The appliance installs readily enough, and the three-layer architecture consists of the controller (where most of the action takes place), the agents (very lightweight sensors on monitored devices across the enterprise), and consoles (the user interfaces). Controllers can be cascaded across the enterprise for scalability, and multiple responders can collaborate on incident data.
We found logging to be robust. The variety of data that can be collected includes just about everything one might need when analyzing an incident. There is about two terabytes of storage, and data is encrypted both in motion and at rest. The controller queries the agents, and the collected data is used to analyze the root cause of the incident. Additionally, because the data is handled following forensic practice, it can survive court challenges. This is very important when data collected and analyzed on MIR is presented as evidence in criminal or civil litigation.
Documentation is supplied on a CD along with the agent software. The administrator's guide is first-rate. Mandiant offers 24/7 support, but there is no obvious place on the website to access a support site. Mandiant does offer a very complete suite of professional services, although we would have preferred an easily accessible support section on the website directly addressing the Intelligent Response product.
This is an expensive box. However, cost must be weighed in the context of what it does for the organization, and that is considerable. The difference between solving a very costly incident and leaving it unaddressed or poorly addressed can be huge, especially when one considers regulatory requirements and potential upstream liability. We find that the product is a good value given its responsibility and the competent way it addresses that responsibility.