We just raised a $30M Series A: Read our story

AlienVault OSSIM OverviewUNIXBusinessApplication

AlienVault OSSIM is #15 ranked solution in top Security Information and Event Management (SIEM) tools. IT Central Station users give AlienVault OSSIM an average rating of 8 out of 10. AlienVault OSSIM is most commonly compared to AT&T AlienVault USM:AlienVault OSSIM vs AT&T AlienVault USM. The top industry researching this solution are professionals from a comms service provider, accounting for 31% of all views.
What is AlienVault OSSIM?

AlienVault OSSIM, Open Source Security Information and Event Management (SIEM), provides you with a feature-rich open source SIEM complete with event collection, normalization and correlation. Launched by security engineers because of the lack of available open source products, AlienVault OSSIM was created specifically to address the reality many security professionals face: A SIEM, whether it is open source or commercial, is virtually useless without the basic security controls necessary for security visibility.

AlienVault OSSIM was previously known as OSSIM.

AlienVault OSSIM Buyer's Guide

Download the AlienVault OSSIM Buyer's Guide including reviews and more. Updated: November 2021

AlienVault OSSIM Customers

Council Rock School District

AlienVault OSSIM Video

Archived AlienVault OSSIM Reviews (more than two years old)

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
Denis L
Sales Solutions Engineer at a tech services company with 51-200 employees
Reseller
Top 5Leaderboard
Integration with OTX enables us to see which IPs are malicious

Pros and Cons

  • "OSSIM is the only solution that includes the large number of modules that we need: a vulnerability scanner, a network IDS system, a host IDS system."
  • "We need more dashboards and we need more customization for dashboards."

What is our primary use case?

The primary use case is local action, vulnerability scanning, and usage of Network IDS. We use some process and correlation rules for our business our customers' businesses.

How has it helped my organization?

When we forward in-traffic from our one interface to Network IDS in OSSIM, we can see all of the requests that we have to and from that interface. Because of integration with Open Threat Exchange from AlienVault, we see which IPs from these requests are malicious and we can use these IPs to block them on our firewall.

What needs improvement?

We need more dashboards and we need more customization for dashboards. It would be great if they would improve in this area.

What do I think about the stability of the solution?

The stability of OSSIM is not bad. Because it is an open-source version of a commercial product, it has some restrictions on the size of infrastructure that you can integrate with it. But if you don't go beyond these restrictions, it has great stability.

What do I think about the scalability of the solution?

The server is the "brain" of the system, and there are the sensors. They are like collectors of information for the server. It depends on the size of the business and on geographical issues connected to the business. You can install sensors in all of your branch offices and the server in your main office and it works well in this type of deployment.

How are customer service and technical support?

Great guys. They work fast and they have great experience with their solutions and give great support.

Which solution did I use previously and why did I switch?

OSSIM was the first solution that I used in this area.

I started to work with its commercial brother, AlienVault USM. When I started to use that, I received some question from my customers about comparing USM and OSSIM. So at the time, I started to use OSSIM, to learn it and compare it with USM. I needed to answer the question, "Why do we need to pay AlienVault money to use their commercial product when they have open-source?" I needed to know the differences.

How was the initial setup?

The initial setup is really straightforward. It's like a Windows program: "Next, next, next, and finish." I don't remember if it was in the open-source versions or the commercial, but it may be that in OSSIM you also have results that can help you with the initial configuration. But overall, the initial setup and configuration are really easy.

In terms of how long the setup took, it's a more complex question. We need to integrate modules such as Network IDS, we need to install agents, we need to perform the initial configuration of OSSIM. For example, we need to configure the SPAN port and send traffic from some of our network devices to AlienVault OSSIM. It can take one hour or one day. It depends on the environment and the size of infrastructure and the size of the business. You may have one firewall or 100 firewalls. It doesn't take a lot of time, but depending on the size of the business, it may take from one hour to a day or two.

When it comes to maintenance of the solution, it also depends on the size of the business. In some companies, where there are 100 users and a small room with servers, you need only one administrator for this system, for maintenance and deployment and everything. But when there is a big company with a big number of employees, 1,000-plus, we may need some more people for deployment and for maintenance.

What about the implementation team?

I've done the setup by myself. In some types of deployments, when I have questions, I also include guys from the AlienVault team, but I haven't had to use them many times.

What's my experience with pricing, setup cost, and licensing?

OSSIM is free.

Which other solutions did I evaluate?

I didn't look at other options. OSSIM is the only solution that includes the large number of modules that we need: a vulnerability scanner, a network IDS system, a host IDS system. The solution also provides us with a correlation engine for our logs. This is the best option on the market and I didn't see any similar solutions.

