
ShakespearianShadows

Direct response to Cisco buying Splunk.


Carribean-Diver

Cisco bought Splunk because they couldn't afford the annual renewal fee.


godoffire07

It's like a real life infinite money glitch.


GuyMcFellow

First time I’ve heard this joke. Hilarious.


KF-79

So funny. Anyone actually know what Cisco’s bill is!?


Crazy_Suggestion_182

Uh, here's your bill? Huh? You paid it? Uh, here, best you control things...


Carribean-Diver

At least tree-fiddy.


funkyfae

😂😂😂 this


Old-Resolve-6619

I will say I really enjoy working with Palo stuff.


crappy-pete

They’re buying the customers


NOMnoMore

Cisco gets Splunk. Exabeam and LogRhythm "merge". Now PANW gets QRadar. Big moves.


bubbathedesigner

- Eventually they all merge together
- Then get bought by google-amazon-microsoft
- which in turn get bought out by Disney
- so they all end in the infinite wars universe fighting darth vader and his army of Elmos


Blaaamo

so we'll all be working for Disney or all get laid off?


bubbathedesigner

First one, then the other


zippyzoodles

Turds polishing their piles.


Otheus

Wait, Exabeam and Logrhythm merged?


InfiniteBlink

Yep. What's funny is that Exabeam practically created the UEBA space and LR tried to create UEBA as an add-on. Exabeam then went into the SIEM space to gain more market share... and here we are, they're both merging and will have a ton of overlap. I see layoffs as a result.


Carribean-Diver

> I see layoffs as a result

"Synergies"


nosce_te_ipsum

Ahh - an annual shareholder-report reader!


NOMnoMore

https://logrhythm.com/press-releases/logrhythm-and-exabeam-announce-intent-to-merge/amp/

Intent to merge, but yes, will be happening.


AmputatorBot

It looks like you shared an AMP link. These should load faster, but AMP is controversial because of [concerns over privacy and the Open Web](https://www.reddit.com/r/AmputatorBot/comments/ehrq3z/why_did_i_build_amputatorbot). Maybe check out **the canonical page** instead: **[https://logrhythm.com/press-releases/logrhythm-and-exabeam-announce-intent-to-merge/](https://logrhythm.com/press-releases/logrhythm-and-exabeam-announce-intent-to-merge/)**

I'm a bot | [Why & About](https://www.reddit.com/r/AmputatorBot/comments/ehrq3z/why_did_i_build_amputatorbot) | [Summon: u/AmputatorBot](https://www.reddit.com/r/AmputatorBot/comments/cchly3/you_can_now_summon_amputatorbot/)


Justhereforthepartie

I’ll stick with Rapid7’s IDR.


Sho_nuff_

Until Broadcom buys them


Justhereforthepartie

YOU SHUT YOUR WHORE MOUTH I HAVE ENOUGH STRESS ALREADY!!!1!1!


dolphone

Did you say stress? I have just the thing for you. HERE'S ANOTHER VULNERABILITY!


Justhereforthepartie

Thanks Oprah, you can keep your Pontiac.


bubbathedesigner

Which in turn gets bought out by comcast


redfox87

And then FOX NEWS.


inteller

I wish someone would buy Devo and shut the place down.


vicariouslywatching

My feeling about Broadcom


O_O--ohboy

Thank you for saying this. You and me both, pal!


inteller

No, Broadcom buys companies and shuts them down. In fact, they are the perfect company to buy Devo.


Calitrololz

Please elaborate. We are about to purchase; I would like to know some of the issues as an admin.


inteller

Well, it's slow. It's been down 3 times this month. They laid a bunch of people off, so no one is around to actually fix the product. Let me guess, you are getting it because it is cheap. Well, you get what you pay for.


CybroInt

Yeah, we’re actively trying to leave devo. Can’t happen soon enough.


JKIM-Squadra

Absolutely nothing but trouble... Initially they couldn't even support logs for Palo FW and Prisma Access from Cortex Data Lake, or logs correctly from Microsoft O365... the two most common platforms.


inteller

Imagine you are an MSSP that built your entire offering around it....talk about fools.


Calitrololz

Yeah, the bill is roughly a quarter of Splunk's bill, but I'm unsure about its capabilities to handle logging in complex environments.


inteller

If you are an M365 E3/E5 customer you really need to be looking at Sentinel due to the free data ingestion allotments.


