attacks that have been coming in to our network from outside threat actors. It's helped us stop a lot of those attacks as they're happening, and it's also helped us identify some policy violations inside of our network as well. 

I haven't used the playbooks yet, but from what I've learned here at RhythmWorld, I will be integrating the playbooks as part of our incident response policy.

The most valuable features for me are the customization features. I can build it out to do whatever I want. I've created rules in there for Crypto mining and Crypto jacking. 

The compliance aspect is phenomenal. The reporting in there is fantastic. It helps our internal audit team. It also helps us with our compliance, as well, for our audit. So it's a lot of good options in there.

CloudAI gives us analytics into our user's behavior and whether or not they are acting outside of their norms. It has helped me to identify a lot of policy violations inside of our networks. A lot of bad habits. Just for a specific use case, I've identified where an account that should have been disabled was being used by another user inside of our network. A lot of policy violations. A lot of geographical location identification inside of the networks.

CloudAI-UEBA has enhanced my security operations because I've been able to track down users with anonymous behavior. To be more specific about that, I've been able to track down users that were using accounts that they shouldn't have. So for example, we had a user that left the company and another user was using that account to access servers inside of our network that they didn't have access to. So it's very powerful. It just takes some learning to get used to.

I have over 3,300 log sources. The support for log sources is pretty good, unless you want to go to the cloud where I've had some rough spots with that. I had a hard time integrating with Office 365 because my antivirus wasn't supported. I had to get some custom parsers in order to get that integrated.

I would say that better API support for cloud log sources would be a definite improvement. 

Ease and setup would be a major improvement because it took over a week to get it all up and running, and that didn't even count tweaking it and getting it all set up for my environment. There's some room for growth there.

The stability is decent. During the day it works just fine. We do a lot of reporting at night and it hits the system pretty hard, but other than that, everything works perfectly. During the day, searching is perfect. It runs perfectly. The stability is fine except for those heavy hours.

Stability for CloudAI has been great. I haven't seen any issues with it dropping. I haven't had any issues with that at all.

The scalability for the most part is OK. The product has some hard stop limits on what your processor can handle.  I have an XM appliance, which means it's an all in one.

I have some hard limits on how far I can go with the processing rate. So if I go above that I'll have to spec out a whole new system and then renew my license. I don't see that happening anytime soon in my environment.

I have used tech support a few times when getting things set up. For the most part, they are pretty quick to get back to you and very helpful. They've also showed me a lot of tips and tricks to make things either run better or to get better results for my SIEM. The customer support is fantastic.

I knew that we needed a SIEM solution because we had no visibility

We didn't have any SIEM monitoring tools up until I showed up at the company. We didn't have any visibility into what was going on on our networks or on our systems. So that was one of the first steps that I took when I came on with the company.

My shortlist was Rapid7 InsightIDR, LogRhythm, and Splunk

I had a live demo of InsightIDR running in my environment and I liked LogRhythm a whole lot more, a whole lot better than their solution.

On average, I process around 1200 messages per second.

So measurable results for mean time to detect and mean time to respond. I don't have measurable results because there wasn't anything there beforehand. But now, we've responded within hours to events that could have been breach incidents, or in some cases within minutes and stopping attacks in their tracks.

My security program's maturity is still in its infancy. I'm basically starting it from scratch. LogRhythm has been a major step with giving me file integrity monitoring, the SIEM capabilities, log collection, a lot of things that we didn't have before. User behavior has been amazing for helping me keep track of what's going on in my network. So it's been a major stepping stone. It's the first in many.

I would rate LogRhythm as an eight out of ten because of the compliance factor. The modules for compliance are fantastic. The UEBA and CloudAI are solid for user behavior, and the SIEM itself is very powerful. I work very heavily in the customization aspect of it. Writing my own alarms, my own rules to try and track down events and alarms, stuff going on inside of my network. My only complaint really is just the lack of API support and how much work it takes to bring in cloud. That definitely needs some work. And just the time to set up is very time-intensive.

If I had a friend or a colleague that was looking to implement a SIEM, I would definitely recommend LogRhythm, and I would pretty much give them the same answers that I gave here where cloud support is still growing, but the tools that it has are very powerful. The behavior analytics are fantastic. It definitely would have to be on their list at least to look at.

I'm an admin and analyst, so use cases cover a lot of log sources for applications, mostly.

Being able to see when one of our assets is down and being able to restart it really quickly has been a definite benefit. It has been really helpful in the general maintenance of our whole environment.

We're able to look at our environment and see how it's being affected, according to the log sources. We can immediately see how the system responds to things that our development team does.

The Web Console is my favorite. It enables me, at a glance, to see the health of the environments. That is really important to me and to us.

I would like to see more widgets. I just love the widgets on the Web Console, I love to play with them, so more would be better.

The stability has been great since the upgrade.

We just upgraded to 7.35 and, although I wasn't involved in that, it seems like since then everything has been working really well. It scaled really well and we are taking in new network monitors. That has been really easy.

We usually do end up having to remind technical support about our issues, get back in touch with them to see what the status is on our tickets. That has been frustrating in the past, but they do find solutions. Sometimes it takes a while. And sometimes that communication gets lost. Some of our tickets had to be escalated to engineers. They get a little bit lost, at times, when that happens to a ticket.

Overall, I would rate tech support at three out of five.

I would definitely recommend LogRhythm. Work with the LogRhythm team to help learn how your environment works. Use as much help as LogRhythm can provide in your initial setup, so you can understand your environment best.

We have more than 20 log sources. We average around 3,000 messages per second. We have hit 8,000 in the past, but not since the new upgrade in which we got more room. In terms of staff for deployment and maintenance, there are just two of us who share it. But when we're on-call, all of us use it. There are nine of us who use it every day when on-call.

I rate the solution at seven out of ten. I'm very happy with it. I love how powerful it is. However, the customer service is where the points come off. I know they're working on it.