What other advice do I have?

I used this product for about a year. It was on-premise.

My advice is to just read the manual. OSSIM is very simple. If you know why you need to use it, you will be happy.

The biggest lesson is that the logs are "power." In these logs, with a good normalization engine, you can find so much very useful information about your infrastructure, sometimes about your employees, and about your business-critical processes.

I would rate the solution at ten out of ten. It's really the best open-source CM on the market. It's simple, it has OTX integration. OTX, the Open Threat Exchange, is also a great product from AlienVault. It's like Facebook for indicators of compromises. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
BonganiMkwananzi
Owner & Cyber Security Consultant at Sekurisor
Consultant
Great solution for checking vulnerabilities, and it's free to use, but the initial setup is a bit tricky

Pros and Cons

  • "The open vault component and the checking of vulnerabilities are the most valuable features. The page management helps with this. If you know how your device is vulnerable at least you can do something about it."
  • "The initial setup was a bit complex. You've got to do a lot of reading. It's not an intuitive implementation."

What is our primary use case?

We primarily use the solution just to check on devices. OSSIM does a lot of different things to help with this, including a bit of analytics, vulnerability testing, assessment, etc.

What is most valuable?

The open vault component and the checking of vulnerabilities are the most valuable features. The page management helps with this. If you know how your device is vulnerable, at least you can do something about it.

What needs improvement?

It's not easy to add a device that doesn't have a steady IP. Particularly when you're not putting a sensor on-site. When you have a sensor on-site, then that sensor speaks to the main sensor. We are trying to look for quality devices that give a dynamic IP, so it makes it practically impossible to add a new device.

If there was a way to do dynamic DNS, I think that would help.

For how long have I used the solution?

I've been using the solution for almost one year.

What do I think about the stability of the solution?

The stability of the solution is fine.

What do I think about the scalability of the solution?

Scalability can be a bit tricky, especially for network devices. We have about 150 devices on the solution right now that I am monitoring.

Which solution did I use previously and why did I switch?

We didn't previously use another solution.

How was the initial setup?

The initial setup was a bit complex. You've got to do a lot of reading. It's not an intuitive implementation. The deployment didn't take a long time, however.

What about the implementation team?

I handled the implementation myself.

What's my experience with pricing, setup cost, and licensing?

The solution is open-source, so it's free to use.

Which other solutions did I evaluate?

We did evaluate another solution.

What other advice do I have?

We use the cloud deployment model. I have a server that I subscribe people to.

I would advise others to consider, if they get more customers, to do the commercial version the OSSIM from AlienVault. It's now part of AT&T, so there's a lot of support.

I would rate the solution seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Learn what your peers think about AlienVault OSSIM. Get advice and tips from experienced pros sharing their opinions. Updated: November 2021.
554,382 professionals have used our research since 2012.
Kuzey Aksu
Information Security Manager at a financial services firm with 201-500 employees
Real User
A cost-effective, stable solution that offers timely technical support

Pros and Cons

  • "You pay monthly for the solution. I think it's one of the best products. If you compare with other companies, like LogRhythm, etc., the top 8 or 10 CMs, I think Alien Vault has the best price-performance ratio."
  • "The user interface could be improved."

What is most valuable?

AlienVault's features are all quite valuable. Using the CM to get post pay logs and lateral pay logs to a connection is also helpful.

What needs improvement?

The biggest thing I always complain about is that the user intake is a very old version. In cloud versions, it is very good, but for on-premises versions, it's not so good. If they want to improve the on-premises version, they should upgrade the SQL.

The user interface could be improved.

For how long have I used the solution?

I've been using the solution for 18 months.

What do I think about the stability of the solution?

The solution is very stable. We've never had any availability issues. Our consultant used a 12 core CPU, but he only used half of it.

What do I think about the scalability of the solution?

From a scalability perspective, it's very good software. It is very scalable because it has a very flexible architecture. You can connect one source in one server, and then you can connect four additional ones off that. You can put one on in front of it and you can put four under it and you can put four each off of that, etc. It's pretty open to scalable architecture.

How are customer service and technical support?

Technical support was very good. They've always responded on time.

How was the initial setup?

The initial setup wasn't too complicated. We didn't have any problems.

What about the implementation team?

We implemented the solution with the help of a consultant.

What's my experience with pricing, setup cost, and licensing?

You pay monthly for the solution. I think it's one of the best products. If you compare with other companies, like LogRhythm, etc., the top 8 or 10 CMs, I think AlienVault has the best price-performance ratio.

