
Overview
Logs for Security provides a unified security and compliance audit view of your AWS infrastructure and insight into threat activity across that environment. It leverages native AWS tools and telemetry to accelerate the work of development, operations, security, and reliability teams in maintaining security, monitoring the environment, and managing risk and attack surface.
Modern, ever-changing cloud environments need ongoing audits of configuration, vulnerabilities, versioning, activity, and other factors to ensure they are well maintained and not exposed by aging or drifting configuration, access rights, or software. Logs for Security gives teams rapid, ongoing security visibility into the diverse aspects of their environment and provides customizable alerting, evaluation, and remediation of issues.
Sumo Logic's rapid onboarding process makes setup easy, allowing AWS users to visualize and begin improving the security posture of their environments in minutes.
Sumo Logic's new AWS Built-In automation and integration is an AWS-certified deployment that reduces the time and effort needed to configure a multi-account environment, starting with AWS Control Tower and key cloud foundational services, to achieve a stronger security posture that drives efficiency and reduces risk in your business-critical applications.
The price below is for a two year subscription to ingest up to 5 GB per day. If you require more than 5 GB per day, please contact your AWS sales representative.
Highlights
- Unified security visibility and analytics across your entire AWS environment using native and 3rd-party data sources.
- Integrated threat intelligence that accelerates threat detection and reduces the time to detect and investigate.
- Global Intelligence Service that creates statistical baselines for Amazon GuardDuty and AWS CloudTrail to help accurately pinpoint investigations and resources
Pricing
| Dimension | Description | Cost / 24 months |
|---|---|---|
| 5 GB/day ingest | 5 GB/day ingest with 365 days retention | $13,350.00 |
Vendor refund policy
Please see seller website for refund details.
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Support
Vendor support
Start by visiting Sumo Logic Support at https://support.sumologic.com/support/s/ or email us directly at support@sumologic.com
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

Customer reviews
Smooth Cloud-Native Performance with Powerful Anomaly Detection
Clean dashboards have improved daily threat monitoring but cloud integrations still need work
What is our primary use case?
I use Sumo Logic Security.
What is most valuable?
The first thing that I like about Sumo Logic Security is the earlier UI and the latest one, which has a clean layout. Since I can track so many good things, the UI has improved from before when it was not as good. Compared to other tools, I prefer the UI much better as it categorizes data very well for me. If I were using other security tools or other SIEM tools, I would need to think a bit and find something, which would be hard and fast. However, I am so adapted to this tool, and the features that they have implemented, including filters and other things, are the best.
Since we are using Sumo Logic Security on the security part, we need to look through all the things and maintain them since there might be some crashes in the data that we are receiving. If we do not update the data points each and every time, some data points might have failed. If the server is offline, it might not report in Sumo Logic, so we need to check at the server level why this issue is being caused. We need to update the agent for Sumo Logic Security and ensure it is up-to-date.
What needs improvement?
I would say there are a few more things that Sumo Logic Security can improve on. It is not the tool; it is a technical part. From the app point of view, I would say when we need to include a few latest features that have currently started in the market, such as new cloud integrations, it is a bit lengthy because it is not available on Sumo Logic Security. Then we have to get some ideas and go through workarounds. We are able to do that, but that is the hard part that I find with Sumo Logic Security. Because they are new to the market, it takes time, but still, since Sumo Logic Security is that famous, it needs to have better integration.
With the market trend, we have some cloud vendors for which we need to do some integration part. It is not directly integrated since it is a third party. On Sumo Logic Security, it is not supported that well compared to other SIEMs or other applications that we might be using. The integration is quite easy, but in Sumo Logic Security, it is not easy.
For how long have I used the solution?
I have been using Sumo Logic Security for more than one and a half years since I joined this organization, and my team has been using it for more than three years.
What do I think about the scalability of the solution?
Sumo Logic Security is quite scalable; it depends on your team and how you implement it.
How are customer service and support?
We have a weekly meeting with the technical team for all our queries since it is included in our package.
I would rate the quality and speed of Sumo Logic Security support seven out of ten since the meetings are close to other vendors only, but they can improve on that part.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have tried using Azure Sentinel in our organization.
With the length of data transfer that we are having day in and day out, I do not find Azure Sentinel to be very feasible compared to Sumo Logic Security that we are currently using. It all depends on the data transfer credits that we are using day in and day out.
How was the initial setup?
It is easy to deploy Sumo Logic Security, since we are always on call with the support team, and there was a specific SME deployed for us from Sumo Logic Security who helps us whenever we get stuck in some part or cannot proceed. They help us in that part.
What's my experience with pricing, setup cost, and licensing?
I would say that the pricing for Sumo Logic Security is in the medium part of the market. If you go to the well-known vendors such as Azure Sentinel or other tools like Splunk, you are going to find them costly since they are well-known and they have much more integration compared to Sumo Logic Security. They have been earlier in the market and have a vast network of backing behind them. So they charge for their integrity and their well-connectedness. Sumo Logic Security comes in the medium part; it is not very costly and not very light on the pocket. It is in the middle part, and we can say it is close to the best value that we are having right now.
What other advice do I have?
My overall rating of Sumo Logic Security is seven out of ten.
Clean, Shareable Dashboards with Seamless AWS Integration
Automated threat insights have reduced detection time and improved SOC investigation efficiency
What is our primary use case?
The main use case for Sumo Logic Security is as a SIEM platform where our customers prefer it to gather logs from multiple places and have good detections, especially Sumo Logic insights, which is helping us a great deal to detect and correlate logs from different platforms and consolidate them into one insight. It helps for investigation and analysis. The major part is threat detection and threat analysis.
What is most valuable?
The best features of Sumo Logic Security are automated log and event correlation, which may come from a firewall event, and User Entity Behavior Analytics (UEBA) for detecting impossible travel and unusual access times. Threat intelligence enrichments are good, and the MITRE ATT&CK framework is beneficial. The centralized log search for investigation is better compared to multiple SIEM solutions, where I can query everything in one place. The SEC records feature, something that returns index=sec_records, provides all the logs from different places. Pre-built dashboards and analytics, especially threat trends and the anomalies that return compliance patterns, are valuable. The workflow, including playbooks and workflows, can be triggered when we need to quarantine an endpoint, revoke credentials, or block IPs. Most importantly, it is cloud-native and has elastic scale. As a cloud-native SIEM, it scales up very well automatically, and real-time threat detection is available.
One of the most important things is MTTD, which is faster threat detection that reduced our MTTD, and we were able to detect alerts with multiple detections that used to take hours. Now the correlated alerts surface the real threat very quickly. Detection time has dropped significantly. We used to have MTTD of three to four hours, but now it is under 30 minutes. Automatically, our mean time to response has also increased substantially. Analysts are able to quickly pivot items and make faster decisions, especially without switching between tools. We have all our EDR tools and firewalls integrated to the same platform and viewing everything there. As a SOC, which faces major problems, it reduced the alert fatigue by over 100 days of low volume alerts, which have been made into insights, and this has greatly improved our alert efficiency and decision quality, the way we are able to enrich information. Operation stability has also improved very much. It has significantly impacted our organization, and our KPIs have improved substantially with respect to this.
What needs improvement?
If I want to mention anything related to Sumo Logic Security, I would say that with the current AI situation, AI enrichments should be very well integrated. I saw something in insights that it is doing something around 14 days of correlation, but I would prefer something around seven days would be better. Sometimes we see alerts coming from a different time frame. In some places, correlation could be much better in Sumo Logic. There is a scenario where we see five to six employees from the company log in from the same IP address, which is a shared IP address. Maybe one employee has login failures, perhaps because they forgot their password. In this situation, Sumo Logic gives us an alert saying that a brute-force alert was detected or a credential compromise was detected, stating that five people have successful logins and one user has a bad password. This is not practically correct detection. They should be doing some kind of better analysis, such as a historical analysis of this IP, to make it clear that this IP is a shared IP, so the logins that happened for all other users are normal. Sumo Logic has the capability as a modern SOC to include behavior correlation or attack chain visibility, which would be a great addition to reduce false positives. Good dashboards with AI capabilities would also be more helpful.
Since our product is also AI-based, something where they can focus more on AI with the possibility of detection engineering, writing custom correlation rules, and tuning detections to make more valid true positives would be beneficial. I have experienced some situations where false positives occurred. There can be more improvement in MITRE ATT&CK mapping, especially, as it helps us measure coverage gaps and where we are positioned. Beyond that, SOAR capabilities with automation focus should include more enrichments into the detection part and provide higher levels of true positives overall. When I compare Sumo Logic Security with other solutions like Splunk, Azure Sentinel, or SentinelOne, these are improvements I would expect to see.
Automation should be improved further. As we move to AI SOC, there is talk of automated multi-step response workflows where playbooks should be enriched for logs of different activities based on IP, user, user agent, or other fields. More advanced playbook-based correlation should be coming up with a set of rules that can help detect real true positives. Rich incident response playbooks and better integrations with ticketing tools would be beneficial so that we can take quick actions if a breach has been identified. Advanced attack path visualizations would be helpful. Creating a good attack graph showing when something has been detected, how quickly it has been investigated, what the timeline of all these activities was, and including entities such as user, host, network, cloud, or indicators of compromise would be valuable. Built-in threat group playbooks would be very helpful, whether for ransomware, account compromise, or data exfiltration. AI-driven threat insights at the automated flow of investigation would be more helpful. Sumo Logic Security is very good at role-based access controls, and we were able to manage that very well without any issues. Advanced attack path visualizations and built-in threat group playbooks for ransomware, account compromise, or data exfiltration scenarios would enhance the platform significantly.
For how long have I used the solution?
I have been using Sumo Logic Security for the past four years in my previous two organizations.
What do I think about the stability of the solution?
Sumo Logic Security is stable. It operates very well as a cloud-native SaaS platform with high availability, and there is no downtime that I have experienced. Sometimes we had API integration issues, but the platform scales up automatically without any performance degradation, especially with large volumes of logs without any failures in ingestion. This is something that I have seen be difficult in other places. It does not require any hardware and patch management, which is another good thing for being stable. These are some of the reasons why I would say it is stable.
What do I think about the scalability of the solution?
Sumo Logic Security scales up automatically because it is a cloud-native SIEM, and I do not need to worry about hardware clusters or capacity planning. The platform grows as security data grows. Real-world ingestion limits, cold versus hot data performance, and retention implications on the cost and query performance under high load are all handled very well. It supports business growth, as when the company grows, security analytics also grows with more servers, more users, and more applications, but without infrastructure headaches. Onboarding is something that I need to mention as well. I can ingest identity logs, endpoint detections, or any type of logs without worrying about underlying capacity. I was able to ingest all types of logs with Sumo Logic Security. In other platforms, we faced some challenges with complexities, especially in terms of handling the hardware part as well.
How are customer service and support?
Support for Sumo Logic Security is good. We have had a couple of issues, especially with the technical support team troubleshooting problems, particularly around API integration issues, but they had a faster response time. I would score them around 9 out of 10. Direct support includes documentations, tutorials, and training access along with community forums, which helps us resolve many questions independently without reaching out to them. Where we have faced some challenges, I would say it may be because of region-specific support in India or Europe, as some support times were slower. Some tickets even took two weeks when we were finding issues with email-related matters. Everything else is good because their documentation is very helpful and querying is also very good. They have a limited direct call option for support, but the response is good, and technically they will explain everything we need to do. Premium support is also available. The customer support is very good with them, and the documentation is helping us to fix issues today.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We used Devo and Splunk before Sumo Logic Security. Due to our organization's budget platforms and other factors, we switched to Sumo Logic to have our SIEM. We used to face challenges before, such as storage clusters and scaling issues, and the detection part was very much worse in other SIEMs. I may not give specific details, but Sumo Logic insights are playing a major role today in our investigation and reporting parts. I have used Splunk, Devo, and even ArcSight.
What was our ROI?
As I mentioned, we have 100% return on investment very well. I have experienced that we used to have over 100 alerts where we needed eight analysts, but now we are able to operate with five analysts because the time drop in investigation has been from 20 to 40 minutes. We have saved 64 hours of our time overall. Before we used to have eight analysts, now we have at least five analysts and we are able to do the work completely. We have a good return on investment in terms of even the log retention part as well.
Which other solutions did I evaluate?
We have not typically evaluated other solutions as alternatives. As I mentioned, we used Splunk, Azure Sentinel, and Devo. We directly switched to Sumo Logic Security as per our organization's needs. We had used different SIEM platforms as well.
What other advice do I have?
I would say to define especially what problems they have, particularly the threat detection part, incident response part, reporting part, cloud security monitoring, or insider threat analytics. They need to plan their log strategy about how much quality versus quantity they require and send only meaningful logs while filtering out debug and low-level information that makes noise. Categorizing the logs by priority is one of the most important things. Using something with very much tiered retention periods is helpful because Sumo Logic Security provides pre-built dashboards, correlation rules, analytics, and threat intelligence feeds. That is going to be helping. I would recommend investing in training, as good training helps the team write more effective queries, build custom correlation rules, alert tuning, and perform threat hunting. These are things to focus on, which especially help the organization. Measure metrics as well, such as MTTD, MTTR, false positive rate, analyst hours worked, and threat signals escalated, as these are outstanding for Sumo Logic Security.
Regarding additional thoughts about Sumo Logic Security before wrapping up, I would mention improvement in the detection part with AI integration regarding log summarization and advanced analytics, which should be part of the roadmap. Also, how Sumo Logic Security is going to handle scalability, such as onboarding different data sources or tuning alerts. The major direction I am interested in seeing is how Sumo Logic Security will move forward with AI-based SOC capabilities, as that is the next era of SIEM tools. I would give Sumo Logic Security an overall rating of 8 out of 10.
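The shared-IP false positive the second reviewer describes (several employees succeeding from one IP while a single user fails, producing a brute-force or credential-compromise alert) is worth seeing as detection logic. The block below is an added example, not part of the original page and not Sumo Logic's rule: it runs a naive "any failure followed by a success from the same IP" rule beside a tuned rule that keys the failure streak on the (IP, user) pair and consults a history of which users an IP normally serves, so a known shared IP is not treated as evidence by itself. The log format, IP addresses, usernames, thresholds and the `IP_HISTORY` baseline are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real data, not Sumo Logic's format).
# 203.0.113.10 is an office NAT: five users succeed, one mistypes a password.
# 198.51.100.7 is a single attacker: five failures for bob, then a success.
# 192.0.2.5 sprays one failure each across three accounts and never succeeds.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z ip=203.0.113.10 user=alice result=success
2024-05-01T09:00:05Z ip=203.0.113.10 user=bob result=success
2024-05-01T09:00:09Z ip=203.0.113.10 user=carol result=failure
2024-05-01T09:00:20Z ip=203.0.113.10 user=dave result=success
2024-05-01T09:00:31Z ip=203.0.113.10 user=erin result=success
2024-05-01T09:00:40Z ip=203.0.113.10 user=frank result=success
this line is malformed and must be skipped by the parser
2024-05-01T09:01:02Z ip=198.51.100.7 user=bob result=failure
2024-05-01T09:01:03Z ip=198.51.100.7 user=bob result=failure
2024-05-01T09:01:04Z ip=198.51.100.7 user=bob result=failure
2024-05-01T09:01:05Z ip=198.51.100.7 user=bob result=failure
2024-05-01T09:01:06Z ip=198.51.100.7 user=bob result=failure
2024-05-01T09:01:09Z ip=198.51.100.7 user=bob result=success
2024-05-01T09:02:01Z ip=192.0.2.5 user=alice result=failure
2024-05-01T09:02:02Z ip=192.0.2.5 user=bob result=failure
2024-05-01T09:02:03Z ip=192.0.2.5 user=carol result=failure
"""

# Constructed historical baseline: distinct users seen per IP over a prior window.
# In practice this would be built from retained logs; here it is hard-coded.
IP_HISTORY = {
    "203.0.113.10": {"alice", "bob", "carol", "dave", "erin", "frank", "grace"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)


def parse_events(text):
    """Parse the constructed log format; lines that do not match are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def naive_rule(events):
    """Alert whenever an IP that has produced any failure later produces a success,
    regardless of which user failed and which user succeeded. This is the pattern
    that fires on a shared office IP."""
    ips_with_failure = set()
    alerts = []
    for e in events:
        if e["result"] == "failure":
            ips_with_failure.add(e["ip"])
        elif e["ip"] in ips_with_failure:
            alerts.append((e["ip"], e["user"], "credential_compromise"))
    return alerts


def tuned_rule(events, history, fail_threshold=5, spray_threshold=3):
    """Two checks instead of one:
    1. credential_compromise: a streak of >= fail_threshold failures for the SAME
       (ip, user) pair, followed by a success for that user.
    2. password_spray: failures from one IP against >= spray_threshold users that the
       IP has NOT historically served. For a known shared IP, failures by its usual
       users are normal; for an unknown IP every failing user counts as novel."""
    streak = defaultdict(int)        # (ip, user) -> consecutive failures so far
    failed_users = defaultdict(set)  # ip -> users with at least one failure
    alerts = []
    for e in events:
        key = (e["ip"], e["user"])
        if e["result"] == "failure":
            streak[key] += 1
            failed_users[e["ip"]].add(e["user"])
            continue
        if streak[key] >= fail_threshold:
            alerts.append((e["ip"], e["user"], "credential_compromise"))
        streak[key] = 0
    for ip, users in failed_users.items():
        novel = users - history.get(ip, set())
        if len(novel) >= spray_threshold:
            alerts.append((ip, "*", "password_spray"))
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("naive:", naive_rule(evs))
    print("tuned:", tuned_rule(evs, IP_HISTORY))
```

The naive rule raises three alerts for the office IP (one per user who logged in after carol's single failure) and one for the attacker; the tuned rule raises none for the office IP, still catches the attacker's streak against bob, and additionally flags the spray from 192.0.2.5, which the naive rule misses because that IP never succeeds. The thresholds here are arbitrary; in a real deployment they should be set from the observed failure distribution and the history window should be long enough to cover normal rotation of users behind a NAT.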