AlienVault USM Reviews

593 Ratings
Score 7.9 out of 10


TrustRadius Top Rated for 2019

Reviews (1-25 of 346)

Christian Holton
Score 8 out of 10
We use AlienVault across the org, with accumulator appliances in two offices and in our cloud infrastructure. These devices are syslog targets and are used to scan traffic in each location. In addition, I also have deployed the AlienVault USM agent script to all servers and user systems. AlienVault sometimes notifies me of problems within integrated systems such as Sophos before that service itself. Notifications as simple as an improperly configured SSH config or something as significant as signs of SPECTRE traffic are delivered to my inbox so I may deal with these alerts ASAP.
  • Alienvault USM is THOROUGH. We have a highly integrated workspace that's most SAAS, and I monitor those integrations and their security with AV. If I am trying to track the uptime of a laptop, I don't go to VPN or our Directory Services... I go to AV.
  • As I mentioned before, we use Sophos to protect our laptops. If a questionable file shows up on someone's laptop, I hear about it from AlienVault before I hear about it from our Sophos service.
  • The OTX Pulse feature is a built-in feature that lets you subscribe to industries and you are notified about new threats that affect that industry on a daily basis. The pulse alerts are added to your AV watchlist.
  • Personally, I've wished I could purchase a service that would configure AV for my environment. I get a lot of traffic on a daily basis and I almost need to hire an analyst that just works on AV.
  • Some of the filters when looking for a specific alert aren't that easy to use.
AlienVault is an amazing product. The only reason my rating isn't higher is that most of my colleagues work for smaller businesses where the IT staff is less than 5 people. There are a lot of moving parts to AlienVault and it is almost another job. Folks in my circle of colleagues, for the most part, don't have the bandwidth that AlienVault demands.
To be honest, I feel like I've just scratched the surface with AlienVault. For example, we are paying for a service that installs agents on each laptop or server that 1) notifies me when there are patches or updates, 2) notifies me when common features are configured in a way that would constitute a vulnerability (i.e. allowing password authentication in sshd_config) and 3) can automatically apply patches and reboot the machine. AlienVault can do 1 and 2 without much additional configuration and when you install the AlienVault Agent and set up some basic scripts or commands, you can mostly do 3.
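The sshd_config check the reviewer describes (flagging password authentication as a weak setting) is easy to reproduce locally. The following is an added example, not code from the review or from AlienVault, and it operates on constructed sshd_config text embedded in the block rather than a real file. It applies the rules sshd(8) itself uses when reading the file: keywords are case-insensitive, `#` starts a comment, the first occurrence of a keyword wins, and directives inside a `Match` block apply only to matching connections, so they are reported separately from the global settings. The defaults assumed (PasswordAuthentication yes, PermitRootLogin prohibit-password) are those of OpenSSH 7.0 and later.

```python
"""Audit sshd_config text for password-based authentication settings.

Added example, not part of the review or of AlienVault's agent. The
sample configurations below are constructed for illustration.
"""
import re

# OpenSSH 7.0+ defaults for the keywords this check cares about (assumption
# stated in the lead-in; older releases default PermitRootLogin to yes).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    global_settings maps lowercase keyword -> value for directives that
    appear before any Match line.  match_blocks is a list of
    (criteria, settings) tuples in file order.  As in sshd(8), the FIRST
    occurrence of a keyword within a scope wins; later ones are ignored.
    """
    global_settings = {}
    match_blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        # sshd accepts "Keyword value" and "Keyword=value".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        current.setdefault(keyword, value)  # first occurrence wins
    return global_settings, match_blocks


def check_sshd_config(text):
    """Return a list of findings; an empty list means no weak setting found."""
    global_settings, match_blocks = parse_sshd_config(text)
    findings = []
    effective = {k: global_settings.get(k, v) for k, v in DEFAULTS.items()}
    if effective["passwordauthentication"].lower() == "yes":
        findings.append("global: PasswordAuthentication is yes (default if unset)")
    if effective["permitrootlogin"].lower() == "yes":
        findings.append("global: PermitRootLogin yes")
    for criteria, settings in match_blocks:
        if settings.get("passwordauthentication", "").lower() == "yes":
            findings.append(f"Match {criteria}: PasswordAuthentication yes")
    return findings


# Constructed sample: the second PasswordAuthentication line looks like a
# fix but sshd ignores it because the first occurrence wins.
WEAK_CONFIG = """\
Port 22
PasswordAuthentication yes   # first occurrence wins
PasswordAuthentication no    # ignored by sshd
PermitRootLogin yes
Match User backup
    PasswordAuthentication no
"""

# Constructed sample with the settings the reviewer's alert would want.
HARDENED_CONFIG = """\
Port 22
PasswordAuthentication no
PermitRootLogin prohibit-password
ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_sshd_config(cfg) or ["no findings"])
```

Running the block reports two findings for the weak sample and none for the hardened one; the `Match User backup` block does not clear the global finding, because a per-user override leaves password logins enabled for everyone else.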
Mpho Lekota
Score 7 out of 10
AlienVault USM also enables you to centralize the storage of all your log data in the AlienVault Secure Cloud, a certified compliant environment. This alleviates the burden of having to manage and secure logs on-premises, while providing a compliance-ready log management environment. SIEM software solutions and log management tools provide valuable security information, but often require expensive and time-consuming integration efforts to bring in log files from disparate sources such as asset inventory, vulnerability assessment, endpoint agents, and IDS products. Once you have the data, you then must research and write correlation rules to identify threats in your environment. The advantages of using all-in-one security essentials are saving time and money in integrating multiple third-party security tools and starting to detect threats on day one with pre-written correlation rules.
  • The USM platform provides the essential security capabilities that work together for a fast and cost-effective way for organizations to have complete visibility into the security of their environment.
  • With the information gathered during asset discovery, USM will correlate that information with known vulnerabilities for continuous vulnerability awareness. In addition, USM contains an active scanner capable of scanning for over 30,000 known vulnerabilities.
  • To give better visibility into your network, and possibly detect intrusions that don’t follow behavioral patterns, we offer Netflow information, bandwidth monitoring, and traffic capture, all part of our behavioral monitoring capabilities built into USM.
  • External threats — Coming from external attackers.
  • The value of the asset associated with the event
AlienVault USM is well suited for any small/medium businesses as well as big corporations. The reporting and dashboard alone are something I always look for in a USM because it makes it easier for me to gather and find the information I am required to have. If detailed reports are what you are looking for or an easy-to-navigate dashboard this is the software for you.
AlienVault is pretty feature-rich compared to other SIEM solutions, but those features are mostly good, not great. There is also a growing list of 3rd party integrations as well, which can make the solution even stronger. With that said, there are other SIEM solutions that offer more flexible deployment models, have more 3rd party integrations, and offer more extensibility in terms of holistically supporting the incident response process. Our organization has found AlienVault to work pretty well for us, as this is the first SIEM the business has deployed.
Stacey Medina
Score 10 out of 10
I was put in charge of getting our company NIST-800 compliant and one of the requirements of compliance is to have a security information and event management (SIEM). The company that did our gap analysis highly recommended the AlienVault USM and after a bit of research and reviews, I decided to move forward with AlienVault. I was very impressed with how simple it was to deploy as a virtual machine and how robust the interface is. This USM does everything and more. I can't wait to delve deeper into the functionality of the dashboard. The support team is also very responsive and very knowledgeable of the product.
  • The detailed reporting it provides
  • Simple to deploy and install
  • Great dashboard
  • Excellent tech support
  • Offer more free training courses, either on-demand or scheduled webinars.
AlienVault USM is well suited for any small/medium businesses as well as big corporations. The reporting and dashboard alone are something I always look for in a USM because it makes it easier for me to gather and find the information I am required to have. If detailed reports are what you are looking for or an easy to navigate dashboard this is the software for you.
AlienVault USM is one of the best tools to use due to its ability to notify you and also give you very granular control of what you can view about the threats. It pins down the data needed to track down any information needed to report or view from the threat and also has wonderful KBs on how to fix or resolve them.
Jeremy Cejka
Score 4 out of 10
The business problem it addresses is derived from governance and compliance set by the USG and the DFARS regulations to have a SIEM. I have experience with paid products such as QRadar and Splunk, and open source products such as Graylog/ELK/Wazuh/Security Onion. This is a department tool to consume the whole organization's security related data. We currently use it as the SIEM.
  • It's a decent log aggregator.
  • Does correlation between events well, if set up correctly.
  • Control on attribute mapping within USM Anywhere or fully disclose the mappings between ingested raw logs and attributes those values map to, in order to be searchable, and give power to the end user to create meaningful alerts and queries for the right content.
  • Notifications for alerts tend to lack the essentials to make a determination off of the email. Oftentimes alerts within cloud products are benign and part of the user experience and behavior, but get classified as violations, because they meet the criteria of equivalent alerts that are actionable.
To be honest, AlienVault is run of the mill. I can get more power out of Graylog/ELK and pay for the threat exchanges they have, and still have complete control over how my SIEM works for me. AlienVault USM isn't a bad product, but as an end user you give up too much control and get little back from the company when it comes to attribute mapping. Also not a fan of the updates that break my appliance for a couple days, which falls in the category of control. I think USM is a good starter for small companies needing SIEM where resources otherwise prohibit having someone/something better. As businesses grow and compliance becomes more instituted, the business's needs may be very unique, where AlienVault may not be able to satisfy the burden of their specific SIEM needs.
Frank DePaola
Score 7 out of 10
AlienVault is a great SIEM for organizations who are either new to security operational logging, and wish to purchase a sound solution at a lower price point, or those with a smaller staff and potentially IT budget that wishes to buy a solution that can accomplish many different tasks. Our use of the platform extends across the global organization. We have documented multiple use cases that we are working through within the AlienVault platform such as vulnerability management and scanning, malware detection on clients and servers, malicious network traffic moving laterally and vertically throughout our environment, etc. As is the case with any SIEM, they are only as effective as the log sources that they ingest allow them to be. We are pulling in Windows client and server event logs (filtered to specific EventIDs), DNS, DHCP, AWS CloudTrail/CloudWatch logs, NIDS sensor logs, firewall logs, and are also working to integrate the solution with other corporate systems to extend its capability, such as our ITSM. AlienVault is pretty feature-rich compared to other SIEM solutions, but those features are mostly good, not great. There is also a growing list of 3rd party integrations as well, which can make the solution even stronger. With that said, there are other SIEM solutions that offer more flexible deployment models, have more 3rd party integrations, and offer more extensibility in terms of holistically supporting the incident response process. Our organization has found AlienVault to work pretty well for us, as this is the first SIEM the business has deployed. Additionally, we are early on in the process of cybersecurity program development, so AlienVault's inclusion of features such as vulnerability scanning and file integrity monitoring extend its value.
  • Feature-rich: includes functionality not typically present in other SIEMs such as vulnerability scanning, UEBA, file integrity monitoring, NIDS
  • Simple to configure and deploy.
  • Relatively inexpensive compared to other enterprise SIEM solutions.
  • While there are many features, many of them are not very advanced. Vulnerability scanning as an example is extremely simplistic and almost unusable for an enterprise organization. It's just enough to get a program off the ground.
  • Cloud-only deployment model (SaaS) may not fit all organizations. Not all organizations are "cloud friendly".
  • Reporting capabilities out of the box are lackluster. Vulnerability management reporting as an example does not include a single canned report.
AlienVault USM is well suited for smaller organizations or organizations of any size that are just lifting their security operations or security monitoring program off the ground.

AlienVault USM is less appropriate for more mature organizations who have the staff to support more advanced security operational capabilities or engage in advanced threat hunting. Also, organizations who like more ability to add internally developed functionality into their SIEM through scripting or other automated response activities.
Like most situations, you get out what you put in. AlienVault is not going to filter up to every malicious activity occurring in an environment right out of the box. There is plenty of work to be done to get log sources ingested in a prioritized manner, to get basic rules tuned, and to integrate it with other solutions, where it makes sense. This maturity can take years to put in place in many cases. Once AlienVault USM is set up and tuned properly and has all log sources ingested, it is very good at finding things in an environment. It requires constant maintenance moving forward however to ensure that as tech landscapes change, the alarm rules are properly configured, and new ones are added.
Matthew White
Score 10 out of 10
AlienVault USM Anywhere provides us with SIEM, at a low price point and with a great array of functionality. SIEM is critical to our security operations and feeds incident response efforts. We use it to monitor logs and events from our applications and server platforms, integrating many of our other security products into the flow of data into USM Anywhere, for centralized logging and event management.
  • AlienVault USM Anywhere is easy to deploy with their cloud-based model and deploying the required agents on-prem (or in the cloud) is quick and easy.
  • Custom rules allow for alerting based on content from events and you can even trigger agents in response to threats, shutting down computers or grabbing forensic info for incident response.
  • USM Anywhere also takes care of reporting for ISO and PCI, allowing you to pull reports for auditors at a moment’s notice.
  • With many integrations out-of-the-box, you can pull in all the data from products you use and other sources, such as Amazon CloudWatch Logs.
  • We would love to be able to create custom rules based on a series of events, to create rule-sets where, for example, failed logins to the VPN Server are logged and then when a successful attempt follows soon after, it triggers an alarm for a Brute Force. It does this for things like OKTA already, so control over which events this applies to would be great.
  • More data tiers - something between 250GB and 500GB tiers, maybe break it down into 100GB tiers?
  • Integration with OpsGenie would be great.
AlienVault USM Anywhere is a great SIEM and if you need to deploy a SaaS solution then it is suited very well. It works very well for us being 100% AWS and integrates well with our toolset and AWS features. The AT&T Alien Labs Open Threat Intelligence (OTX) is perfect for providing context on events and feeding our incident response processes.
We have OTX to be a valuable source and the tight integration with USM really helps eliminate false positives. Being able to submit your own information into OTX also adds value and helps put context on threats. We sometimes find IP addresses can be out of date in OTX and linked to old threats, but it's good to see the history of what has occurred on this IP and you can go back and look for historical indicators of compromise in your data.
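The sequence rule the reviewer wishes for (a run of failed VPN logins followed shortly by a success from the same source raises a brute-force alarm) is a stateful correlation that any SIEM or a small script can implement. The block below is an added example, not code from the review or from AlienVault, and it runs over constructed syslog-style lines in an assumed `vpn-gw: auth failed|ok user=... src=...` format. It keeps a per-(source, user) sliding window of failures and alarms only when a success lands while at least `threshold` failures are still inside the window, so slow, spread-out failures that a real user produces do not trigger it.

```python
"""Brute-force-then-success correlation over VPN authentication logs.

Added example, not part of the review or of USM Anywhere.  The log
format and the sample lines are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<iso timestamp> <host> vpn-gw: auth failed|ok user=<u> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) vpn-gw: auth (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return an event dict for a matching line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


class BruteForceCorrelator:
    """Alarm when >= threshold failures within `window` precede a success."""

    def __init__(self, threshold=5, window=timedelta(minutes=5)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # (src, user) -> failure timestamps
        self.alarms = []

    def feed(self, event):
        key = (event["src"], event["user"])
        recent = self.failures[key]
        # Expire failures that fell out of the sliding window.
        while recent and event["ts"] - recent[0] > self.window:
            recent.popleft()
        if event["result"] == "failed":
            recent.append(event["ts"])
            return None
        # A success: decide whether it completes a brute-force sequence.
        alarm = None
        if len(recent) >= self.threshold:
            alarm = {
                "rule": "vpn_bruteforce_success",
                "src": event["src"],
                "user": event["user"],
                "failures": len(recent),
                "first_failure": recent[0],
                "success_at": event["ts"],
            }
            self.alarms.append(alarm)
        recent.clear()  # a successful login resets the counter either way
        return alarm


def correlate(lines, threshold=5, window=timedelta(minutes=5)):
    """Run the correlator over raw log lines and return the alarms raised."""
    corr = BruteForceCorrelator(threshold, window)
    for line in lines:
        event = parse_line(line)
        if event:
            corr.feed(event)
    return corr.alarms


# Constructed sample log.  alice: six failures in 40 s then a success
# (alarm).  bob: two typos then a success (no alarm).  carol: five
# failures six minutes apart then a success (no alarm: the window expires).
LOG_LINES = [
    f"2019-11-06T10:00:{s:02d} vpn1 vpn-gw: auth failed user=alice src=203.0.113.5"
    for s in (1, 9, 17, 25, 33, 41)
] + [
    "2019-11-06T10:00:50 vpn1 vpn-gw: auth ok user=alice src=203.0.113.5",
    "2019-11-06T10:01:00 vpn1 vpn-gw: auth failed user=bob src=198.51.100.7",
    "2019-11-06T10:01:10 vpn1 vpn-gw: auth failed user=bob src=198.51.100.7",
    "2019-11-06T10:01:30 vpn1 vpn-gw: auth ok user=bob src=198.51.100.7",
] + [
    f"2019-11-06T10:{m:02d}:00 vpn1 vpn-gw: auth failed user=carol src=203.0.113.9"
    for m in (0, 6, 12, 18, 24)
] + [
    "2019-11-06T10:25:00 vpn1 vpn-gw: auth ok user=carol src=203.0.113.9",
    "2019-11-06T10:30:00 vpn1 ntpd: clock step",  # unrelated line, ignored
]

if __name__ == "__main__":
    for alarm in correlate(LOG_LINES):
        print(alarm)
```

Only alice's sequence produces an alarm. Tuning the threshold and window is the real work in production: too short a window misses slow password sprays, too long a window turns every forgetful user into an alarm.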
Babak Oskouian
November 06, 2019

AlienVault Review

Score 7 out of 10
We use it across the organization but not every plan is included mainly because of limited storage. We do vulnerability scanning, traffic analysis, and SIEM.
  • Integration with G-suite and AD
  • AlienVault agents that come free of extra charge are valuable
  • Automated scans
  • Updating the agents is not straightforward
  • Agents sometimes go offline for no apparent reason
Because of the price and the fact that it does much more than just SIEM, it has been very valuable to us, however, a redo of the GUI might be in order as it is old and somewhat not very intuitive.
It is quite effective, however, as with any device, there are quite a few false positives that one needs to weed out.
Ranjith R
Score 7 out of 10
We have procured AlienVault USM Anywhere for Monitoring and Triggering alarms/notification on the suspicious traffic and attacks. It is being used within the infosec/infra department to take necessary actions on the security events. It majorly helps us to find the real-time attack and traffic events to our organisational assets and also it helps us on finding the vulnerabilities on a specific asset.
  • AlienVault USM has the potential to identify the attack patterns by the traffic events through their sensors which is already built-in with their own correlation rules.
  • USM Anywhere sensor reduces the load for SOC analyst on writing the new set of rules.
  • It also provides an option for Slack integration, which I felt was very nice for immediate action.
  • When we talk about the forensics investigation the user interface and experience is not that great as expected, when we sent an alarm/event for investigation it doesn't provide any investigation results.
  • The USM sensor doesn't have the capability of handling more jobs; it restarts the sensor if a certain number of jobs is configured
  • The log reports do not get downloaded when we attempt it via the Safari browser
It is well suited for a cloud environment like AWS and Azure. Since GCP is a new player in cloud, AlienVault has to improve a lot in terms of support with the data and log sync of instance asset mapping and sensor capability to handle more jobs, to get out of the unavailability issue, compared with competitors like Splunk, Sumo Logic and LogRhythm.
AlienVault USM has very good team support on all aspects where other security SIEM tools miss it, and specifically OTX is good at reporting the latest attacks and recovering the same in the cloud environment, but in terms of vulnerability assessment it doesn't do a great job like Nessus or even OpenVAS; it detects far fewer vulnerabilities, which are sometimes even false positives. An AI-based approach needs to be procured for advanced attack pattern detection.
Cory Watson
Score 8 out of 10
We use it to monitor security logs across our various SaaS apps. It is the central hub for our security incident program. It is primarily being used by our Information Security Department. This tool addresses our need to be able to make actionable decisions, across various SaaS platforms, from a single pane of glass.
  • Correlate logs from different sources into actionable intelligence.
  • Provide an easy to use interface to interact with Alarms and Events.
  • Integrate with our alerting tools to make sure when an incident is happening, the right people know about it quickly.
  • Being able to make custom plugins for internal tools.
  • Being able to have a webhook plugin to send logs directly to the cloud appliance.
  • Make the management of suppression rules better. Maybe include a suppression rule visualizer to make sure your suppression rule is doing exactly what you would like it to do.
It is well suited for a small security team that does not have all the time in the world to set it up, tune it, and babysit it.

It is not appropriate if you are looking to easily be able to customize the tool. A lot of the options you have with tools like Splunk are just not here.
It is really good at this. The NIDS detects threats sometimes faster than our anti-virus solution does. Once again, for how little configuration and tuning you have to do, you are very quickly able to see actionable results compared to some of the bigger tools out there. In a previous life, this would be a much harder thing to accomplish with our small team of 4.
Fintan O'Meara
Score 8 out of 10
Alienvault USM is used by the internal IT department to monitor activity from lots of different sources across the organisation. From O365 and Azure, AWS, on-premises servers and network equipment, and others we track vulnerability status, correlate unusual activity and monitor for IOCs from Alienvault's Intelligent Cloud.
  • Intelligence updates from the Alienvault community and security pros.
  • Writing of threat detection rules and ingestion parsing for different devices.
  • Vulnerability scanning.
  • Asset management is done purely by IP unless using the agent.
  • Agent installs and updates can be a bit flaky, and on occasion use lots of resources.
Good out of the box product, not a huge amount of configuration required to get up and running, though constant tuning is and should be required. Good integrations available, though if you have a lot of experienced security analysts in your organisation there are probably more powerful tools out there; they just require you to do most of the correlation and detection rules yourself.
Compared to other products we had trialled the integrated threat intelligence and vulnerability scanning provided by Alienvault UTM was very effective out of the box at being able to flag IOCs from network traffic, flag unusual login activity in O365, provide comprehensive server vulnerability scanning which we could integrate into our server patching processes.
Mario Martinez
September 27, 2019

AlienVault does the job

Score 9 out of 10
We use AlienVault USM to monitor our AWS cloud environment and the individual assets within that environment. AV also provides us with alerting and reporting that helps us attain and maintain compliance with several standards, but, more importantly, helps me sleep better at night as our Information Security Officer. An easy to overlook benefit is that it makes it easier for us to shore up process deficiencies. We can more easily audit that we documented and approved all non-emergency configuration changes within our cloud before they are applied. We also use the AV agent to monitor individual instances for vulnerabilities and the software they run.

This all gives us confidence that we are keeping our systems as secure as possible and meeting promises to keep our customer’s data secure.
  • Internal vulnerability scans
  • Monitor firewall and security group changes
  • Monitor and alert on suspicious system logs
  • Monitor and alert on suspicious cloud watch logs
  • False alarms occur occasionally
  • There is no report for only displaying vulnerabilities with an available patch. Spectre-class issues can only be mitigated but will remain active until we are all on next-generation processors.
AlienVault is well suited for cloud environments and sprawling internal networks. Log ingestion and analysis across your instances and, in our case, AWS, coupled with File Integrity Monitoring and other features are well worth having. It takes some time to get things right and I would suggest, like every tool, that you periodically test its different components to remain confident in its abilities. Smaller systems likely would not benefit as much and it might be a cost/benefit analysis whether to audit changes by hand or monitor them for changes.
Except for a few false alarms, AlienVault has been very effective and a great tool. I particularly like that it can alert you on S3 bucket misconfiguration and that it will generally only alert on privilege and access escalation but not deescalation. For instance, opening a port on a security group triggers an alert but closing that port later is merely logged. This ultimately helps avoid alert fatigue and keeps you on top of the more relevant alarms.
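The alerting behaviour the reviewer praises (a security group ingress rule being opened raises an alarm; the same rule being revoked is merely logged) is a small triage decision that can be stated precisely. The block below is an added example, not code from the review or from AlienVault, that makes that decision over constructed CloudTrail-style EC2 events. It assumes the `eventName` / `requestParameters.ipPermissions.items[].ipRanges.items[].cidrIp` layout that CloudTrail uses for `AuthorizeSecurityGroupIngress` and `RevokeSecurityGroupIngress`, and it goes slightly beyond the review by grading the alarm: an authorization that exposes a sensitive port to the whole internet is rated high, any other authorization medium, and a revocation is logged without alarming.

```python
"""Triage security group changes: alarm on exposure, log on tightening.

Added example, not part of the review or of AlienVault.  The events
below are constructed to resemble CloudTrail records for EC2 API calls.
"""

# Ports whose exposure to 0.0.0.0/0 warrants a high-severity alarm
# (assumed list; tune to the environment).
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 1433, 6379, 27017}
WORLD = {"0.0.0.0/0", "::/0"}


def _permissions(event):
    """Yield (ip_protocol, from_port, to_port, cidr) tuples from an event."""
    params = event.get("requestParameters", {})
    for perm in params.get("ipPermissions", {}).get("items", []):
        cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        for cidr in cidrs:
            if cidr:
                yield perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort"), cidr


def _exposes_sensitive_port(proto, from_port, to_port, cidr):
    """True when the rule opens a sensitive port (or all traffic) to the world."""
    if cidr not in WORLD:
        return False
    if proto == "-1" or from_port is None or to_port is None:
        return True  # "all traffic" rules are always sensitive
    return any(from_port <= p <= to_port for p in SENSITIVE_PORTS)


def triage(event):
    """Return a triage decision dict for one CloudTrail-style event."""
    name = event.get("eventName", "")
    group = event.get("requestParameters", {}).get("groupId", "unknown")
    actor = event.get("userIdentity", {}).get("arn", "unknown")
    base = {"eventName": name, "groupId": group, "actor": actor}
    if name == "AuthorizeSecurityGroupIngress":
        rules = list(_permissions(event))
        high = [r for r in rules if _exposes_sensitive_port(*r)]
        return {
            **base,
            "action": "alarm",
            "severity": "high" if high else "medium",
            "reason": "sensitive port exposed to the internet" if high
                      else "ingress rule added",
            "rules": rules,
        }
    if name == "RevokeSecurityGroupIngress":
        # Tightening access is recorded for audit but does not page anyone.
        return {**base, "action": "log", "severity": "info",
                "reason": "ingress rule removed", "rules": list(_permissions(event))}
    return {**base, "action": "log", "severity": "info", "reason": "not a rule change"}


def _event(name, cidr, port, proto="tcp"):
    """Build a constructed CloudTrail-like event for the samples below."""
    return {
        "eventName": name,
        "userIdentity": {"arn": "arn:aws:iam::000000000000:user/example-admin"},
        "requestParameters": {
            "groupId": "sg-0example",
            "ipPermissions": {"items": [{
                "ipProtocol": proto, "fromPort": port, "toPort": port,
                "ipRanges": {"items": [{"cidrIp": cidr}]},
            }]},
        },
    }


SAMPLE_EVENTS = [
    _event("AuthorizeSecurityGroupIngress", "0.0.0.0/0", 22),      # SSH to world
    _event("AuthorizeSecurityGroupIngress", "10.0.0.0/8", 443),    # internal HTTPS
    _event("RevokeSecurityGroupIngress", "0.0.0.0/0", 22),         # closing it again
    {"eventName": "DescribeSecurityGroups", "userIdentity": {}},  # read-only call
]

if __name__ == "__main__":
    for decision in map(triage, SAMPLE_EVENTS):
        print(decision["action"], decision["severity"], decision["reason"])
```

The asymmetry is deliberate: the same change set produces one high alarm, one medium alarm and two log entries, so analysts see the exposure and the audit trail still records the clean-up.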
Mark Taghap
Score 9 out of 10
We have deployed AlienVault USM throughout the entire organization. The IT department is responsible for monitoring and making necessary configurations. This has immensely improved our visibility in regards to the daily activities of all networks and devices. It has recognized anomalies and notifies my IT department.
  • Centralization of data logs makes it easier to analyze the many application logs throughout our organization (i.e. Windows logs, PLC logs, antivirus logs, Exchange server logs, etc.).
  • Easy maneuvering with AlienVault pages as well as easy to bookmark alerts.
  • Creating SOC on a budget especially with a smaller IT dept.
  • Incident response.
  • Threat detection.
  • Compliance management.
  • AlienVault OTX is a user community that is very helpful especially when you are curious about the alerts or to help mitigate issues that arise.
  • I would like more detailed ways to mitigate issues.
AlienVault is perfect for all organizations, especially for smaller-staffed IT departments. The installation was relatively easy, especially with AlienVault's vendor partners. We did not need to integrate and monitor multiple point solutions because AlienVault does that automatically. Just make sure you test the data flow for PLC devices as it may disrupt the flow of data on these types of devices.
AlienVault USM is the only SIEM that I've worked with. During the SIEM discovery, we looked at LogRhythm, but it cost too much and had the same features.
John DeLay
Score 9 out of 10
We use AlienVault USM across our entire organization, which includes 5 separate SaaS products. At a basic level, we use the core/default functionality of AlienVault to watch our AWS account. Beyond that, we use it to collect and analyze logs for suspicious activity. The ability to track and respond to suspicious events and document them completely is super key to our organization. The reporting functionality is key in allowing me to demonstrate our processes over time to show we watch and respond to alerts.
  • Log analysis, both syslog and AWS CloudTrail, and searchability/reporting is actually better than most of our other related tools: All of our systems send log information using rsyslog to our AlienVault USM system. AlienVault is able to alert us of many issues with minimal configuration, including adding/removing users to sensitive groups, creating or removing resources such as EBS volumes, S3 buckets, or security groups.
  • AWS loadbalancer traffic/log analysis: AlienVault automatically identifies threatening IPs or entries that match suspicious traffic patterns.
  • The ability to search the many logs AlienVault collects in a way that even novice users can follow is super valuable. Logs can be quickly sorted by source, log type, and/or keyword searches. There have been many occasions where we were able to find non-security related issues due to the simple yet advanced search abilities of AlienVault. This has led to the challenge of deciding when and how long to allow non-security personnel access for troubleshooting.
  • AlienVault's lack of support for Docker may be its undoing at my company. It clearly stands above other products that fit our company, but we are adopting Docker at an ever-increasing rate. I don't want to support multiple security products, so it would be super cool if a solution to this challenge were found quickly.
  • Enriching data is super key to allowing us to set up alerts for and filter events. This process is rather painful. This significantly increases the cost of maintaining AlienVault. Specifically, several auditd and standard AWS logs do not allow me to filter based on keywords in the message. Here is one example: User: arn:aws:sts::2#########:assumed-role/qe-lambda-role/qe-batch-run-dev-frontend_batch_runner is not authorized to perform: logs:CreateLogStream on resource: arn:aws:logs:us-east-1:#########:log-group:/aws/lambda/qe-batch-run-dev-frontend_batch_runner:log-stream:2019/05/30/[$LATEST]########################
  • The ability to configure AlienVault to run security scans using SSH on systems is prohibitively difficult to use, especially when using a Bastion.
  • Making OSSIM work is a huge pain. I could not find AlienVault documentation that covers how things work and how to properly integrate it.
AlienVault is great at ingesting and processing information from multiple sources. It is excellent at monitoring AWS "things" out of the box, such as user management, network traffic through load balancers, or monitoring devices with sensitive data. I was surprised at how easy this was to start using immediately after purchase. This was a huge selling point. We had tools in place to monitor much of our environment, except AWS. Once the AlienVault system was in place, the rest happened naturally. It's now the most critical security system that we have.

It seems a bit poor when creating alarm filters that only trigger after "x" number of times. I know this can be done with escalation alerts. Keeping noisy alerts out of the UI is key to prevent alert fatigue in our more junior team members.
In general, AlienVault seems to be noisy. I'd like the ability to specify a group of users that can create security groups with sensitive ports exposed to the web, but I don't believe this is possible. I know how to do this per user. I don't believe groups are something we can specify.
AWS Inspector is a product that does very well against AlienVault for doing system level scans. It is also very expensive and cannot be customized at all.

PEN testing is not something that AlienVault does and I'm assuming that is intentional.

Network IDS isn't integrated into AlienVault or is very basic. I am assuming the plan would be to implement something like Tripwire and have logs from that system sent to AlienVault. Obviously, we would like it to do absolutely everything and do it very well :) That said, I highly doubt that is an option. If this can be done, please don't let me slow you down.
Agustin Larrarte
Score 10 out of 10
We have used Alienvault USM in our PCI environment to detect the most common threats. We have discovered it added extra value to our organization by creating visibility on security issues we didn't know of before. On the downside, the on-premise version of Alienvault USM can get slow after loading it with a lot of machines (when doing big queries) and doesn't adapt very well to dynamic environments, but their cloud version is definitely making that better.
  • Reports most common threats, real-time and take immediate automatic actions. I think this is strong if you don't have a team monitoring 24/7.
  • Connects with signature providers and keeps up-to-date well with 0 vulnerabilities. I don't need to explain why you may want to be protected against the newest threats.
  • The UI is very easy to get used to, which will make you adapt to its use quickly.
  • This tool will become slower and slower as you start adding devices to it, the on-premise version has a lot of room for improvement here, the database is slow.
  • The on-premise version of Alienvault USM will not support dynamic environments where people are constantly removing/adding new virtual machines, and it doesn't cope with Puppet management.
  • Only the most common hypervisors are supported; it would be good to have an image for Xen.
The on-premise version of Alienvault will be very good for environments that don't change a lot over time, it will provide good information about security issues on your premises. I would not recommend using this if you have a big private cloud where a lot of changes are being made. Go with the cloud version if that's your case.
Threat detection is very detailed and gives you all the information you need to start investigating a security issue. The simplicity to suppress or filter information is great. Alerts contain a full breakdown of the event and recommendations for response. Integrations although limited (Alien Apps) are very helpful. The correlation tools are excellent, you just need to feed it the right data.
Jesse Bickel
Score 8 out of 10 (Vetted Review, Verified User)
Alienvault was used to provide security monitoring and alerting for our AWS and on-premise systems. This was deployed to all environments locally and in the cloud. It was deployed and managed by the IT team and assisted us in gaining compliance for PHI, HIPAA and other requirements on top of ensuring integrity for our environments. This assisted in addressing our security needs and proactive monitoring.
  • AlienVault USM was quick to deploy and the configuration was pretty straightforward.
  • The AlienVault USM product has great documentation and service support. Very knowledgeable and readily available. Highly recommend their support package.
  • The AlienVault UI is very comprehensive and has deep tool-sets. You can monitor just about anything anywhere from anywhere. This flexibility was incredibly useful.
  • While their UI was comprehensive, it takes a while to understand how to group and tag the resources you want to monitor and how and on what schedule. The tools are deep but the usability is a bit complex. You will need to read the documentation.
  • Their pricing model for throughput was a bit challenging. I would like to see a different pricing structure. I would much prefer to see site licenses.
  • Sometimes the assessments were vague. While this shouldn't be relied upon as the only source for assessments, there were often descriptions that did not associate with the vulnerability or required us to deploy other tools to verify, such as AWS Inspector. It was not a big deal but some added overhead.
If you have a network that is cloud-based and you are scaling, the deployable sensors are simple and fast. Security is not the hump it used to be. I believe their model is truly agile and scalable with ease. If you have a fully on-prem network, I believe this solution is still viable, but we found ourselves relying on our local Meraki and Cisco security tools more so than USM. I believe this was out of comfort and experience more so than functionality.
Most of our environments were private and internal. We did not test public networks extensively. However, the reports were comprehensive and valuable. We did not have any "real security threats" to ward off but mostly used it to understand our holes so we could make the necessary configuration or update adjustments to prevent a security threat.
Erich Barlow, MIS
Score 7 out of 10 (Vetted Review, Verified User)
We are using it in IT security for vulnerability management and for IDS. It is just focused as part of our IT security management process. For us, it addresses the vulnerabilities that we see all the time and it allows us to prioritize those assets based on the risk they pose to the business.
  • Scanning network assets for vulnerabilities.
  • Heuristics in determining behavior and alerts accordingly.
  • Lots of false positives for vulnerabilities, Linux malware on Windows systems????
  • Lack of third-party app support or integration.
  • Being charged based on the amount of data.
It is well suited if you are looking to identify vulnerabilities within your network environment or need to show that you are actively managing them in a meaningful manner. The application will provide a visible manner in which this can be documented for compliance and regulatory requirements. It is not as well suited for identifying potential threats as it provides a LOT of false positives and alerts.
We always get false positives and there is no actionable information that AlienVault USM provides to my staff. I have no way of tracking down or evaluating the accuracy of the information that is provided by the application itself. This is frustrating for my support personnel who are supposed to remediate the possible threat. Not enough information is provided (host name, valid IP address, threat assessment).
Todd Fletcher
Score 10 out of 10 (Vetted Review, Verified User)
I have implemented USM Anywhere as our company SIEM. Additionally, I was working to extend its functionality with Gartner's SOAR principles. The primary business drivers (problems) include controlling costs, mitigation of risk, and supporting agile business initiatives. It is utilized by the security team to monitor all business information systems.
  • Deployment is quick
  • Normalization of log data and threat identification is effective and simple to understand.
  • Vulnerability analysis along with CVE identification is better than Nessus
  • Investigations feature is robust
  • Cloud sensor deployment and capabilities are robust
  • Custom plugin creation/modification by the user is missing. If log data is unknown to the platform, the process of getting a new plugin developed is lengthy. It would be ideal if the user could create custom plugins for their own platform.
  • Asset discovery adds every IP address in a subnet even if no host is present. The detection method is flawed. I don't have this issue on the same network with other asset discovery tools.
  • SaaS performance can be slow. When listing items more than 20 at a time, the UI refresh can be painfully slow.
For an organization around 300 to 500 in size, it is a great tool. I feel that adding some network topology scanning and configuration features would allow it to deal with more complex networks better.
So far, I have not used a better tool for event correlation. Highlighting the events that have possible malicious intent and placing them in a kill chain has been very valuable. It provides an augmentation to an analyst's effectiveness.
Adam Nield
September 05, 2019

Picking up AlienVault USM

Score 8 out of 10 (Vetted Review, Verified User)
We currently use AlienVault primarily for the SIEM and vulnerability scanner. We use the intrusion detection agents across our servers and are in the process of setting up the system to use other features available through AlienVault, such as availability monitoring and creating custom plugins to monitor our bespoke systems. This is all maintained by our infosec, cybersecurity and infrastructure teams.
  • SIEM is great for monitoring and maintaining our systems and networks, and with the right tuning the system becomes an incredibly powerful tool by being able to identify the difference between a high priority event and false positive.
  • The vulnerability scanning is a very useful part of the system, especially as after finding any vulnerabilities it provides lots of detail on what was found along with a solution.
  • User management has a good level of modularity, allowing us to restrict access for certain users to only certain areas.
  • The system can be a little over-complicated to set up to perform what I would think to be simple tasks. For example, sending an email notification on a certain alarm being created.
  • The reporting module does not offer much visual customization, only allowing you to add your company logo and color scheme as a template.
For what we have the system for, AlienVault ticks all the boxes, and there are still more areas for us to explore within the system. It is great as a SIEM tool, being able to not only record and log events but also correlate events, meaning it recognizes where lots of the same events are occurring and, depending on how you set up the system, it can react accordingly.
I haven't used any other security technology before picking up AlienVault USM; however, I can say that AlienVault makes detecting real threats from the false positives much easier than I had expected. The fact that the system is smart enough to correlate events should there be multiple of the same, and the fact that you have the option to add in your own custom policies/directives to filter out any unwanted events, makes it much easier and clearer to see what needs investigating in what order.
Pankaj KC
Score 9 out of 10 (Vetted Review, Verified User)
We use it to detect network risks and vulnerabilities to a reasonable and appropriate level. It is used across the whole organization. It's also being used to comply with current legislation (security-related logs should be recorded).
  • As for us, it casually integrated with the AWS cloud and local infrastructures; in simple words, it is easy to implement
  • Processes different types of logs using its very own inbuilt plugins and displays them in an understandable manner for non-technical users as well
  • Has its own very accurate correlation rules to generate alarms from the processed logs
  • Has an open threat intelligence community which can be integrated with the AlienVault account
  • In order to collect the system logs from various servers, it has an AlienVault agent that can be installed on Windows, Mac and Linux. It collects various types of logs such as user activity, shell history, file integrity, etc.
  • Any suspicious alarm can be added as a ticket on its console and can be processed according to severity type.
  • Server and network vulnerability details can be scanned through the USM.
  • Customizable dashboard views in the console make it easy to monitor logs from the different sources.
  • Events view can be customized according to the data source plugins.
  • USM has a feature for suppressing and filtering out the logs from the console. Suppression hides the logs from the console dashboard, whereas filtering blocks similar types of logs from entering the AlienVault console, which helps to reduce the storage usage
  • Asset Discovery: Maintains and scans a dynamic asset inventory and software inventory for large-scale organizations
  • Security & Compliance Reporting: contains customizable reports for regulation standards and compliance frameworks
  • It uses sensors to collect data from different sources, which results in extra cost for the sensor server
  • Support is very poor
  • It would be great if there was documentation to study on how we can identify and monitor suspicious logs
If you have a bigger organization that has a bigger network infrastructure which needs to be monitored in every aspect, then AlienVault USM is perfect for it. It automatically detects threats and sends out email notifications from which necessary actions can be taken. It has a correlation engine, which quickly detects and alerts on different variants of malware that can affect your organization. It provides full details on the attack method and strategy, the systems in the network involved in the attack (source and destination) with the geo-location, and the associated events that comprised the attack, along with response guidance.

Since it is very expensive, I do not recommend it for small organizations; it requires additional infrastructure to implement AlienVault within the premises.
In the current scenario, threat actors are using more sophisticated tools, techniques and procedures to penetrate organization networks. USM provides real-time log processing and notification alerts for the threats. With the help of threat intelligence, it can constantly harvest and process knowledge about different threat actors and severe external threats, such as APTs (advanced persistent threats). One example can be as follows:
  1. You have the list of domains that were visited by your organization's employees
  2. You compare this list of domains with lists of malicious domains obtained from different OTX (Open Threat Exchange) pulse providers that have already been posted on OTX.
  3. If a match is found, an alert is raised to take appropriate action.
  4. The same process is repeated at regular intervals to check all the new domains.
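The four-step domain correlation the reviewer above describes, written out as an added example. This is illustrative code for this page, not AlienVault's or OTX's own implementation; the indicator set and the visited-domain log are constructed placeholders, not real threat intelligence. It goes slightly beyond the text by matching parent domains label-by-label (so a subdomain of an indicator matches, but a domain that merely shares a suffix string does not) and by tracking which domains were already checked, which is what step 4's "new domains" requires.

```python
"""Added example: correlate visited domains against threat-intel domain indicators.

Not AlienVault/OTX code. All data below is constructed sample input.
"""
from typing import Dict, Iterable, List, Optional, Set

# Constructed stand-in for indicators pulled from threat-intel pulses.
# Placeholder names on reserved TLDs, not real indicators.
MALICIOUS_DOMAINS: Set[str] = {
    "bad-example.test",
    "malware-cdn.example",
}

# Constructed stand-in for one interval's proxy/DNS log of domains visited by staff.
VISITED_DOMAINS: List[str] = [
    "www.example.com",
    "Login.BAD-EXAMPLE.test.",      # mixed case, trailing dot: must still match
    "updates.malware-cdn.example",  # subdomain of an indicator: must match
    "notbad-example.test",          # shares only a suffix string: must NOT match
    "mail.example.org",
]


def normalize(domain: str) -> str:
    """Lowercase and strip surrounding whitespace and the trailing dot so comparisons are canonical."""
    return domain.strip().rstrip(".").lower()


def matching_indicator(domain: str, indicators: Set[str]) -> Optional[str]:
    """Return the indicator covering `domain`, or None.

    Walks the label hierarchy (a.b.c, b.c, c) so that
    updates.malware-cdn.example matches malware-cdn.example, while
    notbad-example.test does not match bad-example.test.
    """
    labels = normalize(domain).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def correlate(visited: Iterable[str], indicators: Set[str]) -> List[Dict[str, str]]:
    """Steps 1-3: compare each visited domain to the indicators; one alert per hit."""
    alerts: List[Dict[str, str]] = []
    for domain in visited:
        hit = matching_indicator(domain, indicators)
        if hit is not None:
            alerts.append({"domain": normalize(domain), "indicator": hit})
    return alerts


def new_domains(already_checked: Set[str], visited: Iterable[str]) -> Set[str]:
    """Step 4: on the next interval, only domains not seen before need checking."""
    return {normalize(d) for d in visited} - already_checked


if __name__ == "__main__":
    for alert in correlate(VISITED_DOMAINS, MALICIOUS_DOMAINS):
        print(f"ALERT {alert['domain']} matched indicator {alert['indicator']}")
```

On the constructed input this raises two alerts (the mixed-case login host and the subdomain of the CDN indicator) and correctly ignores `notbad-example.test`; a naive `endswith` check would have flagged it.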
Ariel Lucas Sandor
Score 8 out of 10 (Vetted Review, Verified User)
We used AlienVault for 5 years in our PCI and non-PCI environment. AlienVault USM does nearly everything we need to detect threats we didn't know of. The setup was very easy with little deployment time. The price point is very competitive. The data filtering tools that the appliance has are very powerful. It also comes with predefined PCI-DSS reports. The main problem we addressed is that sometimes the appliance gets slow when doing some particular queries.
  • Very easy to use. The UI is very intuitive.
  • Out-of-the-box predefined reports that make the initial filtering easy.
  • Very easy to set up.
  • Sometimes it gets slow with large queries.
  • When the upgrade fails you have to debug extensively to know what happened.
  • When we massively add hosts, sometimes some of them are not added, so you have to be careful.
It's a very nice solution for small and medium deployment scenarios (at least the on-premise version) with slow changes, and it is also very easy and fast to deploy. In bigger scenarios, it gets slow and a little bit hard to maintain. It's affordable, so I would recommend it for small companies.
The solution automatically detects threats without so much configuration, so compared with other open source solutions, where the event correlation gets complicated and messy, this tool made our life easier. From day zero, we started detecting threats we didn't know of.
Brian Lindow
Score 9 out of 10 (Vetted Review, Verified User)
AlienVault is our SIEM tool that addresses the enterprise looking for indications of compromise. This was a finding in an internal audit a few years ago so it follows more of a compliance requirement.
  • Active Directory login requests
  • Logs on the Domain Controls
  • Only showing alerts that have a high indication of compromise and reduces false positives.
  • Trimming of log files to stay within limits
  • Projecting any future storage costs from AlienVault
Well suited for a small InfoSec team that has limited time to manage the tool and respond to alerts. If you have a larger team that wants more detailed data that could be used for AppDev troubleshooting, then a different product is probably better.
AlienVault has been more effective than tools that I have previously used for several reasons. One is the ease of install and use compared to other products that you end up turning off since they are too hard to use. Second, the infrastructure footprint is minimal since it is cloud-based and doesn't require extensive infrastructure time.
Magdiel Hernandez
Score 5 out of 10 (Vetted Review, Verified User)
We use AlienVault as our primary SIEM tool. Our SOC uses the tool to create alerts, monitor suspicious patterns, receive alerting, and investigate security incidents.
  • Creation of dashboards.
  • Creation of metrics that we utilize in our monthly reports.
  • We like the way alerts are being sent to us and the information they provide.
  • Their customer support is the worst, and sadly this has been consistent every time we've had to reach out to them.
  • The account execs have ZERO flexibility regarding making deals and meeting us halfway.
  • The features do not work as advertised.
While it is well suited if you are a small organization starting a security practice, AlienVault fails to deliver when it comes to medium or large corporations, as there is very little flexibility from the tool to create alerts. Also, plugins at this time are definitely not the way to go.
It is not very good. I have detected many times when AlienVault is behind by a span of several hours when compared to other technologies, such as Crowdstrike or LogR.
Ryan Hart, MBA
July 29, 2019

Better than Splunk

Score 10 out of 10 (Vetted Review, Verified User)
We used it to monitor our web application, firewall, and our G Suite logs. AlienVault USM solves the problem of manually monitoring logs. We were able to filter our alerts to ignore known non-threatening behaviours. AlienVault USM also gave us a more efficient way to search our logs rather than viewing the raw log files in our data provider.
  • Easy to Install
  • Good use of filters
  • Great training
  • Good support documentation
  • Paying per GB of usage is not ideal
AlienVault USM provides good overall value and support. I am not a fan of on-prem monitoring hardware. Alien Vault USM has fantastic cloud-based monitoring solutions which we host in our cloud environment.
AlienVault USM is only as effective as you configure the filters and ensure your data is being digested. Provided those two items are being done, AlienVault USM is a FANTASTIC vendor for monitoring our security.
Daniel Jones
Score 9 out of 10 (Vetted Review, Verified User)
AlienVault is being used for the Security Team to see all host and network traffic. This real-time SIEM is tuned to give us alarms we actually need to look at on a daily basis. This addresses anything from malware to network, system and email breaches.
  • Deployment with the sensors for USM anywhere.
  • Support
  • Responsive UI
  • Alien Apps
  • Agents offline
  • Easier agent deployment on host.
  • Quicker response from engineers, and not just sending a document for the fix.
AV is beneficial for monitoring all hosts in an environment. I can't think of a scenario where it is less appropriate.
We had a lot of false positives at first; once we tuned it to get real-time alarms, this is a great tool to have. We get threat intelligence from multiple systems we run for our organization.
Jeremy Wilkins
Score 7 out of 10 (Vetted Review, Verified User)
Alienvault USM is being used to aggregate, inspect, and correlate both Windows/Linux logs and our Data Center network traffic. It is used exclusively by the SOC team for threat hunting and EDR.
  • VMWare Sensor deployment is very easy.
  • Dashboards are nice and clean.
  • Network monitoring and Syslog collector just work.
  • USM Anywhere does not support Netflow or any variation. SPAN and RSPAN are currently the only methods to monitor IP flows.
  • USM Anywhere tech support is lackluster. I have opened two tickets and struggled to receive knowledgeable technical assistance.
  • USM Anywhere does not do scheduled report delivery in any format. Reports are run on demand and must be printed to PDF for distribution.
Well suited for smaller SOC teams or lean IT departments. A self-driven admin with experience in networking and server administration can find all the resources needed online.
I started receiving actionable event and alarm data immediately upon deployment of my first sensor and a few agents. Root cause analysis is simplified by being able to drill down into Alarms and associated events.

Feature Scorecard Summary

  • Centralized event and log data collection (1): 8
  • Correlation (1): 8
  • Event and log normalization (1): 8
  • Deployment flexibility (1): 7
  • Custom dashboards and views (1): 6
  • Host and network-based intrusion detection (1): 7

About AlienVault USM

AlienVault® Unified Security Management® (USM) delivers threat detection, incident response, and compliance management in one unified platform. It is designed to combine all the essential security capabilities needed for effective security monitoring across cloud and on-premises environments, including SIEM, intrusion detection, vulnerability management, as well as continuous threat intelligence updates. The vendor states that even for resource-limited IT security teams, AlienVault USM can be affordable, fast to deploy, and easy to use. It eliminates the need to deploy, integrate, and maintain multiple point solutions in the data center.

Smart, automated data collection & analysis: USM Anywhere automatically collects and analyzes data across the attack surface, helping to quickly gain centralized security visibility without the complexity of multiple disparate security technologies.

Automated threat detection powered by AT&T Alien Labs: With threat intelligence provided by AT&T Alien Labs, USM Anywhere is updated automatically to stay on top of evolving and emerging threats, so the security team can focus on responding to alerts.

Incident response orchestration with AlienApps: USM Anywhere supports a growing ecosystem of AlienApps, enabling the user to orchestrate and automate actions towards other security technologies, able to respond to incidents quickly and easily.

AlienVault USM Features

Security Information and Event Management (SIEM) Features
  • Centralized event and log data collection
  • Correlation
  • Event and log normalization
  • Deployment flexibility
  • Integration with Identity and Access Management Tools
  • Custom dashboards and views
  • Host and network-based intrusion detection
Additional Features
  • AlienVault Open Threat Exchange

AlienVault USM Videos (2)

  • AlienVault USM Anywhere: Five Essential Cloud Security Capabilities in a Single SaaS Platform
  • See How We're Pushing the Outer Limits of Security

Pricing

  • Free Trial Available? Yes
  • Free or Freemium Version Available? Yes
  • Premium Consulting/Integration Services Available? Yes
  • Entry-level set up fee? Optional

AlienVault USM Support Options (Free Version / Paid Version)

  • Phone
  • Email
  • Forum/Community
  • FAQ/Knowledgebase
  • Social Media
  • Video Tutorials / Webinar
  • Live Chat

AlienVault USM Technical Details

  • Deployment Types: SaaS
  • Operating Systems: Unspecified
  • Mobile Application: No
  • Supported Countries: Global