OpenText Enterprise Security Manager Reviews

I have almost ten plus years of experience working with ArcSight Enterprise Security Manager (ESM), which includes overall cybersecurity and involves several SIEM solutions that I have worked with, such as QRadar.

We have developed many use cases for ArcSight Enterprise Security Manager (ESM), utilizing a tool called Veriden, which is the attack simulation tool, to test security controls. We perform attack tests that help us identify vulnerabilities, and based on that, we develop use cases such as for ransomware attacks, where we gather information on executing processes and services to create rules. Additionally, I use SOC Prime, an open-source tool that offers built use cases for multiple SIEM solutions, to help build our ArcSight Enterprise Security Manager (ESM) use cases.

ArcSight Enterprise Security Manager (ESM) has improved our organization overall as it is one of the best in the market and is user-friendly, requiring little effort to operate. We use multiple tools, including QRadar and ArcSight Enterprise Security Manager (ESM), because it is in high demand.

In ArcSight Enterprise Security Manager (ESM), the log analysis feature is particularly valuable as it allows analysts to interpret intrusion-related logs efficiently. It is useful when analyzing backdated logs, other solution logs, and coming to conclusions about incidents.

I do not have any areas for improvement in ArcSight Enterprise Security Manager (ESM) as I have not delved deeply into it; overall, it is a good package.

I would like to see the detection and response features included in the next release of ArcSight Enterprise Security Manager (ESM), as security orchestration and automation are increasingly important.

I have almost ten plus years of experience working with ArcSight Enterprise Security Manager (ESM), which includes overall cybersecurity and involves several SIEM solutions that I have worked with, such as QRadar.

I would rate the stability of ArcSight Enterprise Security Manager (ESM) a nine because I have not encountered significant issues, unlike other solutions that sometimes have database errors.

I would rate the scalability of ArcSight Enterprise Security Manager (ESM) as a seven; it is easy to scale, and I have not encountered any issues when we require more storage or deployment.

I would rate the technical support of ArcSight Enterprise Security Manager (ESM) a nine as they are always available and responsive whenever we open a case.

I would rate the initial setup of ArcSight Enterprise Security Manager (ESM) an eight because it is straightforward and has a simple architecture.

For maintenance of ArcSight Enterprise Security Manager (ESM), we have a security team of about four to five people working in shifts from 6 AM to night to handle any issues, including log forwarding, and we also have team members in the United States and India.

I find that using ArcSight Enterprise Security Manager (ESM) provides a valuable return on investment as it serves as a single point of glass for logs and data analysis, which I would rate an eight since it offers clear investment benefits to organizations.

I would rate the pricing of ArcSight Enterprise Security Manager (ESM) around seven, as it varies based on features and demand, making it more affordable for larger organizations, while smaller ones might find it expensive.

There are no additional costs in addition to the standard licensing fees for ArcSight Enterprise Security Manager (ESM).

We have a security team monitoring ArcSight Enterprise Security Manager (ESM) twenty-four-seven, but I am not certain how many users are currently using it as that information is handled by a different team.

I would definitely recommend implementing ArcSight Enterprise Security Manager (ESM), as I have seen organizations benefiting greatly from it, including friends working with it in their companies. I would rate this review a nine overall.

The best feature of OpenText Enterprise Security Manager is its integration capability. If you're integrating with a lot of logs you have to take from the third party, integration is there because this is an old product. So, you can easily build the adapters and take all those logs to ArcSight.

Integration from a SIEM perspective is no challenge with OpenText Enterprise Security Manager, but from the SOAR perspective, they have to improve.

Regarding threat detection capabilities, I think OpenText Enterprise Security Manager covers the MITRE ATT&CK framework at an average level, and on a scale of one to ten, I would rate it only five.

They have to improve in those areas in terms of threat detection capabilities.

For ArcSight, they need to give the complete package, with UBA being part of that. They have added it, but I question what capabilities are there, especially on the SOAR side where they have to improve because the SIEM was very strong.

For the SOAR side, because SIEM was very strong when they were earlier launched, but for SOAR, they were integrating with third-party solutions initially, and then they built the capability. They have acquired some company, but it is not up to that potential. They slowly and gradually lost that ground to Splunk, QRadar, and other companies, so when anybody talks about the full capabilities, they are not thinking about Micro Focus as of now.

