ArcSight Enterprise Security Manager (ESM) Room for Improvement

Ramnesh Dubey - PeerSpot reviewer
Solutions Architect at a tech vendor with 10,001+ employees

The first limitation is with the ArcSight Data Storage Manager (ADSM). ArcSight's total capacity is currently capped at 12 TB. This becomes an issue if a customer needs a longer real-time data retention period, such as exceeding 90 days or reaching a year or even ten months. Increasing the disk space beyond 12 TB is not currently possible.

So, increasing the storage capacity is one area for improvement. Additionally, the real-time data retention is limited due to the 12 TB restriction. Depending on the Events Per Second (EPS) you receive, you might only be able to retain data for seven to ten days.

Overall, the 12 TB limit is the main issue we face in terms of maximizing real-time data storage.

Moreover, there are a few improvements I would like to see in future releases. 

My main suggestion for ArcSight is to simplify the deployment process. Currently, the installation process is quite complex. There are various components involved, including transformations, multiple installations, and containerization for various components. Ideally, I'd recommend that ArcSight allow the entire installation, including the ESM and database, to be completed within a single unified setup process for a streamlined experience.

Additionally, having readily available and well-organized documentation for the step-by-step installation process would be incredibly helpful.

I would also like to see better support. 

Irfan Ali - PeerSpot reviewer
Lead Principal Architect at Injazat Data Systems

More integration with various log sources, especially considering new cloud platforms. Lots of different platforms are now coming. 

For example, nowadays, we have more products related to cloud platforms. So, we have Azure native security firewalls. We have Oracle native security firewalls.

I want that integration with them so that I can receive the logs directly from them and define a unified correlation mechanism for it.

BenNnatuanya - PeerSpot reviewer
Manager, Security Operations Centre at Deloitte

ArcSight could improve by using AI and ML. More people are leaning towards this type of solution. They also could improve the product by integrating user and identity behavior analytics.

The traits' environment is changing every day. The traditional approach of discovering traits within the environment is gradually changing. We need new approaches to intelligently discover traits within the environment. ArcSight needs to improve its product to move in this direction.

DB
Security Operations Director at Axon Technologies

ArcSight is incredibly complex when configuring and deploying, and if your organization doesn't know what they want and what they need, ArcSight will be a challenge for them, but if they absolutely are skilled and know what they want and know what their end goal is, ArcSight is brilliant.

I would like to see more dynamic reporting. 

It could look a little newer. The interface looks a little dated, but otherwise it's fine.

AbhishekMishra - PeerSpot reviewer
Technical Lead Project Individual Contributor at DXC

The visualization is not very good compared to Splunk.

The dashboard and the comparability with new devices could be better. For example, we have a lot of cloud infrastructure that's coming around. Nowadays, most of the appliances are cloud-based. So, the comparability of Splunk is more with cloud infrastructure. With ArcSight, we have to build FlexConnectors to integrate multiple data sources, and we need visualization in that with FlexConnectors. If you go to Splunk, they have their own apps developed, and they work more proactively compared to ArcSight.

The performance and speed could be better. Technical support could be improved.

it_user858882 - PeerSpot reviewer
Business Development Manager- Threat Management Services at Insight Enterprises, Inc.

The marketplace is a bit of a joke; steps should be taken to improve participation. 

Micro Focus desperately needs to improve their core offering rather than adding more "solutions" to the greater ArcSight portfolio. In other words, instead of selling a separate, slick, intuitive add-on (i.e., ArcSight Investigate), just make the console GUI better! 

Customer engagement and support could be improved across the board. 

Anand-Dutta - PeerSpot reviewer
Head Global Alliances Director at Tech Mahindra Limited

What could be improved in ArcSight Enterprise Security Manager (ESM) is its analytics feature. That feature should be more powerful and have more correlation in terms of AI/ML, though Micro Focus has done a good job in adding analytics to ArcSight Enterprise Security Manager (ESM), which has become a big draw to customers.

What I'd like to see in the next release of the solution is the addition of AI/ML features.

