OpenText Enterprise Security Manager Valuable Features
Namdev Magar
Senior Security Engineer at Valuepoint Systems
The ability to interpret data is highly valued. Although the user interface is not highly acceptable for writing queries and retrieving data, it is easy to use for writing use cases and correlations.
First of all, ArcSight is a renowned name. ArcSight's technology and use cases are well-established and widely utilized. Customers prefer experienced vendors with industry expertise. We have a team of over 20 pre-sales and post-sales resources who are experts in deploying ArcSight within crucial networks and infrastructures. So, it's the combination of a well-known name, a proven track record, and the expertise to deploy it effectively.
The most valuable feature is the correlation of different logs that are collected. Any application can collect logs, but ESM excels at performing regression and correlation on that data to display meaningful information for SOC analysts.
We are using the correlation part because correlation learning is already built-in. There are two main components: the Persistor and the Correlator. The correlation engine is part of the ESM, so the correlation is already happening.
We can create automatic correlations, but if you want, you can also correlate with any IOCs using external features like MISP (Malware Information Sharing Platform).
I would rate the ease of use for new users an eight out of ten, with ten being easy to use. It is a good tool.
Buyer's Guide
OpenText Enterprise Security Manager
June 2025

Learn what your peers think about OpenText Enterprise Security Manager. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
861,803 professionals have used our research since 2012.
The quantity of technology that supports integration with it and the other analytics features are also powerful.
Its comprehensive integration with various log sources was a major benefit.
The correlation engine effectively connects different events, significantly improving our detection reach. However, limitations exist with non-default alerts, where additional costs arise for integration. Overall, it does the job well.
DavidBrown13
Security Operations Director at Axon Technologies
The UBA features and, again, the correlation engine is nearly bulletproof. Once you have it dialed in, it provides accurate near-time responses as things are coming in to correlate and identify.
What I found most valuable in ArcSight Enterprise Security Manager (ESM) is its good integration with third-party products. The solution also has good core capabilities.
PeterMendonca
Sr. Group Manager at WNS Global Services
ArcSight ESM provides us the flexibility to write our own passwords and customize the solution. It lets us search and log a variety of SmartConnectors. It has 480-plus SmartConnectors.
Peter-Mendonca
Sr. Group Manager at a tech vendor with 10,001+ employees
ArcSight is customizable. You can integrate just about anything. I also like the ease of use.
I value the event correlation of this product; it handles it well. We are able to eliminate many of the false positives, which eliminates a lot of the noise within the environment.
Usability is the most valuable feature. The accessibility is quite good. If a new person wants to be trained in this product, it's easy for them to be trained, as opposed to other products like Splunk or Sentinel.
ArcSight is good, and it's also scaling up.
We utilize ArcSight ESM for real-time threat detection in our organization. We have custom rules that we've developed on top of the WAN services, along with scheduled licensing activities.
It provides more granular data compared to solutions like Azure or Splunk. While ArcSight ESM may be considered less user-friendly, it offers a high level of customization, allowing for configuration and adaptation to specific use cases, especially regarding alerting and incident response.
Its integrations are working well. Though I haven't used the solution for an extended period, it seems highly customizable. This level of customization is not commonly found in many solutions. While solutions like Kubernetes offer a variety of apps through app extensions, it allows users to build their features to a considerable extent.
It is a robust product and has multiple valuable features. For example, it has robust threat intelligence built into its customization and great templates that provide ease of use.
The most valuable features of ArcSight ESM are the dashboards, ease of management for anyone, and simple for teams to provide reports related to cyber security. There are a lot of good features that are provided.
The most valuable feature of ArcSight ESM is its ease of use.
The user interfaces are quite good and speedy, and I like the consoles too. The typology and the setup are also good. It's very similar to QRadar, so it's user friendly although I believe QRadar rates better.
It offers easy integrations.
It's flexible for managing the monitoring of all activities on your network. It offers easy management and good dashboards.
There is good visibility over all of the traffic and logs and the health of the devices. It makes maintenance very easy.
It works with Linux and Mac, and other network devices, including firewalls and proxies.
The solution can take logs from the cloud. That said, we do need to deploy a cloud connector to make that happen.
ArcSight Enterprise Security Manager (ESM) works perfectly. It's a stable and scalable product.
The features I found most important in this solution are artificial intelligence and correlation tools. Machine learning which was recently added to the platform is also an important feature.
BCCB Onil Nunes
Chief Information Officer at Bassein Catholic Co-Op Bank
The reports that we are getting from ArcSight are very valuable. The reporting in ArcSight is good. Our regulators ask us for the reports on a regular basis, and we have been able to provide the required data.
