We are an MSSP company with a SOC providing multiple security services, including forensics, pentesting, incident response, etc. Initially we were only a reseller and LogPoint integrator. The current SIEM we use for our SOC (LogRhythm) has many problems, is very expensive, and the technical support team is slow to answer, especially on log normalization. That is why we have started a migration to LogPoint instead of LogRhythm in the next month.
LogPoint is not identical to LogRhythm, but it has solid strengths, at least:
- license model
- technical support team (with possibility of support IP through VPN)
- log normalization creation for unknown logs is pretty fast
- no extra cost for high availability architectures
The only drawbacks for now are:
- Too simple an alert management interface. When there are 10 identical alerts, it is difficult to keep a global view of everything, and it is time-consuming to resolve all of them. LogPoint is clearly not usable as is for MSSPs or big customers; a SOAR solution should be used in addition.
- Clear interface, except sometimes where it is a little bit confusing
- Lack of self-monitoring: we cannot know from the web UI if an alert rule is consuming too much resources.
- Technical support team is fast and competent
- License management and cost
- Log parsing
- New logs can be provided to the support team for parser creation
- High Availability architecture does not cost more
- Alerts interface is too simple, hard to keep visibility if there are more than 10 alarms
- Web UI is clear but sometimes confusing
- LogPoint never warns about bad practices that could lead to performance issues
- Lack of self-monitoring to display which alert rule is consuming too much resources
LogPoint can be deployed easily in high availability to absorb a lot of logs per second. But LogPoint alone, without SOAR, is not well suited for MSSPs or big companies that could have a lot of alarm rules firing every day. There is no link between old and new alarms (for the same IOC, for example), and the interface is not clear enough to manage them all.
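The missing "link between old and new alarms for the same IOC" is the kind of grouping an MSSP usually bolts on with a SOAR or a small script in front of the SIEM. The example below is added here to illustrate that idea; it is not LogPoint, LogRhythm or SOAR vendor code. All alert fields, rule names, hostnames, the hash and the IP are constructed samples (the IP is from the documentation range 203.0.113.0/24), and the `ioc`, `rule`, `host` and `ts` field names are assumptions.

```python
"""Group repeated SIEM alerts into one case per IOC.

Added illustration, not LogPoint code: new alerts for an IOC that already
has an open case attach to that case instead of becoming yet another
identical alarm, so the analyst keeps a global view.
"""
import copy

# Constructed placeholder hash (not a real malware sample) and sample alerts.
HASH_IOC = "sha256:" + "ab" * 32

BATCH_1 = [
    # ten identical detections of the same hash across four workstations
    {"id": i, "rule": "Known malware hash observed", "ioc": HASH_IOC,
     "host": f"ws-0{(i % 4) + 1}", "ts": f"2024-01-01T08:{i:02d}:00"}
    for i in range(1, 11)
] + [
    {"id": 11, "rule": "Outbound to blocklisted IP", "ioc": "ip:203.0.113.45",
     "host": "srv-02", "ts": "2024-01-01T08:15:00"},
    {"id": 12, "rule": "DNS query to suspicious domain", "ioc": "domain:lookup.example.test",
     "host": "ws-07", "ts": "2024-01-01T08:20:00"},
]

# A later batch: the same hash shows up on a fifth host an hour later.
BATCH_2 = [
    {"id": 13, "rule": "Known malware hash observed", "ioc": HASH_IOC,
     "host": "ws-05", "ts": "2024-01-01T09:30:00"},
]


def group_by_ioc(alerts, open_cases=None):
    """Return a dict of cases keyed by IOC.

    `open_cases` is the result of a previous call; alerts whose IOC already
    has a case are appended to it (this is the old/new alarm link). The
    input cases are not mutated, so a caller can diff before and after.
    ISO-8601 timestamps sort correctly as plain strings.
    """
    cases = copy.deepcopy(open_cases) if open_cases else {}
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        case = cases.setdefault(alert["ioc"], {
            "ioc": alert["ioc"],
            "first_seen": alert["ts"],
            "last_seen": alert["ts"],
            "hosts": set(),
            "rules": set(),
            "alert_ids": [],
        })
        case["last_seen"] = max(case["last_seen"], alert["ts"])
        case["hosts"].add(alert["host"])
        case["rules"].add(alert["rule"])
        case["alert_ids"].append(alert["id"])
    return cases


def summarize(cases):
    """One line per case, busiest IOC first, for the analyst's overview."""
    rows = []
    for ioc, c in sorted(cases.items(), key=lambda kv: -len(kv[1]["alert_ids"])):
        rows.append(
            f"{ioc}: {len(c['alert_ids'])} alerts on {len(c['hosts'])} host(s), "
            f"{c['first_seen']} .. {c['last_seen']}, rules={sorted(c['rules'])}"
        )
    return rows


if __name__ == "__main__":
    first = group_by_ioc(BATCH_1)
    print("\n".join(summarize(first)))
    updated = group_by_ioc(BATCH_2, open_cases=first)
    print("--- after second batch ---")
    print("\n".join(summarize(updated)))
```

Twelve raw alarms collapse to three cases, and the later detection on ws-05 extends the existing hash case rather than opening a fourth one. A real deployment would key cases on normalized IOC values and close them after a quiet period, which the review's SOAR recommendation covers.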
Support team is very fast to answer and very kind.