PM
Sr. Group Manager at a tech vendor with 10,001+ employees

The API integration could be better, and I'd like to see more machine-learning capabilities in the future. 

ON
Chief Information Officer at Bassein Catholic Co-Op Bank

When I asked our networking juniors for a comparison between LogRhythm and ArcSight, they said that both platforms are almost the same. It is just that LogRhythm is more modern with a digital platform, which probably gives it some advantage over ArcSight. ArcSight is a very old and mature product that is running on an old platform. It is an old legacy platform. 

In terms of new features, it just requires platform upgrades so that it becomes lighter and easily adaptable, specifically in the cloud. It would be a good thing if they can also make reporting easier. 

Riccardo Rosso - PeerSpot reviewer
Consultant at Libero

ArcSight ESM's UI is a little cumbersome and complex, especially for first-time and occasional users using the console manager. It's also a very complex product, and new users will require assistance from someone expert to avoid making errors. 

PM
Sr. Group Manager at WNS Global Services

ArcSight's features are already ahead of many competitors, but maybe they could offer some more training about how to find tools, how to get them working, and how to optimize them. I'd also like to see a greater focus on cloud content and the ability to write rules from the browser.

it_user140673 - PeerSpot reviewer
Senior Manager of System Security with 501-1,000 employees
The network modeling and asset categorization need to be simplified to facilitate wider adaptation amongst customers.
Seshi Dumpa - PeerSpot reviewer
IT Security Manager at a tech services company with 10,001+ employees

The dashboard looks a bit cumbersome with the current version. They should work on the dashboard and optimize their integration which currently lags with devices of reputed vendors. So, having these custom integrators sometimes works and sometimes doesn't.

Abbasi Poonawala - PeerSpot reviewer
Chief Enterprise Architect at a financial services firm with 10,001+ employees

The deployment typology could be improved. If you want to scale across all the different lines of businesses, it should be easy to do that and it's not. If I'm doing DMX monitoring, I shouldn't need a different SIEM. For the traditional application servers which are RTTR architecture-based, the legacy applications, which might be Java or steam-based applications, require DMX monitoring, currently provided by Nagios. Instead, the monitoring could be different types of monitoring which we could get from ArcSight. It would save the cost of doing the DMX monitoring from Nagios. QRadar has a dashboard which includes most of the monitoring, data and everything. The features in ArcSight could be more like that.

Md. Shahriar Hussain - PeerSpot reviewer
Cybersecurity and Compliance Lead Engineer at Banglalink

ArcSight ESM needs to improve performance, user interface, and automation.

Ashraf Abbas - PeerSpot reviewer
Information and Cyber Security Analyst at a financial services firm with 10,001+ employees

I am having issues with report generation with older versions. I don't know if this is because of compatibility issues, but report generation has been a little bit difficult in older versions. It is not similar to the newer and current versions.

We are looking at moving to the cloud. It would be good if ArcSight ESM can move to the cloud. They already seem to be working on this. 

It would also be very helpful and great if we can integrate external threat intelligence, machine learning, and AI into this solution. It has good dashboards, but they can always be better. Its stability can also be improved. 

RS
Consultant at a financial services firm with 10,001+ employees

The query language should be less complex. 

The UI interface is somewhat complex and needs to be simplified. 

The dashboards don't read in a graphical manner. You have to read the logs and the output whenever you run a query. You need to understand the output. You have to export it to a .CSV and then design the visualization as per your requirements.

We're missing visual dashboards and reporting. We'd like to have the reporting of simple histories, and we need dashboards to show details in a presentable format.

In the logs, we're capturing multiple fields, some of which we do not need. There should be an option to just keep the fields you require and discard the rest. 

Rikin Rathod - PeerSpot reviewer
Senior Officer IT at Tech Data Limited

For somebody who is new and just starting with this product, they find it really tough. The software is quite big. It would be nice if the interface were more user-friendly, with, for example, a minimal number of tabs to navigate.

