Vendors Flashcards

1
Q

Elastic

A

Elastic Security

2
Q

Elastic Security

A

Elastic’s SIEM offering is Elastic Security, composed of its SIEM solution and endpoint security for Windows, macOS and Linux.
Other components used to aid in data collection include Beats and Logstash. Elastic Security can be deployed on-premises or consumed as SaaS via Elastic Cloud. Form factors for deploying on-premises include software, via Linux package managers, Docker and Kubernetes. All on-premises Elastic Security deployments use an Elasticsearch cluster and a Kibana instance.
Notable enhancements include:
■ The release of Elastic Security that unifies Elastic SIEM and the Elastic Agent into a single offering.
■ A dedicated SIEM detection engine.
■ The addition of case management.
■ The release of the Lens visualization capability and Timeline feature that provides an investigation workspace for analysts.

Elastic Security has a strong user interface and provides a unified user experience across the solution. The solution scored lower in content, and automation and orchestration capabilities, as Elastic Security lags in compliance content compared to many competitors, and the solution has basic automation capabilities. Elastic relies on third-party integrations for SOAR, as there is no SOAR solution in the Elastic product portfolio.

3
Q

Exabeam

A

Exabeam’s SIEM is available both on-premises as Security Management Platform, and as
a cloud-delivered option known as Fusion SIEM (formerly SaaS Cloud).
Exabeam’s SIEM consists of Data Lake, Advanced Analytics, Threat Hunter, Entity
Analytics, Case Manager and Incident Responder. Add-on modules include Cloud
Connectors and Cloud Archive. Exabeam Fusion SIEM uses Google Cloud Platform in
Asia/Pacific, North America and Europe. Hybrid on-premises/cloud and multicloud
deployments are also supported.
This research note is restricted to the personal use of sydney_green@rapid7.com.
Gartner, Inc. | G00467445 Page 7 of 35
Notable enhancements include:
■ A cloud archive option for long-term searchable storage.
■ Turnkey playbooks for the response module.
■ An auto-parser function to enable ingestion and analytics for new event sources.

Exabeam scored higher in support analytics, incident response and management, reflecting the included machine learning analytics for a broad set of use cases, and the timeline investigation feature. Exabeam scored lower in the availability of complementary technologies, such as those that provide environmental context to the SIEM, or third-party tools for threat hunting. This is because Exabeam uses integrations with third-party solutions instead of selling its own technologies like EDR and NDR.

4
Q

FireEye

A

FireEye SIEM is delivered by the Helix platform, which integrates with FireEye’s separately sold, MVX-powered email, network and endpoint security solutions. Mandiant Threat Intelligence (which supports detections and threat hunting) and FireEye Security Orchestrator (for workflow automation) are also integrated into the Helix platform.
FireEye Helix is offered as a SaaS solution only, is deployed in multiple regions in AWS, and is managed by FireEye. On-premises data collection is handled via one or more free communications broker agents, while HelixConnect is used via a self-service portal for cloud data sources.
Notable enhancements include:
■ Improvements to the Helix Connect wizard.
■ Static and behavior-based analytics for third-party cloud and SaaS sources.
■ Event streaming of FireEye Endpoint and Email metadata to Helix.

FireEye Helix scored highest in complementary in-house technologies, threat hunting and
out-of-the-box security content operationalized from MVX analysis and real-world
Mandiant incident response, hunting and intelligence services. FireEye offers a
comprehensive all-in-one solution when using its complementary solutions, but
customization and creation of analytics and detections is limited compared to
competitors.

