LogRhythm: A NextGen tool for NextGen analysts
November 25, 2019


Anonymous | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Overall Satisfaction with LogRhythm NextGen SIEM Platform

Our Security Team is using the LogRhythm NextGen SIEM Platform at the University of Colorado.
This is our default alarming system that parses logs from our firewall, Outlook, system logs, IDS logs, and some confidential cloud data logs and displays tickets.
LogRhythm NextGen SIEM Platform is right for our organization as it requires no knowledge of coding or programming. Therefore, non-technical users can also use this product to build rules and manage the servers.
The second benefit is the "drill down" feature that goes to the depth of the event, extracts information, and displays it in a very well-structured manner with easy-to-understand visualization. It is very easy to go through and detect the problem. It also has a robust search tool for parsing through a high volume of logs.

In a nutshell, our overall incident response went a lot better than what it used to be five years ago.
  • LogRhythm NextGen SIEM Platform has an alarm system that generates tickets based on the event and the way it has been configured in the LogRhythm console. Let's say we have a ticket for a malicious email attachment. The ticket will have some information like the source of the log, the source IP, destination IP, etc. It can be drilled down to obtain specific information like the recipient, source location, file attachment name, SHA hash of the file, source and destination port, time, MAC address of the machine that downloaded it, etc. This helps the analysts get to the root cause and take action easily without manually parsing the logs.
  • The second good thing about the LogRhythm NextGen SIEM Platform is that it is very easy to use with its well-structured interface. To use LogRhythm, a user barely requires any technical skills. A little overview of IP, CIDR, hash, etc. is enough to get your hands on it. It requires no programming or coding skills, as everything is GUI based. It also provides a beautiful visualization dashboard. There is another beautiful feature that it provides for the classification of events, known as cases. Multiple users working on the same platform can create cases and add events to them. They also help for future reference.
  • The third good feature is the search tool, which is very powerful. For example, sometimes it is hard to find the users who downloaded malware from the guest wireless of the institution and not the private network. The search tool helps us find the user by automatically correlating the MAC address from the current network logs and the previous logs, as the MAC address is the same. It is highly scalable for parsing a large number of logs from various sources.
  • I particularly think this is one of the best software available for log parsing in an organization where non-technical users are working on incident response. This tool has a good amount of flexibility. However, it can only be configured with the LogRhythm NextGen SIEM Platform Console.
  • In terms of usability, as already mentioned, it is a very easy tool to use, with a GUI based interface.
  • The LogRhythm NextGen SIEM Platform is good in terms of looks, but sometimes it is too sophisticated to do the simplest of tasks, for example, counting the number of occurrences of a particular IP address in the total logs for a specific day or month.
  • They can provide a simple syntax bar like Splunk, for technical users who feel a syntax-based query is more powerful than just GUI.
  • There can be a feature that can help you customize the amount of data to be displayed without "drill down." A lot of the time, it isn't worth waiting 10-15 seconds to find 5% extra required information that could be displayed easily before drilling down.
  • It doesn't have any online community or proper documentation that has user ratings on it. A lot of the time, their documentation doesn't help us.
  • One of the positive impacts that we experienced from LogRhythm NextGen SIEM Platform is the Dynamic Alarming System. It shows the recent tickets, and we know what exactly to prioritize at the start of the day.
  • The search tool also helped us trace back wireless users by log correlation that we had almost given up hope on.
  • A slightly negative impact worth mentioning is relying too much on it. We have been the victim of a false alarm and went in a completely wrong direction until we tallied it against the log source and found the problem. It is good, but we must cross-check against the log source to be sure.
The only reason we chose LogRhythm NextGen SIEM Platform is to allow Security Analysts who don't know much about programming and query languages, but have good intuition about cyber-security, to work on the dashboards. It is easy to get hands-on compared to Splunk, which has an initial learning curve before you are able to start harnessing its true power.

Also, the ticketing system is quite fancy and shows us the recent tickets that we need to jump on, which Splunk doesn't have.
The overall support for LogRhythm NextGen SIEM Platform is not that impressive. There are customer support officers to help when required. However, the biggest challenge is the non-availability of an open community. LogRhythm NextGen SIEM Platform is expensive and is not open. Those who do not have access to the software need to buy their documentation. That's why there isn't much help online. Skimming through the documentation doesn't always solve the necessary problem. The company themselves haven't put any useful docs online. This needs improvement.
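The MAC-address trace and the per-day IP count the reviewer describes, written out as an added example so the correlation logic is visible. This is not LogRhythm's code or the reviewer's; the log formats, field names, the hypothetical `guest-wlan` DHCP source, the RADIUS 802.1X log, the eight-hour lease window and all log lines are constructed for the example. The pivot goes IDS alert -> source IP -> MAC that held that IP on guest wireless at that moment (DHCP) -> usernames that previously authenticated with that MAC on the authenticated network. The sample data also shows why the IP alone is not enough: the same guest IP is re-leased to a different MAC later the same day.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample logs for this example (not real LogRhythm, IDS, DHCP or RADIUS output).
IDS_LOG = """\
2019-11-20T09:14:02 ids alert sig="malware download" src=10.50.1.23 dst=203.0.113.9 sha256=9f86d0
2019-11-20T09:20:11 ids alert sig="port scan" src=10.50.1.77 dst=10.10.0.5
2019-11-20T14:03:45 ids alert sig="malware download" src=10.50.1.23 dst=203.0.113.9 sha256=9f86d0
2019-11-22T10:41:09 ids alert sig="malware download" src=10.50.1.23 dst=203.0.113.9 sha256=9f86d0
"""

GUEST_DHCP_LOG = """\
2019-11-20T08:02:10 dhcpd DHCPACK on 10.50.1.23 to aa:bb:cc:dd:ee:01 via guest-wlan
2019-11-20T08:40:55 dhcpd DHCPACK on 10.50.1.77 to aa:bb:cc:dd:ee:02 via guest-wlan
2019-11-20T12:30:00 dhcpd DHCPACK on 10.50.1.23 to aa:bb:cc:dd:ee:03 via guest-wlan
"""

CORP_AUTH_LOG = """\
2019-11-18T07:55:12 radius 802.1X accept user=jdoe mac=aa:bb:cc:dd:ee:01 ssid=campus-secure
2019-11-19T08:01:47 radius 802.1X accept user=asmith mac=aa:bb:cc:dd:ee:02 ssid=campus-secure
2019-11-19T16:12:03 radius 802.1X accept user=jdoe mac=aa:bb:cc:dd:ee:01 ssid=campus-secure
"""

TS = r"(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)"
IDS_RE = re.compile(TS + r' ids alert sig="(?P<sig>[^"]+)" src=(?P<src>\S+)')
DHCP_RE = re.compile(TS + r" dhcpd DHCPACK on (?P<ip>\S+) to (?P<mac>\S+)")
AUTH_RE = re.compile(TS + r" radius 802\.1X accept user=(?P<user>\S+) mac=(?P<mac>\S+)")


def parse(text, regex):
    """Turn matching log lines into dicts with a datetime 'ts'; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = regex.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events


def lease_holder(dhcp_events, ip, at, lease=timedelta(hours=8)):
    """MAC that held `ip` at time `at`: the latest DHCPACK for that IP at or before `at`
    that is still inside the (assumed) lease window. None if no lease covers the moment."""
    candidates = [e for e in dhcp_events
                  if e["ip"] == ip and e["ts"] <= at and at - e["ts"] <= lease]
    if not candidates:
        return None
    return max(candidates, key=lambda e: e["ts"])["mac"]


def users_for_mac(auth_events, mac):
    """Usernames that authenticated with this MAC on the authenticated network, most recent first."""
    hits = sorted((e for e in auth_events if e["mac"] == mac), key=lambda e: e["ts"], reverse=True)
    users = []
    for e in hits:
        if e["user"] not in users:
            users.append(e["user"])
    return users


def trace_downloads(ids_log, dhcp_log, auth_log, signature="malware download"):
    """For each IDS hit of `signature`: src IP -> MAC on guest wireless -> prior corp users."""
    dhcp = parse(dhcp_log, DHCP_RE)
    auth = parse(auth_log, AUTH_RE)
    results = []
    for hit in parse(ids_log, IDS_RE):
        if hit["sig"] != signature:
            continue
        mac = lease_holder(dhcp, hit["src"], hit["ts"])
        results.append({
            "ts": hit["ts"].isoformat(),
            "src": hit["src"],
            "mac": mac,                                   # None means: no DHCP lease covers the time
            "users": users_for_mac(auth, mac) if mac else [],
        })
    return results


def ip_hits_per_day(ids_log, ip):
    """Count IDS events per calendar day for one source IP (the 'simple count' the review asks for)."""
    return Counter(e["ts"].date().isoformat() for e in parse(ids_log, IDS_RE) if e["src"] == ip)


if __name__ == "__main__":
    for r in trace_downloads(IDS_LOG, GUEST_DHCP_LOG, CORP_AUTH_LOG):
        print(r)
    print(ip_hits_per_day(IDS_LOG, "10.50.1.23"))
```

Of the three malware hits from 10.50.1.23, only the first resolves to a known user (the MAC later seen as jdoe); the second falls after the IP was re-leased to a MAC with no corporate history, and the third has no lease covering it at all. Those two empty results are the point of the reviewer's caveat: an alert that names only an IP has to be checked against the DHCP and authentication sources before anyone is blamed.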

Do you think LogRhythm NextGen SIEM Platform delivers good value for the price?

No

Are you happy with LogRhythm NextGen SIEM Platform's feature set?

Yes

Did LogRhythm NextGen SIEM Platform live up to sales and marketing promises?

I wasn't involved with the selection/purchase process

Did implementation of LogRhythm NextGen SIEM Platform go as expected?

I wasn't involved with the implementation phase

Would you buy LogRhythm NextGen SIEM Platform again?

Yes

Splunk Enterprise, Cisco IronPort Web Security Appliance, Cisco Firepower NGFW (formerly Sourcefire), Tenable.sc (formerly SecurityCenter), Palo Alto Panorama
I will say that the LogRhythm NextGen SIEM Platform is well suited for an organization that is not very big but has multiple log sources, or has a lot of non-technical employees who do not know how to code or write custom queries. Typically it is a good fit for universities and mid-range startups. It has an excellent interface and dashboard and is useful for managing roles, but it doesn't provide the level of customization that a technical person with knowledge of coding would probably prefer. Software like Splunk and Elasticsearch is much more flexible in terms of the granularity of the search.

LogRhythm NextGen SIEM Platform Feature Ratings

Centralized event and log data collection
9
Correlation
10
Event and log normalization/management
8
Deployment flexibility
8
Integration with Identity and Access Management Tools
8
Custom dashboards and workspaces
10