strong incident detection and response capability
What do you like best?
Blumira's strength is in their creation of high quality detections known as "findings" in the Blumira dashboard. They are constantly improving the product by adding new finding types to respond to the latest threats. The step by step workflows that walk you through how to respond to each finding when it is received are very helpful, especially for teams that do not have established in-house security teams or incident response capabilities.
What do you dislike?
While the detection and response capabilities are great, Blumira's weakness is in generic log search and threat hunting through existing logs. The provided log search tools make discovery of column names and relevant information difficult when compared to the UI of other platforms such as ELK and Humio. Still, if your primary goal is real security and not digging through logs, Blumira has an excellent product. Another area that could be improved is the onboarding process for getting up and running with high-signal log sources. It would be easy to miss the value of Blumira if GPO audit settings, Linux syslogs, Sysmon, and other sources are not properly configured for good coverage.
Recommendations to others considering the product:
If your current SIEM solution only does logging and generates reports, consider switching to Blumira to upgrade to real detection and response capabilities.
What problems are you solving with the product? What benefits have you realized?
Blumira provides the important SIEM corner of the SOC Visibility Triad. It gives peace of mind that there is an additional layer of protection beyond basic EDR and leverages SIEM as a detection tool due to the valuable findings.