We're a longtime customer that engaged with Threat Stack when they were a very young company.
Threat Stack aggregates all of our Linux system-level events and automatically classifies them according to severity (1, 2, and 3). Threat Stack comes with a default rule set that is good, and there is also a set of rules tuned to HIPAA that has helped quite a bit. Additionally, we have written our own rules to reduce the amount of noise from the system. It's easy to create rules. With those rules in place, we only spend about 10 minutes per week looking at the Threat Stack console (two engineers, 5 minutes each). We send Severity 1 alerts to email and triage those immediately/ad hoc.
We also like the fact that it looks at our systems and rates them for vulnerabilities (CVEs) so that we can keep our systems properly patched.
More recently we've been intrigued by their new machine learning process to identify anomalies (though we're not using that, yet). We also did a test-drive of their service whereby their staff alert us based on their understanding of server behavior: We liked it but we're still just a little too small to justify the expense. We are not yet using their container monitoring, but we will eventually.
We have on occasion used their API, which has been helpful for some specialized data analysis.

Review collected by and hosted on G2.com.