A walkthrough that shows everything a normal user might do would be very helpful.

I would like to see improvements on the Active Channel side of this solution.

Wessam Altoumi - PeerSpot reviewer
Chief Commercial Officer at Yamamah Information Technology & Communication Systems LLC

ArcSight ESM could improve the alerts for the storage capacities or actions.

MY
Soc Cybersecurity Analyst at VaporVM

We have pricing issues. ArcSight ESM may not be the most user-friendly option, and its interface is quite traditional. However, despite these aspects, we find it a good cybersecurity solution. It needs to improve the dashboards, documentation, and support as well.

The documentation and community support for ArcSight ESM is not as strong as other solutions. Finding resources and analysts who have experience with ArcSight can be challenging. The solution is less user-friendly than alternatives like Splunk, QRadar, or Sentinel. The technical nature of ArcSight may make analysts hesitant to dive into it, contributing to a steeper learning curve.

it_user410400 - PeerSpot reviewer
Senior Cyber Security Analyst at a tech services company with 10,001+ employees

There are some limitations on the functionality of Rules that I would like to see expanded. I would like to see some better support options in the ArcSight community for HP Protect. Unless someone in your organization is an ArcSight SME, you are going to have a difficult time getting answers.

it_user409212 - PeerSpot reviewer
Cyber Security HP Arcsight Dev Ops Lead Developer with 10,001+ employees

There are a lot of improvements that need to be made, too many to mention all of them, but some improvements with the Con App would be a good start.

RS
Mdr of Presales & Customer Success Head at a financial services firm with 1-10 employees

The tool should improve its UI. It also should make data more searchable. 

Subhadip Pakrashi - PeerSpot reviewer
CEO at Kapstone Technological Services LLP

The initial setup could be more straightforward. 

NB
Senior IT security Administrator and solution at scada.ci

The user interface of ArcSight Enterprise Security Manager could improve. It is not very good. Additionally, they could integrate the web interface better.

it_user257376 - PeerSpot reviewer
Lead Splunk Architect at a financial services firm with 10,001+ employees

Ease of use, access and simplicity: HPE ArcSight makes it hard to capitalize on reports without the use of the console. Other SIEM tools have made it clear that event correlation results can be used not only to send out alerts, but also to provide easily accessible results to management.

ArcSight can be quite complicated to use for a "non-IT" user. In terms of "ease of use", access and simplicity, HPE could do a better job, since customers acquiring the product should be spending more time on implementing use cases than on understanding the product and the console organization.

Also, in terms of installation, we are no longer in an era where installing a product should be a laborious process. Instead, it should be simple and fast.

Also, when it comes to data onboarding, managing ArcSight connectors in a multi-technology environment, there is no simple way to guarantee that data parsing is happening properly.

Finally, having simple-to-set-up, multi-site high availability, in contrast to single-site HA, would be very welcome.

HungTran2 - PeerSpot reviewer
Technical at HPT Vietnam

ArcSight ESM could improve by adding more features and documentation. There needs to be more documentation.

HJ
Security Manager at shinhan DS

There are several improvements that we would like to see, including:

  1. Building a system based on a log collection (SOC)
  2. A scenario for external encroachment
  3. Operator training
it_user700140 - PeerSpot reviewer
Ex Senior Security Analyst and Onsite consultant at Paladion Networks

In certain cases, this product does have false positives, which the company should work on. They should also try to include business logic vulnerabilities in the SIEM tool. The analytics feature is not reliable and needs improvement for more detailed analysis.

it_user417483 - PeerSpot reviewer
Senior IT Security Consultant, Cybersecurity Technology Services at a consultancy with 1,001-5,000 employees

The layout of the analyst's console needs improvement. It has had no significant changes in at least nine years. Also, the advanced statistics in visualizations simply don't work, and I've performed an analysis of these functions.

Alexander Zhekov - PeerSpot reviewer
Business Development Manager at Escom Bulgaria EOOD

The onboarding process for this solution could be better.

