ArcSight Enterprise Security Manager (ESM) Overview

ArcSight Enterprise Security Manager (ESM) is the #10 ranked solution of our top Security Information and Event Management (SIEM) tools. It's rated 3.6 out of 5 stars, and is most commonly compared to Splunk.

What is ArcSight Enterprise Security Manager (ESM)?

ArcSight is Micro Focus' leading Security Information and Event Management (SIEM) solution. ArcSight helps businesses protect their data through compliance solutions and security analytics.

There are a number of different products and solutions in the ArcSight family so you are able to pick and choose those that are best suited to your business requirements.

With ArcSight, IT can:

  • Monitor IT infrastructure.
  • Manage insider security with secure identity and access control.
  • Automate compliance.
  • Monitor applications.
  • Manage security risks.
  • Identify APTs.

ArcSight Enterprise Security Manager (ESM) is also known as Micro Focus ArcSight, HPE ArcSight, ArcSight.

ArcSight Enterprise Security Manager (ESM) Buyer's Guide

Download the ArcSight Enterprise Security Manager (ESM) Buyer's Guide including reviews and more. Updated: September 2020

ArcSight Enterprise Security Manager (ESM) Customers

Lake Health, U.S. Department of Health and Human Services, Bank AlJazira, Banca Intesa, and Obrela.

ArcSight Enterprise Security Manager (ESM) Archived Reviews (More than two years old)

Teguh Budyantara
IT Manager at Royal Cemerlang
Real User
Top 20
May 22, 2018
Can pinpoint the story behind every virus or network attack to the environment

What is our primary use case?

Our primary use case is SIEM. It is a data lake for logs from all of our servers and devices (routers, switches, firewalls, wireless controllers, etc.).

How has it helped my organization?

It prevented my users from getting infected by ransomware. It can also pinpoint the story behind every virus or network attack to our environment.

What is most valuable?

ArcSight ESM: The module has user-defined rules capabilities. This feature lets us define almost any threat.

What needs improvement?

The product should include a lot more predefined scenarios so the adopted company will have knowledge and a broader skill set in security and network.

For how long have I used the solution?

Three to five years.
Jordan French
Business Development Manager- Threat Management Services at Insight Enterprises, Inc.
MSP
Apr 25, 2018
Absolutely improved the efficiency of our security team

What is our primary use case?

It is our SIEM of choice in our managed SIEM services offering. Its multi-tenant capability, virtually universal connector framework, and licensing model made it the clear choice to deliver a value-add as an MSSP.

Pros and Cons

  • It has absolutely improved the efficiency of our security team. We use it internally as well. It is such a powerful tool that our internal security team became a customer of our ArcSight managed service.
  • The initial setup is very complex. We had to architect a deployment which allowed us to incorporate an ever growing number of customers into our hosted instance of ArcSight.
  • Customer service during the transition from HPE to Micro Focus was abysmal where it became disruptive to our service delivery.

Cost and Licensing Advice

  • Thanks to Micro Focus's licensing model, as an MSSP, we are able to see a complete return on our investment almost immediately.
  • Customers without a ton of resources to dedicate to deployment may be better served by a managed ArcSight service.

What other advice do I have?

It has its quirks, but ultimately, it delivers capabilities that no other SIEM could provide.
it_user700140
Ex Senior Security Analyst and Onsite consultant at Paladion Networks
Consultant
Mar 11, 2018
Once the rules are defined, it becomes easy to detect changes and generate automated logs

What is our primary use case?

We use Micro Focus ArcSight SIEM version 6.3, 6.4, and 6.5 in multiple sites and customer ranges. The SIEM log monitoring tool is very efficient at providing us the details for any file system changes, logins, OSPF, and BGP as well as other router and server changes.

Pros and Cons

  • The tool sends an automated mail to all the operators, which makes it easy to share the information and reporting.
  • Once the rules are defined, it is capable of detecting minute changes in the systems, which are effectively based on the entries in the log.
  • It is a vital tool for live monitoring and helps us to understand the traffic alerts of any major issue on the network, thereby reducing hacking attempts.
  • Once the rules are defined, it becomes easy to detect changes and generate automated logs.
  • The analytics feature is not reliable and needs improvement for more detailed analysis.
  • In certain cases, this product does have false positives, which the company should work on.
  • They should try to include business logic vulnerabilities in the SIEM tool.

Cost and Licensing Advice

  • It is best to be an institutional buyer and directly contact the sales team, as they can provide over-the-top discounts for bulk orders.
it_user661260
Security Consultant at a tech services company with 5,001-10,000 employees
Consultant
Nov 26, 2017
It makes user behavior and problems on the network visible, which we can then solve

Pros and Cons

  • The real-time analysis adds value.
  • HPE ArcSight has a quite steep learning curve.

Cost and Licensing Advice

  • Aggregation can help a lot in pushing down licensing costs.

What other advice do I have?

Get a training course and start working with it quickly after getting your course. It is easy to forget all the options ArcSight has.
it_user730782
Delivery Consultant - Security Solutions with 1,001-5,000 employees
Vendor
Sep 11, 2017
By tweaking use case conditions one could identify potential security breaches, but admin is complex

Pros and Cons

  • Customization. ArcSight gives you a platform to on-board out-of-the-box devices with a more accurate way of collecting desired logs/events.
  • Administration of ArcSight is not an easy job. The admin needs to be well experienced in it to identify the root cause and fix it.

Cost and Licensing Advice

  • ArcSight is pretty expensive compared with its competitors. I believe that is fine as it provides value.

What other advice do I have?

On-boarding is easy but administration is challenging and more fun.
Hatem Metwally
Senior Security Consultant, CISSP, HPE ArcSight Specialist at a retailer with 5,001-10,000 employees
Consultant
Sep 3, 2017
Parses raw logs, converts them to common event format so you don't need expertise in all products

Pros and Cons

  • SmartConnector: Normalization parses raw logs and converts them into CEF (common event format). This is the core of the product.
  • They need to develop NetFlow appliances that can be installed in the customer network on span ports, collect NetFlow, and send it to ArcSight without relying on the devices' NetFlow capability and their position in the network.

Cost and Licensing Advice

  • HPE ArcSight pricing might be more expensive than other SIEM solutions, but in my opinion it has powerful features and great flexibility in developing complex use cases.

What other advice do I have?

If you are implementing Express/ESM, I advise disabling all out-of-the-box content and building your own. Also, keep monitoring partial matches and your session/active list sizes as you develop your correlation rules, as it has a big performance hit on the system.
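The review above names SmartConnector normalization into CEF (Common Event Format) as the core of the product, and a later review on this page credits CEF formatting with making events from different sources combinable. As an added illustration of what that format looks like on the wire, here is a small CEF parser; it is example code written for this page, not ArcSight's own connector logic, and the three sample records are constructed (they are not captured from any real device). It handles the two escaping rules that trip up home-grown parsers: `\|` and `\\` inside the seven pipe-delimited header fields, and `\=`, `\\`, `\n`, `\r` inside extension values. A syslog prefix in front of the `CEF:` marker is tolerated.

```python
"""Minimal CEF (Common Event Format) parser, written as an example for this page.

A CEF record is one line:
    CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
The seven header fields are '|'-delimited ('|' and '\\' escaped with a backslash);
the extension is space-separated key=value pairs ('=' and '\\' escaped, newlines as \\n / \\r).
"""

HEADER_KEYS = ("cef_version", "device_vendor", "device_product",
               "device_version", "signature_id", "name", "severity")

# Constructed sample records (not from any real device).
SAMPLE_LINES = [
    "CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|"
    "src=10.0.0.1 dst=2.1.2.2 spt=1232",
    # escaped '|' and '\' in header fields, escaped '=' inside an extension value
    r"CEF:0|Vendor\|Inc|Prod\\X|2.1|200|Login with pipe \| in name|5|"
    r"suser=alice msg=key\=value here act=blocked",
    # syslog header in front of the CEF marker
    "Sep  3 12:00:00 fw01 CEF:0|Example|Firewall|3.2|deny|Connection denied|3|"
    "src=192.0.2.10 dst=198.51.100.5 dpt=445 proto=TCP",
]


def _split_header(line):
    """Split the 7 header fields on unescaped '|'; return (fields, extension_text)."""
    fields, cur, i = [], [], 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            cur.append(line[i + 1])      # header escapes: \| and \\
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
            if len(fields) == 7:          # everything after the 7th pipe is the extension
                return fields, line[i + 1:]
            i += 1
            continue
        cur.append(c)
        i += 1
    fields.append("".join(cur))          # no 7th pipe: last field is severity, no extension
    return fields, ""


_EXT_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}


def _unescape_value(raw):
    """Resolve extension-value escapes; unknown escapes are kept verbatim."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(_EXT_ESCAPES.get(raw[i + 1], "\\" + raw[i + 1]))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def _parse_extension(ext):
    """Parse 'k1=v1 k2=v2 ...'. A value runs until the whitespace before the next key."""
    eq, i = [], 0
    while i < len(ext):                   # positions of unescaped '='
        if ext[i] == "\\":
            i += 2
            continue
        if ext[i] == "=":
            eq.append(i)
        i += 1
    starts = []
    for p in eq:                          # key = non-space run ending at '='
        s = p
        while s > 0 and not ext[s - 1].isspace():
            s -= 1
        starts.append(s)
    result = {}
    for n, (s, p) in enumerate(zip(starts, eq)):
        end = starts[n + 1] if n + 1 < len(eq) else len(ext)
        result[ext[s:p]] = _unescape_value(ext[p + 1:end].rstrip())
    return result


def parse_cef(line):
    """Parse one CEF record into a dict; raise ValueError on malformed input."""
    idx = line.rstrip("\r\n").find("CEF:")
    if idx < 0:
        raise ValueError("no CEF: marker")
    fields, ext = _split_header(line.rstrip("\r\n")[idx:])
    if len(fields) != 7:
        raise ValueError("CEF header needs 7 pipe-delimited fields, got %d" % len(fields))
    event = dict(zip(HEADER_KEYS, fields))
    event["cef_version"] = event["cef_version"][len("CEF:"):]
    event["extension"] = _parse_extension(ext) if ext.strip() else {}
    return event


def is_valid_cef(line):
    """True when parse_cef() accepts the line, False otherwise."""
    try:
        parse_cef(line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        ev = parse_cef(raw)
        print(ev["device_vendor"], ev["device_product"], ev["signature_id"],
              ev["severity"], ev["extension"])
```

The one ambiguity a parser cannot resolve is a value that contains a space followed by a token with an unescaped `=` (a device that fails to escape); such a record is split at the wrong place and the only fix is correcting the source's escaping, which is the kind of parser-quality problem the normalization layer exists to absorb. Records that lack the `CEF:` marker or the seven header fields are rejected rather than half-parsed, so that a downstream rule never matches on a mis-assigned field.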
it_user587595
Dynamics Nav Expert at a tech services company with 51-200 employees
Consultant
Jan 31, 2017
Allows integration and log collection with different devices.

What other advice do I have?

Prior to implementation, do an internal assessment and analyze business, technical, and other requirements. Know your inventory and ask for a project methodology approach. Ask your partner for a referral visit to other customer sites.
it_user409143
Security Manager at a tech services company with 10,001+ employees
Consultant
Jan 31, 2017
Allows me to view events in real time. The FlexConnector configuration is complex.

What other advice do I have?

This product requires a dedicated team to operate it from A to Z. HPE support needs to be clearly defined and considered.
it_user257376
Lead Splunk Architect at a financial services firm with 10,001+ employees
Real User
Jan 31, 2017
CEF log formatting helps with combining events from different sources. It can be quite complicated for the "non-IT" user.

What other advice do I have?

My first advice is "be patient". It takes a lot of time to deploy an ArcSight infrastructure, but the result is worth it. Technically, it’s a very powerful tool. It would be worth it to take the time to learn some of the hidden features.
it_user597603
Manager at a financial services firm with 1,001-5,000 employees
Vendor
Jan 31, 2017
It provides event correlation across multiple device categories. The web console should have all the features of the standard console.

What other advice do I have?

You must understand your environment and its dynamics. Talk with IT people, write down the most important use cases, shortlist at least three SIEM solutions, do several pilots and then choose well.
it_user597606
Associate Manager at a tech services company with 10,001+ employees
Consultant
Jan 29, 2017
Dashboards and channels provide real-time alerts. Correlation becomes slow if we have more than a certain number of rules.
it_user256617
Sales Engineer at a tech services company with 1,001-5,000 employees
Consultant
Jan 29, 2017
Enables you to create a dashboard for analytics and set alerts.

What other advice do I have?

You need to first know the SIEM concept. SIEM can grow significantly, so you need to understand how to use a collector properly.
it_user124926
Security Expert at a tech services company
Consultant
Jan 29, 2017
The correlation capabilities are valuable. It is too restrictive to suit the flexibility needs of the infrastructure.

What other advice do I have?

There are better products in the market for medium to large-scale deployments. It is recommended to use this product for small-scale deployments, i.e., 200-800 EPS.
it_user286302
Network Security Administrator at a government with 1,001-5,000 employees
Vendor
Jan 25, 2017
With the console, I can move between analyzing events and creating content. SmartConnectors are not resilient and sometimes crash.

What other advice do I have?

Evaluate your needs. If you're only looking to integrate logs or do simple correlations, there might be a better choice out there. If you're looking for a single product that will let you aggregate, correlate and analyze many different sources in a single place, then there are few competitors that can come close to ArcSight's features.
it_user571005
System Support Engineer at a tech services company with 501-1,000 employees
MSP
Jan 25, 2017
Parsers are easy to create and test.

What other advice do I have?

Planning is very important. You need to know the security threats to your organisation to create the relevant rules. Look at other less-discussed modules of HPE ArcSight, like ArcSight Interactive Discovery and ArcSight ThreatDetector, for better results.
Ly Binh Lap
Network Security Engineer, Security Monitoring Center at a tech services company
Real User
Jan 25, 2017
FlexConnector collects logs from your own application.

What other advice do I have?

ArcSight provides many documents and guides for configuration and operation. Also, you can refer to its community at https://www.protect724.hpe.com.
it_user180471
Security Expert at a tech services company with 501-1,000 employees
Consultant
Jan 25, 2017
With multi-tier hierarchical deployment, we are able to integrate and standardize security incident detection and response.

What other advice do I have?

The keys to success with this solution are:

  • Careful deployment planning
  • Readiness to invest time and resources into training your IT security personnel
  • Fine tuning the solution to your specific needs
ProductS9907
Product Specialist Security Solutions at a tech services company with 201-500 employees
Real User
Jan 25, 2017
The feature list allows us to input data dynamically to list it as a rule action.

What other advice do I have?

Do a live PoC to test all needed features. Think of use cases that you would like to deploy and make sure they are doable on the system, without additional licenses/appliances. Choose a mature partner who is able to deliver the implementation even if it costs a bit more. The most common factor in failed SIEM experiences is a bad implementation by non-experienced partners/engineers.
it_user285777
Solutions Architect- SIEM and Solutions with 1,001-5,000 employees
Vendor
Jan 17, 2017
Most devices are covered out-of-the-box. I would like to see high-end, predictive analytics.

What other advice do I have?

Ensure your scope is very clear and so are the components.
it_user401874
Information Security Specialist at a tech services company with 501-1,000 employees
MSP
Jan 16, 2017
Correlation and flexibility are valuable. It helped meet compliance requirements for log collection.

What other advice do I have?

An organization that has enough budget for SIEM and really cares about security and not only about compliance must go with ArcSight. SMB organizations who want to start a SOC or have just a log management solution for compliance requirements can go for cheaper options such as QRadar, LogRhythm, AlienVault, etc. For MSSP, ArcSight is indeed the best SIEM available in the market, as segregation of logs, access restriction, different log retention, customized view for dashboard and reports to clients are present with ease. Lastly, ArcSight is like Apple. If you have money, go for iPhone and you…
it_user415854
Senior Information Security Engineer at a tech services company with 501-1,000 employees
Consultant
Aug 31, 2016
The user has multiple levels of options to generate reports and get alerted based on conditions.

What other advice do I have?

HP are doing their job perfectly by bringing new features in every version, such as RepSM, HA capability, etc. It has never failed me.
it_user418164
Senior Security Consultant & Solution Architect at a financial services firm with 10,001+ employees
Vendor
Aug 29, 2016
It's able to track down security incidents faster and make for a more efficient investigation of a user's network activity based on the log data available.
it_user446352
Security Solutions Architect at a comms service provider with 10,001+ employees
Real User
Aug 4, 2016
it_user468321
Chief Technology Officer (CTO) at a tech company with 501-1,000 employees
Vendor
Jun 30, 2016
It enables us to speed our time to resolution.

What other advice do I have?

I'm going to rate it at a 9. There's always room for improvement, of course, and maybe I'll be fair and give it an 8.5. The only reason I would do that is because, again, coming up with that single pane of glass, easier management style, and more about deployment. You don't have to have that powerhouse technologist that knows every trick of the trade to go in and deploy it and get all the bells and whistles. Is that a perfect model that will ever be achieved? Of course not. Can there be improvement? Sure there can. What I'm shooting for is have an ArcSight solution that can get me 90 percent…
Omar Sánchez (Mr.Tech)
Information Security Advisor, CISO & CIO, Docutek Services at Docutek Services
Consultant
Top 5 Leaderboard
Jun 8, 2016
Has helped us to gather, store, correlate and analyze security log data from many different information systems.
it_user427377
Senior ICT Security Officer at a financial services firm with 1,001-5,000 employees
Vendor
May 5, 2016
It provides us with event correlations that are automated and prioritized according to level of security risk and compliance violation.

What other advice do I have?

I'm pleased with the current capabilities.
it_user417585
Information Security Architect at a tech services company with 51-200 employees
Consultant
Apr 24, 2016
Its flexibility is achieved by being easy to use, and at the same time having very sophisticated FlexConnectors.

What other advice do I have?

You need to read the documentation - you can then get it fast and working. If you do not read the documentation, you get pain and tears. Look for an experienced team to deploy the solution, or get experience yourself as HP has some good learning courses. Deep knowledge of the product will come later, but for the correct implementation you need to be prepared. ArcSight has wonderful community, and you can always ask a question or find an interesting use case there. It's a very useful resource indeed, do not hesitate to visit it.
it_user417483
Senior IT Security Consultant, Cybersecurity Technology Services at a consultancy with 1,001-5,000 employees
Consultant
Apr 24, 2016
It has flexible and rich correlation capabilities. It has the capability to manipulate every parameter - sub-strings, indexes, and custom functions.
it_user428250
System Engineer at a tech services company with 51-200 employees
Consultant
Apr 21, 2016
When I am facing a problem such as transaction fraud, we can investigate using ArcSight by tracing the log through its correlation. They need to fix some bugs and increase the search speed.

What other advice do I have?

You need to learn about architecture and practice more before implementation since this product is not easy to learn and takes time to master.
it_user410400
Senior Cyber Security Analyst at a tech services company with 10,001+ employees
Consultant
Mar 27, 2016
It allows for easy log analysis as well as correlation and alerting.

What other advice do I have?

It's a well rounded product especially with the addition of Logger and Command Center. I felt it was easy to understand and use right from the start. There are some companies that do not take advantage of everything ArcSight can offer. A problem I think ArcSight can fix with better support alternatives.
it_user409212
Cyber Security HP Arcsight Dev Ops Lead Developer with 10,001+ employees
MSP
Mar 21, 2016
The CORR engine and ability to build complex correlations from simple 'building blocks' are the most valuable features for us.

What other advice do I have?

It's a fantastic product and highly configurable, but it needs nothing less than a seasoned cyber security professional with serious engineering expertise and a real desire to provide meaningful use cases. Anyone that says ArcSight is 'fire and forget' should not be allowed to work in cyber security! If you want Arcsight implemented correctly, start by sizing your organization, and looking at data flows and the available data streams. Be mindful of regulatory and compliance reporting, Risk and Legal as well, as you may need to factor in any and all of these when working with enterprise…
it_user409203
Security Business Analyst at a tech services company with 10,001+ employees
Consultant
Mar 21, 2016
It has good options for shaping data and using them in very complex rules. Performance is the product's Achilles' heel.
it_user401781
IT Security Assistant Manager at an insurance company with 5,001-10,000 employees
Vendor
Mar 17, 2016
It allows us to traceback security threats, to generate usage trends and discover anomalies.
it_user406278
EVP & Global Head - Services at a tech company with 1,001-5,000 employees
Vendor
Mar 17, 2016
The live threat feed keeps us abreast of the latest threats. The initial setup required a lot of customization.

What other advice do I have?

Definitely consider it as a top-3 choice, but know what you're trying to achieve with an SIEM tool.
it_user406062
Sr. Director, Corporate Information Security at a comms service provider with 1,001-5,000 employees
Vendor
Mar 16, 2016
It correlates security events and then allows us to take action to address those events.

What other advice do I have?

Make sure you staff up internally, and have the right subject-matter expertise to take advantage of the platform. Otherwise, it's not going to help.
it_user402840
Senior Manager Fraud Services at a financial services firm with 1,001-5,000 employees
Vendor
Mar 10, 2016
It's a reliable service and provides our team members with a lot of knowledge.

Valuable Features:

It's a reliable service and provides our team members with a lot of knowledge. In turn, it provides solutions for the needs of the IT department.

Room for Improvement:

There are improvements that could be made to help us ensure that we're in compliance with our monitoring requirements.

Use of Solution:

I've been in my group for over eight years and we've used it for the entire time. I'm not sure when the initial implementation was.

Deployment Issues:

We've had no issues with deployment.

Stability Issues:

It's consistently stable. I've not heard any complaints about instability.

Scalability Issues:

HP has delivered for our company and its size.

Initial Setup:

The initial setup was done more than eight years ago before I started with the company. …
technica402861
Senior Manager - Cyber Security at a comms service provider with 1,001-5,000 employees
Real User
Top 10 Leaderboard
Mar 10, 2016
The two most valuable features for us are the deployment strategy and its operational ease.
it_user400656
Security Practice Director at Rolta AdvizeX
Consultant
Mar 10, 2016
Capable product that integrates with many different platforms.

What other advice do I have?

Make sure you tune it to your business and infrastructure, which isn't necessarily part of technical support. It requires some consulting, which is a market challenge of the product. It's not a one-size-fits-all solution and it isn't sold with the appropriate professional services. So the number one thing with ArcSight is that you have to make sure that you get professional services to help size it for your particular use case, including integrations with your tools, operational model, and security operations.
it_user399357
Security Response Engineer at a media company with 10,001+ employees
Vendor
Mar 10, 2016
It reduces the amount of time required to perform an investigation because of the correlation and aggregation of all the events.

Valuable Features

It reduces the amount of time required to perform an investigation because of the correlation and aggregation of all the events. From what I've seen for our network, it's the best at ingestion of events.

Improvements to My Organization

We're a large organization, and the tool scales very well for us.

Room for Improvement

The technical support needs to be improved.

Deployment Issues

We've had no issues with deployment.

Stability Issues

Whether we've had issues with stability is a hard thing to say because we're on the cutting edge of virtualization. When we were on older hardware with physical servers, it was relatively stable. But we ran into issues with support, and we decided to virtualize a lot of the it -- everything from the loggers to the ESM. We…
Vinod Shankar
Manager, Enterprise Risk Consulting at a tech company with 1,001-5,000 employees
Consultant
Jan 27, 2015
Network investigation is poor but it's highly customizable

Valuable Features:

  • Powerful correlation customization
  • Integration capabilities

Room for Improvement:

  • Very complex install and management
  • Steep learning curve
  • Poor network investigation
  • Poor analytics

Use of Solution:

Six years.

Stability Issues:

Yes. If the Logger, ESM and Connector ecosystem is not set up properly, it leads to stability issues both in point operations as well as integrations.

Scalability Issues:

No. ArcSight is very scalable.

Customer Service:

3 out of 5.

Implementation Team:

We implemented it in-house.

ROI:

Poor as the product takes more effort to generate value. Its CAPEX cost is high too.

Other Advice:

If you really want the power and flexibility of…
it_user147210
Sr Security Engineer at a tech services company with 51-200 employees
Consultant
Aug 17, 2014
There are SO MANY things you can do in AS, and there is a lack of really in-depth documentation on a lot of it.

What other advice do I have?

Implementation advice: this is a big job, and unless you are able to hire and train a dedicated SIEM engineer, I would look at getting staff augmentation from HP or other consulting types. Be prepared to Read The Friendly Manual (RTFM), and do a lot of searches online. Take the entry-level certs that HP offers, and get classes if there is budget.
it_user142611
Information Security Professional at a financial services firm with 1,001-5,000 employees
Vendor
Jul 24, 2014
The response is good for Read/Write functions but I've encountered other minor issues. Better than its competitors.
it_user140673
Senior Manager of System Security with 501-1,000 employees
Vendor
Jul 20, 2014
4 stars, not 5 due to the sheer magnitude of work and understanding to have a highly functioning implementation.

What other advice do I have?

Understanding of your environment and data sources is key before correlation can occur. Make sure your environment is at a point where augmentation of the existing analysis workflow is required, and that you are not using a SIEM to establish one.
it_user126918
Information Security Consultant with 1,001-5,000 employees
Vendor
Jun 11, 2014
ArcSight helps a lot in auditing system and network admins; Needs to improve in High Availability

What other advice do I have?

I would recommend buying ArcSight.
it_user126648
Senior Security Analyst at a tech services company with 10,001+ employees
Consultant
Jun 11, 2014
Great Scalability and Adaptability but it's Expensive

What other advice do I have?

Best SIEM product but it's high on pricing and licensing.
it_user126642
IT Security Consultant at a tech services company with 51-200 employees
Consultant
Jun 10, 2014
The ESM and logger are powerful tools but log support needs improvement

What other advice do I have?

Consider the complexity of this solution and choose the right people to deploy it.