Positive
My company is a customer of Anomali.
I would recommend it to other people.
I would advise making sure you don't pick it without testing other products and have your use cases well thought out and documented before testing, so you know it will solve the problems you're trying to address. Keep an open mind with it and realize that whatever you can dream of, you can probably do with the platform.
Overall, I would rate Anomali an eight out of ten.
I am working with something that is similar to Trellix ESM for event management. It is similar to Trellix Enterprise Security Manager.
Mainly compliance is the primary concern where organizations have to have log retention for more than six months, one year, or six years, depending on the compliance applicable to the organization for the Enterprise Security Manager. And Trellix gives us good reporting.
The strongest part of Trellix ESM is that we get quite good reports, while the weakest point is it doesn't cover almost all the devices, so the customer has to be more dependent on the parsers to be written by the Professional Services team. In the case of other ESM solutions, there are no parsers required, and almost every device is covered within the license, so there is no hidden cost as custom parsers.
Functionality and installation of Trellix ESM have never been a challenge.
We need to improve Trellix ESM by making sure that most of the logging devices available in the global market should be covered, and if there is any device which is not covered, there should not be any additional charges for writing the custom parsers on that.
We can add some new features regarding AI in the future for Trellix ESM, but the maturity will take a longer time.
There are many false positives that happen in an environment during the first couple of months, or around six months, so the system analyst is not able to identify whether the event which has occurred is a true positive or a false positive.
With Trellix ESM, I have been using it from day one when the product was launched in India, which is more than 15 years.
For us, Trellix ESM is quite stable.
Scalability is quite easy with Trellix ESM. All we need to do is add more receivers to it, so it can go to any point.
When discussing Trellix ESM suitability for enterprise, commercial, and government sectors, it is quite good. For small and medium enterprises, we have a solution that is an all-in-one device for the ESM, however, the limitation is that it can take a very small number of EPS count, meaning it doesn't suit medium enterprises, and they will not invest in the enterprise type of solution.
I would rate support for Trellix ESM 10 out of 10 because if we connect with the support in the UK, we get excellent support. However, the problems arise if we connect into the India data centers where there are challenges and people are not well equipped with the support infrastructure required to support the ESM solution.
Positive
I am familiar with other products from Trellix.
Maintenance of Trellix ESM is quite easy and it's not difficult to maintain.
When discussing Trellix ESM pricing and licensing, if you consider some premium product, the pricing also has to be premium; however, enterprise customers who look for a premium product, alongside the Gartner reporting, Forrester reporting, and PeerSpot, they don't look at the pricing.
Regarding AI functionality, I have not seen any integrations in the Trellix ESM product.
I rate Trellix ESM 10 out of 10.