Additional features I'd like to see in the next release are a better GUI (graphic user interface), and for them to include intelligence tools, e.g. dark web threat intelligence, etc.

SS
Principal Enterprise Architect (Technology, Cloud & Security) at a retailer with 10,001+ employees

The centralized dashboard for the hybrid cloud environment needs to be more focused. It needs to be redefined because it's missing most of the information.

ArcSight should also be a little bit easier to use. Currently, integration with various applications and connectors is not that easy. Deployment is easy, but integration is not that easy.

ArcSight also has a very high bandwidth consumption to pull the local servers. It should have some kind of better process or ability to transfer files from on-premises to the cloud, from the cloud to on-premises, and from a cloud to another cloud.

it_user406062 - PeerSpot reviewer
Sr. Director, Corporate Information Security at a comms service provider with 1,001-5,000 employees

Although we're able to customize it, it requires some level of subject-matter expertise for all the special adapters for collection.

We also had initial stability issues that were probably caused by our architecture and not the solution itself.

it_user400656 - PeerSpot reviewer
Security Practice Director at Rolta AdvizeX

I'm a little concerned that the market is moving around ArcSight. It's a fantastic SIEM, but the recent metrics show that relying too heavily on a SIEM solution isn't protecting us. ArcSight addresses that by integrating with other solutions, but I'd like to see that be a more central element of it.

it_user147210 - PeerSpot reviewer
Sr Security Engineer at a tech services company with 51-200 employees
There are SO MANY things you can do in AS, and there is a lack of really in-depth documentation on a lot of it. I am not sure why this is, but it is a little hard to be self-sufficient when this is the case. I am sure this is why real ArcSight experts are in demand! Being too feature-rich can be as bad as being oversimplified!
TB
IT Manager at Royal Cemerlang

In other products, I have found that they use some kind of GUI that is drag and drop. While in ArcSight they still use scripting. They should keep scripting because some people prefer scripting but they should have the option for those who prefer using drag and drop.

They should do something similar to what Splunk is doing. They have Enterprise Security and ArcSight should include some use cases that concentrate on Enterprise Security.

it_user409143 - PeerSpot reviewer
Security Manager at a tech services company with 10,001+ employees

I would like to see the following:

  • An improvement in the connector/agent configuration.
    The connector configuration is CLI based. If the connectors are pre-defined and built by HPE, then the configuration/installation seems to be OK.
  • Making the FlexConnector configuration less complex.
    You need development skills in order to do your job in creating/configuring agents and connectors. I tried to learn the syntax in order to customize the software (connectors and agents) for a particular device, and it was a nightmare. The cost for this work, via HPE consultancy, is huge.
it_user571005 - PeerSpot reviewer
System Support Engineer at a tech services company with 501-1,000 employees

The solution needs quite a bit of initial customization.

It needs more product integration, like NBAD and VM solutions, etc. Although the solution currently supports log collection from NBAD and VM solutions, it would be good to add features for HPE to have their own NBAD and VM solution.

There is room to improve the storage requirement.

Most SIEM solutions now have their own Vulnerability Management, NBAD, File Integrity Monitoring, etc. solutions that can be bought as an add-on module. HP does not seem to have any of those capabilities. The most important advantage of having such capabilities is that it allows users to view and analyse all the data on a single pane of glass. Regarding the initial customization, the solution needs some effort in terms of fine tuning to get the dashboards and reports to work. Once it is set up, I think the way the data can be used within the solution is the best as it allows high customization.

it_user401874 - PeerSpot reviewer
Information Security Specialist at a tech services company with 501-1,000 employees

I would like to see improvement in the complexity involved to create a custom connector (flex). Other SIEM solutions, like QRadar, have addressed this.

VN
Senior Manager at PT Permata Anugerah Abadi

There could be more API features for extracting logs on different devices included in the product.