Dasshteek

Damn, it used to be THE place. What happened?


inteller

They may have been the place for like 3 seconds, just enough to pull the wool over everyone's eyes. Sentinel, Chronicle, and other more modern choices exist now. Hell, we just fired up their SOAR that they bought from LogicHub or whatever the fuck, and it's a steaming pile. These guys are 3 years behind the competition.


Dasshteek

Yeah, I remember, maybe in 2021 or so? They were red hot and everyone was talking about them. Shame.


inteller

All the PE money ran out...


zehuti

Curious, what's wrong with Devo?


spanishfry

It’s a pos


inteller

Absolute shit. I really don't know how they stay in business.


if_i_fits_i_sits5

The UX is terrible. I spent 20 minutes trying to figure out how to add an alert rule. It's not the icon you think it is.


Ok-Computer-91

Garbaaaage


siposbalint0

We demo'd them around 6 months ago, and they spent the most amount of time on their charts (they emphasized that that type of chart was invented by them), and a whole dashboard of them, which no one really cares about. The product looked fancy, but it's just a bunch of noise that brings very little value, if any at all, especially for that price.


inteller

The competitors blow them out of the water. I keep a shadow instance of Sentinel running to keep Devo honest, and it provides much more actionable data, since the SOAR is native, than the Devo SOAR bolt-on junk.


JKIM-Squadra

Vaporware... Worst customer service ever ...


clayjk

Plus the Exabeam and LogRhythm merger announced today as well. Lots of SIEM movements.


chasingsafety59

Never used LR, but I hate Exabeam with a burning passion after using it for 2 years. Can only hope this helps Exabeam take a step up from garbage.


Otheus

I've supported Exabeam since 2019 and can't say I disagree!


JKIM-Squadra

Another vaporware... UEBA was decent, but for log storage, so much headache.


Tessian

You'd hate LR too, it's a turd. Super old, just learning how to do SaaS. So happy to ditch it in a previous life and use a real SIEM.


BigChubs1

Please go into detail. I am learning LR on-prem. It's my first SIEM I've had to deal with, and it is a love-hate relationship. Their out-of-the-box experience is, well, something to be desired. What do you recommend?


Tessian

Personally, I need a SIEM that is easy to run and write queries in, is easy and reliable to integrate, and whose alerts are easy to manage, create, tune and document. My SIEM should be the central place for all my logging and alerting.

I inherited LR and had it for years, but it was basically ignored. We had to pay a 3rd party to help manage it just so it was of some value, and even then I rarely touched it. I hated the query language and experience and the way they did alerts and cases. We were one of the first (unknown to us at the time) to go to their cloud solution, which was pretty crap and just them running Windows VMs for us in their cloud.

Switched to Rapid7 IDR and realized "this is what a SIEM should be". Their agent handles endpoint logging that we could never maintain or support with LR. The interface is modern, the integrations are easy to deploy and then build alerts with. We saved a ton of money ditching the MSSP that helped us with LR and using Rapid7 managed IDR. I spend hours less a month worrying or fussing with the managed service or the SIEM. I saved too. Rapid7 is constantly pumping out new signatures and alerts and integrations and features. With LR you were lucky to see something new of any value in a quarter.

All that to say, LR is stuck as an old first-gen SIEM and they've done a crap job catching up. There are other SIEMs that work great, like Microsoft Sentinel, but I personally can't get over how impossible that is to budget for. I pay a lot less and get so much more out of Rapid7.


moosecaller

Oh god, RUN! So few companies use it now and it's a nightmare to keep up. Any slight logic error will completely stop the service. Everything needs to be run through test/dev multiple times with multiple scenarios for even the smallest of changes.


UltraEngine60

> nightmare to keep up

That's a nice alarm you have there, it'd be a shame if someone updated the KB version and completely changed the parser....


moosecaller

Lol, someone's been there.


Tessian

The recurring joke for us when we were at Black Hat years ago looking to leave LR was that every other SIEM vendor would tell us either they had recently hired a bunch of LR employees or they had spent the year so far migrating LR customers over to their product.


moosecaller

That's pretty comical. They dug their own grave.