Its overall functionality in terms of log analysis and the speed at which it does that is also valuable. It is very quick. Whatever alerts we had configured were extremely fast. We immediately get alerts when there is unauthorized access or unknown access, or even positive access. This is where we found the difference between ArcSight and other solutions.
The filters and the ability to do what you want are the most valuable features. There is nothing that you cannot do in this solution. It has all the features, which makes it very dynamic.
The feature that I have found the most useful is that it can be deployed to the cloud.
The simplicity of the solution is the most valuable aspect of the product.
The product is quite mature. It's been around for a long time.
The integration is easy for the most part.
Velly Nusmir
Senior Manager at PT Permata Anugerah Abadi
The solution has a good dashboard, very good real-time reporting and it's easy to use, offering simplicity for implementation and operations.
Jeremy Ambicha
Forensic Consultant at A Cyber 1 Company
The out-of-the-box rules that help us configure functioning rules within the environment are valuable. For example, they have good resources to help detect and populate the dashboard if something malicious happens. Additionally, we value a good visual representation of a company and network infrastructure.
The most valuable features of ArcSight ESM are ease of use and readily usable components.
The most important feature is ArcSight's event correlation capabilities. It's powerful and easy. I also like the flex connector capability. It's easy to develop a new connector that isn't fully supported out of the box. For example, say you created a solution internally that's completely different, and it's not unsupported by the solution. You can write your own connector using the flex connector.
It is a very useful tool for intelligence building because it has many use cases and many rule sets.
The most valuable feature is the real-time alerts. We're also currently looking to incorporate some of the SOAR capabilities that are new to the platform.
I really like the correlation part and the way the logs are correlated. I have never faced issues with parsing in this product. I like the way it parses, and everything is so clear to me.
The solution is very good at consolidating logs from a variety of sources.
The solution is pretty stable.
The solution can scale.
Velly Nusmir
Senior Manager at PT Permata Anugerah Abadi
The most useful features are directories, price, and live reporting.
There are many features that are good for clients who are looking for a good SIEM solution. They like the ease of creating a business that is effective and impressive.
The solution offers very good monitoring.
The product's log management and event management capabilities are excellent.
There are a lot of really good analytical components. It helps us focus on analysis.
I think the correlation feature is one of the best features of ArcSight.
Utkarsh Srivastava
CISO and DPO at ValueLabs LLP
The most valuable features are lists, correlation, escalation matrix, and customers.
Luthfiana Hudaya
Works at NOOSC Global
I really like the dashboard.
I think that the overall experience with this solution is good, but in particular, I think that the dashboards are quite interactive.
Hong Jinki
Security Manager at shinhan DS
The features that we have found to be most valuable are:
- Connectivity with the SOC system
- Flexible connectivity with third-party solutions
Filip Simeonov
Information Security and Business Data Protection Specialist at a comms service provider with 1,001-5,000 employees
The webpage algorithm is the most valuable feature because it was the fastest feature for searching the logs, events, and correlation.
Teguh Budyantara
IT Manager at Royal Cemerlang
ArcSight ESM: The module has user-defined rules capabilities. This feature lets us define almost any threat.
- Smart Connectors and Flex Wizard
- Multi-tenant access
- Customization for dashboards and reporting
- Improvements made to the ADP platform
Once the rules are defined, it is capable of detecting minute changes in the systems, which are effectively based on the entries in the log.
- Large scale installations work well.
- The new user interface is nice.
- The real-time analysis adds value.
- The default packages on the new HPE Marketplace are useful and give nice default dashboards and reports for most of the well-known products.
Customization. ArcSight gives you a platform to on-board out-of-the-box devices with a more accurate way of collecting desired logs/events. Competitors offer something similar, but ArcSight does give you more detail.
Hatem Metwally
Senior Security Consultant, CISSP, HPE ArcSight Specialist at a retailer with 5,001-10,000 employees
- SmartConnector: Normalization parses raw logs and converts them into CEF (common event format). This is the core of the product.
- Filtration, Aggregation: Both features provide a good way to save EPS (events per second).
- Logger: Long log retention, fast search, and reporting.
- ESM/Express: Correlation via standard rules and data monitors, active list, session list, active channels, reports, trends, queries, dashboards (query viewers and data monitors), and lightweight rules.
The valuable features are:
- Integration and log collection with different devices.
- Collecting logs from many different sources. If you have your own app, you can do logging for it. In addition, you can customize log parsing.
- Correlations of logs from different device types.
- Built-in content such as reports, dashboard, compliance, and standard packages.
