The most valuable features are flexible setup of the architecture and large coverage of devices. Most devices deployed in enterprise environments are covered out-of-the-box by ArcSight. Unlike a few other solutions, the last-mile connectivity with ArcSight agent servers is free and flexible across all location deployments.
I have implemented it for a few organizations and they have benefited by early attack detection and usage of the right incident response mechanisms.
I would like to see high-end, predictive analytics. ArcSight ESM has some features that help in advanced correlation rules creation. However, intelligence around predictive analytics, understanding the current security posture and ability to map it with possible threats in the future is not something that is present in ArcSight at the moment.
We’ve been using ArcSight for 3 years.
I have not had any issues with stability.
I have not had any issues with scalability.
I have never used technical support much, but will give it 3/5.
The connectors are straightforward. The baselining is where the issues start.
Licensing is straightforward, but the solution is fairly pricey.
We looked at QRadar and LogRhythm.
Ensure your scope is very clear and so are the components.
