LogRhythm SIEM Reviews

The breadth and harvesting of information the SIEM is capable of doing. I've been in this probably going on 30 years, and I've seen the growth. I found a resource that's outstanding in finding information and then the most important thing, distilling it, putting it together, which is a real big challenge in this field.

We're a financial service. As our title implies we deal in mortgages, which means we see a lot of personal information, credit reports, financial instruments. We're really concerned that we are able to monitor the movement of that kind of information and protect it.

LogRhythm has been extremely efficient in helping us find the bad guys, who are really out there, they're targeting businesses like us. They specifically want the findings, the money. If you can get in the middle of a loan you may have to go after 10,000 people trying to find the data, but if you can get four houses at $400,000 or $500,000 apiece, you've just harvested $2,000,000.

For us, LogRhythm has given us the kind of insight we need to understand when those threats either are being recon-ed, found out, or when they're really trying a brute force attack to get at us. It's excellent for that.

I really can't think of a particular one, I've been very satisfied with what's happening. 

I know they're going to get another spike in customer base, hopefully they'll have the ability to ramp up people in support along with the customer ramp up. That's a hard game to play.

I've been part of a number of beta tests, so when CloudAI came out - which is phenomenal: The ability for something to give you information in a SIEM environment, you're often gathering data, writing rules to monitor the data, so you can see what you think you should see. But they're doing inference engine work, where they're looking at what a threat implies, and then presenting it to you.

In our field, false positives versus true positives are a big deal, but they've kind of taken it a step forward. I've come to call it - they may offer me information that I look at, that I didn't know about but I should know about - it's not a false positive because it didn't show a threat. It's a true insight because it showed me something that I wouldn't ever infer myself. 

So features like that, the work that they're doing moving forward in that space, especially with machine learning. The sky's the limit in that, I'm looking forward to them doing it. 

I find it very mature, it's well designed. 

I'm sure if you're speaking with other folks today here at the LogRhythm User conference, you'll find that they're talking about all the new product roll-outs. They think these things through. Since I've been in the industry for many years, I've often found people will roll out products very soon. Often before they're mature enough to be out in the field. LogRhythm doesn't have that problem. I've been very impressed with that.

Except for the experience you often have when you do upgrades - and mostly it's the human, not the software - becoming accustomed to the new material, they've done a really great job.

We tried to size what we purchased, as an appliance, properly. You never realize how much data you're gathering until, of course, you see how much you're gathering. You're thinking maybe 100 million records a month, and you find out it's 100 million records a day. But we've been able to deal with that, understand what we're using. 

They've also been very helpful about throwing away the stuff. There's a lot of information that computers generate, not all of it is relevant. So we've able with it, to look at stuff and begin to filter out, in some cases, 20% to 40% of the content that isn't relevant at all.

I've found through the past two years they've had a few bumps because they've become so popular - I was in customer support years ago, I understand it. When you get a quick rise in customers it's impossible to maintain a support staff at the same time that you're having a fast rise in people who've bought your product. But they've worked through it, they've been responsive to it. 

I've been able to talk to the Director of Training, and the Director of Support on a couple of occasions, we've come to know each other, which is really valuable, especially in our business. Because he can look at me and say, "This is what we're doing." I appreciate the fact they're honest about the situation, they know me well enough now sometimes to be blunt, which is great. It's a good rapport, intelligent people, which is really essential.

None of this is offshore, it's all inside the United States. When I used to do secret cleared work, it was always a requirement that it be carried on within the boundary of the US. I've sort of picked that up as a habit, and these guys are really good at it. It's here, occasionally I go up to Boulder and see them, but it's very satisfactory, very reliable. They get on top of my problems, we usually fix them inside 24 to 72 hours. 

I had to do a proof of concept review two years ago when we were doing a rebid, and LogRhythm was the incumbent. I looked at some other companies. The thing that was essential for me was not only that you could gather data quickly and efficiently, but how you harvested it and how you maintained it. A lot of the other vendors had different ways of doing it, nothing I considered reliable and I was worried about the fact that, as their volume increased, the performance of their appliances would decrease.

What I found with LogRhythm, especially since I picked up one of the newer XMs, is that it has the capability to handle the volume I'm looking at but also, if I want to separate certain parts off onto certain systems, to basically spread those elements out. That was a feature that became really critical for me. Without that I'd be stuck with the pressure of one box, if it fails it takes all my operation out. So I get both, strength and diversity, because I can use multiple systems, they have that flexibility, the others didn't show me that. 

