Sumo Logic Security Valuable Features

Migell Roberts
Senior Security Analyst at City Electric Supply Company

The best features Sumo Logic Security offers, in my opinion, are the ones that allow you to use dashboards as enrichments. For example, we had a situation where there was a suspected compromise on a specific server, a database server to be exact, and so we linked an enrichment action in the CSE component to then point us to a Qualys dashboard. In this specific case, the suspected server was suspected as being compromised, and we were able to check any available vulnerabilities from the Qualys dashboard itself by using it as an action in Sumo Logic Security.

We are actually using both out-of-the-box and custom rules from Cloud SIEM Enterprise, and it has been really great because we have a variety of ways to create rules based on our needs, such as match rules. What I really do appreciate are the first-seen rules that we can use in a fashion to determine a baseline of normal versus unexpected behavior depending on the entity, and I really do enjoy these.

In terms of threat intelligence, I was able to integrate, as an example, AlienVault, and using their actions, automated integrated actions into playbooks to enrich certain entities such as IPs, domains, URLs, and hashes. It has been very paramount to how we operate due to the fact we can all stay in the same single platform of Sumo Logic Security without having to reach out to different third-party sources, opening up different browsers, essentially saving time on trying to respond to an incident or review an incident. It has been really good in terms of integrating and using the threat intelligence features.

I find Sumo Logic Security's AI-driven analytics effective in reducing analyst workload and response times, and I have seen a difference since using those features. For example, we are using the anomaly-based AI detections in Sumo monitors, and I would say that it has been good, but the reason I say it could be better is the fact that we are seeing a bit of some false positives when it comes to understanding what is typical normal behavior and relying on AI to understand what normal behavior is versus what is unexpected. I found that when using this type of monitor, I do have to do quite a bit of tuning, which I would hope the AI would be a little bit more robust and essentially leave me hands-off when it comes to this.

We also use the dashboard enrichment feature in Sumo Logic Security when alerts pertain to specific entities, and we use it a lot. For example, we will get insights for server entities, and it is easy for us to pivot over to a dashboard when it comes to an enrichment perspective to determine if there are any actual vulnerabilities related to it. Another example is if we have an AWS related entity, we can pivot over using an enrichment action to navigate to one of the AWS dashboards to get some quick information pertaining to the specific entity involved in the insight.

Sumo Logic Security has positively impacted my organization by increasing engagement with different teams. For example, we have the database team being onboarded to Sumo Logic Security regarding their database logs, where they use it to monitor their database when it comes to informational all the way up to critical types of events, and they use it for alerting as well. This is due to the fact that they were not able to find any solution that can provide this type of functionality for them, and they have pivoted to Sumo Logic Security for their needs.

From this increased engagement, we are able to respond faster to incidents. For example, if they are seeing a type of activity that involves a user or an admin that is not supposed to be logging in at a specific time, they do get alerts on that. In addition to that, we are able to save time on fewer alerts because we are able to perform tuning on the logs to be able to only get relevant security-related incidents.

Pavan Kashetty
Security Engineer at a tech vendor with 11-50 employees

The best features of Sumo Logic Security are automated log and event correlation, which may come from a firewall event, and User Entity Behavior Analytics (UEBA) for detecting impossible travel and unusual access times. Threat intelligence enrichments are good, and the MITRE ATT&CK framework is beneficial. The centralized log search for investigation is better compared to multiple SIEM solutions, where I can query everything in one place. The SEC records feature, something that returns index=sec_records, provides all the logs from different places. Pre-built dashboards and analytics, especially threat trends and the anomalies that return compliance patterns, are valuable. The workflow, including playbooks and workflows, can be triggered when we need to quarantine an endpoint, revoke credentials, or block IPs. Most importantly, it is cloud-native and has elastic scale. As a cloud-native SIEM, it scales up very well automatically, and real-time threat detection is available.

