LogRhythm: A NextGen tool for NextGen analysts
November 25, 2019

Score 8 out of 10
Vetted Review
Verified User
Overall Satisfaction with LogRhythm NextGen SIEM Platform
Our Security Team is using LogRhythm NextGen SIEM Platform at the University of Colorado.
This is our default alarming system that parses logs from our firewall, Outlook, system logs, IDS logs, and some confidential cloud data logs, and displays tickets.
LogRhythm NextGen SIEM Platform is right for our organization as it requires no knowledge of coding or programming. Therefore, non-technical users can also use this product to build rules and manage the servers.
The second benefit is the "drill down" feature that goes to the depth of the event, extracts information, and displays it in a very well-structured manner with easy-to-understand visualization. It is very easy to go through and detect the problem. It also has a robust search tool for parsing through a high volume of logs.
In a nutshell, our overall incident response went a lot better than it was five years ago.
Pros
- LogRhythm NextGen SIEM Platform has an alarm system that generates tickets based on the event and the way it has been configured in the LogRhythm console. Let's say we have a ticket for a malicious email attachment. The ticket will contain some information like the source of the log, the source IP, destination IP, etc. It can be drilled down to obtain specific information like the recipient, source location, file attachment name, SHA hash of the file, source and destination port, time, MAC address of the machine that downloaded it, etc. This helps the analysts get to the root cause and take action easily without manually parsing the logs.
- The second good thing about the LogRhythm NextGen SIEM Platform is that it is very easy to use with its well-structured interface. To use LogRhythm, a user barely requires any technical skills. A little overview of IP, CIDR, hash, etc. is enough to get your hands on it. It requires no programming or coding skills, as everything is GUI based. It also provides a beautiful visualization dashboard. There is another beautiful feature that it provides for the classification of events, known as cases. Multiple users working on the same platform can create cases and add events to them. They also serve as a future reference.
- The third good feature is the search tool, which is very powerful. For example, sometimes it is hard to find the users who downloaded malware from the guest wireless of the institution and not the private network. The search tool helps us find the user by automatically correlating the MAC address from the current network logs and the previous logs, as the MAC address is the same. It is highly scalable for parsing a large number of logs from various sources.
- I particularly think this is one of the best pieces of software available for log parsing in an organization where non-technical users are working on incident response. This tool has a good amount of flexibility. However, it can only be configured with the LogRhythm NextGen SIEM Platform Console.
- In terms of usability, as already mentioned, it is a very easy tool to use, with a GUI based interface.
Cons
- The LogRhythm NextGen SIEM Platform is good in terms of looks, but sometimes it is too sophisticated to do the simplest of tasks, such as, for example, counting the number of occurrences of a particular IP address in the total logs for a specific day or month.
- They could provide a simple syntax bar like Splunk's, for technical users who feel a syntax-based query is more powerful than just the GUI.
- There could be a feature that helps you customize the amount of data to be displayed without "drill down." A lot of the time, it isn't worth waiting 10-15 seconds to find the 5% of extra required information that could easily be displayed before drilling down.
- It doesn't have any online community or proper documentation that has a user rating on it. A lot of the time, their documentation doesn't help us.
- One of the positive impacts that we experienced from LogRhythm NextGen SIEM Platform is the Dynamic Alarming System. It shows the recent tickets, and we know what exactly to prioritize at the start of the day.
- The search tool also helped us trace back wireless users by log correlation, which we had almost given up hope on.
- A slightly negative impact that could be mentioned is relying too much on it. We have been the victim of a false alarm and went in a completely wrong direction until we checked against the log source and found the problem. It is good, but we must cross-check against the log source to confirm.
The only reason we chose LogRhythm NextGen SIEM Platform is to allow Security Analysts who don't know much about programming and query languages, but have good intuition about cyber-security, to work on the dashboards. It is easy to get hands-on with compared to Splunk, which has an initial learning curve before you can start harnessing its true power.
Also, the ticketing system is quite fancy and somehow shows us the recent tickets that we need to jump on, which Splunk does not have.
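The two concrete tasks the review describes, tracing a guest-wireless malware download back to a named user by correlating the MAC address across current and earlier logs (Pros), and counting how often one IP address appears in a day's or month's logs (Cons), as an added worked example in Python. This is editorial code, not LogRhythm's search logic and not anything the reviewer posted; every log line, field name and layout below is constructed for the example, and the guest-network DHCP log, private-network 802.1X log and alert line are assumptions about what such sources typically carry.

```python
"""Added example: MAC-based correlation of a guest-wireless malware alert
back to a named user, plus a per-day / per-month hit count for one IP.

Every log line and field layout here is constructed for the example; none
of it is LogRhythm's format or data from the review.
"""
from collections import Counter
from datetime import datetime

# Constructed IDS/proxy alert: time, guest client IP, attachment, hash.
ALERTS = [
    "2019-11-20T10:15:02 alert src=10.50.7.23 file=invoice.doc sha256=ab12cd",
]

# Constructed guest-network DHCP log. 10.50.7.23 is leased to three
# different devices during the day, so the lease that was active at the
# alert time must be chosen, not merely any lease for that IP.
GUEST_DHCP = [
    "2019-11-20T08:00:10 DHCPACK ip=10.50.7.23 mac=aa:bb:cc:dd:ee:01",
    "2019-11-20T09:30:00 DHCPRELEASE ip=10.50.7.23 mac=aa:bb:cc:dd:ee:01",
    "2019-11-20T09:45:41 DHCPACK ip=10.50.7.23 mac=aa:bb:cc:dd:ee:02",
    "2019-11-20T11:02:00 DHCPACK ip=10.50.7.23 mac=aa:bb:cc:dd:ee:03",
]

# Constructed private-network 802.1X/RADIUS log: the same MACs seen earlier
# with campus usernames, which the guest network never records.
PRIVATE_AUTH = [
    "2019-11-18T13:12:05 auth user=jdoe mac=aa:bb:cc:dd:ee:02 result=accept",
    "2019-11-19T09:01:44 auth user=asmith mac=aa:bb:cc:dd:ee:01 result=accept",
    "2019-11-19T17:40:09 auth user=mallory mac=aa:bb:cc:dd:ee:02 result=reject",
]


def parse(line):
    """Split 'TIMESTAMP ACTION key=val ...' into (datetime, action, fields)."""
    parts = line.split(" ", 2)
    ts, action = parts[0], parts[1]
    rest = parts[2] if len(parts) > 2 else ""
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    return datetime.fromisoformat(ts), action, fields


def mac_for_ip(ip, at, dhcp_lines):
    """MAC that held `ip` at time `at` (datetime or ISO string), or None.

    Replays the lease log in time order and tracks the current holder; a
    DHCPRELEASE by the holder, or a DHCPACK to another MAC, ends the lease.
    """
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    holder = None
    for ts, action, f in sorted(map(parse, dhcp_lines), key=lambda r: r[0]):
        if ts > at:
            break
        if f.get("ip") != ip:
            continue
        if action == "DHCPACK":
            holder = f["mac"]
        elif action == "DHCPRELEASE" and f.get("mac") == holder:
            holder = None
    return holder


def user_for_mac(mac, auth_lines):
    """Username from the most recent *accepted* authentication of `mac`."""
    best = None
    for ts, _, f in map(parse, auth_lines):
        if f.get("mac") == mac and f.get("result") == "accept":
            if best is None or ts > best[0]:
                best = (ts, f["user"])
    return best[1] if best else None


def investigate(alert_line, dhcp_lines=GUEST_DHCP, auth_lines=PRIVATE_AUTH):
    """Enrich one alert: guest IP -> MAC at that time -> user on private net."""
    ts, _, f = parse(alert_line)
    mac = mac_for_ip(f["src"], ts, dhcp_lines)
    return {
        "time": ts.isoformat(),
        "ip": f["src"],
        "mac": mac,
        "user": user_for_mac(mac, auth_lines) if mac else None,
        "file": f.get("file"),
        "sha256": f.get("sha256"),
    }


def count_ip(ip, lines, by="day"):
    """Occurrences of `ip` in any field, bucketed per day or per month."""
    fmt = {"day": "%Y-%m-%d", "month": "%Y-%m"}[by]
    hits = Counter()
    for ts, _, f in map(parse, lines):
        if ip in f.values():
            hits[ts.strftime(fmt)] += 1
    return dict(hits)


if __name__ == "__main__":
    print(investigate(ALERTS[0]))
    print(count_ip("10.50.7.23", GUEST_DHCP + ALERTS, "day"))
```

The lease replay is the part that matters: on a busy guest network the same address is handed to several devices in one day, so picking any DHCP line for the IP, or the most recent one, pins the download on the wrong device. The enrichment also carries the raw alert fields (file name, hash) through unchanged rather than a summary, so the analyst can do the cross-check against the original log source that the review's false-alarm story calls for.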
Do you think LogRhythm NextGen SIEM Platform delivers good value for the price?
No
Are you happy with LogRhythm NextGen SIEM Platform's feature set?
Yes
Did LogRhythm NextGen SIEM Platform live up to sales and marketing promises?
I wasn't involved with the selection/purchase process
Did implementation of LogRhythm NextGen SIEM Platform go as expected?
I wasn't involved with the implementation phase
Would you buy LogRhythm NextGen SIEM Platform again?
Yes