What is SIEM?
The acronym SIEM, pronounced “sim,” has taken its place among the most important sectors in all of IT. Security Information and Event Management is now considered a mandatory component for enterprise systems.
SIEM, the tools of which have been in existence for about a dozen years, is an approach to security management that combines the SIM (security information management) and SEM (security event management) functions into one security management system. SIM collects, analyzes and reports on log data; SEM analyzes log and event data in real time to provide threat monitoring, event correlation and incident response.
Together, both functions provide real-time analysis of security alerts generated by applications and network hardware. Security providers that can combine these two functions are in the driver’s seat for new business.
Key features for enterprise SIEM are: ingestion of data from multiple sources; interpretation of data; incorporation of threat intelligence feeds; alert correlation; analytics; profiling; automation; and summation of potential threats.
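To make the SIM/SEM split and the feature list above concrete, here is a small added example (not code from the article or from any of the vendors below) that walks constructed log lines through the stages a SIEM performs: ingestion from two sources, interpretation into one common schema, enrichment from a threat intelligence feed, a correlation rule that fires when repeated authentication failures from one source are followed by a success, and a summary for the analyst queue. The log lines, host addresses and the threat feed entry are all constructed for the example; the rule thresholds are assumptions, not any product's defaults.

```python
"""Toy SIEM pipeline: ingest -> interpret -> enrich -> correlate -> summarize."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (documentation-range addresses, not real hosts).
# Two source formats: an OpenSSH-style auth log and a key=value firewall log.
RAW_LOGS = [
    "2024-05-01T10:00:01Z sshd[2201]: Failed password for alice from 203.0.113.7 port 51022 ssh2",
    "2024-05-01T10:00:05Z sshd[2201]: Failed password for alice from 203.0.113.7 port 51023 ssh2",
    "2024-05-01T10:00:09Z sshd[2201]: Failed password for alice from 203.0.113.7 port 51024 ssh2",
    "2024-05-01T10:00:20Z sshd[2201]: Accepted password for alice from 203.0.113.7 port 51025 ssh2",
    "2024-05-01T10:01:00Z sshd[2201]: Failed password for bob from 198.51.100.9 port 40001 ssh2",
    "2024-05-01T10:30:00Z sshd[2201]: Accepted password for bob from 198.51.100.9 port 40002 ssh2",
    "2024-05-01T10:00:30Z fw: action=deny src=192.0.2.55 dst=10.0.0.5 dport=445",
]

# Constructed threat-intelligence feed (hypothetical provider): source address -> tag.
THREAT_INTEL = {"203.0.113.7": "known-scanner"}

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
SSH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) fw: action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse(line):
    """Interpretation: map a raw line from either source onto one common event schema."""
    m = SSH_RE.match(line)
    if m:
        return {"ts": datetime.strptime(m["ts"], TS_FMT), "source": "sshd",
                "event": "auth_failure" if m["outcome"] == "Failed" else "auth_success",
                "user": m["user"], "src": m["src"]}
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.strptime(m["ts"], TS_FMT), "source": "firewall",
                "event": "fw_" + m["action"], "user": None, "src": m["src"],
                "dst": m["dst"], "dport": int(m["dport"])}
    return None  # unknown format: a real SIEM would count and surface these


def ingest(lines):
    """Ingestion: parse every line, drop unparseable ones, order by timestamp."""
    events = [e for e in (parse(line) for line in lines) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def enrich(event):
    """Enrichment: attach the threat-intel tag for the source address, if any."""
    event["intel"] = THREAT_INTEL.get(event["src"])
    return event


def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Correlation rule (assumed thresholds): at least `threshold` failed logins for
    one (source, user) pair inside `window`, followed by a successful login for the
    same pair, raises one alert. Threat-intel hits raise the severity."""
    alerts = []
    failures = defaultdict(list)  # (src, user) -> timestamps of recent failures
    for e in events:
        key = (e["src"], e["user"])
        if e["event"] == "auth_failure":
            failures[key] = [t for t in failures[key] if e["ts"] - t <= window]
            failures[key].append(e["ts"])
        elif e["event"] == "auth_success":
            recent = [t for t in failures.get(key, []) if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "ts": e["ts"],
                               "user": e["user"], "src": e["src"],
                               "failures": len(recent), "intel": e.get("intel"),
                               "severity": "high" if e.get("intel") else "medium"})
            failures.pop(key, None)  # a success closes the failure run either way
    return alerts


def summarize(alerts):
    """Summation: one line per alert for the analyst queue, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    return [f"[{a['severity']}] {a['rule']} user={a['user']} src={a['src']} "
            f"failures={a['failures']} intel={a['intel']}"
            for a in sorted(alerts, key=lambda a: order[a["severity"]])]


def run(lines=RAW_LOGS):
    """Whole pipeline on a batch of raw lines; returns the list of alerts."""
    return correlate([enrich(e) for e in ingest(lines)])


if __name__ == "__main__":
    for line in summarize(run()):
        print(line)
```

On the constructed input only alice's run fires: three failures and a success from 203.0.113.7 inside one minute, and the source is in the feed, so the alert is high severity; bob's single failure followed by a success half an hour later never reaches the threshold. The same rule against a source absent from the feed produces a medium alert, which is the "correlation first, intelligence raises priority" pattern the feature list describes.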
Top SIEM Software
Below is a brief summary of the top SIEM vendors. Each summary links to an in-depth look at each SIEM product, including features, intelligence, analysis, pricing and more. In no particular order, here are eWEEK’s picks, based on our own research and that of analysts such as Gartner, Forrester and others for top SIEM products in the current marketplace.
SolarWinds
Value proposition for potential buyers: SolarWinds’ mission since its founding in 1999 has been to provide purpose-built products that are designed to make jobs easier for IT professionals, MSPs, and DevOps pros. The company offers value-driven products and tools that solve a broad range of IT management challenges—whether those challenges are related to networks, servers, applications, storage, virtualization, cloud, or development operations.
Whether an IT manager is an army of one managing a small environment, a managed service provider responsible for multiple customers, part of an IT team managing an enterprise, or you’ve migrated to the cloud—if you care about IT performance—SolarWinds claims to have powerful, easy-to-use, and affordable products to help you manage it.
Key values/differentiators:
- Users report that this vendor is great to work with and has great support. The best part, they say, is the Thwack community behind the product, in which developers are able to easily engage with other users and product managers.
- SolarWinds eliminates the complexity found in traditional enterprise software and services and makes it easy to find, buy, deploy and maintain solutions–regardless of an organization’s size.
- Users interact daily with SolarWinds’ large, global user community to guide product development and strategy and foster an environment where users with even the most complex IT challenges quickly connect with experts who love to help.
- SolarWinds constantly evolves its products. It ensures that the software is on point to meet the most important problems that IT pros, MSPs, and DevOps engineers face, and it continues to deliver increasing value over the lifetime of ownership.
- SolarWinds was built by IT administrators and senior systems engineers who know what it takes to manage dynamic IT environments. They combine this expertise with a deep connection to the IT community to create IT management products that are effective, accessible and easy to use.
Who uses it: midsize to large enterprises
How it works: subscription cloud service and on-premises options
eWEEK score: 4.9/5.0
Splunk
Value proposition for potential buyers: Not only does Splunk have one of the more colorful names in all of the IT business, its SIEM system is highly rated and popular. Organizations seeking SIEM solutions that can share architecture and vendor management across SIEM and other IT use cases, and those seeking a scalable solution with a full range of options from basic log management through advanced analytics and response, should consider Splunk. Its Security Intelligence Platform is composed of Splunk Enterprise and three solutions: Splunk Enterprise Security (ES), Splunk User Behavior Analytics (UBA) and Splunk Phantom. Splunk Enterprise provides event and data collection, search, and visualizations for various uses in IT operations and some security use cases. The premium ES solution delivers most of the security-monitoring-specific capabilities, including security-specific queries, visualizations and dashboards, and some case management, workflow and incident response capabilities.
Splunk’s most important enhancements during the past 12 months are support for guided investigation via the Investigation Workbench UI in Splunk ES, rapid content updates for ES and UBA and speed improvements.
Remember that you generally get what you pay for. Licensing costs may push it beyond the reach of some SMEs. It is best fit for larger, well-staffed IT organizations that are willing to pay the price for high security effectiveness.
Key values/differentiators:
- Splunk’s offerings provide organizations with multiple entry points into security monitoring with a path that can start with basic event collection and simple use cases with Splunk Enterprise through to richer SIEM functionality with ES, more advanced analytics with UBA and SOAR capabilities with Phantom.
- The vendor has a strong ecosystem of technology integrations available in the Splunk application marketplace, although users of other technologies that compete with Splunk (for example, in the user analytics space) should validate the depth of integration.
- PII protection features are strong; obfuscation and PII masking are supported down to the field level, and can be applied based on user identities, locations and other characteristics.
To Take Under Advisement:
- Customers and prospective buyers continue to express concerns about pricing models and total cost. The addition of Phantom, and the introduction of the “nerve center” concept (separate SIEM, UBA and SOAR products), results in three pricing models with different measurement approaches.
- Splunk provides no native agent support for FIM or EDR, although there are integrations with numerous third-party solutions.
- Splunk UBA is an on-premises or customer cloud-only solution at this point, which can create friction with Splunk Cloud customers wishing to remain in a SaaS model.
Who uses it: large enterprises
How it works: subscription cloud service and on-premises options
eWEEK score: 4.9/5.0
AT&T Cybersecurity
Value proposition for potential buyers: The former AlienVault was acquired by AT&T in August 2018, had its name changed to AT&T Cybersecurity in February 2019, and is an integral part of AT&T’s newly created Cybersecurity Solutions division. The AT&T Cybersecurity SIEM product, Unified Security Management (USM) Anywhere, is delivered as SaaS, and includes several components for asset discovery; vulnerability assessment; and intrusion detection system (IDS) for network, host and cloud; as well as for core SIEM capabilities. USM Appliance (an on-premises software deployment) is still supported, but the vendor’s emphasis is on the Anywhere SaaS offering. Additional offerings include the Open Threat Exchange (OTX) threat intelligence sharing capability and OTX Endpoint Threat Hunter service, both no-cost services. AT&T Cybersecurity also offers Open Source Security Information Management (OSSIM).
Key values/differentiators:
- AT&T Cybersecurity targets end-user SIEM buyers, with an emphasis on financial services and health care as well as service providers. End-user customers are typically midmarket, not large, enterprises.
- Notable capabilities that have been added since the last Magic Quadrant research include monitoring of Google G Suite and Office 365 SaaS, an API to support app integrations, and a central management console (USM Central) for managed security service (MSS) partners.
- Midsize organizations seeking an SIEM-as-a-service delivery model with bundled security controls, but with little need for extensive database or application monitoring, or advanced analytics, should consider AT&T Cybersecurity.
- USM Anywhere bundles several security controls, sensors and other capabilities like file integrity monitoring (FIM)/endpoint detection and response (EDR) and vulnerability scanning as components of the solution.
- The Anywhere SaaS solution has a straightforward architecture: cloud-based storage and analytics/reporting with on-premises endpoint agents and a network appliance for log aggregation and forwarding, NIDPS, and vulnerability scanning. Scalability requires adding more agents and network sensors as needed.
- Implementation is straightforward: Users request new sensors via the management interface for the specific hosting platform (on-premises virtual machine or a virtual instance in Amazon Web Services [AWS] or Microsoft Azure), and the sensor is made available to be deployed. Configuring the sensor to accept events is supported by a wizard.
- Product currency and scalability are handled on the cloud-based platform. New features and updates are automatically deployed. If a client exceeds its licensed capacity, it is notified so it can arrange to move to a higher-capacity service tier.
- Support for native user analytics is limited to the capabilities provided by the underlying graph database, along with monitoring for attacks against identity and directory services. Integrations with third-party user and entity behavior analytics (UEBA) solutions are not supported.
To Take Under Advisement:
- Anywhere lags competitors in several areas, such as application and database monitoring, and integrations with third-party solutions such as cloud access security brokers (CASB), DAM, DAP and DLP.
Who uses it: any size enterprise
How it is deployed: subscription cloud service only
eWEEK score: 4.7/5.0
Dell Technologies (RSA) NetWitness
Value proposition for potential buyers: If you buy into Dell Technology, you’re buying into one of the world’s largest one-stop shops for all of IT. Its RSA security arm is the largest such company in the world, and it grew to that point for good reason: its products generally work well. The RSA NetWitness Platform consists of RSA NetWitness Logs, RSA NetWitness Network, RSA NetWitness Endpoint, RSA NetWitness UEBA and RSA NetWitness Orchestrator. These elements are composed of several components for data acquisition, forwarding, storage and analysis. RSA gained in-house UEBA capability with the acquisition of Fortscale in 2018, and security orchestration, automation and response (SOAR) capabilities are delivered via a white-label version of Demisto. These elements can be deployed as software, appliance or virtual appliance, in any combination.
The version 11 release of RSA NetWitness Logs and RSA NetWitness Network introduced or enhanced several capabilities, the most important being better investigation capabilities and workflow, stronger analytics capability via the Fortscale acquisition, and orchestration and response via Demisto.
Enterprises with a mature security operations capability seeking scalable SIEM with flexible deployment options, UEBA and SOAR capabilities should consider RSA.
Key values/differentiators:
- The vendor can support enterprise buyers focused on advanced threat detection and looking for a single vendor that integrates capabilities including core SIEM, network monitoring and analysis, EDR, and UEBA.
- The combination of RSA NetWitness Network and NetWitness Endpoint provides strong coverage of the five styles of advanced threat defense: real-time network and endpoint monitoring, forensic network and endpoint investigation.
- RSA NWP provides strong OT monitoring capability due to its ability to deploy RSA NetWitness Network to capture data in ICS/SCADA environments, and then process it using native support for common protocols.
- NWP customers indicate they find value in the platform’s ability to correlate and analyze logs and network data (and other event sources) into a unified view. Customers provided positive, but limited, feedback on version 11.
- Pricing for RSA NetWitness Logs and RSA NetWitness Network is based on data volume per day. Pricing for RSA NetWitness UEBA is based on users monitored, and pricing for RSA NetWitness Orchestrator is based on number of analysts. RSA NetWitness Logs and RSA NetWitness Network can be licensed by appliance capacity (for physical appliances) or metered (data volume) license on a perpetual or term basis. Metered licensing provides entitlements to all required components. Customers can mix appliance and metered licensing to enable granular capacity growth across the deployment architecture.
To Take Under Advisement:
- The number of technical components of the RSA NWP solution and the licensing models provide extensive flexibility in designing the deployment architecture, but they also require understanding of the breadth of the options and the implications for cost, functionality and scalability.
- RSA’s focus on larger customers and those with more mature security monitoring capabilities results in a poor match to the needs and resources of less mature buyers.
Who uses it: mid- to large-size enterprises
How it is deployed: subscription cloud service
eWEEK score: 4.7/5.0
Exabeam
Value proposition for potential buyers: Enterprises with behavior-focused use cases, along with those that want integrated orchestration and response capabilities with SIEM, should consider Exabeam SMP. Exabeam’s Security Management Platform (SMP) is composed of six products: Exabeam Data Lake, Exabeam Cloud Connectors, Exabeam Advanced Analytics, Exabeam Entity Analytics, Exabeam Threat Hunter and Exabeam Incident Responder. Each of these products has a release/update schedule, and some are more mature than others. They are available in several form factors: hardened physical appliances, virtual appliances, and private or public cloud deployments (Amazon, Google and Azure). A deployment can consist of multiple form factor (physical/virtual/cloud) options.
Version 2 of SMP was released in March 2018. It included the introduction of Entity Analytics and flow collection, improvements to Incident Responder, support for more SaaS platforms, and stronger correlation rule management features and compliance reports. It also included content updates related to existing and new use cases, and a UW (ML) SDK/API.
Key values/differentiators:
- The scalable architecture is based on Elasticsearch and Hadoop (HDFS), with Kafka message bus and Spark for ML processing.
- There is an easy-to-understand pricing model based on users and entities.
- Orchestration and response capabilities include automated playbooks available with Incident Responder.
- SMP provides granular (predefined and customizable) role-based data access and workflow to support privacy concerns.
- Advanced Analytics, along with solid out-of-the-box content and models, provides mature user behavior analytics (UBA) capabilities. This was the core of the UEBA product that Exabeam developed prior to entering the SIEM market.
- Customers offer good-to-high marks for Exabeam overall, with high marks for evaluation/contracting activities, and deployment and support services.
- Exabeam now provides its analytics solution in the cloud as a SaaS model. This hadn’t been available before 2019.
To Take Under Advisement:
- Organizations with low-maturity investigation and response capabilities will be less likely to get the full benefit from advanced features for those activities and will need to use a service provider.
Who uses it: mid- to large-size enterprises
How it is deployed: subscription cloud service
eWEEK score: 4.8/5.0
Fortinet
Value proposition for potential buyers: End-user organizations and MSPs with investments in Fortinet network technologies should consider FortiSIEM. This solution provides core SIEM capabilities in addition to complementary features that include a built-in configuration management database (CMDB), FIM, and application and system performance monitoring. FortiSIEM’s solution is deployed via virtual appliances that can be installed on-premises in virtual environments or via IaaS platforms like AWS and Azure. The solution can be deployed as a single appliance or as individual, stand-alone components for scalability. Physical appliance options are also available. Licensing is primarily based on the number of data sources, events per second (EPS) and agents deployed.
Version 5 delivered significant updates to FortiSIEM, including a productwide HTML5-based GUI, adoption of Elasticsearch for the event database, incident response enhancements that include automated response actions and workflows, and user risk scoring, among other enhancements. Fortinet now offers a physical appliance option in addition to its virtual appliances.
Key values/differentiators:
- FortiSIEM offers functionality that appeals beyond conventional security operations (e.g., discovering assets, a built-in CMDB and asset context that appeals to teams beyond security operations).
- Enterprises where security operations and network operations are combined can leverage a common platform with native incident management features.
- The integration of FortiSIEM with the rest of the Fortinet portfolio through Fortinet Security Fabric may appeal to organizations leveraging a range of Fortinet products.
- FortiSIEM offers out-of-the-box features designed to help with faster installations and implementations (e.g., the native CMDB that can be populated through its asset discovery feature), as well as multiple delivery options via virtual and physical appliances.
To Take Under Advisement:
- Buyers focused on threat detection use cases should evaluate the out-of-the-box threat detection capabilities of FortiSIEM (e.g., package content and analytics), which lag behind compared to the support for compliance and reporting use cases.
- Analytics are still a work in progress and lag behind many competitors in the use of advanced analytics, such as using ML. Fortinet has indicated additional support for user behavior analytics, and the incorporation of ML is on its roadmap.
Who uses it: mid- to large-size enterprises
How it is deployed: subscription cloud service and physical servers
eWEEK score: 4.7/5.0
IBM QRadar
Value proposition for potential buyers: IBM’s SIEM toolset, QRadar, is designed for large organizations. It is a robust platform used to build a threat detection and response function. It can be used by smaller organizations, because it contains extensive content out-of-the-box for simpler use cases. It has a wide deployment base and a wide availability of service providers that can help organizations procure, run, tune and monitor their IBM QRadar deployment.
The IBM QRadar Security Intelligence Platform builds around IBM QRadar SIEM and includes several components. IBM QRadar Vulnerability Manager contextualizes event data with VM data. IBM QRadar Network Insights provides QFlow-based application visibility from network flows. IBM QRadar User Behavior Analytics is a free UBA module that addresses some insider threat use cases. IBM QRadar Incident Forensics provides forensic investigation support. IBM QRadar Advisor with Watson provides automated root cause research for identified threats.
IBM QRadar SIEM is available as hardware appliances, virtual appliances and software packages, sized by the customer’s event velocity (number of EPS across the data sources in scope). It is also consumable from the cloud as SaaS SIEM hosted by IBM.
Key values/differentiators:
- QRadar offers a flexible and powerful SIEM platform with extensive out-of-the-box content for a broad selection of use cases.
- There is a solid ecosystem of value-added integrations with other IBM security portfolio solutions (such as IBM QRadar Advisor with Watson, IBM Resilient or the free UBA module) and content developed by third parties (community, and security and IT vendors), easily accessible via IBM QRadar’s marketplace.
- Strong support for network data monitoring, with a large number of application flow signatures to parse flow data.
To Take Under Advisement:
- User experience can lag behind some of the newer competitors, with a non-unified look and feel among the tabs and modules in IBM QRadar.
- Risk scoring in QRadar is represented as magnitude within offenses, and it can require a level of maturity in security processes to operationalize this. Risk scoring in UBA is provided out of the box, with no customization required.
- Gartner Peer Insights data indicates that IBM receives lower scores than other SIEM leaders for integration and deployment, and service and support. Reference customers for SIEM give IBM below-average scores for service and support. IBM has indicated that it has recently increased staffing levels for service and support.
Who uses it: mid- to large-size enterprises
How it is deployed: options for subscription cloud service, virtual appliance, physical servers
eWEEK score: 4.5/5.0
LogRhythm
Value proposition for potential buyers: Organizations seeking SIEM with native network monitoring, endpoint agent, and cloud-based analytics should consider LogRhythm. The company’s SIEM solution, branded as LogRhythm NextGen SIEM Platform, is available in configurations for both large (LogRhythm Enterprise) and midsize (LogRhythm XM) enterprises. Add-on components to either are System Monitor (SysMon Lite and Pro), Network Monitor (NetMon and NetMon Freemium), and CloudAI. LogRhythm’s SIEM can be deployed as software, a physical appliance or a virtual appliance. LogRhythm can be deployed on-premises, in IaaS and in hybrid models. Multitenancy is also natively supported.
In 2017, LogRhythm introduced a cloud-based add-on component to the existing capabilities of the platform. Additionally, other enhancements include better identity detection and tracking across multiple sources, branded as TrueIdentity, as well as enhancements to its alarm and incident management features and a new generation of physical appliances.
Key values/differentiators:
- LogRhythm offers a single vendor approach for buyers that want an SIEM solution that offers complementary and self-contained options for network and host-level monitoring, as well as UEBA capabilities.
- LogRhythm SIEM is focused on ease of deployment and use through its emphasis on UX and UI elements of the application, as well as through use of prepackaged content in frequent content updates and SmartResponse actions to aid in the incident management process. Ease of administration and use-case enablement are facilitated through Co-Pilot services for administration, analytics implementation and custom content creation.
To Take Under Advisement:
- LogRhythm does not have an app store for exposing its technology partnerships and integrations both for users and marketing purposes, compared to competing SIEM vendors with online app stores.
- LogRhythm includes some case management and response capabilities as part of its solution, but buyers looking for a stand-alone SOAR product will need to leverage third-party solutions. Integrations are available with Phantom (acquired by Splunk), Demisto, CyberSponse and ServiceNow. Buyers should confirm availability for their preferred SOAR solution.
Who uses it: midrange enterprises, new-gen companies
How it is deployed: options for subscription cloud service, virtual appliance, physical servers
eWEEK score: 4.7/5.0
ManageEngine
Value proposition for potential buyers: Midsize organizations with Windows-centric and AWS/Azure environments that want to address IT operations and basic threat detection use cases should consider ManageEngine. The company’s SIEM portfolio consists of its core ManageEngine Log360 SIEM offering and several modules that can integrate with it to extend its value proposition — particularly for Microsoft and cloud environments — and are capable of addressing security as well as IT operations use cases. These include ManageEngine EventLog Analyzer (central log management), ManageEngine ADAudit Plus (Active Directory change auditing and reporting), ManageEngine Cloud Security Plus (CLM and SIEM for AWS and Azure), ManageEngine O365 Manager Plus (Office 365 security and compliance) and ManageEngine Exchange Reporter Plus (Exchange Server change audits and reporting).
ManageEngine Log360 is available for on-premises deployments as software for physical or virtual systems. A notable outlier is ManageEngine Log360 Cloud, which is only offered as a web-based cloud-hosted service, available as a subscription with pricing based on the number of cloud accounts in scope, with upsell pricing for additional AWS S3 buckets.
ManageEngine Log360 is at version 5.0, with the latest update in April 2018 offering deeper integration with ManageEngine Exchange Reporter Plus. Other notable enhancements include the update to ADAudit Plus 5.1 to support Azure Audit data, or EventLog Analyzer version 11.12 with column integrity monitoring to support GDPR.
Key values/differentiators:
- The vendor’s focus is on cloud environments, with native and seamless integration with several IaaS/PaaS offerings (e.g., AWS and Azure), as well as some SaaS cloud applications (e.g., Salesforce).
- There is a focus on Microsoft environments with native and seamless integration with Windows infrastructures. Autodiscovery features for Windows systems and Microsoft SQL/IIS devices allow for faster deployment in Windows-centric environments.
- The ability to capture information is strong as a variety of capture methods are supported and automatic parsing of fields from new data sources is supported. The native ability to monitor hypervisor activities specifically is well-supported.
To Take Under Advisement:
- ManageEngine has low visibility in the SIEM market with Gartner clients, and particular attention should be paid to reference checking for environments and use cases similar to those of your organization.
- Not all modules integrate seamlessly with ManageEngine Log360. For example, although ManageEngine Cloud Security Plus and ManageEngine O365 Manager Plus can be accessed via a unified interface, they are deployed separately and used as separate products.
- The lack of native advanced analytics and inability to bolt on a UEBA module on ManageEngine Log360 limits its applicability for use cases on insider threats and advanced threat detection.
Who uses it: any size enterprise
How it is deployed: options for subscription cloud service, virtual appliance, physical servers
eWEEK score: 4.6/5.0
McAfee
Value proposition for potential buyers: Enterprises with mature security monitoring and operations capabilities, and those with OT/IoT use cases, should consider McAfee. Its SIEM capabilities are delivered via an all-in-one device or discrete components. McAfee Enterprise Security Manager (ESM) is the core element of the platform. McAfee Event Receiver (ERC) is for collection and correlation of data. McAfee Enterprise Log Search (ELS) is for Elastic-based log search. McAfee Enterprise Log Manager (ELM) is for long-term log management and storage. McAfee Advanced Correlation Engine (ACE) is for dedicated correlation, including risk and behavior-based correlation, and statistical and baseline anomaly detection.
Additional SIEM options include McAfee Application Data Monitor (ADM) for application monitoring, McAfee Direct Attached Storage (DAS) for additional capacity, and McAfee Global Threat Intelligence (GTI) for IP reputation. These can be augmented with other products from the McAfee Security Operations portfolio, including McAfee Behavioral Analytics (MBA), McAfee Investigator (MI), McAfee Active Response, McAfee Advanced Threat Defense (ATD) and McAfee Database Activity Monitoring (DAM). McAfee targets the public-sector and critical infrastructure sectors, healthcare, and higher education. The McAfee SIEM components are sold with perpetual licenses (MI is subscription-based) and the pricing models vary by type of component, and whether they are delivered as physical (EPS) or virtual (core count) appliances.
With the release of version 11 in 2018, McAfee introduced a modern SIEM architecture. It also recently introduced MBA as a stand-alone UEBA/security analytics offering that integrates with McAfee ESM and third-party SIEMs.
Key values/differentiators:
- McAfee has implemented a modern SIEM architecture that leverages big data technologies, such as Kafka and Elasticsearch. The open nature of the data tier allows organizations looking to feed data into or out of ESM to have flexible options.
- User behavior capabilities are available through several options. In addition to basic user monitoring via a content pack for ESM, McAfee offers MBA as a UEBA/analytics offering, plus support for numerous third-party UEBA integrations.
- Application support is strong across databases, ERP solutions, OT and IoT, either leveraging native capabilities or enhanced through the use of its ADM and DAM solutions.
- MI (an add-on subscription product in the Security Operations product portfolio) provides guided incident investigation support for analysts, including context/evidence collection and recommended actions.
To Take Under Advisement:
- McAfee’s visibility with end users has decreased year over year as it increasingly competes against other SIEM vendors. In the MSE and smaller enterprise space, McAfee’s visibility in deals where SIEM solutions are considered for co-management by third-party service providers has decreased.
- McAfee’s underlying architecture and focus on its ESM, MI and Active Response products is more appropriate for large enterprises with mature security monitoring and response operations than for those without. Midsize and smaller enterprises interested in McAfee should carefully evaluate how the solution will fit their requirements.
- McAfee users providing feedback for product capability and support put the vendor in the middle of those evaluated, indicating room for improvement in features and support.
Who uses it: large enterprises
How it is deployed: options for subscription cloud service, virtual appliance, physical servers
eWEEK score: 4.5/5.0
Micro Focus ArcSight
Value proposition for potential buyers: Enterprises with mature security monitoring operations should consider ArcSight. Micro Focus offers two SIEM technologies, Micro Focus ArcSight and Micro Focus Sentinel, as a result of the spin-merge in 2017 of Hewlett Packard Enterprise and Micro Focus. Sentinel SIEM is featured in the NetIQ brand, and Micro Focus appears to position ArcSight as its premier SIEM platform. Gartner clients have not shown interest in Sentinel, so our analysis is confined to the ArcSight platform. Micro Focus ArcSight is composed of Enterprise Security Manager (ESM), providing core SIEM functions of real-time analytics, incident management and reporting, and ArcSight Data Platform (ADP), providing event and data collection and management capabilities. ArcSight Investigate provides a dedicated solution for data searching and visualizations to support incident investigation and threat hunting use cases. ArcSight User Behavior Analytics provides advanced analytics to detect anomalous user and entity behaviors. ArcSight ESM Express is available as an all-in-one solution for smaller deployments.
In the past 12 months, Micro Focus has focused enhancements on the ArcSight platform with its 7.0 release that added new features to scale the correlation capabilities in ESM. ArcSight Investigate, currently at version 2.2, has added integrations with several third-party SOAR tools, support for DNS analysis and product fixes.
Key values/differentiators:
- Micro Focus is redefining its architecture to take advantage of new technologies (for example, the Kubernetes-driven, big-data-based Event Broker within ArcSight ADP).
- The ArcSight platform supports very large enterprises and service providers with environments that require scalable and distributed architectures that can ingest high velocities of events and provide flexibility in managing the data once ingested (e.g., routing to other ArcSight components or third-party solutions).
- ArcSight ESM is leveraged by many very large enterprises, government organizations and MSSPs. This is due to its correlation engine, which was upgraded in version 7 to support federated event ingestions that can handle 100k EPS per ESM cluster via horizontal scaling or 100k EPS per node in vertical scaling models.
To Take Under Advisement:
- The Micro Focus ArcSight platform relies on multiple databases, depending on the components and applications used (e.g., ESM uses CORR-Engine, Investigate uses Vertica and UBA leverages Microsoft SQL). The roadmap for a simplified storage tier based on Vertica has not been released.
- Buyers looking for an integrated UBA solution should confirm the status of Micro Focus’ offering as the version is licensed from Securonix and, while recently updated, is an older version.
- Although Micro Focus ArcSight occasionally appears on shortlists for new SIEM deployments, inquiries about replacing ArcSight are common. Client interest in Micro Focus ArcSight Express specifically is minimal and is rarely mentioned or included on shortlists of MSEs and smaller enterprise clients.
- Customer feedback on the overall experience with Micro Focus is below average and lags behind most competitors in the market.
Who uses it: large enterprises
How it is deployed: options for subscription cloud service, virtual appliance, physical servers
eWEEK score: 4.5/5.0
How Do You Find the Best SIEM Tool for Your Business?
SIEM products are differentiated by cost, features and ease of use. Generally, you get what you pay for–greater sophistication and management complexity require higher-end management, so buyers must weigh their needs, budget and expertise as they decide on a SIEM system.