We compared IBM Security QRadar and Splunk Enterprise Security across several parameters based on our users' reviews. After reading the collected data, you can find our conclusion below:
Ease of Deployment: IBM Security QRadar’s setup can be more challenging and time-consuming compared to Splunk Enterprise Security. Some users found both solutions easy to install, but IBM Security QRadar took several weeks or even months, while Splunk Enterprise Security could be set up in just a day.
Features: IBM Security QRadar is praised for its ability to detect threats and its ease of use. It provides customizable rules, real-time network monitoring, and competitive pricing. Splunk Enterprise Security stands out in its ability to capture and analyze various data streams. It offers valuable features like a search function, session reports, and graphing capabilities.
Room for Improvement: IBM Security QRadar could enhance its pricing, threat identification, plugins, and threat detection, EPS challenge, training, and technical support. Splunk Enterprise Security has room for improvement in its search algorithm, licensing model, technical support, AI capabilities, pricing, and machine learning algorithms.
Pricing: IBM Security QRadar’s cost differs based on the organization's requirements and structure. Certain users perceive it as reasonable, while others view it as costly. Similarly, Splunk Enterprise Security's pricing is subjective, as some users find it expensive while others find it reasonable.
ROI: Both Splunk Enterprise Security and IBM Security QRadar are cost-effective solutions with a favorable ROI. QRadar offers user behavior analytics and employee profiling. Splunk enhances security measures and is known for its flexibility and ability to provide global observability.
Service and Support: Both IBM Security QRadar and Splunk Enterprise Security have received varying feedback regarding their customer service and support. Users have commended the staff's expertise and responsiveness for both products. However, there have been complaints about slow response times and a lack of expertise.
Comparison Results: IBM Security QRadar and Splunk Enterprise Security have similarities in terms of setup complexity and value in detection capabilities and user-friendliness. IBM Security QRadar offers a wide range of features, including real network monitoring, security orchestration automated response, and risk scoring for user activity. Splunk Enterprise Security is praised for its search function, session reports, and graphing capabilities, as well as scalability and machine learning capabilities. IBM Security QRadar may have an advantage in features and pricing, while Splunk Enterprise Security may have an advantage in search capabilities and scalability.
"The standout feature of Sentinel is that, because it's cloud-based and because it's from Microsoft, it integrates really well with all the other Microsoft products. It's really simple to set up and get going."
"It's pretty powerful and its performance is pretty good."
"The UI of Sentinel is very good and easy to use, even for beginners."
"Its inbuilt Kusto Query Language is a valuable feature. It provides the flexibility needed to leverage advanced data analytics rules and policies and enables us to easily navigate all our security events in a single view. It helps any user easily understand the data or any security lags in their data and applications."
"There are a lot of things you can explore as a user. You can even go and actively hunt for threats. You can go on the offensive rather than on the defensive."
"I believe one of the main advantages is Microsoft Sentinel's seamless integration with other Microsoft products."
"The dashboard that allows me to view all the incidents is the most valuable feature."
"The native integration of the Microsoft security solution has been essential because it helps reduce some false positives, especially with some of the impossible travel rules that may be configured in Microsoft 365. For some organizations, that might be benign because they're using VPNs, etc."
"An engineer can live-monitor all the flow happening in real-time. This would help us a lot while investigating a case, and it would even help us with preventive actions."
"This solution has excellent security analytics."
"We've found the technical support to be very good."
"It allows us to search data both on-premises and on the cloud."
"QRadar UBA's most valuable feature is the risk rating of users depending on their behavior."
"The most valuable feature is the machine learning module."
"The ability to transition from microscopic to macroscopic view, instantly, is very good."
"The most valuable feature is the searching capability and real-time operational use."
"It is quite extensible. It is a platform that we can build our use instead of each case instead of each case being limited or restricted to each capability. This is probably the best feature."
"It definitely does help with both auditing and as well as regular monitoring. SOC does more monitoring, but ES also gives you other features that are auditing-related. The dashboards are also beneficial."
"The flexibility of the search capability is most valuable. You can use it for more than just a basic log aggregator. It is powerful in that regard."
"It helped us consolidate all our solutions into an easy tool to use for various employees."
"Alerts when a server is malfunctioning, monitors external attacks, and takes action to stop spreading viruses."
"Without Splunk Enterprise Security, it would be difficult for us to manage and prioritize alerts. There's a potential to lose track of important notifications, and it's essential to our security that we do not miss anything. Splunk has improved our investigations because the reporting and dashboarding make things so much easier. We can provide weekly or monthly reports. I also like Splunk's ability to integrate."
"We have a one stop dashboard for health of some of our services where you can click in and it takes you to other dashboards that have custom near real-time metrics that show the application's health."
"I am satisfied with the support."
"The solution could be more user-friendly; some query languages are required to operate it."
"Add more out-of-the-box connectors with other SaaS platforms/applications."
"Sometimes, it is hard for us to estimate the costs of Microsoft Sentinel."
"There is room for improvement in entity behavior and the integration site."
"They should just add more and more out-of-the-box connectors. It is quite a new product, and it has a lot of connectors, and even more would be good."
"I would like to see more AI used in processes."
"The product can be improved by reducing the cost to use AI machine learning."