I would desire additional features in OpenText Enterprise Security Manager, especially on the SOAR side, and maybe on the UBA side, as threats intel and all, which are part of bundled solutions. Those are the areas they have to improve so that customers can trust and enhance those things, and maybe the customers will feel they should go for this product. As of now, if we are evaluating our own scenario, we are not even thinking about it. Earlier, that was not the scenario when they were selling this SIEM solution in the market; everybody was thinking OpenText was the default option, but now, if you're looking for a complete solution stack, nobody is even considering it.

Technical support for OpenText Micro Focus is average; while IBM provides good support, it's not excellent. Nevertheless, Palo Alto offers good support.

I would rate OpenText's technical support approximately five to six out of ten.

Response time for OpenText Enterprise Security Manager is an issue; they mostly provide their products to government customers whose needs are different and challenging. I've seen a couple of customers struggling with some challenges and nobody was there to support them. While maybe for the government it is not required and they work in their own way, enterprise customers demand support. Support should be always available, especially now when security is a major challenge in all organizations, so if you are not providing support, what will the customers do?

Neutral

I would recommend Splunk instead of OpenText Enterprise Security Manager as one option, and if you want to go only for the SOAR part, then Palo Alto is another recommendation. If you're looking for a complete solutions stack, IBM is also good and recommendable. If you're looking for something that can improve in the later stage, then Elastic is also coming good.

I have been a reseller of OpenText and Micro Focus.

I've seen the customizable dashboards in OpenText Enterprise Security Manager, but not recently, so I'm not sure what kind of dashboard they have given. When we were evaluating for our SOC, we have not even thought of going for Micro Focus. Nobody talks about it, especially if you're building your own SOC, or maybe it is going into the government and PSU space mostly because, with government, you have to align with the specs and you have to bid and give that solution. Their government team is very strong, but I'm not sure about their enterprise team.

I'm not sure how OpenText Enterprise Security Manager impacts compliance reporting on regulatory adherence tasks.

Pricing for OpenText Enterprise Security Manager is good, so pricing is not a challenge or an issue.

The product is good; I would rate OpenText Enterprise Security Manager seven out of ten, but service is the challenge.

Neutral

ESM is primarily a logger, so we implement it for Security Operation Centers (SOCs) across various customers and domains. This includes government, banking, financial security, insurance, healthcare, defense, and homeland security departments. In our region, the public sector also uses ArcSight ESM for security purposes.

First of all, ArcSight is a renowned name. ArcSight's technology and use cases are well-established and widely utilized. Customers prefer experienced vendors with industry expertise. We have a team of over 20 pre-sales and post-sales resources who are experts in deploying ArcSight within crucial networks and infrastructures. So, it's the combination of a well-known name, a proven track record, and the expertise to deploy it effectively.

The most valuable feature is the correlation of different logs that are collected. Any application can collect logs, but ESM excels at performing regression and correlation on that data to display meaningful information for SOC analysts.

ArcSight is a legacy technology, and many customers want AI-powered technologies integrated with it. That hasn't been done yet, but ArcSight needs to catch up with the newer solutions and technologies available in the market. It can't just rely on the legacy technology from 2010 or 2012. You can't run that in 2024.

It's a legacy technology with its own limitations. Customers often face issues that other software or newer solutions can resolve easily. That's the main challenge we face from customers right now.

So, the only concerns are that AI needs to be integrated and scalability improved. Those are the main areas to be improved.

I have been working with it for last three years. 

We haven't experienced any glitches or latency in the system. It probably depends on the infrastructure and whether it's appropriately sized for the application. But as of now, there are hardly any issues in that regard.

We cater to small, medium, and large enterprises. There hasn't been any challenge for us in terms of customer size.

Scalability presents some challenges from a cost perspective. The cost is quite high when it comes to scaling ArcSight. Smaller vendors offer better pricing and structures compared to ArcSight. ArcSight is quite demanding in scalability scenarios, and the cost factor is a major component when deciding whether to purchase the product. So, I think scalability is a challenge in comparison to the pricing.

The customer service and support are very satisfactory. The relationship we've had for the last three years wouldn't have lasted if the support wasn't good enough for us.

Positive

Our team is quite experienced in deploying ArcSight in any environment. So, deployment or installation is not a challenge for us. The only thing is that the entry points or certain taps need to be provided by the customer. Otherwise, it's a very seamless deployment.

We only need two resources for the deployment process. 

It's easy to maintain as of now, but it depends on the specific use case and customer. Sometimes, the infrastructure is not appropriate or properly maintained, which can lead to complications and complexities in the deployment.

So far, there haven't been issues from our side. 

