We performed a comparison between IBM Security QRadar and NetWitness Platform based on real PeerSpot user reviews.
Find out in this report how the two Log Management solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."Sentinel is a SIEM and SOAR tool, so its automation is the best feature; we can reduce human interaction, freeing up our human resources."
"Azure Application Gateway makes things a lot easier. You can create dashboards, alert rules, hunting and custom queries, and functions with it."
"What is most useful, is that it has a good connection to the Microsoft ecosystem, and I think that's the key part."
"The standout feature of Sentinel is that, because it's cloud-based and because it's from Microsoft, it integrates really well with all the other Microsoft products. It's really simple to set up and get going."
"Sentinel pricing is good"
"We’ve got process improvement that's happened across multiple different fronts within the organization, within our IT organization based on this tool being in place."
"It is able to connect to an ever-growing number of platforms and systems within the Microsoft ecosystem, such as Azure Active Directory and Microsoft 365 or Office 365, as well as to external services and systems that can be brought in and managed. We can manage on-premises infrastructure. We can manage not just the things that are running in Azure in the public cloud, but through Azure Arc and the hybrid capabilities, we can monitor on-premises servers and endpoints. We can monitor VMware infrastructure, for instance, running as part of a hybrid environment."
"The Identity Behavior tab furnishes us with the entire history linked to each IP or domain that has either accessed or attempted to access our system."
"IBM QRadar User Behavior Analytics's most important feature is its ease of use."
"I think it's a very stable product that provides much more visibility than the other product."
"This solution provides me with various alarms, and I have found security issues with some of my other products."
"It has improved my efficiency."
"The ability to transition from microscopic to macroscopic view, instantly, is very good."
"The threat hunting capabilities in general are great."
"The most valuable features are log monitoring, easy-to-fix issues, and problem-solving."
"QRadar shows very effective correlations. If you combine all the logins plus user behavior and the current intelligence, it gives a very good correlation for business. I think it reduces the false positives in user activity monitoring because there is a lot of social information to correlate with other data."
"The most valuable feature is the ability to write rules and triggers for network communication, and then being able to investigate based on that."
"The most valuable feature is the correlation. It can report in real-time and monitor the management."
"The most valuable features are the integration and ease of use."
"The product has a user-friendly interface and a valuable feature for threat intelligence integration."
"I can have enterprise security, email security, next generation firewall security log, HIDS and NIDS logs, etc. all on the same dashboard. It makes it easy to pinpoint or correlate our server to this. I can find out if there is lateral movement. This is the biggest advantage of this solution."
"The software is scalable to whatever is required, and you can also put a lot of resources in the cloud."
"The most valuable feature is the security that it provides."
"The newer 11.5 version that my team is using has found it to have good mapping."
"There is some relatively advanced knowledge that you have to have to properly leverage Sentinel's full capabilities. I'm thinking about things like the creation of workbooks, how you do threat-hunting, and the kinds of notifications you're getting... It takes time for people to ramp up on that and develop a familiarity or expertise with it."
"I would like Sentinel to have more out-of-the-box analytics rules. There are already more than 400 rules, but they could add more industry-specific ones. For example, you could have sets of out-of-the-box rules for banking, financial sector, insurance, automotive, etc., so it's easier for people to use it out of the box. Structuring the rules according to industry might help us."
"They should integrate it with many other software-as-a-service providers and make connectors available so that you don't have to do any sort of log normalization."
"Microsoft Defender has a built-in threat expert option that enables you to contact an expert. That feature isn't available in Sentinel because it's a huge product that integrates all the technologies. I would like Microsoft to add the threat expert option so we can contact them. There are a few other features, like threat assessment that the PG team is working on. I expect them to release this feature in the next quarter."
"If you're looking to use canned queries, the interface could be a little more straightforward. It's not immediately intuitive regarding how you use it. You have to take a canned query and paste it into an operational box and then you hit a button... They could improve the ease of deploying these queries."
"The playbook development environment is not as rich as it should be. There are multiple occasions when we face problems while creating the playbook."
"Microsoft Sentinel is relatively expensive, and its cost should be improved."
"The solution could be more user-friendly; some query languages are required to operate it."
"The biggest problem was built on top of the QRadar in the executive operations center network. The integration was not using the network security specialist properly, and all the incidents were inferior with QRadar. Its compatibility is not really good."
"They need to improve their threat intelligence feed and they need to improve their user behavior analytics modules."
"I think QRadar is very complex. It's a distributed system and IBM QRadar has an all-in-one solution which is not like that distributed solution but it's a good product. IBM needs to consider the user interface because if we compare it with AlienVault, the AlienVault user interface is fantastic but the IBM QRadar user interface is very complex. They should focus on how to make it easier for the client."
"The features that could be improved include the licensing model and the dashboards and all those presentations. Overall, the user experience part can be improved."
"Some UI enhancements would be nice, such as exporting custom event properties and the ability to export rules."
"I think that the search speed of this solution could be improved."
"I'd like them to improve the offense. When QRadar detects something, it creates what it calls offenses. So, it has a rudimentary ticketing system inside of it. This is the same interface that was there when I started using it 12 years ago. It just has not been improved. They do allow integration with IBM Resilient, but IBM Resilient is grotesquely expensive. The most effective integration that IBM offers today is with IBM Resilient, which is an instant response platform. It is a very good platform, but it is very expensive. They really should do something with the offense handling because it is very difficult to scale, and it has limitations. The maximum number of offenses that it can carry is 16K. After 16K, you have to flush your offenses out. So, it is all or nothing. You lose all your offenses up until that point in time, and you don't have any history within the offense list of older events. If you're dealing with multiple customers, this becomes problematic. That's why you need to use another product to do the actual ticketing. If you wanted the ticket existence, you would normally interface with ServiceNow, SolarWinds, or some other product like that."
"We would like to see better instrumentation for debugging changes in the log flow."
"The log system is a bit complex and has room for improvement."
"An area for improvement would be better automation and more inbuilt use cases."
"The solution should have more integration capabilities with different platforms."
"Log aggregation is an issue with this solution because there are a huge number of alerts in a single instance."
"The user interface is a little bit difficult for new users and it needs to be improved."
"The multi-tenant capabilities are lagging compared to IBM QRadar."
"The initial setup is complex. There are other solutions that are easier to implement."
"The system looks like it is a mix of a bunch of different systems, and nothing looked like it was quite together."
IBM Security QRadar is ranked 6th in Log Management with 198 reviews while NetWitness Platform is ranked 19th in Log Management with 36 reviews. IBM Security QRadar is rated 8.0, while NetWitness Platform is rated 7.4. The top reviewer of IBM Security QRadar writes "A highly stable and scalable solution that provides good technical support". On the other hand, the top reviewer of NetWitness Platform writes "Can find out if there is lateral movement, but integration and workflow need improvement". IBM Security QRadar is most compared with Splunk Enterprise Security, Wazuh, LogRhythm SIEM, Elastic Security and Sentinel, whereas NetWitness Platform is most compared with Splunk Enterprise Security, RSA enVision, Cisco Secure Network Analytics, Trellix Network Detection and Response and LogRhythm SIEM. See our IBM Security QRadar vs. NetWitness Platform report.
See our list of best Log Management vendors and best Security Information and Event Management (SIEM) vendors.
We monitor all Log Management reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.