TrustRadius
Review: AlienVault USM - A Solid Tool to Launch Your SecOps Program

Use case: AlienVault is a great SIEM for organizations who are either new to security operational logging and wish to purchase a sound solution at a lower price point, or those with a smaller staff and potentially IT budget that wish to buy a solution that can accomplish many different tasks. Our use of the platform extends across the global organization. We have documented multiple use cases that we are working through within the AlienVault platform, such as vulnerability management and scanning, malware detection on clients and servers, malicious network traffic moving laterally and vertically throughout our environment, etc. As is the case with any SIEM, they are only as effective as the log sources that they ingest allow them to be. We are pulling in Windows client and server event logs (filtered to specific EventIDs), DNS, DHCP, AWS CloudTrail/CloudWatch logs, NIDS sensor logs, firewall logs, and are also working to integrate the solution with other corporate systems to extend its capability, such as our ITSM. AlienVault is pretty feature-rich compared to other SIEM solutions, but those features are mostly good, not great. There is also a growing list of 3rd party integrations as well, which can make the solution even stronger. With that said, there are other SIEM solutions that offer more flexible deployment models, have more 3rd party integrations, and offer more extensibility in terms of holistically supporting the incident response process. Our organization has found AlienVault to work pretty well for us, as this is the first SIEM the business has deployed. Additionally, we are early on in the process of cybersecurity program development, so AlienVault's inclusion of features such as vulnerability scanning and file integrity monitoring extends its value.

Pros:
- Feature-rich: includes functionality not typically present in other SIEMs, such as vulnerability scanning, UEBA, file integrity monitoring and NIDS.
- Simple to configure and deploy.
- Relatively inexpensive compared to other enterprise SIEM solutions.

Cons:
- While there are many features, many of them are not very advanced. Vulnerability scanning, as an example, is extremely simplistic and almost unusable for an enterprise organization. It's just enough to get a program off the ground.
- Cloud-only deployment model (SaaS) may not fit all organizations. Not all organizations are "cloud friendly".
- Reporting capabilities out of the box are lackluster. Vulnerability management reporting, as an example, does not include a single canned report.

Rating: 7/10

Alternatives considered: LogRhythm NextGen SIEM Platform, SolarWinds Security Event Manager, Splunk Enterprise Security and IBM QRadar

On threat detection effectiveness: Like most situations, you get out what you put in. AlienVault is not going to filter up to every malicious activity occurring in an environment right out of the box. There is plenty of work to be done to get log sources ingested in a prioritized manner, to get basic rules tuned, and to integrate it with other solutions, where it makes sense. This maturity can take years to put in place in many cases. Once AlienVault USM is set up and tuned properly and has all log sources ingested, it is very good at finding things in an environment. It requires constant maintenance moving forward, however, to ensure that as tech landscapes change, the alarm rules are properly configured and new ones are added.

On reducing detection workload: Our organization has achieved this benefit. We send all security-related log sources to AlienVault, to include our corporate antivirus solution, DNS security solution, Windows logs, etc.
Having all of this information in a single platform offers the ability to search through disparate logs while investigating an event. The simplicity of doing this in a single platform is significant. Also, as we configure and deploy more advanced alarm or event rules, the solution becomes even more valuable in this way. Once again, it's all about the time and energy that you invest in building the solution to be as effective as it can be in your environment.

Review: AlienVault USM Anywhere - Cost effective SIEM-as-a-service

Use case: AlienVault USM Anywhere provides us with SIEM, at a low price point and with a great array of functionality. SIEM is critical to our security operations and feeds incident response efforts. We use it to monitor logs and events from our applications and server platforms, integrating many of our other security products into the flow of data into USM Anywhere, for centralized logging and event management.

Pros:
- AlienVault USM Anywhere is easy to deploy with their cloud-based model, and deploying the required agents on-prem (or in the cloud) is quick and easy.
- Custom rules allow for alerting based on content from events, and you can even trigger agents in response to threats, shutting down computers or grabbing forensic info for incident response.
- USM Anywhere also takes care of reporting for ISO and PCI, allowing you to pull reports for auditors at a moment's notice.
- With many integrations out-of-the-box, you can pull in all the data from products you use and other sources, such as Amazon CloudWatch Logs.

Cons:
- We would love to be able to create custom rules based on a series of events, to create rule-sets where, for example, failed logins to the VPN server are logged and then, when a successful attempt follows soon after, it triggers an alarm for a brute force. It does this for things like Okta already, so control over which events this applies to would be great.
- More data tiers: something between the 250GB and 500GB tiers, maybe break it down into 100GB tiers?
- Integration with OpsGenie would be great.

Rating: 10/10

Alternatives considered: Alert Logic Cloud Insight and CloudPassage Halo

On threat detection effectiveness: We have found OTX to be a valuable source, and the tight integration with USM really helps eliminate false positives. Being able to submit your own information into OTX also adds value and helps put context on threats. We sometimes find IP addresses can be out of date in OTX and linked to old threats, but it's good to see the history of what has occurred on an IP, and you can go back and look for historical indicators of compromise in your data.

On reducing detection workload: With a security team of 2, we are able to manage the events from hundreds of sources and tens of applications on a daily basis and quickly filter out the noisy alerts and focus on the real events that pose a threat to us. USM Anywhere allows for quick and intuitive configuration, and the daily activities don't feel like a chore and are simple to perform.

Review: A tool with great short and long term return on investment

Use case: We use the USM Anywhere SIEM for our corporate security program currently, separate from our application security team in charge of the cloud environments our SaaS offering is hosted on. This solves the compliance and security issues we face as an organization for forensically sound log storage as well as data aggregation for correlation.

Pros: The integration setup for syslog forwarding and native web apps partnered with the platform is very simple. Deploying sensors in cloud systems usually follows a pre-defined build flow for ease of sensor deployments and scaling. For perimeter defense, as long as your defended organizational structure uses Active Directory or another LDAP replication type service, vuln scanning and NIDS is a breeze.

Cons: For highly distributed workforce issues, the system requires a lot of third-party integrations to collect data for automation. Customization can be lacking in areas without significant help from their support teams.
Building rules for filtering, suppression, and custom alarms can be a steep learning curve, although this is slightly offset by their training offerings.

Rating: 9/10

Alternatives considered: Rapid7 InsightOps, InsightIDR and Splunk Cloud

On threat detection effectiveness: The USM system is built with certain data ingress engines that work really well to identify and correlate suspicious activity. Since the company runs a threat intelligence feed in the form of the Open Threat Exchange, the IOCs they detect and report on are then built into the detection engine to give solid threat data. This can create a large amount of false positives during initial deployment, depending on your environment, but the majority of noise can be effectively suppressed with their rule creation wizard, which automatically brings in the fields on an alarm or event.

On reducing detection workload: We have seen a return on investment for workflow efficiency in a dramatic sense. Prior to USM, individual security systems needed to be reviewed in a stand-alone format, which can provide cracks for attackers to slip through during an exploit event. USM creates a relative single pane of glass for many of these tools and correlates event data between multiple sources to detect deeper malicious activity. This can be said for many SIEM products though, and as such, a SIEM in any way will create a large return on investment when dealing with multiple security tools and log event sources.

Review: USM SaaS implementation for AWS and Linux instances

Use case: We use AlienVault USM across our entire organization, which includes 5 separate SaaS products. At a basic level, we use the core/default functionality of AlienVault to watch our AWS account. Beyond that, we use it to collect and analyze logs for suspicious activity. The ability to track and respond to suspicious events and document them completely is super key to our organization. The reporting functionality is key in allowing me to demonstrate our processes over time to show we watch and respond to alerts.

Pros:
- Log analysis, both syslog and AWS CloudTrail, and searchability/reporting is actually better than most of our other related tools: all of our systems send log information using rsyslog to our AlienVault USM system. AlienVault is able to alert us of many issues with minimal configuration, including adding/removing users to sensitive groups, or creating or removing resources such as EBS volumes, S3 buckets, or security groups.
- AWS load balancer traffic/log analysis: AlienVault automatically identifies threatening IPs or entries that match suspicious traffic patterns.
- The ability to search the many logs AlienVault collects in a way that even novice users can follow is super valuable. Logs can be quickly sorted by source, log type, and/or keyword searches. There have been many occasions where we were able to find non-security related issues due to the simple yet advanced search abilities of AlienVault. This has led to the challenge of deciding when and how long to allow non-security personnel access for troubleshooting.

Cons:
- AlienVault's lack of support for Docker may be its undoing at my company. It clearly stands above other products that fit our company, but we are adopting Docker at an ever-increasing rate. I don't want to support multiple security products, so it would be super cool if a solution to this challenge were found quickly.
- Enriching data is super key to allowing us to set up alerts for and filter events. This process is rather painful. This significantly increases the cost of maintaining AlienVault. Specifically, several auditd and standard AWS logs do not allow me to filter based on keywords in the message.
Here is one example:

User: arn:aws:sts::2#########:assumed-role/qe-lambda-role/qe-batch-run-dev-frontend_batch_runner is not authorized to perform: logs:CreateLogStream on resource: arn:aws:logs:us-east-1:#########:log-group:/aws/lambda/qe-batch-run-dev-frontend_batch_runner:log-stream:2019/05/30/[$LATEST]########################

- The ability to configure AlienVault to run security scans using SSH on systems is prohibitively difficult to use, especially when using a bastion.
- Making OSSIM work is a huge pain. I could not find AlienVault documentation that covers how things work and how to properly integrate it.

Rating: 9/10

Alternatives considered: Qualys Cloud Platform (formerly Qualysguard), Snyk, AWS Config and AWS Cloud9

On threat detection effectiveness: AWS Inspector is a product that does very well against AlienVault for doing system level scans. It is also very expensive and cannot be customized at all. Pen testing is not something that AlienVault does, and I'm assuming that is intentional. Network IDS isn't integrated into AlienVault, or is very basic. I am assuming the plan would be to implement something like Tripwire and have logs from that system sent to AlienVault. Obviously, we would like it to do absolutely everything and do it very well :) That said, I highly doubt that is an option. If this can be done, please don't let me slow you down.

On reducing detection workload: Yes, we have achieved this. Once set up, ensuring all of our systems are logging to AlienVault is very simple. Native system tools and AWS tools work easily, which simplifies the integration of all of our AWS systems with AlienVault. I am able to hand off much of the daily care and feeding of AlienVault to more junior members of my team with minimal effort. If we experience turnover, it is equally simple to bring new team members online.

Review: AlienVault USM: better than expected and a convenient way to maintain security compliance

Use case: We use AlienVault USM to monitor and secure our AWS, Azure, and Office 365 environments. The primary use of the product is to maintain PCI compliance. The various PCI reports save a significant amount of time each year during our security audits. We use it to collect logs from Windows, Linux, and cloud environments into one convenient location.

Pros: The integrations are very end-user friendly. The user interface is fairly intuitive. The PCI reports are extremely time-saving. The cross-platform compatibility makes hybrid environment management much easier.

Cons: The "Agent" has caused many problems in our environment. The AlienVault server seems to get overwhelmed quickly and could use an option for greater scaling for larger installations. The documentation is often lacking on details. The documentation often covers what specific steps to take but does not cover why or how certain items work. The user interface is missing many features for bulk/large-scale operations, such as the ability to close more than one page of alarms at once. The "report false positive" does not provide a way to easily remove items, so they still show up in audits. There is no way to reconfigure many checks to avoid false positives. The system lacks transparency for many security or infrastructure operations.

Rating: 7/10

On threat detection effectiveness: The ability to integrate logging from AWS, Azure, Office 365 and more has been extremely helpful. It allows me to see active security issues in multiple environments and tell if there is a correlation between any events. AlienVault is crucial in actively alerting me to issues regarding possible security breaches. The software can, in some cases, over-report. However, that is more a symptom of configuration than an issue with the product.

On reducing detection workload: By integrating logs from multiple environments, automatically generating reports, and automatically generating alerts, the software has saved me considerable time in detecting threats.
In many cases, it lacks the ability to customize detection or integrations, but thankfully for standard "threat detection" the software seems to work better than expected.

Review: AlienVault Is a Success

Use case: AlienVault is being used by the Security Team to see all host and network traffic. This real-time SIEM is tuned to give us alarms we actually need to look at on a daily basis. This addresses anything from malware to network, system and email breaches.

Pros:
- Deployment with the sensors for USM Anywhere.
- Support
- Responsive UI
- Alien Apps

Cons:
- Agents offline
- Easier agent deployment on host.
- Quicker response from engineers, and not just sending engineers a document for the fix.

Rating: 9/10

Alternatives considered: Sophos Intercept X and Darktrace

On threat detection effectiveness: We had a lot of false positives at first; once we tuned it to get real-time alarms, this is a great tool to have. We get threat intelligence from multiple systems we run for our organization.

On reducing detection workload: It took some time to tune it how we wanted to; it sees a ton of traffic, so we needed to gather together as a team to do some cleanup for about 2 months. Once this was done, we are very happy with what AV shows the Security team on a daily basis. It is a low maintenance product now.

Review: USM Anywhere does what it says.

Use case: AlienVault USM is being used to aggregate, inspect, and correlate both Windows/Linux logs and our data center network traffic. It is used exclusively by the SOC team for threat hunting and EDR.

Pros: VMware sensor deployment is very easy. Dashboards are nice and clean. Network monitoring and syslog collector just work.

Cons: USM Anywhere does not support NetFlow or any variation. SPAN and RSPAN are currently the only methods to monitor IP flows. USM Anywhere tech support is lackluster. I have opened two tickets and struggled to receive knowledgeable technical assistance. USM Anywhere does not do scheduled report delivery in any format. Reports are run on demand and must be printed to PDF for distribution.

Rating: 7/10

Alternatives considered: Splunk Enterprise Security

On threat detection effectiveness: I started receiving actionable event and alarm data immediately upon deployment of my first sensor and a few agents. Root cause analysis is simplified by being able to drill down into alarms and associated events.

On reducing detection workload: AlienVault USM was able to provide the monitoring necessary to reduce the amount of time needed to identify a security threat and figure out root cause analysis. Analysts are spending less time threat hunting and more time recommending remediation steps.

Review: AlienVault USM - a single solution in a complex world

Use case: Globally as a SIEM/FIM solution.

Pros: FIM with limits. Vulnerability scans (with agents installed as opposed to "NXlog"). Dashboards.

Cons: Need to be able to comment on issues flagged by AlienVault so that other users may know what has been done for triage. Single pane of glass: need to have a shared dashboard that is customizable.

Rating: 5/10

Alternatives considered: Qualys Policy Compliance (PC), Imperva CDN (formerly Incapsula), Alert Logic Log Correlation and Analysis, Rapid7 Nexpose, Alert Logic Network Threat Detection, Rapid7 InsightOps and Fidelis Elevate

On threat detection effectiveness: I believe so; you don't know what you don't know, of course, but it appears to be a good solution for our needs.

Review: AlienVault USM gives more visibility than I have ever had in one pane of glass.

Use case: AlienVault is deployed across the corporate infrastructure to centrally manage security logs on all servers via the agent. Sensors are deployed in the corporate network to monitor and scan workstations and servers for vulnerabilities and perform discovery scans for new systems on the network. The firewalls also supply syslogs to the sensors. Office 365 is monitored via an Azure sensor, along with Azure infrastructure. Production systems are monitored using agents and a sensor.

Pros:
- Effective correlation of various log sources to provide useful alerts.
- An agent provides detailed logs of events on every system, be it Windows, Linux, or macOS, to the point that you do not have to log in to each machine to review security logs.
- Provides auto detection of log sources and effective mapping of the log data to key fields.
- Pre-built alerts allow AlienVault to be effective right away. There's no need to spend days creating alerts for it to be usable.
- Has powerful search capabilities once the logs are in AlienVault.
- Has the ability to run queries on agent systems based on an alert trigger (e.g. list of logged-on users).

Cons:
- The biggest challenge is the deployment of the agent. It requires logging onto each system and running the install script manually. You need a GPO or a scriptable way to push the agent.
- We would like the ability to limit access to specific sensors for users that have been given access to AlienVault. Currently, if an analyst has access to AlienVault, they can see all data sources and logs.
- We saw a lot of false positive results in the beginning, requiring a bit of tuning to suppress some rules.
- There's no ability to suppress vulnerabilities identified in the vulnerability scanning component.

Rating: 9/10

On threat detection effectiveness: AlienVault is very effective in detecting O365 logins from multiple regions for the same users, allowing us to detect compromised accounts. The integrations with Palo Alto FWs allow the detection of users connecting to known C&C addresses.

On reducing detection workload: AlienVault has given us great visibility into security threats in O365, on servers, workstations, and FWs, all using one pane of glass, without having to manually collect threat intelligence and maintain on-premise hardware. We see user AD account and group changes, we see when someone modifies a configuration on a firewall, and if someone launches an attack against an FW using an exploit. I am surprised by all the details I was missing before we deployed AlienVault USM.

Review: AlienVault gives you eyes without the extra bodies :)

Use case: AlienVault was selected as our SIEM solution to provide cutting-edge monitoring, analytics and alerting, and it has the added benefit of being able to conduct vulnerability assessments and provide endpoint detection and response. There is a lot of noise when deploying any SIEM solution, but AlienVault is unique in that it can be effective practically right out of the box, and anything required beyond that is satisfied by their great support team and available training. I have found that USM Anywhere can fill a critical gap in your security program, and I would recommend it for small, medium, and large businesses.

Pros:
- Anomaly Detection and Identification
- Digital Forensics/Incident Response
- Log Correlation and Built-in Attack Signatures
- Cloud Security Monitoring

Cons: Would be nice to have better error messaging, specifically around credential failures.

Rating: 8/10

On threat detection effectiveness: Due to the predefined correlation and orchestration rules, baked-in dashboards and reports, I would say it is a leader in providing effective threat detection and ROI within a very short period after deployment, from my experience.

On reducing detection workload: In our situation, USM Anywhere was put in place to allow for extra analysis and intelligence without additional analyst resources. USM Anywhere has accomplished this.

Review: AlienVault USM... making sense

Use case: The USM is being used by the IT department as a SIEM, giving our organization a 360 view of what's going on in the network infrastructure, and more focus on the critical infrastructures which have been plugged in to send all their log activities. The AlienVault USM has made it simple by the creation of plugins, which makes it easier to express the logs in simple expressions for easy understanding.

Pros: Large plugin base to accommodate different devices. Easy to deploy. Easy management.
Makes network monitoring and actionable steps clear and simple.

Cons: Updating the appliance to a newer version. More control over which devices will be allowed to log into a database and which ones should just appear, so that the database will not get filled up quickly.

Rating: 8/10

Alternatives considered: IBM QRadar

On threat detection effectiveness: AlienVault helps in:
- Threat insight through OTX.
- Network Intrusion Detection System.
- Host Based Intrusion Detection Solution.
- AlienVault gives the ability to monitor up to 5 public IPs, which we use in knowing the hit trends to our network.
- The deployment steps are direct and easy.

On reducing detection workload: Our organization has benefited from this. Before now, we were managing a number of appliances, going from one to another, checking and interpreting the different logs and looking for scripts to read those logs, which was really making our threat intelligence and detection process slow and tiring, but AlienVault USM has made it easy to configure and get those logs. The plugins from this USM express it in a way we understand, so there's no need for looking for and writing scripts. All these are easily displayed on the dashboard for us to act on.

Review: A very positive step towards keeping our network secure!

Use case: We use AlienVault USM across our entire organization. It was purchased to help us improve our ability to respond to cyber security threats by keeping up with patching and tracking down vulnerabilities on our network. We took these steps after paying to have penetration testing done on our network.

Pros: AlienVault USM helps our IT staff stay on top of patches. AlienVault USM makes it easier for our IT staff to track down vulnerabilities. AlienVault USM provides steps to correct any vulnerabilities that may arise. AlienVault's staff were very helpful in setting up their product on our network. There was plenty of opportunity for training.

Cons: AlienVault USM can be cumbersome for a small IT staff to manage. We still use AlienVault USM but now pay a third party to help us manage it.

Rating: 8/10

Alternatives considered: Splunk Enterprise Security and Fortinet FortiGate

On threat detection effectiveness: AlienVault USM is much more comprehensive than other security technology that we had previously used. It allows us to stay up to date on important preventative measures for keeping our network safe and provides detailed directions for addressing issues.

On reducing detection workload: I wouldn't say that AlienVault USM reduced the amount of work needed to detect security threats for us. It just brought things to light that may have been overlooked in the past. Our IT staff eventually determined that using a third party to manage AlienVault USM for us was the best way to use it effectively.

Review: AlienVault is wonderful

Use case: AlienVault USM Anywhere is being used across the entire organization, for full network monitoring of all systems including election systems. We also are using AlienVault in our Azure environment for monitoring of applications and virtual machines that are housed in the cloud. This is through firewall logs and the AlienVault agents.

Pros:
- Normalization of logs that it receives
- Known threat alerts
- Amount of data it keeps track of

Cons:
- Easier connection with the Cisco Umbrella system
- Better systems integrations
- Simpler log clean-ups and alerts

Rating: 10/10

On reducing detection workload: With AlienVault USM Anywhere, we have been able to perform our daily duties quicker and more precisely than we could before. We are able to act upon threats quicker and know where they are coming from. This has reduced downtime and service times all around the office.

Review: Accurate, easy to setup, no maintenance required, but UI needs to improve.

Use case: USM is being used for our whole organization. It is deployed via sensors in various regions to capture in/out data for monitoring potential risk. We use USM as a central logger and analysis system, also collecting data from firewall/VPN, Office365, CrowdStrike and others. It's convenient to integrate various plugins for gathering data/alerts from different clouds/platforms.
The whole system setup is pretty straightforward and not difficult to use.

Pros: Risk analysis is accurate. Cloud-based rule update means less hassle. Integrated plugins help centralize logs/alerts into one system. Filter/suppress rules are very easy to set. Easy to fit to our current traffic pattern.

Cons: It's a pain to check each individual alert for detail; I wish there was a popup window or something similar to quickly go through each unusual alert. The UI seems not that efficient, and a little bit slow in my opinion. I wish we had a Kibana-like quick search criteria change function: click and go.

Rating: 8/10

On threat detection effectiveness: We also deploy Suricata + Kibana + ES alongside a USM sensor. Both act pretty much the same. USM does have the advantage of stacking or reducing duplicated alerts. We found lots of coin miner programs via USM. That helps a lot. We also fixed some configuration issues based on various attack attempts detected on USM.

On reducing detection workload: By deploying the sensor in each different region/cloud, we gained good coverage with less effort on setup and configuration. We saved lots of labor, for most situations. USM is good enough to monitor and detect potential risks. As I stated before, USM did a good job on rules management/update. This saves lots of time and is much more effective for the customer.

Review: AlienVault USM from the perspective of a non-security IT department

Use case: AlienVault USM is being used by the IT department for its vulnerability scanning, intrusion detection, and event correlation. It's a fairly new product for us and we're still getting acclimated to it, but so far it's been very useful in giving us greater visibility into our environment.

Pros: Vulnerability assessment is very good, especially with the software on servers and workstations. Event correlation has helped tremendously by centralizing all the data into one feed that we can filter easily. Support, training, and implementation were top notch. Very helpful people who answered questions clearly and concisely.

Cons: For a company that is on the smaller side as far as the number of employees and computer systems, the storage available in our tier could get eaten up quite quickly. It wasn't that easy for us to know where to go from a storage tier startup standpoint.

Rating: 9/10

Alternatives considered: Rapid7 InsightOps

On threat detection effectiveness: AlienVault USM is the first security technology that we have used in any sort of formal way here, so I can't really compare it to any other products that were used in a production environment. That being said, the very next day following implementation, AlienVault USM alerted me to an attempted breach of one of our systems. So in my mind that says quite a bit about its effectiveness. I would hope other products would be as good, but I know that AlienVault USM is.

On reducing detection workload: So far I would say we haven't had a reduction in the amount of work, but that is mostly because of the learning curve, and because the time that is available to actually get the AlienVault USM platform set up for our environment is being superseded by other non-security IT projects and daily support issues.

Review: Pretty good at what it does, but could be improved.

Use case: We use AlienVault USM to satisfy PCI DSS requirements, namely event logging and audit, change audit, and intrusion prevention services.

Pros: Lots of built-in, out-of-the-box functionality. Easily satisfies several PCI DSS requirements. Event logging is easy to navigate and presented well.

Cons: Initial setup is quite tedious. Network setup for IDS caused us to bring our network down a couple of times. Reports aren't very good.

Rating: 8/10

On threat detection effectiveness: It's pretty good at detecting threats, although there have been quite a few false positives that we've had to go and whitelist. For example, some of the agents on the DC are extremely noisy, filling our storage with mundane event logs.

On reducing detection workload: AlienVault USM has achieved this by consolidating a bunch of different tools into one tool.
We no longer need to maintain 6-7 different tools to meet our PCI DSS requirements.

Review: AlienVault proved itself after one day.

Use case: Currently it's only being used by the IT department to identify suspicious network activity, which we did not monitor prior to implementing AlienVault. One day after implementing AlienVault, we were notified of a bitcoin miner on our FTP site. Sure enough, when I logged into that machine and ran a malware scan, it picked up a bitcoin miner.

Pros: Report suspicious network activity. Display all threats in a nice dashboard. Notify me of what other people have encountered with "Pulses".

Cons: Make initial setup easier. Make their certification test not so ridiculously tedious, with oddly specific questions. Provide better remediation steps.

Rating: 7/10

Alternatives considered: AT&T Threat Intellect

On threat detection effectiveness: As I mentioned earlier, we had only one day go by and AlienVault detected a bitcoin miner on my FTP server. This thing could have been running indefinitely had AlienVault not notified us of the suspicious activity. We are at a point now where we really need all the help we can get to manage these threats. AlienVault did that for us after one day.

On reducing detection workload: It has, after only one day, when it detected a bitcoin miner. I look forward to checking AlienVault's dashboard every day to see what it finds.

Review: Alien Vault USM goods and not so goods

Use case: We are 200 employees strong and have a presence in 5 states. We utilize AlienVault (AV) across our entire MPLS network. It addresses the issue of visibility of our servers and workstations to analyze potential threats, and less common issues with auditing we wouldn't otherwise catch but which can cause major issues if not resolved.

Pros: AlienVault is very customizable. We can set up many built-in rules and alerts, which saves time, but it can also be extremely granular to properly scan our unique network. Great technical support. When I need assistance setting up a new sensor or target scan, AlienVault engineers are there to assist and get me on track.

Cons: Although the interface shows a lot of development and thought put into it, there are some buggy issues at times with simple form submission and web navigation. Initially setting up AlienVault in our environment was challenging, and there was a lack of support around the "hardware level", meaning our VMware environment.

Rating: 7/10

Alternatives considered: SolarWinds Kiwi Syslog Server

On threat detection effectiveness: Other security measures like antivirus only find malicious threats after they have infected one or multiple computers. AlienVault's real-time scanning can detect these threats as they are attempting to propagate through my network.

On reducing detection workload: The tool does provide a much needed layer of security we didn't previously have, but I would say it is still missing the mark on reducing the amount of work needed to operate the tool and get the most out of it. I would have to hire a full-time resource or outsource the job to a 3rd party to really get the full benefit of my subscription.

Review: AlienVault OSSIM SaaS Review

Use case: This is currently being used across our corporate environment to help monitor our firewalls that process all associate traffic, Active Directory, O365, etc. This product has helped us to gain more visibility into the traffic that is being sent across our network and helps identify threats quicker. Currently, the Security department is in charge of all that is AlienVault, and has given read access to a few neighboring departments.

Pros: Ability to tune alarms and events to your liking. Very easy to get rid of false positives that are known in your environment, and create actionable alerts for legitimate alerts. The simplicity of the dashboard. Everything within AlienVault USM Anywhere is easy to navigate and configure. From sorting logs to creating new users, the layout is natural and easy to figure out. The architecture of the SaaS deployment went smoothly and is very simple and expandable.
Very little to worry about on our side with great results.,Support response time and incident handling have some room to improve. We had major issues with a sensor, and it took several days to get a response. Once we got a response the issue was corrected, it just took a while to get our engineer on the phone. Small bugs in the way that the syslog packets are read and normalized. Reading the time in the packet wrong has been the biggest issue we have found so far that is without a solution. Complicated Architecture to fully use the product. Requiring port mirroring to use the IDS portion of Alienvault is quite challenging when dealing with a large network size and diverse locations such as ours.,8,Exabeam Security Intelligence Platform,The OTX platform has proven to be instrumental in identifying threats in our environment quickly and accurately. The ability to correlate login events to known malicious hosts, and generate actionable alerts has been the most utilized feature and generated the most actionable alerts. We did not get far enough into testing Exabeam to determine how their product handled these types of identifications, but I am quite impressed with Alienvault's solution.,After the initial tuning of the platform, this has most definitely saved us time in identifying incidents and allowed us to have most of our logs in one place. The ability to tie all of our logs together and use AlienVault USM Anywhere to correlate these together and identify threats within our environment has been greatly appreciated.Things to think aboutIt is being used by the IT department for internal vulnerability scans and log collection. It also plays a role in providing information to our internal and external auditors.,It is good at doing internal scans of end-user devices to find vulnerabilities without the need of installing an agent or client on each device. It is good at being a log server. 
A place to send logs for all of your networking devices, such as switches, firewalls, and other solutions that accept log servers.,Its ability to collect logs from Barracuda solutions needs heavy improvement. How it collects and organizes the data isn't very useful. The end device client, which is optional, and can be installed on any device you want to collect more data from, has compatibility issues with quite a few products we use, and anti-virus software in-particular doesn't like it. We have also had some performance issues with devices the client is installed on. The way collected data from all devices and locations is presented to the user in the web portal is not as user-friendly or as clean as it could be. It tends to show too much useless data and too many categories, making it easy to miss the important parts.,6,PRTG Network Monitor, Lansweeper and Netwrix Auditor,AlienVault is a good product for detecting vulnerabilities, but does not replace our other solutions. For instance, our firewall solutions do a much better job at logging and providing real-time alerts of issue and attacks. Our SAL monitoring solutions provide uptime and performance that is outside the scope of features for AlienVault.,AlienVault does help reduce the amount of time in searching logs or gathering data for reports. If you take the time, up front, to correctly set up email alerts, it will provide your organization a good method of responding quickly to security threats.No matter how vast your environment is, AlienVault USM can make you feel like home in.I love that it integrates with everything and at different levels. I wish ISO27k was implemented as PCI-DSS for the "Compliance-scoped assets", but so far I love the product. It's the best of both worlds - having opensource stuff as well as support.,AWS integration. Google integration. Asset grouping. 
Incident-automation with ServiceNow.,Knowing software versions and asset information, we should be able to know the vulnerabilities as they come out without having to rescan the inventory. A rescan could be done to validate the info is still true (about versions and stuff), but instead of va-scan being the vulnerability "informer", you could check when a new vulnerability comes out - if we had this software/service configured somewhere. Malware protection? I'm honestly not sure as there's not a lot that AlienVault doesn't do :),9,,It's easy to deploy. The dashboards accurately represent the risk and attack vector.,Right now, we are still implementing it but I can see it'll reduce my amount of work very soon! We detected a few weird security events already with it and we're not that far into deployment.So far so goodCurrently, we use it for all of our log shipping. Also, we use the port mirror function for all of our network traffic.,Vulnerability lists. Log storage. Integrations.,Tech support. Releasing unstable agents. Did I mention support?,7,,Between AlienVault and our antivirus software, we have a solid foundation.,Other than adding the service to the VM we really didn't have to do much setup.AlienVault is pretty dopeWe are using AlienVault as a SIEM, Log Manager, FIM, and Vulnerablility Management tool. It is used across the whole organization. We need to be HIPAA compliant, so it addresses the need for a log manager, vulnerability scanner, policy report generator, and FIM.,log management vulnerability management correlation alerts,Policy Reports,8,Qualys Cloud Platform (formerly Qualysguard) and Alert Logic Log Correlation and Analysis,AlienVault is very effective at finding and remediating vulnerabilities. Finding the needed patch or needed changes are now much easier.,Not currently, but hopefully once our infrastructure is implemented and will stay consistent.,No,We did not,Price Product Features Product Usability,I wouldn'tAlienVault. 
Not just a cool product name, but it keeps you safe too!AlienVault was selected and implemented on our network to support our needs for proactive notifications, monitoring and response to threat detections. We wanted the ability to put all of our on-premise and cloud presence on a simple to use, one-stop shop platform for ease of monitoring and response. This system is used throughout our IT department and to support our compliance against HIPAA and overall IT Security.,AlienVault USM Anywhere has very strong documentation. They really do not try to push professional services but really offer you the opportunity to try and buy the product and work through the documentation to implement on your network. AlienVault USM's dashboard is easy to use, highly customizable and quick to report (without issues) any of the parameters you set up. The dashboard is intuitive and responsive! AlienVault USM Anywhere is easy to scale and deploy. Its soft license platform allows you to deploy additional agents and secure elements of your network at close to a moment's notice!,AlienVault's Dashboard is very strong but does take some time getting used to and customizing. The reporting functions and proactive reporting is a great tool but takes plenty of time to learn and get right. It could be difficult but if there was some out of the box wizard engine that could get some reports up and running fast it would be helpful. It would be great to see the USM product compare against other similar environments or industry benchmarks to notify us even if we do not have the threat to our network. It would be a huge value added to understand how, why and where other networks that are part of the USM family are hit. Access to the cold storage of logs for AlienVault is a bit confusing. It would be a huge addition if we could dump all the logs locally and have an easier searching tool for such logs. 
It seems it is not just AlienVault but most companies now want them to use their storage, not local.,9,Cisco IPS Sensor,AlienVault USM has been instrumental in detecting real security threats to our environment. The important thing is to ensure you set up the agents properly and categorize the assets properly for it to report and scan on. We have avoided multiple external incidents due to the protection, responsiveness and auto-quarantine mechanisms it has in place.,Not only was there a large ROI on reducing the amount of work needed to detect security threats once you set the system up properly and configure the dashboard to display the information you need, but the system also does most the work for you. The amount of time sifting logs and identifying issues and fix actions is significantly reduced. It not only brings a reprieve to threat detection but it also reduces administrative overhead. The key is really putting in the effort to make the dashboard work for you and understanding the proper thresholds, triggers, and proactive notifications.USM Anywhere, the easy SIEM.USM is the SIEM used to collect data across the entire environment, that data is used to report to the QSA for PCI compliance. It has greatly helped find problems as well as streamline our PCI compliance reporting. What was once very manual and time consuming is not simply pulling reports.,Find security issues such as malware. PCI compliance reporting. Deep dive into various issues in the environment.,UI could be streamlined some.,9,LogRhythm NextGen SIEM Platform and SolarWinds Log & Event Manager,We catch at least once malware event each week.,It simply does it's job, it finds things and lets us know we need to remediate.
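The complaint above about syslog timestamps being read wrong has a concrete root cause that is worth seeing in code: classic RFC 3164 (BSD) syslog headers carry neither a year nor a timezone, so a collector has to assume both, and a wrong timezone assumption silently shifts every event by hours. The parser below is an added example written for this page, not AlienVault's normalization code; the two sample lines, the collector clock and the sender offset are constructed values.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample messages (not from the page). The first is RFC 3164
# (BSD syslog): no year, no timezone. The second is RFC 5424 with a full
# ISO 8601 timestamp and explicit UTC offset.
RFC3164_LINE = "<34>Jan  5 03:14:07 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9"
RFC5424_LINE = "<34>1 2019-01-05T03:14:07-05:00 fw01 kernel - - - DROP SRC=203.0.113.9"

_RFC3164 = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2}) {1,2}(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (\S+) (.*)$")
_RFC5424 = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (.*)$")
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def parse_syslog_time(line, now, sender_tz):
    """Return (utc_datetime, assumed) for one syslog line.

    `now` is the collector's tz-aware clock; `sender_tz` is the offset the
    sender's clock is believed to run in (RFC 3164 does not carry it).
    `assumed` is True when year and timezone were inferred rather than read.
    """
    m = _RFC5424.match(line)
    if m:
        ts = datetime.fromisoformat(m.group(2))   # offset is in the message
        return ts.astimezone(timezone.utc), False
    m = _RFC3164.match(line)
    if not m:
        raise ValueError("unrecognised syslog header")
    mon = MONTHS[m.group(2)]
    day, hh, mm, ss = (int(m.group(i)) for i in (3, 4, 5, 6))
    # The year is missing: assume the current year in the sender's zone, and
    # if that lands the event in the future (a "Dec 31" line received on
    # Jan 1) roll back one year. Feb 29 across a rollback would raise here.
    local_now = now.astimezone(sender_tz)
    ts = datetime(local_now.year, mon, day, hh, mm, ss, tzinfo=sender_tz)
    if ts > local_now + timedelta(days=1):
        ts = ts.replace(year=local_now.year - 1)
    return ts.astimezone(timezone.utc), True


def normalize(line, now_iso, sender_offset_hours):
    """Convenience wrapper: ISO strings in, (utc_iso_string, assumed) out."""
    now = datetime.fromisoformat(now_iso)
    tz = timezone(timedelta(hours=sender_offset_hours))
    ts, assumed = parse_syslog_time(line, now, tz)
    return ts.isoformat(), assumed


if __name__ == "__main__":
    now = "2019-01-05T10:00:00+00:00"
    print(normalize(RFC5424_LINE, now, -5))   # offset read from the packet
    print(normalize(RFC3164_LINE, now, -5))   # sender assumed to be UTC-5
    print(normalize(RFC3164_LINE, now, 0))    # same packet, wrong assumption: 5h off
```

Running the last two lines against each other shows the failure mode: the same RFC 3164 packet normalizes to two UTC times five hours apart depending only on the collector's assumption, which is why a per-sender timezone setting, or moving senders to RFC 5424 timestamps, is the fix rather than anything in the correlation rules.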
AlienVault USM
458 Ratings
Score 8.1 out of 10 (trScore)
AlienVault USM Reviews
TrustRadius Top Rated for 2019
Reviews (1-25 of 287)
Frank DePaola
July 19, 2019

Review: "AlienVault USM - A Solid Tool to Launch Your SecOps Program"

Score 7 out of 10
Vetted Review, Verified User
AlienVault is a great SIEM for organizations who are either new to security operational logging, and wish to purchase a sound solution at a lower price point, or those with a smaller staff and potentially IT budget that wishes to buy a solution that can accomplish many different tasks. Our use of the platform extends across the global organization. We have documented multiple use cases that we are working through within the AlienVault platform such as vulnerability management and scanning, malware detection on clients and servers, malicious network traffic moving laterally and vertically throughout our environment, etc. As is the case with any SIEM, they are only as effective as the log sources that they ingest allow them to be. We are pulling in Windows client and server event logs (filtered to specific EventIDs), DNS, DHCP, AWS CloudTrail/CloudWatch logs, NIDS sensor logs, firewall logs, and are also working to integrate the solution with other corporate systems to extend its capability, such as our ITSM. AlienVault is pretty feature-rich compared to other SIEM solutions, but those features are mostly good, not great. There is also a growing list of 3rd party integrations as well, which can make the solution even stronger. With that said, there are other SIEM solutions that offer more flexible deployment models, have more 3rd party integrations, and offer more extensibility in terms of holistically supporting the incident response process. Our organization has found AlienVault to work pretty well for us, as this is the first SIEM the business has deployed. Additionally, we are early on in the process of cybersecurity program development, so AlienVault's inclusion of features such as vulnerability scanning and file integrity monitoring extend its value.
  • Feature-rich: includes functionality not typically present in other SIEMs, such as vulnerability scanning, UEBA, file integrity monitoring, NIDS
  • Simple to configure and deploy.
  • Relatively inexpensive compared to other enterprise SIEM solutions.
  • While there are many features, many of them are not very advanced. Vulnerability scanning as an example is extremely simplistic and almost unusable for an enterprise organization. It's just enough to get a program off the ground.
  • Cloud-only deployment model (SaaS) may not fit all organizations. Not all organizations are "cloud friendly".
  • Reporting capabilities out of the box are lackluster. Vulnerability management reporting as an example does not include a single canned report.
AlienVault USM is well suited for smaller organizations or organizations of any size that are just lifting their security operations or security monitoring program off the ground.

AlienVault USM is less appropriate for more mature organizations who have the staff to support more advanced security operational capabilities or engage in advanced threat hunting. Also, organizations who like more ability to add internally developed functionality into their SIEM through scripting or other automated response activities.
Like most situations, you get out what you put in. AlienVault is not going to filter up to every malicious activity occurring in an environment right out of the box. There is plenty of work to be done to get log sources ingested in a prioritized manner, to get basic rules tuned, and to integrate it with other solutions, where it makes sense. This maturity can take years to put in place in many cases. Once AlienVault USM is set up and tuned properly and has all log sources ingested, it is very good at finding things in an environment. It requires constant maintenance moving forward however to ensure that as tech landscapes change, the alarm rules are properly configured, and new ones are added.
Matthew White
July 16, 2019

Review: "AlienVault USM Anywhere - Cost effective SIEM-as-a-service"

Score 10 out of 10
Vetted Review, Verified User
AlienVault USM Anywhere provides us with SIEM, at a low price point and with a great array of functionality. SIEM is critical to our security operations and feeds incident response efforts. We use it to monitor logs and events from our applications and server platforms, integrating many of our other security products into the flow of data into USM Anywhere, for centralized logging and event management.
  • AlienVault USM Anywhere is easy to deploy with their cloud-based model and deploying the required agents on-prem (or in the cloud) is quick and easy.
  • Custom rules allow for alerting based on content from events and you can even trigger agents in response to threats, shutting down computers or grabbing forensic info for incident response.
  • USM Anywhere also takes care of reporting for ISO and PCI, allowing you to pull reports for auditors at a moment’s notice.
  • With many integrations out-of-the-box, you can pull in all the data from products you use and other sources, such as Amazon CloudWatch Logs.
  • We would love to be able to create custom rules based on a series of events, to create rule-sets where, for example, failed logins to the VPN Server are logged and then when a successful attempt follows soon after, it triggers an alarm for a Brute Force. It does this for things like OKTA already, so control over which events this applies to would be great.
  • More data tiers - something between 250GB and 500GB tiers, maybe break it down into 100GB tiers?
  • Integration with OpsGenie would be great.
AlienVault USM Anywhere is a great SIEM and if you need to deploy a SaaS solution then it is suited very well. It works very well for us being 100% AWS and integrates well with our toolset and AWS features. The AT&T Alien Labs Open Threat Intelligence (OTX) is perfect for providing context on events and feeding our incident response processes.
We have OTX to be a valuable source and the tight integration with USM really helps eliminate false positives. Being able to submit your own information into OTX also adds value and helps put context on threats. We sometimes find IP addresses can be out of date in OTX and linked to old threats, but it's good to see the history of what has occurred on this IP and you can go back and look for historical indicators of compromise in your data.
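The sequence rule the review above asks for (N failed VPN logins followed shortly by a success for the same account) is easy to state but has one subtlety: the failures must still be inside the time window when the success arrives, or the rule fires on unrelated events hours apart. The following is an added example written for this page, not AlienVault's rule engine; the VPN log format and the account names are constructed, and the events are assumed to arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed VPN authentication log lines (hypothetical format, not a real
# vendor's). alice: 5 failures then a success in 8 seconds; bob: one failure;
# carol: 5 failures, then a success 30 minutes later.
VPN_LOGS = [
    "2019-06-10T08:00:01Z vpn01 auth user=alice src=203.0.113.5 result=FAIL",
    "2019-06-10T08:00:03Z vpn01 auth user=alice src=203.0.113.5 result=FAIL",
    "2019-06-10T08:00:04Z vpn01 auth user=alice src=203.0.113.5 result=FAIL",
    "2019-06-10T08:00:06Z vpn01 auth user=alice src=203.0.113.5 result=FAIL",
    "2019-06-10T08:00:07Z vpn01 auth user=alice src=203.0.113.5 result=FAIL",
    "2019-06-10T08:00:09Z vpn01 auth user=alice src=203.0.113.5 result=OK",
    "2019-06-10T08:05:00Z vpn01 auth user=bob src=198.51.100.9 result=FAIL",
    "2019-06-10T08:05:30Z vpn01 auth user=bob src=198.51.100.9 result=OK",
    "2019-06-10T09:00:00Z vpn01 auth user=carol src=192.0.2.4 result=FAIL",
    "2019-06-10T09:00:01Z vpn01 auth user=carol src=192.0.2.4 result=FAIL",
    "2019-06-10T09:00:02Z vpn01 auth user=carol src=192.0.2.4 result=FAIL",
    "2019-06-10T09:00:03Z vpn01 auth user=carol src=192.0.2.4 result=FAIL",
    "2019-06-10T09:00:04Z vpn01 auth user=carol src=192.0.2.4 result=FAIL",
    "2019-06-10T09:30:00Z vpn01 auth user=carol src=192.0.2.4 result=OK",
]

LINE = re.compile(r"^(\S+) \S+ auth user=(\S+) src=(\S+) result=(\S+)$")


def parse(line):
    m = LINE.match(line)
    if not m:
        raise ValueError("unexpected log line: " + line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def brute_force_then_success(lines, threshold=5, window_seconds=600):
    """Sequence rule: at least `threshold` FAILs for one user within
    `window_seconds`, followed by an OK for that user while those failures
    are still inside the window. Returns one alarm per burst."""
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    alarms = []
    for line in lines:
        ts, user, src, result = parse(line)
        q = failures[user]
        # Expire failures that have aged out of the window before judging.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if result == "FAIL":
            q.append(ts)
        elif result == "OK" and len(q) >= threshold:
            alarms.append({"user": user, "src": src, "failures": len(q),
                           "success_at": ts.isoformat()})
            q.clear()   # do not re-alarm on the same burst
    return alarms


if __name__ == "__main__":
    for alarm in brute_force_then_success(VPN_LOGS):
        print(alarm)
```

With the default ten minute window only alice triggers: carol's success is outside the window, so her five failures have already been expired. Widening the window to an hour makes carol fire as well, which is the trade-off to tune per environment; a threshold of one would also catch bob, which is the kind of rule that generates the noise later reviews complain about.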
Forrest Berrey
June 19, 2019

AlienVault USM Review: "A tool with great short and long term return on investment"

Score 9 out of 10
Vetted Review, Verified User
We use the USM Anywhere SIEM for our corporate security program currently, separate from our application security team in charge of our cloud environments our SaaS offering is hosted on. This solves the compliance and security issues we face as an organization for forensically sound log storage as well as data aggregation for correlation.
  • The integration setup for syslog forwarding and native web apps partnered with the platform is a very simple setup.
  • Deploying sensors in cloud systems usually follow a pre-defined build flow for ease of sensor deployments and scaling.
  • For perimeter defense, as long as your defended organizational structure uses Active Directory or another LDAP replication type service, vuln scanning and KIDS is a breeze.
  • For highly distributed workforce issues, the system requires a lot of third-party integrations to collect data for automation.
  • Customization can be lacking in areas without significant help from their support teams.
  • Building rules for filtering, suppression, and custom alarms can be a steep learning curve, although this is slightly offset by their training offerings.
The system works very well for 'legacy' perimeter defense based networks that rely on centralized network traffic and remote management solutions for the internal networking and endpoint devices. For architectures adopting a zero-trust/BeyondCorp mentality, the system can still be useful but requires either investment in third-party tools to collect information otherwise unavailable to the system, or significant custom infrastructure tools to support many orchestration functionalities.
The USM system is built with certain data ingress engines that work really well to identify and correlate suspicious activity. Since the company runs a threat intelligence feed in the form of the Open Threat Exchange, the IOCs they detect and report on are then built into the detection engine to give solid threat data. This can create a large amount of false positive during initial deployment depending on your environment, but the majority of noise can be effectively suppressed with their rule creation wizard that automatically brings in the fields on an alarm or event.
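Two points in the reviews above go together: OTX indicators are matched against events to raise alarms (Forrest Berrey), and some of those indicator IPs are stale and tied to old threats, which is a source of false positives until suppressed (Matthew White). The code below is an added example written for this page, not AlienVault's detection engine: it matches constructed firewall log lines against a constructed indicator set, ranks hits by indicator age, and applies a suppression list of the kind a tuning rule would hold. The indicator values, pulse names and log format are all made up.

```python
import re
from datetime import datetime

# Constructed indicator set in the shape of threat-intel pulse entries
# (hypothetical values, not real OTX data). last_seen lets us down-rank
# indicators that have not been reported for a long time.
INDICATORS = {
    "198.51.100.23": {"pulse": "Example botnet C2 (constructed)", "last_seen": "2019-05-01"},
    "203.0.113.77":  {"pulse": "Old scanner list (constructed)",  "last_seen": "2017-02-10"},
}

# Constructed firewall syslog lines in key=value style.
FW_LOGS = [
    "2019-06-01T10:00:01Z fw01 action=allow src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2019-06-01T10:00:05Z fw01 action=allow src=10.0.0.8 dst=203.0.113.77 dport=22",
    "2019-06-01T10:00:09Z fw01 action=allow src=10.0.0.9 dst=93.184.216.34 dport=80",
    "2019-06-01T10:00:12Z fw01 action=deny  src=198.51.100.23 dst=10.0.0.5 dport=3389",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_fw_line(line):
    ts, host, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    fields["ts"], fields["host"] = ts, host
    return fields


def match_iocs(lines, indicators, now_iso, stale_after_days=365, suppress=()):
    """Return alarms for events whose src or dst IP is a known indicator.

    suppress: (src, dst) pairs tuned out as known-good in this environment.
    Hits on indicators not seen for more than stale_after_days are still
    reported (an old C2 can come back) but marked low priority for triage.
    """
    now = datetime.strptime(now_iso, "%Y-%m-%d")
    alarms = []
    for line in lines:
        ev = parse_fw_line(line)
        for side in ("src", "dst"):
            ioc = indicators.get(ev.get(side))
            if not ioc or (ev["src"], ev["dst"]) in suppress:
                continue
            age_days = (now - datetime.strptime(ioc["last_seen"], "%Y-%m-%d")).days
            alarms.append({
                "ts": ev["ts"],
                "matched": ev[side],
                "direction": "outbound" if side == "dst" else "inbound",
                "action": ev["action"],
                "pulse": ioc["pulse"],
                "priority": "low" if age_days > stale_after_days else "high",
            })
    return alarms


if __name__ == "__main__":
    for alarm in match_iocs(FW_LOGS, INDICATORS, "2019-06-01"):
        print(alarm)
    # The same run with the stale scanner hit tuned out for one internal host.
    print(len(match_iocs(FW_LOGS, INDICATORS, "2019-06-01",
                         suppress={("10.0.0.8", "203.0.113.77")})))
```

Direction matters for triage: an allowed outbound connection to a recent C2 indicator is the alarm to work first, while a denied inbound probe from the same address is confirmation the perimeter held. The suppression key here is the (src, dst) pair rather than the indicator alone, so tuning out one known-good flow does not blind the rule to the indicator elsewhere.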
John DeLay
May 31, 2019

AlienVault USM Review: "USM SaaS implementation for AWS and linux instances"

Score 9 out of 10
Vetted Review, Verified User
We use AlienVault USM across our entire organization, which includes 5 separate SaaS products. At a basic level, we use the core/default functionality of AlienVault to watch our AWS account. Beyond that, we use it to collect and analyze logs for suspicious activity. The ability to track and respond to suspicious events and document them completely is super key to our organization. The reporting functionality is key in allowing me to demonstrate our processes over time to show we watch and respond to alerts.
  • Log analysis, both syslog and AWS CloudTrail, and searchability/reporting is actually better than most of our other related tools: All of our systems send log information using rsyslog to our AlienVault USM system. AlienVault is able to alert us of many issues with minimal configuration, including adding/removing users to sensitive groups, creating or removing resources such as EBS volumes, S3 buckets, or security groups.
  • AWS loadbalancer traffic/log analysis: AlienVault automatically identifies threatening IPs or entries that match suspicious traffic patterns.
  • The ability to search the many logs AlienVault collects in a way that even novice users can follow is super valuable. Logs can be quickly sorted by source, log type, and/or keyword searches. There have been many occasions where we were able to find non-security related issues due to the simple yet advanced search abilities of AlienVault. This has led to the challenge of deciding when and how long to allow non-security personnel access for troubleshooting.
  • AlienVault's lack of support for Docker may be its undoing at my company. It clearly stands above other products that fit our company, but we are adopting Docker at an ever-increasing rate. I don't want to support multiple security products, so it would be super cool if a solution to this challenge were found quickly.
  • Enriching data is super key to allowing us to set up alerts for and filter events. This process is rather painful. This significantly increases the cost of maintaining AlienVault. Specifically, several auditd and standard AWS logs do not allow me to filter based on keywords in the message.
  • Here is one example:
  • User: arn:aws:sts::2#########:assumed-role/qe-lambda-role/qe-batch-run-dev-frontend_batch_runner is not authorized to perform: logs:CreateLogStream on resource: arn:aws:logs:us-east-1:#########:log-group:/aws/lambda/qe-batch-run-dev-frontend_batch_runner:log-stream:2019/05/30/[$LATEST]########################
  • The ability to configure AlienVault to run security scans using SSH on systems is prohibitively difficult to use, especially when using a Bastion.
  • Making OSSIM work is a huge pain. I could not find AlienVault documentation that covers how things work and how to properly integrate it.
AlienVault is great at ingesting and processing information from multiple sources. It is excellent at monitoring AWS "things" out of the box, such as user management, network traffic through load balancers, or monitoring devices with sensitive data. I was surprised at how easy this was to start using immediately after purchase. This was a huge selling point. We had tools in place to monitor much of our environment, except AWS. Once the AlienVault system was in place, the rest happened naturally. It's now the most critical security system that we have.

It seems a bit poor when creating alarm filters that only trigger after "x" number of times. I know this can be done with escalation alerts. Keeping noisy alerts out of the UI is key to prevent alert fatigue in our more junior team members.
In general, AlienVault seems to be noisy. I'd like the ability to specify a group of users that can create security groups with sensitive ports exposed to the web, but I don't believe this is possible. I know how to do this per user. I don't believe groups are something we can specify.
AWS Inspector is a product that does very well against AlienVault for doing system level scans. It is also very expensive and cannot be customized at all.

Pen testing is not something that AlienVault does and I'm assuming that is intentional.

Network IDS isn't integrated into AlienVault or is very basic. I am assuming the plan would be to implement something like tripwire and have logs from that system sent to AlienVault. Obviously, we would like it to do absolutely everything and do it very well:) That said, I highly doubt that is an option. If this can be done, please don't let me slow you down.
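The review above describes two CloudTrail-driven alerts (users added to sensitive IAM groups; security groups created or changed) and asks for one that does not exist in the product as described: only a defined group of principals may open sensitive ports to the internet. The rule below is an added example written for this page, not AlienVault's correlation logic. It evaluates constructed CloudTrail-style records (placeholder account ID, user and role names, and a hypothetical allow-list named ALLOWED_EXPOSERS); real CloudTrail records carry many more fields than the ones read here.

```python
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 1433, 445}
SENSITIVE_IAM_GROUPS = {"Administrators"}
# Hypothetical allow-list: the "group of users" permitted to expose sensitive
# ports, matched by IAM user name or assumed-role name.
ALLOWED_EXPOSERS = {"netops-role"}

# Constructed identities (placeholder account, not real data).
BOB = {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::123456789012:user/bob"}
ALICE = {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"}
CAROL = {"type": "IAMUser", "userName": "carol", "arn": "arn:aws:iam::123456789012:user/carol"}
NETOPS = {"type": "AssumedRole",
          "arn": "arn:aws:sts::123456789012:assumed-role/netops-role/deploy-session"}


def _ingress(identity, sg, proto, lo, hi, cidr):
    """Build a minimal AuthorizeSecurityGroupIngress record (CloudTrail shape)."""
    perm = {"ipProtocol": proto, "ipRanges": {"items": [{"cidrIp": cidr}]}}
    if proto != "-1":                      # "-1" means all protocols/ports
        perm.update({"fromPort": lo, "toPort": hi})
    return {"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": identity,
            "requestParameters": {"groupId": sg, "ipPermissions": {"items": [perm]}}}


SAMPLE_RECORDS = [
    _ingress(BOB, "sg-0a1b2c3d", "tcp", 22, 22, "0.0.0.0/0"),        # SSH to the world, not allowed
    _ingress(NETOPS, "sg-0a1b2c3d", "tcp", 3389, 3389, "0.0.0.0/0"), # allow-listed role
    _ingress(ALICE, "sg-0a1b2c3d", "tcp", 443, 443, "0.0.0.0/0"),    # public HTTPS, not sensitive
    _ingress(BOB, "sg-0a1b2c3d", "-1", None, None, "10.0.0.0/8"),    # everything, but internal only
    {"eventName": "AddUserToGroup", "userIdentity": CAROL,
     "requestParameters": {"userName": "dave", "groupName": "Administrators"}},
]


def principal_of(record):
    ident = record["userIdentity"]
    if ident["type"] == "IAMUser":
        return ident["userName"]
    if ident["type"] == "AssumedRole":
        # arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION -> ROLE
        return ident["arn"].split("/")[1]
    return ident.get("arn", "unknown")


def exposed_sensitive_ports(record):
    """Sensitive ports opened to 0.0.0.0/0 or ::/0 by one ingress call."""
    perms = record.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    hits = set()
    for p in perms:
        cidrs = [r.get("cidrIp") for r in p.get("ipRanges", {}).get("items", [])]
        cidrs += [r.get("cidrIpv6") for r in p.get("ipv6Ranges", {}).get("items", [])]
        if not any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            continue
        if p.get("ipProtocol") == "-1":
            lo, hi = 0, 65535
        else:
            lo, hi = p.get("fromPort", 0), p.get("toPort", 65535)
        hits.update(port for port in SENSITIVE_PORTS if lo <= port <= hi)
    return hits


def evaluate(records):
    alarms = []
    for rec in records:
        who, name = principal_of(rec), rec["eventName"]
        if name == "AuthorizeSecurityGroupIngress":
            ports = exposed_sensitive_ports(rec)
            if ports and who not in ALLOWED_EXPOSERS:
                alarms.append({"rule": "public_sensitive_port", "who": who,
                               "sg": rec["requestParameters"]["groupId"],
                               "ports": sorted(ports)})
        elif name == "AddUserToGroup":
            params = rec["requestParameters"]
            if params["groupName"] in SENSITIVE_IAM_GROUPS:
                alarms.append({"rule": "sensitive_group_change", "who": who,
                               "user": params["userName"], "group": params["groupName"]})
    return alarms


if __name__ == "__main__":
    for alarm in evaluate(SAMPLE_RECORDS):
        print(alarm)
```

The allow-list is keyed on the role name rather than the session ARN so that every session of the deployment role is covered, and an `ipProtocol` of `-1` is expanded to the full port range, since "all traffic" is the case most likely to expose RDP or a database without naming the port.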
Alex Kranz
April 04, 2019

Review: "AlienVault USM: better than expected and a convenient way to maintain security compliance"

Score 7 out of 10
Vetted Review, Verified User
We use AlienVault USM to monitor and secure our AWS, Azure, and Office 365 environments. The primary use of the product is to maintain PCI compliance. The various PCI reports save a significant amount of time each year during our security audits. We use it to collect logs from Windows, Linux, and cloud environments into one convenient location.
  • The integrations are very end-user friendly.
  • The user interface is fairly intuitive.
  • The PCI reports are extremely time-saving.
  • The cross-platform compatibility makes hybrid environment management much easier.
  • The "Agent" has caused many problems in our environment.
  • The AlienVault server seems to get overwhelmed quickly and could use an option for greater scaling for larger installations.
  • The documentation is often lacking on details. The documentation often covers what specific steps to take but does not cover why or how certain items work.
  • The user interface is missing many features for bulk/large-scale operations. Such as the ability to close more than one page of alarms at once.
  • The "report false positive" does not provide a way to easily remove items so they still show up in audits.
  • There is no way to reconfigure many checks to avoid false positives.
  • The system lacks transparency for many security or infrastructure operations.
AlienVault is well suited for monitoring environments, especially standard Linux environments, and is great at generating non-technical reports. The standard user interface allows non-technical individuals to navigate the system and generates clean looking, easy to understand reports. The system is not as well suited for Windows environments or any non-standard configurations; integrating custom software/scripts is very challenging. File integrity monitoring on Windows has been very frustrating.
The ability to integrate logging from AWS, Azure, Office 365 and more has been extremely helpful. It allows me to see active security issues in multiple environments and tell if there is a correlation between any events. AlienVault is crucial in actively alerting me to issues regarding possible security breaches. The software can, in some cases, over-report. However, that is more a symptom of configuration than an issue with the product.
Daniel Jones
June 19, 2019

AlienVault USM Review: "AlienVault Is a Success"

Score 9 out of 10
Vetted Review, Verified User
AlienVault is being used for the Security Team to see all host and network traffic. This real-time SIEM is tuned to give us alarms we actually need to look at on a daily basis. This addresses anything from malware to network, system and email breaches.
  • Deployment with the sensors for USM anywhere.
  • Support
  • Responsive UI
  • Alien Apps
  • Agents offline
  • Easier agent deployment on host.
  • Quicker response from engineers and not just send engineers a document for the fix.
AV is beneficial for monitoring all hosts in an environment. I can't think of a scenario where it is less appropriate.
We had a lot of false positives at first, once we tuned it to get real-time alarms this is a great tool to have. We get threat intelligence from multiple systems we run in for our organization.
Jeremy Wilkins
June 12, 2019

AlienVault USM Review: "USM Anywhere does what it says."

Score 7 out of 10
Vetted Review, Verified User
Alienvault USM is being used to aggregate, inspect, and correlate both Windows/Linux logs and our Data Center network traffic. It is used exclusively by the SOC team for threat hunting and EDR.
  • VMWare Sensor deployment is very easy.
  • Dashboards are nice and clean.
  • Network monitoring and Syslog collector just work.
  • USM Anywhere does not support NetFlow or any variation. SPAN and RSPAN are currently the only methods to monitor IP flows.
  • USM Anywhere tech support is lackluster. I have opened two tickets and struggled to receive knowledgeable technical assistance.
  • USM Anywhere does not do scheduled report delivery in any format. Reports are run on demand and must be printed to pdf for distribution.
Well suited for smaller SOC teams or lean IT departments. A self-driven admin with experience in networking and server administration can find all the resources needed online.
I started receiving actionable event and alarm data immediately upon deployment of my first sensor and a few agents. Root cause analysis is simplified by being able to drill down into Alarms and associated events.
Dana Williams
June 05, 2019

Review: "AlienVault USM - a single solution in a complex world"

Score 5 out of 10
Vetted Review, Verified User
Globally as a SIEM/FIM solution.
  • FIM with limits.
  • Vulnerability scans (with agents installed as opposed to "NXlog").
  • Dashboards.
  • Need to be able to comment on issues flagged by AlienVault so that other users may know what has been done for triage.
  • Single pane of glass, need to have a shared dashboard that is customizable.
I find AlienVault easy to use and the learning curve is less when compared to some of the other solutions available. This is especially important for small to medium-sized companies with small staffs. I think of it as what we need and not necessarily what we want in a solution.
The ability to comment on issues within the application is rather important as now I can 'label' an issue and assign to myself or others but cannot include what steps have been taken thus far. That means a separate email communication is necessary.
Stephen Squires
June 01, 2019

Review: "AlienVault USM gives more visibility than I have ever had in one pane of glass."

Score 9 out of 10
Vetted Review, Verified User
AlienVault is deployed across the corporate infrastructure to centrally manage security logs on all servers via the agent. Sensors are deployed in the corporate network to monitor and scan workstations and servers for vulnerabilities and perform discovery scans for new systems on the network. The firewalls also supply syslogs to the sensors. Office 365 is monitored via an Azure sensor, along with Azure infrastructure.
Production systems are monitored using agents and a sensor.
  • Effective correlation of various log sources to provide useful alerts.
  • An agent provides detailed logs of events on every system, be it Windows, Linux, or MacOS, to the point you do not have to log in to each machine to review security logs.
  • Provides auto detection of log sources and effective mapping of the log data to key fields.
  • Pre-built alerts allow AlienVault to be effective right away. There's no need to spend days creating alerts for it to be usable.
  • Has powerful search capabilities once the logs are in AlienVault.
  • Has the ability to run queries on agent systems based on an alert trigger (eg. list of logged on users).
  • The biggest challenge is the deployment of the Agent. It requires logging onto each system and running the install script manually. You need a GPO or a scriptable way to push the agent.
  • We would like the ability to limit access to specific sensors for users that have been given access to AlienVault. Currently, if an analyst has access to AlienVault, they can see all data sources and logs.
  • We saw a lot of false positive results in the beginning, requiring a bit of tuning to suppress some rules.
  • There's no ability to suppress Vulnerabilities identified in the vulnerability scanning component.
The Office365 log management & searching is terrible using native Microsoft tools, plus you are limited to 90 days of log retention in O365. AlienVault has great integration with Palo Alto FWs. The biggest point to note is that AlienVault is only designed for security logging. It is not designed to capture & search application logs, for example. It is not Splunk.
AlienVault is very effective in detecting O365 logins from multiple regions for the same users, allowing us to detect compromised accounts. The integration with Palo Alto FWs allows the detection of users connecting to known C&C addresses.
Ryan Collins
May 27, 2019

AlienVault USM Review: "Alienvault gives you eyes without the extra bodies :)"

Score 8 out of 10
Verified User
Alienvault was selected as our SIEM solution to provide cutting-edge monitoring, analytics and alerting, and it has the added benefit of being able to conduct vulnerability assessments and provide endpoint detection and response. There is a lot of noise when deploying any SIEM solution, but Alienvault is unique in that it can be effective, practically right out-of-the-box, and anything required beyond that is satisfied by their great support team and available training. I have found that USM Anywhere can fill a critical gap in your security program, and I would recommend it for small, medium, and large businesses alike.
  • Anomaly Detection and Identification
  • Digital Forensics/Incident Response
  • Log Correlation and Built-in Attack Signatures
  • Cloud Security Monitoring
  • Would be nice to have better error messaging, specifically around credential failures.
If you have a new, small company that needs effective monitoring and alerting right out of the box, I would say that AV has a lot less deployment and overhead than many SIEM solutions. That said, it can scale quite well and is particularly nice to operate when dealing with cloud infrastructure.
Due to the predefined correlation and orchestration rules, baked-in dashboards and reports, I would say it is a leader in providing effective threat detection and ROI within a very short period after deployment, from my experience.
Francis Aghedo
May 17, 2019

User Review: "AlienVault USM..making sense"

Score 8 out of 10
Verified User
The USM is being used by the IT department as a SIEM, giving our organization a 360 view of what's going on in the network infrastructure, with more focus on the critical infrastructure that has been plugged in to send all of its log activity. The AlienVault USM has made it simple by the creation of plugins, which make it easier to express the logs in simple expressions for easy understanding.
  • Large plugin base to accommodate different devices.
  • Easy to deploy.
  • Easy management.
  • Makes network monitoring and actionable steps clear and simple.
  • Updating the appliance to a newer version.
  • More control over which devices will be allowed to log into a database and which ones that should just appear, so that the database will not get filled up quickly.
Threat detection both on-premise and external, especially the feature of having the OTX, which comes in handy in giving more insight as to the threat being faced. The OSSIM feature is also a big plus, where HIDS for Windows and Linux-based workstations and servers can be monitored. The correlation rules are made easy for any admin to manage.
AlienVault helps in:
- Threat insight through OTX.
- Network Intrusion Detection System.
- Host-Based Intrusion Detection Solution.
- Alienvault gives the ability to monitor up to 5 public IPs, which we use to know the hit trends to our network.
- The deployment steps are direct and easy.

Kirk Fischer
May 10, 2019

AlienVault USM Review: "A very positive step towards keeping our network secure!"

Score 8 out of 10
Verified User
We use AlienVault USM across our entire organization. It was purchased to help us improve our ability to respond to cyber security threats by keeping up with patching and tracking down vulnerabilities on our network. We took these steps after paying to have penetration testing done on our network.
  • AlienVault USM helps our IT staff stay on top of patches.
  • AlienVault USM makes it easier for our IT staff to track down vulnerabilities.
  • AlienVault USM provides steps to correct any vulnerabilities that may arise.
  • AlienVault's staff were very helpful in setting up their product on our network. There was plenty of opportunity for training.
  • AlienVault USM can be cumbersome for a small IT staff to manage. We still use AlienVault USM but now pay a third party to help us manage it.
AlienVault USM is appropriate for companies looking to improve cyber-security without investing heavily in additional IT staff. There is a considerable learning curve associated with this product so it's worth considering letting a third party manage it for you.
AlienVault USM is much more comprehensive than other security technology that we had previously used. It allows us to stay up to date on important preventative measures for keeping our network safe and provides detailed directions for addressing issues.
Corey Foster
May 08, 2019

AlienVault USM Review: "Alienvault is wonderful"

Score 10 out of 10
Verified User
AlienVault USM Anywhere is being used across the entire organization, for full network monitoring of all systems including election systems. We also are using AlienVault in our Azure environment for monitoring of applications and virtual machines that are housed in the cloud. This is through firewall logs and the AlienVault Agents.
  • Normalization of logs that it receives
  • Known threat alerts
  • Amount of data it keeps track of
  • Easier connection with the Cisco Umbrella system
  • Better systems integrations
  • Simpler log clean ups and alerts
AlienVault USM Anywhere is well suited to log normalization and log retrieval. It helps in reviewing logs in one location so you are not bouncing from one server or piece of equipment to the next to view logs and network traffic. It helps to make the job a little bit easier to perform.
XianJiang Cai
April 29, 2019

AlienVault USM: "Accurate, easy to setup, no maintenance required, but UI needs to improve."

Score 8 out of 10
Verified User
USM is being used for our whole organization. It is deployed via sensors in various regions to capture in/out data for monitoring potential risk. We use USM as a central logger and analysis system, also collecting data from firewall/VPN, Office365, CrowdStrike and others. It's convenient to integrate various plugins for gathering data/alerts from different clouds/platforms. The whole system setup is pretty straightforward and not difficult to use.
  • Risk analysis is accurate. Cloud-based rule update means less hassle.
  • Integrated plugins help centralize log/alert into one system.
  • Filter/suppress rule is very easy to set. Easy to fit to our current traffic pattern.
  • It's a pain to check each individual alert for detail, I wish there was a popup window or something similar to quickly go through each unusual alert.
  • The UI seems not that efficient, and a little bit slow in my opinion.
  • I wish we had a Kibana-like quick search criteria change function, click and go.
It has done very well on a complicated network environment. It detects risk very well. No need to mess with Suricata rules.

We also deploy Suricata + Kibana + ES alongside a USM sensor. Both act pretty much the same. USM does have the advantage of stacking or reducing duplicated alerts. We found lots of coin miner programs via USM. That helps a lot. We also fixed some configuration issues based on various attack attempts detected on USM.
Tim Valus
April 25, 2019

Review: "AlienVault USM from the perspective of a non-security IT department"

Score 9 out of 10
Verified User
AlienVault USM is being used by the IT department for its vulnerability scanning, intrusion detection, and event correlation. It's a fairly new product for us and we're still getting acclimated to it but so far it's been very useful in giving us greater visibility into our environment.
  • Vulnerability assessment is very good. Especially with the software on servers and workstations.
  • Event correlation has helped tremendously by centralizing all the data into one feed that we can filter easily.
  • Support, training, and implementation were top notch. Very helpful people who answered questions clearly and concisely.
  • For a company that is on the smaller side as far as the number of employees and computer systems, the storage available in our tier could get eaten up quite quickly. It wasn't that easy for us to know where to go from a storage tier startup standpoint.
AlienVault USM is very well suited for a small to medium-sized business who may have 20+ servers and 50-75+ workstations in use but who may not have a dedicated security person/team, or the security tools that are becoming more and more needed in businesses of almost all sizes these days. There is also an MSP version of AlienVault USM, so even smaller companies could leverage the product through one and still get all the intelligence without the need for a person or department to operate the software.
AlienVault USM is the first security technology that we have used in any sort of formal way here so I can't really compare it to any other products that were used in a production environment. That being said, the very next day following implementation, AlienVault USM alerted me to an attempted breach of one of our systems. So in my mind that says quite a bit about its effectiveness. I would hope other products would be as good, but I know that AlienVault USM is.
Elliott Yau
April 25, 2019

AlienVault USM Review: "Pretty good at what it does, but could be improved."

Score 8 out of 10
Verified User
We use AlienVault USM to satisfy PCI DSS requirements. Namely event logging and audit, change audit, and Intrusion Prevention services.
  • Lots of built-in out of the box functionality.
  • Easily satisfies several PCI DSS requirements.
  • Event logging is easy to navigate and presented well.
  • Initial setup is quite tedious.
  • Network setup for IDS caused us to bring our network down a couple of times.
  • Reports aren't very good.
AlienVault USM is good for meeting PCI DSS requirements but is not very appropriate if you need only bits and pieces from the application. It's good for bigger companies, although the cost may scare off smaller businesses.
It's pretty good at detecting threats, although there have been quite a few false positives that we've had to go and whitelist. For example, some of the agents on the DC are extremely noisy, filling our storage with mundane event logs.
Clint Siebert
April 19, 2019

AlienVault USM Review: "AlienVault proved itself after one day."

Score 7 out of 10
Verified User
Currently it's only being used by the IT department to identify suspicious network activity, which we did not monitor prior to implementing AlienVault. One day after implementing AlienVault, we were notified of a bitcoin miner on our FTP site. Sure enough, when I logged into that machine and ran a malware scan, it picked up a Bitcoin Miner.
  • Report suspicious network activity.
  • Display all threats in a nice dashboard.
  • Notify me of what other people have encountered with "Pulses."
  • Make initial setup easier.
  • Make their certification test not so ridiculously tedious with oddly specific questions.
  • Provide better remediation steps.
Well suited: monitoring strange network traffic.
Not well suited: for people who expect an easy plug-and-play solution.
As I mentioned earlier, we had only one day go by and AlienVault detected a bitcoin miner on my FTP server. This thing could have been running indefinitely had AlienVault not notified us of the suspicious activity. We are at a point now where we really need all the help we can get to manage these threats. AlienVault did that for us after one day.
David Green
April 12, 2019

AlienVault USM Review: "Alien Vault USM goods and not so goods"

Score 7 out of 10
Reseller
We are 200 employees strong and have presence in 5 states. We utilize AlienVault (AV) across our entire MPLS network. It addresses the issue of visibility of our servers and workstations to analyze potential threats and less common issues with auditing we wouldn’t otherwise catch but can cause major issues if not resolved.
  • AlienVault is very customizable. We can set up many built-in rules and alerts which saves time but can also be extremely granular to properly scan our unique network.
  • Great technical support. When I need assistance setting up a new sensor or target scan, AlienVault engineers are there to assist and get me on track.
  • Although the interface shows a lot of development and thought put into it, there are some buggy issues at times with simple form submission and web navigation.
  • Initially setting up Alien Vault in our environment was challenging and there was a lack of support around the “hardware level” meaning our VMWare environment.
AT&T sold us AlienVault as a replacement for penetration testing, but before investing do your research. AV is a great tool but ultimately is just a SIEM. It's the best SIEM on the market but it does have limitations. AT&T needs to be aware of this and how they sell this.
Other security measures like antivirus only find malicious threats after they have infected one or multiple computers. AlienVault's real-time scanning can detect these threats as they are attempting to propagate through my network.
Tyler Michels
April 11, 2019

AlienVault USM: "AlienVault OSSIM SaaS Review"

Score 8 out of 10
Verified User
This is currently being used across our corporate environment to help monitor our firewalls that process all associate traffic, Active Directory, O365, etc. This product has helped us to gain more visibility into the traffic that is being sent across our network and helps identify threats quicker. Currently, the Security department is in charge of all that is AlienVault, and has given read access to a few neighboring departments.
  • Ability to tune alarms and events to your liking. Very easy to get rid of false positives that are known in your environment, and create actionable alerts for legitimate alerts.
  • The simplicity of the dashboard. Everything within AlienVault USM Anywhere is easy to navigate and configure. From sorting logs to creating new users, the layout is natural and easy to figure out.
  • The Architecture of the SaaS deployment went smoothly and is very simple and expandable. Very little to worry about on our side with great results.
  • Support response time and incident handling have some room to improve. We had major issues with a sensor, and it took several days to get a response. Once we got a response the issue was corrected, it just took a while to get our engineer on the phone.
  • Small bugs in the way that the syslog packets are read and normalized. Reading the time in the packet wrong has been the biggest issue we have found so far that is without a solution.
  • Complicated Architecture to fully use the product. Requiring port mirroring to use the IDS portion of Alienvault is quite challenging when dealing with a large network size and diverse locations such as ours.
Has generated many actionable alerts that we chased down and identified as real threats in our environment. The correlation with OTX has proven to be quite useful and saved a lot of time when trying to determine if a specific host is malicious. The integrations with firewalls could be a bit better so that the IDS component in AlienVault can be fully utilized without using port mirroring.
The OTX platform has proven to be instrumental in identifying threats in our environment quickly and accurately. The ability to correlate login events to known malicious hosts, and generate actionable alerts has been the most utilized feature and generated the most actionable alerts. We did not get far enough into testing Exabeam to determine how their product handled these types of identifications, but I am quite impressed with Alienvault's solution.
Dustin Hannon
April 06, 2019

AlienVault USM Review: "Things to think about"

Score 6 out of 10
Verified User
It is being used by the IT department for internal vulnerability scans and log collection. It also plays a role in providing information to our internal and external auditors.
  • It is good at doing internal scans of end-user devices to find vulnerabilities without the need of installing an agent or client on each device.
  • It is good at being a log server. A place to send logs for all of your networking devices, such as switches, firewalls, and other solutions that accept log servers.
  • Its ability to collect logs from Barracuda solutions needs heavy improvement. How it collects and organizes the data isn't very useful.
  • The end device client, which is optional and can be installed on any device you want to collect more data from, has compatibility issues with quite a few products we use, and anti-virus software in particular doesn't like it. We have also had some performance issues with devices the client is installed on.
  • The way collected data from all devices and locations is presented to the user in the web portal is not as user-friendly or as clean as it could be. It tends to show too much useless data and too many categories, making it easy to miss the important parts.
AlienVault was not a replacement for any of our current solutions. It was an addition to them, because it collects some data our other solutions do not. We hoped for AlienVault to be able to replace most if not all of our similar solutions and log servers, but it just doesn't get the job done on that front.
Our environment is complex and stretched across many physical offices. This limited how we were able to use AlienVault. We are not currently able to use or enable all of its features. In a simple network infrastructure, AlienVault would do much better.
Note that the cost of the AlienVault product itself will most likely not be your only costs. It will require your network engineer(s) to spend multiple hours configuring or re-configuring your infrastructure to make some of its features work, such as mirror ports and virtual hosts to collect all network traffic from your core.
AlienVault is a good product for detecting vulnerabilities, but does not replace our other solutions.
For instance, our firewall solutions do a much better job at logging and providing real-time alerts of issues and attacks. Our SAL monitoring solutions provide uptime and performance that is outside the scope of features for AlienVault.
Jonathan Bourgeois
March 15, 2019

Review: "No matter how vast your environment is, AlienVault USM can make you feel like home in."

Score 9 out of 10
Verified User
I love that it integrates with everything and at different levels. I wish ISO27k was implemented as PCI-DSS for the "Compliance-scoped assets", but so far I love the product. It's the best of both worlds - having opensource stuff as well as support.
  • AWS integration.
  • Google integration.
  • Asset grouping.
  • Incident-automation with ServiceNow.
  • Knowing software versions and asset information, we should be able to know the vulnerabilities as they come out without having to rescan the inventory. A rescan could be done to validate the info is still true (about versions and stuff), but instead of va-scan being the vulnerability "informer", you could check when a new vulnerability comes out - if we had this software/service configured somewhere.
  • Malware protection? I'm honestly not sure as there's not a lot that AlienVault doesn't do :)
So far I love the tool. It's backed by a huge company, I would recommend it to my friends working in small to medium-sized companies.
It's easy to deploy. The dashboards accurately represent the risk and attack vector.
Aaron Hodges
July 05, 2019

AlienVault USM Review: "So far so good"

Score 7 out of 10
Verified User
Currently, we use it for all of our log shipping. Also, we use the port mirror function for all of our network traffic.
  • Vulnerability lists.
  • Log storage.
  • Integrations.
  • Tech support.
  • Releasing unstable agents.
  • Did I mention support?
It's best for smaller companies who don't have the time to see a 10,000-foot view of their network.
Between AlienVault and our antivirus software, we have a solid foundation.
Tyler Frazer
June 24, 2019

AlienVault USM Review: "AlienVault is pretty dope"

Score 8 out of 10
Verified User
We are using AlienVault as a SIEM, Log Manager, FIM, and Vulnerability Management tool. It is used across the whole organization. We need to be HIPAA compliant, so it addresses the need for a log manager, vulnerability scanner, policy report generator, and FIM.
  • log management
  • vulnerability management
  • correlation alerts
  • Policy Reports
Where people need multiple tools, but would prefer using one vendor.
AlienVault is very effective at finding and remediating vulnerabilities. Finding the needed patch or needed changes is now much easier.
Jesse Bickel, MS - PMP
February 19, 2019

AlienVault USM Review: "AlienVault. Not just a cool product name, but it keeps you safe too!"

Score 9 out of 10
Verified User
AlienVault was selected and implemented on our network to support our needs for proactive notifications, monitoring and response to threat detections. We wanted the ability to put all of our on-premise and cloud presence on a simple to use, one-stop shop platform for ease of monitoring and response. This system is used throughout our IT department and to support our compliance against HIPAA and overall IT Security.
  • AlienVault USM Anywhere has very strong documentation. They really do not try to push professional services but really offer you the opportunity to try and buy the product and work through the documentation to implement on your network.
  • AlienVault USM's dashboard is easy to use, highly customizable and quick to report (without issues) any of the parameters you set up. The dashboard is intuitive and responsive!
  • AlienVault USM Anywhere is easy to scale and deploy. Its soft license platform allows you to deploy additional agents and secure elements of your network at close to a moment's notice!
  • AlienVault's Dashboard is very strong but does take some time getting used to and customizing. The reporting functions and proactive reporting is a great tool but takes plenty of time to learn and get right. It could be difficult but if there was some out of the box wizard engine that could get some reports up and running fast it would be helpful.
  • It would be great to see the USM product compare against other similar environments or industry benchmarks to notify us even if we do not have the threat to our network. It would be a huge value added to understand how, why and where other networks that are part of the USM family are hit.
  • Access to the cold storage of logs for AlienVault is a bit confusing. It would be a huge addition if we could dump all the logs locally and have an easier searching tool for such logs. It seems it is not just AlienVault but most companies now want them to use their storage, not local.
AlienVault is a GREAT solution to deploy quick and in a hurry. They are an industry leading product with a strong support team to assist in execution. AlienVault has huge value in helping you secure your network to support HIPAA compliance or any other type of regulatory audit. If your network is Small to Medium in size, this is an ideal solution. If you were going to have a large enterprise-grade network where you are serving others on a large scale, such as a Campus, etc., you may want to take a look at a Cisco IPS (as an example).
AlienVault USM has been instrumental in detecting real security threats to our environment. The important thing is to ensure you set up the agents properly and categorize the assets properly for it to report and scan on. We have avoided multiple external incidents due to the protection, responsiveness and auto-quarantine mechanisms it has in place.
Jason LeBlanc
June 11, 2019

AlienVault USM Review: "USM Anywhere, the easy SIEM."

Score 9 out of 10
Verified User
USM is the SIEM used to collect data across the entire environment; that data is used to report to the QSA for PCI compliance. It has greatly helped find problems as well as streamline our PCI compliance reporting. What was once very manual and time consuming is now simply pulling reports.
  • Find security issues such as malware.
  • PCI compliance reporting.
  • Deep dive into various issues in the environment.
  • UI could be streamlined some.
USM is a good catch all SIEM with a price point well below the competition.
We catch at least one malware event each week.

Feature Scorecard Summary (score out of 10, number of ratings in parentheses)

  • Centralized event and log data collection (1): 8
  • Correlation (1): 8
  • Event and log normalization (1): 8
  • Deployment flexibility (1): 7
  • Custom dashboards and views (1): 6
  • Host and network-based intrusion detection (1): 7

About AlienVault USM

AlienVault USM Anywhere is a cloud-based security management solution that promises to accelerate and centralize threat detection, incident response, and compliance management for cloud, hybrid cloud, and on-premises environments. The vendor says that USM Anywhere includes purpose-built cloud sensors that natively monitor your Amazon Web Services (AWS) and Microsoft Azure cloud environments. On premises, lightweight virtual sensors run on Microsoft Hyper-V and VMware ESXi to monitor your virtual private cloud and physical IT infrastructure.

USM Anywhere aims to help you rapidly deploy sensors into your cloud and on-premises environments while centrally managing data collection, security analysis, and threat detection from the AlienVault Secure Cloud.

Five Essential Security Capabilities in a Single SaaS Platform

AlienVault says that USM Anywhere provides five essential security capabilities, giving you everything you need for threat detection, incident response, and compliance management, within one platform. With USM Anywhere, you can focus on finding and responding to threats, not managing software. USM Anywhere can readily scale to meet your threat detection needs as your hybrid cloud environment changes and grows.

  1. Asset Discovery
  2. Vulnerability Assessment
  3. Intrusion Detection
  4. Behavioral Monitoring
  5. SIEM

Try USM Anywhere in your environment—free for the first 14 days.
www.alienvault.com/products/usm-anywhere/free-trial

AlienVault USM Features

Security Information and Event Management (SIEM) Features
  • Centralized event and log data collection
  • Correlation
  • Event and log normalization
  • Deployment flexibility
  • Integration with Identity and Access Management Tools
  • Custom dashboards and views
  • Host and network-based intrusion detection
Additional Features
  • AlienVault Open Threat Exchange

AlienVault USM Videos (2)

  • AlienVault USM Anywhere: Five Essential Cloud Security Capabilities in a Single SaaS Platform
  • See How We're Pushing the Outer Limits of Security

Pricing

  • Free Trial Available? Yes
  • Free or Freemium Version Available? Yes
  • Premium Consulting/Integration Services Available? Yes
  • Entry-level set up fee? Optional

AlienVault USM Support Options (free and paid versions)

  • Phone
  • Email
  • Forum/Community
  • FAQ/Knowledgebase
  • Social Media
  • Video Tutorials / Webinar

AlienVault USM Technical Details

  • Deployment Types: SaaS
  • Operating Systems: Unspecified
  • Mobile Application: No
  • Supported Countries: Global