AlienVault USM for Investigation Efficiency
March 12, 2020

AlienVault USM for Investigation Efficiency

Anonymous | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Software Version

USM Anywhere (SaaS)

Overall Satisfaction with AlienVault USM

AlienVault USM is used by the Cyber Security Team of the company as a SIEM. Basically we use it for our investigation by utilizing the events and alarms section. AlienVault is actually easy to use and understand. It helps in making the investigation process a lot more efficient. It also provides Threat Intelligence that helps identify which of the alarms we should prioritize.
  • AlienVault offers Rule Creation which helps in testing out new implementations such as alarm suppression, event suppression, etc.
  • AlienVault is easy to navigate. At first, I was kinda confused watching my teammates use it but the more I spend my time with AlienVault the more I appreciate its features.
  • For me, I really appreciate the filters. I can filter out events specifically, which reduces time spent on looking for a particular event.
  • I think adding multiple events in the investigation would really help.
  • When opening an alarm, I hope we could just open the events on another tab directly.
In terms of user-friendliness and overall navigation, I think AlienVault USM has the advantage. Also, AlienVault USM provides its own threat intelligence and then integrates it into its SEIM, which is a very helpful feature.
Some alarms from the AlienVault NIDS still lack the information we need to fully identify whether or not the alarm is a legitimate attack or not. I'm not sure but it would help if we are able to see events prior and after the alarm to at least have an idea of what's going on. Also, the associated events really helps, but it doesn't consider all the events related to that particular alarm. Although I understand that it's impossible to do that but it would be best if we can be redirected to the events page where all the associated events are included as well as the events prior and after those for a specific amount of time. Since once we deal with a very large number of events, it's kind of hard to investigate since all we can see are the event names. (Customizing the columns is sometimes forgotten.)