<li>Correlation Engine simplicity</li>
<li>Visual agent deployment</li>
<li>Stream-based solution performed by the iSCALE bus (no latency due to the database layer)</li>
Improvements to My Organization:
<li>Better security incident analysis</li>
<li>New scopes for security events and correlation</li>
<li>Better performance on device-failure actions</li>
Room for Improvement:
<li>Agent development flexibility</li>
Use of Solution:
I worked on version 5 and then 6 for a total of 6 years. My personal score is 4 stars, based on my experience with the latest version I worked on (version 7 is probably much better).
On version 5, the builder was somewhat unstable during deployment; the workaround was a strong procedure with too many intermediate save steps.
The wizard agent module is very sensitive to network changes and needs a restart on every network change (versions 5 and 6).
I have not seen any issues with scalability.
I had another SIEM installation (nFX) working for another application domain.
Complex, but mainly because of all the network variables we had. Imagine mapping firewall rules passively and then requesting that capability from an external group not really involved in the installation.
Actually, we were the system integrator and we provided a large enterprise solution.
Other Solutions Considered:
Novell SIEM was my second technology of this kind. Previously I had experience with nFX, and later also with McAfee ESM and Splunk ES.
Be aware that without any technical support from NetIQ it could be very hard to administer.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Aug 17 2014