"They can work on the EDR side of things... Every time we need to onboard these kinds of machines into the EDR, we need to do it with the help of Intune, to sync up the devices, and do the configuration. I'm looking for something on the EDR side that will reduce this kind of work."
"The weak signal detection with QRadar needs improvement. You can detect what you know, but what is unknown to the rule engine can't be detected."
"QRadar needs to be improved on the storage side, particularly when the disc exceeded the maximum threshold."
"There should be more opportunity for community kind of distribution where, for example, if there was a zero-day threat targeting companies."
"We sometimes get an error about the hard drive. Approximately once in two months, we can't find the logs, and they go missing, which is a terrible issue. We are getting support for this issue from our support company."
"A lot of information that we receive for the devices is IP-based, but it would help if we could have a default dashboard in which we can add more details about the assets for which we are receiving the information. For example, if it is a Windows or Linux device, we only get the IP for that particular device. We don't really get the name and other details of that particular device. For that, you have to drill down into your own asset management system. It would be good to have a place where we can probably add this information so that we don't have to look into other tools."
"The pricing of the solution is a bit high. If they could lower it, that would be ideal."
"The implementation and configuration are not easy."
"The AI engine could be smarter."
"The case management area of the ES could be improved. The ability to move cases through various stages and states. The ability to close a case would be key improvement."
"Splunk is not very user-friendly. It has a complex architecture in comparison to other solutions on the market."
"My company could benefit from doing more Splunk training with Splunk consultants teaching us how to use it."
"We had some connections issues with the solution at the beginning."
"Professional support is great, but too expensive."
"For on-premise, it's more about optimization. With such a heavy byte scale of data that we are operating on, the search for disparate data sometimes takes about a minute. This is understandable considering the amount of data that we are pumping into it. The only optimization that I recommend is better sharding, when it comes to Splunk, so that data retrieval can be faster."
"The integration with all our tool sets felt like we were reinventing the wheel, which was a pain point for us."
"It does not give us permission to implement on-premise so we implement them on the cloud."
IBM Security QRadar is ranked 6th in Log Management with 198 reviews while Splunk Enterprise Security is ranked 1st in Log Management with 230 reviews. IBM Security QRadar is rated 8.0, while Splunk Enterprise Security is rated 8.4. The top reviewer of IBM Security QRadar writes "A highly stable and scalable solution that provides good technical support". On the other hand, the top reviewer of Splunk Enterprise Security writes "It has a drag-and-drop interface, so you don't need to know SQL or Java to construct a query ". IBM Security QRadar is most compared with Wazuh, LogRhythm SIEM, Elastic Security, Sentinel and Fortinet FortiSIEM, whereas Splunk Enterprise Security is most compared with Wazuh, Dynatrace, Elastic Security, Datadog and Azure Monitor. See our IBM Security QRadar vs. Splunk Enterprise Security report.
See our list of best Log Management vendors and best Security Information and Event Management (SIEM) vendors.
We monitor all Log Management reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
For tools I’d recommend:
-SIEM- LogRhythm
-SOAR- Palo Alto XSOAR
Doing commercial w/o both (or at least an XDR) is asking to miss details that are critical, and ending up a statistic.
Also, remember that any EDR/XDR should integrate to the SIEM/SOAR and a strong threat intel source.
If you consider SOC outsourcing take your time and find one you can integrate like a virtual team member. They are only as good as their depth of knowledge in your business and your on-prem SOC.
Apache Metron, ELK, OSSIM, Splunk and Qradar (in cost/benefit order for starters).
I have no experience with Rapid 7 or InsightIDR.
IBM Qradar works great but is not easy to install. If it is running it is a great tool. Also depending on the budget, Riverbed security is a tool to consider. Costs are lower than QRadar and easier to implement.
Or you can use our SaaS solution with QRadar and a lot more built-in. One holistic solution for your complete IT environment.
@Evgeny Belenky, I found Stellar to be quite intriguing.
I would also recommend McAFee’s new console for centralizing and coordinating a well-deployed enterprise solution.
COMODO MDR
Disclaimer: ICE Consulting offers SOC as a Service to our Clients.
For SOC Tools we use Securonix and other in-house developed solutions. Securonix provides an all in one package (SIEM, UEBS, & NTA) that we believe is competitively priced for the Small to Mid Market. Their Customer Service seems better than most and they are always highly rated in the Gartner MQ reports. Set-up is not difficult, but is time consuming for the first time, afterwards each client deployment we have added has seemed to get easier and quicker.
Please contact several vendors and ask for demos, talk with the vendor engineers to ensure the solution will workfor your needs... We evaluated Rapid7, AlienVault (ATT Cybersecurity), QRadar, LogRythm, and Securonix before deciding on Securonix.
Also take your time in evaluating and re-evaluating the products, I took us about about 18 months and over $30K of working with what was utimately the wrong product for us, before moving to Securonix.
Make sure training for the use of the service is included. We have been able to provide entensive training to out team through the vendor and would not have been able to get out SOC offering off the ground without it.
Good Luck!
COMODO SOC covers your entire network and also your email. It is very easy to deploy and is very effective for reports.
I prefer the COMODO SOC solution because it is a very good and easy to deploy product.