Those were some of the things that were important. 

Also, being able to handle tens of millions, and hundreds of millions of records from a wide variety of resources. They have something called log source types. Log source types let you ingest data from Palo Alto firewall, Cisco firewalls, big F5s, all sorts of environments, draw the data in and make it relevant. 

The other environments - whenever I hear an engineering environment tell me, "Its just a simple matter of programming." It's not. 

When somebody says, "Here's the log source type, and this will do this with your data," and you draw in 10 million records from the firewall, and that afternoon you can make sense of it. That was another reason why.

We've lived through three or four years of the product, so in the early time it was major upgrades, releases had a lot going on. But now things are almost completely seamless. 

LogRhythym uses both the central environment and then sensors that it spreads out. It used to be that you'd have to upgrade the central environment then get all the sensors. As they've moved through things I can now do one upgrade in one place and tell that central environment to upgrade everything else. It cuts down my time from being 12 or 13 hours for an entire operation, to about three or four hours to bring the main environment up, 15 minutes to start up the upgrades. Then it's time for coffee, come back, usually I'm done.

Things that are important: the first time you get a SIEM in your hands you think it's great to gather everything. Then you find out within a couple of days, gathering hundreds of millions of records and trying to make heads and tails... 

Begin slowly, focus on various systems, understand what they mean. 

A lot of people go, show me the perimeters, show me the firewall, show me the network. Pull that data in and when you've got it then turn around, look at all of your Windows servers, your domains, those environments. 

Moving slowly and classifying your data, so you can make the rules you design really specific. It helps you if you've got control on it, you can throttle volume, but also when you have anomalies pop up they don't pop up because you forgot something in a rule. They pop up because there really is something new.

It serves several different features. We can check the checkbox for HIPAA compliance, SEC-type stuff.

But really, our biggest focus was actually on our clients. Because we're an accounting firm, a lot of our clients actually audit us, or they have large security questionnaires that we have to fill out. So having a SIEM product is one of those check boxes, and being able to say "yes" on security questionnaires; or one that clients come in and say, "We want proof that you're auditing your domain controllers, that you're auditing the security files servers, you know who touched our files, how they read them, deleted them, modified them." 

Being able to pull all that information up before the auditors, it's great. Very critical.

We're fairly new to LogRhythm. One of the things that we really liked in the deployment PoC phase was the dashboard. How easily it percolated critical information up onto a screen that we could immediately review, and drill-down to look at the raw logs. That was one of the key features that we liked in the PoC. Still today, that is by far one of the best features.

Probably the biggest improvement and I've talked to several of the management here at the LogRhythm User conference on it, is their thin piece, which is their file integrity monitor, that we use on some of our security servers. The data sets are extremely large, tons of files are being modified, deleted, created. That product could use some more enhancing.

We've been working with them to enhance that product for future releases. It's been a good experience. 

Any issues that we've had, they've actually fixed the majority of the issues that we had with the initial product, by even giving us customized installation packages to adapt to our environment.

It's been real good. We've done several upgrades since then. Each time, if there has been an issue, we've just opened up a ticket with support and literally, it's hours to minutes sometimes - depending on time you open up the ticket. There's a response and then engineers calling you, and helping you out through some of those issues. It's been good.

We haven't scaled because, like I said, we're still the first-year phase. Now, when we purchased the product, we did purchase it to scale it out a little bit over time. We overbuilt it just a little bit so that we could keep adding log sources to it. But so far, we've been right on the money, as far as the initial build of it. 

We had come from two other SIEM products that were going end-of-life. The original one was the Cisco Security Manager, and then the latest one was RSA enVision. Because that was going to end-of-life, we needed to find a replacement product.

The big thing was the PoC was a great tool to get a great overview of what the product was going to be like. We also worked with an SE that helped deploy the product. Then we also were able to talk to support. So we got a good feeling to how the product was going to operate, not only from our operational standpoint, but also from a support standpoint, and also from help from our local support engineer.

We just had a great experience all round, and when comparing feature sets, the web interface to the alarm drill downs, the AI Engine drill downs, to the network monitor product, it was definitely on the top of the list.

The other big thing that we really liked about LogRhythm - we had a unique requirement - was that we had to have appliances, we didn't want virtual devices. Just from the security side of things, we wanted to be able to manage those devices ourselves, rather than having our infrastructure group manage those. LogRhythm also provided us the appliance base versus Splunk which is all virtual base.

