Some of the documentation could be improved a little bit. A lot of times it doesn't go as deep into some of the critical issues you might run into. They've been really good to shore us up with support, but some of the documentation could be a little bit better.

The other thing is the interface. It's super easy to use, but it takes a little time to get used to. Definitely, the training helped a lot, but it's not like most other SIEMs. That's because of the way they ingest the data. So, it's totally understandable.

One major area for improvement for Devo, and people know about it, is to provide more capabilities around pre-built monitoring. They're working on integrations with different types of systems, but that integration needs to go beyond just onboarding to the platform. It needs to include applications, out-of-the-box, that immediately help people to start monitoring their systems. Such applications would include dashboards and alerts, and then people could customize them for their own needs so that they aren't starting from a blank slate. That is definitely on their roadmap. They are working with us, for example, on NetFlow logs and NSG logs, and AKF monitoring.

Those kinds of things are where the meat is because we're not just using this product for regulatory requirements. We really want to use it for operational monitoring. In comparison to some of the competitors, that is an area where Devo is a little bit weak.

I need more empowerment in reporting. For example, when I'm using Qlik or Power BI in terms of reporting for the operations teams they also need analytics. They also need to report to the senior management or other teams. The reporting needs to be customized. You can build some widgets in terms of analytics and representations, however, I want to export these dashboards or these widgets in a PDF file. While you can explore everything as a PDF, it's not very complete. I am missing some customization capabilities in order to build a robust, meaningful report.

The initial setup is a little complex.

Technical support could be better.

There do seem to be quite a few bugs within the version we are using.

In the next update, I'd like it if they explain more about the Devo framework. The Devo framework is a tool inside the product. It's a prototype. It is a tool that provides to the customer a map of processes or a workflow, for example, with an HTML application with a front end. My understanding is that each component of this front attaches data with the queries. It might be customized. I'd like to generally understand this better.

I'd like to understand DevoFlow. Up to now, usage could send data to the platform, retrieve it and enrich it by generating graphs and analytics. However, it's my understanding that Flow provides users the ability to process the data in real-time by defining complex workflows as soon as data arrives in the platform so that you can make analytics in a sequence. I'd like to better understand these new capabilities.

When it comes to the ease of use for analysts, that's an area that they may need to work on a little bit. Devo offers its version of a case management platform called Devo SecOps. They did offer it to us. It's part of our contract with them. The analysts have found that the workflow isn't very intuitive. There are a couple of bugs within the platform, and so we are actually sticking with our old case management platform right now and trying to work with Devo to help iron out the roadblocks that the analysts are facing. Mostly it seems like they have trouble figuring out where the actual case is. A lot of the search features that are in the main Devo UI don't translate over into their SecOps module. They seem separate and disjointed. So the core of the platform where we have all of the data isn't integrated as well as we would like with their case management system. There's a lot of pivoting back and forth and the analysts can't really stay in the SecOps platform which adds some bumps to their workflow.

The SecOps module also needs improvement. It should be more closely integrated with the original platform that they had. The data search abilities in the SecOps platform should be made more like the data search abilities in the administrator's side of the platform. 

From our experience, the Devo agent needs some work. They built it on top of OS Query's open-source framework. It seems like it wasn't tuned properly to handle a large volume of Windows event logs. In our experience, there would definitely be some room for improvement. A lot of SIEMs on the market have their own agent infrastructure. I think Devo's working towards that, but I think that it needs some improvement as far as keeping up with high-volume environments.

If all of the connectors for the third-parties were there, it would be a solid 10. Everything else about it is right there. It's a newer product, so we knew going in that there would be some growing pains and that some things might not be available because not all third-parties would be included.

There is room for improvement in the ability to parse different log types. I would go as far as to say the product is deficient in its ability to parse multiple, different log types, including logs from major vendors that are supported by competitors. Additionally, the time that it takes to turn around a supported parser for customers and common log source types, which are generally accepted standards in the industry, is not acceptable. This has impacted customer onboarding and customer relationships for us on multiple fronts.

I would like to see Devo rely more on the rules engine, seeing more things from the flow, correlation, and rules engine make its way into the standardized product. This would allow a lot of those pieces to be a part of SecOps so we can do advanced JOIN rules and capabilities inside of SecOps without flow. That would be a great functionality to add.

Devo's pricing mechanism, whereby parsed data is charged after metadata is added to the event itself, has led to unexpected price increases for customers based on new parsers being built. Pricing has not been competitive (log source type by log source type) with other vendors in the SEMP space.

Their internal multi-tenant architecture has not mapped directly to ours the way that it was supposed to nor has it worked as advertised. That has created challenges for us. This is something they are still actively working on, but it is not actually released and working, and it was supposed to be released and working. We got early access to it in the very beginning of our relationship. Then, as we went to market with larger customers, they were not able to enable it for those customers because it was still early access. Unfortunately, it is still not generally available for them. As a result, we don't get to use it to help get improvements on multi-tenant architecture for us.

Some basic reporting mechanisms have room for improvement. Customers can do analysis by building Activeboards, Devo’s name for interactive dashboards. This capability is quite nice, but it is not a reporting engine.  Devo does provide mechanisms to allow 3^rd-party tools to query data by their API, which is great. However, a lot of folks like or want a reporting engine, per se, and Devo simply doesn't have that. This may or may not be by design.

I say this because I’ve seen many, many times where a customer states that they absolutely need to have a reporting engine.  But based on my experience with other SIEMs, the vendor ends up building a reporting engine, and the customer acknowledges the effort, but then they don’t actually use it. They end up extracting the data into whatever reporting mechanism/tools they use already.  So, often it seems it is the most requested mandatory/nice-to-have feature. Again, not having full reporting feature may or may not be by design for Devo but it has not been a showstopper because you are able to leverage their API to query the data you need and put it into any tool or format you like.