The integration capability of ArcSight is really good. So far, we haven't had any issues related to integration with any of our partners, customers, or vendors. It hasn't been a challenge at all.

The ROI is quite nice. The TCO, the total cost of ownership, is also fine with ArcSight.

ArcSight is expensive.

Overall, I would rate it an eight out of ten. 

ArcSight ESM supports our team or department in meeting compliance requirements. It provides some industry-related use cases by default, which directly map to controls like those related to MITRE framework.

There are 800 to 1000 rules related to MITRE that help us to deploy ArcSight, as well as specific rules related to compliance frameworks like PCI.

These are considered "extenders" that extend compliance and other standards. They combine individual rules into packages that can be deployed in ArcSight. So, in one place, we can monitor logs according to industry standards within our ESM.

However, we still need to find the right approach for specific packages based on the types of devices and logs we receive. We need to enable or disable rules based on our actual customer traffic compared to the existing user rules.

That's why we first need to check our organization's traffic and compare it to our current user rules. If the rules are applicable, then we enable or disable them.

There's also a dashboard that provides a better understanding of the rules. You can see how many rules are created within 24 hours and which ones trigger most frequently. This information is helpful in managing the rules effectively.

ArcSight (ESM) streamlines or optimizes incident detection and response in our organization.

ArcSight collects logs from numerous sources, including firewalls, Check Point, Unix, and others. These logs are forwarded to a central log management hub, called the "Log Forwarding and Transformation Hub."

Once there, the logs are transformed and then forwarded to the ESM. Inside the ESM, there are two key components: the Persistor and the Correlator. The Persistor handles event processing, while the Correlator is where we use code to create correlation rules.

These rules allow us to monitor for specific threats in real-time, such as MitM attacks. We also have use cases for various scenarios, including events and compliance checks. These are all configured based on specific products and customer needs. When an event matches a correlation rule, the ESM triggers an alert on our dashboard in the "Active Channel."

For real-time threat monitoring, there's a tool called the ESM console. This tool automatically triggers the rules we've created when a matching event occurs, and the information is reflected on the console. So, our SOC team monitors it 24/7.

We are using the correlation part because correlation learning is already built-in. There are two main components: the Persistor and the Correlator. The correlation engine is part of the ESM, so the correlation is already happening.

We can create automatic correlations, but if you want, you can also correlate with any IOCs using external features like MISP (Malware Information Sharing Platform).

I would rate the ease of use for new users an eight out of ten, with ten being easy to use. It is a good tool. 

The first limitation is with the ArcSight Data Storage Manager (ADSM). ArcSight's total capacity is currently capped at 12 TB. This becomes an issue if a customer needs a longer real-time data retention period, such as exceeding 90 days or reaching a year or even ten months. Increasing the disk space beyond 12 TB is not currently possible.

So, increasing the storage capacity is one area for improvement. Additionally, the real-time data retention is limited due to the 12 TB restriction. Depending on the Events Per Second (EPS) you receive, you might only be able to retain data for seven to ten days.

Overall, the 12 TB limit is the main issue we face in terms of maximizing real-time data storage.

Moreover, there are a few improvements I would like to see in future releases. 

My main suggestion for ArcSight is to simplify the deployment process. Currently, the installation process is quite complex. There are various components involved, including transformations, multiple installations, and containerization for various components. Ideally, I'd recommend that ArcSight allow the entire installation, including the ESM and database, to be completed within a single unified setup process for a streamlined experience.

Additionally, having readily available and well-organized documentation for the step-by-step installation process would be incredibly helpful.

I would also like to see better support. 

I have been using it for five to six years now. 

I would rate the stability an eight out of ten. 

I would rate the scalability a seven out of ten because there are some limitations. 

It is a good tool for enterprise-level businesses. 

There is room for improvement in terms of the quality of the solution. 

Neutral

I have used IBM Security QRadar, Splunk , and even RSA Network. 

Product-wise, RSA Network doesn't support multi-tenancy, while both IBM Security QRadar and ArcSight do. This allows us to manage multiple customers within a single setup. However, Splunk and LogRhythm are not multi-tenant.

Currently, most companies are starting to offer multiple cybersecurity solutions. So, within a single setup, they can now provide solutions for all their customers.

The installation process is quite complex. There are various components involved, including transformations, multiple installations, and containerization for various components.

Pricing is good, I'd rate the pricing a seven out of ten, with ten being low price. 

It's better than Splunk and IBM QRadar because their pricing is based on EPS (Events Per Second). Overall, ArcSight's pricing model and subscription model are favorable compared to the other SIEM tools we use.