One of the most important things is MTTD, which is faster threat detection that reduced our MTTD, and we were able to detect alerts with multiple detections that used to take hours. Now the correlated alerts surface the real threat very quickly. Detection time has dropped significantly. We used to have MTTD of three to four hours, but now it is under 30 minutes. Automatically, our mean time to response has also increased substantially. Analysts are able to quickly pivot items and make faster decisions, especially without switching between tools. We have all our EDR tools and firewalls integrated to the same platform and viewing everything there. As a SOC, which faces major problems, it reduced the alert fatigue by over 100 days of low volume alerts, which have been made into insights, and this has greatly improved our alert efficiency and decision quality, the way we are able to enrich information. Operation stability has also improved very much. It has significantly impacted our organization, and our KPIs have improved substantially with respect to this.

Frank Krieger
CISO at Mambu

Sumo Logic Security offers excellent features including ease of use. I came from a competing product, Splunk, and I was able to recycle a lot of the knowledge from that tool into Sumo because the logic was very similar.

Beyond the ease of use, the consumption model of Sumo Logic Security is also easy to understand, which was helpful. The build-out with Sumo was very good, as they spent a lot of time ensuring that we were sized correctly for the product, and the follow-ups were good. Sumo Logic Security has really good customer support.

The capabilities of Sumo Logic Security in providing security visibility across multi-cloud and hybrid environments are very good, particularly because Mambu is still a multi-cloud vendor, and the product worked extremely well in that scenario.

Regarding the automated TDRI workflows in Sumo Logic Security, they are excellent. I would put them at the top because they are truly useful and actually work as advertised.

My experience with Sumo Logic Security has been good. My SOC analysts were crushed under Splunk, but Sumo has actually eased the workload and made it tolerable for three people.

The improvements or benefits I have seen from Sumo Logic Security relate to alerts. We were buried under alerts and Sumo actually helped us clean that up. The number one value is being able to action things in a proper time frame.

Buyer's Guide
Sumo Logic Security
February 2026
Learn what your peers think about Sumo Logic Security. Get advice and tips from experienced pros sharing their opinions. Updated: February 2026.
884,328 professionals have used our research since 2012.
Shay Chouker
CSO at Altera

The features I find most useful in Sumo Logic Security are the ease of implementation and connectors; they have a very easy connection and many connectors to important systems, making it very easy to implement and fast to start running in production.

Sumo Logic's diverse log sources support very much for my digital transformation, and this is a strong side of the system. They have wide support for connectors, enabling me to implement almost any system with webhooks and connect whatever I want, so this aspect is definitely a strong side of this product.

reviewer2806851
Security Analyst at a tech vendor with 10,001+ employees

The first thing that I like about Sumo Logic Security is the earlier UI and the latest one, which has a clean layout. Since I can track so many good things, the UI has improved from before when it was not as good. Compared to other tools, I prefer the UI much better as it categorizes data very well for me. If I were using other security tools or other SIEM tools, I would need to think a bit and find something, which would be hard and fast. However, I am so adapted to this tool, and the features that they have implemented, including filters and other things, are the best.

Since we are using Sumo Logic Security on the security part, we need to look through all the things and maintain them since there might be some crashes in the data that we are receiving. If we do not update the data points each and every time, some data points might have failed. If the server is offline, it might not report in Sumo Logic, so we need to check at the server level why this issue is being caused. We need to update the agent for Sumo Logic Security and ensure it is up-to-date.

WilsonAitan
Deputy Country Manager at PT Securite Asia Indonesia (ABP Securite)

Sumo Logic Security offers a single dashboard and customization, which are the most valuable features. Additionally, it has a cost-effective structure because it is based on data storage and the number of scans, rather than uploading data. This cost model impacts the customers positively by offering a more straightforward pricing structure.

Vinay Patel D N
SOC Analyst at a computer software company with 1,001-5,000 employees

The Log Analytics platform is the most effective. If we cannot find the data in other tools, like email security or NDR, we can fetch those logs in the Log Analytics platform of Sumo Logic. That is the one best feature that I can suggest.

Moole Muralidhara Reddy
DevOps and Solution Architect at a recruiting/HR firm with 10,001+ employees

Sumo Logic Security is a good solution for searching the logs and identifying the issues. Sumo Logic Security searches the logs to identify issues easily. Suppose we got an issue related to the application 500 error. We store the application logs in Sumo Logic Security. We can easily search those logs to identify where exactly we are facing the application 500 error.