5
Q

Fortinet

A

FortiSIEM

6
Q

FortiSIEM

A

FortiSIEM is the SIEM solution from Fortinet, which includes an integrated CMDB, Advanced Server Agent, native multitenancy and integrated UEBA. Complementary solutions include FortiSOAR and FortiAnalyzer, along with the rest of Fortinet’s security product suite. FortiSIEM is available as virtual and physical appliances depending on the product. No cloud or SaaS options are available. FortiSIEM’s distributed architecture consists of four kinds of nodes: Supervisor, Worker, Collector and Report Server (needed when integrating third-party business intelligence software with FortiSIEM). For small installations, FortiSIEM can be deployed as a single virtual appliance or as a hardware appliance supplied by Fortinet. As complexity and performance requirements grow, customers can scale vertically with bigger appliances, and/or can scale horizontally by adding Worker and Collector appliances.
Notable enhancements include:
■ The addition of UEBA capabilities into FortiSIEM (from technology in Fortinet’s FortiInsight solution).
■ The ability to precompute search results for analytic reports to speed up search response times.
■ Nested searches that unify CMDB and event searches.
■ Case management enhancements that include a timeline view.
■ New archive options.
■ Searchable data archives from the user interface.

Fortinet FortiSIEM scored higher in user interface and experience as it brings a consistent interface and experience for users across the SIEM solution. Fortinet scored lowest in the analytics capability because, while it has added more advanced analytic capabilities through the addition of UEBA, it still lags the capabilities of several competitors in how data is collected (requiring an endpoint agent, for example) and in peer group profiling.

7
Q

Gurucul

A

Gurucul SIEM is a modular solution that uses the Gurucul Risk Analytics Platform. It has options for building a security platform based on organizational requirements by adding modules as needed. Gurucul SIEM supports on-premises, SaaS or hybrid deployment models and includes Data Collection and Aggregation, STUDIO, Threat Detection, Investigations, Case Management/Incident Response, Dashboards and Reporting. Gurucul Cloud is available in AWS, Azure, Google Cloud, IBM Cloud and other regional providers (for hosted options).
Notable enhancements include:
■ Advancement of the cloud-native architecture.
■ Human-readable machine learning analytics creation in STUDIO packaged content.
■ SOAR functionality.

Gurucul SIEM scored higher in architecture and deployment, and analytics. Gurucul offers native UEBA as well as the customization and creation of analytics with its STUDIO module. Gurucul scored lower on complementary technologies, and automation and orchestration compared to its competitors. Gurucul does not have solutions like EDR in its ecosystem, instead relying on integrations. Network traffic analysis (NTA) is implemented as an analytics module within the product, and relies on network data being fed to the solution rather than using network sensors.

8
Q

Huawei

A

HiSec Insight

9
Q

HiSec Insight

A

The Huawei SIEM solution is called HiSec Insight, and has numerous modules and
companion technologies for feature-specific or architecture-specific requirements, such as
network detection/protection, sandboxing, deception, UEBA, SOAR and threat intelligence.
Deployment options include Huawei public cloud for SaaS, and customer private clouds,
as well as on-premises.
Notable enhancements to the solution include:
■ Additional coverage of behavioral use cases via analytics.
■ Enhancements to risk scoring and integration with third-party endpoint detection and response technology.

Scores were relatively higher for complementary technologies for network traffic analysis and payload detection, and for the range of Huawei-branded product integrations with the SIEM. Huawei scored lower for data collection and management, reflecting a lack of integrations for monitoring popular SaaS applications, and native cloud monitoring that is restricted to the Huawei cloud. Content also scored lower, reflecting a relative lack of out-of-the-box coverage for a range of use cases through detection rules and models.

10
Q

IBM

A

The QRadar SIEM is the core component of IBM’s QRadar Security Intelligence Platform. QRadar can be deployed on-premises as physical or virtual appliances and software. QRadar on Cloud (QROC) is a hosted version in IBM Cloud. AWS, Azure or Google Cloud are also supported for DIY CIPS and hybrid deployments. IBM offers numerous add-ons for QRadar including vulnerability management, network packet capture/analysis, risk tools, forensics, UBA and SOAR. In addition to these IBM QRadar components, IBM offers the Security App Exchange, with integrations and security use cases developed by IBM and third parties.
Notable enhancements include:
■ The Use Case Manager (UCM), which is used to simplify the deployment and management of analytics.
■ A Universal Cloud Connector for REST API ingest.
■ A risk prioritization modeling tool.
■ A software-only version of the QRadar Network Insights (QNI) solution.