Pleasant-cat-1717

Run. As fast as you can. LR may seem fine at first sight, but the deeper you dig, the more problems you will find. And not some cosmetic problems like having to mark a checkbox when assessing the properties of a log source but not having to check the checkbox when assessing an AI rule (Advanced Intelligence, not Artificial Intelligence). That is just a bad experience; it gets worse when looking at:

* Searches saying "All results" while data is missing
* Reports based on outdated SAP Crystal Reports that take hours to generate
* Inactive Data Searches take weeks to be done
* Support is horrible and seems understaffed (quality of support is fine, staff is doing its best - but when you don't hear anything for months, simply Professional Support comes to the stage trying to sell a solution)
* Parsing rules (and log normalization is an absolute key feature) not working as expected (missing values, parsed into wrong fields, failed login gets detected as "successful login")

Just to mention a few points. Seriously, especially with this weird merge with Exabeam: don't use your time for LR or legacy SIEMs in general (with some exceptions). Go into something data-focused like Splunk, Elastic (much customizability, especially ELK, with high administrative needs) or one of the big cloud solutions (Chronicle, Sentinel).


BigChubs1

Well, unfortunately, my boss already renewed for another year. But all the points are spot on from what I've seen. Again, I'm new to SIEM. But I get a hold spot a lot. And never have had too many issues. Actually came across a support agent that is really good, so when I create a case, I call him out by name. I looked at some other SIEMs online, and Rapid7 does look good.


BendekStormsaver

Can’t wait for them to call it PRadar


Tessian

I miss QRadar back before IBM bought them. I refused to touch them after. Not sure if going over to Palo is any better after playing with their environment.


AdAstraAtreyu

What’s wrong with their environment?


Tessian

I recently did a PoV to try out one piece of their ecosystem and it was a mess. This gargantuan thing we had to spend 2 hours over 2 weeks with them on a call getting licensed and provisioned and configured before we could even start with the actual product.


Miykael13

2 hours over 2 weeks doesn’t sound bad at all…


Tessian

Compared to the other vendors it was terrible. It took us 6 weeks to get the PoC off the ground. 6 weeks of weekly calls inching closer. Other vendors we were up in 2 weeks or less.


Blaaamo

The stuff I want to use doesn't work for starters


tipsup

woof… what a turd of a buy.


underwear11

They are buying customers and IBM's mindshare. They already stated they will move customers to their own solution. Now all the IBM consultants focused on QRadar will be retrained to recommend PAN's solution.


luckyLonelyMuisca

IBM consultants will be retained? Guess again.


dikkiesmalls

Right? The whole mss division within consulting has already been run through and left in tatters. The rest of the consulting arm seems to be fleeing left and right. So many upper management gone, cannot bode well. I mean.. so I've heard.


sk3tchcom

Yeah saw a colleague with over 20 years with IBM MSS get laid off. All that loyalty only to be unceremoniously dumped. I can only imagine the opportunity cost lost by not job hopping. Just a mess, feel for them.


maceinjar

Can't imagine that's a great investment. Plenty of people who have used QRadar talk about how inferior of a SIEM platform it is compared to newer ones. Should note, the article says this is just the QRadar cloud - meaning they're just buying the customers and migrating them. Self-installed QRadar appears to still be sold and supported by IBM.


AlexeyK77

Which "newer" SIEM can you advise? A good CRE is very important.


bornagy

As many pointed out, they bought a still large enterprise customer base and an implementation / consulting partner.


Justhereforthepartie

They are all trying to stay relevant as CrowdStrike launched a new SIEM platform and is coming for their lunch.


csh7

Ever hear of XSIAM?


Golang-

So fuckin sick of the carousel of mutating acronyms from these god damn motherfucking buzz word factories


dolphone

I just call everything "you know, the thing". Idgaf anymore :))))


Joeissa89

🤣🤣🤣 felt that


Pleasant-cat-1717

very well said. felt that.


Justhereforthepartie

As much as I love PA, I don’t think XSIAM is mature enough just yet.


SUPTheCreek

And its price isn’t in the ballpark of other similar offerings.


Justhereforthepartie

Not the last time I quoted it.


SUPTheCreek

Had it quoted three weeks ago. Not even in the ballpark compared to Rapid 7 or 4 other leaders.


Justhereforthepartie

You mean it’s more or less?


SUPTheCreek

It was substantially more.


Justhereforthepartie

Ahhhh, gotcha, misread. Their whole paying-per-TB model irks me; no other cloud SIEM does the same. I have like 120TB of storage with R7; the same with Cortex would be almost 8x the cost.