- Option to correlate logs with business data.
- Option to adjust the product to different roles: operations, decision makers, and administrators.
- You can adjust the web console interface to match the specific role.
- Integration with other products, such as databases and IPSs.
- Additional features are available with simple extensions. The solution enables you to monitor logs and to analyze data, but you can also use additional add-ins such as reputation services that can integrate ArcSight ESM with tipping point IPS.
- Correlations of logs from different device types.
- Ready-made content that can be used immediately.
- Customized business tables can be correlated. For example, the employee sick leave register can be correlated with Windows login logs.
The web logger allows me to view and inquire about various events in real time. It is the most useful feature for me for the following reasons:
- Allows me to look at the traffic in real time
- Allows me to add filters that remove the traffic that is not interesting
- Allows me to narrow down my research to only important traffic.
- Helps me in my troubleshooting work. I need to know a bit of SQL query syntax, but that is straightforward.
- Allows me to create reports, evaluate my findings, and send information to my customers.
Correlation and data normalization via CEF: The speed of ArcSight's correlation engine, together with data enrichment, makes it a great tool for exploring vast amounts of data. Other SIEM tools have a hard time giving the same results at the same speed. Also, thanks to CEF log formatting, combining events from different sources takes minimal effort. Whereas, setting up that normalisation on other SIEM competitors could take countless hours.
- Event correlation across multiple device categories: It allows us to have a full picture of what is happening in the environment.
- Flexible event collection: Besides hundreds of standard devices, you can send custom CEF Syslog prepared with your own scripts.
- Customization of alerts: Velocity macros allow you to send very clear and user-friendly alerts.
Creating dashboards and real-time channels for real-time monitoring: This feature gives real-time alerts for the monitoring team to act upon. In certain cases, we can also create real-time email alerts for relevant teams for faster actions and resolutions.
It is easy to use when we created some dashboards for analytics. ArcSight allows you to create a dashboard and provides an on-the-fly filter.
Correlation capabilities: This product provides an advanced level of correlations, which is highly valued.
The ESM's interface is really comprehensive. While the ArcSight console is really heavy, and I tend to dislike Java-based Windows GUIs, it's feature-rich and provides a seamless way to move between analyzing events and creating content.
It’s a highly customizable solution. Rules can be customized to a great extent. Session lists, active lists, and global and local variables are pretty unique to the solution.
The ArcSight solution supports your security team with many SIEM features:
- Monitoring
- Analysis
- Alerts
- Incident response
In my opinion, ArcSight is an open solution. It is easy to:
- Customize components
- Use FlexConnector to collect logs from your own application
- Edit rules and the dashboard
- Create work flows
- Enrich information for events
- High flexibility: There are many custom sources of information that we wouldn't be able to integrate with another SIEM solution, thus compromising our security.
- High performance: The amount of data fed to the solution is huge (100s of millions of events per day).
- Capacity for multi-tier hierarchical deployment: We are able to integrate and standardize security incident detection and response over many locations.
One of the most valuable features is the Active List/Session List capability.
Multiple use cases were only possible to be created due to this feature list. The feature list allows us to input data dynamically to list it as a rule action.
For example: If you need to take a Source IP from an IPS event and put it in an ActiveList suspicious IP, you can create another rule for AntiVirus events where it only matches IPs within that list.
The most valuable features are flexible setup of the architecture and large coverage of devices. Most devices deployed in enterprise environments are covered out-of-the-box by ArcSight. Unlike a few other solutions, the last-mile connectivity with ArcSight agent servers is free and flexible across all location deployments.
Correlation and flexibility are the most valuable features.
- Collection - Collects logs from a wide range of products, even those not supported by default and the users can develop a connector for log collection.
- Detection - Caliber to detect subtle attacks with a powerful correlation engine.
- Report/Alert - The user has multiple levels of options to generate reports and get alerted based on conditions.
- Alert correlation
- Reporting
- Retention
These are the features we find most valuable for us and which we use the most.
- Scalable though it is not "plug-and-play".
- Various deployment configurations, based on requirements, budget and the EPS/GB per day
- Stable, performance predictable based on used capacity
- Integration with alerting/ticketing systems such as Tivoli
- Security, understanding detection, intrusion, and how to do prevention and take action on an event that occurs from a security layer.
- Having a single solution that can actually manage the entire infrastructure, soup to nuts.
- Ability to detect and then take action on it.