QRadar scored highest in analytics, and architecture and deployment. IBM offers mature real-time correlation as well as native UBA that is included with the core offering. QRadar SIEM is available in a variety of form factors supporting on-premises, hybrid and cloud-delivered options. QRadar scored lower in automation and orchestration, and data collection and management. QRadar lags some competitors in support for popular SaaS applications and CIPS; however, customers can use the Universal Cloud Connector to develop their own integrations as required.

11
Q

IBM

A

QRadar

12
Q

LogPoint

A

LogPoint’s SIEM offering includes its SIEM, UEBA and Director products. LogPoint has
complementary solutions like LogPoint for SAP and Applied Analytics. LogPoint’s SIEM
includes all features and functionality except for UEBA, which is a separate product.
LogPoint SIEM is available as a physical or software appliance. A SaaS option is not
available. The UEBA solution is only delivered as SaaS.
Notable enhancements to the solution include:
■ The acquisition of agileSI in August 2020 for additional SAP security capabilities.
■ The addition of coverage for MITRE ATT&CK via search and visualization.
■ Incident management improvements within the UEBA product.
■ Improvements to the platform aimed at operations and performance management of the platform.
■ Improvements in the automation of incident detection and response.
■ Common Criteria EAL 3+ certification for version 6.8.
■ Link graph analytics to show host and user relationships.
■ Expanded API access to the platform.

LogPoint SIEM scored higher in analytics and operations. LogPoint offers real-time
analytics in addition to an integrated UEBA solution, which is a premium add-on. LogPoint
also has a unified interface that centralizes all functions of the solution, even UEBA, which
is delivered as SaaS. The solution scored lower in automation and orchestration as
LogPoint does not offer comprehensive SOAR capabilities either natively or via an add-on
solution, relying on integrations with third-party SOAR solutions.

13
Q

LogRhythm

A

LogRhythm NextGen SIEM Platform

14
Q

LogRhythm

A

The LogRhythm NextGen SIEM Platform includes AnalytiX for log management, DetectX
for security analytics and RespondX for SOAR capabilities. Add-on components include
UserXDR for UEBA, NetworkXDR for NDR, CloudAI for cloud-based analytics, and NetMon
and SysMon for network and endpoint event collection.
LogRhythm’s architecture and deployment scores are lower due to the lack of a cloud-native deployment option, and reliance on customer-licensed third-party components like Microsoft SQL Server. User interface and experience scores are lower, reflecting the lack of a unified interface for all aspects of the solution. Operations and management require a thick-client application to manage the solution, as well as other apps for features such as managing threat intelligence. Scores for complementary technologies are higher, due to the availability of the company’s own integrated products for network and endpoint detection.

15
Q

ManageEngine

A

ManageEngine Log360

16
Q

ManageEngine / ManageEngine Log360

A

ManageEngine Log360 consists of a base SIEM platform and incident management functions for integrated response actions. Log360 is available with several modules, individually licensed, that address security and IT operations use cases. These include Active Directory auditing, log management, cloud security, UEBA, data security, and Office 365 and Exchange Server auditing. Log360 can be deployed on-premises in software or as a virtual appliance. Log360 can also be hosted by ManageEngine or deployed in a single-tenant, cloud-native format in the ManageEngine Zoho data center.
Notable enhancements include:
■ Integrations with third-party SOAR products.
■ Support for MITRE ATT&CK.
■ Incident investigation and triage console and dashboards for remote work security focused on VPN usage, and VPN attacks and trends.

ManageEngine Log360 scored higher in operations, and incident response and management. Log360 offers out-of-the-box response workflows, actions, a custom workflow feature and built-in ticket management. Integrations with ITSM tools like ManageEngine’s ServiceDesk Plus, in addition to ServiceNow, Jira and Zendesk, are supported. Log360 scored lower in complementary technologies, and data collection and management. Log360 lags in integrating third-party security solutions, and in monitoring SaaS and CIPS.