We actually used LogRhythm's Professional Services group to help us get the product up and running. It went real smooth. Matter of fact, the amount of time that we allocated the Professional Services, we were short of that. It just went real well. 

Our group caught on to the product very quickly, which was another great benefit. We were able to do a lot of the work ourselves, versus relying on Professional Services to do it, just because we caught on much quicker than we had thought initially.

Our SIEM solutions list included several different vendors from Splunk to LogRhythm to RSA, their new product. We ended up choosing LogRhythm.

Just from the simplicity standpoint, it's met all of our expectations now. Like I said, you always have that little thing here and there that you still have to tweak, but other than that, we've really liked the product. 

The biggest thing in this product is not everybody on our security team is well versed in SIEM or analytics, but we found that LogRhythm - the Web Console UI - really simplified, especially with the metadata parsing out. It allowed those people to read those type of events much quicker, because it was right there, and it was pretty easily translated. So "user" is username, "host" is the host, and so it's very easy. You're not having to dig through this big long raw log file to actually figure it out. Then if it needs to go there, it goes to an advanced person.

Not just for security but from an operational standpoint as well. Perhaps an end user would call with a particular problem - "I can't print in this" - and, during the investigation of that, we could find perhaps there was a log message that was generated, an error from that application. Then we could create a rule, quickly and say, "Any time that you see that log generate an alert..." 

It enables our IT staff to be a lot more proactive, to fix problems, instead of having to wait for the end user to call and say something is not working.

The scalability. We had a huge problem with that before. Now, we can quickly search through all of our logs. If we have an issue that, perhaps there's something suspicious from a particular host, we can quickly go through there and search all the logs for anything that had to do with that host for a specific time frame, and anything coming to or from that host, or if it's a user, or whatever it is. Investigations, its really been helpful for.

It's not necessarily bad against LogRhythm, but I think an area that always can be improved is the parsing rules. The more information that we can get out of the logs, as far as specific metadata in the logs, whether it's an IP address, or something like that. Sometimes, LogRhythm will parse the rule but perhaps it won't get every little detail out of the rule.

Any advancement in those, could be very helpful to be able to correlate those logs against other items. Especially for items that are a little less - "mainstream" may not be the right word - that are not necessarily a top-tier vendor. Perhaps, instead of Cisco, it's a different firewall vendor. Those sorts of things, that sometimes we run into an issue where the log parsing is suboptimal. It could be a little bit better, could be some improvements there.

We have about 550 users and 150 servers or so, and I think we're feeding in approximately 800 logs per second on average, into LogRhythm. We haven't had any problems with scalability. It chews through the logs, and our searches are pretty quick, they're very responsive.

Fortunately, we haven't had to deal with them a lot, but when we have we've had really good luck with them. They have always been very knowledgeable, quick to solve our problems, very responsive. They'll follow up if there is a delay, perhaps they're still researching the solution. They're always quick to reply back and say, "Hey, I haven't forgot about you, it's still with the developers." Fortunately, we haven't had many issues with the product.

We were using a different SIEM tool before. It's probably not really fair to call it a SIEM. It just really wasn't quite robust, it was more of a log collection tool. The system worked fine, we could create some basic events from a single log: "You see this log, fire an alarm off of it," or something like that; not really correlation per se. 

We had issues with scalability with it. We could stand it up for about a month, and then after about a month, as the database started getting full, then trying to do searches and things like that, it was too slow. So you would have to clear out the database, start again, and again it would work for about a month.

Yes we did, unfortunately I don't recall exactly which other ones we looked at, but we had a number of different demos with other vendors and, obviously, chose LogRhythm. 

We are really happy with the product. We've been a customer for a number of years now and really haven't had any issues. It's done just about everything we ask it to do.

It takes good log sources. We have investments in endpoint protection and Mail Gateway, and our firewalls are going to be catching up soon. To have all the logs centralized, we haven't had that before across the enterprise. We had it logging at one or two locations, but this is the first time this year that we actually had all the logs go to one spot and be able to have alerts and alarms set up.

We use CrowdStrike as our endpoint, so we are in the process of getting those logs into the SIEM and we haven't got that done yet, but that's going to be a real big win for half our logs are on the endpoints that the employees have. To have that visibility is really important.

