Global Security Manager at Chart Industries Inc
Video Review
Real User
The solution reduced our investigation time from days to hours and assists in managing our workflows
Pros and Cons
  • "LogRhythm does a very good job of helping SOCs manage their workflows."
  • "One of the challenges of the SIEM for the LogRhythm 7 platform is the amount of time it takes to bring new log sources into the MDI."

What is our primary use case?

LogRhythm works within the core of our SOC. It's where our analysts work every day and where we do all of our investigatory work for security incidents.

It created our security posture. It is the central component of all of our security tools and it is the heartbeat of our SOC and our daily operations. It sets the tone for everything that we do.

How has it helped my organization?

This solution improves our organization daily. It saves us countless hours doing correlation work and reduces our investigatory process from days to hours. It routinely brings issues to the forefront using the AI engine and the use cases that we've built that need investigating. We constantly find new sources of logs to bring into the system to continue to make it better. 

LogRhythm does a very good job of helping SOCs manage their workflows. Our SOC is very young and we're not leveraging that feature yet. I've seen other companies' SOCs and watched them use the workflow features and it's incredibly well done. We're not mature enough yet to use it. 

For cybersecurity exposures, the one downside from LogRhythm's perspective is that it can only tell me about use cases that I've already defined. It cannot identify unknown cases at this time. However, we have just recently purchased the NDR solution and that does have this capability.

This solution is our principal mechanism for doing all investigatory work. When we get alerts from LogRhythm, we go back to the logs and trace those events back to their source. This is how we shut down attacks.

What is most valuable?

One of the features that we use the most and find the most valuable is the Web Console. My analysts really like the interface and the ability to build queries using point-and-click without having to write query languages. My favorite feature is the actual Admin Console and the ability to monitor all aspects of the SIEM's health and the ability to build new use cases for my analysts to work with.

We also use the Machine Data Intelligence feature for classifying and contextualizing logs. It does struggle with unknown log sources and we've had some challenges over the years getting new log sources incorporated into the MDI Fabric.

Classifying authentication successes and failures using MDI is incredibly easy. For the log sources that we bring into the SIEM, that work is pretty much done for us by the MDI. We don't have to do any additional work.

What needs improvement?

One of the challenges of the SIEM for the LogRhythm 7 platform is the amount of time it takes to bring new log sources into the MDI. We've waited a couple of years on some sources before they were incorporated. Writing our own custom MDIs is very challenging because it requires expert-level regex in order to write those rules and to make them efficient. Bringing in sources that aren't natively understood is where we've struggled the most.

Buyer's Guide
LogRhythm SIEM
May 2025
Learn what your peers think about LogRhythm SIEM. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
851,823 professionals have used our research since 2012.

For how long have I used the solution?

We have been using LogRhythm SIEM Solution for six years.

What do I think about the stability of the solution?

The stability of the solution, if it's deployed properly with the right resources, is rock solid. We have not experienced any performance issues. When we first bought the SIEM, we undersized it, and the performance was compromised. 

What do I think about the scalability of the solution?

This is a scalable solution. I've load-tested the SIEM at its current resource allocations up to four or five times as much as my daily ingest and the system handled it just fine.

How are customer service and support?

Their technical support is second to none and is one of the reasons why we continue to invest in and consider LogRhythm as a strategic partner. Their support team is really good at their jobs and they always come through when we need them. I would rate their support a ten out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

LogRhythm is the first SIEM I have used and the only SIEM I have a lot of experience with. I've demoed other SIEMs and we've gone to market twice to look at whether LogRhythm was still the right decision. Both times we concluded that it was.

How was the initial setup?

The setup of the SIEM is complex in its own right. LogRhythm typically recommends professional services assistance to deploy the SIEM properly. My company did not purchase those professional services so I had to figure it out for myself. Their support structure was so good and they helped me so much that we were able to get it working without professional help. 

LogRhythm is an out-of-box solution and this was why we bought it. I had no experience with SIEM when we bought it six years ago. I needed something that I could plug into the network, get up and running and get value out of immediately.

What was our ROI?

We get a vast amount of ROI from this solution. We get way more out of it than we put into it. One of the metrics that I track pretty closely in our SOC is the mean time to detect. Prior to the SIEM, the mean time to detect was measured in weeks and it's now measured in minutes.

What's my experience with pricing, setup cost, and licensing?

LogRhythm's pricing and licensing are extremely competitive and it's one of the top three reasons we continue to invest in the platform. 

Which other solutions did I evaluate?

We looked at Securonix, Azure Sentinel, IBM's QRoC, and QRadar on Cloud. What really won us over with LogRhythm was the ease of use of the interface and the simplicity of the underlying architecture. It really lends itself to being a low-cost solution to own over time.

What other advice do I have?

The nice thing about LogRhythm is that they continue to innovate and come up with new capabilities like their NDR solution that we recently invested in. They continue to stay relevant. 

I would rate LogRhythm a nine out of ten. The on-prem version of the solution is fantastic and is the core of my SOC. It's our daily tool for all of our investigations. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
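The reviewer above describes custom MDI parsing rules as the hardest part of onboarding sources the SIEM does not natively understand, because the rules are regex and have to be both correct and efficient. The following is an added example, not code from the review or from LogRhythm, of what such a parsing rule looks like when written carefully: anchored at both ends, literal text wherever the format is fixed, narrow character classes instead of `.*`, named groups mapped onto normalized fields, and an explicit count of lines no rule identified. The appliance name `acme-fw`, the line format, the field names and the sample lines are all constructed for the example.

```python
import re
from typing import Optional

# Constructed sample lines from a hypothetical appliance "acme-fw" (not a real log source).
SAMPLE_LINES = [
    "Jun 12 08:15:01 acme-fw-01 authd[2211]: LOGIN ok user=jdoe src=10.20.30.41 method=ssh",
    "Jun 12 08:15:07 acme-fw-01 authd[2211]: LOGIN fail user=root src=203.0.113.7 method=ssh reason=bad_password",
    "Jun 12 08:15:09 acme-fw-01 kernel: eth0 link up",
]

# One parsing rule, written the way an efficient custom rule should be:
# anchored (^ ... $), literal text where the format is fixed, and narrow
# classes ([^ ]+, \d+) instead of .* so a non-matching line fails fast
# instead of making the engine backtrack across the whole line.
LOGIN_RULE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>[^ ]+) authd\[(?P<pid>\d+)\]: "
    r"LOGIN (?P<result>ok|fail) "
    r"user=(?P<login>[^ ]+) src=(?P<sip>\d{1,3}(?:\.\d{1,3}){3}) method=(?P<method>[^ ]+)"
    r"(?: reason=(?P<reason>[^ ]+))?$"
)

# Map the raw result token onto the classification names used downstream.
CLASSIFICATIONS = {"ok": "Authentication Success", "fail": "Authentication Failure"}


def parse_line(line: str) -> Optional[dict]:
    """Return normalized fields for a recognised line, or None if the rule does not apply."""
    m = LOGIN_RULE.match(line)
    if m is None:
        return None
    f = m.groupdict()
    return {
        "host": f["host"],
        "login": f["login"],
        "sip": f["sip"],
        "method": f["method"],
        "classification": CLASSIFICATIONS[f["result"]],
        "reason": f["reason"],  # None on success: the optional group did not match
    }


def parse_batch(lines):
    """Split a batch into parsed records and the raw lines no rule identified.

    The unidentified list is the thing to watch: a source whose lines mostly
    land here is not really onboarded, however much data the SIEM ingests from it.
    """
    parsed, unidentified = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unidentified.append(line)
        else:
            parsed.append(rec)
    return parsed, unidentified


def coverage(lines) -> float:
    """Fraction of lines identified by the rule set; a useful per-source health metric."""
    parsed, unidentified = parse_batch(lines)
    total = len(parsed) + len(unidentified)
    return len(parsed) / total if total else 0.0


if __name__ == "__main__":
    recs, leftovers = parse_batch(SAMPLE_LINES)
    for r in recs:
        print(r)
    print("unidentified:", leftovers, "coverage:", coverage(SAMPLE_LINES))
```

The kernel line is left unidentified on purpose: a rule set should only claim the lines it actually understands, and the coverage figure is what tells you whether a "supported" source is really parsed or just stored.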
Security Lead at a financial services firm with 201-500 employees
Video Review
Real User
It has really improved my personal sense of security as far as our organization

What is our primary use case?

We utilize the LogRhythm solution to monitor most of our servers and our users to make sure that nothing anomalous is happening. What I really love about the LogRhythm platform is the fact that when something anomalous happens, I can see it almost immediately through the ability to collect a massive amount of logs in a very small footprint as far as hardware goes.

We do utilize everything. I think one of the most recent things that I've really enjoyed about LogRhythm is the ability to utilize smart responses published by LogRhythm. For example, one of our use cases is that we have a termed users group, and when someone is placed in there, we want to monitor to see if their account is ever activated again. So we have a smart response set up that when a termed user is enabled, the smart response immediately activates and says bam, that user is getting disabled again. We don't want anyone to have access to that at all.

How has it helped my organization?

We've seen mean time to detect and to respond go down pretty significantly. We actually recently implemented the CloudAI solution, which allowed us to look into our users' anomalous behavior. Recently, we actually had some user who's a remote user, he traveled to somewhere else in the US, and CloudAI flagged it and was like, hey, this user is authenticating from somewhere new. This isn't somewhere we've seen before. I jumped right in, and I'm saying, "Hey, what's this user doing?" We emailed their manager who emailed them, and they said, "Oh, no, I'm just on vacation in California. It's okay." We had CloudAI learn about it, and now, it's really easy to see when a user does something anomalous.

CloudAI has been something in our environment that I have enjoyed immensely. It takes really a lot of the guesswork out of what our users are doing. Right when we implemented it, our CEO was actually out of the state, and we were having a hard time getting a lot of his user data because he was out of the state on vacation. When he came back, immediately CloudAI flagged him in the 80s with a threat score being from 0 to 100. Immediately, I was like, oh crap, our CEO's account has been compromised. But no, CloudAI was still learning our environment. It took it about a month or two to learn what was happening in our environment, what was going on, and then all of our threat scores, they kind of hover around the 20s now.

When something does something anomalous, when they work out-of-state, even when they authenticate to a different Microsoft server, it lets us know immediately what's going on, and it lets us know, and it lets us understand what our users are doing. CloudAI has definitely enhanced our security operations. It helps me understand what the users are doing almost instantaneously. It helps me understand what these users are doing in a daily report, and it helps me really feel why our users are doing certain things, why they're authenticating to certain servers. It helps me understand what their job would really want them to access or what their job has them access.

When they do something different from that, I really want to know why they're doing that. CloudAI helps me know what our users are doing. Rather than what hosts are doing or what servers are doing, it helps me know what the users are doing with their accounts. I think somewhere CloudAI would have room for improvement is maybe correlating hosts with IPs because often, I'll have a user, it'll come up with an anomaly score saying it's been authenticating from different hosts, but really what it is is it'll have the user's computer, then the user's IP that they're coming from, and sometimes their hostname with our domain name afterwards. Sometimes, CloudAI will usually be alerting us on some things that are really just the user's computer IP coming up multiple times.

What is most valuable?

LogRhythm has really improved, I think, my personal sense of security as far as our organization. I feel that I can trust the data that it's pulling in. Through its metrics, I can see when something isn't reporting so I know immediately if, maybe say one of our core servers isn't feeding its logs to us, I can remediate that almost immediately, and then feel secure again knowing that that data is coming to LogRhythm, and LogRhythm is correctly dealing with it. I can know that our security is in place.

We haven't used any of the LogRhythm built-in playbooks yet. Stability has been really good. The LogRhythm platform in our environment actually sat for three years with no one really using it. I came in about six months ago. I was able to pull it from generating about a thousand alarms a day that were just heartbeat errors, or critical components going down, to it actually only generating about 100 alarms a day, some of those being diagnostic alarms, but most of them being very helpful alarms that rarely ever point to having a component being down. With some short maintenance daily, LogRhythm has been a very stable platform.

What needs improvement?

I think condensing and consolidating what a user accesses over and over again and just having CloudAI understand that that's all of the user's, and you can consider it as one thing rather than multiple things, and alarming on it, and alerting me on it, having me have a mini heart attack every time it tells me that this user is authenticating from a new place.

What do I think about the scalability of the solution?

Scalability with the LogRhythm platform has been immensely easy. We went from about five system monitors to over 200 in a week. We implemented that through our system management thing, but rolling out 200 system monitors in a week was incredibly easy through the client console, which LogRhythm has documented immensely well.

How are customer service and technical support?

Tech support with LogRhythm has been great. I've only ever had one bad case out of about the 15 or 20 tickets I've put in. They usually immediately get back to me, and even if it's something outside of their scope, they're always willing to help refer me to the person that I need to talk to, and my issue is always resolved within the week. LogRhythm's support for log sources is great. We have about 3,000 log sources right now that we're taking in. Most of that is coming into our main data collector, but anytime we've had any new log sources that we need to onboard, it's been pretty seamless, and we haven't seen any performance hit on our main box.

With the LogRhythm platform, we're processing anywhere from 800 to 1,500 messages per second, and we don't see a performance hit at all.

How was the initial setup?

We've had CloudAI implemented into our deployment for about three months so far, and out of that three months, we've only had one day of downtime. That was with a scheduled transfer from how they were hosting it before to where they're hosting it now. Stability and uptime has been 99% plus. It's been something that I can count on every day to come in and see this report and rely on it. We really haven't had the chance to scale CloudAI. We're a growing organization, but we're not ballooning, and we're not adding on new users. CloudAI is a great option to sync with AD to pull all your users, and you can just set up the identities and run with it on day one. The reason why we went with CloudAI and decided that it was something we needed in our environment was because we had the log data for a lot of our servers, a lot of our hosts.

We had the authentication data from our domain controller on the users, but we really wanted to understand what the users were doing and why they were doing it. So we looked into other artificial intelligence programs that would do some of the similar things, but we realized that CloudAI would do what we wanted but then feed the data right back into the LogRhythm platform. With that, we were able to see what the users were doing along with what our servers were doing, what the hosts were doing, and we would have all that data correlated, and we could understand it in one big picture right in the web console.

The implementation of CloudAI was incredibly easy. We just ran a script, added a certificate, and all of the sudden, we were sending the data to them, and we had a report the next day. When we choose a vendor to work with, the number-one thing that we want to understand is that they understand the product. We aren't just going to go to a vendor and say, "Here's our money, please go learn about this product and then implement it in our environment," because I'll just implement it, I'll just learn about it myself and do it. But if I go to a vendor and learn that they know about this product, they've implemented something before, I'm going to go with them nine times out of 10 because they will do something that I can't do myself because I don't understand what's going on.

What other advice do I have?

If I had to rate LogRhythm and CloudAI out of 10, I think I'd give it an eight. There's still room for LogRhythm to improve, and they've laid out a pretty great roadmap for what they want to do in the future. I think if they continued to innovate and continue to implement the things that they've talked about, that they'll continue to grow in my eyes. There is some room for improvement, but overall, if you want a very solid platform with stability and scalability, LogRhythm is definitely the way to go.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
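The termed-user use case this reviewer describes (a terminated account is placed in a group; if it is ever enabled again, a smart response disables it immediately) is a small correlation rule with an automated response attached. The block below is an added example of that logic, not the reviewer's configuration or a LogRhythm SmartResponse plugin. It assumes a simplified event shape with three Windows Security event IDs (4728 member added to a group, 4729 member removed, 4722 account enabled), an AD group named "Termed Users", and a `disable_account` stand-in where a real response would run something like `Disable-ADAccount`. The event sequence is constructed.

```python
from dataclasses import dataclass, field

# Assumed name of the AD group that terminated users are dropped into.
TERMED_GROUP = "termed users"


@dataclass
class Event:
    """Minimal stand-in for a Windows Security event as the SIEM presents it."""
    event_id: int    # 4728 member added to group, 4729 member removed, 4722 account enabled
    target: str      # account (or group member) the event is about
    actor: str       # account that performed the action
    group: str = ""  # group name, only meaningful for 4728/4729


def disable_account(account: str) -> dict:
    """Stand-in for the response action.

    In a real deployment this is where the SmartResponse plugin runs, for
    example invoking Disable-ADAccount against the domain. Here it returns the
    action record so the outcome can be checked offline.
    """
    return {"action": "disable", "account": account}


@dataclass
class TermedUserRule:
    termed: set = field(default_factory=set)
    alarms: list = field(default_factory=list)
    actions: list = field(default_factory=list)

    def process(self, ev: Event) -> None:
        account = ev.target.lower()                 # AD names are case-insensitive
        if ev.event_id == 4728 and ev.group.lower() == TERMED_GROUP:
            self.termed.add(account)                # offboarded: now in scope
        elif ev.event_id == 4729 and ev.group.lower() == TERMED_GROUP:
            self.termed.discard(account)            # moved out of the group: no longer in scope
        elif ev.event_id == 4722 and account in self.termed:
            self.alarms.append(f"termed account {account} enabled by {ev.actor}")
            self.actions.append(disable_account(account))
        # 4722 for any other account is ordinary helpdesk activity and is ignored.


# Constructed event sequence (not real log data).
SAMPLE_EVENTS = [
    Event(4728, "jdoe", "hr-svc", "Termed Users"),   # user is offboarded
    Event(4722, "JDOE", "helpdesk1"),                # someone re-enables the account
    Event(4722, "asmith", "helpdesk1"),              # unrelated enable: ignored
    Event(4729, "jdoe", "hr-svc", "Termed Users"),   # removed from the termed group
    Event(4722, "jdoe", "helpdesk1"),                # now legitimate: no response
]


def run(events=SAMPLE_EVENTS) -> TermedUserRule:
    rule = TermedUserRule()
    for ev in events:
        rule.process(ev)
    return rule


if __name__ == "__main__":
    result = run()
    print("alarms:", result.alarms)
    print("actions:", result.actions)
```

The disable response itself produces a 4725 (account disabled), not a 4722, so the rule cannot retrigger on its own action; the group-removal branch is what keeps a legitimately re-hired user from being locked out forever.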
Security Engineer at U.S. Acute Care Solutions
Real User
We can now pick up what is anomalous in our network
Pros and Cons
  • "Its benefits are broad. The solution isn't necessarily made to do any one thing, but it can do anything you tell it to. It is able to tackle any different type or size of job."
  • "I would like to see APIs well-documented and public facing, so we can get to them all."

What is our primary use case?

Primary use case for the SIEM would be for log collection and threat identification.

We're still in the beginning stages of our security solution, as far as maturity. Two years ago, this security program didn't exist. 

How has it helped my organization?

Its benefits are broad. The solution isn't necessarily made to do any one thing, but it can do anything you tell it to. It is able to tackle any different type or size of job.

What is most valuable?

The analytics that it does.

Full-spectrum analytics capabilities, which we use for:

  • User behavior.
  • Watching and monitoring for login events or any anomalies. 
  • Going through and watching trends. 
  • Knowing what activities endpoints are doing, where they're going, what websites they visit, then making sure that they're in the normal or making sure they pick up on any outliers.

What needs improvement?

I would like to see APIs well-documented and public facing, so we can get to them all.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

When it comes to a single version, it is rock solid. We haven't had any major bugs or flaws that haven't been involved with upgrading or going to another version. As long as you're on the same version, it is rock solid.

What do I think about the scalability of the solution?

It works. The biggest thing with scalability is looking at how much data you have to ingest, so if you have to build the DX to be a specific size then you have to plan out how big it's going to be. Therefore, it doesn't necessarily scale easily, but you can add additional data indexers at any point.

How are customer service and technical support?

The technical support is very good. They are in the top two to three companies that we work with.

How was the initial setup?

It's very complex. As with anything, it takes time to get it working and know all the different nomenclature with it.

I do the deployment and maintenance of the solution myself.

What was our ROI?

I have seen a measurable decrease in the mean time to detect and respond to threats. We went from not detecting them to detecting them. We can actually pick up what is anomalous in our network now.

The solution has provided us with consistency and increased staff productivity through orchestrated automated work flows by at least 20 percent. 

Which other solutions did I evaluate?

Our top choices were LogRhythm and Splunk.

Splunk is a data lake that doesn't necessarily do any analytics. Whereas, with this solution, we're looking at all the analytics. We can quantify data, we can drop data, and we can do what we need to, plus the pricing model is better.

What other advice do I have?

Know what you want it to do. If you buy a SIEM because it's called a SIEM or someone says it's a SIEM, you're going to end up with what someone else believes they need. Figure out what you need beforehand and make sure that those bullet points are covered because there are a lot of options.

We're currently using the built-in manual playbooks. So far, the features are very good. They are growing. I am looking forward to seeing how they expand upon it.

The automation is coming. The API access and everything else we're looking for to be able to deeply automate a lot of common tasks is still being built in. Right now, we can do automation on simple tasks. E.g., if it sees something bad, it can take it off the network and put it in our remediation subnet. However, it does not have the capability for complex investigative actions yet.

Right now, we have about 3000 log sources and 3000 messages per second.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
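Two of the reviews above describe the same kind of user-behaviour analytics: the financial-services reviewer's CloudAI experience (a new authentication location scores in the 80s, the baseline settles around the 20s after a learning period, and a user is sometimes flagged for "different hosts" that are really one workstation's hostname, FQDN and IP), and the "login events or any anomalies ... pick up on any outliers" monitoring this reviewer lists. The block below is an added example of that baseline logic, not CloudAI's algorithm or either reviewer's configuration. It assumes a constructed asset inventory that maps each workstation's aliases to one canonical ID, a 30-day learning window, and score values chosen to mirror the ranges the review mentions; the events are constructed. It goes slightly beyond the text by adding an analyst `confirm` step that teaches the baseline a legitimate new origin.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory: every name a workstation is known by, keyed by a
# canonical asset ID. Hostname, FQDN and IP below are the same machine.
ASSETS = {
    "WS-1042": {"ws-1042", "ws-1042.corp.example", "10.1.5.42"},
}
ALIAS_TO_ASSET = {alias: asset for asset, aliases in ASSETS.items() for alias in aliases}


def canonical_origin(origin: str) -> str:
    """Collapse hostname/FQDN/IP variants onto one asset; unknown origins pass through."""
    return ALIAS_TO_ASSET.get(origin.lower(), origin.lower())


class OriginBaseline:
    """Per-user set of authentication origins with a learning period before scoring."""

    LEARNING_SCORE, KNOWN_SCORE, NEW_SCORE = 0, 10, 80

    def __init__(self, learning_days: int = 30):
        self.learning = timedelta(days=learning_days)
        self.first_seen = {}                  # user -> time of first event
        self.origins = defaultdict(set)       # user -> canonical origins seen

    def score(self, user: str, origin: str, ts: datetime):
        """Score one authentication event and update the baseline; returns (score, reason)."""
        key = canonical_origin(origin)
        start = self.first_seen.setdefault(user, ts)
        if ts - start < self.learning:
            # Still learning: record, but do not raise scores that would only
            # reflect an incomplete baseline (the "CEO on vacation" false alarm).
            self.origins[user].add(key)
            return self.LEARNING_SCORE, "learning"
        if key in self.origins[user]:
            return self.KNOWN_SCORE, "known origin"
        return self.NEW_SCORE, f"new origin {key}"

    def confirm(self, user: str, origin: str) -> None:
        """Analyst confirmed the activity was legitimate: teach the baseline."""
        self.origins[user].add(canonical_origin(origin))


# Constructed authentication events for one user (not real data).
T0 = datetime(2024, 6, 1, 9, 0)
SAMPLE_AUTHS = [
    ("ceo", "WS-1042", T0),                                   # hostname
    ("ceo", "10.1.5.42", T0 + timedelta(days=1)),             # same machine, by IP
    ("ceo", "ws-1042.corp.example", T0 + timedelta(days=40)), # same machine, by FQDN
    ("ceo", "203.0.113.9", T0 + timedelta(days=41)),          # genuinely new origin
]


def run(events=SAMPLE_AUTHS):
    """Replay the events through a fresh baseline; returns (baseline, list of (score, reason))."""
    baseline = OriginBaseline()
    results = [baseline.score(user, origin, ts) for user, origin, ts in events]
    return baseline, results


if __name__ == "__main__":
    b, res = run()
    for (user, origin, ts), (score, reason) in zip(SAMPLE_AUTHS, res):
        print(ts.date(), user, origin, "->", score, reason)
```

The FQDN event on day 40 scores as a known origin only because all three aliases resolve to `WS-1042`; without the alias table it would be the kind of "authenticating from different hosts" alarm the review complains about. The external address on day 41 is the one event that deserves the high score.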
Systems CSO at a manufacturing company with 1,001-5,000 employees
Real User
Case Management allows us to track what we see in the incidents that arise
Pros and Cons
  • "The alarm functions have helped us cut down on the manual work. They bubble things up to us instead of our having to go look for stuff. Also, from an operational perspective, day to day, the Case Management functions are really useful for us. They allow us to track what we see in the incidents that we have."
  • "We have run into problems with stability going through upgrade processes. Recently, we have been on the front edge of the upgrade path. When that happens we tend to run into issues either with certain functionality not working after the upgrades or stability issues because of the upgrades."

What is our primary use case?

It's our central security monitoring platform. It's where we bring all of our events together so we can monitor our network.

How has it helped my organization?

It's helped us be more streamlined in our monitoring processes. We used to have multiple places where we'd have to do this work and now we have centralized all of it into one platform.

Also, the alarm functions have helped us cut down on the manual work. They bubble things up to us instead of our having to go look for stuff.

In terms of our security program maturity, I think we're fairly mature. We definitely have some ways to go still, but we're continually improving. We've had a security program for some 15 years, so it's been around and had time to mature. LogRhythm has definitely been a part of that. For the operations and monitoring pieces, going from what we had before to it being the central component for us, it has really helped us become more mature in those areas.

What is most valuable?

From an operational perspective, day to day, the Case Management functions are really useful for us. They allow us to track what we see in the incidents that we have.

We use the full-spectrum analytics capabilities. We have a number of rules that we've built, and built-in rules that we leverage as well. We've got a whole bunch of dashboards and the like to do the analytics. We definitely find the full-spectrum analytics to be valuable.

What needs improvement?

Hearing the roadmap items, it's pretty good. I especially like the fact that the playbook is coming with the ability to integrate the smart responses into the playbooks. That way, we can not only have the playbooks take those steps, but start to automate those steps as well. I think that is really powerful.

We played around with the CloudAI portion during the beta. We're not currently using it. But I think more in that area is going to be really important, where we can look at machine-based patterns, as opposed to just, "I saw two of these and three of these things, so set an alarm." I'm really excited about that.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

Generally, the stability has been good. We have run into problems with stability going through upgrade processes. Recently, we have been on the front edge of the upgrade path. When that happens we tend to run into issues either with certain functionality not working after the upgrades or stability issues because of the upgrades.

What do I think about the scalability of the solution?

It will definitely meet our needs going forward. We're not a huge shop, so we haven't had a whole lot of problems there.

But going back to the upgrade issue, in a previous upgrade from 6 to 7, we ended up with some hardware problems, because of scalability, with the software change. The hardware that we had didn't meet the needs anymore. But we were able to get that resolved.

How are customer service and technical support?

Technical support is not bad. The lower-level, first-line support is not always great, but if we can get to the right people, then it's pretty good.

Which other solutions did I evaluate?

At this point, it's a pretty core platform for us, so we haven't been looking around.

What other advice do I have?

We do not use any of the playbooks currently. We'd definitely like to. It's a feature that we're planning to implement pretty soon.

Regarding our log sources, it's in the high hundreds, probably not in the thousands. When it comes to messages per second that we are processing, looking at the average, we're at about 1,000, but we peak somewhere north of 1,500.

I rate the solution an eight out of ten. It's a great platform, but I don't want to give them too much confidence, there's always room to improve.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
ITSecuri3467 - PeerSpot reviewer
IT Security Architect at a construction company with 10,001+ employees
Real User
It has centralized monitoring for our security operations
Pros and Cons
  • "It has centralized monitoring for our security operations. Therefore, it improves our analysts' work."
  • "Stability has probably been one area where Health Checks have not been great with the product. We have been told that they are going to improve Health Checks on the product, though we do struggle with them on a daily basis."
  • "Scalability misses the mark sometimes, especially when you have an integrated disaster recovery built into the solution."

What is our primary use case?

The primary use case is to monitor for compliance and the behavioral analytics of our users, tracking for potential threats to the company's infrastructure.

We are using both products. We are using NetMon integrated with the LogRhythm platform.

How has it helped my organization?

It has centralized monitoring for our security operations. Therefore, it improves our analysts' work. 

Our security program's maturity has been transformational for my staff. First from an educational standpoint, all the staff has started to go through either admin or analyst tracks and education. This definitely organizes my security operations to the point that it makes it easy for me to do security operations. It facilitates it throughout the organization.

What is most valuable?

Out-of-the-box, it already has a knowledge base solution. Therefore, if you do a little bit of work, such as configure the lists and log sources, you can have use cases implemented quickly.

What needs improvement?

Their current roadmap is what I want to see implemented. I want to be able to upgrade to 7.4 and have the playbooks implemented as fast as possible. 

What do I think about the stability of the solution?

Stability has probably been one area where Health Checks have not been great with the product. We have been told that they are going to improve Health Checks on the product, though we do struggle with them on a daily basis.

What do I think about the scalability of the solution?

Scalability misses the mark sometimes, especially when you have an integrated disaster recovery built into the solution. 

LogRhythm is looking at elasticity and trying to make the product more scalable.

How are customer service and technical support?

We use the tech support on a daily basis. They are very easy to reach. There is always a person whom you can talk to and is focused on my issue at hand. They really pay attention to me, and that's worth it in my book.

What about the implementation team?

I maintain the solution. Right now, I have two dedicated engineers and two analysts. However, we need more staff and are looking to hire more because we want to grow this solution to suit our needs.

What was our ROI?

It improves our mean time to be able to respond and remediate issues that we come across.

Which other solutions did I evaluate?

There is a different reason why you pick LogRhythm over its competitors. It is a security SIEM, where others are SIEMs but not focused on just security.

What other advice do I have?

The playbook capabilities are in 7.4, which we are not able to utilize yet. Therefore, we have built playbooks outside of the solution. However, we are looking forward to the integration of playbooks in 7.4, or even version 8.

We were shown today a couple of things where playbooks will be enhanced, even having SMARTResponse coming right out of the playbooks, so hopefully advanced SOAR capabilities.

We run two independent LogRhythms. On one, we have about 33,000 different log sources, which include endpoints and now IoT devices. On the other, we have a very small footprint. It is somewhere around 3,000 log sources.

On one of my LogRhythms, I have a message-per-second rate of around 2,400 to 2,500. That spikes depending on the time of day. Sometimes, it goes up to 17,000. On average, it comes back down to about 2,300. On the other LogRhythm, there are very few messages per second. It is around 600.

Do your homework first. See what pie in the sky solution is supposed to be for your SIEM. Do not just check a box. LogRhythm will more than likely suit your needs.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Cyber Security Engineer at an individual & family service with 10,001+ employees
Real User
Good support, offers customized alarms, and helps us to focus our investigative efforts
Pros and Cons
  • "I have found the Advanced Intelligence Engine has provided the most value to us because we can customize alarms based on our requirements and have created hundreds of alarms that notify different people for different scenarios."
  • "There used to be the ability to create alarms based on message text that was included in LR Version 6.x that has been removed in LogRhythm 7.x, and on that, I would like to see it added back."

What is our primary use case?

We use multiple instances as dark sites. We have roughly 350-400 hosts per site consisting of 4K to 5K log sources.

How has it helped my organization?

It has not only helped us meet requirements on a development program, but it has also allowed us to focus on insider threats as well as provide forensics capabilities to identify potential security risks.

What is most valuable?

I have found the Advanced Intelligence Engine has provided the most value to us because we can customize alarms based on our requirements and have created hundreds of alarms that notify different people for different scenarios.

What needs improvement?

There used to be the ability to create alarms based on message text that was included in LR Version 6.x that has been removed in LogRhythm 7.x, and on that, I would like to see it added back. I was told that this was due to processor overhead but with the amount of CPU and memory suggested, I don't see why this would be an issue.

For how long have I used the solution?

I have been using LogRhythm NextGen SIEM for six years.

What do I think about the stability of the solution?

It is stable when all the resource recommendations are met.

What do I think about the scalability of the solution?

Scalability is endless with this product.

How are customer service and technical support?

Technical support has been great.

Which solution did I use previously and why did I switch?

We did not use another product prior to this one.

How was the initial setup?

The initial setup is pretty straightforward.

What about the implementation team?

Our in-house team handled deployment.

What's my experience with pricing, setup cost, and licensing?

I don't get involved with pricing.

Which other solutions did I evaluate?

We did not evaluate other options.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
SecEng3904 - PeerSpot reviewer
Senior Security Engineer at a healthcare company with 10,001+ employees
Real User
Deeper look into our applications helps us see configuration errors, enhancing security

What is our primary use case?

The primary use case is looking at our security as a whole, as an organization, trying to get all the logs collected, see how things can be integrated or what's happening through the different products. We also use it to see how people are trying to potentially circumvent security and what we can do to prevent people from doing that. Finally, we use it to get training out to end-users for certain things that they may be doing inaccurately.

We don't currently use the full-spectrum analytics or the built-in playbooks.

How has it helped my organization?

The benefits are having a deeper look into some of the applications, what's happening within them and possibly seeing configuration errors, enhancing not only the security but the functionality of different applications.

It has also provided us with increased staff productivity through orchestrated, automated workflows.

What is most valuable?

The most valuable features are the alarms, and some of the reporting features in the product are great. The web interface is awesome, it's very intuitive and gives a lot of great information.

What do I think about the stability of the solution?

So far the stability has been great. No issues whatsoever.

What do I think about the scalability of the solution?

We're actually going through an expansion at the beginning of next month and it seems to be fairly easy.

How are customer service and technical support?

We have used technical support in the past and it hasn't been an issue. They get back with us fairly quickly. Great people to talk to, very knowledgeable.

Which solution did I use previously and why did I switch?

We were using another product before, McAfee Nitro SIEM, and that product was just getting too hard to maintain. We had other people on the team and within the organization who had used LogRhythm in the past, so it came highly recommended. We checked into it, checked reviews on some of the different vendors, and LogRhythm is the one that came out on top.

How was the initial setup?

The initial setup was pretty straightforward.

In terms of the deployment and maintenance of the solution, for us right now, it was very light staff for the setup. It was two or three people that racked and stacked the servers. Once that is done, you don't really need them anymore. For maintenance, we've got two or three people on staff who manage and maintain it.

What other advice do I have?

I'd highly recommend going with the product.

Our security program is pretty much in its infancy. We're always looking to improve things. Just as IT, in general, constantly changes on a daily basis, LogRhythm is always evolving and coming out with different things, helping with innovation. It's been great.

Right now we have roughly 70 to 80 different log sources. We have about 5,000 to 6,000 events per second, and we're looking at expanding that.

I rate it at eight out of ten. It's up there, top-of-the-line, but just like with any other application or program, as you grow, there are going to be some small hiccups. They're very minor.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Security Engineer at a healthcare company with 10,001+ employees
Real User
We can't feed it fast enough, gives us a ton of insights into our organization

How has it helped my organization?

We have 10 hospitals or so throughout Minnesota, and a lot of clinics and smaller health facilities. The technology stack is mostly Microsoft based. We do about 25,000 MPS.

The key challenge is just protecting PHI, personal healthcare information; that's a challenge in our industry. Patient care comes first, even before security. Then also, healthcare is a bit behind the loop. It's a large organization; we've got over 30,000 endpoints.

Just like any SIEM product, LogRhythm gives you a lot of insight into your organization. The web UI has been particularly helpful for our analysts and our budding SOC program. Being able to give them a nice kind of sexy layout, dashboard. And the reporting is great for management.

Then there are all the "cobwebs" that we're discovering, that LogRhythm gives us insight into.

We can't feed it fast enough, is basically what it comes down to. It's given us a ton of insight that we didn't have before. It's been magic.

What is most valuable?

The functionality of it. It definitely does a lot of things out of the box. You don't have to do a ton of tweaking and tuning, but that's there for you if you want it. Big-time usability and implementation is easy.

What needs improvement?

Maybe it's just my lack of understanding of it, but I would like to see the web UI expanded further.

I would also like to see - and there might be some documentation around it - building your own smart response plug-ins.

I think those would be pretty nice.

What do I think about the scalability of the solution?

So far so good. No complaints.

How are customer service and technical support?

It's been very good. I've had a couple of instances where it's taken a week or more to figure out the issue. But usually, when it gets to the tier-2, tier-3 guys, they get it answered really quickly. We've also had a lot of success sending logs to them so they can do RegEx on those for us, some custom parsing. It's nice.

The issues we had surrounded integrating the Qualys API, and some questions that we had. It ended up taking a while to figure out that we needed to get a feature request put in.

What other advice do I have?

In terms of a solution being unified, end-to-end, for us it's huge. We have a ton of different security controls. I'm sure we're not any different than any other organization. Being able to bring it all in and put it on a single pane of glass is awesome.

My rating of eight out of 10 for LogRhythm is because, while I think the support is great, the solution is a little rough around the edges. Like I said, I'd like to see the web UI built out more, and be able to jam more data into it. The fat client console feels a little rough around the edges to me, even though I use it every day. But overall, not a ton of complaints.

Definitely check out LogRhythm. That's one of the things that I've noticed in talking to other people, it seems like people really focus on other top 10 SIEM tools like ArcSight and such. I don't hear LogRhythm talked about that much, so usually I'll bring it up and say, "Hey, go check out Logger."

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Andrew S. Baker (ASB) - PeerSpot reviewer
Cybersecurity & IT Operations Professional (VirtualCxO) at BrainWave Consulting Company, LLC
Consultant

LogRhythm is a very good tool, but it comes with a pretty hefty price tag (especially for smaller orgs than yours). While it does not have (as yet) the name of an ArcSight -- especially with larger orgs -- it is definitely making a strong name for itself in the mid-market and enterprise space.

Buyer's Guide
Download our free LogRhythm SIEM Report and get advice and tips from experienced pros sharing their opinions.
Updated: May 2025