LogRhythm SIEM Reviews

In my company, we use LogRhythm SIEM for integrations. We use the product for SOC use cases. If we have SOC implementations, LogRhythm is the SIEM solution we use since it can also offer a SOAR solution.

The most valuable features of the solution are network monitoring, user behavior analytics, and log collection. Our company uses almost all the features offered by the solution.

The console installation is an area with a shortcoming in the solution that needs improvement. If LogRhythm SIEM can offer a web console, it would be great. Since the product does not offer a web console, my company must rely heavily on the client console. There need to be some improvements in design. I want LogRhythm SIEM to be more user-friendly.

The File integrity monitoring (FIM) features offered by LogRhythm are great, but it is not competitive with the other solution offering the same feature.

I have experience with LogRhythm SIEM for two years. My company is a reseller of cybersecurity solutions. I use the solution's latest version.

It is a pretty stable solution. Stability-wise, I rate the solution an eight out of ten.

It is a very scalable solution. Scalability-wise, I rate the solution a nine out of ten.

My company caters to three customers who use the solution. Mostly our customers are enterprise-sized businesses with a few hundred or thousands of people.

I rate the technical support as an eight out of ten.

Positive

The initial setup was easy. I rate the setup phase an eight on a scale of one to ten, where one is difficult, and ten is easy.

The solution is deployed on-premises.

For deployments, it can take about two to three weeks. It could take more time when it comes to tuning or fine tuning needed in the solution, and it is not the case for LogRhythm alone but the same for all SIEM solutions. The deployments and the initial configuration can take around a month.

There are two aspects when it comes to the steps involved in the deployment phase, which are organizational and technical. Our company starts the deployment with the organizational aspects first, where we have to understand the company's context, to understand the company's use cases, and where we have to implement. Then, we start with the technical stuff, like installing solutions and configuring the use cases we have already discussed with the customers.

On a scale of one to ten, where one is low, and ten is high, I rate the pricing between six and seven. Price-wise, it is not a solution for small businesses. My company works in the African market, and in African markets, LogRhythm SIEM could be very expensive for small enterprises. There are annual charges to be paid for using LogRhythm SIEM. There are no extra charges in addition to the licensing costs of the solution.

To those planning to use the solution, I suggest they get trained before starting the use and deployment of the solution.

I rate the overall solution a nine out of ten.

The primary use case for our LogRhythm product is to maintain PCI compliance across all of our environment. We also use it to monitor authentication and monitor our perimeter for security threats.

The product is improving our organization, giving us a lot more visibility. It also gives a lot of our smaller different IT organizations that we partner with better understanding of their environment and also a way to kind of structure the access to that data.

We are using a lot of the analytical capabilities. One of my favorite features is the AI engine that allows us to take multiple data events, tie them together in different patterns and different baselines in order to identify more complex threats in our environment.

Our security program is still pretty immature. It's a pretty immature company, we've existed for less than a year. We're growing very rapidly, we're trying to start with the foundational policy and compliance requirements that we have and trying to tie those and map those into LogRhythm. So that's gonna be our main tool to tie all that requirements into.

The most valuable feature I get out of the LogRhythm platform is being able to take machine data and present it in a format that's easy to understand, easy to analyze, easy to pivot through to get answers to the questions that I had that I'm investigating, whether they're security related or operationally related.

At this time, we're not using any of the playbooks in LogRhythm because it's currently not available in our version. However we are very excited about that feature coming out in the near future and we're definitely looking at using playbooks to do phishing, unauthorized access and our other use cases we're gonna identify in the future to make sure that our analysts are responding to the threats in similar ways and that the correct actions are being taken.

We have around 75 different types of log sources coming into the environment right now. The log source support is good, there's always room for improvement. One of the areas that LogRhythm's kind of pushing really hard right now is to integrate more cloud solutions, so your Office 365, your Azure, your AWS, making sure that those SaaS and other cloud platforms are getting the data you need into that platform. It's getting better but there's definitely still work to be done.

We currently have 3000 messages per second in our environment but we still have a number of different resorts to onboard in our tenant. So we're definitely looking to push above, probably the 7, 8000 range.

