We compared Splunk Enterprise Security and ArcSight ESM across several parameters based on our users' reviews. After reading the collected data, you can find our conclusion below:
Features: Splunk Enterprise Security stands out for its efficiency, extensive integration options, and powerful search functionality. Users say Splunk is a highly scalable and customizable solution. ArcSight ESM is praised for its well-designed dashboard, real-time reporting, and threat intelligence capabilities that leverage AI and correlation tools.
Room for Improvement: Splunk users recommended improvements in AI capabilities, user-friendliness, and analytics. ArcSight ESM users have recommended improvements in training, speed, and data administration.
Service and Support: While some users found Splunk support to be responsive and helpful, others reported slow response times and a lack of expertise. Some ArcSight ESM users have found the support to be responsive and helpful, while others have faced issues with slow response times and a lack of expertise.
Ease of Deployment: Some users thought Splunk Enterprise Security was easy to deploy, while others found it challenging and needed assistance from Splunk engineers or third-party integrators. Some said that ArcSight ESM is straightforward to set up, while others noted that integration with other systems can be challenging and requires specialized knowledge.
Pricing: Some users consider Splunk Enterprise Security to be expensive, but others said the price is reasonable. A few users expressed concerns about the cost of scaling up the solution and managing large volumes of data. Users consider the pricing of ArcSight ESM to be reasonable and affordable.
ROI: Users said that it’s challenging to calculate an ROI for Splunk Enterprise Security, and the return varies depending on individual circumstances. While some users have observed a substantial ROI, others have not actively explored or been engaged in ROI conversations. Splunk Enterprise Security offers varying ROI outcomes based on different situations, with certain users achieving significant returns. ArcSight ESM delivers an ROI by helping clients achieve compliance objectives and prevent incidents.
Comparison Results: Splunk is highly regarded for its efficient data processing and powerful search features, but users suggested improvements to its AI capabilities and analytics. ArcSight ESM offers robust threat intelligence and real-time reporting but falls short in terms of data administration and speed.
"The product can integrate with any device."
"Sentinel improved how we investigate incidents. We can create watchlists and update them to align with the latest threat intelligence. The information Microsoft provides enables us to understand thoroughly and improve as we go along. It allows us to provide monthly reports to our clients on their security posture."
"The most valuable feature is the UEBA. It's very easy for a security operations analyst. It has a one-touch analysis where you can search for a particular entity, and you can get a complete overview of that entity or user."
"Sentinel is a SIEM and SOAR tool, so its automation is the best feature; we can reduce human interaction, freeing up our human resources."
"Microsoft Sentinel comes preloaded with templates for teaching and analytics rules."
"We’ve got process improvement that's happened across multiple different fronts within the organization, within our IT organization based on this tool being in place."
"The most valuable feature is the alert notifications, which are categorized by severity levels: informational, low, medium, and high."
"Microsoft Sentinel enables you to ingest data from the entire ecosystem and that connection of data helps you to monitor critical resources and to know what's happening in the environment."
"Very good real-time reporting with a good dashboard."
"Usability is the most valuable feature. The accessibility is quite good."
"The tool is good for correlation and aggregation. We use it as a collection platform."
"It has absolutely improved the efficiency of our security team. We use it internally as well. It is such a powerful tool that our internal security team became a customer of our ArcSight managed service."
"I would rate the ease of use for new users an eight out of ten, with ten being easy to use. It is a good tool."
"This process has helped to improve our organization because we have centralized the intra-group security equipment logs."
"We do consulting and I get feedback from our clients that the product really helped them with compliance, especially with GDPR."
"The out-of-the-box rules that help us configure functioning rules within the environment are valuable."
"We can ingest and correlate data from virtually any type of system."
"Splunk's visualizations make it easy for users to understand the data."
"Good for log collection and log management."
"With good domain knowledge, one can build almost anything. If you throw in Alert Manager or an integration with ServiceNow. Then, you have your own SIEM"
"Alerts when a server is malfunctioning, monitors external attacks, and takes action to stop spreading viruses."
"The visibility is amazing with easy dashboard creation."
"It is easy to use, and easy to implement."
"Our clients use the solution to find any threats or vulnerabilities inside their environment."
"It could have a better API to be able to automate many things more extensively and get more extensive data and more expensive deployment possibilities. It can gain some points on the automation part and the integration part. The API is very limited, and I would like to see it extended a bit more."