17
Q

McAfee

A

McAfee’s SIEM is Enterprise Security Manager (ESM). It is composed of Event Receiver (ERC), Enterprise Log Search (ELS), Enterprise Log Manager (ELM) and the Advanced Correlation Engine (ACE). In addition, McAfee ESM can be extended and enhanced with McAfee Direct Attached Storage (DAS) for additional log storage capacity, or McAfee Global Threat Intelligence (GTI) for IP reputation.
McAfee ESM is offered as physical or virtual appliances. McAfee offers a cloud-hosted option called McAfee Cloud ESM, which is delivered via Oracle Cloud. McAfee also has a large ecosystem of other security solutions that integrate with ESM, like ADM, MVISION Cloud and MVISION EDR.
Notable enhancements include:
■ Release of ESM Cloud for buyers that want a cloud-delivered version of McAfee ESM.
■ Expanded support for security solutions delivered as a service (like Windows Defender ATP, Okta and others) as delivered content packs with rules mapped to MITRE ATT&CK.

McAfee scored higher for its complementary technologies given the ecosystem of solutions available from McAfee and how they are integrated with ESM. McAfee scored lower in analytics as it offers some advanced analytic capabilities but lacks UEBA that leverages batch analytics and machine learning, instead relying on real-time, rule-based detections and basic baselining approaches.

18
Q

Micro Focus

A

Micro Focus’ ArcSight 2020 platform consists of ESM, Recon, Logger, Intelligence (previously Interset UEBA), SOAR (from the ATAR Labs acquisition), Transformation Hub and Connectors. Deployment form factors vary across the elements of the solution, with AWS being the currently supported cloud option for several components. All components of the ArcSight platform are available as software. ArcSight ESM, Recon, ArcMC and Connectors are available as physical appliances. Some portions of the solutions are available as containers, like Transformation Hub, Intelligence and Recon. Transformation Hub can be deployed in Azure or AWS. A hosted or cloud-native version of ArcSight is not available.
Notable enhancements to the products include:
■ Further integration of advanced analytics via UEBA.
■ Rationalization of multiple data stores, now called Recon.
■ Further modernization of the UI/UX.

Micro Focus scored highest for analytics, reflecting the real-time correlation engine as well as its UEBA, which is available as an add-on via the Intelligence solution. Complementary technologies was the lowest-scoring capability as ArcSight focuses on its core SIEM solution along with UEBA and SOAR, but doesn’t have in-house technologies like EDR and NDR, instead relying on integrations with third-party solutions. Micro Focus’ security product portfolio is oriented toward preventative technologies like identity and access management, application security, and data protection and encryption.

19
Q

Microsoft

A

Azure Sentinel

20
Q

Microsoft / Azure Sentinel

A

Azure Sentinel is Microsoft’s SIEM solution that became generally available in September 2019. It is delivered only as a cloud-native offering via Microsoft’s Azure cloud services. Azure Sentinel is available in all Azure regions except for China. Automation capabilities are integrated into Azure Sentinel and delivered via Azure Logic Apps. Microsoft also has a large ecosystem of security solutions like EPP, EDR and CASB, among others, that integrate with Azure Sentinel.
Notable enhancements include:
■ The addition of UEBA natively within the solution.
■ The investigations graph.
■ Ability to centrally manage other Azure Sentinel instances via Lighthouse.
■ Build-out of core analytics and automation.

Microsoft Azure Sentinel scored higher in analytics as it offers a range of real-time analytics as well as native UEBA that is included with the core product. Azure Sentinel scored lower for its user interface and experience as it is a service within Azure. This requires using multiple Azure services, which in turn requires familiarity with the Azure Portal, compared to other cloud SIEMs that offer more of an integrated-SaaS-type user experience.