The biggest one in my mind that I want to implement is some of the AD controls. Reacting to a threat where an account password needs to be changed, or an account should be disabled, to react to that threat. Moving into first a phase where an analyst is gonna see that, review that action and then once we get comfortable, make that an automated action.

The big two big areas for improvement is TTL. Making sure that the data that we're collecting is available for a longer amount of time. So I know with some of the new releases coming in LogRhythm, that's gonna be improved which I'm really excited about. The other one that's kind of getting back to the fundamentals of why LogRhythm was chosen as a solution, being able to take your machine data, understand it, index it, classify it and give you that visibility.

I'd like to see them focus on that because there's so many different security tools being spun up these days that being able to keep up with that and having more partnerships with security vendors to make sure that security tools have new releases in their environment, they're able to keep up with those logging changes.

Stability in the LogRhythm product has been very solid for me. I'm a very experienced user, I've used the product for about five to six years now. I have a lot of administration and analyst experience with the tool. The other great feature is that LogRhythm support is really excellent, they're easy to get a hold of, they're very talented and if they aren't able to answer your question right away, they have a very good internal escalation process to get an answer to resolve your issue.

Scalability is pretty solid with LogRhythm, I know that's one of their biggest issues, is if you have a huge enterprise environment, there might be scalability issues, but for a small, medium, pretty large sized businesses, I think LogRhythm's gonna be a great tool to match that environment.

I wasn't part of the evaluation at this location, I actually took the job because I knew they had selected LogRhythm and I had the experience there. I know they did some SIEM tools comparisons with Rapid7, Splunk and QRadar which was the incumbent when evaluating LogRhythm as a replacement SIEM solution.

I was involved in the setup at our organization replacing QRadar, our previous SIEM. It was a very straightforward implementation, the TMF team at LogRhythm helped make sure we got everything deployed, gave us some examples of how to onboard the log sources and then kind of gave us a playbook to move forward and gather the rest of the data from our environment.

I'd give LogRhythm a nine out of ten because of the ease of use, especially as an analyst, being able to twist and turn all that data, drill down on it, really get an easy understand of what's going on in the environment.

From the administration side as well, it's a lot easier to use than other products that I've had and it has all the built in knowledge, whereas with some tools you dump all your data into it and it's up to you to do that classification and indexing and understanding of that data, where the value that LogRhythm's gonna provide for you is that prebuilt classification for all the data sources in your environment.

If I had a friend that was looking to implement a new SIEM solution, I would have them understand what log sources they're trying to bring into their SIEM solution and make sure that the one they chose supported those log sources. On top of that, understand your use cases that you're gonna use this SIEM for, have those ready in hand and be ready to start billing those out as you get that data in the environment.

We've been working with LogRhythm for a few weeks. We had Splunk and we're replacing it LogRhythm.

It's a general SIEM system for us, gathering the logs into one area.

We integrated Azure logs with it and that makes it simpler. Rather than having to log into the portal, we can just check everything in one place. We can compare those to our Windows and host logs to see if any problems correlate between them.

It just makes it simpler for analysts to find everything in one place. We don't have to give everyone access to ten different things, it's just one area where we can see everything.

We like the alerting features. They seem a little more hands-on and easier to set up.

It seems like a stable product. We haven't had any downtime yet. All the network monitoring seems to be going smoothly.

We have about 20,000 logs per second as our ceiling and we're at about 6,000 to 8,000 now, so we're okay. It looks like it's going to meet our needs for many years.

They're hard to get a hold of. We've tried to work with a couple of engineering department guys there. We've called them and called them but we never hear anything back.

We moved away from Splunk because we were not happy with it. Workstation monitoring seemed a little more complex than it is with LogRhythm. It's much simpler to search for issues and get alerts through it.

The setup was pretty straightforward. They sent us the appliance, we tailored it to our needs, made sure our network met everything it was looking for. We worked with their support a little bit on what they recommend for setting everything up.

We had a kick-off meeting before they sent the appliance to us and they handed all the documentation to us. That aspect's good. But working with the engineering support has lacked.