Provides visibility into the network. We got it for PCI compliance for the most part, and we also do SOC 1 and SOC 2 compliance, so we can show that we're secure to our clients. We have a lot of financial and other customers that care about security with the kind of business that we do. But we're looking at it to do SOC Light, not 24/7, but we want have a visibility into everything that is going on in our network, be able to respond, and do incident response using LogRhythm as our main console.

Our key challenge is working with disparate IT groups. We are a brand new security team within our organization. It's a pretty small company. They have grown their infrastructure by acquisitions, so they have a lot of separate naming conventions at each location, different staff, different log sources, and firewalls, which are different at each location.

It is has been a challenge. This has been one of the first applications that we've had. This and a couple others that security teams brought in recently that works across the enterprise. So, we've had a lot of challenges just getting AD or DNS to work, real basic stuff.

Then, also the log sources for the servers, we didn't have a lot of the logging enabled, so we had to kind of go back and then we had to enable a lot of logs using GPOs, working with our IT, and actually doing a lot of the work ourselves, because challenges are resources. There is so much work to do and not enough staff.

I did see a lot of the web console features coming up. I think those dead on, exactly what's needed. A lot of them had to do with better case management and more sorting, going through your alarms, and drilling down in different ways. I think that is really important.

In terms of improvements, I would probably look for more things to go into the web console that is currently on the fat client. I think that is the trend. I think that is what LogRhythm is doing. I find myself going back and forth between the web console and the client console and I probably spend more time in the thick client and it'd be nice to just be in one.

LogRhythm is really on track and they're doing a lot of things very well. In some other areas, particularly with the UI, how things are done administration-wise and a little bit on LogRhythm University, some improvements are needed. There are some challenges with registering for classes and taking them.

I was not completely satisfied. I wasn't really sure what classes to take. I did not feel like I had the direction initially to understand how to deploy LogRhythm. When you get LogRhythm out-of-the-box, there are so many knobs to turn and so many things to configure and set up, that it's almost impossible to do it on your own, as an enterprise senior engineer. I have a lot of experience with a lot of advanced tools and I find LogRhythm very challenging. I do not think we really could have gotten where we are without Optiv coming out for a week and spending time setting up the appliance and optimizing it the way it should.

There are some improvements that could be made to make it easier to use.

We haven't had any issues. I believe we had an alarm for a service restart, it kind of self-corrected itself. Something I noticed, but other than that, it has been rock solid.

I am not even using a quarter of the resources on the appliance today, and that's good, but we still have some log sources that we are still enabling.

We got our biggest ones in there, except for Mimecast and CrowdStrike, so that will add quite a bit. Hopefully, it won't be an issue for us right away. My impression is that there's all sorts of ways to expand and build out.

We have an all-in-one appliance, but I'm fully aware that you can spread out the functionality, so we'll keep an eye on it. I feel like for our size organization, we're growing fast. We had double-digit revenue growth year-over-year for the last seven years. We are growing really fast, so I anticipate it will be a problem eventually, but not in the foreseeable future.

If they're a super, large enterprise company, they might want to weigh having a LogRhythm infrastructure that is spread out.

I am not completely convinced that LogRhythm scales to the highest, largest size enterprises. I really do like IBM QRadar, I think it is one of the best SIEM solutions. If it was a larger enterprise, I would maybe have them go head-to-head.

We have used technical support. The last issue that I opened was because I didn't have the correct parsing support for our Fortinet firewall at our main locations.

The version of firewall we're on, not very new. It's actually a year and a half going on two years, and it wasn't supported. We opened up a ticket, but it was already a known issue, and they did eventually release the parsing. We're seeing all our logs now.

We get pretty much same day response from them. I've opened up a total of two or three tickets, and each time it was right away. Their support is good.

We did buy the XM appliance, the 5GB, I forget the model number. We just got it, the largest one that they would sell us.

We are not using it completely, but it's a single appliance for the LogRhythm. We have a mixture of Microsoft clients, Linux, and Mac on the PC, the laptop side. We also have a lot of 12U servers, which is a little bit of a challenge getting support.

The other change that we made recently was upgrading to Mimecast. They don't have the integration with LogRhythm yet but it's coming. I just talked to the Mimecast SE a couple times in the last few days, and it's not here yet, but it'll be here soon.

I had a little bit of experience with QRadar and a customized SIEM solution at my last job where we had used an MSSP environment, so really a lot different scenario, and you didn't really get to work with the clients directly upfront and control the log sources. Now, I work an enterprise that is slowly gaining control of everything, and that is a lot better.

