ArcSight License

ArcSight Licensing


ArcSight Enterprise Security Manager (ESM)

Experience powerful, efficient threat detection and response through security analytics from a next-gen SIEM.

Real-time threat detection and response backed by a powerful, open and intelligent SIEM (Security Information and Event Management).


ArcSight ESM leverages the Security Open Data Platform, whose Smart Connectors can connect to 450+ data source types to collect, aggregate, clean, and enrich your data before feeding it into your security analytics. By structuring your data, ESM makes it both more useful and more cost-effective. It’s also scalable, so you don’t have to worry about data growth.


Real-time correlation offers the fastest way to detect and escalate known threats – and ArcSight does it better than anyone. Backed by intelligence feeds, distributed correlation, customizable rulesets, layered analytics, community content, and the Activate framework, ArcSight is equipped to scalably address any SIEM use case your organization faces, no matter how complex.


Enable your SOC with swift, efficient threat response. ArcSight enables both simple and complex automated responses, out-of-the-box, that can be triggered on-demand or by specific alerts. It can even report back if additional response is needed. In addition to this, ArcSight also integrates with leading SOAR and digital workflow solutions such as ATAR Labs and ServiceNow.


ArcSight’s open architecture enables it to swap data, insights, and alerts with your existing security analytics solutions, including Interset UEBA, ArcSight Investigate, and our many ArcSight partners. This layered analytics approach helps ESM deliver even more effective threat detection with fewer false positives and more informative alerts, for a more efficient SOC.

ArcSight vs Splunk: Top SIEM Solutions Compared

Organizations looking to purchase a security information and event management (SIEM) solution really can’t go wrong with either Micro Focus ArcSight or Splunk. Customers rate both solutions highly, and analysts have also given them favorable reviews.

But while Splunk gets high marks for ease of use, deploying it at scale can be a challenge. And while ArcSight offers an open architecture and provides its users with an unusual degree of detail, some users have expressed frustration with its learning curve.

Both were featured in eSecurity Planet’s list of top 10 SIEM products. This article takes a look at some key features of each solution and delves into their respective strengths and weaknesses.

ArcSight and Splunk features and options

Micro Focus purchased ArcSight Enterprise Security Manager (ESM) from HPE in 2017. The solution, which can collect and correlate data from up to 75,000 events per second (EPS), combines an open architecture for security data, real time correlation, and an analytics-driven approach. ArcSight is comprised of three key layers: ArcSight ESM for threat detection, ArcSight Data Platform (ADP) for data collection/distribution, and ArcSight Investigate for investigation/analytics.

“ArcSight differentiates from the competition by combining the power of open architecture for security data, real time correlation, and an analytics-driven approach to hunt and investigation, which helps leading companies stay ahead of cyber threats,” Micro Focus product marketing lead for security operations Sonny Dasgupta told eSecurity Planet.

Splunk Enterprise Security (ES) gives users a security-specific view of data, enhancing detection capabilities and optimizing incident response. The Security Posture Dashboard provides clear situational awareness by tracking key security indicators and security metrics. All aspects of data source, key indicators and visual displays are customizable to meet the user’s needs.

The Splunkbase app store library includes more than 1,000 apps and add-ons from Splunk, the company’s partners, and the user community, including Splunk Security Essentials for Ransomware, G Suite for Splunk, Splunk Security Essentials for Fraud Detection, and Splunk App for PCI Compliance. The Adaptive Response Initiative, a Splunk-led security collective with more than 30 partners, also helps integrate technologies such as cloud security, endpoint security and threat intelligence.

Recent SIEM product improvements

In October 2016, ArcSight launched a new open architecture security data model with its intelligent Event Broker solution, which provides users with clean, enriched security data for third party analytics and machine learning tools. The intuitive security hunt and investigation solution ArcSight Investigate was launched in 2017. ArcSight ESM also now supports a distributed correlation mode, allowing the deployment of multiple instances of correlators and aggregators to increase processing speed.

In the past year, Splunk has introduced Booz Allen Hamilton Cyber4Sight for Splunk, which combines data from Booz Allen’s threat intelligence service with analytics-driven security insights from Splunk ES. The subscription service Splunk ES Content Update was also launched in 2017, providing dynamic new security content on an ongoing basis. And Splunk User Behavior Analytics (UBA) 4.0, launched in 2017, allows users to create and load their own machine learning models to identify custom threats.

Strengths and weaknesses: ArcSight

ArcSight is able to ingest data from a wide variety of sources – and its open platform enables structured data to be used outside the ArcSight solution. Its API allows for extensive integration in SOC environments, Gartner reports, and the solution can be fully customized to support threat management and compliance-focused use cases.

Still, the research firm notes that several elements of ArcSight’s architecture were being updated prior to the Micro Focus acquisition, so prospective users should make sure Micro Focus will continue to meet those commitments regarding functionality improvements and support.

Some of those changes have involved the introduction of ADP, Investigate and other components to support richer analytics, while still supporting legacy functionality. “As a result, customer choices regarding the deployment of some elements of the solution can result in duplication of data,” Gartner advises.

Strengths and weaknesses: Splunk

Splunk users have access to advanced analytics functionality in several ways – built into the core search capabilities, with the Machine Learning Toolkit, prepackaged in UBA, and from third-party app providers – and Gartner notes that Splunk’s large partner ecosystem offers a wide range of integration services and additional content.

Still, Gartner says its clients who have implemented Splunk consistently express concern about the licensing model and the cost of implementation. Additionally, while Splunk UBA is attractive to Splunk users who want to add UBA functionality, it competes with other UEBA solutions, some of which also offer SIEM features.

“Buyers considering using Splunk for SIEM and a third-party solution for UEBA must validate the degree of integration of the solutions and assess the commitment of the respective vendors to continued integration,” the research firm suggests.