We performed a comparison between Splunk Enterprise Security and Trellix ESM based on real PeerSpot user reviews.
Find out in this report how the two Security Information and Event Management (SIEM) solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."The log query feature has been the most valuable because it's very good. You can put your data on the cloud and run queues from Sentinel. It will do it all very fast. I love that I don't have to upload it to an Excel file and then manually look for a piece of information. Sentinel is much faster and is good for big databases."
"The most valuable features in my experience are the UEBA, LDAP, the threat scheduler, and integration with third-party straight perform like the MISP."
"The most valuable feature is the onboarding of the workloads. You can see all that has been onboarded in your account on the dashboards."
"The connectivity and analytics are great."
"The main benefit is the ease of integration."
"The part that was very unexpected was Sentinel's ability to integrate with Azure Lighthouse, which, as a managed services solution provider, gives us the ability to also manage our customers' Sentinel environments or Sentinel workspaces. It is a big plus for us. With its integration with Lighthouse, we get the ability to monitor multiple workspaces from one portal. A lot of the Microsoft Sentinel workbooks already integrate with that capability, and we save countless amounts of money by simply being able to almost immediately realize multitenant capabilities. That alone is a big plus for us."
"It is always correlating to IOCs for normal attacks, using Azure-related resources. For example, if any illegitimate IP starts unusual activity on our Azure firewall, then it automatically generates an alarm for us."
"Investigations are something really remarkable. We can drill down right to the raw logs by running different queries and getting those on the console itself."
"There are quite a lot of things that we find useful. Splunk agents are useful and good. Its UI is quite impressive."
"It is a one stop shop as a full monitoring and alerting solution for operations and application analysis for most of our back-end systems."
"Search language is easy to understand and teach to new users."
"It gives us good visibility into multiple environments, including cloud, on-premises, and hybrid; irrespective of platform."
"The ability to quickly search logs, performance data, and other inputs has helped tremendously with troubleshooting."
"The solution is very fast and succinct."
"We used it to create a custom anomaly detection data model to monitor the activity of our back-end services on an hourly basis relative to the past three months of activity."
"Splunk incorporates a lot of elements that help to reduce security risks. For it to reach certain compliance, we need to have some security insight. Splunk is a very good SIEM, it’s a top solution, but the best feature is its cost of visibility. We have all the most important features to detect vulnerabilities or risks."
"It can be easily deployed with the other solutions."
"It has good technical support, which is available around the clock. You can call up anytime and get whatever you want. My queues are resolved."
"The most valuable feature is the capability to correlate different events from different platforms that we feed into it."
"Trellix ESM is very user-friendly."
"It blocks the things which are not to be allowed. It has an adaptive mode where it learns for itself."
"It enables us to detect malicious threats, issues, or vulnerabilities in our network."
"This solution integrates easily and very well with other technologies."
"I rate the tool's deployment an eight out of ten. The deployment is completed in two days."
"The KQL query does not function effectively with Windows 11 machines, and in the majority of machine-based investigations, KQL queries are essential for organizing the data during investigations."
"They only classify alerts into three categories: high, medium, and low. So, from the user's point of view, having another critical category would be awesome."
"Sentinel's alerts and notifications are not fully optimized for mobile devices. The overall reporting and the analytics processes for the end user should also be improved. Also, the compatibility and availability of data sources and reports are not always perfect."
"Documentation is the main thing that could be improved. In terms of product usage, the documentation is pretty good, but I'd like a lot more documentation on Kusto Query Language."
"The solution should allow for a streamlined CI/CD procedure."
"The only thing is sometimes you can have a false positive."
"There are certain delays. For example, if an alert has been rated on Microsoft Defender for Endpoint, it might take up to an hour for that alert to reach Sentinel. This should ideally take no more than one or two seconds."
"Microsoft should improve Sentinel, considering that from the legacy systems, it cannot collect logs."
"Our two main complaints are about the difficulty of the initial setup and the licensing model."
"Spam has different plugins but by default, the logs are not organized, it shows that there are roll-ups that are out of the box. I saw many plugins that can help improve or extend Splunk's functionality but I haven't tried any of them."
"The case management area of the ES could be improved. The ability to move cases through various stages and states. The ability to close a case would be key improvement."
"It needs more thoroughly tested releases. Every new big version (6, 7, etc.) has had so many bugs that it makes me wary of customers upgrading right away."
"We will receive alerts only for the administrators and deployment servers, but not for all servers."
"AngularJS/ReactJS inclusion could be made easier in GUI."
"Some of the search functions can be better. There has been a lot of talk at the conference about the update of SPL before each iteration. That will be a lot of help."
"We find that the maintenance process could be a lot better."
"Product-wise, adding accounts on a single data source by batch would be a really great help."
"The product’s alert response feature needs improvement. It could be more flexible and secure."
"I would like to see good analytics in future releases."
"It is not a very advanced solution, and it is for very generic use cases. It cannot cope with the advanced requirements that we're going to have. For example, for multiple authentication failures, it is still based on Windows events for detecting multiple login failures, whereas other companies are going beyond and working on implementing two-factor authentication. It is time to correlate the two-factor authentication results with authentification failures, which is not happening with McAfee ESM. The performance of the tool should be improved because it is very slow. The data display on the console is very slow in McAfee ESM. Its data storage is still old-fashioned, and it should be improved and upgraded to the latest versions. They have to come up with some new ideas to match what other leaders in the same domain are doing. For example, in Splunk, when you search for information for the last 60 days or five months, it quickly shows the information, but that is not the case with McAfee. The results should be quicker and faster on the console. They should integrate some additional features such as User Behavior Analytics (UBA) and automation. The threat intelligence part should also be improved on McAfee."
"Product currently requires Flash."
"The disk space needed for events is not clear. In all clients, we had at least more than 100GB free that we could not use."
"There's no software support from McAfee."
"I have to purchase a new box now. Its existing box is not scalable and I can't use it anymore."
Splunk Enterprise Security is ranked 2nd in Security Information and Event Management (SIEM) with 228 reviews while Trellix ESM is ranked 18th in Security Information and Event Management (SIEM) with 34 reviews. Splunk Enterprise Security is rated 8.4, while Trellix ESM is rated 7.4. The top reviewer of Splunk Enterprise Security writes "It has a drag-and-drop interface, so you don't need to know SQL or Java to construct a query ". On the other hand, the top reviewer of Trellix ESM writes "Provides visibility of all the traffic within the company infrastructure". Splunk Enterprise Security is most compared with Wazuh, Dynatrace, IBM Security QRadar, Elastic Security and Azure Monitor, whereas Trellix ESM is most compared with ArcSight Enterprise Security Manager (ESM), IBM Security QRadar, LogRhythm SIEM, Trellix Helix and Cybereason Endpoint Detection & Response. See our Splunk Enterprise Security vs. Trellix ESM report.
See our list of best Security Information and Event Management (SIEM) vendors.
We monitor all Security Information and Event Management (SIEM) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.