What other advice do I have?

We use the on-premises deployment model.

I would rate the solution nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
S Mustafa Afzouni
Development Manager at a tech services company with 51-200 employees
Real User
A free solution with an easy installation, but the system is slow

What is our primary use case?

I primarily use the solution for securing my traffic and the SIEM.

What is most valuable?

The fact that it is free is the most valuable aspect of the solution.

What needs improvement?

It's under heavy traffic. If you have heavy traffic, the system is slow. 

For how long have I used the solution?

I've been using the solution for two years.

What do I think about the scalability of the solution?

The scalability of the solution is okay. We have about 100 users right now.

How are customer service and technical support?

Technical support is fine, but if you have a problem, for example, if you have to decode or fix some bugs, you have to manage it yourself.

Which solution did I use previously and why did I switch?

We did not previously use a…

What is our primary use case?

I primarily use the solution for securing my traffic and the SIEM.

What is most valuable?

The fact that it is free is the most valuable aspect of the solution.

What needs improvement?

It's under heavy traffic. If you have heavy traffic, the system is slow. 

For how long have I used the solution?

I've been using the solution for two years.

What do I think about the scalability of the solution?

The scalability of the solution is okay. We have about 100 users right now.

How are customer service and technical support?

Technical support is fine, but if you have a problem, for example, if you have to decode or fix some bugs, you have to manage it yourself.

Which solution did I use previously and why did I switch?

We did not previously use a different solution.

How was the initial setup?

The initial setup was straightforward. I didn't have any problems.

What about the implementation team?

I implemented the solution myself.

What's my experience with pricing, setup cost, and licensing?

The solution is free to use.

Which other solutions did I evaluate?

We didn't evaluate other options before choosing this solution.

What other advice do I have?

The installation is easy, but it's not very compatible with some of our other solutions. Still, it's okay, it's very good. It integrates well with ELK.

I would rate the solution six out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
MohamedMohsen
Founder & CEO at MnZ Technology Solutions
Reseller
Full fledged solution where everything comes in one box

Pros and Cons

  • "With AlienVault you get everything in one box."
  • "Sometimes technical issues take very long to get resolved."

What is our primary use case?

Our primary use case for AlienVault is incident management. We started as a customer because one of our companies worked on it. Eventually, we started reselling the service. 

What is most valuable?

What I like about this product, is that it is a fully-fledged solution. I don't need to buy any complementary products, everything comes in one box.

What needs improvement?

I would like to see an improvement in their threat exchange database because the OTX is not the best thing in the marketplace. There are better solutions. So if they could enhance our feature development, it would make the product much better. 

For me, the user interface is very important, because the simpler the user interface is, the easier it is to find candidates to run the operation. If the user interface is very complicated, you need to expose your technical people to very intensive training in order to understand the system and to get the output right. So, from a user perspective, I would say the simpler the user interface, the better the product, especially for security issues. You need to let your tech people concentrate on the incident rather than on how to use the software to get the answer.

Lastly, if technical issues could be resolved faster, it would be a huge improvement. 

For how long have I used the solution?

We've been using this solution for two years now.

What do I think about the stability of the solution?

This solution is about 90% stable. I do have a problem with vulnerability.

What do I think about the scalability of the solution?

It's a very scalable product. I will say it is 100% scalable. It is currently managing the entire security of the firm, but it's managed by four members of our staff because it's a 24/7 operation. Three of them work shifts, and one of them is the supervisor. 

How are customer service and technical support?

I will give their technical support 80%. Although I am not completely satisfied, their response is good. I give their response 100% because whenever you open a ticket, you get communication on the spot. But sometimes it takes very long for your issue to get resolved. And that's why I'm only giving them 80%.

Which solution did I use previously and why did I switch?

We also used IBM QRadar before, but we did not get proper support and that's why we switched to AlienVault. 

How was the initial setup?

The initial setup was rather complex and it took us about a day to finalize everything. When we did the deployment, we had some support from AlienVault. And eventually, when we installed it for our customers, our technical team did it by themselves. They didn't require any kind of support from AlienVault.

What's my experience with pricing, setup cost, and licensing?

The price was good and it matched out budget at that stage.

Which other solutions did I evaluate?

We looked at ArcSight as an option at the beginning, but the pricing was not what we were looking for. And we don't have the proper channel to sell ArcSight in Egypt. That's why we decided to go to AlienVault.

What other advice do I have?

If anybody asked me if am I happy with AlienVault, I would say that it is a very good product. Frankly speaking, if anybody asked me about QRadar or ArcSight I will say the same, but it requires lots of training and you need to have a source for the product and for the pricing, otherwise, you will end up paying an enormous amount of money.