We looked at AlienVault, that was one we demo'ed. LogRhythm does seem better.

I'm not sure that we're hands-on yet with the full-spectrum analytics capabilities and we don't use any of the built-in playbooks. We have plans to use them in the future. We want to integrate everything into it and make it more automated.

We're at about 6,000 logs per second. In terms of a measurable decrease in the meantime to detect and respond to threats, we haven't gotten there yet. We are still implementing, still learning. We have to get to all our logs correlated.

So far we're pretty happy with the overall functionality of the system. It's going to meet everything we're looking for.

It's our primary threat-hunting tool. We use it to look for anomalies. We use it for investigations. We use it for just about everything security related. If we find it in another tool, we use the SIEM to cross reference what activity we would see either from that user or from that machine that we saw in the other tool.

It's improved our organization in a number of ways. 

Before we got the current SIEM, for example, the previous SIEM was not our primary threat-hunting tool. It was a data point we would go to occasionally.  Today, LogRhythm SIEM is our primary threat-hunting tool thanks to the user-friendly interface, which is much better compared to what we've had previously.

The ability to return relevant information from a search to provide either corroborating evidence for an investigation we were already undergoing or just being in a better place to go hunt for threats has made me feel that the environment is safer than what we had previously. 

Previously, with McAfee SIEM, we had no confidence that it would help us in an investigation, so we frequently did not lean on it. It let us down so many times. LogRhythm SIEM gives us a sense of confidence that, during an investigation, it's a solid source of information that we can use to complement the investigation or perhaps complete the entire investigation within the SIEM.

Our previous SIEM did not have dashboards, so there wasn't a starting point. With our previous SIEM, we had to have a specific thing we were looking for, and only then we could find it. 

The dashboards in the LogRhythm SIEM really help us as a starting point. It gives us a starting point we can go to every day. We walk through several dashboards to see anomalous activity for further investigation. The dashboards, therefore, are our favorite feature of the SIEM.

The solution helped with productivity and the ability to process logs. We do Event Log Filtering for certain log types, which we don't want in our SIEM as they're just too noisy. Having too much noise in the SIEM makes it harder to find relevant things. Therefore, we use Log Filtering to limit the noise. It's also given us the ability to bring more logs in, so we bring them all from all of our workstations and servers. Doing the log filtering this way allowed us to bring in other log sources and keep the noise manageable.

It's helped reduce our administrative overhead. Before we started doing the log filtering, we exceeded our license capacity for what we were licensed in terms of logs in our SIEM. The filtering allowed us to bring the noise down and helped us with the removal of junk logs that are not useful. We have a lot of firewalls, and anytime you're traversing internally inside of the firewall, it generates a lot of traffic. That kind of traffic is the type of traffic we took out, allowing us to bring our workstation traffic logs in to give us a better view of our environment.

It's very big for us that the solution is out-of-the-box. To have the solution be turnkey was significant as it enabled us to ramp up and get the logs onboarded immediately. There wasn't a lot of configuration to get to a point where we could bring logs in. It was essentially turnkey.

We use Windows Event Forwarding to collect the logs from our Windows clients, and the logs get aggregated as one data source on that collector. Therefore, finding logs specific to one particular Windows system requires some creativity in how we search the SIEM. 

I've heard that in a future release, it may come to a point where the Windows systems would be dedicated log sources, so you can choose just that log source. That would greatly improve our ability to threat hunt with our SIEM.

We've been using this LogRhythm SIEM for about three and a half years.

The solution's been very stable for us. We bought a high-availability solution, so we have two systems in a high-availability pair. That redundancy gives us resilience. It comforts us to know that if we lose one data center, we've still got logs going into our SIEM in the second data center.

The hardware we bought has the ability to process logs at twice the limit that we are licensed for, and we've not had to increase that. We've had it for three and a half years, and it's robust and keeps up with our needs.

I've had to engage LogRhythm technical support on many occasions. They've always been quick to respond and are very knowledgeable, professional, and helpful.

Positive

The previous SIEM we have was McAfee Nitro. There were a couple of reasons why we switched. We switched due to the fact that it wasn't easy to just stumble into finding things. You had to know what you're looking for and we didn't like that aspect of it. Also, we had a really bad support case that was the catalyst for making the move to a different SIEM.

