TrustRadius
AlienVault USM: one of the best SIEMs

I was put in charge of getting our company NIST-800 compliant and one of the requirements of compliance is to have a security information and event management (SIEM). The company that did our gap analysis highly recommended the AlienVault USM and after a bit of research and reviews, I decided to move forward with AlienVault. I was very impressed with how simple it was to deploy as a virtual machine and how robust the interface is. This USM does everything and more. I can't wait to delve deeper into the functionality of the dashboard. The support team is also very responsive and very knowledgeable of the product.

Pros:
- The detailed reporting it provides
- Simple to deploy and install
- Great dashboard
- Excellent tech support

Cons:
- Offer more free training courses, either on-demand or scheduled webinars.

Rating: 10/10
Alternatives considered: SolarWinds Security Event Manager

AlienVault USM is one of the best tools to use due to its ability to notify you and also have very granular control of what you can view about the threats. It pins down the data needed to track down any information needed to report or view from the threat and also has wonderful KBs on how to fix or resolve them.

The AlienVault USM has reduced the amount of work I need to perform by centralizing all my threats, vulnerabilities and logs. It allows me to have one central login for all my needs and information. I can also share it with anyone I need via email or save logs to PDF.


AlienVault USM - A Solid Tool to Launch Your SecOps Program

AlienVault is a great SIEM for organizations who are either new to security operational logging, and wish to purchase a sound solution at a lower price point, or those with a smaller staff and potentially IT budget that wishes to buy a solution that can accomplish many different tasks. Our use of the platform extends across the global organization. We have documented multiple use cases that we are working through within the AlienVault platform such as vulnerability management and scanning, malware detection on clients and servers, malicious network traffic moving laterally and vertically throughout our environment, etc. As is the case with any SIEM, they are only as effective as the log sources that they ingest allow them to be. We are pulling in Windows client and server event logs (filtered to specific EventIDs), DNS, DHCP, AWS CloudTrail/CloudWatch logs, NIDS sensor logs, firewall logs, and are also working to integrate the solution with other corporate systems to extend its capability, such as our ITSM. AlienVault is pretty feature rich compared to other SIEM solutions, but those features are mostly good, not great. There is also a growing list of 3rd party integrations as well, which can make the solution even stronger. With that said, there are other SIEM solutions that offer more flexible deployment models, have more 3rd party integrations, and offer more extensibility in terms of holistically supporting the incident response process. Our organization has found AlienVault to work pretty well for us, as this is the first SIEM the business has deployed. Additionally, we are early on in the process of cybersecurity program development, so AlienVault's inclusion of features such as vulnerability scanning and file integrity monitoring extend its value.

Pros:
- Feature-rich: includes functionality not typically present in other SIEMs such as vulnerability scanning, UEBA, file integrity monitoring, NIDS.
- Simple to configure and deploy.
- Relatively inexpensive compared to other enterprise SIEM solutions.

Cons:
- While there are many features, many of them are not very advanced. Vulnerability scanning as an example is extremely simplistic and almost unusable for an enterprise organization. It's just enough to get a program off the ground.
- Cloud-only deployment model (SaaS) may not fit all organizations. Not all organizations are "cloud friendly".
- Reporting capabilities out of the box are lackluster. Vulnerability management reporting as an example does not include a single canned report.

Rating: 7/10
Alternatives considered: LogRhythm NextGen SIEM Platform, SolarWinds Security Event Manager, Splunk Enterprise Security and IBM QRadar

Like most situations, you get out what you put in. AlienVault is not going to filter up to every malicious activity occurring in an environment right out of the box. There is plenty of work to be done to get log sources ingested in a prioritized manner, to get basic rules tuned, and to integrate it with other solutions, where it makes sense. This maturity can take years to put in place in many cases. Once AlienVault USM is set up and tuned properly and has all log sources ingested, it is very good at finding things in an environment. It requires constant maintenance moving forward however to ensure that as tech landscapes change, the alarm rules are properly configured, and new ones are added.

Our organization has achieved this benefit. We send all security-related log sources to AlienVault, to include our corporate antivirus solution, DNS security solution, Windows logs, etc. Having all of this information in a single platform offers the ability to search through disparate logs while investigating an event. The simplicity of doing this in a single platform is significant. Also, as we configure and deploy more advanced alarm or event rules, the solution becomes even more valuable in this way. Once again, it's all about the time and energy that you invest in building the solution to be as effective as it can be in your environment.


AlienVault USM Anywhere - Cost effective SIEM-as-a-service

AlienVault USM Anywhere provides us with SIEM, at a low price point and with a great array of functionality. SIEM is critical to our security operations and feeds incident response efforts. We use it to monitor logs and events from our applications and server platforms, integrating many of our other security products into the flow of data into USM Anywhere, for centralized logging and event management.

Pros:
- AlienVault USM Anywhere is easy to deploy with their cloud-based model and deploying the required agents on-prem (or in the cloud) is quick and easy.
- Custom rules allow for alerting based on content from events and you can even trigger agents in response to threats, shutting down computers or grabbing forensic info for incident response.
- USM Anywhere also takes care of reporting for ISO and PCI, allowing you to pull reports for auditors at a moment's notice.
- With many integrations out-of-the-box, you can pull in all the data from products you use and other sources, such as Amazon CloudWatch Logs.

Cons:
- We would love to be able to create custom rules based on a series of events, to create rule-sets where, for example, failed logins to the VPN Server are logged and then when a successful attempt follows soon after, it triggers an alarm for a Brute Force. It does this for things like OKTA already, so control over which events this applies to would be great.
- More data tiers - something between 250GB and 500GB tiers, maybe break it down into 100GB tiers?
- Integration with OpsGenie would be great.

Rating: 10/10
Alternatives considered: Alert Logic Cloud Insight and CloudPassage Halo

We have found OTX to be a valuable source and the tight integration with USM really helps eliminate false positives. Being able to submit your own information into OTX also adds value and helps put context on threats. We sometimes find IP addresses can be out of date in OTX and linked to old threats, but it's good to see the history of what has occurred on this IP and you can go back and look for historical indicators of compromise in your data.

With a security team of 2, we are able to manage the events from hundreds of sources and tens of applications on a daily basis and quickly filter out the noisy alerts and focus on the real events that pose a threat to us. USM Anywhere allows for quick and intuitive configuration and the daily activities don't feel like a chore and are simple to perform.


A tool with great short and long term return on investment

We use the USM Anywhere SIEM for our corporate security program currently, separate from our application security team in charge of the cloud environments our SaaS offering is hosted on. This solves the compliance and security issues we face as an organization for forensically sound log storage as well as data aggregation for correlation.

Pros:
- The integration setup for syslog forwarding and native web apps partnered with the platform is a very simple setup.
- Deploying sensors in cloud systems usually follows a pre-defined build flow for ease of sensor deployments and scaling.
- For perimeter defense, as long as your defended organizational structure uses Active Directory or another LDAP replication type service, vuln scanning and KIDS is a breeze.

Cons:
- For highly distributed workforce issues, the system requires a lot of third-party integrations to collect data for automation.
- Customization can be lacking in areas without significant help from their support teams.
- Building rules for filtering, suppression, and custom alarms can be a steep learning curve, although this is slightly offset by their training offerings.

Rating: 9/10
Alternatives considered: Rapid7 InsightOps, InsightIDR and Splunk Cloud

The USM system is built with certain data ingress engines that work really well to identify and correlate suspicious activity. Since the company runs a threat intelligence feed in the form of the Open Threat Exchange, the IOCs they detect and report on are then built into the detection engine to give solid threat data. This can create a large amount of false positives during initial deployment depending on your environment, but the majority of noise can be effectively suppressed with their rule creation wizard that automatically brings in the fields on an alarm or event.

We have seen a return on investment for workflow efficiency in a dramatic sense. Prior to USM, individual security systems needed to be reviewed in a stand-alone format which can provide cracks for attackers to slip through during an exploit event. USM creates a relative single pane of glass for many of these tools and correlates event data between multiple sources to detect deeper malicious activity. This can be said for many SIEM products though and as such, a SIEM in any way will create a large return on investment when dealing with multiple security tools and log event sources.


USM SaaS implementation for AWS and Linux instances

We use AlienVault USM across our entire organization, which includes 5 separate SaaS products. At a basic level, we use the core/default functionality of AlienVault to watch our AWS account. Beyond that, we use it to collect and analyze logs for suspicious activity. The ability to track and respond to suspicious events and document them completely is super key to our organization. The reporting functionality is key in allowing me to demonstrate our processes over time to show we watch and respond to alerts.

Pros:
- Log analysis, both syslog and AWS CloudTrail, and searchability/reporting is actually better than most of our other related tools: All of our systems send log information using rsyslog to our AlienVault USM system. AlienVault is able to alert us of many issues with minimal configuration, including adding/removing users to sensitive groups, creating or removing resources such as EBS volumes, S3 buckets, or security groups.
- AWS load balancer traffic/log analysis: AlienVault automatically identifies threatening IPs or entries that match suspicious traffic patterns.
- The ability to search the many logs AlienVault collects in a way that even novice users can follow is super valuable. Logs can be quickly sorted by source, log type, and/or keyword searches. There have been many occasions where we were able to find non-security related issues due to the simple yet advanced search abilities of AlienVault. This has led to the challenge of deciding when and how long to allow non-security personnel access for troubleshooting.

Cons:
- AlienVault's lack of support for Docker may be its undoing at my company. It clearly stands above other products that fit our company, but we are adopting Docker at an ever-increasing rate. I don't want to support multiple security products, so it would be super cool if a solution to this challenge were found quickly.
- Enriching data is super key to allowing us to set up alerts for and filter events. This process is rather painful. This significantly increases the cost of maintaining AlienVault. Specifically, several auditd and standard AWS logs do not allow me to filter based on keywords in the message. Here is one example:
  User: arn:aws:sts::2#########:assumed-role/qe-lambda-role/qe-batch-run-dev-frontend_batch_runner is not authorized to perform: logs:CreateLogStream on resource: arn:aws:logs:us-east-1:#########:log-group:/aws/lambda/qe-batch-run-dev-frontend_batch_runner:log-stream:2019/05/30/[$LATEST]########################
- The ability to configure AlienVault to run security scans using SSH on systems is prohibitively difficult to use, especially when using a Bastion.
- Making OSSIM work is a huge pain. I could not find AlienVault documentation that covers how things work and how to properly integrate it.

Rating: 9/10
Alternatives considered: Qualys Cloud Platform (formerly Qualysguard), Snyk, AWS Config and AWS Cloud9

AWS Inspector is a product that does very well against AlienVault for doing system level scans. It is also very expensive and cannot be customized at all. Pen testing is not something that AlienVault does and I'm assuming that is intentional. Network IDS isn't integrated into AlienVault or is very basic. I am assuming the plan would be to implement something like Tripwire and have logs from that system sent to AlienVault. Obviously, we would like it to do absolutely everything and do it very well :) That said, I highly doubt that is an option. If this can be done, please don't let me slow you down.

Yes, we have achieved this. Once set up, ensuring all of our systems are logging to AlienVault is very simple. Native system tools and AWS tools work easily, which simplifies the integration of all of our AWS systems with AlienVault. I am able to hand off much of the daily care and feeding of AlienVault to more junior members of my team with minimal effort. If we experience turnover, it is equally simple to bring new team members online.


Great value for organizations who wish to realize the value of SIEM

We have used Alienvault USM in our PCI environment to detect the most common threats. We have discovered it added extra value to our organization by creating visibility on security issues we didn't know of before. On the downside, the on-premise version of Alienvault USM can get slow after loading it with a lot of machines (when doing big queries) and doesn't adapt very well to dynamic environments, but their on-cloud version is definitely making that better.

Pros:
- Reports most common threats, real-time, and takes immediate automatic actions. I think this is strong if you don't have a team monitoring 24/7.
- Connects with signature providers and keeps up-to-date well with 0-day vulnerabilities. I don't need to explain why you may want to be protected against the newest threats.
- The UI is very easy to get used to, which will make you adapt to its use quickly.

Cons:
- This tool will become slower and slower as you start adding devices to it; the on-premise version has a lot of room for improvement here, the database is slow.
- The on-premise version of Alienvault USM will not support dynamic environments where people are constantly removing/adding new virtual machines and doesn't cope with Puppet management.
- Only the most common hypervisors are supported; it could be good to have an image for XEN.

Rating: 6/10

Threat detection is very detailed and gives you all the information you need to start investigating a security issue. The simplicity to suppress or filter information is great. Alerts contain a full breakdown of the event and recommendations for response. Integrations, although limited (Alien Apps), are very helpful. The correlation tools are excellent, you just need to feed it the right data.

We come from having an open-source solution based on Snort that we had to add extra intelligence to in order to analyze security events, where we spent a lot of time researching tools in depth like Snort. With Alienvault, we forgot about that right off the bat, all the right signatures we need are there and support has been great. It has helped us cut costs that were time-related and let us focus on what we need to.


Simple and easy to install/manage SIEM tool with small infrastructure footprint.

AlienVault is our SIEM tool that addresses the enterprise looking for indications of compromise. This was a finding in an internal audit a few years ago so it follows more of a compliance requirement.

Pros:
- Active Directory login requests
- Logs on the Domain Controllers
- Only showing alerts that have a high indication of compromise, which reduces false positives.

Cons:
- Trimming of log files to stay within limits
- Projecting any future storage costs from AlienVault

Rating: 9/10
Alternatives considered: Splunk Cloud

AlienVault has been more effective than tools that I have previously used for several reasons. One is the ease of install and use compared to other products that you end up turning off since they are too hard to use. Second, the infrastructure footprint is minimal since it is cloud-based and doesn't require extensive infrastructure time.

This benefit happened within the first month since we are able to filter to only critical threats that are exploitable. Very little time is spent on false positives, which is typically a big FTE issue.


AlienVault USM, missing the versatility of the golden days.

We use AlienVault as our primary SIEM tool. Our SOC uses the tool to create alerts, monitor suspicious patterns, receive alerting, and investigate security incidents.

Pros:
- Creation of dashboards.
- Creation of metrics that we utilize in our monthly reports.
- We like the way alerts are being sent to us and the information they provide.

Cons:
- Their customer support is the worst, and sadly this has been consistent every time we've had to reach out to them.
- The account execs have ZERO flexibility regarding making deals and meeting us halfway.
- The features do not work as advertised.

Rating: 5/10
Alternatives considered: LogRhythm NDR, Splunk Enterprise Security and IBM QRadar

It is not very good. I have detected many times when AlienVault is behind by a span of several hours when compared to other technologies, such as Crowdstrike or LogR.

We have achieved this. However (and believe me, I'm not trying to just pound the product, which is not bad overall, just behind on functionality), the concept of security analytics and funneling down data is not as expected. Again, plugins make it hard to achieve this.


Better than Splunk

We used to monitor our web application, firewall, and our G Suite logs. AlienVault USM solves the problem of manually monitoring logs. We were able to filter our alerts to ignore known non-threatening behaviours. AlienVault USM also gave us a more efficient way to search our logs rather than viewing the raw log files in our data provider.

Pros:
- Easy to install
- Good use of filters
- Great training
- Good support documentation

Cons:
- Paying per GB of usage is not ideal

Rating: 10/10
Alternatives considered: Splunk Cloud

AlienVault USM is only as effective as you configure the filters and ensure your data is being digested. Provided those two items are being done, AlienVault USM is a FANTASTIC vendor for monitoring our security.

AlienVault USM filters through the noise and helps us monitor our logs in an intelligent way. We are able to respond to focused and relevant alerts rather than hunting and pecking to find issues in a time-intensive method after the fact.


AlienVault USM: better than expected and a convenient way to maintain security compliance

We use AlienVault USM to monitor and secure our AWS, Azure, and Office 365 environments. The primary use of the product is to maintain PCI compliance. The various PCI reports save a significant amount of time each year during our security audits. We use it to collect logs from Windows, Linux, and cloud environments into one convenient location.

Pros:
- The integrations are very end-user friendly.
- The user interface is fairly intuitive.
- The PCI reports are extremely time-saving.
- The cross-platform compatibility makes hybrid environment management much easier.

Cons:
- The "Agent" has caused many problems in our environment.
- The AlienVault server seems to get overwhelmed quickly and could use an option for greater scaling for larger installations.
- The documentation is often lacking on details. The documentation often covers what specific steps to take but does not cover why or how certain items work.
- The user interface is missing many features for bulk/large-scale operations, such as the ability to close more than one page of alarms at once.
- The "report false positive" does not provide a way to easily remove items, so they still show up in audits.
- There is no way to reconfigure many checks to avoid false positives.
- The system lacks transparency for many security or infrastructure operations.

Rating: 7/10

The ability to integrate logging from AWS, Azure, Office 365 and more has been extremely helpful. It allows me to see active security issues in multiple environments and tell if there is a correlation between any events. AlienVault is crucial in actively alerting me to issues regarding possible security breaches. The software can, in some cases, over-report. However, that is more a symptom of configuration than an issue with the product.

By integrating logs from multiple environments, automatically generating reports, and automatically generating alerts, the software has saved me considerable time in detecting threats. In many cases, it lacks the ability to customize detection or integrations, but thankfully for standard "threat detection" the software seems to work better than expected.


AlienVault Is a Success

AlienVault is being used for the Security Team to see all host and network traffic. This real-time SIEM is tuned to give us alarms we actually need to look at on a daily basis. This addresses anything from malware to network, system and email breaches.

Pros:
- Deployment with the sensors for USM Anywhere.
- Support
- Responsive UI
- Alien Apps

Cons:
- Agents offline
- Easier agent deployment on host.
- Quicker response from engineers, and not just sending a document for the fix.

Rating: 9/10
Alternatives considered: Sophos Intercept X and Darktrace

We had a lot of false positives at first; once we tuned it to get real-time alarms, this is a great tool to have. We get threat intelligence from multiple systems we run for our organization.

It took some time to tune it how we wanted to, it sees a ton of traffic so we needed to gather together as a team to do some cleanup for about 2 months. Once this was done we were very happy with what AV shows the Security team on a daily basis. It is a low maintenance product now.


USM Anywhere does what it says.

Alienvault USM is being used to aggregate, inspect, and correlate both Windows/Linux logs and our Data Center network traffic. It is used exclusively by the SOC team for threat hunting and EDR.

Pros:
- VMware Sensor deployment is very easy.
- Dashboards are nice and clean.
- Network monitoring and Syslog collector just work.

Cons:
- USM Anywhere does not support Netflow or any variation. SPAN and RSPAN are currently the only methods to monitor IP flows.
- USM Anywhere tech support is lackluster. I have opened two tickets and struggled to receive knowledgeable technical assistance.
- USM Anywhere does not do scheduled report delivery in any format. Reports are run on demand and must be printed to PDF for distribution.

Rating: 7/10
Alternatives considered: Splunk Enterprise Security

I started receiving actionable event and alarm data immediately upon deployment of my first sensor and a few agents. Root cause analysis is simplified by being able to drill down into Alarms and associated events.

Alienvault USM was able to provide the monitoring necessary to reduce the amount of time needed to identify a security threat and figure out root cause analysis. Analysts are spending less time threat hunting and more time recommending remediation steps.


AlienVault USM - a single solution in a complex world

Globally as a SIEM/FIM solution.

Pros:
- FIM with limits.
- Vulnerability scans (with agents installed as opposed to "NXlog").
- Dashboards.

Cons:
- Need to be able to comment on issues flagged by AlienVault so that other users may know what has been done for triage.
- Single pane of glass: need to have a shared dashboard that is customizable.

Rating: 5/10
Alternatives considered: Qualys Policy Compliance (PC), Imperva CDN (formerly Incapsula), Alert Logic Log Correlation and Analysis, Rapid7 Nexpose, Alert Logic Network Threat Detection, Rapid7 InsightOps and Fidelis Elevate

I believe so; you don't know what you don't know, of course, but it appears to be a good solution for our needs.


AlienVault USM gives more visibility than I have ever had in one pane of glass.

AlienVault is deployed across the corporate infrastructure to centrally manage security logs on all servers via the agent. Sensors are deployed in the corporate network to monitor and scan workstations and servers for vulnerabilities and perform discovery scans for new systems on the network. The firewalls also supply syslogs to the sensors. Office 365 is monitored via an Azure sensor, along with Azure infrastructure. Production systems are monitored using agents and a sensor.

Pros:
- Effective correlation of various log sources to provide useful alerts.
- An agent provides detailed logs of events on every system, be it Windows, Linux, or MacOS, to the point you do not have to log in to each machine to review security logs.
- Provides auto detection of log sources and effective mapping of the log data to key fields.
- Pre-built alerts allow AlienVault to be effective right away. There's no need to spend days creating alerts for it to be usable.
- Has powerful search capabilities once the logs are in AlienVault.
- Has the ability to run queries on agent systems based on an alert trigger (e.g. list of logged on users).

Cons:
- The biggest challenge is the deployment of the Agent. It requires logging onto each system and running the install script manually. You need a GPO or a scriptable way to push the agent.
- We would like the ability to limit access to specific sensors for users that have been given access to AlienVault. Currently, if an analyst has access to AlienVault, they can see all data sources and logs.
- We saw a lot of false positive results in the beginning, requiring a bit of tuning to suppress some rules.
- There's no ability to suppress Vulnerabilities identified in the vulnerability scanning component.

Rating: 9/10

AlienVault is very effective in detecting O365 logins from multiple regions for the same users, allowing us to detect compromised accounts. The integrations with Palo Alto FWs allow the detection of users connecting to known C&C addresses.

AlienVault has given us great visibility into security threats in O365, on servers, workstations, and FWs, all using one pane of glass, without having to manually collect threat intelligence and maintain on-premise hardware. We see user AD account and group changes, we see when someone modifies a configuration on a firewall and if someone launches an attack against an FW using an exploit. I am surprised by all the details I was missing before we deployed AlienVault USM.


Alienvault gives you eyes without the extra bodies :)

Alienvault was selected as our SIEM solution to provide cutting-edge monitoring, analytics and alerting, and it has the added benefit of being able to conduct vulnerability assessments and provide endpoint detection and response. There is a lot of noise when deploying any SIEM solution, but Alienvault is unique in that it can be effective, practically right out-of-the-box, and anything required beyond that is satisfied by their great support team and available training. I have found that USM Anywhere can fill a critical gap in your security program, and I would recommend it for small, medium, and large businesses.

Pros:
- Anomaly Detection and Identification
- Digital Forensics/Incident Response
- Log Correlation and Built-in Attack Signatures
- Cloud Security Monitoring

Cons:
- Would be nice to have better error messaging, specifically around credential failures.

Rating: 8/10

Due to the predefined correlation and orchestration rules, baked-in dashboards and reports, I would say it is a leader in providing effective threat detection and ROI within a very short period after deployment, from my experience.

In our situation, USM Anywhere was put in place to allow for extra analysis and intelligence without additional analyst resources. USM Anywhere has accomplished this.


AlienVault USM..making sense

The USM is being used by the IT department as a SIEM, giving our organization a 360 view of what's going on in the network infrastructure, and more focus on the critical infrastructures which have been plugged in to send all their log activities. The AlienVault USM has made it simple by the creation of plugins which makes it easier to express the logs in simple expressions for easy understanding.

Pros:
- Large plugin base to accommodate different devices.
- Easy to deploy.
- Easy management.
- Makes network monitoring and actionable steps clear and simple.

Cons:
- Updating the appliance to a newer version.
- More control over which devices will be allowed to log into a database and which ones should just appear, so that the database will not get filled up quickly.

Rating: 8/10
Alternatives considered: IBM QRadar

AlienVault helps in:
- Threat insight through OTX.
- Network Intrusion Detection System.
- Host Based Intrusion Detection Solution.
- Alienvault gives the ability to monitor up to 5 public IPs, which we use in knowing the hit trends to our network.
- The deployment steps are direct and easy.

Our organization has benefited from this. Before now we were managing a number of appliances, going from one to another, checking and interpreting the different logs and looking for scripts to read those logs, which was really making our threat intelligence and detection process slow and tiring, but AlienVault USM has made it easy to configure and get those logs. The plugins from this USM express it in a way we understand, so there's no need for looking for and writing scripts. All these are easily displayed on the dashboard for us to act on.


A very positive step towards keeping our network secure!

We use AlienVault USM across our entire organization. It was purchased to help us improve our ability to respond to cyber security threats by keeping up with patching and tracking down vulnerabilities on our network. We took these steps after paying to have penetration testing done on our network.

Pros:
- AlienVault USM helps our IT staff stay on top of patches.
- AlienVault USM makes it easier for our IT staff to track down vulnerabilities.
- AlienVault USM provides steps to correct any vulnerabilities that may arise.
- AlienVault's staff were very helpful in setting up their product on our network.
- There was plenty of opportunity for training.

Cons:
- AlienVault USM can be cumbersome for a small IT staff to manage. We still use AlienVault USM but now pay a third party to help us manage it.

Rating: 8/10
Alternatives considered: Splunk Enterprise Security and Fortinet FortiGate

AlienVault USM is much more comprehensive than other security technology that we had previously used. It allows us to stay up to date on important preventative measures for keeping our network safe and provides detailed directions for addressing issues.

I wouldn't say that AlienVault USM reduced the amount of work needed to detect security threats for us. It just brought things to light that may have been overlooked in the past. Our IT staff eventually determined that using a third party to manage AlienVault USM for us was the best way to use it effectively.


Alienvault is wonderful

AlienVault USM Anywhere is being used across the entire organization, for full network monitoring of all systems including election systems. We also are using AlienVault in our Azure environment for monitoring of applications and virtual machines that are housed in the cloud. This is through firewall logs and the AlienVault Agents.

Pros:
- Normalization of logs that it receives
- Known threat alerts
- Amount of data it keeps track of

Cons:
- Easier connection with the Cisco Umbrella system
- Better systems integrations
- Simpler log clean-ups and alerts

Rating: 10/10

With AlienVault USM Anywhere, we have been able to perform our daily duties quicker and more precisely than we could before. We are able to act upon threats quicker and know where they are coming from. This has reduced downtime and service times all around the office.


Accurate, easy to setup, no maintenance required, but UI needs to improve.

USM is being used for our whole organization. It is deployed via sensor on various regions to capture in/out data for monitoring potential risk. We use USM as a centered logger and analysis system, also collecting data from firewall/VPN, Office365, Crowdstrike and others. It's convenient to integrate various plugins for gathering data/alerts from different clouds/platforms. The whole system setup is pretty straightforward and not difficult to use.

Pros:
- Risk analysis is accurate.
- Cloud-based rule update means less hassle.
- Integrated plugins help centralize log/alert into one system.
- Filter/suppress rule is very easy to set.
- Easy to fit to our current traffic pattern.

Cons:
- It's a pain to check each individual alert for detail; I wish there was a popup window or something similar to quickly go through each unusual alert.
- The UI seems not that efficient, and a little bit slow in my opinion. I wish we had a Kibana-like quick search criteria change function, click and go.

Rating: 8/10

We also deploy Suricata + Kibana + ES along with a USM sensor. Both act pretty much the same. USM does have the advantage of stacking or reducing duplicated alerts. We found lots of coin miner programs via USM. That helps a lot. We also fixed some configuration issues based on various attack attempts detected on USM.

By deploying the sensor in each different region/cloud we gained good coverage with less effort on setup and configuration. We saved lots of labor, for most situations. USM is good enough to monitor and detect potential risks. As I stated before, USM did a good job on rules management/update. This saves lots of time and is much more effective for the customer.


AlienVault USM from the perspective of a non-security IT department

AlienVault USM is being used by the IT department for its vulnerability scanning, intrusion detection, and event correlation. It's a fairly new product for us and we're still getting acclimated to it, but so far it's been very useful in giving us greater visibility into our environment.

Pros:
- Vulnerability assessment is very good. Especially with the software on servers and workstations.
- Event correlation has helped tremendously by centralizing all the data into one feed that we can filter easily.
- Support, training, and implementation were top notch. Very helpful people who answered questions clearly and concisely.

Cons:
- For a company that is on the smaller side as far as the number of employees and computer systems, the storage available in our tier could get eaten up quite quickly.
- It wasn't that easy for us to know where to go from a storage tier startup standpoint.

Rating: 9/10
Alternatives considered: Rapid7 InsightOps

AlienVault USM is the first security technology that we have used in any sort of formal way here, so I can't really compare it to any other products that were used in a production environment. That being said, the very next day following implementation, AlienVault USM alerted me to an attempted breach of one of our systems. So in my mind that says quite a bit about its effectiveness. I would hope other products would be as good, but I know that AlienVault USM is.

So far I would say we haven't had a reduction in the amount of work, but that is mostly because of the learning curve, and the time that is available to actually get the AlienVault USM platform set up for our environment is being superseded by other non-security IT projects and daily support issues.


Pretty good at what it does, but could be improved.

We use AlienVault USM to satisfy PCI DSS requirements. Namely event logging and audit, change audit, and Intrusion Prevention services.

Pros:
- Lots of built-in out of the box functionality.
- Easily satisfies several PCI DSS requirements.
- Event logging is easy to navigate and presented well.

Cons:
- Initial setup is quite tedious.
- Network setup for IDS caused us to bring our network down a couple of times.
- Reports aren't very good.

Rating: 8/10

It's pretty good at detecting threats, although there have been quite a few false positives that we've had to go and whitelist. For example, some of the agents on the DC are extremely noisy, filling our storage with mundane event logs.

AlienVault USM has achieved this by consolidating a bunch of different tools into one tool. We no longer need to maintain 6-7 different tools to meet our PCI DSS requirements.


AlienVault proved itself after one day.

Currently it's only being used by the IT department to identify suspicious network activity, which we did not monitor prior to implementing AlienVault. One day after implementing AlienVault, we were notified of a bitcoin miner on our FTP site. Sure enough, when I logged into that machine and ran a malware scan, it picked up a Bitcoin Miner.

Pros:
- Report suspicious network activity.
- Display all threats in a nice dashboard.
Notify me of what other people have encountered with "Pulses.",Make initial setup easier. Make their certification test not so ridiculously tedious with oddly specific questions. Provide better remediation steps.,7,AT&T Threat Intellect,As I mentioned earlier, we had only one day go by and AlienVault detected a bitcoin miner on my FTP server. This thing could have been running indefinitely had AlienVault not notified us of the suspicious activity. We are at a point now where we really need all the help we can get to manage these threats. AlienVault did that for us after one day.,It has, after only one day when it detected a bitcoin miner. I look forward to checking AlienVault's dashboard every day to see what it finds.Alien Vault USM goods and not so goodsWe are 200 employees strong and have presence in 5 states. We utilize AlienVault (AV) across our entire MPLS network. It addresses the issue of visibility of our servers and workstations to analyze potential threats and less common issues with auditing we wouldn’t otherwise catch but can cause major issues if not resolved.,AlienVault is very customizable. We can set up many built-in rules and alerts which saves time but can also be extremely granular to properly scan our unique network. Great technical support. When I need assistance setting up a new sensor or target scan, AlienVault engineers are there to assist and get me on track.,Although the interface shows a lot of development and thought put into it, there are some buggy issues at times with simple form submission and web navigation. Initially setting up Alien Vault in our environment was challenging and there was a lack of support around the “hardware level” meaning our VMWare environment.,7,SolarWinds Kiwi Syslog Server,Other security measures like antivirus only find malicious threats after they have infected one or multiple computers. 
AlienVault's real time scanning can detect these threats are they are attempting to propagate through my network.,The tool does provide a much needed layer of security we didn’t previously have but I would say still is missing the mark on reducing the amours to of work needed to operate the tool and get the most out of it. I would have to hire a full time resource or outsource the job to a 3rd party to really get the full benefit of my subscription.AlienVault OSSIM SaaS ReviewThis is currently being used across our corporate environment to help monitor our firewalls that process all associate traffic, active directory, O365, etc. This product has helped us to gain more visibility into the traffic that is being sent across our network and help identify threats quicker. Currently, the Security department is in charge of all that is AlienVault, and have given read access to a few neighborliness departments.,Ability to tune alarms and events to your liking. Very easy to get rid of false positives that are known in your environment, and create actionable alerts for legitimate alerts. The simplicity of the dashboard. Everything within AlienVault USM Anywhere is easy to navigate and configure. From sorting logs to creating new users, the layout is natural and easy to figure out. The Architecture of the SaaS deployment went smoothly and is very simple and expandable. Very little to worry about on our side with great results.,Support response time and incident handling have some room to improve. We had major issues with a sensor, and it took several days to get a response. Once we got a response the issue was corrected, it just took a while to get our engineer on the phone. Small bugs in the way that the syslog packets are read and normalized. Reading the time in the packet wrong has been the biggest issue we have found so far that is without a solution. Complicated Architecture to fully use the product. 
Requiring port mirroring to use the IDS portion of Alienvault is quite challenging when dealing with a large network size and diverse locations such as ours.,8,Exabeam Security Intelligence Platform,The OTX platform has proven to be instrumental in identifying threats in our environment quickly and accurately. The ability to correlate login events to known malicious hosts, and generate actionable alerts has been the most utilized feature and generated the most actionable alerts. We did not get far enough into testing Exabeam to determine how their product handled these types of identifications, but I am quite impressed with Alienvault's solution.,After the initial tuning of the platform, this has most definitely saved us time in identifying incidents and allowed us to have most of our logs in one place. The ability to tie all of our logs together and use AlienVault USM Anywhere to correlate these together and identify threats within our environment has been greatly appreciated.Things to think aboutIt is being used by the IT department for internal vulnerability scans and log collection. It also plays a role in providing information to our internal and external auditors.,It is good at doing internal scans of end-user devices to find vulnerabilities without the need of installing an agent or client on each device. It is good at being a log server. A place to send logs for all of your networking devices, such as switches, firewalls, and other solutions that accept log servers.,Its ability to collect logs from Barracuda solutions needs heavy improvement. How it collects and organizes the data isn't very useful. The end device client, which is optional, and can be installed on any device you want to collect more data from, has compatibility issues with quite a few products we use, and anti-virus software in-particular doesn't like it. We have also had some performance issues with devices the client is installed on. 
The way collected data from all devices and locations is presented to the user in the web portal is not as user-friendly or as clean as it could be. It tends to show too much useless data and too many categories, making it easy to miss the important parts.,6,PRTG Network Monitor, Lansweeper and Netwrix Auditor,AlienVault is a good product for detecting vulnerabilities, but does not replace our other solutions. For instance, our firewall solutions do a much better job at logging and providing real-time alerts of issue and attacks. Our SAL monitoring solutions provide uptime and performance that is outside the scope of features for AlienVault.,AlienVault does help reduce the amount of time in searching logs or gathering data for reports. If you take the time, up front, to correctly set up email alerts, it will provide your organization a good method of responding quickly to security threats.
AlienVault USM Reviews
501 Ratings
Score 8.0 out of 10 (trScore)
TrustRadius Top Rated for 2019
Reviews (1-25 of 303)
Stacey Medina
August 14, 2019

AlienVault USM: one of the best SIEMs

Score 10 out of 10
Vetted Review
Verified User
I was put in charge of getting our company NIST-800 compliant and one of the requirements of compliance is to have a security information and event management (SIEM). The company that did our gap analysis highly recommended the AlienVault USM and after a bit of research and reviews, I decided to move forward with AlienVault. I was very impressed with how simple it was to deploy as a virtual machine and how robust the interface is. This USM does everything and more. I can't wait to delve deeper into the functionality of the dashboard. The support team is also very responsive and very knowledgeable of the product.
  • The detailed reporting it provides
  • Simple to deploy and install
  • Great dashboard
  • Excellent tech support
  • Offer more free training courses, either on-demand or scheduled webinars.
AlienVault USM is well suited for any small/medium businesses as well as big corporations. The reporting and dashboard alone are something I always look for in a USM because it makes it easier for me to gather and find the information I am required to have. If detailed reports are what you are looking for or an easy to navigate dashboard this is the software for you.
AlienVault USM is one of the best tools to use due to its ability to notify you and also have very granular control of what you can view about the threats. It pins down the data needed to track down any information needed to report or view from the threat and also has wonderful KB's on how to fix or resolve them.
Frank DePaola
July 19, 2019

AlienVault USM - A Solid Tool to Launch Your SecOps Program

Score 7 out of 10
Vetted Review
Verified User
AlienVault is a great SIEM for organizations who are either new to security operational logging, and wish to purchase a sound solution at a lower price point, or those with a smaller staff and potentially IT budget that wish to buy a solution that can accomplish many different tasks. Our use of the platform extends across the global organization. We have documented multiple use cases that we are working through within the AlienVault platform such as vulnerability management and scanning, malware detection on clients and servers, malicious network traffic moving laterally and vertically throughout our environment, etc. As is the case with any SIEM, they are only as effective as the log sources that they ingest allow them to be. We are pulling in Windows client and server event logs (filtered to specific EventIDs), DNS, DHCP, AWS CloudTrail/CloudWatch logs, NIDS sensor logs, firewall logs, and are also working to integrate the solution with other corporate systems to extend its capability, such as our ITSM. AlienVault is pretty feature-rich compared to other SIEM solutions, but those features are mostly good, not great. There is also a growing list of 3rd party integrations as well, which can make the solution even stronger. With that said, there are other SIEM solutions that offer more flexible deployment models, have more 3rd party integrations, and offer more extensibility in terms of holistically supporting the incident response process. Our organization has found AlienVault to work pretty well for us, as this is the first SIEM the business has deployed. Additionally, we are early on in the process of cybersecurity program development, so AlienVault's inclusion of features such as vulnerability scanning and file integrity monitoring extend its value.
  • Feature-rich includes functionality not typically present in other SIEM's such as vulnerability scanning, UEBA, file integrity monitoring, NIDS
  • Simple to configure and deploy.
  • Relatively inexpensive compared to other enterprise SIEM solutions.
  • While there are many features, many of them are not very advanced. Vulnerability scanning as an example is extremely simplistic and almost unusable for an enterprise organization. It's just enough to get a program off the ground.
  • Cloud-only deployment model (SaaS) may not fit all organizations. Not all organizations are "cloud friendly".
  • Reporting capabilities out of the box are lackluster. Vulnerability management reporting as an example does not include a single canned report.
AlienVault USM is well suited for smaller organizations or organizations of any size that are just lifting their security operations or security monitoring program off the ground.

AlienVault USM is less appropriate for more mature organizations who have the staff to support more advanced security operational capabilities or engage in advanced threat hunting. Also, organizations who like more ability to add internally developed functionality into their SIEM through scripting or other automated response activities.
Like most situations, you get out what you put in. AlienVault is not going to filter up to every malicious activity occurring in an environment right out of the box. There is plenty of work to be done to get log sources ingested in a prioritized manner, to get basic rules tuned, and to integrate it with other solutions, where it makes sense. This maturity can take years to put in place in many cases. Once AlienVault USM is set up and tuned properly and has all log sources ingested, it is very good at finding things in an environment. It requires constant maintenance moving forward however to ensure that as tech landscapes change, the alarm rules are properly configured, and new ones are added.
Matthew White
July 16, 2019

AlienVault USM Anywhere - Cost effective SIEM-as-a-service

Score 10 out of 10
Vetted Review
Verified User
AlienVault USM Anywhere provides us with SIEM, at a low price point and with a great array of functionality. SIEM is critical to our security operations and feeds incident response efforts. We use it to monitor logs and events from our applications and server platforms, integrating many of our other security products into the flow of data into USM Anywhere, for centralized logging and event management.
  • AlienVault USM Anywhere is easy to deploy with their cloud-based model and deploying the required agents on-prem (or in the cloud) is quick and easy.
  • Custom rules allow for alerting based on content from events and you can even trigger agents in response to threats, shutting down computers or grabbing forensic info for incident response.
  • USM Anywhere also takes care of reporting for ISO and PCI, allowing you to pull reports for auditors at a moment’s notice.
  • With many integrations out-of-the-box, you can pull in all the data from products you use and other sources, such as Amazon CloudWatch Logs.
  • We would love to be able to create custom rules based on a series of events, to create rule-sets where, for example, failed logins to the VPN Server are logged and then when a successful attempt follows soon after, it triggers an alarm for a Brute Force. It does this for things like OKTA already, so control over which events this applies to would be great.
  • More data tiers - something between 250GB and 500GB tiers, maybe break it down into 100GB tiers?
  • Integration with OpsGenie would be great.
AlienVault USM Anywhere is a great SIEM and if you need to deploy a SaaS solution then it is suited very well. It works very well for us being 100% AWS and integrates well with our toolset and AWS features. The AT&T Alien Labs Open Threat Intelligence (OTX) is perfect for providing context on events and feeding our incident response processes.
We have found OTX to be a valuable source, and the tight integration with USM really helps eliminate false positives. Being able to submit your own information into OTX also adds value and helps put context on threats. We sometimes find IP addresses can be out of date in OTX and linked to old threats, but it's good to see the history of what has occurred on this IP and you can go back and look for historical indicators of compromise in your data.
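The event-sequence rule this review asks for (a run of failed VPN logins followed shortly by a success), as an added example that is not part of the review or of AlienVault's product. The syslog-style line format, the field names `user`/`src`, the threshold and the window are assumptions, and the sample lines are constructed.

```python
"""Correlation rule: N failed logins followed by a success within a window.

Added example, not AlienVault code. The log format, field names,
threshold and window below are assumptions for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real data). One auth event per line.
# alice: 5 failures then a success within seconds  -> should alarm
# bob:   1 failure then a success                  -> below threshold
# carol: 5 failures, success 45 minutes later      -> outside window
SAMPLE_LOG = """\
2019-07-16T08:00:01Z vpn1 auth: FAILED user=alice src=203.0.113.5
2019-07-16T08:00:04Z vpn1 auth: FAILED user=alice src=203.0.113.5
2019-07-16T08:00:07Z vpn1 auth: FAILED user=alice src=203.0.113.5
2019-07-16T08:00:09Z vpn1 auth: FAILED user=alice src=203.0.113.5
2019-07-16T08:00:12Z vpn1 auth: FAILED user=alice src=203.0.113.5
2019-07-16T08:00:15Z vpn1 auth: SUCCESS user=alice src=203.0.113.5
2019-07-16T08:05:00Z vpn1 auth: FAILED user=bob src=198.51.100.7
2019-07-16T08:30:00Z vpn1 auth: SUCCESS user=bob src=198.51.100.7
2019-07-16T09:00:00Z vpn1 auth: FAILED user=carol src=192.0.2.9
2019-07-16T09:00:01Z vpn1 auth: FAILED user=carol src=192.0.2.9
2019-07-16T09:00:02Z vpn1 auth: FAILED user=carol src=192.0.2.9
2019-07-16T09:00:03Z vpn1 auth: FAILED user=carol src=192.0.2.9
2019-07-16T09:00:04Z vpn1 auth: FAILED user=carol src=192.0.2.9
2019-07-16T09:45:00Z vpn1 auth: SUCCESS user=carol src=192.0.2.9
"""

# Assumed line layout: "<ISO timestamp> <host> auth: <RESULT> user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: (?P<result>FAILED|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that
    do not match the expected format (they are skipped, not raised)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=10)):
    """Return one alarm per SUCCESS that was preceded, for the same
    (user, src) pair, by at least `threshold` FAILED events inside `window`.

    Failure timestamps are kept per pair in a deque; entries older than
    the window are dropped before each event is evaluated, so a success
    long after the failures does not fire. A success resets the pair's
    counter whether or not it alarmed.
    """
    failures = defaultdict(deque)
    alarms = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        q = failures[key]
        # Expire failures that fell out of the correlation window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["result"] == "FAILED":
            q.append(ev["ts"])
            continue
        if len(q) >= threshold:
            alarms.append({
                "user": ev["user"],
                "src": ev["src"],
                "failures": len(q),
                "first_failure": q[0].isoformat(),
                "success_at": ev["ts"].isoformat(),
            })
        q.clear()
    return alarms


if __name__ == "__main__":
    for alarm in detect_brute_force(SAMPLE_LOG.splitlines()):
        print("ALARM possible brute force:", alarm)
```

Tracking the pair (user, src) rather than the user alone keeps a legitimate user who mistypes a password from being merged with a distant source that is guessing it; tune `threshold` and `window` to the baseline of the VPN in question.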
Forrest Berrey
June 19, 2019

A tool with great short and long term return on investment

Score 9 out of 10
Vetted Review
Verified User
We use the USM Anywhere SIEM for our corporate security program currently, separate from our application security team in charge of our cloud environments our SaaS offering is hosted on. This solves the compliance and security issues we face as an organization for forensically sound log storage as well as data aggregation for correlation.
  • The integration setup for syslog forwarding and native web apps partnered with the platform is a very simple setup.
  • Deploying sensors in cloud systems usually follows a pre-defined build flow for ease of sensor deployments and scaling.
  • For perimeter defense, as long as your defended organizational structure uses Active Directory or another LDAP replication type service, vuln scanning and KIDS is a breeze.
  • For highly distributed workforce issues, the system requires a lot of third-party integrations to collect data for automation.
  • Customization can be lacking in areas without significant help from their support teams.
  • Building rules for filtering, suppression, and custom alarms can be a steep learning curve, although this is slightly offset by their training offerings.
The system works very well for 'legacy' perimeter defense based networks that rely on centralized network traffic and remote management solutions for the internal networking and endpoint devices. For architectures adopting a zero-trust/BeyondCorp mentality, the system can still be useful but requires either investment in third-party tools to collect information otherwise unavailable to the system, or significant custom infrastructure tools to support many orchestration functionalities.
The USM system is built with certain data ingress engines that work really well to identify and correlate suspicious activity. Since the company runs a threat intelligence feed in the form of the Open Threat Exchange, the IOCs they detect and report on are then built into the detection engine to give solid threat data. This can create a large amount of false positive during initial deployment depending on your environment, but the majority of noise can be effectively suppressed with their rule creation wizard that automatically brings in the fields on an alarm or event.
John DeLay
May 31, 2019

USM SaaS implementation for AWS and linux instances

Score 9 out of 10
Vetted Review
Verified User
We use AlienVault USM across our entire organization, which includes 5 separate SaaS products. At a basic level, we use the core/default functionality of AlienVault to watch our AWS account. Beyond that, we use it to collect and analyze logs for suspicious activity. The ability to track and respond to suspicious events and document them completely is super key to our organization. The reporting functionality is key in allowing me to demonstrate our processes over time to show we watch and respond to alerts.
  • Log analysis, both syslog and AWS cloud trail, and searchability/reporting is actually better than most of our other related tools: All of our systems send log information using rsyslog to our AlienVault USM system. AlienVault is able to alert us of many issues with minimal configuration, including adding/removing users to sensitive groups, creating or removing resources such as EBS volumes, S3 buckets, or security groups.
  • AWS loadbalancer traffic/log analysis: AlienVault automatically identifies threatening IPs or entries that match suspicious traffic patterns.
  • The ability to search the many logs AlienVault collects in a way that even novice users can follow is super valuable. Logs can be quickly sorted by source, log type, and/or keyword searches. There have been many occasions where we were able to find non-security related issues due to the simple yet advanced search abilities of AlienVault. This has led to the challenge of deciding when and how long to allow non-security personnel access for troubleshooting.
  • AlienVault's lack of support for Docker may be its undoing at my company. It clearly stands above other products that fit our company, but we are adopting Docker at an ever-increasing rate. I don't want to support multiple security products, so it would be super cool if a solution to this challenge were found quickly.
  • Enriching data is super key to allowing us to set up alerts for and filter events. This process is rather painful. This significantly increases the cost of maintaining AlienVault. Specifically, several auditd and standard AWS logs do not allow me to filter based on keywords in the message. Here is one example:
        User: arn:aws:sts::2#########:assumed-role/qe-lambda-role/qe-batch-run-dev-frontend_batch_runner is not authorized to perform: logs:CreateLogStream on resource: arn:aws:logs:us-east-1:#########:log-group:/aws/lambda/qe-batch-run-dev-frontend_batch_runner:log-stream:2019/05/30/[$LATEST]########################
  • The ability to configure AlienVault to run security scans using SSH on systems is prohibitively difficult to use, especially when using a Bastion.
  • Making OSSIM work is a huge pain. I could not find AlienVault documentation that covers how things work and how to properly integrate it.
AlienVault is great at ingesting and processing information from multiple sources. It is excellent at monitoring AWS "things" out of the box, such as user management, network traffic through load balancers, or monitoring devices with sensitive data. I was surprised at how easy this was to start using immediately after purchase. This was a huge selling point. We had tools in place to monitor much of our environment, except AWS. Once the AlienVault system was in place, the rest happened naturally. It's now the most critical security system that we have.

It seems a bit poor when creating alarm filters that only trigger after "x" number of times. I know this can be done with escalation alerts. Keeping noisy alerts out of the UI is key to prevent alert fatigue in our more junior team members.
In general, AlienVault seems to be noisy. I'd like the ability to specify a group of users that can create security groups with sensitive ports exposed to the web, but I don't believe this is possible. I know how to do this per user. I don't believe groups are something we can specify.
AWS Inspector is a product that does very well against AlienVault for doing system level scans. It is also very expensive and cannot be customized at all.

PEN testing is not something that AlienVault does and I'm assuming that is intentional.

Network IDS isn't integrated into AlienVault or is very basic. I am assuming the plan would be to implement something like tripwire and have logs from that system sent to AlienVault. Obviously, we would like it to do absolutely everything and do it very well:) That said, I highly doubt that is an option. If this can be done, please don't let me slow you down.
Agustin Larrarte
August 14, 2019

Great value for organizations who wish to realize the value of SIEM

Score 6 out of 10
Vetted Review
Verified User
We have used Alienvault USM in our PCI environment to detect the most common threats. We have discovered it added extra value to our organization by creating visibility on security issues we didn't know of before. On the downside, the on-premise version of Alienvault USM can get slow after loading it with a lot of machines (when doing big queries) and doesn't adapt very well to dynamic environments, but their on cloud version is definitely making that better.
  • Reports the most common threats in real time and takes immediate automatic actions. I think this is strong if you don't have a team monitoring 24/7.
  • Connects with signature providers and keeps up-to-date well with 0 vulnerabilities. I don't need to explain why you may want to be protected against the newest threats.
  • The UI is very easy to get used to, which will make you adapt to its use quickly.
  • This tool will become slower and slower as you start adding devices to it, the on-premise version has a lot of room for improvement here, the database is slow.
  • The on-premise version of Alienvault USM will not support dynamic environments where people are constantly removing/adding new virtual machines, and doesn't cope with Puppet management.
  • Only the most common hypervisors are supported; it could be good to have an image for Xen.
The on-premise version of Alienvault will be very good for environments that don't change a lot over time, it will provide good information about security issues on your premises. I would not recommend using this if you have a big private cloud where a lot of changes are being made. Go with the cloud version if that's your case.
Threat detection is very detailed and gives you all the information you need to start investigating a security issue. The simplicity to suppress or filter information is great. Alerts contain a full breakdown of the event and recommendations for response. Integrations although limited (Alien Apps) are very helpful. The correlation tools are excellent, you just need to feed it the right data.
Brian Lindow
August 13, 2019

Simple and easy to install/manage SIEM tool with small infrastructure footprint.

Score 9 out of 10
Vetted Review
Verified User
AlienVault is our SIEM tool that addresses the enterprise looking for indications of compromise. This was a finding in an internal audit a few years ago so it follows more of a compliance requirement.
  • Active Directory login requests
  • Logs on the Domain Controls
  • Only showing alerts that have a high indication of compromise and reduces false positives.
  • Trimming of log files to stay within limits
  • Projecting any future storage costs from AlienVault
Well suited for a small InfoSec team that has limited time to manage the tool and respond to alerts. If you have a larger team that wants more detailed data that could be used for AppDev troubleshooting, then a different product is probably better.
AlienVault has been more effective than tools that I have previously used for several reasons. One is the ease of install and use compared to other products that you end up turning off since they are too hard to use. Second, the infrastructure footprint is minimal since it is cloud-based and doesn't require extensive infrastructure time.
Magdiel Hernandez
August 02, 2019

AlienVault USM, missing the versatility of the golden days.

Score 5 out of 10
Vetted Review
Verified User
We use AlienVault as our primary SIEM tool. Our SOC uses the tool to create alerts, monitor suspicious patterns, receive alerting, and investigate security incidents.
  • Creation of dashboards.
  • Creation of metrics that we utilize in our monthly reports.
  • We like the way alerts are being sent to us and the information they provide.
  • Their customer support is the worst, and sadly this has been consistent every time we've had to reach out to them.
  • The account execs have ZERO flexibility regarding making deals and meeting us halfway.
  • The features do not work as advertised.
While it is well suited if you are a small organization starting a security practice, AlienVault fails to deliver when it comes to medium or large corporations, as there is very little flexibility from the tool to create alerts. Also, plugins in this time are definitely not the way to go.
It is not very good. I have detected many times when AlienVault is behind by a span of several hours when compared to other technologies, such as Crowdstrike or LogR.
Ryan Hart, MBA
July 29, 2019

Better than Splunk

Score 10 out of 10
Vetted Review
Verified User
We used to monitor our web application, firewall, and our G Suite logs. AlienVault USM solves the problem of manually monitoring logs. We were able to filter our alerts to ignore known non-threatening behaviours. AlienVault USM also gave us a more efficient way to search our logs rather than viewing the raw log files in our data provider.
  • Easy to Install
  • Good use of filters
  • Great training
  • Good support documentation
  • Paying per GB of usage is not ideal
AlienVault USM provides good overall value and support. I am not a fan of on-prem monitoring hardware. Alien Vault USM has fantastic cloud-based monitoring solutions which we host in our cloud environment.
AlienVault USM is only as effective as you configure the filters and ensure your data is being digested. Provided those two items are being done, AlienVault USM is a FANTASTIC vendor for monitoring our security.
Alex Kranz
April 04, 2019

AlienVault USM: better than expected and a convenient way to maintain security compliance

Score 7 out of 10
Vetted Review
Verified User
We use AlienVault USM to monitor and secure our AWS, Azure, and Office 365 environments. The primary use of the product is to maintain PCI compliance. The various PCI reports save a significant amount of time each year during our security audits. We use it to collect logs from Windows, Linux, and cloud environments into one convenient location.
  • The integrations are very end-user friendly.
  • The user interface is fairly intuitive.
  • The PCI reports are extremely time-saving.
  • The cross-platform compatibility makes hybrid environment management much easier.
  • The "Agent" has caused many problems in our environment.
  • The AlienVault server seems to get overwhelmed quickly and could use an option for greater scaling for larger installations.
  • The documentation is often lacking on details. The documentation often covers what specific steps to take but does not cover why or how certain items work.
  • The user interface is missing many features for bulk/large-scale operations. Such as the ability to close more than one page of alarms at once.
  • The "report false positive" does not provide a way to easily remove items so they still show up in audits.
  • There is no way to reconfigure many checks to avoid false positives.
  • The system lacks transparency for many security or infrastructure operations.
AlienVault is well suited for monitoring environments, especially standard Linux environments, and is great at generating non-technical reports. The standard user interface allows non-technical individuals to navigate the system and generates clean-looking, easy-to-understand reports. The system is not as well suited for Windows environments or any non-standard configurations; for example, integrating custom software/scripts is very challenging. File integrity monitoring on Windows has been very frustrating.
The ability to integrate logging from AWS, Azure, Office 365 and more has been extremely helpful. It allows me to see active security issues in multiple environments and tell if there is a correlation between any events. AlienVault is crucial in actively alerting me to issues regarding possible security breaches. The software can, in some cases, over-report. However, that is more a symptom of configuration than an issue with the product.
Daniel Jones
June 19, 2019

AlienVault Is a Success

Score 9 out of 10
Vetted Review
Verified User
AlienVault is being used for the Security Team to see all host and network traffic. This real-time SIEM is tuned to give us alarms we actually need to look at on a daily basis. This addresses anything from malware to network, system and email breaches.
  • Deployment with the sensors for USM Anywhere.
  • Support
  • Responsive UI
  • Alien Apps
  • Agents offline
  • Easier agent deployment on host.
  • Quicker response from engineers, and not just having engineers send a document for the fix.
AV is beneficial for monitoring all hosts in an environment. I can't think of a scenario where it is less appropriate.
We had a lot of false positives at first; once we tuned it to get real-time alarms, this became a great tool to have. We get threat intelligence from multiple systems we run for our organization.
Jeremy Wilkins
June 12, 2019

USM Anywhere does what it says.

Score 7 out of 10
Vetted Review
Verified User
AlienVault USM is being used to aggregate, inspect, and correlate both Windows/Linux logs and our Data Center network traffic. It is used exclusively by the SOC team for threat hunting and EDR.
  • VMWare Sensor deployment is very easy.
  • Dashboards are nice and clean.
  • Network monitoring and Syslog collector just work.
  • USM Anywhere does not support Netflow or any variation. SPAN and RSPAN are currently the only methods to monitor IP flows.
  • USM Anywhere tech support is lackluster. I have opened two tickets and struggled to receive knowledgeable technical assistance.
  • USM Anywhere does not do scheduled report delivery in any format. Reports are run on demand and must be printed to PDF for distribution.
Well suited for smaller SOC teams or lean IT departments. A self-driven admin with experience in networking and server administration can find all the resources needed online.
I started receiving actionable event and alarm data immediately upon deployment of my first sensor and a few agents. Root cause analysis is simplified by being able to drill down into Alarms and associated events.
Dana Williams
June 05, 2019

AlienVault USM - a single solution in a complex world

Score 5 out of 10
Vetted Review
Verified User
Globally as a SIEM/FIM solution.
  • FIM with limits.
  • Vulnerability scans (with agents installed as opposed to "NXlog").
  • Dashboards.
  • Need to be able to comment on issues flagged by AlienVault so that other users may know what has been done for triage.
  • Single pane of glass, need to have a shared dashboard that is customizable.
I find AlienVault easy to use, and the learning curve is less when compared to some of the other solutions available. This is especially important for small to medium-sized companies with small staffs. I think of it as what we need and not necessarily what we want in a solution.
The ability to comment on issues within the application is rather important, as now I can 'label' an issue and assign it to myself or others but cannot include what steps have been taken thus far. That means a separate email communication is necessary.
Stephen Squires
June 01, 2019

AlienVault USM gives more visibility than I have ever had in one pane of glass.

Score 9 out of 10
Vetted Review
Verified User
AlienVault is deployed across the corporate infrastructure to centrally manage security logs on all servers via the agent. Sensors are deployed in the corporate network to monitor and scan workstations and servers for vulnerabilities and perform discovery scans for new systems on the network. The firewalls also supply syslogs to the sensors. Office 365 is monitored via an Azure sensor, along with Azure infrastructure.
Production systems are monitored using agents and a sensor.
  • Effective correlation of various log sources to provide useful alerts.
  • An agent provides detailed logs of events on every system, be it Windows, Linux, or MacOS, to the point you do not have to log in to each machine to review security logs.
  • Provides auto detection of log sources and effective mapping of the log data to key fields.
  • Pre-built alerts allow AlienVault to be effective right away. There's no need to spend days creating alerts for it to be usable.
  • Has powerful search capabilities once the logs are in AlienVault.
  • Has the ability to run queries on agent systems based on an alert trigger (e.g. list of logged-on users).
  • The biggest challenge is the deployment of the Agent. It requires logging onto each system and running the install script manually. You need a GPO or a scriptable way to push the agent.
  • We would like the ability to limit access to specific sensors for users that have been given access to AlienVault. Currently, if an analyst has access to AlienVault, they can see all data sources and logs.
  • We saw a lot of false positive results in the beginning, requiring a bit of tuning to suppress some rules.
  • There's no ability to suppress Vulnerabilities identified in the vulnerability scanning component.
The Office365 log management & searching is terrible using native Microsoft tools, plus you are limited to 90 days of log retention in O365. AlienVault has great integration with Palo Alto FWs. The biggest point to note is that AlienVault is only designed for security logging. It is not designed to capture & search application logs, for example. It is not Splunk.
AlienVault is very effective in detecting O365 logins from multiple regions for the same users, allowing us to detect compromised accounts. The integrations with Palo Alto FWs allow the detection of users connecting to known C&C addresses.
Ryan Collins
May 27, 2019

Alienvault gives you eyes without the extra bodies :)

Score 8 out of 10
Vetted Review
Verified User
AlienVault was selected as our SIEM solution to provide cutting-edge monitoring, analytics and alerting, and it has the added benefit of being able to conduct vulnerability assessments and provide endpoint detection and response. There is a lot of noise when deploying any SIEM solution, but AlienVault is unique in that it can be effective practically right out of the box, and anything required beyond that is satisfied by their great support team and available training. I have found that USM Anywhere can fill a critical gap in your security program, and I would recommend it for small, medium, and large businesses.
  • Anomaly Detection and Identification
  • Digital Forensics/Incident Response
  • Log Correlation and Built-in Attack Signatures
  • Cloud Security Monitoring
  • Would be nice to have better error messaging, specifically around credential failures.
If you have a new, small company that needs effective monitoring and alerting right out of the box, I would say that AV has a lot less deployment and overhead than many SIEM solutions. That said, it can scale quite well and is particularly nice to operate when dealing with cloud infrastructure.
Due to the predefined correlation and orchestration rules, baked-in dashboards and reports, I would say it is a leader in providing effective threat detection and ROI within a very short period after deployment, from my experience.
Francis Aghedo
May 17, 2019

AlienVault USM..making sense

Score 8 out of 10
Vetted Review
Verified User
The USM is being used by the IT department as a SIEM, giving our organization a 360 view of what's going on in the network infrastructure, with more focus on the critical infrastructure that has been plugged in to send all of its log activity. The AlienVault USM has made it simple through the creation of plugins, which make it easier to express the logs in simple expressions for easy understanding.
  • Large plugin base to accommodate different devices.
  • Easy to deploy.
  • Easy management.
  • Makes network monitoring and actionable steps clear and simple.
  • Updating the appliance to a newer version.
  • More control over which devices will be allowed to log into a database and which ones that should just appear, so that the database will not get filled up quickly.
Threat detection both on-premise and external, especially the feature of having the OTX, which comes in handy in giving more insight as to the threat being faced. The OSSIM feature is also a big plus, where HIDS for Windows- and Linux-based workstations and servers can be monitored. The correlation rules are made easy for any admin to manage.
AlienVault helps in:
- Threat insight through OTX.
- Network Intrusion Detection System.
- Host Based Intrusion Detecting Solution.
- AlienVault gives the ability to monitor up to 5 public IPs, which we use in knowing the hit trends to our network.
- The deployment steps are direct and easy.
Kirk Fischer
May 10, 2019

A very positive step towards keeping our network secure!

Score 8 out of 10
Vetted Review
Verified User
We use AlienVault USM across our entire organization. It was purchased to help us improve our ability to respond to cyber security threats by keeping up with patching and tracking down vulnerabilities on our network. We took these steps after paying to have penetration testing done on our network.
  • AlienVault USM helps our IT staff stay on top of patches.
  • AlienVault USM makes it easier for our IT staff to track down vulnerabilities.
  • AlienVault USM provides steps to correct any vulnerabilities that may arise.
  • AlienVault's staff were very helpful in setting up their product on our network. There was plenty of opportunity for training.
  • AlienVault USM can be cumbersome for a small IT staff to manage. We still use AlienVault USM but now pay a third party to help us manage it.
AlienVault USM is appropriate for companies looking to improve cyber-security without investing heavily in additional IT staff. There is a considerable learning curve associated with this product so it's worth considering letting a third party manage it for you.
AlienVault USM is much more comprehensive than other security technology that we had previously used. It allows us to stay up to date on important preventative measures for keeping our network safe and provides detailed directions for addressing issues.
Corey Foster
May 08, 2019

Alienvault is wonderful

Score 10 out of 10
Vetted Review
Verified User
AlienVault USM Anywhere is being used across the entire organization, for full network monitoring of all systems including election systems. We also are using AlienVault in our Azure environment for monitoring of applications and virtual machines that are housed in the cloud. This is through firewall logs and the AlienVault Agents.
  • Normalization of logs that it receives
  • Known threat alerts
  • Amount of data it keeps track of
  • Easier connection with the Cisco Umbrella system
  • Better systems integrations
  • Simpler log clean ups and alerts
AlienVault USM Anywhere is well suited to log normalization and log retrieval. It helps in reviewing logs in one location so you are not bouncing from one server or piece of equipment to the next to view logs and network traffic. It helps to make the job a little bit easier to perform.
XianJiang Cai
April 29, 2019

Accurate, easy to setup, no maintenance required, but UI needs to improve.

Score 8 out of 10
Vetted Review
Verified User
USM is being used for our whole organization. It is deployed via sensors in various regions to capture in/out data for monitoring potential risk. We use USM as a central logger and analysis system, also collecting data from firewall/VPN, Office365, CrowdStrike and others. It's convenient to integrate various plugins for gathering data/alerts from different clouds/platforms. The whole system setup is pretty straightforward and not difficult to use.
  • Risk analysis is accurate. Cloud-based rule update means less hassle.
  • Integrated plugins help centralize log/alert into one system.
  • Filter/suppress rule is very easy to set. Easy to fit to our current traffic pattern.
  • It's a pain to check each individual alert for detail, I wish there was a popup window or something similar to quickly go through each unusual alert.
  • The UI seems not that efficient, and a little bit slow in my opinion.
  • I wish we had a Kibana-like quick search criteria change function, click and go.
It has done very well on a complicated network environment. It detects risk very well. No need to mess with Suricata rules.

We also deploy Suricata + Kibana + ES alongside a USM sensor. Both act pretty much the same. USM does have the advantage of stacking or reducing duplicated alerts. We found lots of coin miner programs via USM. That helps a lot. We also fixed some configuration issues based on various attack attempts detected on USM.
Tim Valus
April 25, 2019

AlienVault USM from the perspective of a non-security IT department

Score 9 out of 10
Vetted Review
Verified User
AlienVault USM is being used by the IT department for its vulnerability scanning, intrusion detection, and event correlation. It's a fairly new product for us and we're still getting acclimated to it but so far it's been very useful in giving us greater visibility into our environment.
  • Vulnerability assessment is very good. Especially with the software on servers and workstations.
  • Event correlation has helped tremendously by centralizing all the data into one feed that we can filter easily.
  • Support, training, and implementation were top notch. Very helpful people who answered questions clearly and concisely.
  • For a company that is on the smaller side as far as the number of employees and computer systems, the storage available in our tier could get eaten up quite quickly. It wasn't that easy for us to know where to go from a storage tier startup standpoint.
AlienVault USM is very well suited for a small to medium-sized business who may have 20+ servers and 50-75+ workstations in use but who may not have a dedicated security person/team, or the security tools that are becoming more and more needed in businesses of almost all sizes these days. There is also an MSP version of AlienVault USM, so even smaller companies could leverage the product through one and still get all the intelligence without the need for a person or department to operate the software.
AlienVault USM is the first security technology that we have used in any sort of formal way here so I can't really compare it to any other products that were used in a production environment. That being said, the very next day following implementation, AlienVault USM alerted me to an attempted breach of one of our systems. So in my mind that says quite a bit about its effectiveness. I would hope other products would be as good, but I know that AlienVault USM is.
Elliott Yau
April 25, 2019

Pretty good at what it does, but could be improved.

Score 8 out of 10
Vetted Review
Verified User
We use AlienVault USM to satisfy PCI DSS requirements. Namely event logging and audit, change audit, and Intrusion Prevention services.
  • Lots of built-in out of the box functionality.
  • Easily satisfies several PCI DSS requirements.
  • Event logging is easy to navigate and presented well.
  • Initial setup is quite tedious.
  • Network setup for IDS caused us to bring our network down a couple of times.
  • Reports aren't very good.
AlienVault USM is good for meeting PCI DSS requirements but is not very appropriate if you need only bits and pieces from the application. It's good for bigger companies, although the cost may scare off smaller businesses.
It's pretty good at detecting threats. Although there have been quite a few false positives that we've had to go and whitelist. For example, some of the agents on the DC are extremely noisy, filling our storage with mundane event logs.
Clint Siebert
April 19, 2019

AlienVault proved itself after one day.

Score 7 out of 10
Vetted Review
Verified User
Currently it's only being used by the IT department to identify suspicious network activity, which we did not monitor prior to implementing AlienVault. One day after implementing AlienVault, we were notified of a bitcoin miner on our FTP site. Sure enough, when I logged into that machine and ran a malware scan, it picked up a Bitcoin Miner.
  • Report suspicious network activity.
  • Display all threats in a nice dashboard.
  • Notify me of what other people have encountered with "Pulses."
  • Make initial setup easier.
  • Make their certification test not so ridiculously tedious with oddly specific questions.
  • Provide better remediation steps.
Well suited: monitoring strange network traffic.
Not well suited: for people who expect an easy plug-and-play solution.
As I mentioned earlier, we had only one day go by and AlienVault detected a bitcoin miner on my FTP server. This thing could have been running indefinitely had AlienVault not notified us of the suspicious activity. We are at a point now where we really need all the help we can get to manage these threats. AlienVault did that for us after one day.
David Green
April 12, 2019

Alien Vault USM goods and not so goods

Score 7 out of 10
Vetted Review
Reseller
We are 200 employees strong and have a presence in 5 states. We utilize AlienVault (AV) across our entire MPLS network. It addresses the issue of visibility of our servers and workstations to analyze potential threats and less common issues with auditing we wouldn't otherwise catch but which can cause major issues if not resolved.
  • AlienVault is very customizable. We can set up many built-in rules and alerts which saves time but can also be extremely granular to properly scan our unique network.
  • Great technical support. When I need assistance setting up a new sensor or target scan, AlienVault engineers are there to assist and get me on track.
  • Although the interface shows a lot of development and thought put into it, there are some buggy issues at times with simple form submission and web navigation.
  • Initially setting up Alien Vault in our environment was challenging and there was a lack of support around the “hardware level” meaning our VMWare environment.
AT&T sold us AlienVault as a replacement for penetration testing, but before investing do your research. AV is a great tool but ultimately is just a SIEM. It's the best SIEM on the market but it does have limitations. AT&T needs to be aware of this and how they sell this.
Other security measures like antivirus only find malicious threats after they have infected one or multiple computers. AlienVault's real-time scanning can detect these threats as they are attempting to propagate through my network.
Tyler Michels
April 11, 2019

AlienVault OSSIM SaaS Review

Score 8 out of 10
Vetted Review
Verified User
This is currently being used across our corporate environment to help monitor our firewalls that process all associate traffic, Active Directory, O365, etc. This product has helped us to gain more visibility into the traffic that is being sent across our network and helps identify threats quicker. Currently, the Security department is in charge of all that is AlienVault, and has given read access to a few neighboring departments.
  • Ability to tune alarms and events to your liking. Very easy to get rid of false positives that are known in your environment, and create actionable alerts for legitimate alerts.
  • The simplicity of the dashboard. Everything within AlienVault USM Anywhere is easy to navigate and configure. From sorting logs to creating new users, the layout is natural and easy to figure out.
  • The Architecture of the SaaS deployment went smoothly and is very simple and expandable. Very little to worry about on our side with great results.
  • Support response time and incident handling have some room to improve. We had major issues with a sensor, and it took several days to get a response. Once we got a response the issue was corrected, it just took a while to get our engineer on the phone.
  • Small bugs in the way that the syslog packets are read and normalized. Reading the time in the packet wrong has been the biggest issue we have found so far that is without a solution.
  • Complicated Architecture to fully use the product. Requiring port mirroring to use the IDS portion of Alienvault is quite challenging when dealing with a large network size and diverse locations such as ours.
Has generated many actionable alerts that we chased down and identified as real threats in our environment. The correlation with OTX has proven to be quite useful and saved a lot of time when trying to determine if a specific host is malicious. The integrations with firewalls could be a bit better so that the IDS component in AlienVault can be fully utilized without using port mirroring.
The OTX platform has proven to be instrumental in identifying threats in our environment quickly and accurately. The ability to correlate login events to known malicious hosts, and generate actionable alerts has been the most utilized feature and generated the most actionable alerts. We did not get far enough into testing Exabeam to determine how their product handled these types of identifications, but I am quite impressed with Alienvault's solution.
Dustin Hannon
April 06, 2019

Things to think about

Score 6 out of 10
Vetted Review
Verified User
It is being used by the IT department for internal vulnerability scans and log collection. It also plays a role in providing information to our internal and external auditors.
  • It is good at doing internal scans of end-user devices to find vulnerabilities without the need of installing an agent or client on each device.
  • It is good at being a log server. A place to send logs for all of your networking devices, such as switches, firewalls, and other solutions that accept log servers.
  • Its ability to collect logs from Barracuda solutions needs heavy improvement. How it collects and organizes the data isn't very useful.
  • The end device client, which is optional and can be installed on any device you want to collect more data from, has compatibility issues with quite a few products we use, and anti-virus software in particular doesn't like it. We have also had some performance issues with devices the client is installed on.
  • The way collected data from all devices and locations is presented to the user in the web portal is not as user-friendly or as clean as it could be. It tends to show too much useless data and too many categories, making it easy to miss the important parts.
AlienVault was not a replacement for any of our current solutions. It was an addition to them, because it collects some data our other solutions do not. We hoped for AlienVault to be able to replace most if not all of our similar solutions and log servers, but it just doesn't get the job done on that front.
Our environment is complex and stretched across many physical offices. This limited how we were able to use AlienVault. We are not currently able to use or enable all of its features. In a simple network infrastructure, AlienVault would do much better.
Note that the cost of the AlienVault product itself will most likely not be your only costs. It will require your network engineer(s) to spend multiple hours configuring or re-configuring your infrastructure to make some of its features work, such as mirror ports and virtual hosts to collect all network traffic from your core.
AlienVault is a good product for detecting vulnerabilities, but does not replace our other solutions.
For instance, our firewall solutions do a much better job at logging and providing real-time alerts of issues and attacks. Our SAL monitoring solutions provide uptime and performance monitoring that is outside the scope of features for AlienVault.

Feature Scorecard Summary

  • Centralized event and log data collection (1 rating): 8
  • Correlation (1 rating): 8
  • Event and log normalization (1 rating): 8
  • Deployment flexibility (1 rating): 7
  • Custom dashboards and views (1 rating): 6
  • Host and network-based intrusion detection (1 rating): 7

About AlienVault USM

AlienVault USM Anywhere is a cloud-based security management solution that promises to accelerate and centralize threat detection, incident response, and compliance management for cloud, hybrid cloud, and on-premises environments. The vendor says that USM Anywhere includes purpose-built cloud sensors that natively monitor your Amazon Web Services (AWS) and Microsoft Azure cloud environments. On premises, lightweight virtual sensors run on Microsoft Hyper-V and VMware ESXi to monitor your virtual private cloud and physical IT infrastructure.

USM Anywhere aims to help you rapidly deploy sensors into your cloud and on-premises environments while centrally managing data collection, security analysis, and threat detection from the AlienVault Secure Cloud.

Five Essential Security Capabilities in a Single SaaS Platform

AlienVault says that USM Anywhere provides five essential security capabilities, giving you everything you need for threat detection, incident response, and compliance management, within one platform. With USM Anywhere, you can focus on finding and responding to threats, not managing software. USM Anywhere can readily scale to meet your threat detection needs as your hybrid cloud environment changes and grows.

  1. Asset Discovery
  2. Vulnerability Assessment
  3. Intrusion Detection
  4. Behavioral Monitoring
  5. SIEM

Try USM Anywhere in your environment—free for the first 14 days.
www.alienvault.com/products/usm-anywhere/free-trial

AlienVault USM Features

Security Information and Event Management (SIEM) Features
  • Centralized event and log data collection
  • Correlation
  • Event and log normalization
  • Deployment flexibility
  • Integration with Identity and Access Management Tools
  • Custom dashboards and views
  • Host and network-based intrusion detection
Additional Features
  • AlienVault Open Threat Exchange

Pricing

Free Trial Available? Yes
Free or Freemium Version Available? Yes
Premium Consulting/Integration Services Available? Yes
Entry-level set up fee? Optional

AlienVault USM Support Options

Support channels for the free and paid versions:
  • Phone
  • Email
  • Forum/Community
  • FAQ/Knowledgebase
  • Social Media
  • Video Tutorials / Webinar

AlienVault USM Technical Details

Deployment Types: SaaS
Operating Systems: Unspecified
Mobile Application: No
Supported Countries: Global