JA
Forensic Consultant at A Cyber 1 Company

The solution can be improved regarding integration with other security products, ease of implementing some features, and feeling like we're not utilizing the solution as best as we could. In the next release, the solution should incorporate some threat intel features and integrate well with other network solutions, EDRs, palm solutions and the sorts. Additionally, the reporting can be improved to bring out very insightful reports showing senior management value for the solution.

LB
Presales Manager at a tech services company with 51-200 employees

When we need to consume old events, we have to wait for a long time. ArcSight should improve the database capability to reply to queries faster. It would also be interesting if they implemented network visibility. For example, they could add a feature like NetWitness with a model just for looking through the packets.

LH
Works at NOOSC Global

One of the problems for the security center is that there are many logs that need to be retrieved from a variety of network devices. The weakness in this system comes about because, with so many different logs, it is possible that the security analyst will lose information. I would like to have better support for wide-area data analytics.

Ideally, I would like to see ArcSight have the ability to consume raw information, or raw data, without being dependent on a log file.

it_user142611 - PeerSpot reviewer
Information Security Professional at a financial services firm with 1,001-5,000 employees
ArcSight uses Oracle DB, which is a bit slow for read/write functions and the main downside to this product. Recently, HP came up with a custom DB for ArcSight 6.0 which they are calling CORR engine. With these Read/Write functions, response is good but unfortunately I've encountered many other minor issues which have room for improvement.
it_user597606 - PeerSpot reviewer
Associate Manager at a tech services company with 10,001+ employees

The correlation and storage have to be improved. The correlation works fine if we have fewer rules being written, but it becomes slow if we have more than 200 rules written for any correlation. This created buffer-buckets for all events flowing into the system. There are other ways in which this can be improved.

it_user409203 - PeerSpot reviewer
Security Business Analyst at a tech services company with 10,001+ employees

Performance is the product's Achilles' heel. The aggregation can't be done for a long period of time, i.e. one week. On top of that, in comparison to the competition, ArcSight works very slowly and the WebUI is not very user-friendly.

VS
Manager, Enterprise Risk Consulting at a tech company with 1,001-5,000 employees
  • Very complex install and management
  • Steep learning curve
  • Poor Network Investigation
  • Poor analytics.
BS
Head - Professional Services at a computer software company with 51-200 employees

Over the past two years, a lot of improvements have been happening.

The biggest requirement is that there is no cloud solution for this product yet. They need to create a cloud version. It's the biggest thing they can do to make the solution better.

The dashboard and user interface need some work. It's my understanding that they are developing better versions of those now.

HM
Senior Security Consultant, CISSP, HPE ArcSight Specialist at a retailer with 5,001-10,000 employees

Developing more products/modules that make it more independent from relying on other vendors’ products to get all the necessary logs. For example, develop NetFlow appliances that can be installed in the customer network on span ports, collect NetFlow, and send it to ArcSight without relying on the devices' NetFlow capability and their position in the network.

it_user418164 - PeerSpot reviewer
Senior Security Consultant & Solution Architect at a financial services firm with 10,001+ employees

It needs additional and better user customization for SmartConnectors. It has additional device support for more obscure log sources.  

Also needed is a configuration wizard for organizations lacking the in-depth knowledge required to integrate the solution successfully.

it_user399357 - PeerSpot reviewer
Security Response Engineer at a media company with 10,001+ employees

The technical support needs to be improved.

SW
Senior Manager at a tech services company with 51-200 employees

ArcSight ESM is lacking cloud scalable technology.

JM
Security Sales Engineer

The interface—the console looks pretty old right now, so it could benefit from a more modern design. It's functional, but not as visually appealing as it could be.