Overall, I would rate the solution a seven out of ten. 

We use the solution for detection and alerting.

The quantity of technology that supports integration with it and the other analytics features are also powerful.

It would be nice to have it on the cloud so that you can deploy it easily, saving time and resources.

I have been using ArcSight Enterprise Security Manager (ESM) for around a year.

I rate the solution’s scalability a seven out of ten.

Support is very good.

Positive

OpenText responds quickly to your requests. This technology's support team possesses extensive knowledge and is very effective. They assist you promptly and provide the specific information you need to resolve issues or answer your questions.

I deploy it in an architecture with components, including core, collector, and manager components. It takes three days to deploy completely.

I rate the initial setup a five out of ten, where one is difficult, and ten is easy.

The pricing is competitive.

It is easy to maintain the solution.

The architecture can be somewhat complex because it uses specific components for different tasks, such as collecting data sources, parsing, generating reports, and displaying the main console. Each task has its dedicated component, which can make deployment more challenging. In contrast, our system uses fewer components, making deployment simpler and more efficient. This can save both time and money. Ultimately, customers want clear visibility and quick alerting to detect and respond to attacks as swiftly as possible.

They also use machine learning and AI, which can be very helpful. For instance, AI can assist in filtering out false positives and providing more accurate information. When dealing with specific layers, AI can enhance the system's ability to identify relevant data and improve efficiency. IBM QRadar, for instance, uses machine learning with its UVA technology. On the other hand, Curator requires installing a specific agent on endpoints. Machine learning in Curator helps detect unusual activities, such as a user logging into a different computer than usual. This capability allows for early detection of potential security issues.

Overall, I rate the solution an eight out of ten.

We primarily as a Security Information and Event Management (SIEM) solution.

I am a solution architect. I use it on project basis. 

It enhances our web detection and response capabilities.

It gives better overall visibility. Before, we didn't have a unified system for managing security alerts. ArcSight introduced various alerts, giving us a better visibility of potential problems.

It identifies the logs we send. It has identified many potential threats through various alerts.

Its comprehensive integration with various log sources was a major benefit.

The correlation engine effectively connects different events, significantly improving our detection reach. However, limitations exist with non-default alerts, where additional costs arise for integration. Overall, it does the job well.

More integration with various log sources, especially considering new cloud platforms. Lots of different platforms are now coming. 

For example, nowadays, we have more products related to cloud platforms. So, we have Azure native security firewalls. We have Oracle native security firewalls.

I want that integration with them so that I can receive the logs directly from them and define a unified correlation mechanism for it.

I have been using it for three years now. 

It is a stable product. There is nothing absolute in IT. So, it is relatively stable. 

I would rate the scalability an eight out of ten. 

The customer service and support were satisfactory. There is room for improvement in the first-hand support. It would be helpful if they could understand more of the context of the customer's query.

Neutral

I used Securonix but decommissioned it because we didn't like it. 

We also used LogRhythm. 

The deployment does require some effort. ArcSight is one of the most complex, complicated solutions to deploy.

It's a large-scale deployment. So, it has full modules to be deployed. The footprint is larger compared to some other platforms where the footprint is in single or two virtual machines, which is not the case in ArcSight.

On average, two weeks or three weeks of time for deployment matters. Moreover, deployment involves more than just installing the tools. Integration with it is a second step. That takes longer than just the tool deployment. 

Then, after integration, you have to onboard the different log sources. Even for that, the combined time of deployment and integration is less than onboarding the different source environments.

Once you do all this and then establish the correlation, only then from the customer's point of view, it's a complete deployment. 

From a product perspective, it is different. Some products are easier to have a fresh installation but difficult to integrate, and then they're very difficult to onboard the log sources. 

So, from the product point of view, when you consider a deployment, it should be considered an end-to-end deployment from zero to production-ready. And here, ArcSight is a longer platform to deploy.

Moreover, it is quite difficult to maintain it because of the different components, and it can be because of the licensing model; it takes longer. It will take more effort to maintain it. Sometimes, the hardware fails, and sometimes the virtual machine fails. Sometimes, the operating system and sometimes the database separately. The more components you have, the more knobs you have to keep an eye on.

Two people are required to maintain it.

If a more expensive solution provides the same value as a competitor at a lower price, its ROI is lower. It doesn't deliver the same value for the price point.

The pricing model is expensive compared to open-source alternatives, especially as your needs grow.

Securonix was a cheaper solution and more based on a data science foundation. It is good at handling structured data, making it an attractive option for open platform deployments.

