LogRhythm NetMon can be useful if someone wants to look into something apart from network behavior analysis, like DPA or any network forensic services. For DPA or any network forensic services, users can rely on LogRhythm NetMon, where they have to deploy the agent in their environment, or if sensors need to be deployed in TAP and SPAN port, with the help of which you can see the traffic movement. LogRhythm NDR is something based on artificial intelligence, machine learning, and real-time analytics since a user needs to see real-time lateral movement in their environment or network on a real-time basis.

Our client has given us IP addresses that must be assigned to a few devices at their end, such as networks, network devices, and firewalls, that we monitor using NetMon. We see whether those packets have been captured properly and what kind of traffic has been enabled like HTTPS, HTTP, and DNS servers. We also monitor how the traffic is flowing and how much data has been downloaded through one IP.

Most of the SIEM OEMs are now coming up with XDR solutions. It is an Extended Detection and Response that includes NetMon capabilities. Unlike the traditional standalone SIEM solution, it primarily focuses on integrated SIEM capabilities. LogRhythm's SOAR capabilities are far behind those of QRadar. It has its limitations. Some of the automated tasks we can perform on QRadar cannot be performed on LogRhythm because the solution has limitations. It's not the case where the client has procured some licenses, and the license has limitations. He can always upgrade to the next level of capability, but the solution has certain limitations.

I mainly use NetMon for traffic analysis and flow and to determine if anyone is using a previous password.

We use this product for network monitoring, to assist with our network security and performance.

Our primary use case is trying to monitor irregular network traffic - identifying the type of traffic within our network, its origin, and destination IP. It could be HTTP, HTTPS, FTP, or OBDC. Once we recognize the traffic, we then correlate it, determining whether it's normal or abnormal. The data is also send via Syslog to LogRhythm SIEM to further correlate with logs from other devices to look at threats from a holistic view