We have been watching this tool since it was born years ago as the NitroView SIEM. At that time, we said it was a vastly superior analysis tool but for user friendliness it had a way to go. A lot of its powerful functionality required a user with more than a little knowledge in the art of SIEM management. You certainly could not make that statement now. This is many times more powerful than those early models and so much is done automatically, if you wish, that it is a great SOC tool without sacrificing its value as an analyst tool.
This amazed us since the UI has not changed fundamentally since the first release. Moreover, it is a next-generation SIEM that is constantly evolving. Even so, it has immense functionality and integrates with a huge list of industry-standard log sources. The basic tool provides SIEM, compliance, enterprise log management and network analysis functions, and includes McAfee Event Receiver, which collects data for correlation and analysis by McAfee Enterprise Security Manager. It is licensed per VM instance.
Enterprise Security Manager - ESM - provides scalability and the performance needed for collecting and correlating massive volumes of log, flow and contextual data, including third-party threat feeds, application sessions and database activity. It provides simultaneous real-time and historical operations for optimizing threat investigations and forensics. While that is a bit of a mouthful, ESM does deliver. It comes standard with the McAfee Integrated Threat Defense and Global Threat Intelligence, but can consume threat feeds from a large number of third-party sources.
In addition, the tool can ingest indicators of compromise (IOCs) from leading sources and, something we really like, STIX XML files. All of this goes into the mix and the tool analyzes based on the usual log input, asset input and weighting and other traditional SIEM capabilities, plus the threat intelligence and IOCs. There is an expanded watch list capability that now includes such things as https, and IOCs can be searched over a user-selected period using Backtrace. This allows analysis and alerting based on an IOC that was not available at the time of an earlier event but that might describe aspects of the event that weren't caught at the time.
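To make the retrospective IOC search described above concrete, here is an added example that is not McAfee's code and does not use any ESM API: it parses a constructed STIX 1.x-style XML package (namespaces are the public STIX/CybOX ones; the indicator IDs, addresses and domain are placeholders), builds a watch list from the address and domain observables, and then replays a set of constructed historical events over a chosen window, flagging hits on events that were logged before the indicator was published. The function and field names are assumptions of this example.

```python
"""Retrospective IOC matching ("backtrace") over stored events.

Added example, not McAfee code. Parses a constructed STIX 1.x-style package,
loads its observables into a watch list, then replays historical events so
that matches predating the indicator's publication are still surfaced.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Namespaces used by STIX 1.x / CybOX 2.x documents.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
}

# Constructed sample package; IDs and values are placeholders, not real IOCs.
SAMPLE_STIX = """<?xml version="1.0" encoding="UTF-8"?>
<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:Package-1" version="1.2">
  <stix:Indicators>
    <stix:Indicator xsi:type="indicator:IndicatorType"
        id="example:indicator-1" timestamp="2024-03-10T12:00:00Z">
      <indicator:Observable id="example:observable-1">
        <cybox:Object id="example:object-1">
          <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
            <AddressObj:Address_Value>203.0.113.45</AddressObj:Address_Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
    <stix:Indicator xsi:type="indicator:IndicatorType"
        id="example:indicator-2" timestamp="2024-03-12T08:30:00Z">
      <indicator:Observable id="example:observable-2">
        <cybox:Object id="example:object-2">
          <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN">
            <DomainNameObj:Value>bad.example.net</DomainNameObj:Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
"""

# Constructed historical events, as a SIEM would have stored them earlier.
SAMPLE_EVENTS = [
    {"time": "2024-03-08T22:15:00Z", "src": "10.0.0.7", "dst": "203.0.113.45", "domain": None},
    {"time": "2024-03-09T03:40:00Z", "src": "10.0.0.9", "dst": "198.51.100.2", "domain": "bad.example.net"},
    {"time": "2024-03-11T09:00:00Z", "src": "10.0.0.7", "dst": "203.0.113.45", "domain": None},
    {"time": "2024-03-13T14:05:00Z", "src": "10.0.0.12", "dst": "192.0.2.10", "domain": "good.example.org"},
]


def parse_iso(ts):
    """Parse a Zulu ISO-8601 timestamp into a timezone-aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_watchlist(stix_xml):
    """Return {observable_value: (indicator_id, published_at)} from a STIX 1.x package."""
    root = ET.fromstring(stix_xml)
    watchlist = {}
    for ind in root.findall(".//stix:Indicator", NS):
        published = parse_iso(ind.get("timestamp"))
        values = [e.text.strip() for e in ind.findall(".//AddressObj:Address_Value", NS)]
        values += [e.text.strip() for e in ind.findall(".//DomainNameObj:Value", NS)]
        for v in values:
            watchlist[v] = (ind.get("id"), published)
    return watchlist


def backtrace(events, watchlist, window_start, window_end):
    """Replay stored events within [window_start, window_end] against the watch list.

    Each hit notes whether the event predates the indicator's publication, i.e.
    whether real-time matching alone would have missed it.
    """
    hits = []
    for ev in events:
        when = parse_iso(ev["time"])
        if not (window_start <= when <= window_end):
            continue
        for field in ("dst", "domain"):
            value = ev.get(field)
            if value in watchlist:
                ind_id, published = watchlist[value]
                hits.append({"event_time": ev["time"], "field": field, "value": value,
                             "indicator": ind_id, "retrospective": when < published})
    return hits


if __name__ == "__main__":
    wl = load_watchlist(SAMPLE_STIX)
    for hit in backtrace(SAMPLE_EVENTS, wl,
                         parse_iso("2024-03-01T00:00:00Z"), parse_iso("2024-03-31T00:00:00Z")):
        print(hit)
```

Two of the three hits are marked retrospective: the events were recorded days before either indicator existed, which is exactly the case a real-time-only correlation would never raise. Narrowing the window to dates after the indicators were published drops those hits, which is why the analyst-selected lookback period matters.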
Other new features include access to a sandbox and preconfigured use cases. One of the challenges with earlier versions of ESM was setting up meaningful dashboards. That usually meant figuring out what you wanted to see in a particular use case, setting up a dashboard, a set of assets and weightings, and experimenting until you got just the right combination of displays to give a meaningful starting point for drilldown. True, there always have been some canned use cases supplied with the product but they were limited. Not anymore. Now the tool comes with dozens of preconfigured use cases and they are among the richest and most complete we've seen in any tool. Drilldown is excellent and you can pivot on findings within a particular drilldown for more detail.
Should a particular use case yield a questionable file, it goes to a sandbox where it is analyzed and the results are fed back into the overall threat analysis and alerting. While the product is an on-premises tool, it communicates regularly with the McAfee cloud where it gets updates to such things as use cases, rules and content packs. Documentation is excellent and support is comprehensive. Pricing is not inexpensive, but it is more than reasonable for this powerhouse. This is a tool that shines in a large environment, but we have used it in a much smaller venue with very good success.