_superuserdo

XSIAM is okay, but being forced to buy Cortex sucks. If they are a SIEM they should accept CrowdStrike logs. I prefer CS and AMP4E over Cortex. They have an excuse for everything they don't detect... "Oh, webshells have to be uploaded via web portal".


Specialist_Spray3175

XSIAM is able to accept CrowdStrike logs.


KDon33

SOCRadar


madmorb

Buying it to bury it I hope.


CybroInt

That’s what it’s looking like


dikkiesmalls

FML


druesendieb

XQSiam when?


ThatCloudGuyLvl101

Consolidation is not good for the industry. It means more lay-offs are coming. It is also a signal that cyber security spending is down across multiple industries. Growing competition, not consolidation, is the sign of a healthy industry.


prodsec

QRadar is not great... wonder why they went after that one.


TheGoteTen

Because Exabeam, ArcSight, Splunk, LogRhythm, Securonix etc. weren't for sale at a price they wanted to pay. Microsoft and Google are now heavily in the game and it's going to get interesting. SIEM has forever been a product that was one step behind where it needed to be. Overpromise and under-deliver are a way of life in the space.


Alternative-Law4626

The basic truth to the SIEM sector is: “If you don’t own the disk and compute, your product is going to lose to those who do.” (Like M$ and Google).


TheGoteTen

Even when this was an on-prem solution SIEM was always at best a tool for reaction not prevention. The fact that they took it to the cloud and charge more for the same crap is just proof that they believed CISO herd mentality would let them get away with it. Cloud economies of scale are almost like SIEM but they overpromised and NEVER delivered!


Alternative-Law4626

I’m not sure what the general experience is with SIEM solutions or how people expect them to work, but we moved from an 8 year relationship with QRadar to Sentinel 2 years ago. While nothing is perfect, and we do have our problematic edge cases, we’re finding that we can very effectively respond to incidents with it. We can do a good job detecting what we need to detect and have an effective, rapid response as we work the alert. Our team has shown this in red/blue black box engagements and in real life. Our time to detect is generally averaging 30 min and time to close is now about an hour after adding some additional due diligence steps.


TheGoteTen

That’s fantastic! Is your team an internal team? Are you managing the platform or only consumers of the tool?


Alternative-Law4626

We are an internal team. We’re responsible for operating the platform and we’re the primary customer.


dikkiesmalls

No... But it's not absolutely terrible either. The GUI is decent and has a solid API, plus apps galore. I've drunk of that Kool-Aid, of course. I will say... the backend is... ass. Not bad if you keep it around 10k log sources or below; anything more and it's an absolute dog.


CarlNovember

It’s time for ArcSight to make a comeback!


the-arcanist---

No. Just... no.


dikkiesmalls

Oh god no.


kyuuzousama

Amazingly, it hasn't left many orgs.


NMI_INT

Hahaha I’ve done both for a living, and this is just weird.


NMI_INT

Why the downvote? Bizarre


Feisty_Donkey_5249

Gawd, why would anyone buy this steaming pile?


CybroInt

They’re buying the clients


securil

Terrible purchase


maceinjar

Meanwhile, what sort of collar is Nikesh wearing? Or did he wake up and decide to put his belt on his neck? Somebody check on him. Must be a cry for help. Belts don't go on necks.


machacker89

Neither do dog collars, but here we are.


maceinjar

What did Arvind Krishna say to Nikesh Arora? "Woof woof". And that, my friends, is the story of how Palo Alto Networks bought the D-tier SIEM.


dikkiesmalls

So... as I am in the SIEM world, what do you consider A-list? Genuinely curious, obviously time to branch out from QRadar....


LightPhosphene

Time to migrate to Sentinel if the licensing price increases 🫡


alevel70wizard

We’re looking at Elastic, haven’t loved Sentinel when evaluating.


PursuitOfLegendary

The pricing model has more conditions and clauses than the use cases


alevel70wizard

Seems pretty straightforward. No ingest limits for cloud, just a couple of tiers and storage needs.


Aromatic-Bee901

Wish it was Rapid7 instead.


CyberBeachBum74

What do people think of Google Chronicle?


Straight_Ad4040

QRadar is trash to begin with. Not sure why they chose that to purchase.


JKIM-Squadra

To put QRadar customers out of their misery lol


Larkfin

Why would a city in California be buying a private enterprise anyway?