We chose LogRhythm because in the Minneapolis area, the security community is pretty close and there are a lot of other customers and associates, like my manager and myself, who know a lot of people using LogRhythm. So, we got a lot of good feedback.

I was involved in the initial deployment and setup.

We had some challenges. The problem that we ran into is that without doing a lot of due diligence was management decided that let's deploy LogRhythm on the cloud on AWS because we're going in that direction for a lot of things, so we had Optiv come out and do the installation and setting it up for us, letting us drive, control the mouse, the keyboard, and so on. We ended up discovering that it would be $100,000 a year to have the virtual appliance in AWS just for the spec requirements and we pulled back on that. It was cheaper just to buy an appliance basically. The cost for one year almost paid for the appliance that we got.

We lost a few days of consulting time. Because of that, we had to delay the project a little bit and start over. Then we realized that once we did start getting all of the agents and logs coming in, we were not seeing all the logs that we needed. Then a lot of the log sources that we really needed weren't there yet because of our infrastructure challenges.

That was a learning experience, knowing what it takes to install a SIEM from scratch:

1. Have your inventory down.
2. Understand your network infrastructure challenges upfront.
3. Having the appliance versus the cloud and really understanding the pros and cons of that.

I know when we spoke to our sales engineer (SE) that there were very few cloud implementations. It is still pretty new. They tried steering us away from it and we didn't listen. We probably should have listened a lot better.

We use Optiv, and I understand its LogRhythm's largest partner for third party support, and we have had good experiences working with Optiv.

LogRhythm is successfully employed in a lot of organizations. We tried using another large SIEM, I won't name it, but we weren't able to even get it deployed. It was just too complex, and this was at CenturyLink.

QRadar, it's really easy to use, but for our size organization, we only have about 270 employees. That is not a whole lot of log sources, so it seemed like LogRhythm fit into that profile a lot better for our needs.

When it comes to the SIEM, LogRhythm was pretty much our go-to. We really wanted to go with LogRhythm and we were hoping that there wasn't any reason not to. Because my manager and myself had some experience with some other SIEMs and knowing what the success rate of those, and then just knowing people who use LogRhythm and who have said good things about it. At that point it turns into, "Is the financial investment going to work out for us?" It turned out that it did. We wanted to go with LogRhythm and we're glad that we're able to make it work out.

Smaller, medium-sized companies, I would actually steer them towards LogRhythm and have them look into it, then I would share my lessons learned.

It is important to have a unified end-to-end platform, but you also do not want to get vendor locked in. Its from a value perspective and a productivity perspective, that is where it is very important.

You do not want to be stuck with one product that then changes course or evolves. You always want to be with the leader in the market that is innovating. You want to be able to maintain that flexibility and be nimble to switch up when needed but having a real good go-to vendor, and LogRhythm seems like they are developing into that.

There are a lot of different firewalls out there. There are a lot of different network devices and different servers. They fit their niches, and it is important from a staffing and training perspective to have fewer products and technologies to support, because it is just hard to find people that are experienced.

You have to balance it out with having the best tools to do your job, because the challenges we face and all the security threats that are out there, you got to take advantage of what's available. If you're using multiple vendors, then so be it, but it is a balance.

Most important criteria when selecting a vendor:

• Interoperability with our partners and the rest of our stack that we have.
• Usability and access to support and documentation are really key.
• Being able to get the value out of your investment in a security product.

There are so many security products out there and so many tools. To be successful, you have to understand how the product works, have the documentation, and training available. That is really key. LogRhythm does a pretty good job.

We are about 5000 users. At this point, we only have one XM appliance with an external storage. We're looking for a vendor right now, for a sales engineer to work with us in trying to upgrade it. We're looking to expand it. We're looking at monitoring more our work stations. We have about 1000 servers on it, and about 300 to 500 routers and switches on our system. And of course, we are also a Windows shop, so we have about 4000 to 5000 units on it.

A lot of it is being a single point of log management for the whole company, not only for our compliance, but basically it has become an operational tool for our company, for our day-to-day stuff. And it's more, on my end, for the security solution.

It's a compliance tool for our needs.

Security analytics, cloud security, log management are also definitely valuable. We're looking at all the cloud features at this point, even antivirus is going to cloud. A lot of analytics are going to the cloud. So, we're looking at LogRhythm, what it's going to do at with the AI cloud stuff.