Another is RapidX, which is an open-source platform based on the free ELK Stack, offering significant cost advantages. With some effort from our side as a Managed Service Provider, we were able to create a RapidX deployment that surpassed ArcSight in functionality.

ArcSight is a commercial, enterprise-grade solution. While it carries a higher price tag, it offers greater scalability suited for large-scale deployments.

In future releases, I would like to see integration with cloud platform security technologies like Azure Native Security Firewalls, Amazon, and Oracle.

Overall, I would rate the solution a seven out of ten. 

Our use cases are for both a government-based entity and an international oil and gas entity, and so our use cases flow for security across both domains. Very similar threat cases are created, but they're targeted specifically for the client's operating environment, including standard access control, endpoint control, and things like that. The use cases themselves vary from active directory exploits to endpoint exploits. We use it for real-time alerting, so we run an alert-centric model that we partnered with a log service and we do a discovery centric model on the back end, so we have a hybrid.

Some of the benefits of using this solution are rapid correlation and near-time response on alerts.

The UBA features and, again, the correlation engine is nearly bulletproof. Once you have it dialed in, it provides accurate near-time responses as things are coming in to correlate and identify.

ArcSight is incredibly complex when configuring and deploying, and if your organization doesn't know what they want and what they need, ArcSight will be a challenge for them, but if they absolutely are skilled and know what they want and know what their end goal is, ArcSight is brilliant.

I would like to see more dynamic reporting. 

It could look a little newer. The interface looks a little dated, but otherwise it's fine.

I have been using this solution for about 10 years. 

This solution is rock solid. The stability is untouchable. If you've scaled the solution correctly, the performance is brilliant. I rate the stability as a ten out of ten. 

If you have employees with knowledge, the solution scales vertically and horizontally. You can just sit there and say, "I'm ingesting this many more log sources, I need this much more processing, and this much more storage," and you can just drop and place. It's easy to scale because we're using clusters and blade servers, so we just slap in a new blade, add it for the cluster, and now it's scaled.

We have SAN storage, all high-speed disks for the 90-day storage, and then mechanical disks for the 188-day storage, and then you go to cold storage after that, which is disk as well, and it's a SAN, so we just swap in new JBODS every time we need more storage.

There are about 40 people using this solution from an analyst point of view within my company. We have threat hunters, endpoint protection research, vulnerability research, and security analysts on levels one through three. Pretty much anyone that operates in a security operation center is using it. We run three shifts, 24 by seven. Each shift is an eight-man team of analysts, and then we have endpoint protection subject matter experts, forensic subject matter experts, and threat hunting subject matter experts all using it Monday through Friday. At any point during the day, there's about 40 active users on the solution. All in all, I think we have 150 named accounts inside of it, but usage, there's about 40 at any one time on it.

I rate the scalability as an eight out of ten.

Micro Focus is less helpful than HP Enterprise was. If I were to rate HP Enterprise when they owned it, I would give them a nine. I'm going to give Micro Focus a six because, after we started operating it, they would provide us professional services or engineers from less desirable skillsets and locations. Being in the Middle East, it's difficult to get quality people, so we ended up getting a lot of people from South Asia and Central Asia that just weren't as good as people we had before coming out of Europe or North America.

We migrated off of QRadar to ArcSight. We switched for better performance, capability, and usability.

The setup can be very complex, depending on the size of the organization. Our organization is huge. We have a vast ArcSight infrastructure, high availability, and multi-noded clusters. Our usage is very unique in that way, and it's very advanced and complex. Most organizations probably won't have the level that we have. The setup is a ten out of ten in functionality. On configuration and getting it set up, it's a one because, again, it requires some very specialized knowledge. 

We used two architects and three engineers on our team for deployment, and the team from ArcSight had nearly an equivalent amount. We handled deployment in-house, and we fully deployed it enterprise-wide in about six months. We had HP ArcSight certified engineers and architects, and then we sent a handful of our own engineers to HP so they could become fully ArcSight certified. Their engineers and our certified engineers then worked hand in hand in kind of a mentor, mentee relationship to ensure that our team had full knowledge and capability going forward.

The first step of deployment was scoping and sizing for five-year growth, based on what we were currently running in the older product, which was QRadar, and so then once we determined what size infrastructure we needed, we deployed that infrastructure. That took about a month. From there, we then on-sourced non-critical assets for testing and piloting. Once we had that done, we deployed the agents for the use to our SOC, and then we ran both systems in parallel to make sure that use cases reported over correctly, and they were all fine-tuned.

