A solid SIEM choice for those of us without dedicated SOCs and multiple hats.
October 24, 2019

Anonymous | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Software Version

USM Anywhere (SaaS)

Overall Satisfaction with AlienVault USM

We're using the USM product as its intended use case of a SIEM. Sensors are deployed into our hybrid cloud at various points and push logs to the USM dashboard. With our MSSP monitoring, AlienVault USM meets our needs of 24/7 security monitoring.

  • It is easy to deploy and get logs into the dashboard.
  • Integration with Office 365 is pretty seamless and provides great context.
  • Super easy to increase storage tiers if you find yourself adding more and more log sources.
  • USM Anywhere doesn't allow you to multi-home sensors. So if you have non-routable networks, you'll need to investigate the on-premise solution too.
  • You have to be on top of tuning, or else a constant stream of alerts will cause your SOC staff to begin ignoring alarms.
  • You have to be on top of tuning, or else you'll eat your allotment of storage for that month. It is really easy to exceed your storage quota if you don't proactively monitor log sources. USM could do a better job letting you know if a log source is too chatty.

Splunk's ES is a paid add-on on top of an already pricey product. Finding an MSSP that supports Splunk and isn't a 6 figure annual commitment seems unlikely.

LogRhythm did not have a cloud-based solution when we were considering SIEMs. Fantastic product though, and they have a good MSSP base.

Devo did not have an MSSP partner base when we looked. Their product is fantastic too.

AlienVault USM has good partners to choose from as well as an affordable cloud model, that's why we chose it.
I don't believe AlienVault USM's OTX threat feed is best of breed or anything like that. The feed is useful though, and there are big names in the security world that contribute. So I find value in how well OTX is built into USM.

AlienVault USM has reduced the amount of review we were conducting on a daily basis without sacrificing monitoring. It allows me to better understand the threat posture of our infrastructure as well. SIEMs are only as good as their content. Since AlienVault USM comes with decent content out of the box, it actively reduces your workload from the minute it is deployed. It isn't a silver bullet and it requires feeding and care. Unlike other tools, you will continue to increase its value with time spent in it.

AlienVault USM is a good SIEM product for shops that don't have dedicated content creators. If your log source volume is at the TB level on a daily basis, it's not for you. However, if you are on a TB level at the monthly level then it's worth looking into. The AT&T purchase has seen a good bit of new development being put into the product around investigation frameworks and integrations. We've gone to a TB tier and have renewed our subscription.
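The reviewer's point about chatty log sources silently eating the monthly storage quota is one any SIEM operator can check for themselves, independent of the vendor. The script below is an added example, not part of the review and not AlienVault/USM code: it takes per-source ingest records in a constructed `timestamp source=... bytes=...` format (USM does not emit this format; a real deployment would export ingest volume from whatever the platform exposes), projects the observed volume to a full month, and flags sources whose projected share of a hypothetical byte quota crosses a threshold. The quota and the sample figures are deliberately small placeholders.

```python
from collections import defaultdict

# Constructed sample ingest records (NOT real USM output): timestamp, source, bytes.
SAMPLE_LINES = """
2019-10-01T00:00:05Z source=firewall bytes=2000000
2019-10-01T06:30:00Z source=office365 bytes=600000
2019-10-01T12:00:00Z source=firewall bytes=2500000
2019-10-02T01:15:00Z source=dns bytes=200000
2019-10-02T09:00:00Z source=firewall bytes=1500000
2019-10-02T18:45:00Z source=office365 bytes=400000
""".strip().splitlines()

# Hypothetical monthly quota in bytes (100 MB) so the sample numbers exceed it.
SAMPLE_QUOTA_BYTES = 100_000_000


def parse_line(line):
    """Parse one 'ts key=value ...' record into a dict with date, source, bytes."""
    ts, *kv = line.split()
    fields = dict(token.split("=", 1) for token in kv)
    return {"date": ts[:10], "source": fields["source"], "bytes": int(fields["bytes"])}


def parse_lines(lines):
    """Parse all non-empty lines."""
    return [parse_line(line) for line in lines if line.strip()]


def volume_by_source(records):
    """Total observed bytes per log source."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec["source"]] += rec["bytes"]
    return dict(totals)


def days_observed(records):
    """Number of distinct calendar days covered by the records."""
    return len({rec["date"] for rec in records})


def project_monthly(records, days_in_month=30):
    """Scale each source's observed volume to a full month of days_in_month days."""
    days = days_observed(records)
    if days == 0:
        return {}
    return {src: total * days_in_month / days
            for src, total in volume_by_source(records).items()}


def quota_report(records, quota_bytes, days_in_month=30, share_threshold=0.5):
    """Project monthly ingest against the quota and list sources that dominate it.

    A source is 'chatty' when its projected volume alone is at least
    share_threshold of the quota; the list is sorted largest first.
    """
    projection = project_monthly(records, days_in_month)
    total = sum(projection.values())
    chatty = sorted(
        (src for src, vol in projection.items() if vol / quota_bytes >= share_threshold),
        key=lambda src: projection[src],
        reverse=True,
    )
    return {
        "projected_total_bytes": total,
        "over_quota": total > quota_bytes,
        "projection": projection,
        "chatty_sources": chatty,
    }


if __name__ == "__main__":
    report = quota_report(parse_lines(SAMPLE_LINES), SAMPLE_QUOTA_BYTES)
    for src, vol in sorted(report["projection"].items(), key=lambda kv: -kv[1]):
        print(f"{src:<12} projected {vol / 1e6:8.1f} MB/month")
    print("over quota:", report["over_quota"])
    print("chatty sources:", ", ".join(report["chatty_sources"]) or "none")
```

Run on the constructed sample, the firewall source alone projects to 90% of the placeholder quota and the total lands over it, which is exactly the situation the reviewer describes; running a check like this daily against real ingest figures turns the surprise overage into an early warning and a tuning target.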