We have a different setup, and we keep the SIEM in our PCI environment to limit our PCI scope. We had to think through the architecture so that we had the logs in the places we needed them without having our firewalls wide open. It was very quick to deploy since we used Windows Event Log Forwarding. We were able to use a GPO to have logs sent to a centralized server and, from there, ingested directly into the SIEM, so we were onboarded in less than a week's time. We were able to onboard the majority of our log sources quickly.

When we bought the SIEM, we bought a block of professional service hours that we utilized to help implement the SIEM. They were a tremendous help with adding dashboards and getting our fingers in it enough to where we learned our way around it before we actually even got training. It was LogRhythm professional services, and I highly recommend them. They were excellent.

We've absolutely seen an ROI. We felt it immediately since the out-of-the-box dashboards gave us visibility into our environment that we had not seen before, as we didn't have a SIEM that presented the data in a usable manner.

The license model is similar to other SIEM solutions that we looked at, which is a log volume pricing model. That pricing model works well, especially being able to filter the logs and get less important logs in so we have the ability and the headroom to put in other log sources.

We evaluated a few other options. Since we're a government entity, procurement rules limited us to just a handful of options, and of the options that we had, LogRhythm was clearly the better choice for us. 

We had the option to renew and get a refreshed McAfee SIEM, which we didn't feel good about. The other two options that we were able to use were IBM and Rapid7. IBM was just another vendor I've not had good luck with in the past. Rapid7 was a smaller player. We didn't feel they had the ecosystem, the robust ecosystem, to support what we were looking to implement.

I'm a senior security analyst. I work at a government organization that employs between 500 and 1000 people.

We are on-prem with high availability, so we have two self-contained systems, sequel logs, and everything, and they can run either box.

In terms of helping us manage workflows and cybersecurity exposure, we haven't leveraged smart responses in the SIEM. It looks like a powerful asset. We have some automated responses with a different tool for ransomware detection and prevention. However, the workflow ability in the SIEM is actually quite powerful. We just haven't leveraged it since we haven't felt that the right use case presented itself to us yet.

When it comes to affecting our rate of efficiency, we don't measure those metrics, so it's kind of hard to say there's a measurable amount or how much it's improved. It has given us a threat-hunting tool previously unavailable to us. We are very happy to have the SIEM be our primary threat-hunting tool.

Those who say SIEM is an outdated security solution should note that SIEM technology has been around for a very long time. It's still relevant thanks to the continual development that companies have done to bring more usability to extracting threats from logs. That's timeless. That's not something that's going to go away over time. The LogRhythm SIEM continues to add features, and improvements and makes finding and presenting data from raw logs easier. Digging through logs before we had a SIEM was tedious and very time-consuming. It's made it a big-time saver. To have the way it presents the logs in a usable manner has been a tremendous help for us.

I'd rate it a solid nine out of ten.

The solution is used for threat hunting. We also use it as an SIEM for our SOC.

The solution enhances our organization's threat detection and response capabilities. It prioritizes alerts. We can write rules on it. It provides a comprehensive rule list out of the box. We have compliance rules for PCI and SOC. We prioritize the rules for PCI compliance. Assets that we have ingested have PCI labels, and we can identify the websites that need PCI. We can visualize threats on important assets and analyze, mitigate, and rectify them.

The log analysis feature is valuable. The solution has an AI rule manager. AI Engine gives us plenty of options to write new rules and modify existing rules according to our requirements.

The cloud version must be scaled better. The EPS values shown are sometimes not reflective of how we see them. Log ingestion takes a couple of days. When we have errors, the turnaround time is two to three days. It should be organized for better turnaround time. The cloud infrastructure is taken care of by the cloud team. The responses provided by the cloud team are inefficient. The response time must be improved.

I have been using the solution for two years.

I rate the tool’s stability a seven out of ten.

The tool is scalable, but the tech stack is very old. It doesn't use the new generation bells and whistles like artificial intelligence. There is a lot of room for improvement. I rate the scalability a seven out of ten. In our organization, 12 to 15 security analysts use the solution.

