- AI Engine
- Alarm rules correlation
- Web interface
- The amount of information it has throughout the web interface
- The drill-down
We've been able to go ahead and find more with less effort, just on the web interface itself.
Functionality, ease of use.
There are a few "gotchas" in the applications. One of the issues that we're having right now is on the AI Engine, when you do the drill-down: there are no events being populated for the drill-down. The recent upgrade and release fixed some of that.
Some of the other parsing rules are also an issue; parsing isn't done correctly.
We've only been a customer for maybe about five months.
It seems to be fairly scalable.
We have used LogRhythm technical support. The response is really good.
We were using McAfee Nitro. The administration of the application was very cumbersome, and trying to get reports, customizing the analytics on there, is a bit difficult. We looked at LogRhythm, and LogRhythm seemed to have a lot of the stuff built in, canned already.
It was pretty straightforward. There were some things that were a little bit complex after the setup, and trying to troubleshoot some things. For example, the log indexer was indexing most things, but not everything. It got backed up, so we had to go in and troubleshoot some of the processes.
It was pretty significant for our solution to be a unified end-to-end platform because we did have a wide range of systems out there; trying to make sure that it was able to bring in the sources and correlate the events.
The only thing that surprised me was the logs filling up for some of the indexing jobs. Other than that, there was nothing that support wasn't able to go ahead and help us with and get resolved.
My advice to a colleague at another company who is researching a similar solution would be: Make sure you do your research. Understand what it is you're looking for in a SIEM. Have a plan of attack on what it is that you're looking for, and what you want to get out of the tool.