For additional features, I'd say capabilities regarding the behavioral analytics integrated in the solution. Right now, there's something in place, but it's not integrated on our side of the platform.

it_user587595 - PeerSpot reviewer
Dynamics Nav Expert at a tech services company with 51-200 employees

I would like to see the following improvements:

  • Less time to administer and track logs on separate devices.
  • Ease of changing the product underneath. For example, instead of Juniper routers, we started to use Check Point routers.
  • Reporting: I would like an easier way to find the root cause.
  • Simplicity: I would like to see an easier way to figure out which column has the mapped data.
  • Component accessibility: Components are managed in different places; console, web console, and administration web. It would be nice to have easier access.
  • Better UX: I would like to see a better user experience with the web client. Sometimes, it is very slow and not very intuitive.
  • Better documentation or "how-to" videos: Usually documentation for devices, whose logs are going to be collected, is poor. Those guides are split in two parts: 1. To-do content for device administrator. 2. To-do content on the ArcSight side. When a customer uses these guides, it is not clear what he has to do. Sometimes the customer asks specific questions that the ArcSight implementer cannot answer. Some of these questions are about specific roles, privileges needed for a domain, or database use when the specific source is added.
  • Simplified licensing and license extension for console users: Console users are licensed separately. Those licenses are expensive. The web console is introduced with limited features.
it_user180471 - PeerSpot reviewer
Security Expert at a tech services company with 501-1,000 employees

The overall complexity of the product can be overwhelming for some. It's not the type of solution where you just plug it in and it works. Reaping full benefit from it requires quite a lot of custom tuning, qualified IT security personnel, and proper and thorough planning.

Technical support from the vendor can sometimes be quite slow and not very helpful, but it is getting better.

The GUI is outdated. Improvements on this are on the way, according to the vendor.

it_user401781 - PeerSpot reviewer
IT Security Assistant Manager at an insurance company with 5,001-10,000 employees

They can definitely provide faster search response and offer larger on-the-box storage support. The predefined correlation ruleset can be improved to cover more security alerts and more products.

There is also still room for improvement for processing speed. Easily accessible documentation such as reference architectures does not exist; more guidance can be provided to customers for such a complex product.

it_user402840 - PeerSpot reviewer
Senior Manager Fraud Services at a financial services firm with 1,001-5,000 employees

There are improvements that could be made to help us ensure that we're in compliance with our monitoring requirements.

FS
Senior Manager - Cyber Security at a comms service provider with 1,001-5,000 employees

I'd like to see some threat intelligence out of the box rather than adding it in subscriptions. It also needs more straightforward and simplified correlation rules so that a SOC analyst can dive right in rather than undergo a separate induction program. Right now, the attrition rate is high.

SS
Security Engineer at a tech services company with 1,001-5,000 employees

Its search part can be improved. When I go to the console and search for a few logs or something else, it takes a lot of time. When I try to search for three days or one week, it takes too much time. This is a major area of improvement.

I wanted them to include features like SOAR, threat intelligence, and automation, and they seem to have included all these features in version 7.3 or 7.4.

Sandeep Sehrawat - PeerSpot reviewer
Information Technology Security Consultant at Sify Technologies

The security is difficult. 

I would like to have a feature that gives us an entire report listing what devices are integrated.

AB
Associate Vice President at a consumer goods company with 201-500 employees

We need to have more data to work with. The more data you have the more you will be able to give off the right information based on the historical information allows you to take more action. When you don't have enough data, you can't really get the right insights.

The stability isn't quite perfect. We occasionally run into problems.

TB
IT Manager at Royal Cemerlang

The product should include a lot more predefined scenarios so the adopted company will have knowledge and a broader skill set in security and network.

it_user446352 - PeerSpot reviewer
Security Solutions Architect at a comms service provider with 10,001+ employees

- A bit on the slow side for reports requiring query of old data

- High availability achievable through complicated configurations (i.e. load balancers)

- The user interface is a bit dated

TG
Chief Executive Officer at a tech services company with 11-50 employees

ArcSight ESM is not easy to use and it should be integrated with other tools that have infrastructure capabilities. 

VN
Senior Manager at PT Permata Anugerah Abadi

The customer experience could be improved.

I think they can improve the AI and monitoring. Also, they need an updated database.

AN
Analyst at a financial services firm with 10,001+ employees

They should make a user manual for the technical people.