The support team helps us a lot.

Positive

We used FireEye two years ago. The management decided to move to LogRhythm SIEM because FireEye was going through a transition, and we wanted a stable product.

The initial setup is not easy. It requires technical skills. I rate the ease of setup a six or seven out of ten. The solution is cloud-based. Our environment is very complex. The deployment takes three to four months. We have to install agents. We have multiple locations with multiple data centers and a multi-cloud presence. The setup must be done with a lot of variations.

We use Puppet for Windows deployment. The Linux deployment needs forwarders. We have multiple tiers, endpoints, and collectors. We must set up multiple things. Each aspect has its own set of rules and limitations. We cannot do everything in one go. We must scale it up gradually.

We have seen an ROI on the product.

We are moving to Google Chronicle. We are in the transition phase now.

LogRhythm SIEM is a good product for a small SOC. Overall, I rate the solution an eight out of ten.

Absolutely. It has helped us gain visibility into events that we didn't have before at all. We have a lot of remote locations. We manage national parks and point-of-sale devices on ships, at the top of mountains and little cabins, gas stations in the middle of Death Valley; we have a lot of difficulty around trying to keep an eye on things, and LogRhythm lets us have agents running almost anywhere we want.

It also has provided us ways to do compensating controls for systems that we couldn't otherwise secure, because of different product upgrade paths and costs. LogRhythm helps us on the compensating control side as well.

I think we're right around 1000 to 1500 (peak) logs per second, which is not a lot, but we've tuned it heavily in the last few months. We've added compression and we've turned off verbose logging, and just try to get the important things. We've been working with LogRhythm to tune what we collect, to make it is more useful or applicable. I wouldn't say that we're one of the higher end users or higher logs-per-second users, but we have 15,000 employees in peak season. We have six ships and we manage most of the national parks, so there's a lot of locations around the world. I don't have a number on buildings or assets though, but maybe 4,000 endpoints total, if you include routing and switching servers, desktop PCs.

Up until recently, I would speak with LogRhythm and they would ask me, "What do you want to do?" I'd say, "I don't know. What can you do?" "We can do anything. What do you want to do?" It's hard for us to know what we want. We just know that we want to be secure. We know we need to collect logs, we know we need to do basic things. But recently, LogRhythm came out with a package to help us tune our system for PCI compliance, like industry best practices. We don't know what all those are, so we're working with them to turn on all the bells and whistles that will make us more targeted in our strategy and collecting information, so that we're not just looking for things at random, or it's dealing with a crisis.

When we have a crisis we know what we're not getting, but we don't know how to predict that, we're fairly new into the maturity phases, so I think that they've compiled a lot of that for us, and I'm very happy that we're able to work with them now to get that hammered out.

The PCI compliance pieces that help us produce reports for our external auditor, and their support.

I constantly sing the praises of their support group. It's a complicated, vast product with a lot of breadth and depth. Things go wrong. But when I have a problem their support group will get a hold of me within minutes to hours, at the most. If it takes a group of people to solve the problem they pull a group of people together. They will create remote sessions. I don't have any other vendors with the same level of support that LogRhythm does.

Global management for registry integrity monitoring. Right now you have to apply what they call RIM policies, Registry Integrity Monitoring policies, one agent at a time. If you have thousands of endpoint agents, you have to touch each one of those one at a time. That is a pain in the rear, so I would really like to see some type of group or global management for RIM policies, like they have already for FIM, the File Integrity Monitoring. You can grab hundreds of agents at one time, and apply them across the board. I don't know why you can't do that with the registry piece.

It'll scale forever, and especially in the VM and cloud environment; so the time and money, those are the only two things. But it fit's our needs, where we are.

Like I said, we're not a really high volume user at this time, but that could change. We're owned by Philip Anschutz, he's always incorporating companies that he thinks will make us bigger, better, and more marketable; so that could change overnight.

But right now, where we're at, it meets our needs, I'm happy that it can scale anywhere that we need to go. There's no limitations there, as far as I know, and there are lots of options, with hardware, clusters, distributed environments, cloud-based environments, VM-based environments, combinations of all those things, so there's no problem with scalability.

