LogRhythm NextGen SIEM Room for Improvement

Gene Cupstid
Security Engineer at a logistics company with 10,001+ employees
I think LogRhythm definitely has some opportunity to grow in its documentation space, particularly if I just use Splunk as an example. Splunk has amazing documentation. It's great. It's almost second to none in terms of the quality of its documentation. I would almost use that as an industry standard and say, "If you can do this ..." There's no reason someone can't copy that pretty much exactly and say, "Let's do the same thing, but for LogRhythm." That way, when I have a new engineer or even an analyst come on board, I can point them to the documentation and say, "Get to work." That's not really possible today. We definitely need a little bit more hand-holding when it comes to administrative features that aren't nearly as obvious when we're using the thick client or something like that. We've got a lot of work to do in terms of training people up there. But the documentation, I would say, is probably the biggest, one of the biggest things that I've come across to say, "This definitely needs some improvement here in terms of its clarity and availability." Even just finding the right documentation that you're looking for can be tricky sometimes. My best bet is usually just to do a search of the forums and hope that I can find something and get lucky on the first try, as opposed to having every part of the system thoroughly documented in an almost open-source-like way, in the way that open source projects have often gone about documenting and Wiki-izing, if you will, their content. I would love to see LogRhythm do something like that.
Principal Security Analyst at a healthcare company with 10,001+ employees
There are two that I can think about off the top of my head. One is service protection. So, for example, to compare it to an antivirus product: if I'm an admin on a server, I can't uninstall the antivirus product unless I have the administrator password for the antivirus, not the domain administrator password. In the same way, these guys that are out there doing upgrades in the middle of the night and stuff, they don't know why anything isn't working. But the first thing they do is they want to peel off all the security products 'cause they think that's interfering. Then all of a sudden I'll have a server that no longer even has the LogRhythm agent on it. I'm trying to figure out who uninstalled this and whatever. It gets into a situation where I just go, "Well, why is that possible?" A product like Symantec antivirus or Traps or something, I couldn't uninstall it from my workstation even if I'm a domain admin. I've got to have that admin password for the product, and I think that should be baked into the LogRhythm agent so we have more stability over our deployment. The second thing that I would like is, like I said, our logging level is about 750 million logs a day, but sometimes we'll go 850 or 1.2 billion logs a day. Sometimes maybe 680. So what in my environment changed? I don't have the ability, really, with the tools they give me to profile the systems very well and the log sources, except for running reports, which I can look at in kind of the Crystal Reports interface, or I can export it to a big giant PDF or spreadsheet. But then I'm looking, well, last month the Exchange service kicked out this many logs and it's a little bit more, but where did the rest of it go? If I go from 750 million logs average in a day to 850, it might not just be a delta of 100,000 logs increase; it could be 150 because something else might not have generated the same amount of logs.
So, for the ability for me to be able to profile a system and say what's behaving normally and abnormally, you can do some of that with the AI rules, and we've played a little bit with that in the past, but it would be better if it was something like what they're doing with UEBA, where I can say this server kicked out 80 million logs yesterday and that's not normal for it. I'd like to see what was going on with that box. That would, in some ways, help my mean time to detect which servers went through a significant variance in what they typically do; that would be very helpful for me on a lot of days. LogRhythm gives us the ability to automate. We do have some SmartResponse plugins that we're using. Unfortunately, with healthcare you end up using more contextual SmartResponse plugins than you do actionable ones. I can't go and shut down a system unless I have absolute 100 percent confidence in the fact that it's not actually touching a person, because a biomed is a computerized medical device that connects to a person. So in our environment, with a half-dozen hospitals and 130 clinics, we can't just go around shutting things down, or even necessarily quarantining them, because it might be a client-server type of situation where we can't interrupt this if maybe they're giving a radiation treatment to someone. We have a lot of different enclaves and things. But LogRhythm allows me to see things that I may want to take action on via a human resource. I can send a desktop tech out there to make sure that whatever it is I'm concerned about is not in fact taking place.
Reno Thomas
Senior Security Engineer at Augeo Marketing
Our key challenge is working with disparate IT groups. We are a brand new security team within our organization. It's a pretty small company. They have grown their infrastructure by acquisitions, so they have a lot of separate naming conventions at each location, different staff, different log sources, and firewalls, which are different at each location. It has been a challenge. This has been one of the first applications that we've had. This, and a couple of others that the security team brought in recently, work across the enterprise. So, we've had a lot of challenges just getting AD or DNS to work, real basic stuff. Then, also the log sources for the servers: we didn't have a lot of the logging enabled, so we had to kind of go back and enable a lot of logs using GPOs, working with our IT, and actually doing a lot of the work ourselves, because the challenge is resources. There is so much work to do and not enough staff. I did see a lot of the web console features coming up. I think those are dead on, exactly what's needed. A lot of them had to do with better case management and more sorting, going through your alarms, and drilling down in different ways. I think that is really important. In terms of improvements, I would probably look for more things to go into the web console that are currently on the fat client. I think that is the trend. I think that is what LogRhythm is doing. I find myself going back and forth between the web console and the client console, and I probably spend more time in the thick client, and it'd be nice to just be in one. LogRhythm is really on track and they're doing a lot of things very well. In some other areas, particularly with the UI, how things are done administration-wise, and a little bit on LogRhythm University, some improvements are needed. There are some challenges with registering for classes and taking them. I was not completely satisfied. I wasn't really sure what classes to take.
I did not feel like I had the direction initially to understand how to deploy LogRhythm. When you get LogRhythm out-of-the-box, there are so many knobs to turn and so many things to configure and set up, that it's almost impossible to do it on your own, as an enterprise senior engineer. I have a lot of experience with a lot of advanced tools and I find LogRhythm very challenging. I do not think we really could have gotten where we are without Optiv coming out for a week and spending time setting up the appliance and optimizing it the way it should be. There are some improvements that could be made to make it easier to use.
Find out what your peers are saying about LogRhythm, Splunk, IBM and others in Security Information and Event Management (SIEM). Updated: September 2019.
Kevin Merolla
Security Manager at a manufacturing company with 1,001-5,000 employees
It honestly comes back to me for log sources. The time to get support to onboard a log source runs about 18 months, and that's just too long. Like I said, I'm a lone wolf running the system. I don't have a lot of free time to write regex and build out my own policies, and I tend to write bad ones that are very inefficient. It is tough when I get a critical source, or when a part of the business went out and just bought something, never consulted IT, and now we have to audit it and it doesn't support LogRhythm, or it doesn't even have a function that gets us the logs. We have a cloud solution where we can't even get the logs out of it. It's crazy bad. But when we do get those logs in, it would be really helpful if we could get a supported log source policy from LogRhythm in a shorter amount of time.
Jeremy Alder
Security Lead at a financial services firm with 201-500 employees
I think condensing and consolidating what a user accesses over and over again, and just having CloudAI understand that that's all the user's, and you can consider it as one thing rather than multiple things, and alarming on it, and alerting me on it, having me have a mini heart attack every time it tells me that this user is authenticating from a new place.
Joe Benjamin
SIEM Architect at Marsh & McLennan Companies, Inc.
My biggest complaint is documentation. Everyone tells me, "We have documentation on the Community site." I have searched for different types of documentation on numerous occasions, and it might be there, but it's not easily findable. We're running an HA situation and we wanted to do an upgrade. There was "Oh, and do this," in the documentation. It didn't give you an order, step one, step two. It was just, "You've got to do this and this and this." We decided to do it as they wrote it and it totally messed us up. We had to then reinstall. It just was a mess. Also, I can't really talk about features I would like until I have a stable environment. Once I have that, there are things that we would like. For example, we're doing a lot of things in-house. We're doing auto-acceptance; LogRhythm doesn't do it quickly enough. We develop something because LogRhythm is taking a long time in developing things, and then we want to present it to LogRhythm and say, "What do you think?" We don't even mind if they steal it and use it. But at the same time, we're getting a response of, "No, you're probably not doing it right. You're probably missing stuff." We're still going to do it. My biggest issue - I know that they say they're doing it - is that the API-building is extremely important. They keep saying it's coming, it's coming. It's not coming fast enough. I don't care if they need to double their team size to get it out there quicker, the world is already in the cloud and we can't monitor it. That's a big problem for us. My boss keeps coming to me about it. That's an issue. Finally, writing parsers is much easier - and I can tell you a few things about it - in Security Analytics. I would love LogRhythm to get something similar to that, instead of having to write out regex. That's very old-school.
Jim Mohr
Principal Security Analyst at a healthcare company with 501-1,000 employees
There are two improvements we'd like to see. I mentioned these last year and they haven't implemented them yet. The first one is service protection. I have Windows administrators who will remove the agent when they think that that is what's fouling up their upgrade or their install or their reconfiguration, etc. The first thing they do is to turn off the antivirus, turn down the firewall, and take off anything else. They don't realize that the LogRhythm agent is just sitting there monitoring. Most antivirus products have application protection features built-in where, if I'm an admin on a box, I can't uninstall antivirus. I need to have the antivirus admin password to do that. Why does the LogRhythm agent not have that built-in so that I don't have well-intended admins removing things or shutting off agents? I don't like that. The second one is, you can imagine my logging levels vary. We do about 750 million a day and some days we do 715 million. Some days we do 820 million or 1.2 billion. But there's no way to drill in and find out: "Where did I get 400,000 extra logs today? What was going on in my environment that I was able to absorb that peak?" I have no way to identify it without running reports, which will produce a long-running PDF that I have to somehow compare to another long-running PDF. I have to analyze it and say, "Well, last month, the Exchange entity was only averaging this many logs. Now it jumped up this much. It could have been that." But then, if I find something that spiked, I still have to make sure nothing else bottomed out, because there might be a 600,000 log delta if something else wasn't producing as many logs as it normally does. I would like to see profiling, behavior awareness around systems, like they've been gunned to do around users with UEBA.
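The per-source log-volume profiling that this review and the earlier healthcare analyst's review both ask for (which server "kicked out 80 million logs yesterday", and whether a spike in one source was masked by another source bottoming out) can be sketched in a few dozen lines. The block below is an added example written for this page; it is not LogRhythm's own tooling and the daily counts per log source are constructed sample data. It builds each source's baseline from its own prior days, flags sources whose current count is more than `z_threshold` standard deviations from that baseline, and decomposes the day-over-day change in total volume into per-source increases and decreases so that offsetting movements are visible rather than hidden inside one total.

```python
from statistics import mean, pstdev

# Constructed sample data (not real figures): daily log counts, in millions,
# per log source over eight days. Day 8 is the one we want to explain.
DAILY_COUNTS = {
    "exchange":  [120, 118, 125, 121, 119, 123, 122, 180],  # spikes on day 8
    "firewall":  [300, 305, 298, 310, 302, 299, 304, 301],  # steady
    "dc01":      [200, 198, 205, 202, 199, 201, 203, 150],  # drops on day 8
    "web-proxy": [130, 129, 131, 128, 132, 130, 129, 131],  # steady
}


def source_baseline(history):
    """Mean and population standard deviation of one source's prior days."""
    return mean(history), pstdev(history)


def profile_day(counts, day_index, z_threshold=3.0, min_history=5):
    """Compare every source's count on day_index against its own history.

    Returns per-source z-scores, the sources that breach the threshold, and
    the day-over-day delta split into increases and decreases so that a
    spike offset by a drop elsewhere still shows up.
    """
    per_source = {}
    increases, decreases = {}, {}
    total_delta = 0
    for src, series in counts.items():
        history = series[:day_index]
        today = series[day_index]
        if len(history) < min_history:
            continue  # not enough history to call anything abnormal
        mu, sigma = source_baseline(history)
        # A perfectly flat history has sigma == 0; treat that as "no deviation"
        # rather than dividing by zero.
        z = 0.0 if sigma == 0 else (today - mu) / sigma
        delta = today - series[day_index - 1]
        total_delta += delta
        if delta > 0:
            increases[src] = delta
        elif delta < 0:
            decreases[src] = delta
        per_source[src] = {
            "today": today,
            "baseline": round(mu, 1),
            "z": round(z, 2),
            "delta": delta,
        }
    flagged = sorted(s for s, r in per_source.items() if abs(r["z"]) >= z_threshold)
    return {
        "sources": per_source,
        "flagged": flagged,
        "total_delta": total_delta,
        "increases": increases,
        "decreases": decreases,
    }


if __name__ == "__main__":
    report = profile_day(DAILY_COUNTS, day_index=7)
    print(f"total change vs. previous day: {report['total_delta']:+d}M logs")
    print("sources outside baseline:", report["flagged"])
    for src, r in report["sources"].items():
        print(f"  {src:10s} today={r['today']:>4} baseline={r['baseline']:>6} "
              f"z={r['z']:>7} delta={r['delta']:+d}")
    print("increases:", report["increases"])
    print("decreases:", report["decreases"])
```

On the constructed data the total moves only +4M between day 7 and day 8, which a daily-total chart would never surface, while the per-source view flags both the Exchange spike (+58M) and the domain controller drop (-53M) that cancel each other out. A z-score against a short, hand-built history is a deliberately simple baseline; for production use the history window and threshold need tuning per source, and weekday/weekend seasonality would need its own handling.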
Avraham Sonenthal
Senior Network Engineer at a government with 5,001-10,000 employees
The biggest complaint I have is about their support. There is no free instructional advice available on their website. An example is with their field names inside log messages, where they have one named "Common event". That is something that LogRhythm has created, and you can't figure out what it means unless you pay a large sum of money for training. Compare this to Splunk, where I can go to their website and download twenty articles on field names right now. There is no documentation that we can afford to buy for this product, so we just have to wing it. Their product has issues when it comes to hard drive management. Again, their support is not one hundred percent. We are using their hardware, and one time the product just spontaneously stopped collecting logs for about a month and nobody knew it. We called them, and it took a week or two of troubleshooting before they found the issue. To make it worse, the issue was not a misconfiguration. Rather, it was related to how they were storing temporary logs on the hard drive. The drive was shutting down and the logs were not being accepted. It took them weeks to figure this out and it shouldn't have happened in the first place, which suggests a bad design. It is a product that is very hard to use. You have to set a wide variety of parameters before you can even start to search. The highly structured nature of it does provide some guidance, but with a lack of documentation for things like field names, I don't know what I'm looking for. We don't get much use out of this product because people around here consider it to be unreliable, and it's hard to do searches. The main reason for it being here is that there are audit requirements for collecting logs and maintaining them. We have been able to solve problems with it, but searching is kind of clunky.
Jack Callaghan
Senior Security Analyst at a financial services firm with 501-1,000 employees
I really can't think of a particular one; I've been very satisfied with what's happening. I know they're going to get another spike in customer base; hopefully they'll have the ability to ramp up people in support along with the customer ramp-up. That's a hard game to play. I've been part of a number of beta tests, so when CloudAI came out - which is phenomenal: the ability for something to give you information. In a SIEM environment, you're often gathering data, writing rules to monitor the data, so you can see what you think you should see. But they're doing inference engine work, where they're looking at what a threat implies, and then presenting it to you. In our field, false positives versus true positives are a big deal, but they've kind of taken it a step forward. I've come to call it - they may offer me information that I look at, that I didn't know about but I should know about - it's not a false positive because it didn't show a threat. It's a true insight because it showed me something that I wouldn't ever infer myself. So features like that, the work that they're doing moving forward in that space, especially with machine learning. The sky's the limit in that; I'm looking forward to them doing it.
Aaron Mueller
Security Analyst at Xanterra
Global management for registry integrity monitoring. Right now you have to apply what they call RIM policies, Registry Integrity Monitoring policies, one agent at a time. If you have thousands of endpoint agents, you have to touch each one of those one at a time. That is a pain in the rear, so I would really like to see some type of group or global management for RIM policies, like they have already for FIM, the File Integrity Monitoring. You can grab hundreds of agents at one time and apply them across the board. I don't know why you can't do that with the registry piece.
Kevin Merolla
Security Manager at a manufacturing company with 1,001-5,000 employees
My biggest challenge always comes back to log sources. We are a manufacturing company, so we have a lot of old stuff, and it has been a challenge to get some of our old stuff to light up within LogRhythm in a way that makes sense. I have probably submitted half a dozen log parser requests, and I keep finding more stuff that we need to keep an eye on that doesn't have a definition in LogRhythm. I keep pressing through, and I know they are working hard on it, but that is our biggest challenge.
Administrator Executive at an individual & family service with 10,001+ employees
The biggest thing is when you are looking at the client console: a lot of the data, the reports that you can generate, then you are given just a pie chart, a list of data, or both. I would really love to be able to take some of that and not have to export it to a CSV file, so I can pull it into Excel to turn it into some other kind of graph. I know some of that's being handed off to the web console, but that would be the one thing that would be really helpful. It is a little hard to get integrated. The one thing that would help me the most, because I am sort of isolated from things, and the guides that LogRhythm puts out are really good. However, a lot of times, it is, "Do this, do this, and this works because of this, this works because you do this." I would love to see something where they show or explain why doing something would break something or wouldn't work for you. That is the one thing, because I have done some things, like created a GLPR, just done them a couple of times, and I had two that work really well, and one that seems like it should be perfect, it is just a simple exclusion, but it does not work at all.
Information Security Officer at an insurance company with 201-500 employees
The biggest thing that we need - in one of the presentations today here at the LogRhythm User conference they were talking about it - is automating your SOC and trying to get your systems to do as much as they can do without human intervention. Which is great. I provided feedback afterwards to say, "We need to be able to ingest all data. And we need to be able to parse all data." What that means is, my Checkpoints that I have today, which is my unified threat management system, I'm only able to ingest firewall logs and events from the blade. I own all the other blades from Checkpoint: IPS, Threat Emulation, threat detection, Data Loss Prevention. All of those blades have data that I need to be able to feed down into LogRhythm. From there, we also need to be able to truly parse the data. I've had to have a couple of custom collectors built specifically for SQL Server-type events, for database analysis, to ensure that the data that's being brought in, the events, are parsed so we can be actionable on that.
David Kehoe
Information Security Analyst at a pharma/biotech company with 51-200 employees
I have over 3,300 log sources. The support for log sources is pretty good, unless you want to go to the cloud, where I've had some rough spots with that. I had a hard time integrating with Office 365 because my antivirus wasn't supported. I had to get some custom parsers in order to get that integrated. I would say that better API support for cloud log sources would be a definite improvement. Ease of setup would be a major improvement because it took over a week to get it all up and running, and that didn't even count tweaking it and getting it all set up for my environment. There's some room for growth there.
Eric Knopp
Data Sec Program Manager at an insurance company
I'm not really sure I can pinpoint any particular area that I see LogRhythm needing improvement in. I think they probably need to, because a lot of companies are having this cloud-first strategy, where anything that's new has to go into the cloud for some reason. So I think with CloudAI coming out, that's really good. But maybe having more of LogRhythm in the cloud. Educating people about how we get LogRhythm more into the cloud. Part of the care and feeding of LogRhythm is staying on top of what's coming out in LogRhythm. I know that their community site has been improved and that they're wanting people to be more involved with the community. But I think making people aware of parts of LogRhythm that are new is very important.
David Schell
IT Security Analyst
The biggest one in my mind that I want to implement is some of the AD controls. Reacting to a threat where an account password needs to be changed, or an account should be disabled, to react to that threat. Moving first into a phase where an analyst is gonna see that, review that action, and then, once we get comfortable, make that an automated action. The two big areas for improvement are TTL. Making sure that the data that we're collecting is available for a longer amount of time. So I know with some of the new releases coming in LogRhythm, that's gonna be improved, which I'm really excited about. The other one is kind of getting back to the fundamentals of why LogRhythm was chosen as a solution: being able to take your machine data, understand it, index it, classify it, and give you that visibility. I'd like to see them focus on that, because there are so many different security tools being spun up these days that being able to keep up with that, and having more partnerships with security vendors to make sure that when security tools have new releases in their environment, they're able to keep up with those logging changes.
Senior Network Systems Engineer at a non-profit
I can't think of any features they should add because we haven't used everything they've already released. They have Office 365 logs integration. They've got this new phishing engine that we haven't used. They've got dashboards we haven't used, so we're basically right at the very bottom; we need to start building with what they're already doing. In terms of improvement, their community boards, where to go find things, as a customer. As they're growing and they're moving stuff around, it would be nice if we knew exactly where to find what. They're constantly reinventing how they do things and where they put stuff; that's the one challenge I've run into. I've always found the answer when I got to the right person: "Yeah. That's over here now," but I know other customers have shared that same issue.
Steve Bonek
Information Security Manager at a healthcare company with 1,001-5,000 employees
I would say the thing that I'd like to see LogRhythm do a better job of is staying ahead of the curve as it relates to things like cloud. It seems like, from that standpoint, maybe the cloud stuff was a little bit of an afterthought, or wasn't done as people started to move to cloud quicker. It's one of those things where we kind of are doing it now, but it seems like some of the cloud connections are still kind of being created as we go. So I think that's one area I think they could improve in.
Tommy Scott
Operations Team Lead at Mary Kay Inc
There is, of course, always, improved automation. Because, as we are continually needing more and more people from an analyst perspective, the more we can automate, the fewer people we need. If we can automate some of the lower-level things, that can allow our SOC to be trained on the higher-level, more technical things that really give the true value. I don't want my analyst to be stuck underneath sending emails, and "alert fatigue" is the buzzword. But, on top of that, there has been a market that has grown from SIEM for security orchestration, where it's another tool you have to bolt on top of SIEM to make SIEM as effective as it should be from day one. I was in a session earlier today here at the LogRhythm User conference where they're mentioning that in the web UI, through the case management, they're actually getting an incident playbook that you can utilize. That's a big step that I'm intrigued by. Hopefully it goes the way that it's planned, because that is one that saves me from having to go out and purchase a separate security orchestration tool, which is just another screen I need to look at. That feature is one that I'm very excited about, and hopefully it follows the roadmap according to what LogRhythm is projecting. That's definitely a feature that I and my managers have identified as a need. I was excited to hear about that at this conference. That's probably the only feature request that would be of drastic improvement to our SOC.
Marc White
Chief Security Officer at Optomany
In terms of the product, what really needs to improve are the metrics that you can get from it. We're all about mean time to detection, mean time to response, pulling those metrics out so I can put them into my KPI packs to present to the board. Everyone in a CISO role is having the same challenge. We've got multiple spreadsheets. Being able to leverage the SIEM to give us the information would be invaluable. The other area is Office 365. We're cloud-first as far as our enterprise goes, and what we lack at the moment is being able to pull that information into the SIEM. I understand that that's coming, so we're looking forward to that.
Jason Gagnon
Senior Cyber Security Engineer at an individual & family service with 10,001+ employees
They're addressing a lot of the things that I've thought of over the past four years, in the various releases they're coming out with. A lot of times they'll say something is coming out in a certain release, and then we get to that release and they say, "No, we're pushing it back to a coming release." More engineering thought should go into when they are going to release something. Often, we'll give feedback to our management saying, "Hey, it's going to come out in this release." That release comes out and it's not there, and we have to go back to management and say, "Hey, they're not going to do it right now." Then management gets frustrated because they don't understand the intricacies of what goes into different components and into different releases.
Dan Ney
Sec And Risk Lead at Baker Tilly Virchow Krause, LLP
Probably the biggest improvement - and I've talked to several of the management here at the LogRhythm User conference on it - is their thin piece, which is their file integrity monitor, that we use on some of our security servers. The data sets are extremely large; tons of files are being modified, deleted, created. That product could use some more enhancing. We've been working with them to enhance that product for future releases. It's been a good experience. Any issues that we've had, they've actually fixed the majority of the issues that we had with the initial product, by even giving us customized installation packages to adapt to our environment.
James Whistler
Security Administrator at a non-profit with 501-1,000 employees
For me it would be the efficiency in signing up and standing up systems, as well as being a little bit cleaner on case management. That can be a little bit complicated to go through and actually be able to analyze it and compile the information that I have. At least that's what I've found so far. Those would be the two biggest things.
Punit Patel
Senior SIEM Engineer at a financial services firm with 501-1,000 employees
I think where I see room for improvement for LogRhythm is probably granularization of log source types. So, if that were to happen, I think it'd be a lot better for the product. So, we are in the current five-year security maturity program.
Senior Architect at an energy/utilities company with 201-500 employees
We still have a lot of noise, so this is a problem. We are having a hard time visually sifting through it. We need help dialing it in. We don't have the in-house expertise. Do we hire someone just for this purpose and have them sit there all day, every day doing that? It is almost at that point. We are looking at Optiv as a solution right now. It is so robust. There are so many moving pieces that you can't dabble in them. This is the problem that we are struggling with. You have to have somebody who works with it, and that is their job. Maybe a bigger company could have a whole team which could do this, but we don't have the capability right now. I would like to see the client and the web client merged, so all the administrative functions are in the same web interface. It is just clunky right now. If you leave it running, it slows down your machine. However, we are still on version 7.3.
Information Security Analyst at a non-profit with 1,001-5,000 employees
For me, room for improvement is the upgrade process. Whenever we have to do an upgrade to the next version, we're a little nervous and apprehensive about that.
Systems Architect at a university with 10,001+ employees
I would like to see more focus on it being a data lake. We have around 100 terabytes of data stored in LogRhythm, machine data, sensor data. That all could be used for operations tasks as well. It would really be awful to have to stand up another Splunk instance at 100 terabytes alongside of it. Also, seeing more analytics features, and more flexibility around that, and their schema. Bringing it out completely horizontally scalable, and also continued focus on supporting lots of different vendors, for a lot of data sources.
David Butterell
Threat And Awareness Manager at a tech services company with 1,001-5,000 employees
There are enough features that we are not using, and not to their fullest extent, at the moment.
Security Admin with 1,001-5,000 employees
Definitely expansion on log parsing. There are some obscure log sources that we don't currently have parsers for. We needed a new solution when the licensing expired on our previous solution. The hardware was end of life, as well as it wasn't scaling very well. It didn't provide a lot of the features that we needed.
Security Analyst at a financial services firm
If they continue to do innovation, and listen to their customers, then they'll move forward, and I think that will be the best thing for all parties involved.
Seth Shestack
Deputy CISO at Temple University
The biggest thing that I think needs improvement is reporting in the Web Console. Most of our reporting is done in the thick client console. The only people that have access to that, really, are the people that work for me, the administrators of the system. So the end-users, the people whose logs we consume, we give them views to their logs, but they aren't able to run reports. By moving reporting to the Web Console, that would enable all of the regular, non-administrative users to run reports as well.
Wadson Fleurigene
Information Security Engineer at Seminole Tribe of Florida
We would like to see more things out of the console into the web UI. I guess this is what they are doing in 7.4. View full review »
Shane Addison
Information Security Officer at First Mid-Illinois Bank And Trust
It's not necessarily bad against LogRhythm, but I think an area that always can be improved is the parsing rules. The more information that we can get out of the logs, as far as specific metadata in the logs, whether it's an IP address, or something like that. Sometimes, LogRhythm will parse the rule but perhaps it won't get every little detail out of the rule. Any advancement in those, could be very helpful to be able to correlate those logs against other items. Especially for items that are a little less - "mainstream" may not be the right word - that are not necessarily a top-tier vendor. Perhaps, instead of Cisco, it's a different firewall vendor. Those sorts of things, that sometimes we run into an issue where the log parsing is suboptimal. It could be a little bit better, could be some improvements there. View full review »
Alex Wood
Systems CSO at a manufacturing company with 1,001-5,000 employees
Hearing the roadmap items, it's pretty good. I especially like the fact that the playbook is coming with the ability to integrate the smart responses into the playbooks. That way, we can not only have the playbooks, take those steps, but start to automate those steps as well. I think that is really powerful. We played around with the CloudAI portion during the beta. We're not currently using it. But I think more in that area is going to be really important, where we can look at machine-based patterns, as opposed to just, "I saw two of these and three of these things, so set an alarm." I'm really excited about that. View full review »
Doug Dayley
IT Infrastructure Manager at Jeunesse Global
Better knowledge transfer during implementation. We definitely thought it was complex when we initially set it up, but that is usually just a single pain problem. It could definitely be more straightforward. View full review »
Seth Shestack
Deputy CISO at Temple University
The biggest thing I want is, right now you have thick console and the web console. Most of the reporting has to be done in the thick console. I'd love more reporting in the web console. A lot of our users don't have access to the thick console, only administrators do, so a lot of users can't run their own reports. View full review »
Senior IT Security Analyst at a financial services firm
One of the features that we'd definitely like to see is the user inference, entity inference, where one entity would have a unique ID and then with that unique identity you could pull out the information or log associated with that. It helps a lot in the investigation, because currently what happens when we get an alert from LogRhythm it's just the tip of the iceberg. Then we need to do a lot of investigation. But having this entity inference kind of tool would help us. We could tie all the logs with that unique entity, and we would be able to collect the information. I think it would be really cool to have something like that. Also, with automation, like identifying new log sources in the environment, or automation of log sources that have not reported since last month or a week. You can put up some kind of alerting system there so you can retire or look into it. View full review »
Anthony Workman
Enterprise Information Technology Security Engineer at a government with 1,001-5,000 employees
My big thing is the ease of use. I don't like to go to two different systems. The fat client that you have to install to configure it, then the web console which is just for reporting and analysis. These features need to collapse, and it needs to be in a single solution. Going through the web solution in the future is the way to do it, because right now, it is a bit cumbersome. If I remember correctly, there are some compatibility issues with different browsers. The user system works only on Chrome. In order to use something like this solution, we would have to have that extra browser. It would be nice if LogRhythm had full support compatibility across all browsers, regardless of what platform they're using and whether they are on desktop or mobile devices. View full review »
Security Architect at a leisure / travel company
Dashboards, reports. Right now I know there's a big issue with reporting. It's challenging, at least for us, to do some of the reporting within the system itself. Hopefully that's something that gets improved. Also, when you're reaching out to any other solution out there, any third party, most of them have integrations with Splunk; that's something that is lacking on the LogRhythm side. They're lagging behind when it comes to integration with main platforms. So hopefully, with the help of the entire community, we can build something a little bit more flexible when it comes to integrations. View full review »
Manager Security Operations Center at a leisure / travel company
I think a must-have feature would be better reporting. Today, as you can imagine, the organization would like to see what is happening in our environment, and the reporting feature within LogRhythm, I would say, is very limited. The reports do not provide information such as, who are your top ten end users generating the most activity within the environment, or appliances, per se, so that's very limited. View full review »
Rob Haller
Security Engineer at US Acute Care Solutions
I would like to see APIs well-documented and public facing, so we can get to them all. View full review »
Kurt Schroeder
Senior Security Engineer at a manufacturing company with 5,001-10,000 employees
I would like a fuller implementation of STIX/TAXII so I can pull in some of the government lists without having to go implement a whole new STIX/TAXII platform. I'd like to do user-based analytics, but that is a funding thing. View full review »
Senior IT Security Analyst at a retailer with 1,001-5,000 employees
What I would like to see is improvement on the analytics, especially on the cloud and intelligence workspace. View full review »
Robert Sweeney
Information Security Engineer at Lancaster General Health
I would like to be able to use the Web Console, but because of our volume I can't. Also, it needs to stay healthy. A lot of the problems seem to pop up out of nowhere, and a lot of them seem to be somewhat debilitating. We were fine for a long time, and then eventually one day our processing just dropped. I ended up talking to support for something like a month, and eventually I got to someone who said, "You should check the BIOS settings on your data processors and your indexers." Turned out there was some read-head caching setting that wasn't enabled by Dell. We were fine for over a year, and then all of a sudden, problems. It's a great tool, just random dragons seem to cause problems. View full review »
Manager Of Cyber Security at a healthcare company
What still needs improvement is automation. The SmartResponse obviously does not use open APIs at the moment, so we're having a lot of problems connecting it with things like Palo Alto Traps and some other systems, things like Cisco. I know that it's on the roadmap, but at the moment that is where the weakness lies. For myself, I would like a HIPAA configuration out of the box where I can switch on various HIPAA rules. Obviously, HIPAA has 18 very exact identifiers and I'd like those to be already in the box ready to be switched on. View full review »
Daniel Galvin
Principal Security Specialist at University Of Massachusetts
From what I saw yesterday here at the conference, they seem to be right on track with making the Web Console much easier, case management much easier. When you're searching on something, you see something that you think may be a threat, you have to keep threat-hunting, deep diving, and from what I saw yesterday, it looks like it's going to get a lot easier and more helpful. View full review »
Technical Architect at a financial services firm with 10,001+ employees
I would like to see case management become more independent from LogRhythm itself. Right now, it is very oriented to LogRhythm based events, but not manual events, such as user reported things and incidents where we might have large volumes of data that we have to store as part of the case. It works real well as a workflow device, but not real well for overall case management for an organization. View full review »
Jorge Trujillo
Information Security Engineer at a financial services firm with 501-1,000 employees
I think the dashboard could definitely have more features. I've seen some of their roadmaps that they're going towards. I really like it. One of the features that I actually put in a request for was, they have the ability to build this great case and have it all ready. But you can't export it; right now on my specific 7.2 product, you can't export it from there. So, I can't have a nice PDF to give to a CEO, or give to legal, or wherever it needs to go to further their investigation. That's definitely a product that they're actually going to come out with really soon. View full review »
IT Analyst at an energy/utilities company with 501-1,000 employees
Logging improvements. I think that the template to reporting is just difficult, it's hard to go back. You can't modify the templates. So more customization. That would be key. We could also use more information on how to integrate with specific vendors. Threat intelligence is a big thing. LogRhythm actually has a pretty good threat intelligence deal, but we happen to use a vendor that is not built-in. It'd be great if LogRhythm could expand more on the user forum on how to integrate more with the more non-mainstream vendors. View full review »
Technical Systems Analyst
I'm really excited about the CloudAI stuff. One thing I've asked, and I don't know if it's in the works or not, is for a better way to test our AI rules, to make sure they're working correctly, instead of having to manually go in to each one and doing an invalid login to see if the rule fires. Some better way to test all those rules that we have turned on and enabled would help. View full review »
Briane Harris
SOC Analyst at a financial services firm with 1,001-5,000 employees
One thing we have mentioned to them before is that we'd like to be able to do searches, or drill-downs, directly from an alarm. When you click it and the Inspector tab slides out, that might be a good place to be able to click the host to search for the last 24 hours. I know the search is right there but it would be even nicer to just click that and then have an option to search something there. View full review »
IT Security Architect at a construction company with 10,001+ employees
Their current roadmap is what I want to see implemented. I want to be able to upgrade to 7.4 and have the playbooks implemented as fast as possible. View full review »
Mike Natale
Information Security Analyst at Endicott College
I would like it to do a lot of the automation (which I still need to learn more about), because I am essentially a one man shop doing all the jobs. I'd like for it to be able to do more for me, so I can focus my attention on my other job responsibilities, because there are a lot of them. View full review »
Chris Goff
Senior Security Engineer at a healthcare company with 10,001+ employees
Maybe it's just my lack of understanding of it, but I would like to see the web UI expanded further. I would also like to see - and there might be some documentation around it - building your own smart response plug-ins. I think those would be pretty nice. View full review »
Security Operations Center Manager at a financial services firm with 1,001-5,000 employees
The reporting could be improved. There are other security technologies outside of this SIEM that should be inside of this SIEM. I can see in their roadmap that they're trying to address a lot of these things, and have these technologies built into the solution, because there is no point in going to another vendor or opening up a second window to obtain the data that you need. View full review »
Security Engineer Analyst Admin at an aerospace/defense firm with 1,001-5,000 employees
My installation has some unique problems, apparently, because of our network architecture, and that's why we're looking at other solutions, and possibly a replacement. We're looking at user-based analysis. Granted, we haven't enabled the UEBA module, but we're forwarding all our proxy logs to LogRhythm and we have a really hard time pulling those proxy logs back out of LogRhythm. However, when we take LogRhythm and forward the same logs into somebody else's user-based analytics software, we get the majority of what we were missing. So we know the logs are making it to LogRhythm, but we still can't pull them out. If we've got all our proxy logs and I go out to Google or Facebook or the like, we should be able to go in and pull that information out ten minutes later, but it's a big challenge to do that. View full review »
Junior Information Security Analyst at a financial services firm with 51-200 employees
There is a Group-By field that they're breaking out, which stopped me from being able to have certain events. They're breaking it out in 7.3, so they've already got it. That was the one thing that bothered me, so I'm happy about that. View full review »
Security Administrator at a tech services company
Focus on open source log sources like Linux and Docker, and those kinds of things. More help and assistance with some of the open source products; everything seems to be focused on Windows versus giving some guidance and some documentation on how to use it. This seems to be lacking. It would be a huge help if there were some guidelines or some new technologies that were developed specifically for that. View full review »
SOC Manager at an energy/utilities company with 10,001+ employees
The Web Dashboard UI: Maybe it can improve more to indicate some of what Splunk is doing, because I also compare with other SIEM products. Maybe LogRhythm can have some sort of dashboard similar to what Splunk is giving to their customers. The product is good, but maybe they can further improve what they are doing in the roadmap, such as cloud AI and some of the web dashboard enhancements. View full review »
Eric Hart
Senior Security Engineer at a healthcare company with 1,001-5,000 employees
The largest room for improvement would be inside the web platform, being able to have a longer log live time. Currently, we manage about five days of live log data inside the web console. Ideally, that should be 30 days-plus. View full review »
Tom Bies
Security Advisor at a manufacturing company
The CloudAI obviously, that's going to be big for us. Hopefully that matures. I saw the problem statement video they did today at this conference, which is great. But I haven't seen anything tangible out of that yet, so looking forward to that. I wouldn't give them a 10 out of 10 because there is definitely some room for improvement as far as in the GUI. Some of the things don't make sense. I think they need to better understand how a SOC would use that platform. I don't think they understand that every morning we do a case review and we need a quick dashboard to go review open cases for our SOC. And that's not built into the dashboard, so we have to create that. There are some use cases that I think they should sit down a little bit more with the customer and understand how we use it. View full review »
Derek Perri
Senior Security Analyst at an energy/utilities company with 1,001-5,000 employees
I would like to see additional features around alarm management. We are producing alarms right now, and we are able to change statuses on them. But, I would like to see more details around having timers on those alarms. So, if I have a new alarm that has been sitting there for 15 minutes and no one has gotten to it, I would want some sort of alert to tell me that or a threshold I can set. View full review »
Cyber Security Engineer at a healthcare company with 1,001-5,000 employees
We were having some challenges initially, especially ingesting those standard log sources. We ran into issues where it was not parsing correctly. That wasn't our expectation, because we considered them standard log sources, but there was some issue with parsing our logs. As far as adding log sources, it is not as straightforward. At the same time, granting access we have noticed it's not using AD groups. It's more of the organizational unit in AD. It will definitely help if the parsing side would be much easier, meaning it would be better if we could easily make adjustments on the parser, both on standard and non-standard log sources. The way it works right now, it looks like we have to engage LogRhythm in order for us to make adjustments on the parser. View full review »
Brian Bolton
SYM Engineer Specialist at FIS
Easier creation of rules and parsing, and more user-friendly. A more user-friendly basis of using the tool to create rules and alarms to be able to report off of, and quickly stop any attacks and the like. Also, more in-depth training on how the security platform works with other pieces of software like Sequel, firewalls, or PowerShell. View full review »
Security Engineer at a financial services firm with 1,001-5,000 employees
I would like to see more widgets. I just love the widgets on the Web Console, I love to play with them, so more would be better. View full review »
William Spencer
Senior Manager IT Security at Virginia Premier Health
I work in a highly regulated industry. I know the product has compliance mechanisms, but being able to get more governance surrounding some of the compliance. Merging things that we have to be on top of would be helpful. View full review »
Senior Cyber Security Engineer at a healthcare company with 1,001-5,000 employees
It's hard to say what should be improved because we're still trying to get an understanding of what the tool does. I think in all the sessions we have at the LogRhythm User Conference, we'll find out more what the tool does. Then, from there, we'll probably decide if we really wish it would do this or that. View full review »
Manager Of Cyber Security at a healthcare company
* The greater AI
* API support
* Increased total cost of ownership (TCO): We have had to staff up our SOC. This has required analysts, which has required salary and staffing requirements.
In the next release, I would certainly like to see more HIPAA compliance. I would also like to see more integration with Palo Alto Networks, particularly their Traps, which is their endpoint solution. In addition, I'd like to see more automation coming in. Whilst they have SmartResponse, it does not yet configure with OpenAPI support. That is something that I feel they need to look at in their next edition. View full review »
IT Security Administrator at a financial services firm
I would definitely like to see more things in the Web Console, in terms of the ability to run reports and generate reports out of it, and schedule those. Instead of having to go to the FAT client, you would just do it out of the Web Console. Right now there are two brains, there are the Web Console and the FAT console so that hinders a little bit of flexibility or innovation that they can do. It is a tough spot to be in, but otherwise it is a pretty good product. View full review »
Timothy Sueck
Security Analyst at a financial services firm with 501-1,000 employees
I see room for improvement in the log ingestion. Customizing a log source is very technical, probably more technical than it has to be. View full review »
Senior Security Engineer at a marketing services firm with 1,001-5,000 employees
Functionality, ease of use. There are a few "gotchas" in the applications. One of the issues that we're having right now is on the AI Engine, when you do the drill-down. There are no events that are being populated for the drill-down. The recent upgrade and release fixed some of that. And some of the other parsing rules. Parsing isn't done correctly. View full review »
Director Of Infrastructure And Security
Just integration into our ticketing system; we're using ServiceNow. Just being able to integrate LogRhythm with that so we can track incidents. Continued support to help us understand the solution better. View full review »
Information Security Analyst at Aims Community College
There are a lot of pieces of it that are very complex and time consuming. If we can try somehow to just make it more simple, that would be better. I would like to see more pre-integrated SmartResponses. Right now, I'm on 7.1.10, so I'm not even to the current version. If there were more pre-integrated SmartResponses, that would be really cool. View full review »
Information Security Analyst 2 at a non-profit with 1,001-5,000 employees
It's pretty effective. In some cases we have run into some issues: The way that the rules work, and the alarms trigger. We get a good number of false positives. I wish that there were more instructional videos on how to do different things and more walk-throughs. Also, easier generation of AIE rules, or custom ones. View full review »
Vice President at a financial services firm with 201-500 employees
I would like to see more integration with more products that are out there within the same security field. There has to be some improvement with SecondLook Wizard. It's one of the functionalities on LogRhythm where you can restore inactive logs. For instance, it's a forensic analysis point of view if something happened around a year ago that you have to look into. I wish there was a smoother, more seamless feature. View full review »
Security Analyst at a tech services company
Adding more integration for security products would be an improvement. View full review »
Anthony Stein
Security Analyst 3 at a comms service provider with 1,001-5,000 employees
We run across the odd vendor which we are using that we think are large players in their environment, but there is not necessarily a native support for their log ingestion per se, where it requires customization in order to be able to parse and accept their logs. I would also like to see them expand on some of the ability to interact with other technologies in real time via the programming platforms. View full review »
Information Security Architect at a healthcare company with 1,001-5,000 employees
I'm sure there are always areas, in stability and scaling, that need improvement. I don't have anything right off that I can say I know needs improvement right at this point. View full review »
Manuel Ayala
EMS-SCADA Infrastructure Engineer at an energy/utilities company
* More seminars.
* Reporting: A reporting tool would be good for us, especially if we have better knowledge of them. View full review »
Sr. Systems Support Analyst at a manufacturing company with 10,001+ employees
CloudAI is amazing from what I've heard about it so far, and I'm looking forward to it. There is always room for improvement. Everybody continues to integrate. They've been a great company to work with so far. I'm one of those who is optimistic, there's always room for improvements. View full review »
Mark Baksh
IT Specialist at a healthcare company with 51-200 employees
I would like to see our vulnerabilities counter. We will be using Tenable to fill that void right now. View full review »
Jon Nicholson
Cyber Security Operations Manager at Old National Bancorp
What I'm looking for was actually in a session, here at the LogRhythm User conference, about the PIE phishing analytics. That was real interesting because right now we've got a guy that walks through that process attempting to see if the email came in, who got it, and whether or not it was exploited. That's all manual at this point. I think they're limited now with this to Office 365. We've got on-prem Exchange and it would be interesting to act like they're going to evolve that into that, to have that ability to look at that information a lot quicker. View full review »
Network Security at an energy/utilities company
In the canned reports, I would like to see, rather than a blank report come out, for it to say something like, "No logs found," or "No log sources available." I don’t like blank reports. View full review »
Network Security at an energy/utilities company
My main thing I'd like to see is, when you're using canned reports, that they're not blank. If there's no log source say, "No log source", or if it didn't find anything say, "It didn't find anything". I hate blank reports. View full review »
Senior Security Analyst at a consultancy with 1,001-5,000 employees
I would like to have threat indexing and a cloud version. View full review »
Senior IT Security Analyst at a retailer with 1,001-5,000 employees
More features that I would like to see more development in are the automation and the smart response. A lot of the attendees here at the LogRhythm User conference are working towards that, and most of us are not even developers. But we're trying to figure what are the skill sets and how do we make sure that LogRhythm gets more intuitive in automating and responding to alarms and notifications that we get. View full review »
Information Security Analyst at a legal firm
A cleaner interface. I keep getting confused and forgetting where everything is. A more intuitive interface would be helpful. It does seem to be good at gathering data. Like I said, it's hard for me to get that data. I would just like it to be more intuitive. When I go to look for stuff I frequently can't find it. Either it's not there or I just don't know the program. View full review »
Steven McDonald
Sec Eng at a financial services firm
One of the things I find that would be helpful is the GLPR information, to be able to understand what is actually being processed. I've got, say, 20 different rules, but I don't know which one is getting more of the data, which is getting none of the data, because there's not really a good interface for that. View full review »
Senior Network Engineer with 201-500 employees
* Move it to Linux. I would like to see it get off the SQL Server.
* I would like it to be containerized. View full review »
Mark Semkiw
Senior Network Engineer at a transportation company
Sometimes our rules don't fire correctly, events don't get created correctly, but that's mostly just because we have to write custom regex. Also, moving away from the fat console, more into the web console for log sources and tuning and things like that, would be helpful. At times it gets a little clunky, or resource-intensive, but it works. View full review »
Systems Administrator at a construction company
It seems with all of the advanced features that we haven't quite figured them out. It is very complex. More training maybe, in addition to the LogRhythm training on the community website, which is a lot. Better adoption starting out, so we are more comfortable when we start and when we go live. View full review »
Melissa Vidrine
IT Security Analyst at a financial services firm with 201-500 employees
I did hear about the new playbook edition coming up and I am excited about it. View full review »
Jeff Hawkins
Director Information Security at Vail Resorts
* Better correlation of all events: We seem to get a lot of misinterpreted data coming from multiple sources. It would be nice to have an easier way to interpret the data and correlate it.
* The challenge of maintaining it: Maintaining compatibility with all of our log sources is still a challenge for us. We have implemented it as a necessary feature, but we need to be able to mature that. View full review »
Timothy Sueck
Security Analyst at a financial services firm with 501-1,000 employees
Mostly they should just expand on the features that are already there. More pre-built parsers, more pre-built AI rules, more dashboard widgets that we can put to use. View full review »
Sr IT Security Engineer at an energy/utilities company with 1,001-5,000 employees
I would like to see support added for Exchange 2016, and Check Point OPSEC LEA. Adding the capability to identify and perform an auto import of new log sources (especially Windows-based systems), based on specified criteria, would be a useful feature. Enhancing the creation of report packages would also improve this solution. View full review »
Lindsay Mieth
CISO with 1-10 employees
More detail in the alerts given to avoid additional searches, as often the source or destination associated with the alert is not evidenced. View full review »
Find out what your peers are saying about LogRhythm, Splunk, IBM and others in Security Information and Event Management (SIEM). Updated: September 2019.