We compared IBM Security QRadar and Splunk Enterprise Security across several parameters based on our users' reviews. After reading the collected data, you can find our conclusion below:
Ease of Deployment: IBM Security QRadar’s setup can be more challenging and time-consuming compared to Splunk Enterprise Security. Some users found both solutions easy to install, but IBM Security QRadar took several weeks or even months, while Splunk Enterprise Security could be set up in just a day.
Features: IBM Security QRadar is praised for its ability to detect threats and its ease of use. It provides customizable rules, real-time network monitoring, and competitive pricing. Splunk Enterprise Security stands out in its ability to capture and analyze various data streams. It offers valuable features like a search function, session reports, and graphing capabilities.
Room for Improvement: IBM Security QRadar could enhance its pricing, threat identification, plugins, and threat detection, EPS challenge, training, and technical support. Splunk Enterprise Security has room for improvement in its search algorithm, licensing model, technical support, AI capabilities, pricing, and machine learning algorithms.
Pricing: IBM Security QRadar’s cost differs based on the organization's requirements and structure. Certain users perceive it as reasonable, while others view it as costly. Similarly, Splunk Enterprise Security's pricing is subjective, as some users find it expensive while others find it reasonable.
ROI: Both Splunk Enterprise Security and IBM Security QRadar are cost-effective solutions with a favorable ROI. QRadar offers user behavior analytics and employee profiling. Splunk enhances security measures and is known for its flexibility and ability to provide global observability.
Service and Support: Both IBM Security QRadar and Splunk Enterprise Security have received varying feedback regarding their customer service and support. Users have commended the staff's expertise and responsiveness for both products. However, there have been complaints about slow response times and a lack of expertise.
Comparison Results: IBM Security QRadar and Splunk Enterprise Security have similarities in terms of setup complexity and value in detection capabilities and user-friendliness. IBM Security QRadar offers a wide range of features, including real network monitoring, security orchestration automated response, and risk scoring for user activity. Splunk Enterprise Security is praised for its search function, session reports, and graphing capabilities, as well as scalability and machine learning capabilities. IBM Security QRadar may have an advantage in features and pricing, while Splunk Enterprise Security may have an advantage in search capabilities and scalability.
"The most valuable feature is the UEBA. It's very easy for a security operations analyst. It has a one-touch analysis where you can search for a particular entity, and you can get a complete overview of that entity or user."
"I like the ability to run custom KQL queries. I don't know if that feature is specific to Sentinel. As far as I know, they are using technology built into Azure's Log Analytics app. Sentinel integrates with that, and we use this functionality heavily."
"Sentinel has features that have helped improve our security poster. It helped us in going ahead and identifying the gaps via analysis and focusing on the key elements."
"Sentinel is a SIEM and SOAR tool, so its automation is the best feature; we can reduce human interaction, freeing up our human resources."
"Microsoft Sentinel enables you to ingest data from the entire ecosystem and that connection of data helps you to monitor critical resources and to know what's happening in the environment."
"We are able to deploy within half an hour and we only require one person to complete the implementation."
"Azure Application Gateway makes things a lot easier. You can create dashboards, alert rules, hunting and custom queries, and functions with it."
"It's pretty powerful and its performance is pretty good."
"The QNI feature is the one I am very interested in, and I have also been interested in Watson. From the log analysis and the security perspective, we are able to dive deep into any of the logs and anomalies."
"Improved our organization's TCO."
"Flexible and valuable product that is modular, so you can easily set up a roadmap for your clients."
"It has improved my efficiency."
"There are more than 120 extensions in QRadar, which are easy to install and configure. These can improve your analysis of events."
"In terms of the most valuable features, the log collections and log processing mechanisms are good. They have good dashboards."
"The correlation and the parsing are important features, since it is very important for a SIEM to have a good scalability and performance."
"The product can scale."
"The dashboard and reporting are very good... It provides very good visibility in a hybrid cloud environment, and you can build custom utilization APIs using Splunk."
"The correlation capabilities are the first value that our clients say they like with Splunk."
"From the class that I took this week, being able to create notable events from whatever you find in the data set is pretty useful."
"The correlation searches are most valuable just because we are able to do things like RBA."
"Exporting is a good feature. It helps me out when I have to do reports. I do a lot of exporting and crunching of the numbers. Dashboards are okay for showing to the leadership, but for doing statistics and updating tickets, the export feature is very beneficial for me."
"Splunk's strongest suit is its user interface. We can integrate multiple solutions and adjust settings in the Splunk interface."
"It has virtual visualization, and other products do not."
"Splunk Enterprise Security comes with 300 pre-deployed use cases that can be easily customized to meet the specific needs of our organization, without the need to purchase additional tools."
"We do have in-built or out-of-the-box metrics that are shown on the dashboard, but it doesn't give the kind of metrics that we need from our environment whereby we need to check the meantime to detect and meantime to resolve an incident. I have to do it manually. I have to pull all the logs or all the alerts that are fed into Sentinel over a certain period. We do this on a monthly basis, so I go into Microsoft Sentinel and pull all the alerts or incidents we closed over a period of thirty days."
"Sentinel should be improved with more connectors. At the moment, it only covers a few vendors. If I remember correctly, only 100 products are supported natively in Sentinel, although you can connect them with syslog. But Microsoft should increase the number of native connectors to get logs into Sentinel."
"They should just add more and more out-of-the-box connectors. It is quite a new product, and it has a lot of connectors, and even more would be good."
"If I see an alert and I want to drill down and get more details about the alert, it's not just one click. In other SIEM tools, you just have to click the IP address of the entity and they give you the complete picture. In Sentinel, you have to write queries or use saved queries to get details."
