Hands-Off Security: Instant Threat Detection and Automatic Updates
What do you like best about the product?
The best thing about Sumo is that it takes care of everything for me. I can just send the data and not worry about installing patches or keeping up with updates. Its ability to detect threats instantly is truly incredible.
What do you dislike about the product?
One thing to keep in mind is that it’s quite expensive; if you send a lot of data, your monthly bill can increase significantly.
What problems is the product solving and how is that benefiting you?
It’s fast and high-performing. The best part is that you can forget about anomalies, since the system automatically alerts you whenever it detects something unusual. Plus, thanks to its pre-configured templates, you save a lot of manual work and can focus on what matters.
Flexible Log Management with Speedy Search
What do you like best about the product?
I appreciate Sumo Logic for its flexibility and its ability to parse various log sources. The search functionality is excellent and quite fast. I value the ability to ingest various sources without worrying about how it's supported. The initial setup was easy, and although it took some time to configure all the parsers, the ongoing maintenance is relatively low.
What do you dislike about the product?
I wish Sumo Logic supported a more lightweight agent for Endpoint log collection. Currently, it relies on Syslog and WEC/WEF to gather these logs.
What problems is the product solving and how is that benefiting you?
I use Sumo Logic to collect logs from various systems and meet PCI logging requirements. It solves problems by ingesting various sources seamlessly without compatibility worries.
Security insights have enabled faster incident response and streamlined cross-team collaboration
What is our primary use case?
My main use case for Sumo Logic Security is relying on it for security insights when it comes to security alerts. This is heavily used by people who are on a weekly on-call rotation to ensure that security incidents from Sumo insights are actioned on and remediated.
A specific example of a security incident where Sumo Logic Security played a key role is when, about a couple of weeks ago, we had an incident where a user was a victim of a click-fix attack. Sumo Logic Security was able to determine that this user had performed some risky activity and also correlated the fact that the URL was associated with that incident. We were able to determine the involved entities, which included the user's device, and we were able to quickly action on it and perform a reset of the user's account in order to begin the remediation process.
In addition to the previous points, I use Sumo Logic Security for a lot of the enrichments when it comes to insights as well. An example of this is when we receive insights regarding a user entity, we are able to use Sumo enrichment automation to get user details including their manager. This is definitely beneficial in an example such as the one I provided earlier where a user was compromised, where we can at least know who the proper chain of command is if that needed to be used in that specific incident.
What is most valuable?
The best features Sumo Logic Security offers, in my opinion, are the ones that allow you to use dashboards as enrichments. For example, we had a situation where there was a suspected compromise on a specific server, a database server to be exact, and so we linked an enrichment action in the CSE component to then point us to a Qualys dashboard. In this specific case, the suspected server was suspected as being compromised, and we were able to check any available vulnerabilities from the Qualys dashboard itself by using it as an action in Sumo Logic Security.
We are actually using both out-of-the-box and custom rules from Cloud SIEM Enterprise, and it has been really great because we have a variety of ways to create rules based on our needs, such as match rules. What I really do appreciate are the first-seen rules that we can use in a fashion to determine a baseline of normal versus unexpected behavior depending on the entity, and I really do enjoy these.
In terms of threat intelligence, I was able to integrate, as an example, AlienVault, and using their actions, automated integrated actions into playbooks to enrich certain entities such as IPs, domains, URLs, and hashes. It has been very paramount to how we operate due to the fact we can all stay in the same single platform of Sumo Logic Security without having to reach out to different third-party sources, opening up different browsers, essentially saving time on trying to respond to an incident or review an incident. It has been really good in terms of integrating and using the threat intelligence features.
I find Sumo Logic Security's AI-driven analytics effective in reducing analyst workload and response times, and I have seen a difference since using those features. For example, we are using the anomaly-based AI detections in Sumo monitors, and I would say that it has been good, but the reason I say it could be better is the fact that we are seeing a bit of some false positives when it comes to understanding what is typical normal behavior and relying on AI to understand what normal behavior is versus what is unexpected. I found that when using this type of monitor, I do have to do quite a bit of tuning, which I would hope the AI would be a little bit more robust and essentially leave me hands-off when it comes to this.
