- The SmartResponse and the alarming
- The ability to write your own rule set
It allows us to delegate some of the alarming, where there's not just one person looking at it all the time. Some lower-level techs can handle basic alarming.
Sometimes our rules don't fire correctly, or events don't get created correctly, but that's mostly just because we have to write custom regex.
Also, moving away from the fat console, more into the web console for log sources and tuning and things like that, would be helpful.
At times it gets a little clunky, or resource-intensive, but it works.
It works pretty well. It's somewhat hard to delete something out of the system. That's probably our only challenge, because we reuse an IP address and then it's difficult.
We've used them a few times. They were pretty good.
We actually weren't using anything before. It was a conglomerate of a firewall and the Windows logs. But we had an IT architect that was more into security.
It was pretty easy.
Regarding a solution being a unified, end-to-end platform, it helps, but it's not completely necessary.
For what it does, LogRhythm works pretty well.
If I were to advise a colleague who is looking into this solution, I would say train someone, as their full-time job, to use it. It's not an easy product to get around.