We use the product for everything. It serves as our company's management platform, handling our tech needs, block systems, alerts, custom rules, triggered events, analytics, investigations, incident closures, case creations, whitelists, and various other tasks.
Cybersecurity Infrastructure at VaporVM
Provides more granular data compared to solutions like Azure or Splunk
Pros and Cons
- "We utilize ArcSight ESM for real-time threat detection in our organization. We have custom rules that we've developed on top of the WAN services, along with scheduled licensing activities."
- "We have pricing issues. ArcSight ESM may not be the most user-friendly option, and its interface is quite traditional. However, despite these aspects, we find it a good cybersecurity solution. It needs to improve the dashboards, documentation, and support as well."
What is our primary use case?
We utilize ArcSight ESM for real-time threat detection in our organization. We have custom rules that we've developed on top of the WAN services, along with scheduled licensing activities.
What is most valuable?
It provides more granular data compared to solutions like Azure or Splunk. While ArcSight ESM may be considered less user-friendly, it offers a high level of customization, allowing for configuration and adaptation to specific use cases, especially regarding alerting and incident response.
Its integrations are working well. Though I haven't used the solution for an extended period, it seems highly customizable. This level of customization is not commonly found in many solutions. While solutions like Kubernetes offer a variety of apps through app extensions, it allows users to build their features to a considerable extent.
What needs improvement?
We have pricing issues. ArcSight ESM may not be the most user-friendly option, and its interface is quite traditional. However, despite these aspects, we find it a good cybersecurity solution. It needs to improve the dashboards, documentation, and support as well.
The documentation and community support for ArcSight ESM is not as strong as other solutions. Finding resources and analysts who have experience with ArcSight can be challenging. The solution is less user-friendly than alternatives like Splunk, QRadar, or Sentinel. The technical nature of ArcSight may make analysts hesitant to dive into it, contributing to a steeper learning curve.
For how long have I used the solution?
I have been using the product for two months.
What do I think about the stability of the solution?
During the pandemic, there were challenges related to stability, particularly with the discrepancy in events being pulled in. The issue was attributed to connectors, and there were problems with certificates that needed updating. As a result, events were regularly stopped by these connectors. I rate the tool's stability a seven out of ten.
What do I think about the scalability of the solution?
The solution is scalable. My company has 20 users.
How are customer service and support?
I haven't contacted the tool's technical support yet.
What other advice do I have?
I would recommend ArcSight ESM to others depending on the organization's size and specific requirements. For larger organizations, I might not recommend it, but for SMEs, it could be a suitable choice. If it meets your organization's specific use cases and requirements, and if you can ensure that you have resources trained to work with it, then it could be a suitable choice.
I rate the overall product a seven out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Mar 13, 2024
Consultant at Libero
Powerful and comprehensive program but complex and cumbersome for non-experts
Pros and Cons
- "ArcSight ESM allows us to find if someone is doing an administrative operation at inappropriate times of day or trying to do something they're not allowed to."
- "ArcSight ESM's UI is a little cumbersome and complex, especially for first-time and occasional users using the console manager."
What is our primary use case?
I primarily use ArcSight ESM for security and network monitoring. We are dealing with Active Directory, so we use ArcSight ESM to track the actions administrators take on accounts, like disabling and enabling accounts or accounts going expired and why.
How has it helped my organization?
ArcSight ESM allows us to track the logging of our customers or providers through VPN to a security middleware that tracks and allows them to access backend resources. In this way, we can find if someone is doing an administrative operation at inappropriate times of day or trying to do something they're not allowed to.
What needs improvement?
ArcSight ESM's UI is a little cumbersome and complex, especially for first-time and occasional users using the console manager. It's also a very complex product, and new users will require assistance from someone expert to avoid making errors.
For how long have I used the solution?
I've been using ArcSight ESM for three years.
What do I think about the stability of the solution?
ArcSight ESM is stable, except when you're doing very complex correlations, but that's a problem common to all products in this area.
What do I think about the scalability of the solution?
We have not had any problems with ArcSight ESM's scalability.
How are customer service and support?
ArcSight's technical support is very good.
How was the initial setup?
The initial setup was not so easy as it's a very technical product, and anybody who doesn't have a lot of technical knowledge will probably find it difficult to set up. It's important to have a clear understanding of your goals when setting up all the infrastructure, as ESM is so complex. The deployment took around an hour or two.
What about the implementation team?
We used a provider team.
What other advice do I have?
ArcSight ESM is a very powerful platform, but you have to be careful in designing rules and defining an initial set of targets because otherwise, you could end up with high costs or a hugely demanding setup. I would rate ArcSight ESM seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Cyber Security Analyst at a tech services company with 10,001+ employees
It allows for easy log analysis as well as correlation and alerting.
What is most valuable?
- Logger
- Command Center
How has it helped my organization?
The ArcSight ESM allows for easy log analysis as well as correlation and alerting. Logger is an indexed database which allows for faster, historical searching. The versatility to use SQL queries is helpful.
What needs improvement?
There are some limitations on the functionality of Rules that I would like to see expanded. I would like to see some better support options in the ArcSight community for HP Protect. Unless someone in your organization is an ArcSight SME, you are going to have a difficult time getting answers.
For how long have I used the solution?
I've used it for two years.
What was my experience with deployment of the solution?
There were no issues with the deployment.
What do I think about the stability of the solution?
We've not had any issues with the stability.
What do I think about the scalability of the solution?
We've had no issues scaling it for our needs.
How are customer service and technical support?
I would give it 3/10. A lot of the support is community based. That strategy can work, but the answers are sometimes incomplete, incorrect, and can take a long time to get.
Which solution did I use previously and why did I switch?
I have used QRadar and Splunk. Both have great functionality that makes them easy to use, but ArcSight has a very consistent layout and its logic is easy to figure out.
How was the initial setup?
I was not involved in the setup.
What's my experience with pricing, setup cost, and licensing?
I'm not involved in pricing or licensing.
What other advice do I have?
It's a well-rounded product, especially with the addition of Logger and Command Center. I felt it was easy to understand and use right from the start. There are some companies that do not take advantage of everything ArcSight can offer. That is a problem I think ArcSight can fix with better support alternatives.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cyber Security HP Arcsight Dev Ops Lead Developer with 10,001+ employees
The CORR engine and ability to build complex correlations from simple 'building blocks' are the most valuable features for us.
What is most valuable?
The real-time correlation (CORR) engine and the ability to build complex correlations from simple 'building blocks', provided the base 'building blocks' are well thought out in the first place, are the most valuable features for us.
How has it helped my organization?
The ways in which it's improved our organization are too numerous to mention. But you have to have good, steady resources and well worked-out use cases. ArcSight can report on many things and save on repetitious daily monitoring.
What needs improvement?
There are a lot of improvements that need to be made, too many to mention all of them, but some improvements to the Con App would be a good start.
For how long have I used the solution?
We've used it for over eight years.
What was my experience with deployment of the solution?
We did have issues at the start, but this comes down to having good HP ArcSight architects to start with, which we didn't when the project started.
What do I think about the stability of the solution?
We did have issues at the start, but this comes down to having good HP ArcSight architects to start with, which we didn't when the project started.
What do I think about the scalability of the solution?
We did have issues at the start, but this comes down to having good HP ArcSight architects to start with, which we didn't when the project started.
How are customer service and technical support?
With HP themselves, they need a lot of pushing to get them to get seriously involved with issues, given that they are paid a lot of money to provide support and deliver top SLAs.
Which solution did I use previously and why did I switch?
We mainly use HP ArcSight, but also Splunk. I didn't have a say in making the choices.
How was the initial setup?
The initial setup was fairly straightforward, but the overall architecture planning needs seasoned professionals who understand what ArcSight is and how it needs to be deployed.
What about the implementation team?
The installation had already been implemented by an HP subsidiary that was fairly good when performing the installation. Despite that, they did a poor job of implementing the hardware.
What's my experience with pricing, setup cost, and licensing?
The HP products are expensive.
What other advice do I have?
It's a fantastic product and highly configurable, but it needs nothing less than a seasoned cyber security professional with serious engineering expertise and a real desire to provide meaningful use cases. Anyone that says ArcSight is 'fire and forget' should not be allowed to work in cyber security!
If you want Arcsight implemented correctly, start by sizing your organization, and looking at data flows and the available data streams. Be mindful of regulatory and compliance reporting, Risk and Legal as well, as you may need to factor in any and all of these when working with enterprise solutions.
Disclosure: My company has a business relationship with this vendor other than being a customer: We have a business relationship in place with HP.
Security Engineer at Billie
Can write queries fast but visualization isn't good
Pros and Cons
- "On the positive side, ArcSight ESM's performance was excellent. It was very fast when writing queries. It provided good performance monitoring and had built-in rules to show which rules triggered most often and impacted performance. This performance monitoring was well-implemented."
- "I faced some problems implementing certain attacks, which was my biggest concern. The visualization wasn't very good, and I couldn't create good monitoring dashboards."
What is our primary use case?
I use the solution to implement detection rules based on attack scenarios.
What is most valuable?
On the positive side, ArcSight ESM's performance was excellent. It was very fast when writing queries. It provided good performance monitoring and had built-in rules to show which rules triggered most often and impacted performance. This performance monitoring was well-implemented.
What needs improvement?
I faced some problems implementing certain attacks, which was my biggest concern. The visualization wasn't very good, and I couldn't create good monitoring dashboards.
For how long have I used the solution?
I have been working with the product for a year.
How are customer service and support?
The tool's support is one of its best parts.
How would you rate customer service and support?
Positive
How was the initial setup?
I wasn't involved in the initial setup and deployment of ArcSight ESM, as it had already been implemented when I joined the company. I worked on implementing dashboards and detection rules. The rule categorization was good and had a good alert system when rules were triggered.
What's my experience with pricing, setup cost, and licensing?
Price-wise, ArcSight ESM was a bit high compared to competitors, which factored into our decision to switch to Splunk. It couldn't cover all our business needs for what we wanted to implement.
What other advice do I have?
I rate the overall solution a five out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Sep 9, 2024
IT Security Manager at a tech services company with 10,001+ employees
A robust solution that helps us with our internal log and threat analysis
Pros and Cons
- "It is a robust product and has multiple valuable features."
- "The dashboard looks a bit cumbersome."
What is our primary use case?
We use it for our internal and vendor daily base of log analysis and threat analysis.
What is most valuable?
It is a robust product and has multiple valuable features. For example, it has robust threat intelligence built into its customization and great templates that provide ease of use.
What needs improvement?
The dashboard looks a bit cumbersome with the current version. They should work on the dashboard and optimize their integration which currently lags with devices of reputed vendors. So, having these custom integrators sometimes works and sometimes doesn't.
For how long have I used the solution?
We have been using this solution for almost ten years. It is deployed on private cloud.
What do I think about the stability of the solution?
We haven't experienced any stability challenges. It works if we get enough hardware and software provisions for the vendor recommendation.
What do I think about the scalability of the solution?
On-premises is a challenge to scale, and we haven't tried the cloud but we've heard it's quite scalable and robust.
How are customer service and support?
We do not use technical support that often. They are very good, but they should train their L1-level support. Overall, they're a good strong team.
How was the initial setup?
The setup is neither easy nor difficult and depends on the expertise. It requires really good expertise to build from scratch. The setup itself is not a big hassle, and in a week, the system is up and running, but the main challenge is the integration. We keep integrating, and with the password of the integrated direct, it's fine.
What's my experience with pricing, setup cost, and licensing?
It is a licensed product.
What other advice do I have?
I rate this solution an eight out of ten in terms of the inbuilt features and how it has grown into a strong solution over the years. The team has done an excellent job with the features, integrations, and compatibility.
Regarding advice, I think the assessment on currently sizing the product to their need is key. It's an expensive product, so sizing is the most important choice. In addition, I believe moving to cloud has more robust integration features. They are building new custom solutions that can be integrated with ESM for better analysis.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Lead Splunk Architect at a financial services firm with 10,001+ employees
CEF log formatting helps with combining events from different sources. It can be quite complicated for the "non-IT" user.
What is most valuable?
Correlation and data normalization via CEF: The speed of ArcSight's correlation engine, together with data enrichment, makes it a great tool for exploring vast amounts of data. Other SIEM tools have a hard time giving the same results at the same speed. Also, thanks to CEF log formatting, combining events from different sources takes minimal effort. Whereas, setting up that normalisation on other SIEM competitors could take countless hours.
What needs improvement?
Ease of use, access and simplicity: HPE ArcSight makes it hard to capitalize on reports without the use of the console. Other SIEM tools have made it clear that event correlation results can be used not only to send out alerts, but also to provide easily accessible results to management.
ArcSight can be quite complicated to use for the "non-IT" user. In terms of "ease of use", access and simplicity, HPE could do a better job, since customers acquiring the product should be spending more time on implementing use cases than on understanding the product and the console organization.
Also, in terms of installation, we are no longer in an era where installing a product should be a laborious process. Instead, it should be simple and fast.
Also, when it comes to data onboarding, managing ArcSight connectors in a multi-technology environment, there is no simple way to guarantee that data parsing is happening properly.
Finally, having simple-to-set-up, multi-site high availability, in contrast to single-site HA, would be very welcome.
For how long have I used the solution?
I’ve been using ArcSight for three years.
What do I think about the stability of the solution?
We have had some issues on the SmartConnector layer, since not all parsers provide perfect results (especially in the case of proxy data). Also, there have been some issues on the HA modules, since HA works sort of like a local rsync (no remote HA).
What do I think about the scalability of the solution?
No scalability issues have been encountered so far. ArcSight's architecture is very scalable, especially when set up in a layered architecture.
How are customer service and technical support?
Support is slow and doesn't always have the required skill set to solve the issues.
Which solution did I use previously and why did I switch?
We did not have a previous solution.
How was the initial setup?
Initial setup was very complex. Any modification to the OS prior to ESM installation may cause errors in installation. Most errors aren't explicit and require a lot of time, effort and sometimes PS help to solve.
What's my experience with pricing, setup cost, and licensing?
Price is fair compared to other SIEMs (Splunk, QRadar, etc.). It's not the go-to product if you are looking for something cheap. Go for ArcSight, if it provides specific features that your IS requires.
Which other solutions did I evaluate?
Before ArcSight, we looked at QRadar and Splunk.
What other advice do I have?
My first advice is "be patient". It takes a lot of time to deploy an ArcSight infrastructure, but the result is worth it. Technically, it’s a very powerful tool. It would be worth it to take the time to learn some of the hidden features.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
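The CEF normalization praised in the review above, and the "administrative operation at inappropriate times of day" detection described in the Consultant's review earlier on this page, as an added example that is not ArcSight code and not from any reviewer: a small CEF parser that handles the header and extension escaping rules, followed by a rule that flags account-admin events received outside business hours. The sample log lines, the "Acme" VPN vendor, the IP addresses and the Windows event IDs in ADMIN_EVENT_IDS are constructed assumptions for this illustration.

```python
import re
from datetime import datetime, timezone

# The seven pipe-delimited CEF header fields, in order (the first carries "CEF:<version>").
CEF_HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                     "signature_id", "name", "severity")
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # extension key followed by an unescaped "="
ADMIN_EVENT_IDS = {"4725", "4722", "4726"}  # Windows account disabled/enabled/deleted (assumed)

def _split_header(text):
    """Consume the seven header fields, honouring the CEF escapes '\\|' and '\\\\'."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch, i = text[i], i + 1
        if ch == "\\" and i < len(text) and text[i] in "|\\":
            ch, i = text[i], i + 1          # escaped pipe or backslash: keep it literally
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, text[i:]

def _unescape(value):
    """Undo extension-value escapes: '\\=', '\\\\', '\\|', '\\n', '\\r'."""
    out, i = [], 0
    while i < len(value):
        nxt = value[i + 1] if value[i] == "\\" and i + 1 < len(value) else None
        if nxt in ("=", "\\", "|", "n", "r"):
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def _parse_extension(ext):
    """Split 'key=value key=value' pairs; a value runs until the next unescaped key."""
    ext = ext.strip()
    keys = list(_KEY_RE.finditer(ext))
    parsed = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        parsed[m.group(1)] = _unescape(ext[m.end():end])
    return parsed

def parse_cef(line):
    """Return header fields plus an 'extensions' dict; any syslog prefix before 'CEF:' is dropped."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF line")
    header, ext = _split_header(line[idx:])
    event = dict(zip(CEF_HEADER_FIELDS, header))
    event["version"] = event["version"][len("CEF:"):]
    event["extensions"] = _parse_extension(ext)
    return event

def off_hours_admin_actions(events, start_hour=8, end_hour=18):
    """Admin account actions whose receipt time ('rt', epoch ms) falls outside [start_hour, end_hour) UTC."""
    hits = []
    for ev in events:
        rt = ev["extensions"].get("rt", "")
        if ev["signature_id"] in ADMIN_EVENT_IDS and rt.isdigit():
            hour = datetime.fromtimestamp(int(rt) / 1000, tz=timezone.utc).hour
            if not start_hour <= hour < end_hour:
                hits.append(ev)
    return hits

# Constructed sample lines: a domain controller and a VPN gateway, both already emitting CEF.
SAMPLE_LOGS = [
    "CEF:0|Microsoft|Windows|2019|4725|User account disabled|5|rt=1710297000000 "
    "suser=ops\\\\jdoe duser=svc_backup msg=Disabled via console\\=ADUC",
    "CEF:0|Acme|VPN Gateway|3.1|login|VPN login|3|rt=1710339300000 suser=jdoe src=203.0.113.7",
    "CEF:0|Microsoft|Windows|2019|4722|User account enabled|5|rt=1710339300000 suser=ops\\\\jdoe",
]
```

Feeding `SAMPLE_LOGS` through `parse_cef` and `off_hours_admin_actions` returns only the 02:30 UTC account-disable event; the VPN login is not an admin action and the 14:15 enable falls inside business hours.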
Senior Officer IT at Tech Data Limited
Interactive dashboards provide lots of detail, but tough to operate for new users
Pros and Cons
- "I think that the overall experience with this solution is good, but in particular, I think that the dashboards are quite interactive."
- "It would be nice if the interface were more user-friendly, with, for example, a minimal number of tabs to navigate."
What is most valuable?
I think that the overall experience with this solution is good, but in particular, I think that the dashboards are quite interactive.
What needs improvement?
Somebody who is new and just starting with this product will find it really tough. The software is quite big. It would be nice if the interface were more user-friendly, with, for example, a minimal number of tabs to navigate.
A walkthrough that shows everything a normal user might do would be very helpful.
I would like to see improvements on the Active Channel side of this solution.
For how long have I used the solution?
Between one and two years.
What do I think about the stability of the solution?
The software itself seems to be stable, as we have not actually experienced any bugs. The connection depends on the network side, but overall it seems to be working fine.
What do I think about the scalability of the solution?
This solution would be more scalable if the interface were more user-friendly. There are rules and alerts, and the user has to have the proper knowledge of all of these things. With a walk-through, I think that it would be quite easy to scale.
We have two people using this solution, and we perform monitoring on a daily basis. In our environment, adding users is quite rare.
How are customer service and technical support?
We did have a couple of problems recently where one of the modules was not communicating well. In terms of support, I think that they are quite good.
Which solution did I use previously and why did I switch?
This is the first solution that we have used for monitoring.
How was the initial setup?
I was not involved in the initial setup of this solution.
What other advice do I have?
This is a really good solution and I would recommend it. If you know how to work it, and how to configure it properly, then it can give you lots and lots of information. On the other hand, it provides so much detail that people can miss things. If the interface and reports were minimized and consolidated then it would be better.
I would rate this solution a seven out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.