They're a 10 - out of five stars! I have great success with them, very pleased. Love working with them, they're funny. They're also right here in Colorado, so when we need somebody on site it's not difficult. But it's rare that we can't solve problems with GoToMeeting or WebEx.

We used AlienVault, and before that Splunk, but neither one of them worked, and even their pro-services people couldn't get the products to really perform well in our environment. I understand the LogRhythm sales engineer who came out the first time to demo or do a proof of concept, was doing things in minutes that the other folks were trying to do in weeks, and my boss said, "That's what we want. I want that."

We need stability, ease of use, ease of investigation, so we had looked at a number of products in the past. Again, that was mostly before I came on board, but I understand the challenges with them included having to write a lot of custom parsing, and you either had to have Linux gurus on staff, coding gurus on staff, to make those products sing. LogRhythm has all that built in, and you just need to let them know what you want to turn on. They have all the features and policies and alerts that you could ever hope for, so you just have to know what you want to do.

The only other SIEM tool company that was even close to LogRhythm was QRadar, IBM's SIEM solution, in performance and cost and features. Actually, not cost. I think they're very expensive, and that company makes a lot of people nervous. LogRhythm is, like I said, local, and stable, growing, aggressive, helpful. IBM is a big monolithic company, which I have a lot of respect for and they've come a long way, but they're constantly splitting off and selling pieces, and you never really know where that product's going to be in a few years. LogRhythm hasn't had that problem.

It's effective, it's like a Ferrari. You have to have a lot of mechanics, and you have to fine tune it, and when it's running well it runs very well, but there are a lot of things that can go wrong too. I'm pretty much a one-man shop, and it's difficult for me, but that goes back to having good support and good communication with them. It's a struggle, but the product is strong and we just need to continue growing with it, in our understanding, in our use of it, so we'll get where we want to go. But it's a partnership, so we appreciate that.

I already mentioned some of the most important criteria when selecting a vendor, but the main ones for us were

• local presence: so we have a door to kick down when we need help
• support: LogRhythm has very strong support features
• scalability and cost: LogRhythm had a higher initial cost, but it had almost everything built in that we needed, there were no additional or hidden costs later, so it was much easier for us to plan ahead.

Also, our company likes to spend capital dollars, so the hardware option was more attractive to us. I like the VM and cloud, and I'd like to move in that direction, but having the multitude of options that they have was a big plus for us.

It's very important for us to have a unified end-to-end platform because we have so many different locations and we have such a small team. Having 50 different products and 50 different interfaces doesn't help anyone, even if they're good products. Having one single product that can do a lot of things is very important.

It's a 10 our of 10 for sure. Even 11. I love it.

Don't just look at cost because, as I said, LogRhythm was a little bit higher in the beginning, but look at the features that they have and the support, everything, especially in this field. It's a complicated business, so everybody's going to have problems. Can they fix those problems, and will they work with you to grow? Look at the big picture. Long term.

We use it for log ingestion and monitoring activity in our environment.

It is a simpler system than what we had before. We had IBM QRadar, which used to give us everything, and we had to dig through, figure out, and piece it all together. LogRhythm lights up when an event occurs. As opposed to just giving us everything, it will piece things together for you and let you know that you probably should look at this. It also provides the evidence. 

It is easy to find what you're looking for. It is not like a needle in the haystack like QRadar was. It is not a mystery why something popped or why you're being alerted. It provides you the details or the evidence as to why it alerted or alarmed on something, making qualifying or investigations a little bit quicker and also allowing us to close down on remediation times.

Automations are very valuable. It provides the ability to automate some of our small use cases. 

The ability to integrate with other products that use an API is also very useful. LogRhythm has a plugin for it that we can connect and start to move down towards the path of a single pane of glass instead of having multiple or different tools.

Their ticketing system for managing cases can be improved. They can either do that or adopt some of the open-source ticket systems into theirs. The current system works and gets the job done, but it is very bare-bones and basic. There are some things that could be improved there. 

