Reviews (1-25 of 287)
- Feature-rich: includes functionality not typically present in other SIEMs, such as vulnerability scanning, UEBA, file integrity monitoring, and NIDS.
- Simple to configure and deploy.
- Relatively inexpensive compared to other enterprise SIEM solutions.
- While there are many features, many of them are not very advanced. Vulnerability scanning as an example is extremely simplistic and almost unusable for an enterprise organization. It's just enough to get a program off the ground.
- Cloud-only deployment model (SaaS) may not fit all organizations. Not all organizations are "cloud friendly".
- Reporting capabilities out of the box are lackluster. Vulnerability management reporting, as an example, does not include a single canned report.
AlienVault USM is less appropriate for more mature organizations that have the staff to support more advanced security operational capabilities or engage in advanced threat hunting. It is also less appropriate for organizations that want more ability to add internally developed functionality to their SIEM through scripting or other automated response activities.
- AlienVault USM Anywhere is easy to deploy with their cloud-based model and deploying the required agents on-prem (or in the cloud) is quick and easy.
- Custom rules allow for alerting based on content from events and you can even trigger agents in response to threats, shutting down computers or grabbing forensic info for incident response.
- USM Anywhere also takes care of reporting for ISO and PCI, allowing you to pull reports for auditors at a moment’s notice.
- With many integrations out-of-the-box, you can pull in all the data from products you use and other sources, such as Amazon CloudWatch Logs.
- We would love to be able to create custom rules based on a series of events, to create rule-sets where, for example, failed logins to the VPN server are logged and then, when a successful attempt follows soon after, it triggers an alarm for a brute force. It does this for things like Okta already, so control over which events this applies to would be great.
- More data tiers - something between 250GB and 500GB tiers, maybe break it down into 100GB tiers?
- Integration with OpsGenie would be great.
- The integration setup for syslog forwarding and for native web apps partnered with the platform is very simple.
- Deploying sensors in cloud systems usually follows a pre-defined build flow for ease of sensor deployment and scaling.
- For perimeter defense, as long as your defended organizational structure uses Active Directory or another LDAP replication type service, vuln scanning and KIDS is a breeze.
- For highly distributed workforce issues, the system requires a lot of third-party integrations to collect data for automation.
- Customization can be lacking in areas without significant help from their support teams.
- Building rules for filtering, suppression, and custom alarms can be a steep learning curve, although this is slightly offset by their training offerings.
- Log analysis, both syslog and AWS CloudTrail, and searchability/reporting are actually better than most of our other related tools: all of our systems send log information using rsyslog to our AlienVault USM system. AlienVault is able to alert us of many issues with minimal configuration, including adding/removing users to sensitive groups, and creating or removing resources such as EBS volumes, S3 buckets, or security groups.
- AWS load balancer traffic/log analysis: AlienVault automatically identifies threatening IPs or entries that match suspicious traffic patterns.
- The ability to search the many logs AlienVault collects in a way that even novice users can follow is super valuable. Logs can be quickly sorted by source, log type, and/or keyword searches. There have been many occasions where we were able to find non-security related issues due to the simple yet advanced search abilities of AlienVault. This has led to the challenge of deciding when and how long to allow non-security personnel access for troubleshooting.
- AlienVault's lack of support for Docker may be its undoing at my company. It clearly stands above other products that fit our company, but we are adopting Docker at an ever-increasing rate. I don't want to support multiple security products, so it would be super cool if a solution to this challenge were found quickly.
- Enriching data is super key to allowing us to set up alerts for and filter events. This process is rather painful. This significantly increases the cost of maintaining AlienVault. Specifically, several auditd and standard AWS logs do not allow me to filter based on keywords in the message.
- Here is one example:
- User: arn:aws:sts::2#########:assumed-role/qe-lambda-role/qe-batch-run-dev-frontend_batch_runner is not authorized to perform: logs:CreateLogStream on resource: arn:aws:logs:us-east-1:#########:log-group:/aws/lambda/qe-batch-run-dev-frontend_batch_runner:log-stream:2019/05/30/[$LATEST]########################
- The ability to configure AlienVault to run security scans using SSH on systems is prohibitively difficult to use, especially when using a Bastion.
- Making OSSIM work is a huge pain. I could not find AlienVault documentation that covers how things work and how to properly integrate it.
It seems a bit poor at creating alarm filters that only trigger after "x" number of times. I know this can be done with escalation alerts. Keeping noisy alerts out of the UI is key to prevent alert fatigue in our more junior team members.
In general, AlienVault seems to be noisy. I'd like the ability to specify a group of users that can create security groups with sensitive ports exposed to the web, but I don't believe this is possible. I know how to do this per user. I don't believe groups are something we can specify.
Pen testing is not something that AlienVault does and I'm assuming that is intentional.
Network IDS isn't integrated into AlienVault or is very basic. I am assuming the plan would be to implement something like Tripwire and have logs from that system sent to AlienVault. Obviously, we would like it to do absolutely everything and do it very well :) That said, I highly doubt that is an option. If this can be done, please don't let me slow you down.
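Two of the requests above (the earlier review's wish for a "failed VPN logins followed by a success" brute-force rule, and this review's wish for alarms that only fire after "x" occurrences) are both forms of windowed event correlation. The following is an added example in Python, not AlienVault's rule syntax and not any reviewer's code; the log layout, host names, IP addresses, user names, thresholds and window are constructed for illustration:

```python
"""Windowed correlation over authentication log lines (added example).

Assumptions: a generic syslog-like VPN log format, a 5-failure threshold and a
5-minute window. None of this is AlienVault's own rule syntax or data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; addresses are from documentation ranges.
SAMPLE_LOGS = """\
2019-05-30T09:40:00Z vpn01 vpnd[412]: Failed login for alice from 203.0.113.7
2019-05-30T10:00:01Z vpn01 vpnd[412]: Failed login for alice from 203.0.113.7
2019-05-30T10:00:02Z vpn01 vpnd[412]: Failed login for alice from 203.0.113.7
2019-05-30T10:00:03Z vpn01 vpnd[412]: Failed login for alice from 203.0.113.7
2019-05-30T10:00:04Z vpn01 vpnd[412]: Failed login for alice from 203.0.113.7
2019-05-30T10:00:05Z vpn01 vpnd[412]: Failed login for alice from 203.0.113.7
2019-05-30T10:00:30Z vpn01 vpnd[412]: Accepted login for alice from 203.0.113.7
2019-05-30T10:01:00Z vpn01 vpnd[412]: Failed login for bob from 198.51.100.9
2019-05-30T10:01:05Z vpn01 vpnd[412]: Failed login for bob from 198.51.100.9
2019-05-30T10:01:20Z vpn01 vpnd[412]: Accepted login for bob from 198.51.100.9
2019-05-30T10:02:00Z vpn01 vpnd[412]: Failed login for root from 192.0.2.44
2019-05-30T10:02:01Z vpn01 vpnd[412]: Failed login for admin from 192.0.2.44
2019-05-30T10:02:02Z vpn01 vpnd[412]: Failed login for test from 192.0.2.44
2019-05-30T10:02:03Z vpn01 vpnd[412]: Failed login for guest from 192.0.2.44
2019-05-30T10:02:04Z vpn01 vpnd[412]: Failed login for oracle from 192.0.2.44
2019-05-30T10:02:05Z vpn01 vpnd[412]: Failed login for postgres from 192.0.2.44
"""

# Assumed line layout: "<ISO-8601 ts> <host> vpnd[pid]: <Failed|Accepted> login for <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) vpnd\[\d+\]: "
    r"(?P<result>Failed|Accepted) login for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_events(text):
    """Parse log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def brute_force_alarms(events, threshold=5, window=timedelta(minutes=5)):
    """Sequence rule: alarm when >= threshold failures from one source are
    followed by a successful login from that same source inside the window."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alarms = []
    for ev in events:
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alarms.append({"src": ev["src"], "user": ev["user"],
                           "failures": len(q), "ts": ev["ts"]})
            q.clear()  # one alarm per burst, not one per subsequent success
    return alarms


def threshold_alarms(events, threshold=5, window=timedelta(minutes=5)):
    """Count rule: alarm only on the Nth failure from a source inside the
    window, so isolated failed logins never reach the console."""
    counts = defaultdict(deque)
    alarms = []
    for ev in events:
        if ev["result"] != "Failed":
            continue
        q = counts[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        q.append(ev["ts"])
        if len(q) == threshold:
            alarms.append({"src": ev["src"], "count": threshold, "ts": ev["ts"]})
            q.clear()  # reset so the next N failures raise one alarm, not N
    return alarms


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    for a in brute_force_alarms(evs):
        print("BRUTE FORCE FOLLOWED BY SUCCESS:", a)
    for a in threshold_alarms(evs):
        print("FAILED LOGIN THRESHOLD REACHED:", a)
```

On the constructed input, the sequence rule fires once (203.0.113.7, five failures then a success) and ignores bob's two failures, while the count rule fires twice (203.0.113.7 and 192.0.2.44) and stays silent on the lone 09:40 failure that fell outside the window. Clearing the per-source queue after each alarm is what keeps a sustained attack from producing one alarm per event.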
- The integrations are very end-user friendly.
- The user interface is fairly intuitive.
- The PCI reports are extremely time-saving.
- The cross-platform compatibility makes hybrid environment management much easier.
- The "Agent" has caused many problems in our environment.
- The AlienVault server seems to get overwhelmed quickly and could use an option for greater scaling for larger installations.
- The documentation is often lacking on details. The documentation often covers what specific steps to take but does not cover why or how certain items work.
- The user interface is missing many features for bulk/large-scale operations. Such as the ability to close more than one page of alarms at once.
- The "report false positive" does not provide a way to easily remove items so they still show up in audits.
- There is no way to reconfigure many checks to avoid false positives.
- The system lacks transparency for many security or infrastructure operations.
- Deployment with the sensors for USM Anywhere.
- Responsive UI
- Alien Apps
- Agents offline
- Easier agent deployment on host.
- Quicker response from engineers and not just send engineers a document for the fix.
- VMware sensor deployment is very easy.
- Dashboards are nice and clean.
- Network monitoring and Syslog collector just work.
- USM Anywhere does not support Netflow or any variation. SPAN and RSPAN are currently the only methods to monitor IP flows.
- USM Anywhere tech support is lackluster. I have opened two tickets and struggled to receive knowledgeable technical assistance.
- USM Anywhere does not do scheduled report delivery in any format. Reports are run on demand and must be printed to PDF for distribution.
- FIM with limits.
- Vulnerability scans (with agents installed as opposed to "NXLog").
- Need to be able to comment on issues flagged by AlienVault so that other users may know what has been done for triage.
- Single pane of glass, need to have a shared dashboard that is customizable.
The ability to comment on issues within the application is rather important as now I can 'label' an issue and assign to myself or others but cannot include what steps have been taken thus far. That means a separate email communication is necessary.
Production systems are monitored using agents and a sensor.
- Effective correlation of various log sources to provide useful alerts.
- An agent provides detailed logs of events on every system, be it Windows, Linux, or macOS, to the point that you do not have to log in to each machine to review security logs.
- Provides auto detection of log sources and effective mapping of the log data to key fields.
- Pre-built alerts allow AlienVault to be effective right away. There's no need to spend days creating alerts for it to be usable.
- Has powerful search capabilities once the logs are in AlienVault.
- Has the ability to run queries on agent systems based on an alert trigger (e.g. list of logged-on users).
- The biggest challenge is the deployment of the Agent. It requires logging onto each system and running the install script manually. You need a GPO or a scriptable way to push the agent.
- We would like the ability to limit access to specific sensors for users that have been given access to AlienVault. Currently, if an analyst has access to AlienVault, they can see all data sources and logs.
- We saw a lot of false positive results in the beginning, requiring a bit of tuning to suppress some rules.
- There's no ability to suppress Vulnerabilities identified in the vulnerability scanning component.
- Anomaly Detection and Identification
- Digital Forensics/Incident Response
- Log Correlation and Built-in Attack Signatures
- Cloud Security Monitoring
- Would be nice to have better error messaging, specifically around credential failures.
- Large plugin base to accommodate different devices.
- Easy to deploy.
- Easy management.
- Makes network monitoring and actionable steps clear and simple.
- Updating the appliance to a newer version.
- More control over which devices will be allowed to log into a database and which ones that should just appear, so that the database will not get filled up quickly.
- Threat insight through OTX.
- AlienVault USM helps our IT staff stay on top of patches.
- AlienVault USM makes it easier for our IT staff to track down vulnerabilities.
- AlienVault USM provides steps to correct any vulnerabilities that may arise.
- AlienVault's staff were very helpful in setting up their product on our network. There was plenty of opportunity for training.
- AlienVault USM can be cumbersome for a small IT staff to manage. We still use AlienVault USM but now pay a third party to help us manage it.
- Risk analysis is accurate. Cloud-based rule update means less hassle.
- Integrated plugins help centralize log/alert into one system.
- Filter/suppress rules are very easy to set. Easy to fit to our current traffic pattern.
- It's a pain to check each individual alert for detail, I wish there was a popup window or something similar to quickly go through each unusual alert.
- The UI seems not that efficient, and a little bit slow in my opinion.
- I wish we had a Kibana-like quick search criteria change function, click and go.
- Vulnerability assessment is very good. Especially with the software on servers and workstations.
- Event correlation has helped tremendously by centralizing all the data into one feed that we can filter easily.
- Support, training, and implementation were top notch. Very helpful people who answered questions clearly and concisely.
- For a company that is on the smaller side as far as the number of employees and computer systems, the storage available in our tier could get eaten up quite quickly. It wasn't that easy for us to know where to go from a storage tier startup standpoint.
- Lots of built-in out of the box functionality.
- Easily satisfies several PCI DSS requirements.
- Event logging is easy to navigate and presented well.
- Initial setup is quite tedious.
- Network setup for IDS caused us to bring our network down a couple of times.
- Reports aren't very good.
- Report suspicious network activity.
- Display all threats in a nice dashboard.
- Notify me of what other people have encountered with "Pulses."
- Make initial setup easier.
- Make their certification test not so ridiculously tedious with oddly specific questions.
- Provide better remediation steps.
Not well suited: for people who expect an easy plug-and-play solution.
- AlienVault is very customizable. We can set up many built-in rules and alerts which saves time but can also be extremely granular to properly scan our unique network.
- Great technical support. When I need assistance setting up a new sensor or target scan, AlienVault engineers are there to assist and get me on track.
- Although the interface shows a lot of development and thought put into it, there are some buggy issues at times with simple form submission and web navigation.
- Initially setting up AlienVault in our environment was challenging and there was a lack of support around the "hardware level", meaning our VMware environment.
- Ability to tune alarms and events to your liking. Very easy to get rid of false positives that are known in your environment, and create actionable alerts for legitimate alerts.
- The simplicity of the dashboard. Everything within AlienVault USM Anywhere is easy to navigate and configure. From sorting logs to creating new users, the layout is natural and easy to figure out.
- The Architecture of the SaaS deployment went smoothly and is very simple and expandable. Very little to worry about on our side with great results.
- Support response time and incident handling have some room to improve. We had major issues with a sensor, and it took several days to get a response. Once we got a response the issue was corrected, it just took a while to get our engineer on the phone.
- Small bugs in the way that the syslog packets are read and normalized. Reading the time in the packet wrong has been the biggest issue we have found so far that is without a solution.
- Complicated architecture to fully use the product. Requiring port mirroring to use the IDS portion of AlienVault is quite challenging when dealing with a large network size and diverse locations such as ours.
- It is good at doing internal scans of end-user devices to find vulnerabilities without the need of installing an agent or client on each device.
- It is good at being a log server. A place to send logs for all of your networking devices, such as switches, firewalls, and other solutions that accept log servers.
- Its ability to collect logs from Barracuda solutions needs heavy improvement. How it collects and organizes the data isn't very useful.
- The end device client, which is optional and can be installed on any device you want to collect more data from, has compatibility issues with quite a few products we use, and anti-virus software in particular doesn't like it. We have also had some performance issues with devices the client is installed on.
- The way collected data from all devices and locations is presented to the user in the web portal is not as user-friendly or as clean as it could be. It tends to show too much useless data and too many categories, making it easy to miss the important parts.
Our environment is complex and stretched across many physical offices. This limited how we were able to use AlienVault. We are not currently able to use or enable all of its features. In a simple network infrastructure, AlienVault would do much better.
Note that the cost of the AlienVault product itself will most likely not be your only costs. It will require your network engineer(s) to spend multiple hours configuring or re-configuring your infrastructure to make some of its features work, such as mirror ports and virtual hosts to collect all network traffic from your core.
For instance, our firewall solutions do a much better job at logging and providing real-time alerts of issues and attacks. Our SLA monitoring solutions provide uptime and performance monitoring that is outside the scope of features for AlienVault.
- AWS integration.
- Google integration.
- Asset grouping.
- Incident-automation with ServiceNow.
- Knowing software versions and asset information, we should be able to know the vulnerabilities as they come out without having to rescan the inventory. A rescan could be done to validate the info is still true (about versions and stuff), but instead of va-scan being the vulnerability "informer", you could check when a new vulnerability comes out - if we had this software/service configured somewhere.
- Malware protection? I'm honestly not sure as there's not a lot that AlienVault doesn't do :)
- AlienVault USM Anywhere has very strong documentation. They really do not try to push professional services but really offer you the opportunity to try and buy the product and work through the documentation to implement on your network.
- AlienVault USM's dashboard is easy to use, highly customizable and quick to report (without issues) any of the parameters you set up. The dashboard is intuitive and responsive!
- AlienVault USM Anywhere is easy to scale and deploy. Its soft license platform allows you to deploy additional agents and secure elements of your network at close to a moment's notice!
- AlienVault's Dashboard is very strong but does take some time getting used to and customizing. The reporting functions and proactive reporting is a great tool but takes plenty of time to learn and get right. It could be difficult but if there was some out of the box wizard engine that could get some reports up and running fast it would be helpful.
- It would be great to see the USM product compare against other similar environments or industry benchmarks to notify us even if we do not have the threat to our network. It would be a huge value added to understand how, why and where other networks that are part of the USM family are hit.
- Access to the cold storage of logs for AlienVault is a bit confusing. It would be a huge addition if we could dump all the logs locally and have an easier searching tool for such logs. It seems it is not just AlienVault but most companies now want them to use their storage, not local.
About AlienVault USM
AlienVault USM Anywhere is a cloud-based security management solution that promises to accelerate and centralize threat detection, incident response, and compliance management for cloud, hybrid cloud, and on-premises environments. The vendor says that USM Anywhere includes purpose-built cloud sensors that natively monitor your Amazon Web Services (AWS) and Microsoft Azure cloud environments. On premises, lightweight virtual sensors run on Microsoft Hyper-V and VMware ESXi to monitor your virtual private cloud and physical IT infrastructure.
USM Anywhere aims to help you rapidly deploy sensors into your cloud and on-premises environments while centrally managing data collection, security analysis, and threat detection from the AlienVault Secure Cloud.
Five Essential Security Capabilities in a Single SaaS Platform
AlienVault says that USM Anywhere provides five essential security capabilities, giving you everything you need for threat detection, incident response, and compliance management, within one platform. With USM Anywhere, you can focus on finding and responding to threats, not managing software. USM Anywhere can readily scale to meet your threat detection needs as your hybrid cloud environment changes and grows.
- Asset Discovery
- Vulnerability Assessment
- Intrusion Detection
- Behavioral Monitoring