- Raw logs
- Alarm section
- Security events
Once we placed AlienVault in the product we have now, the time it takes to find and respond to real anomalies has dropped from hours to minutes, it has so much potential to be an amazing product despite it's many issues. After working with so many other SIEMs, AlienVault is among my top three favorites, and I believe it has earned that spot well.
Directives and searches within security events. So many issues with directives. Creating directives is a pain on it's own, but editing them can be a nightmare filled with tedious unnecessary steps. You do not have an option to whitelist or blacklist specific traffic flows to trigger alarms (eg. Specific IP to specific IP) if your directive contains multiple alarms. A simple fix would be to allow the engineer to give "and" and "or" statements so you could get something along the lines of (SRC IP: 192.168.0.20, DST IP: 10.10.1.12 OR 10.10.1.13) AND (SRC IP: 192.168.10.5, DST IP: 10.10.2.5). Instead you have a list of source IPs and a list of destination IPs and no matter if the traffic you need to blacklist is specific, anything communicating from the source list to the destination list triggers an alarm, which is not always what you want.
A workaround for that is to split the alarm directive into separate directives for any specific flows you are looking for. Searching in security events comes with it's own minor inconvenience that isn't a deal breaker, however, a simple improvement could make things orders of magnitude better: Allow the analyst to decide everything he wants to search for and trigger the search themselves. Right now, if you want to search something by signature, time range, and port - for example - you have to do each individually and each search forces the query to reload before you get the information set you want. E.g.: I want to search for Admin Activity Events, surrounding a specific Admin, over the last week. I need to first search for Admin activity events, which reloads the whole set of data, then search for the username, reloading the whole set of data again, then choose the last week time range, reloading again. It would make more sense to be able to package the queries I intend to use, then click something along the lines of submit. AlienVault does offer predefined searches, which is a great tool, but I think fixing the search function of the SIEM would be great.
I've used it for two years.
Stability issues have been around, but I feel like AlienVault does a stand up job at responding to and fixing them.
I personally haven't seen any scalability issues, though that falls out of my purview.
10/10 - the AlienVault team is great, and the community is very active.
Straightforward. The guidance given in documentation sets you up for success, and the ease of adding agents to machines is phenomenal.
It was done in house. Be patient, focus on getting your firewalls connected to the SIEM.
I have used several SIEMs, but stick with ArcSight, Splunk, and AlienVault. It is more client dependent. I big pro for AlienVault is it's price point and resource requirements. Though I feel like AlienVault is best suited for small to mid sized business.
Take advantage of the support team at AlienVault, and read through the documentation. If you get lost, their is a good chance the information is in there. Also, you will quickly discover the limitations of AlienVault, so you should take your time to figure out workarounds for your issues.