21
Q

Odyssey Consultants

A

Odyssey’s ClearSkies SaaS NG SIEM product consists of the base SIEM product, real-time analysis and log retention. Odyssey offers additional complementary technologies for ClearSkies SIEM, including EDR, identity and access, active response, and deception. ClearSkies SIEM uses the NG iCollector as a virtual machine or physical appliance to collect on-premises data. ClearSkies SIEM can be deployed as a physical appliance, virtual machine, vendor hosted, and as either cloud-native single-tenant or multitenant.
Notable enhancements include:
■ Support for the ENISA Threat Taxonomy, collecting and sorting cyberthreat information.
■ The Risk Exposure dashboard for real-time security posture.
■ A threat confidence level based on machine learning algorithms to assist the user in determining which indicators of attack will be escalated.

Odyssey ClearSkies SIEM scored highest in architecture and deployment, and operations capabilities. ClearSkies SIEM offers a single portal for its solution where different functions for SIEM and other solutions are available as apps. ClearSkies SIEM scored lowest in data collection and management. Buyers with CIPS and SaaS monitoring needs must assess ClearSkies SIEM’s ability to support non-Odyssey cloud and partner cloud environments (including SaharaNet).

22
Q

Rapid7

A

InsightIDR

23
Q

Rapid7 / InsightIDR

A

Rapid7’s SIEM solution is InsightIDR, and is delivered as a cloud-native solution on the
Rapid7 Insight platform. Other products available on the platform include InsightVM
(vulnerability management), InsightAppSec, InsightConnect (SOAR), InsightOps (log
management for operations support), DivvyCloud (cloud security posture management),
and Enhanced Network Traffic Analysis. The architecture includes an endpoint agent for
SIEM (also used for vulnerability management), a network sensor, and collectors to
forward log data to the Insight platform.
Notable enhancements include:
■ Visibility of endpoint agents.
■ Released network traffic analytics.

Rapid7 achieved good scores for its user interface and experience, with a clean and
consistent look and feel to the InsightIDR portal. Complementary technologies, described
above, also scored well. Content, and incident response and management, were the
lowest-scoring capabilities. Rapid7’s support of threat intelligence requires the use of APIs,
and MITRE ATT&CK mappings to rules are not exposed to users in the UI, but are available
offline by request.

24
Q

RSA

A

NetWitness Platform

25
Q

RSA / NetWitness Platform

A

The NetWitness Platform is composed of NetWitness Logs, Endpoint, Networks, UEBA and Orchestrator. NetWitness can be deployed as software or appliance, both physical and virtual. SaaS options are available only for NetWitness Orchestrator and Detect AI UEBA. There are modular components that allow for various deployment and scaling options (Decoders, Log Decoders, Concentrators, Brokers, Event Stream Analysis [ESA], and NetWitness Server).
Notable enhancements include:
■ Added features to enable customers to create parsers.
■ Improved customer log search features.
■ The addition of several UX and UI enhancements, including the Springboard single landing page that brings together all detections, risks, alerts and incidents observed across log, packet and endpoint data.
■ Support for Logstash to support data collection from cloud-based sources.
■ Platform improvements such as a new health and wellness system for operational management of the platform.

NetWitness scored higher in complementary technologies due to the various security solutions available with the NetWitness platform that complement the SIEM. The solution scored lower in user interface and experience compared to several competitors due to the need to access different interfaces for the core NetWitness solution and its SOAR solution for incident response and management. There was also less use of visualizations in the solution compared to other competitors.

26
Q

Securonix

A

Securonix SIEM

27
Q

Securonix

A

Securonix’s SIEM solution consists of Next-Gen SIEM, Security Data Lake, UEBA, SOAR, NDR, Threat Intelligence, Adversary Behavior Analytics and several use-case-specific apps. Customers can choose from multiple form factors, including SaaS (hosted in AWS regions in NA, MEA and Europe, or in Azure regions in the U.S., Europe and UAE), hosted, on-premises, hybrid cloud/on-premises, and hybrid and federated cloud/cloud deployments. The solution offers several levels of resource-sharing tenancy and features cloud deployments that can support the requirements of both large enterprises and service providers.
Notable enhancements include:

■ Architectural support for cross-CIPS deployments.
■ More performant long-term searching.
■ An analytics sandbox for testing models prior to deployment.