With AlienVault you get everything in one box. I will rate this product an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
IA
Chief Operating Officer at a insurance company with 201-500 employees
Reseller
Top 20
A good open-source solution for small setups, but needs more analytic functionality

Pros and Cons

  • "The solution has a very good open source community, and whenever we have problems, we are always able to resolve it online."
  • "The solution needs more integration with cyber intelligence systems."

What needs improvement?

The solution needs more integration with cyber intelligence systems. 

Our customers want to use a single tool for managing cybersecurity. We want integration with existing tools and integration with newer tools that offer the ability to manage or to identify security vulnerabilities in a gateway system or firewall. Basically, we want the solution to offer configuration management. 

I would want it to be integrated with lasting search, in terms that it could gather a lot of intelligence and dump it into the database. Also, it would be useful if we were able to run analytics on the solution. If they can integrate it with an analytic function it would be better.

For how long have I used the solution?

I've been using the solution for four years.

What do I think about the stability of the solution?

I haven't had time to compare the stability to other solutions, but for our purposes it's okay.

How are customer service and technical support?

You need to pay for technical support, but I didn't pay for it, so I can't say much about it. The solution has a very good open source community, and whenever we have problems, we are always able to resolve it online.

How was the initial setup?

The initial setup was straightforward. 

There wasn't any complexity. The only issue we had was when we installed it on a virtual layer. We found a way around it, however. It was the open-source virtualization that gave us trouble. There was a workaround and we applied it and it was okay.

What's my experience with pricing, setup cost, and licensing?

The solution is open-source. You need to pay for support if you want it.

What other advice do I have?

We use the on-premises deployment model.

We have a small setup. It's an environment that supports only about 20 users, so, it's not really a complex setup.

I would give the solution a rating of seven out of ten. I believe if I paid for the support I'd get a higher quality of software and other additional functionalities.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
AF
Cyber Security Specialist at AEC
Real User
A good, stable open-source solution for small environments

Pros and Cons

  • "The solution is very stable. Compared to Qradar and Splunk, it's very stable."
  • "The user interface needs to be friendlier across the board."

What is our primary use case?

I primarily use the solution for log collection.

What is most valuable?

AlienVault sometimes works like an appendix. It's not accurate in most cases, but we use an agent like WinCollect to collect logs. We collate the information. The solution is fast-acting when it comes to collecting the logs, and for all the inter-process work.

What needs improvement?

The log collection is okay, but tracing the logs or tracing the events is a bit difficult. It's not user-friendly. A user must be an expert and must know how to give the logs, how to configure the system, etc. He has to be an expert on this product.

The user interface needs to be friendlier across the board. Also, I would prefer if the kill chain scenario with every event was not stacked. I need to be able to do an SQL query and figure out where the event came from and tag to the source and destination. I cannot see this easily as it is right now.

For how long have I used the solution?

I've been using the solution for 1.5 years.

What do I think about the stability of the solution?

The solution is very stable. Compared to Qradar and Splunk, it's very stable.

How are customer service and technical support?

I've never had to use technical support.

Which solution did I use previously and why did I switch?

I previously used QRadar and Splunk.

How was the initial setup?

I'm not sure how difficult the initial setup was, but it did take a very long time to implement.

What's my experience with pricing, setup cost, and licensing?

The solution is open-source, so there are no licensing costs.

What other advice do I have?

I've used this for a small environment, and it was amazing. I'm currently converting to QRadar now because I am expanding. I am handling more than 30,000 events per second. I can't use Alien Vault, as it's too high a threshold.

I do recommend the solution, however, for those with small environments that don't handle as many events. It works great for anything under 1,000 events per second.

I would rate the solution eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
RajaniKant Singh
CISO with 1,001-5,000 employees
Real User
Provides threat alerts on harmful code in the network

Pros and Cons

  • "The threat alerts it gives me from time to time on harmful code within the network, or if they are generating any network traffic, are very useful."
  • "It takes some time. It does not give me a prompt response for any such [malicious] traffic. It takes time to get that alert from the AlienVault system."

What is our primary use case?

I use it for monitoring. I use it for getting alerts on various malicious activities, if there are such on my network. I'm using the free version of this product, OSSIM.

As a media company, we follow MPAA, which is a set of controls for media businesses. The other set of compliance that we follow is DPP. We use AlienVault to comply to their standards.

How has it helped my organization?

