Reviews (1-25 of 331)
- The USM platform provides the essential security capabilities that work together for a fast and cost-effective way for organizations to have complete visibility into the security of their environment.
- With the information gathered during asset discovery, USM will correlate that information with known vulnerabilities for continuous vulnerability awareness. In addition, USM contains an active scanner capable of scanning for over 30,000 known vulnerabilities.
- To give better visibility into your network, and possibly detect intrusions that don’t follow behavioral patterns, we offer Netflow information, bandwidth monitoring, and traffic capture, all part of our behavioral monitoring capabilities built into USM.
- External threats — Coming from external attackers.
- The value of the asset associated with the event
- Feature-rich: includes functionality not typically present in other SIEMs, such as vulnerability scanning, UEBA, file integrity monitoring, NIDS.
- Simple to configure and deploy.
- Relatively inexpensive compared to other enterprise SIEM solutions.
- While there are many features, many of them are not very advanced. Vulnerability scanning as an example is extremely simplistic and almost unusable for an enterprise organization. It's just enough to get a program off the ground.
- Cloud-only deployment model (SaaS) may not fit all organizations. Not all organizations are "cloud friendly".
- Reporting capabilities out of the box are lackluster. Vulnerability management reporting as an example does not include a single canned report.
AlienVault USM is less appropriate for more mature organizations who have the staff to support more advanced security operational capabilities or engage in advanced threat hunting. Also, organizations who like more ability to add internally developed functionality into their SIEM through scripting or other automated response activities.
- AlienVault USM Anywhere is easy to deploy with their cloud-based model and deploying the required agents on-prem (or in the cloud) is quick and easy.
- Custom rules allow for alerting based on content from events and you can even trigger agents in response to threats, shutting down computers or grabbing forensic info for incident response.
- USM Anywhere also takes care of reporting for ISO and PCI, allowing you to pull reports for auditors at a moment’s notice.
- With many integrations out-of-the-box, you can pull in all the data from products you use and other sources, such as Amazon CloudWatch Logs.
- We would love to be able to create custom rules based on a series of events, to create rule-sets where, for example, failed logins to the VPN Server are logged and then when a successful attempt follows soon after, it triggers an alarm for a Brute Force. It does this for things like OKTA already, so control over which events this applies to would be great.
- More data tiers - something between 250GB and 500GB tiers, maybe break it down into 100GB tiers?
- Integration with OpsGenie would be great.
- Correlate logs from different sources into actionable intelligence.
- Provide an easy to use interface to interact with Alarms and Events.
- Integrate with our alerting tools to make sure when an incident is happening, the right people know about it quickly.
- Being able to make custom plugins for internal tools.
- Being able to have a webhook plugin to send logs directly to the cloud appliance.
- Make the management of suppression rules better. Maybe include a suppression rule visualizer to make sure your suppression rule is doing exactly what you would like it to do.
It is not appropriate if you are looking to easily be able to customize the tool. A lot of the options you have with tools like Splunk are just not here.
- Intelligence updates from the Alienvault community and security pros.
- Writing of threat detection rules and ingestion parsing for different devices.
- Vulnerability scanning.
- Asset management is done purely by IP unless using the agent.
- Agent installs and updates can be a bit flaky, and on occasion use lots of resources.
- Internal vulnerability scans
- Monitor firewall and security group changes
- Monitor and alert on suspicious system logs
- Monitor and alert on suspicious CloudWatch logs
- False alarms occur occasionally
- There is no report for only displaying vulnerabilities with an available patch. Spectre-class issues can only be mitigated but will remain active until we are all on next-generation processors.
- Centralization of data logs makes it easier to analyze the many application logs throughout our organization (i.e. Windows logs, PLC logs, antivirus logs, Exchange server logs, etc.).
- Easy maneuvering with AlienVault pages as well as easy to bookmark alerts.
- Creating SOC on a budget especially with a smaller IT dept.
- Incident response.
- Threat detection.
- Compliance management.
- AlienVault OTX is a user community that is very helpful, especially when you are curious about the alerts or to help mitigate issues that arise.
- I would like more detailed ways to mitigate issues.
- Log analysis, both syslog and AWS CloudTrail, and searchability/reporting is actually better than most of our other related tools: all of our systems send log information using rsyslog to our AlienVault USM system. AlienVault is able to alert us of many issues with minimal configuration, including adding/removing users to sensitive groups, and creating or removing resources such as EBS volumes, S3 buckets, or security groups.
- AWS load balancer traffic/log analysis: AlienVault automatically identifies threatening IPs or entries that match suspicious traffic patterns.
- The ability to search the many logs AlienVault collects in a way that even novice users can follow is super valuable. Logs can be quickly sorted by source, log type, and/or keyword searches. There have been many occasions where we were able to find non-security related issues due to the simple yet advanced search abilities of AlienVault. This has led to the challenge of deciding when and how long to allow non-security personnel access for troubleshooting.
- AlienVault's lack of support for Docker may be its undoing at my company. It clearly stands above other products that fit our company, but we are adopting Docker at an ever-increasing rate. I don't want to support multiple security products, so it would be super cool if a solution to this challenge were found quickly.
- Enriching data is super key to allowing us to set up alerts for and filter events. This process is rather painful. This significantly increases the cost of maintaining AlienVault. Specifically, several auditd and standard AWS logs do not allow me to filter based on keywords in the message.
- Here is one example:
- User: arn:aws:sts::2#########:assumed-role/qe-lambda-role/qe-batch-run-dev-frontend_batch_runner is not authorized to perform: logs:CreateLogStream on resource: arn:aws:logs:us-east-1:#########:log-group:/aws/lambda/qe-batch-run-dev-frontend_batch_runner:log-stream:2019/05/30/[$LATEST]########################
- The ability to configure AlienVault to run security scans using SSH on systems is prohibitively difficult to use, especially when using a Bastion.
- Making OSSIM work is a huge pain. I could not find AlienVault documentation that covers how things work and how to properly integrate it.
It seems a bit poor when creating alarm filters that only trigger after "x" number of times. I know this can be done with escalation alerts. Keeping noisy alerts out of the UI is key to prevent alert fatigue in our more junior team members.
In general, AlienVault seems to be noisy. I'd like the ability to specify a group of users that can create security groups with sensitive ports exposed to the web, but I don't believe this is possible. I know how to do this per user. I don't believe groups are something we can specify.
Pen testing is not something that AlienVault does and I'm assuming that is intentional.
Network IDS isn't integrated into AlienVault or is very basic. I am assuming the plan would be to implement something like Tripwire and have logs from that system sent to AlienVault. Obviously, we would like it to do absolutely everything and do it very well :) That said, I highly doubt that is an option. If this can be done, please don't let me slow you down.
- Reports most common threats, real-time and take immediate automatic actions. I think this is strong if you don't have a team monitoring 24/7.
- Connects with signature providers and keeps up-to-date well with 0 vulnerabilities. I don't need to explain why you may want to be protected against the newest threats.
- The UI is very easy to get used to, which will make you adapt to its use quickly.
- This tool will become slower and slower as you start adding devices to it; the on-premise version has a lot of room for improvement here, as the database is slow.
- The on-premise version of AlienVault USM will not support dynamic environments where people are constantly removing/adding new virtual machines, and it doesn't cope with Puppet management.
- Only the most common hypervisors are supported; it could be good to have an image for Xen.
- AlienVault USM was quick to deploy and the configuration was pretty straight forward.
- The AlienVault USM product has great documentation and service support. Very knowledgeable and readily available. Highly recommend their support package.
- The AlienVault UI is very comprehensive, with deep tool-sets. You can monitor just about anything anywhere from anywhere. This flexibility was incredibly useful.
- While their UI was comprehensive, it takes a while to understand how to group and tag the resources you want to monitor and how and on what schedule. The tools are deep but the usability is a bit complex. You will need to read the documentation.
- Their pricing model for throughput was a bit challenging. I would like to see a different pricing structure. I would much prefer to see site licenses.
- Sometimes the assessments were vague. While this shouldn't be relied upon as the only source for assessments, there were often descriptions that did not associate with the vulnerability or required us to deploy other tools to verify, such as AWS Inspector. It was not a big deal, but some added overhead.
- Scanning network assets for vulnerabilities.
- Heuristics in determining behavior and alerts accordingly.
- Lots of false positives for vulnerabilities, Linux malware on Windows systems????
- Lack of third-party app support or integration.
- Being charged based on the amount of data.
- Deployment is quick
- Normalization of log data and threat identification is effective and simple to understand.
- Vulnerability analysis along with CVE identification is better than Nessus
- Investigations feature is robust
- Cloud sensor deployment and capabilities are robust
- Custom plugin creation/modification by the user is missing. If log data is unknown to the platform, the process of getting a new plugin developed is lengthy. It would be ideal if the user could create custom plugins for their own platform.
- Asset discovery adds every IP address in a subnet even if no host is present. The detection method is flawed. I don't have this issue on the same network with other asset discovery tools.
- SaaS performance can be slow. When listing items more than 20 at a time, the UI refresh can be painfully slow.
- SIEM is great for monitoring and maintaining our systems and networks, and with the right tuning the system becomes an incredibly powerful tool by being able to identify the difference between a high priority event and false positive.
- The vulnerability scanning is a very useful part of the system, especially as after finding any vulnerabilities it provides lots of detail on what was found along with a solution.
- User management has a good level of modularity, allowing us to restrict access for certain users to only certain areas.
- The system can be a little over-complicated to set up to perform what I would think to be simple tasks. For example, sending an email notification on a certain alarm being created.
- The reporting module does not offer much visual customization, only allowing you to add your company logo and color scheme as a template.
- As for us, it casually integrated to AWS cloud and local infrastructures, in simple words easy to implement
- Processes different types of logs using its very own inbuilt plugins and displays them in an understandable manner for non-technical users as well
- Has its own very accurate correlation rules to generate alarms from the processed logs
- Has an open threat intelligence community which can be integrated with the AlienVault account
- In order to collect the system logs from various servers, it has an AlienVault agent that can be installed on Windows, Mac and Linux. It collects various types of logs, such as user activity, shell history, file integrity, etc.
- Any suspicious alarm can be added as a ticket on its console and can be processed according to severity type.
- Server and Network vulnerabilities details can be scanned through the USM.
- Customizable dashboard views in the console make it easy to monitor logs from the different sources.
- Events view can be customized according to the data source plugins.
- USM has a feature for suppressing and filtering out logs from the console. Suppression hides the logs from the console dashboard, whereas filtering blocks similar log entries from entering the AlienVault console, which helps to reduce storage usage.
- Asset Discovery: Maintains and scans dynamic asset inventory and software inventory for large scale organization
- Security & Compliance Reporting: contains customizable reports for regulation standards and compliance frameworks
- It uses sensors to collect data from different sources which results in extra cost for the sensor server
- Support is very poor
- It would be great if there were documentation to study on how we can identify and monitor suspicious logs
Since it is very expensive, I do not recommend it for small organizations; it requires additional infrastructure to implement AlienVault on premises.
- You have the list of domains that were visited by your organization's employees
- You compare this list of domains with lists of malicious domains obtained from different OTX (Open Threat Exchange) pulse providers that have already been posted on OTX.
- If a match is found, an alert is raised to take appropriate action.
- The same process is repeated at regular intervals to check all the new domains.
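The matching process described in this review, as an added Python example that is not part of the review or of AlienVault's own code: it assumes a constructed indicator set standing in for domains taken from OTX pulses and a constructed list of visited domains, normalizes each domain, matches it and its parent domains against the indicators, and on repeated interval runs only examines domains not seen before.

```python
"""Match visited domains against OTX-style pulse indicators (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for domain indicators collected from OTX pulses.
# Real pulses would be fetched from OTX; these names and pulse labels are made up.
PULSE_INDICATORS: Dict[str, str] = {
    "bad-updates.example": "pulse-A (constructed)",
    "cdn.phish.example": "pulse-B (constructed)",
}

# Constructed sample of domains seen in proxy/DNS logs.
VISITED_DOMAINS: List[str] = [
    "www.Bad-Updates.example.",   # mixed case and trailing dot from a DNS log
    "mail.corp.example",
    "cdn.phish.example",
    "notphish.example",           # must NOT match cdn.phish.example
]


def normalize(domain: str) -> str:
    """Lowercase and strip the trailing dot so comparisons are exact."""
    return domain.strip().rstrip(".").lower()


def match_indicator(domain: str, indicators: Dict[str, str]) -> Optional[str]:
    """Return the indicator covering `domain`, walking up its parent labels.

    'www.bad-updates.example' matches the indicator 'bad-updates.example';
    'notphish.example' is not a child of 'cdn.phish.example' and does not match.
    """
    labels = normalize(domain).split(".")
    for i in range(len(labels) - 1):        # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


@dataclass
class DomainWatch:
    """Holds the indicator set and the domains already checked in earlier runs."""
    indicators: Dict[str, str]
    seen: Set[str] = field(default_factory=set)

    def check(self, visited: List[str]) -> List[Tuple[str, str, str]]:
        """One interval run: return (domain, indicator, pulse) for new hits only."""
        alerts = []
        for d in visited:
            nd = normalize(d)
            if nd in self.seen:             # already checked in a previous run
                continue
            self.seen.add(nd)
            hit = match_indicator(nd, self.indicators)
            if hit:
                alerts.append((nd, hit, self.indicators[hit]))
        return alerts
```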
- Very easy to use. The UI is very intuitive.
- Out of the box predefined reports that make the initial filtering easy.
- Very easy to setup.
- Sometimes it gets slow with large queries.
- When an upgrade fails you have to debug extensively to know what happened.
- When we add many hosts at once, sometimes some of them are not added, so you have to be careful.
- Active Directory login requests
- Logs on the Domain Controllers
- Only showing alerts that have a high indication of compromise and reduces false positives.
- Trimming of log files to stay within limits
- Projecting any future storage costs from AlienVault
- Creation of dashboards.
- Creation of metrics that we utilize in our monthly reports.
- We like the way alerts are being sent to us and the information they provide.
- Their customer support is the worst, and sadly this has been consistent every time we've had to reach out to them.
- The account execs have ZERO flexibility regarding making deals and meeting us halfway.
- The features do not work as advertised.
- Deployment with the sensors for USM anywhere.
- Responsive UI
- Alien Apps
- Agents offline
- Easier agent deployment on host.
- Quicker response from engineers and not just send engineers a document for the fix.
- VMware sensor deployment is very easy.
- Dashboards are nice and clean.
- Network monitoring and Syslog collector just work.
- USM Anywhere does not support Netflow or any variation. SPAN and RSPAN are currently the only methods to monitor IP flows.
- USM Anywhere tech support is lackluster. I have opened two tickets and struggled to receive knowledgeable technical assistance.
- USM Anywhere does not do scheduled report delivery in any format. Reports are run on demand and must be printed to PDF for distribution.
- FIM with limits.
- Vulnerability scans (with agents installed as opposed to "NXlog").
- Need to be able to comment on issues flagged by AlienVault so that other users may know what has been done for triage.
- Single pane of glass, need to have a shared dashboard that is customizable.
The ability to comment on issues within the application is rather important as now I can 'label' an issue and assign to myself or others but cannot include what steps have been taken thus far. That means a separate email communication is necessary.
Production systems are monitored using agents and a sensor.
- Effective correlation of various log sources to provide useful alerts.
- An agent provides detailed logs of events on every system, be it Windows, Linux, or MacOS, to the point you do not have to log in to each machine to review security logs.
- Provides auto detection of log sources and effective mapping of the log data to key fields.
- Pre-built alerts allow AlienVault to be effective right away. There's no need to spend days creating alerts for it to be usable.
- Has powerful search capabilities once the logs are in AlienVault.
- Has the ability to run queries on agent systems based on an alert trigger (e.g. list of logged-on users).
- The biggest challenge is the deployment of the Agent. It requires logging onto each system and running the install script manually. You need a GPO or a scriptable way to push the agent.
- We would like the ability to limit access to specific sensors for users that have been given access to AlienVault. Currently, if an analyst has access to AlienVault, they can see all data sources and logs.
- We saw a lot of false positive results in the beginning, requiring a bit of tuning to suppress some rules.
- There's no ability to suppress Vulnerabilities identified in the vulnerability scanning component.
- Anomaly Detection and Identification
- Digital Forensics/Incident Response
- Log Correlation and Built-in Attack Signatures
- Cloud Security Monitoring
- Would be nice to have better error messaging, specifically around credential failures.
- Large plugin base to accommodate different devices.
- Easy to deploy.
- Easy management.
- Makes network monitoring and actionable steps clear and simple.
- Updating the appliance to a newer version.
- More control over which devices will be allowed to log into a database and which ones that should just appear, so that the database will not get filled up quickly.
- Threat insight through OTX.
About AlienVault USM
AlienVault® Unified Security Management® (USM) delivers threat detection, incident response, and compliance management in one unified platform. It is designed to combine all the essential security capabilities needed for effective security monitoring across cloud and on-premises environments, including SIEM, intrusion detection, vulnerability management, as well as continuous threat intelligence updates. The vendor states that even for resource-limited IT security teams, AlienVault USM can be affordable, fast to deploy, and easy to use. It eliminates the need to deploy, integrate, and maintain multiple point solutions in the data center.
Smart, automated data collection & analysis: USM Anywhere automatically collects and analyzes data across the attack surface, helping to quickly gain centralized security visibility without the complexity of multiple disparate security technologies.
Automated threat detection powered by AT&T Alien Labs: With threat intelligence provided by AT&T Alien Labs, USM Anywhere is updated automatically to stay on top of evolving and emerging threats, so the security team can focus on responding to alerts.
Incident response orchestration with AlienApps: USM Anywhere supports a growing ecosystem of AlienApps, enabling the user to orchestrate and automate actions towards other security technologies, able to respond to incidents quickly and easily.