Omar Sánchez (Mr.Tech)
Information Security Advisor, CISO & CIO, Docutek Services at Docutek Services
Intrusion Detection System (IDS)
Security Information and Event Management (SIEM)
- Real-time rules for threat detection
- Event correlations that are automated and prioritized according to level of security risk and compliance violation
The best feature of ArcSight is its flexibility. Almost no other vendor provides such a good framework to collect, parse, and analyze data. Its flexibility is achieved by being easy to use, and at the same time having very sophisticated FlexConnectors. Also, I've found ArcSight's correlation engine to be the most advanced on the market.
- It has flexible and rich correlation capabilities. This is the most mature product in this area.
- It has the capability to manipulate every parameter - sub-strings, indexes, and custom functions.
- Active Lists - This is the most powerful feature which supports correlation. It also has multi-column active lists, parameters manipulation, and correlation capabilities that provide great flexibility.
- Full control of correlation flow - There are no black-box closed rules, unlike with McAfee Nitro, and no default aggregation which is hard to analyze, unlike Offenses in QRadar.
The dashboard is the most valuable feature for us as it can show a lot of information about real-time incidents.
- Logger
- Command Center
The real-time correlation (CORR) engine and ability to build complex correlations from simple 'building blocks', provided the base 'building blocks' are well thought out in the first place, are the most valuable features for us.
I think the ability to create rules more flexible than in other products (i.e. IBM QRadar) is its most valuable feature. It has good options for shaping data and using them in very complex rules.
For us, there are several valuable features.
- The ability to correctly parse the most number of products comparing to its competitors;
- The ability to create very complex scenarios to detect security risks and anomalies;
- Very stable system components (connectors, logger and correlation engine) combined with satisfactory vendor support; and
- The ability to create parsers for all kinds of applications and systems is an important differentiator.
From the time that we purchased it, the multi-tenancy feature has been the most valuable for us. At the time, HP was the only vendor with this feature, but it seems that every vendor today does. Another feature we like is the live threat feed that's quite advanced. HP is the industry leader with this from an SIEM perspective.
The most valuable feature for us is its ability to correlate security events and then allowing us to take action to address those events.
It's a reliable service and provides our team members with a lot of knowledge. In turn, it provides solutions for the needs of the IT department.
The two most valuable features for us are the deployment strategy and its operational ease.
They're the leader of the SIEM market for fifteen years or so. ArcSight is a very capable product that integrates with many different platforms. It's huge with a lot of moving parts, but nothing can compete with it in terms of capability.
It reduces the amount of time required to perform an investigation because of the correlation and aggregation of all the events. From what I've seen for our network, it's the best at ingestion of events.
Vinod Shankar
Manager, Enterprise Risk Consulting at a tech company with 1,001-5,000 employees
- Powerful Correlation
- Customization
- Integration capabilities
Not really a feature, per se, but the ability to do multi-tenant SIEM.
Correlation Rules, Dashboards, Active Channels, Active Lists and many more. All these features make this product better than its competitors.
Custom data parsers and custom event / asset categorization.
The ArcSight log collection mechanism is simple and it supports a large number of devices. Rules, Report and Dashboard can be customized based on the user requirements and hence it helped a lot to impress our customers. Additionally, ArcSight has tight integration with incident response tools such as HP Threat Response Manager, CIRT and Encase. ArcSight provides a platform to integrate third-party dashboard tools such as idashboard and Tableau. Also, HP ArcSight's inbuilt case management is very simple and can be exported to external HP service Manager.
Scalability and Adaptability. By Scalability, I mean, the number of supported devices by ArcSight. You can make changes to the current deployment if required or add a new region in the scope by adding components of ArcSight. By Adaptability I mean, once the analysts see what can be achieved by utilizing the various resources of ArcSight, it motivates them to come up with new ideas and how to implement them. The interface is quite user friendly compared to other Vendors.
Too many to name, but here are a few:
- Its versatility when it comes to vendor support.
- The ESM and logger are powerful tools. If used properly, we can achieve much more than we previously could. The Alert and Case Tracking mechanism contribute to the work of ESM and Logger.
- Express, all-in-one component is best for small businesses.
- NTP is efficient in blocking identified threats.
- ArcSight Flex Connector Development module is an excellent feature if you want to get the logs from unsupported vendor products.
On the positive side, ArcSight ESM's performance was excellent. It was very fast when writing queries. It provided good performance monitoring and had built-in rules to show which rules triggered most often and impacted performance. This performance monitoring was well-implemented.
Velly Nusmir
Senior Manager at PT Permata Anugerah Abadi
ESM has valuable features for event prediction and security analysis.
MuhammadJunaid3
Technical Lead Enterprise Solution at a tech services company with 51-200 employees
Correlation engine, by correlating the cross-domain logs.