We have various media organizations from which we get data into our network and then it goes out. If you put any control, any device, or anything to sense the traffic, it will say that it's malicious traffic, because of the nature of most of the traffic that we generate. We usually upload or download TV shows or films, they go in and out. The same size of IP packets increase because of the kind of transfer that we do.

In addition to that, we also are into broadcasting. We send the data to broadcasting stations, and from there it gets broadcasted on air.

It has really helped find critical vulnerabilities in our network at times. There was a brute force attack, a web attack, and I was able to discover that using AlienVault. There was a WannaCry in one of my systems, a trojan, and it was generating traffic towards the WannaCry domain. I was able to see that through the AlienVault system. It was not immediate. It was after almost three days that I was able to discover that there was a vulnerability within our network.

What is most valuable?

The threat alerts it gives me from time to time on harmful code within the network, or if it is generating any network traffic, are very useful. However, it takes some time. It does not give me a prompt response for any such traffic. It takes time to get that alert from the AlienVault system.

I'm using it for discovering assets every day. If there are any changes in my network, I give it additional subnets which have been added. It adds all the assets to my dashboard.

What needs improvement?

I find it very useful when it is for a small or mid-size enterprise. The problem I see in this product is that it is not meant for a large business or for managing critical business services.

AlienVault-like products are not meant for businesses like the banking sector or insurance and places that require strong regulatory compliance, in my experience, because of delays in response. And sometimes it is very complicated to configure this for specific requirements. Writing APIs, etc. takes time. On the other hand, if you look into other products in the market, it's easy to write APIs or integrate them with other database services or middleware and your application layer services, and get the alerts.

It does not help me to respond to the threats all the time. That's why we are also working with Splunk. Splunk is used by one of our service providers and we can directly ask them to use Splunk instead of any other SIEM solutions.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

I find it to be stable. That's why I'm using it. Given that it's free of cost, whatever it gives us is more than enough.

What do I think about the scalability of the solution?

I haven't explored scalability very much but the scalability is open. It's scalable up to a level where we can manage a mid-size business. As I said earlier, it is not suitable for the banking sector at all, because they require stringent controls and monitoring, real-time monitoring, which this tool doesn't have; at least, I haven't seen it. Perhaps it's my bad that I haven't seen this tool give me a proper response, on time. It takes time for it to give a response.

Which solution did I use previously and why did I switch?

I've used and evaluated QRadar vs AlientVault very extensively - I was working with IBM. I used it for ten years. I used and have compared ArcSight vs AlienVault as well, at my previous organization. At that organization, I also deployed AlienVault because I am comfortable with AlienVault.

Those competitors to AlienVault are very user-friendly, their interfaces are very user-friendly. They have multiple options such as generating reports and getting immediate alerts.

If somebody changes the privileges in the system or some code changes the privileges in the system, AlienVault is lacking there. Machine-learning and artificial intelligence are things that AlienVault should explore. If those were added to it, no product could replace it.

How was the initial setup?

My setup is very complex. The network is segmented and configured differently for different customers.

The initial deployment started around two years ago. It took around one-and-a-half years to make this product stable and to talk to each and every device in my network and give me some sort of report which would actually give me the right posture of my security status. I did the complete deployment myself.

The implementation strategy was there and that's why it took a long time. We were also engaged in other business activities, so it took a long time to make this into a proper deployment.

What about the implementation team?

We didn't have any third-parties involved. It was all mine. I started with the web, through YouTube, through various other social media, and a couple of people who used it earlier. I now have several years of experience. That has helped me a lot in getting this deployed.

What was our ROI?

There is a financial value. It's giving me some value and I've already had a good amount of results on AlienVault products. I deployed it at multiple stations, three or four cities in India, two in the US, and one in the UK. I have deployed it widely because I find that it gives value for money. If I got the paid version at the right cost, I think it would be the best product available in the market for a business like ours.

What's my experience with pricing, setup cost, and licensing?

A product like Splunk will squeeze you for money if you ask them to provide similar services. So I find this solution very useful in that sense.

AlienVault pricing is the best. Whatever cost you are paying, you are getting a return on every penny. I have advised multiple friends of mine, those who are into the security arena, to go for AlienVault. It's not like your IBM, your QRadar, or Splunk, where the cost is too high.

What other advice do I have?

If your network is flat, if it is not that complicated, then you should go for it. I'm using it free of cost, so I'm very happy with AlienVault.

I'm the only one who's controlling it. I have a team of five. They are my soft team. They monitor all the alerts 24/7. It takes a team of five to maintain it. I lead the security section and among the other five, two are network specialists and three are system administrators.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free AlienVault OSSIM Report and get advice and tips from experienced pros sharing their opinions.