What I would like to see is improvement on the analytics, especially on the cloud and intelligence workspace.

We have one box right now. We're in the process of scaling that, so I can't speak to this.

I've been working a lot with technical support, technical professional services. We just recently did an audit of our system. I'm waiting to get a report from that, so that's one of the things I'm working with.

They're pretty much responsive. The only basic thing is, when support issues are passed on to a first-level support, it takes a while to get to the second-level support to make sure the first-level support answers all our questions. Sometimes it's a challenge to bring it to the second level of support and get the answers that we need.

No. We have always done our homework and we believe that LogRhythm continues to be our solution.

It was pretty straightforward. I was happy with the deployment team. They were onhand and they were explaining a lot of stuff that was happening, so I feel pretty good about the initial deployment.

No.

The driving factor for our company is compliance. And next, for our security team to make sure that there's no occurrence of anything that we don't know about, besides operational issues.

My key challenge is to make sure that LogRhythm stays relevant on our day-to-day stuff, making sure that we can have a quick analysis of what's happening in our network, what's going on, and what our security posture is at a given time. For my needs, I'm looking more for it to bring a more comprehensive picture of our security, for the whole network, since I'm routing all the logs to it.

The most important criteria when selecting a vendor is technical support. At the end of the day, when all is said, price and pricing and so on, you will have to deal with technical support one way or the other.

In terms of a solution being a unified end-to-end platform, it's one of the top 10 SIEM tools on my list right now. A lot of our auditors are saying, "We need to track to a one flat form where we could see a dashboard, where we could see how everything is going on in our network."

LogRhythm NextGen SIEM is great. We use it for log management for security purposes.

The security operation center is excellent, and we can pick logs from any system, not only the IPS or firewall. In addition, it has the capacity to accept logs and provide smart dashboards and analysis.

The most valuable feature is the SOC Security Operations Center feature. This solution has two types of systems, virtualization and the appliance. The appliance is ready and configured, so we use the IP addresses and trigger the endpoint. It's very user-friendly, and whenever anyone deploys a virtualization system, they can experience it.

The customer support system is time-consuming and needs to be improved because it is not very good. For other solutions, you can deliver whenever you have a customer problem. All you need to do is open a ticket, log into the system, and the issue is resolved. However, for LogRhytm, we have to flag the problem and then send the log, and we never know if we will receive a response in one hour or one week.

In addition, LogRhythm NextGen SIEM has one of the best analysis features, but it can still be improved. However, I believe they plan to make improvements since they're only selling the product for two systems currently.

We have been using this solution for three years.

It is a very stable solution.

It is a scalable solution.

I rate the customer support a four out of ten.

Neutral

The setup was very easy. I rate the setup a ten out of ten.

The price is very good, and it is very cheap compared to other solutions. If we compare it to SolarWind, SolarWind is not as advanced as LogRhythm NextGen SIEM.

I rate the price a nine out of ten. We always consider the features and quality before the price, but the cost is still very good. We get about 98% of the features we want.

I rate LogRhythm NextGen SIEM a nine out of ten.

Our primary use case is for fraud detection and infrastructure, so we use the SIEM to detect frauds in the banking side of the house as well as infrastructure. I use it for security and UEBA purposes. 

We have seen a lot of improvement. When I first got into LogRhythm, we were just doing the fraud side of the house. Afterwards, we started doing the infrastructure side, where we're seeing a lot of events coming in. We were getting a lot of ransomware attacks that are happening or a lot of malicious actors coming in, trying to hack ours, which we can see in the SIEM right away and use the SmartResponses to block it at the firewall level.We stop them at the edge level, and we don't have to worry about them coming in.

We do have an MSSP that does our 24 hours ops, when we're not there during normal business hours.

The playbooks will come in handy for them to go through and meet our expectations, so I can design the playbooks of what I expect and what the organization expects during certain events triggering and the process that they need to take place for them to call us up at night and say, "Hey, this is something that needs your attention."

I have plenty of log sources. Roughly, I have about 500 plus different types of log sources coming into my LogRhythm, and the support's been great. The out of the box solutions with their log message processing has majority of what I need. There are some that I had to create, because obviously the products are new, and I made LogRhythm aware of it, and they're creating custom parsers for it.

We are rated for 10,000 MPSs because we have two data processors and data indexers, but I'm only using about 3,5000 combined.