Securonix scored highest across most capabilities compared to its competitors, with analytics the highest rating. Securonix offers natively integrated advanced analytics and UEBA alongside its real-time analytics. Automation and orchestration was the lowest-scoring capability. Securonix includes some native SOAR built into the platform, but also offers a stand-alone SOAR option based on CyberSponse (now FortiSOAR after its acquisition by Fortinet). Securonix has indicated that it will be releasing its own stand-alone SOAR solution in 2021, which buyers should evaluate going forward.

28
Q

Splunk

A

Splunk Enterprise Security (ES)

Splunk’s Security Operations Suite includes core products, Splunk Enterprise or Splunk Cloud, and three security-specific solutions: Splunk Enterprise Security (ES), Splunk UBA and Splunk Phantom.

29
Q

Splunk

A

Splunk’s Security Operations Suite includes core products, Splunk Enterprise or Splunk
Cloud, and three security-specific solutions: Splunk Enterprise Security (ES) which is the
SIEM offering, Splunk UBA and Splunk Phantom. Splunk core and the three security
solutions are sold as stand-alone products. Splunk can be deployed as software or via
Splunk Cloud. Splunk Enterprise and Splunk Cloud components consist of Universal
Forwarders, Indexers and Search Heads supporting n-tier architectures.
Notable enhancements include:
■ The introduction of Splunk Mission Control.
■ A unified SaaS-delivered visual interface for Enterprise Security, UBA, Phantom and Risk-Based Alerting.
■ An expansion of monitoring capabilities for cloud environments.

Splunk Enterprise Security scored highest in content. Splunk offers a range of out-of-the-box content available as part of Enterprise Security, as well as a plethora of applications available in Splunkbase. Splunk scored lowest for its user interface and experience. While Splunk Enterprise and Enterprise Security are well integrated, separate interfaces are still required for the UBA and Phantom applications. Splunk has introduced Mission Control to unify these three products into a single interface regardless of where the solutions are deployed. However, Mission Control is a new offering for customers.

30
Q

Sumo Logic

A

Cloud SIEM Enterprise

31
Q

Sumo Logic / Cloud SIEM Enterprise

A

Sumo Logic’s SIEM solution is Cloud SIEM Enterprise, and is available as an AWS-based
SaaS offering hosted in North America, Europe and Asia/Pacific regions. The product is
cloud-native and supports several agent and hosted collection options for data ingestion
from cloud, on-premises and hybrid environments.
Notable enhancements include:
■ Improvements to scalability.
■ Support for a broader range of security use cases released via rule engine enhancements.
■ Additional user, entity and anonymized cross-customer analytics.

Cloud SIEM Enterprise scored well in operations, such as updating out-of-the-box content and deployment/management of analytics content. Behavioral analytics features, such as dynamic profiling and peer group analysis, are not as mature as those of several UEBA-focused SIEM competitors.

32
Q

Venustech

A

Venustech’s Venusense Unified Security Management (USM) product consists of the base
USM SIEM solution. Venustech offers multiple add-on module subscriptions to include
analytics, SOAR, network analysis, configuration management, asset management,
security program management, EDR and threat intelligence.
Notable enhancements include:
■ SOAR functionality.
■ Threat tracing coupled with forensic functions.
■ Better network traffic analysis to detect abnormalities in traffic.

Venusense USM scored highest in analytics. For example, custom rule creation is provided that allows the user to create complex conditional trees, complemented by a graphical view. Nesting, thresholds and defined next actions enhance this strength of the USM SIEM. USM scored lower in content and complementary technologies. Buyers with compliance reporting requirements outside of the China market will find a lack of support for non-Chinese frameworks. China market buyers will have to pay for an add-on compliance module.