We also use the dashboard enrichment feature in Sumo Logic Security when alerts pertain to specific entities, and we use it a lot. For example, we will get insights for server entities, and it is easy for us to pivot over to a dashboard when it comes to an enrichment perspective to determine if there are any actual vulnerabilities related to it. Another example is if we have an AWS related entity, we can pivot over using an enrichment action to navigate to one of the AWS dashboards to get some quick information pertaining to the specific entity involved in the insight.
Sumo Logic Security has positively impacted my organization by increasing engagement with different teams. For example, we have the database team being onboarded to Sumo Logic Security regarding their database logs, where they use it to monitor their database when it comes to informational all the way up to critical types of events, and they use it for alerting as well. This is due to the fact that they were not able to find any solution that can provide this type of functionality for them, and they have pivoted to Sumo Logic Security for their needs.
From this increased engagement, we are able to respond faster to incidents. For example, if they are seeing a type of activity that involves a user or an admin that is not supposed to be logging in at a specific time, they do get alerts on that. In addition to that, we are able to save time on fewer alerts because we are able to perform tuning on the logs to be able to only get relevant security-related incidents.
What needs improvement?
To improve Sumo Logic Security, I would appreciate the tool being easier to use from a search perspective. For example, we have a few teams that want to use the tool itself, but they are not as savvy when it comes to creating searches from the core platform. I understand that Mobot has come out and is in the works, and it really does assist non-savvy users when it comes to querying the platform. As far as that is concerned, I wish that could be improved a bit more, but I do know that that is in the works.
I would add that I wish for improved documentation. For example, we are using Sumo Playbooks and automation integrations along with that, but I have found that there has been a lack of documentation, very little to none at all when it comes to that. With regards to automation integrations as well, there are very few details included in them. I would also appreciate the AWS automation integrations to be more secure because currently, they are using access keys, which involves a user rather than roles, which is the security best practice recommended by AWS.
I chose eight out of ten because to make it a nine or ten, I would lean heavily on the documentation. A lot of the times when we get around to configuring things such as playbooks or trying to understand playbooks, what I found was that documentation sometimes is not up to date or documentation is lacking. There are instances also where some security best practices are not being followed. So, if we are able to set up an integration that is not only secure, following security best practices, and has complete documentation, I believe it would alleviate the issue of having to go back and forth with support to check the documentation and things of that nature.
My impression of the built-in threat intelligence feature in Sumo Logic Security is that it is comprehensive, but I would say that it could do a little bit better. For example, we have the TAXI feeds, which is STIX and TAXI integrated into the core platform, but the issue I am running into is that I am able to use that feed into a CSE alert; however, I am not able to see the contents of that feed. If I integrate CISA, which we do have integrated, I cannot see what IOCs are in that feed in the core platform, and I hope that is the case because, in order for us to better tune our alerts, we need to be able to see what is in the contents of that threat intelligence feed.
For how long have I used the solution?
I have been using Sumo Logic Security for three years.
What other advice do I have?
My advice to others looking into using Sumo Logic Security is to look at the customer service side of things. The product can be great, but if the customer service side of things fails, I think pretty much the rest follows. I would also advise them to look at the automation features, for which Sumo Logic Security has been pretty great in expanding that realm. I think those are going to be the two main things as we are moving a lot more towards being hands-off with automation and also being able to utilize support and getting timely answers. Those would be the two key factors of looking at or giving advice when it comes to Sumo Logic Security.
I have additional thoughts about Sumo Logic Security in that I do appreciate the product. It can be as vague as you want to or as detailed as you want to when it comes to getting telemetry information from the product itself. That is what I appreciate about Sumo Logic Security. Overall, I am happy with the product, just a few hiccups here and there. I provided a rating of eight out of ten for this review.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Sumo Logic for Better Alering ad Logging
What do you like best about the product?
Powerful Log Management & Analytics
Strong log ingestion, real-time analysis, and deep querying capabilities that help with troubleshooting and operations.
Built-in integrations with cloud services (AWS, Kubernetes, Jira, etc.) and dashboard customization
It handles large volumes of log data well and works effectively in cloud-native setups
What do you dislike about the product?
The platform can be complex for new users, with a query language that feels unfamiliar
Expensive
Can provide more flexible visualizations and if vconfigureation can be made easy
What problems is the product solving and how is that benefiting you?
