ManageEngine EventLog Analyzer alternatives and competitors

We work as a managed security services provider (MSSP). We have different clients who have their own security team. 

One company that I worked for recently had a security team of three people, then they hired us for 24/7 analysis and monitoring. For that, I solely worked on building this product, then there are the eight to nine people who do 24/7 monitoring and analysis.

Sentinel is a full-fledged SIEM and SOAR solution. It is made to enhance your security posture and entirely centered around enhancing security. Every feature that is built into Azure Sentinel is for enhancing security posture.

It has increased our security posture a lot because there are a lot of services natively integrated to Azure Sentinel from Microsoft, e.g., Microsoft Defender for Endpoint and Defender for Office 365. 

From an analyst's point of view, we have created a lot of automation. This has affected the productivity of analysts because we have automated a lot of tasks that we used to do manually. From an end user's perspective, they don't even notice most of the time because most of our end users are mostly non-technical. They don't feel the difference. It is all about the security and operations teams who have felt the difference after moving from LogRhythm to Azure Sentinel.

It is cloud-based, so there isn't an accessibility issue. You don't have to worry about dialing a VPN to access it. Azure does require that for an on-prem solution that the security part is entirely on Microsoft's and Azure's sign-in and login processes.

Because it is a cloud-based deployment, we don't need to worry about hardware infrastructure. That is taken care of by Microsoft.

Azure Application Gateway makes things a lot easier. You can create dashboards, alert rules, hunting and custom queries, and functions with it.

Its integration capabilities are great. We have integrated everything from on-prem to the cloud.

There are certain delays. For example, if an alert has been rated on Microsoft Defender for Endpoint, it might take up to an hour for that alert to reach Sentinel. This should ideally take no more than one or two seconds.

There are a couple of delays with the service-to-service integration with Azure Sentinel as well as the tracking point.

I have been using it for 14 to 15 months.

Azure Sentinel is pretty stable. Sometimes, the agents installed on endpoints go down for a bit. Also, we have faced a lot of issues with its correctors in particular. However, the platform is highly stable, and there have been no issues with that.

For operations, one to two people are actively using the solution. For analysis, there are eight to 10 people who are actively using it.

Sentinel is scalable. If you want, you can hook up a lower balance security corrector. So, there are no issues with scalability.

We have coverage for around 60% to 70% of our environment. While this is not an ideal state, it has the capability to go to an ideal state, if needed.

I have worked with Azure Sentinel for four clients. With only one of those clients, the support was great. For the last three clients, there were a lot of delays. For example, the issues that could have been resolved within one or two hours did not get resolved for a month or two. So, it depends on your support plan. It depends on the networking connections that you have with Microsoft. If you are on your own with a lower priority plan, it will take a lot of time to resolve minor issues. Therefore, Microsoft support is not that great. They are highly understaffed. I would rate them as six or seven out of 10.

Neutral

We had a full-fledged SIEM, LogRhythm, already working, but we wanted to migrate towards something that was cloud-based and more inclusive of all technologies. So, we shifted to Azure Sentinel and migrated all our log sources onto Azure Sentinel. We also added a lot of log sources besides those that were reporting to LogRhythm.

We have used a lot of SIEMs. We have used Wazuh, QRadar, Rapid7's SIEM, EventLog Analyzer (ELA), and Splunk. We used Wazuh with ELK Stack, then we shifted to Azure Sentinel because of client requirements.

The initial setup was really straightforward because I had already worked with FireEye Security Orchestrator, so the automation parts were not that difficult. There were a couple of things that got me confused, but it was pretty straightforward overall.

Initially, the deployment took seven and a half months.

We used a lot of forums. We used Microsoft support and online help. We used a lot of things to get everything into one picture. There is plenty of help available online for any log sources that you want to move to Azure Sentinel.

I have worked with a lot of SIEMs. We are using Sentinel three to four times more than other SIEMs that we have used. Azure Sentinel's only limitation is its price point. Sentinel costs a lot if your ingestion goes up to a certain point.