33
Q

SIM

A

Security information management

34
Q

SEM

A

Security event management

35
Q

Core Functions of a SIEM

A

■ The collection of and access to security event information from a wide variety of sources in a repository where it can be processed and stored in various forms (original, enriched and normalized, for example).
■ Detection and alerting of events — such as threats, anomalous behavior and noncompliance — supported by both real-time and historical, or batch, analysis capabilities.
■ Reporting and dashboards.
■ Searching across historical data for incident investigation, forensics and threat-hunting activities.
■ Workflow and incident (case) management.
■ Automation to support the response to detected events, alerts and incidents.
■ Integrations with products from the same vendor and third-party solutions to enhance the features and functionality of the core SIEM solution.
■ Creation and management of threat detection and compliance content in the form of rules, analytics, reports and dashboards, for example.

36
Q

SIEM technology is typically deployed to:

A

Analyze activity across multiple systems, applications and environments.

Detect activities associated with threat actors, such as external attackers attempting
to breach an organization.

Support compliance monitoring and reporting.

Aid in the monitoring, investigation and response to detected activities and events.

37
Q

The event data that SIEM solutions analyze is produced by what?

A

Networks, devices, systems, applications

38
Q

Critical Capabilities of a SIEM

A

Architecture and Deployment
Data Collection Management
Analytics
Content
Incident Response and Management
Automation and Orchestration
Operations
User Interface and Experience
Complementary Technologies

39
Q

SIEM Use Cases

A

Essential SIEM
This use case supports broad-based threat detection, as well as features that help new
and less-mature SIEM buyers and users.
This use case is appropriate for first-time SIEM solution buyers, and buyers focused on
less-sophisticated use cases. These buyers may be more likely to adopt a cloud SIEM or
“single box” solution. The focus is on solutions that are easier to implement and manage
with packaged content that solves discrete use cases for threat-monitoring (including
ransomware and business email compromise), compliance (PCI DSS, HIPAA, SOX and
GDPR, for example), and particular best practices or frameworks (including NIST
Cybersecurity Framework and ISO 27001).

Complex SIEM
This use case focuses on SIEM solutions with complex architectures, the need to
customize threat detection content and analytics, a variety of in-scope environments, and
user populations, as well as big data-type log and event challenges.
N-tier or hybrid architectures are required to support environments with challenges such as
distributed geographies and multiple environments (whether that be on-premises, IaaS or
SaaS) for data collection; high volumes, velocities and varieties of data collection; and
multitenancy requirements. Event monitoring, both real-time and batch, leverages a variety
of analytics in varying degrees of complexity. Best-of-breed security technologies may be
employed, which requires integrations for both data collection as well as incident
investigation and response activities.

Supporting a Modern SOC
This use case is applicable to organizations that want to support the functions of a
modern security operations center.

Buyers preferring a sole-vendor approach may be attracted to a SIEM vendor that offers
complementary tools, or at a minimum integrations with third-party solutions, to support
their core SIEM capabilities, such as SOAR, EDR and NDR. This use case arises when
organizations have a greenfield modern SOC build-out, or are modernizing an existing
SOC with improvements to threat intelligence, incident response and threat hunting (see
Selecting the Right SOC Model for Your Organization and Tips for Selecting the Right
Tools for Your Security Operations Center).

40
Q

Weighting of Critical Capabilities

A

Essential SIEM
Architecture and Deployment - 10%
Data Collection and Management - 5%
Analytics - 10%
Content - 20%
Incident Response and Management - 5%
Automation and Orchestration - 5%
Operations - 20%
User Interface and Experience - 20%
Complementary Technologies - 5%

Complex SIEM
Architecture and Deployment - 15%
Data Collection and Management - 15%
Analytics - 15%
Content - 10%
Incident Response and Management - 10%
Automation and Orchestration - 5%
Operations - 10%
User Interface and Experience - 10%
Complementary Technologies - 10%

Supporting a Modern SOC
Architecture and Deployment - 5%
Data Collection and Management - 10%
Analytics - 10%
Content - 15%
Incident Response and Management - 15%
Automation and Orchestration - 10%
Operations - 10%
User Interface and Experience - 10%
Complementary Technologies - 15%