They should also bring in more threat intelligence into the product and also probably start to look into the integration of more cloud or SAS products for ingesting logs. They're doing the work, but with the explosion of COVID, a lot of businesses have started to move towards more cloud applications or SAS applications. There is a whole diverse suite of SAS products out there, which is a challenge for them and I get it. They seem to be focusing on the big ones, but it'll be nice to be able to, for example, pull in Microsoft logs from Office 365. They are working towards a better way of doing that, and they have a product in the pipeline to pull logs in from other SAS applications.

The biggest thing for them is going to be moving away from a Windows Server infrastructure into a straight-up Linux, which is more stable in my eyes. For the backend, they can maybe move into more of an up-to-date Elastic search engine and use less of Microsoft products.

I have been using this solution for three years.

Bugs are there. We've encountered quite a few, but support is pretty quick at picking up and working with us through those and then escalating through their different peers until we get a solution. Now, the bugs are becoming less and less. Initially, they were rolling out features pretty quickly, and maybe some use cases weren't considered. We ran into those bugs because it was a unique use case.

It is easy to scale. We run different appliances. So, for us scaling is not an issue. Each appliance does a different piece of the function, so scalability is not a problem. We started off doing say 10,000 logs per second or MPS event, and then we quickly upgraded. Now, we're sitting at a cool 15,000. There is no need to upgrade hardware or anything. You just update the license. That is it.

We have multiple users in there. We have a security team, operations teams, server team, and network team for operations. We also have our research team, HBC team, and support desk staff. We have security teams from other universities in the States. We're sitting at a cool 50 users.

Their technical support is good. They are pretty quick at working with us. I would give them an eight out of ten. I don't know what they see on their end when a customer calls in and whether they are able to see previous tickets. It always feels like you're starting fresh every time. They could maybe improve on that end.

We had IBM QRadar for what seemed to be almost a decade. So, we just needed something different. There was a loss of knowledge transfer, as you can imagine, over a decade with different people coming in and out of security teams, and the transfer of knowledge was very limited. At the time I got on board, I had to figure out how to use it and how to maintain it and keep it going. We had some difficulties or challenges with IBM in getting a grasp on how we can keep getting support. It was a challenge just figuring out who our account rep was. After I figured that out, it was somewhat smooth sailing, and then we just decided it was time for something different, just a break-off because products change in ten years. You can either stay with it and deal with issues, or you do a break-off and get what's best for the organization.

It was complex simply because we had different products. 

We did have professional services to help us, which made the installation a little bit smoother. Onboarding of logs and having somebody with whom you can bounce ideas and who can go find an answer for you if they didn't have one readily available made the transition from one product to the other pretty straightforward.

We did a five-year agreement. We pay close to a quarter of a million dollars for our solution.

I would definitely advise giving it a look. If you're able to deal with it in your environment and just give it a chance, it'll grow on you. It is not Splunk, but it's getting there. They're gaining visibility with other vendors. The integration with third parties is starting to light up a little bit for them, unlike IBM QRadar that has already created that bond with third parties to bring in their services into the product. LogRhythm is definitely getting there, and it is a quick way to leverage in-house talent. So, if you want to do automation and you have someone who is good at Python scripting or PowerShell, you can easily build something in-house to automate some of those use cases that you may want to do. 

I would rate LogRhythm NextGen SIEM an eight out of ten. 

We are primarily Windows-based. We have Linux. We have some Solaris. We are an isolated network. We have no connectivity to the internet, so we are more focused on insider threat and advanced persistent threat. One of the things that has really been a concern is we have a lot of software developers and engineers. These guys are gonna be able to create their own threat, so the behavioral analysis function of LogRhythm is really important, because there may not be a threat signature that we can find somewhere. We are going to need to see, "Oh hey, this guy, he is doing that at some weird hour. Okay, trigger an alert." That's probably the biggest difference. We are not going to have to worry about phishing attacks. We have really locked down. Our endpoints are going to a lot of thin clients just to eliminate a lot of potential access to systems.