The solutions have been great for us. We use the SmartResponse to do most of our automation work for us, to block attacks, and to kick off users if they're doing anything malicious. It's saved us a lot of man hours. Based on MTT and MTRs for us, we've saved a lot of considerable time.

I did see it decrease in time to detect and response by a day, because there is myself during work hours and MSSP, which we combined, and we've reduced it to about 24 hours, mean time to detect.

Some of the valuable features, I find it's very easy for me to integrate new log source types within the SIEM. The MPEs, there's plenty out of the box solutions that we can integrate new appliances with. We're constantly buying and upgrading our appliances, so it makes it easy for me to ingest logs and run correlations in the AI Engines. 

Currently, we don't have full spectrum capabilities. We're using AI Engine mostly to run correlations, and then we obviously have our dashboards and stuff, but apart from that, we're working on the UEBA implementation for users to run more correlations. We do have our net monitors that we use to run packet monitors, packet captures, and even traces.

I think where I see room for improvement for LogRhythm is probably granularization of log source types. So, if that were to happen, I think it'd be a lot more better for the product. So, we are in the current five-year security maturity program.

I've never had any issues with my SIEM. We just upgraded from physical to virtual, and it was a seamless process. Everything worked well.

LogRhythm is very scalabe. We increased our MPEs from 2,500 to 10,000 right now, and we're very happy. We have room for plenty of growth. We're only using less than half of what we have.

Tech support's always been great. Every time I had an issue, I'd go in, open up a support ticket. I usually get an engineer calling me back within the first half an hour, and they'll help me troubleshoot within a day.

The product was already set up when I first jumped on with the organization. My only process is the movement from physical to virtual and then the upgradation to 7.3 and 7.4.

So, we are in the current five-year security maturity program. We're on year one, and LogRhythm is gonna be the center point for the first two years in terms of aggregating all the different log source types within the organization. We still find that there are log source types that are not coming in, which we plan to integrate within LogRhythm and use its analytics tools to help us get more mature and establish us forward in maturity of our security for the industry.

I rate LogRhythm 10. It's very easy to use. It's very user friendly. The product is very innovative with SmartResponse and AI Engine, so it takes half the work from myself and my analysts, so I love that product for that reason.

It monitors any potential security threats within any of our important network security appliances, like our firewall, or any of our important databases. The idea being that you can't look at all the logs at once, so we now have a central point of monitoring for all potential threats.

I have been using LogRhythm for just a few months, but the college has had it for over a year. Until I worked with it, there was no monitoring it and the solution just sat there. The solution is just picking up speed now.

• The threat analytics
• Seeing what potentially could be happening; what are the riskiest things going on.

I would like it to do a lot of the automation (which I still need to learn more about), because I am essentially a one man shop doing all the jobs. I'd like for it to be able to do more for me, so I can focus my attention on my other job responsibilities, because there are a lot of them.

The only issues that we have had with it were Windows-based. The actual appliance has been up and continuously logging everything that we have, and CIS logging through it. There have been no signs of any problems nor instability.

When it comes to dealing with support, all my interactions have been great. Everyone has known what they're doing and have been quick to respond. They seem to always know the answer. I haven't stumped anybody yet. That's not something that I typically encounter. Usually, I wind up being the person finding the weird thing where people have to get back to me and it is left up to the developers.The few issues that I have had while doing upgrades, LogRhythm's support answered them incredibly quickly.

When it comes to dealing with support, all my interactions have been great. Everyone has known what they're doing and have been quick to respond. They seem to always know the answer. I haven't stumped anybody yet. That's not something that I typically encounter. Usually, I wind up being the person finding the weird thing where people have to get back to me and it is left up to the developers.

The few issues that I have had while doing upgrades, LogRhythm's support answered them incredibly quickly.

I have never used a competing product.

I love the potential of this solution. It sounds like a "set it and forget" type of solution. Let it deal with all the problems. It is good at doing that.

On the day-to-day, I haven't had a huge amount of time to work with the full-spectrum analytics. I have been focusing on getting it updated and up-and-running.

Currently, we have a Windows agent. Therefore, we technically have just two log sources, because the Windows agent is picking up all the domain logs onto one box and forwarding them on. It is taking all the Windows Servers and single-sourcing them. Then, currently, the only other thing that we have actively logging is our Sonic logs and CIS logs. We only have two individual sources listed, but it is more logs than that.