Centralizes logs and telemetry data into a scalable platform with fast search/query capabilities. It is prividing Real-time monitoring and alerting based on search queries or thresholds.
Game-Changer for Cloud-Native Observability
What do you like best about the product?
Sumo Logic excels at unifying logs from Kubernetes and AWS, slashing MTTR through real-time correlation, my favorite for chaotic microservices debugging.
What do you dislike about the product?
Query learning curve frustrates quick starts, though power users adapt fast.
What problems is the product solving and how is that benefiting you?
Transforms security noise into prioritized alerts, cutting false positives and compliance audits effortlessly
Powerful Threat Detection and Data Evaluation
What do you like best about the product?
I want to emphasize its robust data evaluation capabilities, as well as its effectiveness in proactively identifying security threats.
What do you dislike about the product?
One aspect I dislike is that the query language is relatively complex and not very intuitive at first.
What problems is the product solving and how is that benefiting you?
This has proven to be an excellent security solution for cloud operations. It has helped decrease MTTR by allowing for quick identification of the root cause of incidents. Additionally, its unified observability means I no longer have to switch between several different tools.
Powerful Integration with Some Complexities
What do you like best about the product?
I like the integration that Sumo Logic has with various tools. I also really like the way it is possible to manage data and create dashboards. The data collection part is something I really appreciate, as well as the possibility of using agents for data collection. The integration with tools like Jira, Atlas, and Google Workspace makes the work much easier, especially because it already comes with pre-made dashboards. I also appreciate the extensive documentation it has, which helps a lot in daily tasks.
What do you dislike about the product?
I think the query language of Sumo Logic is a bit complex to handle. Additionally, in some dashboard elements, the way elements are organized on the screen is not very flexible, which could be a bit more adaptable, especially since the sizes are quite fixed. This hinders a bit. Another point is the new contract model that charges per query, which ends up being quite costly for companies, especially those from countries that do not have the dollar as their main currency.
What problems is the product solving and how is that benefiting you?
Sumo Logic facilitates data cross-referencing, dashboard creation, and precise queries in specific periods, improving information security.
Centralized, cloud-native log ingestion & analytics
What do you like best about the product?
Centralized, cloud-native log ingestion & analytics, Sumo Logic makes it fairly easy to collect logs (and other machine data) from many sources (cloud, servers, apps) into a centralized platform and analyze them.
What do you dislike about the product?
For very large volumes of logs or long time-range searches, queries may be slow. Some users report significant delays or slowness compared to alternatives.
What problems is the product solving and how is that benefiting you?
real-time monitoring and alerting, For log analytics, operations, security use cases (e.g. cloud/SIEM), Sumo’s near real-time ingestion + alerting helps spot and respond to problems faster.
Unified Monitoring Made Easy and Effective
What do you like best about the product?
I appreciate how this platform brings together log ingestion, metrics, and tracking in one place. It makes it easy to correlate performance events, and I find that it works very well overall.
What do you dislike about the product?
One aspect I didn't appreciate is that when handling large volumes of records, the performance decreases noticeably.
What problems is the product solving and how is that benefiting you?
We have seen significant benefits from their advanced analytics, which are highly effective at identifying anomalies. This capability enables us to set behavioral baselines and configure proactive alerts. Sumo Logic performs exceptionally well, leading to fewer disruptions and a consistently positive experience overall.
Easy to Use with Powerful Trace Finding
What do you like best about the product?
I like how easy it is to use Sumo Logic, which makes my tasks smoother, particularly when it comes to searching for traces I am looking for. The usability of the search feature stands out as it simplifies finding necessary information effectively. Additionally, the initial setup of Sumo Logic was very easy, which made the transition seamless and quick. This has enhanced my security operations as I can efficiently utilize the software without unnecessary hurdles, boosting my overall productivity.
What do you dislike about the product?
I dislike the speed at which Sumo Logic loads results. It can be slow, which hampers efficiency and creates frustration when waiting for important search outcomes.
What problems is the product solving and how is that benefiting you?
I use Sumo Logic for security operations, as it helps me find traces effortlessly. Its ease of use, especially the search functionality, makes it intuitive and user-friendly.