Initially, you should create cost alerts in the cost management of Azure. With one of my clients, we deployed the solution. We estimated that the ingestion would be up to this particular mark, but that ingestion somehow got way beyond that. Within a month to a month and a half, they got charged 35,000 CAD, which was a huge turn off for us. So, at the very beginning, do your cost estimation, then apply a cost alert in the cost management of Azure. You will then get notified if anything goes out of bounds or unexpected happens. After that, start building your entire security operation center on Sentinel.

The SOAR capabilities of Azure Sentinel are great. FireEye Security Orchestrator looks like an infant in front of Azure Sentinel's SOAR capabilities, which is great.

The solution is great. As far as the product itself is concerned, not the pricing, I would rate it as nine out of 10. Including pricing, I would rate the product as five to six out of 10.

I mainly use this solution to meet PCI compliance.

The automation of compliance reports and the correlation of the log have been major improvements. 

The most valuable feature is the predefined reports for PCI compliance.

The correlation suite needs to be improved. I also think they need to improve the product's handling of large amounts of data. In the next release, I would like to see real-time data correlation.

I've been using NNT Log Tracker Enterprise for around three years.

There are some issues with the stability - the correlation engine has failed multiple times, and the reports sometimes take too long, so we have to involve the tech team to get them.

This solution can scale vertically and horizontally, depending on the Windows server where it is deployed. I think this tool can be used for an endpoint of between 100-200 - however, if the count increases, it may create performance issues.

NNT's technical support is sound, but the overall time for resolutions could be improved.

Neutral

The initial setup was straightforward and smooth, and deployment took no more than two weeks. I would rate the setup process as four out of five.

Our implementation was done by a vendor team.

We have seen some ROI from this solution - I would rate the ROI as between three and four out of five.

NNT's pricing is moderate - I would rate their pricing two-and-a-half out of ten. There are no additional costs, they include the entire package in a single license.

We evaluated ManageEngine Event Log and SolarWinds Log Tracker.

I would recommend this solution to anyone looking to meet PCI requirements. I would give this solution a rating of seven out of ten.

We use it for log and threat management and compliance.

The correlation rules and the user platform are most valuable.

They can add behavior analytics and AI or machine learning technology. They also improve their correlation engine. In addition to collecting logs from devices, they can collect the traffic and then correlate these logs and the traffic information. 

They can also improve a lot of rules and vulnerability assessment. For vulnerability management, they can add more features. 

I have been using this solution for three years. 

It is stable. You just log in, and there are no issues.

I use it as software as a service. Scalability depends on whether I have included redundancy in the link or communication between my network and the third-party network.

Their technical support is okay. I have contacted them for technical issues, and they have dealt with those issues very well.

Its initial setup is of medium complexity. I would rate it a seven out of ten in terms of complexity.

They have changed the pricing policy. Its price is competitive. Its price is less than half of the price of QRadar, LogRhythm, and Splunk.

We evaluated AlienVault and ManageEngine.

I would recommend this solution depending on the size of the organization and whether you require software as a service or on-prem. I prefer ClearSkies for small organizations that require software as a service and have up to 500 employees. In Saudi Arabia, we consider organizations with up to 500 employees as small. Organizations with 500 to 1,000 employees are considered mid-sized. Organizations with more than 1,000 employees are considered large. This categorization would vary based on the region. ClearSkies is the best for software as a service and small organizations with up to 500 employees.

I would rate ClearSkies SaaS NG SIEM an eight out of ten.

The primary use case of this solution is to monitor Cyber Mission databases.

I create the diagrams to create an architecture that is then implemented. However, creating these diagrams are for my own learnings since these implementations are usually already available in the cloud office logs.

The features I have found most valuable are the dashboards. 

I monitor the complete capacity that users are using in the company.

An area of improvement would be the licensing of the solution. They need a free license, which would allow faster lead times.

They also need to update their documentation.

The solution is stable.

The scalability of the solution is amazing because it can collect a lot of data and you can have your own structure to monitor this data.

The customer service/technical support was helpful and they answered my questions as best they could.

The setup was easy, but you have to have a VPN connection depending on the security protocols in place.

The deployment was in-house and took about two days with the correct licenses and permissions.

It is important to define different guidelines to integrate Splunk in development, QA, and production deployments. Additionally, define the applications that will be used and the configuration of the databases to collect the data. If this is not done, there will be a lot of issues due to, for example, master access or permissions to use the database collector and blocks.