There are some issues from an availability and functionality standpoint, meaning the tool is somewhat slow. There were some slow response periods over the past six to nine months, though it has yet to impact us terribly as we are a relatively small shop. We've noticed it, however, so Devo could improve the responsiveness.

When we first started implementing the solution, the staff that helped us with the migration and getting it set up seemed very new. The tool could be more mature, which we knew going in, but we were hopeful for quick improvements. We would prefer to be further along than we are in that respect, but 18 months later, we still feel pretty good about adopting Devo.

The price could be more friendly as we pay significantly more than what we were paying before, but it's in line with other solutions on the market.

Devo has a lot of cloud connectors, but they need to do a little bit of work there. They've got good integrations with the public cloud, but there are a lot of cloud SaaS systems that they still need to work with on integrations, such as Salesforce and other SaaS providers where we need to get access logs.

We'll find more areas for improvement, I'm sure, as we move forward. But we've got a tight relationship with them. I'm sure we can get anything worked out.

The only downfall that I have is it is browser based. So, when you start doing some larger searches, it will cause the browser to lock up or shut down. You have to learn the sweet spot of how much data you can actually search across. The way that we found around that is to build out really good Activeboards, then it doesn't render as much data to the browser. That's the work around that we use. As far as ingestion, recording, and keeping it, I've seen no issues.

It comes down to some feature requests here and there, which is normal stuff with software. As a user, I may want to scroll through the filters, but the filter didn't allow scrolling at first. That's a feature that came in with version 6. 

We only use the core functionality and one of the reasons for this is that their security operation center needs improvement. It's great for folks that don't really understand advanced detections but for people like us, and other businesses out there that have advanced detections, that becomes problematic and we don't use it.

The detection capabilities and their vertical app capability should be enhanced.

The overall performance of extraction could be a lot faster, but that's a common problem in this space in general. 

Also, the stock or default alerting and detecting options could definitely be broader and more all-encompassing. The fact that they're not is why we had to write all our own alerts.

They could also provide more visual dashboards, what they call Activeboards, within their environment. Activeboards enable you to create custom or pre-defined dashboards. In that context, there are a couple of very useful features for us that are not available when I compare them to some of their competitors. They are features that help you quickly analyze data in a visual way. What they have is still pretty decent but they could beef it up a little bit.

Devo continues to invest in their analytic capability and the platform's durability. Regarding the service management side, Devo are maturing their service management, ensuring they are absolutely on it when they have service incidents or problems with the service. I think the tool offers a great and promising future because the platform's fundamentals are good.

In general, over time Devo should look to provide more customization options and support wraps.

We have a list of things that we'd like to see. I have had all my analysts put in suggestions. I've tested a number of solutions through the years, and I've found that companies appreciate that analyst perspective and anything that makes future releases more user-friendly.

The biggest thing we've found, when trying to integrate Devo with the SOAR solution, is the priority or severity rankings. If they could make those a little bit more intuitive that would help. It seems that when we set the priority of an alert, it doesn't always translate, in the back end, the way you would expect. The severities include "very low," "low," "medium," "high," and "very high." Those correlate to numerical value ranges one to three, four to five, six to seven. It's a little confusing. It would help if they made that priority/severity labeling and numerical system match up a little better.

Also, it would help if some of the error messaging could be a little bit more descriptive when you run a query and an error pops up. It would be good to have a log where you could find those, as well. 

Another issue is that an admin who is trying to audit user activity usually cannot go beyond a day in the UI. I would like to have access to pages and pages of that data, going back as far as the storage we have, so I could look at every command or search or deletion or anything that a user has run. As an admin, that would really help. Going back just a day in the UI is not going to help, and that means I have to find a different way to do that. That's a big one.

The price is one problem with Devo. Huawei, Lenovo, and Gigabyte are all cheaper than Devo. I rate Devo's price an eight out of ten because it is expensive.

The biggest area with room for improvement in Devo is the Security Operations module that just isn't there yet. That goes back to building out how they're going to do content and larger correlation and aggregation of data across multiple things, as well as natively ingesting CTI to create rule sets. Exchange has gone a long way to fix some of those gaps, but there's still room for improvement in that area.

Where Devo has room for improvement is the data ingestion and parsing. We tend to have to work with the Devo support team to bring on and ingest new sources of data. 

I know the Devo Exchange is supposed to make some of that easier, but we've had situations in the past where our data collectors, which are hosted by Devo, have gone down and we've not seen data ingested until we've opened a support ticket with them. 

In general, their data intake process, whether it's how to get new sources in or keep them continuously ingesting, is the biggest area for improvement.

There's room for improvement within the GUI. There is also some room for improvement within the native parsers they support. But I can say that about pretty much any solution in this space. Those are the standards where they need to improve because that's usually where they lag.

I would like to have the ability to create more complex dashboards.

I don't use the Activeboards' visual analytics that much. I just look at the data, most of the time. The Activeboards feature is not as mature regarding the look and feel. Its functionality is mature, but the look and feel is not there. For example, if you have some data sets and are trying to get some graphics, you cannot change anything. There's just one format for the graphics. You cannot change the size of the font, the font itself, etc. You get a graphic that works well in some cases, but in other cases, the numbers are too small and you cannot do anything about it. Overall, the graphic presentation of data is okay, but I miss the basic functionality of being able to change how things look.

There's always room to reduce the learning curve over how to deal with events and machine data. They could make the machine data simpler. 

Lookup tables could be used to minimize the performance impact in bringing together two different sources of data together and correlating them. This could be something that they could improve, but maybe this has already been fixed.