I would like for them to integrate mobile devices. Integration or any kind of functionality which will act as a substitute for IBM so that we can really track our mobile devices as well as look at SIEM.

it_user661260 - PeerSpot reviewer
Security Consultant at a tech services company with 5,001-10,000 employees

HPE ArcSight has a quite steep learning curve. If you get to know the product well, it is the most powerful product that I have worked with. It would be nice if new users could start using the product more easily.

it_user597603 - PeerSpot reviewer
Manager at a financial services firm with 1,001-5,000 employees

The web console should have all the features of the standard console.

In addition, the upgrade process should be simpler.

it_user124926 - PeerSpot reviewer
Security Expert at a tech services company

It can be more user-friendly. The product is too restrictive to suit the flexibility needs of the infrastructure. It is sometimes hard to implement the solution as recommended by HPE.

it_user286302 - PeerSpot reviewer
Network Security Administrator at a government with 1,001-5,000 employees

SmartConnectors should be resilient, since they ingest directly from sources (often sources that I have no control over). But they're not resilient. The slightest change in the format of an event can cause SmartConnectors to stop working completely, even for other properly formatted events.

it_user417585 - PeerSpot reviewer
Information Security Architect at a tech services company with 51-200 employees

Many competitors are going down the road of combining their products with other security products, such as vulnerability scanning, configuration control etc. HP's position doesn't change in that area as they offer to use their standalone solutions and integrate them in ArcSight. There are no embedded scanners or network forensics. Maybe it's time for HP to rethink that position.

it_user126642 - PeerSpot reviewer
IT Security Consultant at a tech services company with 51-200 employees

Better reporting with the nice look and feel available in the wider market; also more vendor log support. HP should improve their Tech Support status.

GS
Product Specialist Security Solutions at a tech services company with 201-500 employees

The main area is the GUI interface. Although a lot of improvements were made on the GUI in the last version (6.9.1), there are still a lot of configurations that need to be done using the console.

The console is not a bad tool to use. I personally like to use it. However, compared to competitive solutions (Splunk, QRadar), it appears to be a weakness.

OS
Information Security Advisor, CISO & CIO, Docutek Services at Docutek Services

For this review, ArcSight sent me the Logger 4 7000-series appliance (2U) with six 1TB RADIUS drives, the maximum amount of internal storage available. I would like to see a threat analytics module. Also, the ability to produce reports.

it_user406278 - PeerSpot reviewer
EVP & Global Head - Services at a tech company with 1,001-5,000 employees

It's complicated to deploy. I need a logger at each site, which also gets quite expensive. There are no shared loggers.

VN
Senior Manager at PT Permata Anugerah Abadi

I'd like to see an improvement in their training and documentation. SOAR (Security Orchestration, Automation, and Response) would be a good feature to include in the future. 

GK
Chief Technological Officer at a tech consulting company with 51-200 employees

It is quite complex and could use a better UI. So the improvement would be a simplification. It is pretty complicated to use. The architecture is not complex but the setup and use are. 

In the next release, it would be nice if the Logger model and the ESM model would be merged. Right now there are two big models, Logger and ESM, but from a Windows perspective, it is not good because they're sending Logger and ESM separately. So if you need ESM, you have to buy both Logger and ESM but if you only need Logger, you are buying just Logger. You can deploy them on one system, but you have two different systems and different databases. My suggestion would be to merge Logger and ESM together.

it_user427377 - PeerSpot reviewer
Senior ICT Security Officer at a financial services firm with 1,001-5,000 employees

I would like to have a native cluster for connectors as a software version and not as an appliance. It also needs a better disaster recovery procedure.

it_user468321 - PeerSpot reviewer
Chief Technology Officer (CTO) at a tech company with 501-1,000 employees

ArcSight needs to go the same route that HPE's doing with the virtualization engine of the HP 380. Basically making it more of a single pane of glass to be able to deploy and take a tangible action on a security event. Today it takes still a lot of consulting dollars to go into trying to deploy ArcSight. You have to have a very powerful technologist or technologist team to deploy ArcSight at scale and be able to actually understand the events coming inbound and make the right tangible decisions from those points of ingress or points of notification. That today, albeit, not horribly hard, as long as you have a trained professional that knows the product. It would be nice to be able to basically make that a one pane of glass, much like HPE's done with the virtualization concept. It would make that pain point a little less. It's not going to make it perfect, but it would be nice to see improvement in that area.

