ArcSight Enterprise Security Manager (ESM) Valuable Features
We are using the correlation part because correlation learning is already built-in. There are two main components: the Persistor and the Correlator. The correlation engine is part of the ESM, so the correlation is already happening.
We can create automatic correlations, but if you want, you can also correlate with any IOCs using external features like MISP (Malware Information Sharing Platform).
I would rate the ease of use for new users an eight out of ten, with ten being easy to use. It is a good tool.

Its comprehensive integration with various log sources was a major benefit.
The correlation engine effectively connects different events, significantly improving our detection reach. However, limitations exist with non-default alerts, where additional costs arise for integration. Overall, it does the job well.

I value the event correlation of this product; it handles it well. We are able to eliminate many of the false positives, which eliminates a lot of the noise within the environment.
Buyer's Guide
ArcSight Enterprise Security Manager (ESM)
April 2024
Learn what your peers think about ArcSight Enterprise Security Manager (ESM). Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
767,847 professionals have used our research since 2012.
DavidBrown13
Security Operations Director at Axon Technologies
The UBA features and, again, the correlation engine is nearly bulletproof. Once you have it dialed in, it provides accurate near-time responses as things are coming in to correlate and identify.

Usability is the most valuable feature. The accessibility is quite good. If a new person wants to be trained in this product, it's easy for them to be trained, as opposed to other products like Splunk or Sentinel.
ArcSight is good, and it's also scaling up.

- Smart Connectors and Flex Wizard
- Multi-tenant access
- Customization for dashboards and reporting
- Improvements made to the ADP platform
What I found most valuable in ArcSight Enterprise Security Manager (ESM) is its good integration with third-party products. The solution also has good core capabilities.
Peter-Mendonca
Sr. Group Manager at a tech vendor with 10,001+ employees
ArcSight is customizable. You can integrate just about anything. I also like the ease of use.
BCCB Onil Nunes
Chief Information Officer at Bassein Catholic Co-Op Bank
The reports that we are getting from ArcSight are very valuable. The reporting in ArcSight is good. Our regulators ask us for the reports on a regular basis, and we have been able to provide the required data.
Its overall functionality in terms of log analysis and the speed at which it does that is also valuable. It is very quick. Whatever alerts we had configured were extremely fast. We immediately get alerts when there is unauthorized access or unknown access, or even positive access. This is where we found the difference between ArcSight and other solutions.
PeterMendonca
Sr. Group Manager at WNS Global Services
ArcSight ESM provides us the flexibility to write our own passwords and customize the solution. It lets us search and log a variety of SmartConnectors. It has 480-plus SmartConnectors.
Custom data parsers and custom event / asset categorization.
It is a robust product and has multiple valuable features. For example, it has robust threat intelligence built into its customization and great templates that provide ease of use.
The user interfaces are quite good and speedy, and I like the consoles too. The typology and the setup are also good. It's very similar to QRadar, so it's user friendly although I believe QRadar rates better.

The filters and the ability to do what you want are the most valuable features. There is nothing that you cannot do in this solution. It has all the features, which makes it very dynamic.
reviewer2134215
Consultant at a financial services firm with 10,001+ employees
It offers easy integrations.
It's flexible for managing the monitoring of all activities on your network. It offers easy management and good dashboards.
There is good visibility over all of the traffic and logs and the health of the devices. It makes maintenance very easy.
It works with Linux and Mac, and other network devices, including firewalls and proxies.
The solution can take logs from the cloud. That said, we do need to deploy a cloud connector to make that happen.

I think that the overall experience with this solution is good, but in particular, I think that the dashboards are quite interactive.

The most valuable features of ArcSight ESM are the dashboards, ease of management for anyone, and simplicity for teams to provide reports related to cyber security. There are a lot of good features that are provided.
Mahmoud Younes
Soc Cybersecurity Analyst at VaporVM
We utilize ArcSight ESM for real-time threat detection in our organization. We have custom rules that we've developed on top of the WAN services, along with scheduled licensing activities.
It provides more granular data compared to solutions like Azure or Splunk. While ArcSight ESM may be considered less user-friendly, it offers a high level of customization, allowing for configuration and adaptation to specific use cases, especially regarding alerting and incident response.
Its integrations are working well. Though I haven't used the solution for an extended period, it seems highly customizable. This level of customization is not commonly found in many solutions. While solutions like Kubernetes offer a variety of apps through app extensions, it allows users to build their features to a considerable extent.

- Logger
- Command Center
The real-time correlation (CORR) engine and the ability to build complex correlations from simple 'building blocks', provided the base 'building blocks' are well thought out in the first place, are the most valuable features for us.

ArcSight Enterprise Security Manager (ESM) works perfectly. It's a stable and scalable product.

Correlation and data normalization via CEF: The speed of ArcSight's correlation engine, together with data enrichment, makes it a great tool for exploring vast amounts of data. Other SIEM tools have a hard time giving the same results at the same speed. Also, thanks to CEF log formatting, combining events from different sources takes minimal effort, whereas setting up that normalisation on other SIEM competitors could take countless hours.

The most valuable feature of ArcSight ESM is its ease of use.
Hong Jinki
Security Manager at shinhan DS
The features that we have found to be most valuable are:
- Connectivity with the SOC system
- Flexible connectivity with third-party solutions
Once the rules are defined, it is capable of detecting minute changes in the systems, which are effectively based on the entries in the log.

- It has flexible and rich correlation capabilities. This is the most mature product in this area.
- It has the capability to manipulate every parameter - sub-strings, indexes, and custom functions.
- Active Lists - This is the most powerful feature which supports correlation. It also has multi-column active lists, parameters manipulation, and correlation capabilities that provide great flexibility.
- Full control of correlation flow - There are no black-box closed rules, unlike with McAfee Nitro, and no default aggregation which is hard to analyze, unlike Offenses in QRadar.
The features I found most important in this solution are artificial intelligence and correlation tools. Machine learning which was recently added to the platform is also an important feature.
reviewer1069233
Principal Enterprise Architect (Technology, Cloud & Security) at a retailer with 10,001+ employees
The feature that I have found the most useful is that it can be deployed to the cloud.

The most valuable feature for us is its ability to correlate security events and then allow us to take action to address those events.

They've been the leader of the SIEM market for fifteen years or so. ArcSight is a very capable product that integrates with many different platforms. It's huge with a lot of moving parts, but nothing can compete with it in terms of capability.
Not really a feature, per se, but the ability to do multi-tenant SIEM.
The web logger allows me to view and inquire about various events in real time. It is the most useful feature for me for the following reasons:
- Allows me to look at the traffic in real time
- Allows me to add filters that remove the traffic that is not interesting
- Allows me to narrow down my research to only important traffic.
- Helps me in my troubleshooting work. I need to know a bit of SQL query syntax, but that is straightforward.
- Allows me to create reports, evaluate my findings, and send information to my customers.
It’s a highly customizable solution. Rules can be customized to a great extent. Session lists, active lists, and global and local variables are pretty unique to the solution.

Correlation and flexibility are the most valuable features.
Velly Nusmir
Senior Manager at PT Permata Anugerah Abadi
ESM has valuable features for event prediction and security analysis.
Jeremy Ambicha
Forensic Consultant at A Cyber 1 Company
The out-of-the-box rules that help us configure functioning rules within the environment are valuable. For example, they have good resources to help detect and populate the dashboard if something malicious happens. Additionally, we value a good visual representation of a company and network infrastructure.
reviewer1417383
Presales Manager at a tech services company with 51-200 employees
The most important feature is ArcSight's event correlation capabilities. It's powerful and easy. I also like the flex connector capability. It's easy to develop a new connector that isn't fully supported out of the box. For example, say you created a solution internally that's completely different, and it's not supported by the solution. You can write your own connector using the flex connector.
Luthfiana Hudaya
Works at NOOSC Global
I really like the dashboard.
Correlation Rules, Dashboards, Active Channels, Active Lists and many more. All these features make this product better than its competitors.
Creating dashboards and real-time channels for real-time monitoring: This feature gives real-time alerts for the monitoring team to act upon. In certain cases, we can also create real-time email alerts for relevant teams for faster actions and resolutions.

I think the ability to create rules more flexible than in other products (i.e. IBM QRadar) is its most valuable feature. It has good options for shaping data and using them in very complex rules.
Vinod Shankar
Manager, Enterprise Risk Consulting at a tech company with 1,001-5,000 employees
- Powerful Correlation
- Customization
- Integration capabilities
reviewer1370811
Head - Professional Services at a computer software company with 51-200 employees
The simplicity of the solution is the most valuable aspect of the product.
The product is quite mature. It's been around for a long time.
The integration is easy for the most part.
Hatem Metwally
Senior Security Consultant, CISSP, HPE ArcSight Specialist at a retailer with 5,001-10,000 employees
- SmartConnector: Normalization parses raw logs and converts them into CEF (common event format). This is the core of the product.
- Filtration, Aggregation: Both features provide a good way to save EPS (events per second).
- Logger: Long log retention, fast search, and reporting.
- ESM/Express: Correlation via standard rules and data monitors, active list, session list, active channels, reports, trends, queries, dashboards (query viewers and data monitors), and lightweight rules.
- Alert correlation
- Reporting
- Retention
These are the features we find most valuable for us and which we use the most.

It reduces the amount of time required to perform an investigation because of the correlation and aggregation of all the events. From what I've seen for our network, it's the best at ingestion of events.
reviewer987771
Senior Manager at a tech services company with 51-200 employees
The most valuable features of ArcSight ESM are ease of use and readily usable components.
reviewer1738932
Security Sales Engineer
The most valuable feature is the real-time alerts. We're also currently looking to incorporate some of the SOAR capabilities that are new to the platform.

The valuable features are:
- Integration and log collection with different devices.
- Collecting logs from many different sources. If you have your own app, you can do logging for it. In addition, you can customize log parsing.
- Correlations of logs from different device types.
- Built-in content such as reports, dashboard, compliance, and standard packages.
- Option to correlate logs with business data.
- Option to adjust the product to different roles: operations, decision makers, and administrators.
- You can adjust the web console interface to match the specific role.
- Integration with other products, such as databases and IPSs.
- Additional features are available with simple extensions. The solution enables you to monitor logs and to analyze data, but you can also use additional add-ins such as reputation services that can integrate ArcSight ESM with tipping point IPS.
- Correlations of logs from different device types.
- Ready-made content that can be used immediately.
- Customized business tables can be correlated. For example, the employee sick leave register can be correlated with Windows login logs.
- High flexibility: There are many custom sources of information that we wouldn't be able to integrate with another SIEM solution, thus compromising our security.
- High performance: The amount of data fed to the solution is huge (100s of millions of events per day).
- Capacity for multi-tier hierarchical deployment: We are able to integrate and standardize security incident detection and response over many locations.
For us, there are several valuable features.
- The ability to correctly parse the largest number of products compared to its competitors;
- The ability to create very complex scenarios to detect security risks and anomalies;
- Very stable system components (connectors, logger and correlation engine) combined with satisfactory vendor support; and
- The ability to create parsers for all kinds of applications and systems is an important differentiator.
It's a reliable service and provides our team members with a lot of knowledge. In turn, it provides solutions for the needs of the IT department.
technica402861
Senior Manager - Cyber Security at a comms service provider with 1,001-5,000 employees
The two most valuable features for us are the deployment strategy and its operational ease.
ShilpaSingh
Security Engineer at a tech services company with 1,001-5,000 employees
I really like the correlation part and the way the logs are correlated. I have never faced issues with parsing in this product. I like the way it parses, and everything is so clear to me.

There are many features that are good for clients who are looking for a good SIEM solution. They like the ease of creating a business that is effective and impressive.
reviewer1342554
Associate Vice President at a consumer goods company with 201-500 employees
The solution offers very good monitoring.
The product's log management and event management capabilities are excellent.
There are a lot of really good analytical components. It helps us focus on analysis.
Teguh Budyantara
IT Manager at Royal Cemerlang
ArcSight ESM: The module has user-defined rules capabilities. This feature lets us define almost any threat.

- Scalable though it is not "plug-and-play".
- Various deployment configurations, based on requirements, budget and the EPS/GB per day
- Stable, performance predictable based on used capacity
- Integration with alerting/ticketing systems such as Tivoli
Velly Nusmir
Senior Manager at PT Permata Anugerah Abadi
The most useful features are directories, price, and live reporting.

- Large scale installations work well.
- The new user interface is nice.
- The real-time analysis adds value.
- The default packages on the new HPE Marketplace are useful and give nice default dashboards and reports for most of the well-known products.
- Event correlation across multiple device categories: It allows us to have a full picture of what is happening in the environment.
- Flexible event collection: Besides hundreds of standard devices, you can send custom CEF Syslog prepared with your own scripts.
- Customization of alerts: Velocity macros allows you to send very clear and user-friendly alerts.
Correlation capabilities: This product provides an advanced level of correlations, which is highly valued.

The ESM's interface is really comprehensive. While the ArcSight console is really heavy, and I tend to dislike Java-based Windows GUIs, it's feature-rich and provides a seamless way to move between analyzing events and creating content.

The best feature of ArcSight is its flexibility. Almost no other vendor provides such a good framework to collect, parse, and analyze data. Its flexibility is achieved by being easy to use, and at the same time having very sophisticated FlexConnectors. Also, I've found ArcSight's correlation engine to be the most advanced on the market.
Too many to name, but here are a few:
- Its versatility when it comes to vendor support.
- The ESM and logger are powerful tools. If used properly, we can achieve much more than we previously could. The Alert and Case Tracking mechanism contribute to the work of ESM and Logger.
- Express, all-in-one component is best for small businesses.
- NTP is efficient in blocking identified threats.
- ArcSight Flex Connector Development module is an excellent feature if you want to get the logs from unsupported vendor products.
Ly Binh Lap
Network Security Engineer, Security Monitoring Center at a tech services company
The ArcSight solution supports your security team with many SIEM features:
- Monitoring
- Analysis
- Alerts
- Incident response
In my opinion, ArcSight is an open solution. It is easy to:
- Customize components
- Use FlexConnector to collect logs from your own application
- Edit rules and the dashboard
- Create work flows
- Enrich information for events
ProductS9907
Product Specialist Security Solutions at a tech services company with 201-500 employees
One of the most valuable features is the Active List/Session List capability.
Multiple use cases were only possible to create due to this list feature. The list feature allows us to input data dynamically into a list as a rule action.
For example: If you need to take a Source IP from an IPS event and put it in an ActiveList of suspicious IPs, you can create another rule for AntiVirus events where it only matches IPs within that list.
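A worked illustration of the two-rule active-list chain described in the review above (IPS event populates a suspicious-IP list, AntiVirus event from a listed IP raises a correlated alert), added here as an example and not code from the page or from ArcSight itself. It also parses the CEF format that other reviews on this page mention as the normalization layer. The vendor name, signature IDs, IP addresses, the `rt` timestamps and the list's time-to-live are all constructed, and the parser is a toy that ignores CEF's escape rules.

```python
import re

# Constructed sample CEF events (not from the original page). The 'rt' extension
# carries the event time in epoch seconds so the list's expiry can be exercised.
SAMPLE_CEF = [
    "CEF:0|Acme|IPS|1.0|2001|Port scan detected|6|src=10.0.0.5 dst=10.0.1.10 dpt=22 rt=1000",
    "CEF:0|Acme|IPS|1.0|2002|Exploit attempt|8|src=10.0.0.9 dst=10.0.1.11 dpt=445 rt=1010",
    "CEF:0|Acme|AntiVirus|3.2|AV-100|Malware quarantined|5|src=10.0.0.5 fname=dropper.exe act=quarantine rt=1300",
    "CEF:0|Acme|AntiVirus|3.2|AV-100|Malware quarantined|5|src=10.0.0.77 fname=eicar.com act=quarantine rt=1350",
    "CEF:0|Acme|AntiVirus|3.2|AV-100|Malware quarantined|5|src=10.0.0.9 fname=loader.dll act=quarantine rt=9000",
]

HEADER_FIELDS = ("version", "deviceVendor", "deviceProduct", "deviceVersion",
                 "signatureId", "name", "severity")
# Extension values may contain spaces, so a value runs until the next " key=" or end of line.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line):
    """Split one CEF record into its seven header fields plus extension key=value pairs.
    Toy parser: it does not handle the '\\|' and '\\=' escapes that the CEF spec allows."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = line[len("CEF:"):].split("|", 7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    event.update(EXT_RE.findall(parts[7]))
    return event


class ActiveList:
    """Minimal stand-in for an ESM multi-column active list: keyed rows with a TTL."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self.rows = {}  # key -> (expiry, columns)

    def add(self, key, now, columns):
        self.rows[key] = (now + self.ttl, columns)

    def lookup(self, key, now):
        entry = self.rows.get(key)
        if entry is None:
            return None
        expiry, columns = entry
        if expiry <= now:  # expired rows drop out, so stale IPs stop matching
            del self.rows[key]
            return None
        return columns


def correlate(lines, ttl_seconds=3600):
    """Rule 1: an IPS event adds its source IP (and the triggering signature) to the
    suspicious-IP list. Rule 2: an AntiVirus event whose source IP is on that list
    fires a correlated alert. Returns the list of alerts."""
    suspicious = ActiveList(ttl_seconds)
    alerts = []
    for seq, line in enumerate(lines):
        ev = parse_cef(line)
        now = float(ev.get("rt", seq))  # fall back to arrival order if no rt
        src = ev.get("src")
        if src is None:
            continue
        if ev["deviceProduct"] == "IPS":
            suspicious.add(src, now, {"ips_signature": ev["name"], "ips_severity": ev["severity"]})
        elif ev["deviceProduct"] == "AntiVirus":
            hit = suspicious.lookup(src, now)
            if hit is not None:
                alerts.append({"src": src, "av_name": ev["name"], **hit})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_CEF):
        print(alert)
```

With the default one-hour TTL only 10.0.0.5 produces an alert: 10.0.0.77 was never flagged by the IPS, and 10.0.0.9's list entry has expired by the time its AntiVirus event arrives.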
Omar Sánchez (Mr.Tech)
Information Security Advisor, CISO & CIO, Docutek Services at Docutek Services
Intrusion Detection System (IDS)
Security Information and Event Management (SIEM)

From the time that we purchased it, the multi-tenancy feature has been the most valuable for us. At the time, HP was the only vendor with this feature, but it seems that every vendor today does. Another feature we like is the live threat feed that's quite advanced. HP is the industry leader with this from an SIEM perspective.
Velly Nusmir
Senior Manager at PT Permata Anugerah Abadi
The solution has a good dashboard, very good real-time reporting and it's easy to use, offering simplicity for implementation and operations.
reviewer1751472
Chief Technological Officer at a tech consulting company with 51-200 employees
It is a very useful tool for intelligence building because it has many use cases and many rule sets.

- Real-time rules for threat detection
- Event correlations that are automated and prioritized according to level of security risk and compliance violation
- Security, understanding detection, intrusion, and how to do prevention and take action on an event that occurs from a security layer.
- Having a single solution that can actually manage the entire infrastructure, soup to nuts.
- Ability to detect and then take action on it.
reviewer1501149
Managing partner at a tech services company with 11-50 employees
The solution is very good at consolidating logs from a variety of sources.
The solution is pretty stable.
The solution can scale.

- Collection - Collects logs from a wide range of products, even those not supported by default and the users can develop a connector for log collection.
- Detection - Caliber to detect subtle attacks with a powerful correlation engine.
- Report/Alert - The user has multiple levels of options to generate reports and get alerted based on conditions.
The dashboard is the most valuable feature for us as it can show a lot of information about real-time incidents.
Utkarsh Srivastava
CISO and DPO at ValueLabs LLP
The most valuable features are lists, correlation, escalation matrix, and customers.
Filip Simeonov
Information Security and Business Data Protection Specialist at a comms service provider with 1,001-5,000 employees
The webpage algorithm is the most valuable feature because it was the fastest feature for searching the logs, events, and correlation.

It is easy to use when we created some dashboards for analytics. ArcSight allows you to create a dashboard and provides an on-the-fly filter.
The ArcSight log collection mechanism is simple and it supports a large number of devices. Rules, reports and dashboards can be customized based on the user requirements, and hence it helped a lot to impress our customers. Additionally, ArcSight has tight integration with incident response tools such as HP Threat Response Manager, CIRT and Encase. ArcSight provides a platform to integrate third-party dashboard tools such as idashboard and Tableau. Also, HP ArcSight's inbuilt case management is very simple and can be exported to the external HP Service Manager.
Scalability and adaptability. By scalability, I mean the number of devices supported by ArcSight. You can make changes to the current deployment if required or add a new region to the scope by adding components of ArcSight. By adaptability, I mean that once the analysts see what can be achieved by utilizing the various resources of ArcSight, it motivates them to come up with new ideas and how to implement them. The interface is quite user friendly compared to other vendors.
MuhammadJunaid3
Technical Lead Enterprise Solution at a tech services company with 51-200 employees
Correlation engine, by correlating the cross-domain logs.
reviewer1284078
Information Security Analyst at a comms service provider with 1,001-5,000 employees
I think the correlation feature is one of the best features of ArcSight.

Customization. ArcSight gives you a platform to on-board out-of-the-box devices with a more accurate way of collecting desired logs/events. Competitors offer something similar, but ArcSight gives you more detail.

The most valuable features are flexible setup of the architecture and large coverage of devices. Most devices deployed in enterprise environments are covered out-of-the-box by ArcSight. Unlike a few other solutions, the last-mile connectivity with ArcSight agent servers is free and flexible across all location deployments.