AlienVault USM is a really beneficial SIEM solution.
July 13, 2020


Anonymous | TrustRadius Reviewer
Score 9 out of 10
Vetted Review

Software Version

USM Anywhere (SaaS)

Overall Satisfaction with AlienVault USM

We use AlienVault USM internally in our Security Operations Centre as part of our detection and response capabilities. We use it to monitor our on-premise networks and devices, our cloud servers, and our cloud SaaS services. It gives us good visibility into our entire infrastructure and the events and alarms that we would otherwise miss.
We also implement and manage AlienVault USM deployments for clients as our recommended SIEM solution.
Pros

  • Ease of deployment and quick to get operating.
  • Wide range of plugins and log receivers to ingest logs from many sources.
  • Simple interface and dashboard make daily operation quick and easy.

Cons

  • Custom notification templates can be limited - it is not easy to get custom email alert content, for example.
  • Some network configuration on-premise is needed to take full advantage of NIDS (port/traffic mirroring, for example).
  • Vulnerability scanning and reporting can be a bit sparse if you are used to the likes of Nessus.
Darktrace - While also a fantastic product, its use case is slightly different from a SIEM, and we found that AlienVault's broad SIEM capabilities complemented Darktrace's focussed use case well.

CyberShark - Cloud SIEM solutions do not often allow full control of or access to the actual backend of the solution - you aren't able to customise alert rules and create custom correlations yourself, for example. As we have in-house skills to do this, we found AlienVault a better solution, giving us more control.
AlienVault is well suited to companies that use either Azure/Office 365 or GSuite, due to the built-in integrations that come with the product. It is easier to monitor all traffic on less complicated networks, which lets you take advantage of richer correlation of events.

While it works with fully on-premise deployments (Exchange, file server, etc.), additional configuration for log correlation and alerting will likely be needed. Also, for complex networks, getting the required port mirroring in place to ingest all network traffic can be difficult.