Sourabh Pardhi
Senior Information Security Analyst at Everbridge

The solution is automated. It has a good number of extensions like CrowdStrike and AWS extensions. It is very useful. We can integrate threat intelligence solutions into the product.

DipeshBhawsar
Architect at a financial services firm with 1,001-5,000 employees

The most valuable features of Sumo Logic Security are the rules, use cases, and ease of use. Additionally, the integration is straightforward and the GUI is good.

Varaprasad
Senior Technical Lead

It offers real-time observability. We're able to catch real issues right away. 

We can manage multiple screens with multiple panels. 

It's an easy solution to learn. It's also very easy to use.

The solution has been very stable.

Technical support is always great. They are very helpful.

It can scale well.

Pricing is reasonable. 

reviewer2135541
Programmer at a comms service provider with 10,001+ employees

The features I found valuable with the Sumo Logic Security solution are the search option and the ability to customize the search for the information in the logs.

reviewer2116392
Security Engineer at a government with 51-200 employees

The tool has key features like operability. It will alert the admins whenever a device is onboarded.

reviewer1492623
Director Of Engineering at a tech services company with 51-200 employees

What I like most is the ability to create custom alerts.

They have a really, really rich query language. I don't know the name of the product offering. I'm sure they have a specific name in the solution, but basically being able to pull all that data in, and be able to build queries in a query language and map that to actions; whether that's alerting or triggering events. And that's really where our SecOps team spends most of their time — trying to look at the forensics, look at the information, and map it to some meaningful event. And they just build all these different queries that map to those events or alerts.

it_user1280466
Associate Director - Database & DevOps at Medlife

There are a lot of things we like about this product. 

One is the log aggregation. It basically gives a list of matching patterns on most of the logs. When dealing with something like live error messages etc., you can group by similarities. That way it is very easy to know where things are in real-time. It has helped us in terms of doing a top-down debugging. If, for example, you see a certain error message or an exception, then you double click to see where exactly it has affected the system. That way, at every stage you are able to go one level deeper until you find the root cause, through the logs or by other means. This is something which I find really helpful. There are other ways within a window you can search as well. You can find out what happened one or two days before or one or two minutes before this message. It helps you follow a trail of events that will lead you to a particular state.

Users can also do a comparison with regard to the filing. Let's say, for example, you see a certain error come up today, and if you are interested in how it was yesterday or the day before, or maybe 17 days ago, you can take a look. This is one of the features that I found really helpful.

The solution offers host metrics capture as well. Basically it could be the RAM utilization, CPU, or pretty much everything around the host, including the health of the host. That also comes in handy when we are debugging.

Reviewer32109
Contracting Automation Engineer at Craigslist

The out-of-the-box applications were very useful for us. We also use the Threat Intelligence integration for our security monitoring.

VpOfDevO7114
VP of DevOps Engineering at a manufacturing company with 11-50 employees

  • It's reliable.
  • The query language is easy to use once you get used to it.
  • The user interface is pretty responsive.

Therefore, it was a cost value proposition decision.

Tejprakash Sharma
DevOps Engineer at TO THE NEW

With the alerting dashboards, you can set up some patterns. Then, on these patterns, you will automatically get alerts.

Enterpri9713
Enterprise Architect at a transportation company with 10,001+ employees

  • The tools that they have for searching through logs.
  • Doing log comparisons.
  • Time shifting the logs.
  • The dashboards are good.

Casey Powell
Engineering Manager at Braintree

Being able to join logs together across many services and servers.

Develope7839
Developer Manager at a financial services firm with 1,001-5,000 employees

The key features that we have been using:

  • The ability to troubleshoot production issues.
  • Set up monitoring for errors. 

Jeffery Statham
Software Architect at Solink

  • The search
  • Email alerts

AwsOpera2176
AWS Operations Engineer at MR

The dashboards are great. We use them for monitoring certain events when they happen to see if we want to act upon them. The monitoring pages and the alerting pages are also very handy.

Infrastrd7f3
Infrastructure Engineer at a wholesaler/distributor with 1,001-5,000 employees

We can ingest logs and make reports out of them. It is a good tool which can help us monitor any issues.