MS
Managing partner at a tech services company with 11-50 employees

The way that scaling is set up isn't very cost-effective.

The automation needs to be improved. Everybody needs automation as there is a lack of analysts these days in all of our security diagnostic accounts. There's too much noise in the data they push to you. It's a lot of white noise, and it takes a lot of time to sort through all the false positives that ArcSight triggers to you.

It's very complicated to see if something is a real case and if it's a threat or not. It's very difficult to be able to check that the information sent as they are sending you thousands of messages per day regarding threats. It's very difficult for an analyst to be able to pinpoint the real root cause of the problem. 

I would suggest that they offer full automation and filtering for white noise. By white noise I mean the bulk of messaging and alerts they have been sending to the security analysts. It's difficult for them to realize if it's a threat or not in the end, and you need to spend a lot of time among other systems that you also need to manage. Maybe only 10% of this information is useful for a security analyst.

The product should improve its ease of use.

They should work to have a more, let's say, intuitive dashboard, a real-time intuitive dashboard, and to focus it on the most important, critical assets in the company.

The solution requires a lot of expertise and manpower to deploy the solution.

it_user415854 - PeerSpot reviewer
Senior Information Security Engineer at a tech services company with 501-1,000 employees

ArcSight Connector appliance needs some improvement, as it has some bugs which trigger issues most of the time. I believe that the Connector is going to hit end-of-service.

it_user428250 - PeerSpot reviewer
System Engineer at a tech services company with 51-200 employees

They need to fix some bugs and increase the search performance speed. Sometimes there are issues when I perform log correlations.

US
CISO and DPO at ValueLabs LLP

The following needs to be improved:

  1. We would like the ability to easily identify either unused resources or those that are being used sub-optimally.
  2. ESM should make usage of variables and other such deep customizations highly intuitive.
  3. User behavior analytics is too pricey but an essential tool.
FS
Information Security and Business Data Protection Specialist at a comms service provider with 1,001-5,000 employees

The security area has room for improvement. 

it_user256617 - PeerSpot reviewer
Sales Engineer at a tech services company with 1,001-5,000 employees

They need to improve the Web UI, similar to how it is done with Splunk.

ArcSight is still using a Java app to do analytics.

ArcSight Express is using HTML5, which is good. However, the capabilities of ArcSight Express are not good when the data grows.

it_user126918 - PeerSpot reviewer
Information Security Consultant with 1,001-5,000 employees

As of now, HP doesn’t have healthy integration of flows; this could use significant improvement. High Availability is a major concern for all of our customers; HP needs to significantly improve in HA.

it_user126648 - PeerSpot reviewer
Senior Security Analyst at a tech services company with 10,001+ employees

Support from the vendor and pricing.

MJ
Technical Lead Enterprise Solution at a tech services company with 51-200 employees

OOB content is limited. Micro Focus should release the smart connector update on a quarterly basis.

GM
Information Security Analyst at a comms service provider with 1,001-5,000 employees

A lot of improvements could be made in the product. I think the roadmap is not clear, and there is no AI or machine learning solution. 

it_user730782 - PeerSpot reviewer
Delivery Consultant - Security Solutions with 1,001-5,000 employees

Complexity, administration. Administration of ArcSight is not an easy job. The admin needs to be well experienced in it to identify the root cause and fix it.

it_user285777 - PeerSpot reviewer
Solutions Architect- SIEM and Solutions with 1,001-5,000 employees

I would like to see high-end, predictive analytics. ArcSight ESM has some features that help in advanced correlation rules creation. However, intelligence around predictive analytics, understanding the current security posture and ability to map it with possible threats in the future is not something that is present in ArcSight at the moment.