LogRhythm has caught a few odds and ends, where things were done for sheer convenience. It caught this weird behavior, and alerted us, and we're like, "Why do we have a DNS server with a software install point on it?", which is completely strange because we have an official software repository where everything is supposed to be. LogRhythm caught that for us, and it was really a case of a privileged user account, which was no longer active, and someone just tried to login with it. We were like, "Who is this? It's not even the same format for the username." So, it caught something like that, and it turned out to be harmless.

Maybe years ago, they had brought someone in, not an IT guy, they were pushing out a lot of common software, and they didn't have an SCCM or a WSUS solution, so they had people going to machines, and downloading it from various locations. It is something we cleaned up, and got out of the way. We haven't had anything nefarious show up, yet.

It has also been helpful for tracking a lot of stuff, like user account activity. We have our own folks, we have vendors and contractors that come in. It's great to be able to see when their accounts are being created, and when they're being locked down, because our security people can say, "Okay, this person is a new hire. We know they are supposed to be here. This person is leaving the company. Good to see their account has been locked down." There is a lot of confirmation on account activity, which is great.

We need to catch everything before it does anything bad. Our biggest challenge is we have reporting requirements with our customer. They want to see specific types of activity, and while we want to be able to provide that, we also want to be able to catch things that might be on the edge or just outside of those boundaries. So that is our biggest challenge because I can watch the industry news and see, "Oh well, we have a threat that is coming in this way now that could possibly get on our system. How do I catch that?" Well, my customer's requirements might be too vague or too specific. I have to convince them that this is also important, include it, and here is why. So keeping my customer educated as to the threats is really critical.

It gives us insight into our entire installation, where we are multiple sites, going as far as the East Coast to the Central West Coast. Our operation is small. I am a one-man shop right now, so it gives me a chance to aggregate all my events and logging, alerting, in one spot. I come in and can see exactly what is happening.

The biggest thing is when you are looking at the client console:A lot of the data, the reports that you can generate, then you are given just a pie chart, a list of data, or both. I would really love to be able to take some of that and not have to export it to a CSV file, so I can pull it into Excel to turn it into some other kind of graph. I know some of that's being handed off to the web console, but that would be the one thing that would be really helpful.

It is a little hard to get integrated.

The one thing that would help me the most, because I am sort of isolated from things, and the guides that LogRhythm puts out are really good. However, a lot of times, it is, "Do this, do this, and this works because of this, this works because you do this." I would love to see something where they show or explain why doing something would break something or wouldn't work for you. That is the one thing, because I have done some things, like created a GLPR, just done them a couple of times, and I had two of work really well, and one that seems like it should be perfect, it is just a simple exclusion, but it does not work at all.

Stability has been great.

Customer Service:

I have done a lot of good work with the account reps and engineers. It really feels like we are on the same team.

Technical Support:

Technical support has been pretty good. It has been a challenge, because we are not connected to the Internet, and when they want to get our logs, we are like, "Well, it is going to be a few days before any of it gets to you." That's our biggest challenge, but they have tried to work with us.

Overall, they have been good. They have been pretty helpful

I was not involved in the initial setup.

I would recommend talking to the rep. That's the biggest thing because they will know what questions to ask.

It does what we want, but there is so much you can do with it. It is like buying the biggest tool set you can find, then you are trying to find out, "Okay, what am I going to do with all of these tools?" Trying to tune your system with the tools that you have available is a little daunting. It was for me because I did not have the security background. If you are new, it will be a little bit daunting. The training is a big help, though.

Understand what your scope is. What are you really trying to do with this tool? If all you want to do is collect logs and pile them up somewhere on a server, this is not going to help you, and it will defeat your security goals, probably. If you are looking for something, talk to the LogRhythm rep to find out, "Okay, we are really operationally-focused. Or, we are really security-focused."

Most important criteria when selecting a vendor:

• Vendor access, which is what LogRhythm is very good at. We have got the engineers coming to us saying, "Hey, we are coming to town, is there something we can talk to you about? Do you want us to visit?"
• Very flexible.
• Really good communication is important because if something is happening, I need to be able to get it taken care of quickly, and that is what's going on.
• Scalability: It looks like it is wonderfully scalable.
• Integration: I have been interested with what I have seen with the carbon block and the endpoint stuff.