Just as it says, I am looking for honest reviews of Chronicle Security as a whole. The product itself and a straightforward answer on how they do pricing based on total users in an organization. Good faith user count estimates? Count of user names in logs?
My company is an MSSP looking to replace a popular legacy SIEM (you can probably guess). We use our own proprietary reporting and incident/case aggregation tool on top of whatever security products we manage, and our customers have access to those. In particular, we would like a tool or combination of tools that can act as a data lake for ultra-fast searching and more than a month of searchable data. We also need the capability to easily do IOC alerting and create custom detections. We also would like the ability to give the customer accounts on the backend data lake/SIEM we decide on.
So far, Chronicle fits the description the best, however I haven’t heard from any sales representative after multiple requests the past few weeks. I’m surprised, I’d expect sales to be on top of new customers or potential partners. Chronicle honestly looks like a fantastic security product.
Some of you will probably ask if we have tried various other SIEMs/XDRs, so I will list what we will try and what doesn’t quite fit what we need as an MSSP.
Various Elastic SIEMs: We use one for some other customers, and aren’t interested in expanding beyond what exists due to the new Elastic License restrictions. We’ve also experienced abnormal failures with the product. Many seem to offer only one month of hot searchable data.
Rapid7 InsightIDR: We are interested in doing a POC.
Splunk: Too expensive, overrated imo.
Sentinel: I personally love it, but our customers don’t have an Azure-only ecosystem, and I have heard it is on the expensive side (I don’t have a quote myself).
Palo Alto Cortex DataLake + XDR: We are interested in POCing and getting estimates.
FortiSIEM: Initially we liked the MSSP capabilities, however we have found that rule tuning will fail for unknown reasons.