"At the network level, there is a limitation in integrating some of the switches or routers with Microsoft Sentinel. Currently, SPAN traffic monitoring is not available in Microsoft Sentinel. I have heard that it is available in Defender for Identity, which is a different product. It would be good if LAN traffic monitoring or SPAN traffic monitoring is available in Microsoft Sentinel. It would add a lot of value. It is available in some of the competitor products in the market."
"If I see an alert and I want to drill down and get more details about the alert, it's not just one click. In other SIEM tools, you just have to click the IP address of the entity and they give you the complete picture. In Sentinel, you have to write queries or use saved queries to get details."
"The following would be a challenge for any product in the market, but we have some in-house apps in our environment... our apps were built with different parameters and the APIs for them are not present in Sentinel. We are working with Microsoft to build those custom APIs that we require. That is currently in progress."
"I would like to be able to monitor applications outside of the Azure Cloud."
"If I can use Sentinel offline at home and use it on a local network, it would be great. I'm not sure if I can use Sentinel offline versus the tools I have."
"In terms of features I would like to see in future releases, I'm interested in a few more use cases around automation. I do believe a lot of automation is available, and more is in progress, but that would be my area of interest."
"Not all information shows up in Sentinel. Sometimes there are items provided in 365 and if you looked in Sentinel you would not see them and therefore think they do not exist. There can be discrepancies between Microsoft tools."
"When I asked our networking juniors for a comparison between LogRhythm and ArcSight, they said that both platforms are almost the same. It is just that LogRhythm is more modern with a digital platform, which probably gives it some advantage over ArcSight. ArcSight is a very old and mature product that is running on an old platform. It is an old legacy platform. In terms of new features, it just requires platform upgrades so that it becomes lighter and easily adaptable, specifically in the cloud. It would be a good thing if they can also make reporting easier."
"We have pricing issues. ArcSight ESM may not be the most user-friendly option, and its interface is quite traditional. However, despite these aspects, we find it a good cybersecurity solution. It needs to improve the dashboards, documentation, and support as well."
"Administration of ArcSight is not an easy job. The admin needs to be well experienced in it to identify the root cause and fix it."
"The initial setup is very complex. We had to architect a deployment which allowed us to incorporate an ever growing number of customers into our hosted instance of ArcSight."
"ArcSight ESM could improve the alerts for the storage capacities or actions."
"There are several improvements that we would like to see, including: Building a system based on a log collection (SOC), a scenario for external encroachment, and Operator training."
"Micro Focus does not have a physical presence here in Pakistan, although IBM does."
"The UI interface is somewhat complex and needs to be simplified."
"I'd say I am happy with the technical support, not elated. They provide great support, but sometimes they don't have the answers that I need."
"We do have to educate developers on how to not blow it up. It is a little to easy to write an expensive query and overly stress the system. This could be improved."
"The analytics of Splunk could be improved."
"The CIM model is the method Splunk uses to normalize data and categorize its important parts, but it is quite complex."
"The Enterprise Security app could be improved. We have had trouble with it working from the first day."
"Sometimes, there is latency in the logs."
"It takes time to train people."
"They should make data onboarding easier."
More ArcSight Enterprise Security Manager (ESM) Pricing and Cost Advice →
ArcSight Enterprise Security Manager (ESM) is ranked 12th in Security Information and Event Management (SIEM) with 93 reviews while Splunk Enterprise Security is ranked 2nd in Security Information and Event Management (SIEM) with 227 reviews. ArcSight Enterprise Security Manager (ESM) is rated 7.8, while Splunk Enterprise Security is rated 8.4. The top reviewer of ArcSight Enterprise Security Manager (ESM) writes "Allows for monitoring logs according to industry standards within ESM but has a total capacity capped at 12 TB, limiting real-time data retention periods". On the other hand, the top reviewer of Splunk Enterprise Security writes "It has a drag-and-drop interface, so you don't need to know SQL or Java to construct a query ". ArcSight Enterprise Security Manager (ESM) is most compared with ArcSight Intelligence, Trellix ESM, IBM Security QRadar, AWS Security Hub and LogRhythm SIEM, whereas Splunk Enterprise Security is most compared with Wazuh, Dynatrace, IBM Security QRadar, Elastic Security and Azure Monitor. See our ArcSight Enterprise Security Manager (ESM) vs. Splunk Enterprise Security report.
See our list of best Security Information and Event Management (SIEM) vendors.
We monitor all Security Information and Event Management (SIEM) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.