Once we had them working on our test samples, we then did a rapid deployment across the entire environment. We ingested everything from the old system into the new one to the log collector. Once all the old logs were in there, we then switched over to real-time and transferred the real-time logging from the old system to ArcSight, and then that system was live. We did one after the other, and that's what took the six-month window, because after about a three-month deployment of getting all 35,000 log sources ingested and up and running, it took about another three months to do the rest.

The ability to detect and respond to an event within 60 seconds is priceless to us because a detected for each event becomes escalation, and objectives on target add about 60 seconds or more. Having ArcSight provide us these alerts within 15 to 30 seconds of something actively happening, where our analysts can then begin to engage, isolate, and mitigate, that's priceless.

The solution is super expensive. I think we're paying about 1.2 million a year. We have a full, perpetual, all-we-can-eat license, which is why we pay that, because at any moment we may onboard entirely new infrastructures. 

The problem with QRadar is that you're paying EPS licensing, and the moment you exceed your licensing, QRadar stops processing anything above that license count, and that becomes an immediate security event. With our license with ArcSight, we don't have that problem. You pay for all-you-can-eat and we can give it all-we-can-eat, as long as the hardware that we have running it can support it. The hardware is ours, so we can just grow that as we go. 

Part of our yearly price model is also including extra blade servers and disks, so as we need them, we can just slap them in, and boom, we expand the cluster by three or four more processing nodes on the blade server, and now we can double the amount of queries and searches.

At our organization size and license model, I think the price is average to what anyone else would charge us. I would rate the price as a five out of ten because obviously we would like to be cheaper, but we know what we're getting for that money, so we're okay with that. We're neutral about the price. 

My advice would be to ensure that you understand what your goals for the product are, and ensure that you have the correct engineering knowledge to implement those goals.

I rate the solution as a nine out of ten.

We use ESM for compliance, log retention, and general security operations. We don't use all the features. We have been late in terms of taking advantage of the cloud option. 

ArcSight is customizable. You can integrate just about anything. I also like the ease of use.

The API integration could be better, and I'd like to see more machine-learning capabilities in the future. 

I have used ArcSight ESM for nearly 12 years.

ArcSight is more stable than other solutions I've used if you take care of the maintenance. I've seldom had significant issues. 

Scaling up ArcSight isn't a challenge.

I've had mixed experiences. Sometimes, it was fine, and it was not so good at other times. It isn't as good as it used to be. 

The setup is simple to me because I've been doing it for a while, but I'm not sure a beginner would find it easy. It could be simpler. I haven't had the opportunity to deploy it on the cloud, but you should be able to do it without problems. 

I rate ArcSight ESM six out of 10 for affordability. In my last company, I evaluated Sentinel. The annual license for ArcSight is equal to about two months of Sentinel. 

I rate ArcSight ESM seven out of 10. I've worked with it my whole life and watched it evolve. ArcSight doesn't do much that other solutions can't. ArcSight has been around for 20-plus years. A lot of companies have moved on to other solutions. At the end of the day, you get out of a SIEM product what you put into it. 

I supervise a team at our company that uses this solution. Our organization uses the solution with our customers. We run a SOC for our clients that are on ArcSight. We provide monitoring, SIM administration, and incident management to our customers.

We have many use cases including multiple route logins, multiple administrator login failures, multiple failures, and successful logins.

I value the event correlation of this product, it handles it well. We are able to eliminate many of the false positives, which eliminates a lot of the noise within the environment.

ArcSight could improve by using AI and ML. More people are leaning towards this type of solution. They also could improve the product by integrating user and identity behavior analytics.

The traits' environment is changing every day. The traditional approach of discovering traits within the environment is gradually changing. We need new approaches to intelligently discover traits within the environment. ArcSight needs to improve its product to move in this direction.

I have been using ArcSight Enterprise Security Manager for one year.

The solution is stable.

We have integrated a couple of technologies into ArcSight, both on-premise and on-cloud. We were able to integrate the DNS and the firewalls. We were not able to integrate the EDR.

When comparing the initial setup of ArcSight ESM with Curator, the setup is easier with Curator. 

We evaluated Curator. Curator is easier to set up than ArcSight, and it has a UI that is simpl to use.

I would recommend ArcSight Enterprise Security Manager to a small degree. However, there are quite a few products on the market now that are easier to use. Other products are providing more insight and providing user entity behavior analytics. 

Overall, I would rate ArcSight ESM a six out of ten.