"The AI capabilities must be improved."
"Sentinel provides decent visibility, but it's sometimes a little cumbersome to get to the information I want because there is so much information. I would also like to see more seamless integration between Sentinel and third-party security products."
"The playbook is a bit difficult and could be improved."
"The solution could be more user-friendly; some query languages are required to operate it."
"IBM QRadar Advisor with Watson could be more user-friendly. You need some skills and understanding of what you're looking at, especially if you're going to draw down specific information."
"I would also like to see more integration with other vendors. IBM doesn't integrate well with products from China, like Huawei. Many Middle Eastern customers are switching to Huawei from American vendors like Cisco because of the price. In most RFPs, Huawei wins because it costs less."
"The product does not have a team for investigating malware."
"IMB should reduce the pricing, or reduce some of the features for a more economical solution for the customer."
"The user interface needs improvement."
"The implementation and configuration are not easy."
"The reporting system could use some upgrading."
"The custom rules could be simplified more or it should be possible to use a different language, other than the ones that the solution is already using. They should add other languages into the mix."
"It will be helpful for customers if they can create some real-world cases, and we can find a case study to align with. I know that Splunk has tremendous potential. We only include a tiny piece of it. There is a lot of stuff that we need to learn. If Splunk can provide more real-time examples, that will be helpful for customers."
"We were inundated with the amount of alerts and alarms that we could get out of it. It is also a resource hog and we didn't have the resources to support it on-prem so we're taking it offline now."
"The administration of the cluster and app deployment to indexers or search heads can be done only using ssh access and command line, there is no GUI tools for that."
"Some of the queries are difficult to run and have room for improvement."
"The tool itself is very difficult to configure. It's great for its number of inputs, for the different types of systems devices, and things that it could collect information from. To actually make good use of it, you need a fairly dedicated team of people that have some reasonably good programming or modeling skills to be able to do the things that you need to do with it. Whereas a lot of the other tools are better packaged for that, and so require a lot less training and a lot less dedication."
"Splunk could improve its default machine-learning models. Also, Splunk Enterprise's native threat intelligence isn't that good. I prefer a custom threat intelligence model."
"Search head clustering is often temperamental in its current state and should be improved, replaced by something better, or be reverted to search head pooling."
"Splunk needs local technical support."
IBM Security QRadar is a security and analytics platform designed to defend against threats and scale security operations.
IBM Security QRadar is ranked 6th in Log Management with 34 reviews while Splunk Enterprise Security is ranked 1st in Log Management with 65 reviews. IBM Security QRadar is rated 8.0, while Splunk Enterprise Security is rated 8.4. The top reviewer of IBM Security QRadar writes "Good dashboard and helpful third-party plugins but technical support could be better". On the other hand, the top reviewer of Splunk Enterprise Security writes "Can be used to find any threats or vulnerabilities inside a user’s environment". IBM Security QRadar is most compared with Wazuh, LogRhythm SIEM, Elastic Security, Fortinet FortiSIEM and ArcSight Logger, whereas Splunk Enterprise Security is most compared with Wazuh, Dynatrace, Elastic Security, Azure Monitor and Datadog. See our IBM Security QRadar vs. Splunk Enterprise Security report.
See our list of best Log Management vendors and best Security Information and Event Management (SIEM) vendors.
We monitor all Log Management reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
For tools I’d recommend:
-SIEM- LogRhythm
-SOAR- Palo Alto XSOAR
Doing commercial w/o both (or at least an XDR) is asking to miss details that are critical, and ending up a statistic.
Also, remember that any EDR/XDR should integrate to the SIEM/SOAR and a strong threat intel source.
If you consider SOC outsourcing take your time and find one you can integrate like a virtual team member. They are only as good as their depth of knowledge in your business and your on-prem SOC.
Apache Metron, ELK, OSSIM, Splunk and Qradar (in cost/benefit order for starters).
I have no experience with Rapid 7 or InsightIDR.
IBM Qradar works great but is not easy to install. If it is running it is a great tool. Also depending on the budget, Riverbed security is a tool to consider. Costs are lower than QRadar and easier to implement.
Or you can use our SaaS solution with QRadar and a lot more built-in. One holistic solution for your complete IT environment.
@Evgeny Belenky, I found Stellar to be quite intriguing.
I would also recommend McAFee’s new console for centralizing and coordinating a well-deployed enterprise solution.
COMODO MDR
Disclaimer: ICE Consulting offers SOC as a Service to our Clients.
For SOC Tools we use Securonix and other in-house developed solutions. Securonix provides an all in one package (SIEM, UEBS, & NTA) that we believe is competitively priced for the Small to Mid Market. Their Customer Service seems better than most and they are always highly rated in the Gartner MQ reports. Set-up is not difficult, but is time consuming for the first time, afterwards each client deployment we have added has seemed to get easier and quicker.
Please contact several vendors and ask for demos, talk with the vendor engineers to ensure the solution will workfor your needs... We evaluated Rapid7, AlienVault (ATT Cybersecurity), QRadar, LogRythm, and Securonix before deciding on Securonix.
Also take your time in evaluating and re-evaluating the products, I took us about about 18 months and over $30K of working with what was utimately the wrong product for us, before moving to Securonix.
Make sure training for the use of the service is included. We have been able to provide entensive training to out team through the vendor and would not have been able to get out SOC offering off the ground without it.
Good Luck!
COMODO SOC covers your entire network and also your email. It is very easy to deploy and is very effective for reports.
I prefer the COMODO SOC solution because it is a very good and easy to deploy product.