Splunk Enterprise Security Previous Solutions

Sameep Agarwal - PeerSpot reviewer
Group manager at HCM Technologies

I have worked with ArcSight, and Palo Alto has a good SIEM solution. ArcSight's UI has some drawbacks, whereas Splunk is easier to integrate and implement. ArcSight's interface didn't impress me. I didn't like the way you have to write queries. It was a tedious solution to use, and it was not pleasing to the eyes. The charts and reporting were not visually appealing. 

ArcSight was also a costly solution, but the main reason I wanted to switch to Splunk was that it was easier to integrate. It has a drag-and-drop interface, so you don't need to know SQL or Java to construct a query on Splunk. The resolution time is about the same, but it took longer to discover the issue with ArcSight. Our previous solution took about an hour or more, but Splunk can do it within a few minutes or an hour at most. 

Viney Bhardwaj - PeerSpot reviewer
Sr Manager at Ernst & Young

We are also using Microsoft Sentinel and IBM QRadar. We have also used ArcSight. For some customers, we are using LogRhythm and the RSA solution. Different customers have different SIEM tools, but I find Microsoft Sentinel and Splunk better than the others in the market. I feel Splunk is the most mature tool at this time. It is very easy to customize. You can do whatever you want.

IBM QRadar is the cheapest option available in the market. It is a traditional SIEM tool. It is not as fast as Splunk or Microsoft Sentinel, but from a costing perspective, it is convenient. There are also a few open-source SIEM tools. Many companies are using those, but if you go with a commercial tool, IBM QRadar is very good in terms of cost value. When it comes to customization and maturity, Splunk Enterprise Security is definitely number one. Microsoft Sentinel comes second, and IBM QRadar comes third.

Praveen-Kadali - PeerSpot reviewer
Senior Consultant at Ernst & Young

I used ArcSight for Level 1 monitoring in my previous company, and my current company was using Splunk Enterprise Security when I joined.

MR
Manager, Security Engineering at a computer software company with 1,001-5,000 employees

I did not previously use a different solution in this company. 

A long time ago, the company replaced ArcSight with Splunk. 

Sathish Suluguri - PeerSpot reviewer
Splunk SOAR/Phantom at PricewaterhouseCoopers

I have used Sentinel and QRadar. I switched because of the advanced features, support, and good documentation. It is very effective. It is the best solution. The only problem is the cost.

SAURABHYADAV4 - PeerSpot reviewer
Technical Specialist at HCL Technologies Limited

I previously used QRadar and ArcSight. Splunk is one of the top products. Compared to Sentinel or QRadar, Splunk is the market leader in features and security. You can integrate application, physical, or cloud security and onboard those logs into Splunk, then tailor it to your requirements. 

Rishabh Gandhi - PeerSpot reviewer
Senior Security Analyst at Inspira Enterprise India Pvt. Ltd.

Our client already had Splunk working for them for the past six to seven years. The earlier version of Splunk was not reliable and stable to deploy because it used to take so many resources. Even though it has decreased now, the resource requirement is much greater than other tools. Certain organizations or start-ups feel a little bit restricted because, despite being a great tool, they can't use Splunk because of its cost features.

Some organizations use basic SIEM tools like QRadar, which is a great tool. Some organizations use LogRhythm. LogRhythm has a market presence since it also writes great insights into the dashboard. Splunk has certain tools that precede other SIEM tools. QRadar and LogRhythm are used because they are very intuitive and don't require any previous knowledge of using those tools. With Splunk, you will have to understand the context of using a particular field or setting and what it provides you.

TB
Sr Cybersecurity Engineer at an energy/utilities company with 10,001+ employees

We had on-premises ArcSight. We had one guy run it for our enterprise. Our enterprise has roughly over 130,000 people. We are a global company, and we had one guy run the entire infrastructure. We could tell when he took days off because it would not work. When we moved to Splunk, we went to Splunk Cloud immediately. We were one of the first Splunk Cloud customers or one of the bigger ones. That is what I was told when we made the switch.

I do not know whether we have seen any cost efficiencies by switching to Splunk Enterprise Security because I was not there during the ArcSight days per se. I was there at the very tail end, but I would assume that we have seen cost efficiencies just because ArcSight was only used by the security team, whereas Splunk is used enterprise-wide, not just by the security team. It should be cheaper for us. The value is there. It is cross-functional.

SC
CSO at a manufacturing company with 1,001-5,000 employees

Previously, I used QRadar, McAfee, and ArcSight. However, Splunk Enterprise Security is a more modern solution. While ArcSight from HP is powerful, it is an older system with limited flexibility and complex architecture. Many companies implemented SIEM systems before Splunk became available. It seems that most large companies might still be using ArcSight, but other competitors have entered the market since then.

McAfee attempted to develop a similar system, but it lacked scalability and was better suited for small businesses rather than larger enterprises. QRadar, on the other hand, remains robust, but it lacks Splunk's flexibility. One of Splunk's notable advantages is its ability to generate alerts and then allow users to enter searches and queries to investigate network activities and log data. This process, known as threat hunting, enables users to conduct specific searches, such as identifying individuals who accessed a particular system and the internet between four and five o'clock on a Friday. Splunk promptly provides the desired results, typically within a few minutes, making it a strong choice for this purpose. Additionally, Splunk Enterprise Security features a highly effective filtering mechanism.

RK
Splunk Engineer at UnitedHealth Group

We previously used Dynatrace but switched to Splunk because it has more features. 

MANISH CHOUDHARY - PeerSpot reviewer
SOC manager at a tech vendor with 10,001+ employees

I previously used IBM Security QRadar, Azure Sentinel, and McAfee Network Security Platform. Splunk Enterprise Security is designed for multiple platforms and is easier to implement.

Splunk is much faster when used correctly and has many tools. With the exception of Sentinel, the other solutions do not have many tools. With Sentinel, we have to define the indexes and all those things, such as the aggregation of logs. It is easy to do searches in Splunk, even in a large environment. I find Splunk to be more efficient than the other solutions I have used in the past.

LC
Security Engineer at a recreational facilities/services company with 10,001+ employees

Splunk came into being at Case Western when we were looking for a better log product than Check Point was providing at that point in time. My entire investment in Splunk, in hardware and software and integration cost, was cheaper than what Check Point was going to provide, or what the Check Point solution path was for just looking at firewall data. We knew we needed to be able to do more analytics than what we were currently getting out of our firewall products and Splunk was brought in to do that. It can do this and a whole lot more.

JG
IT Director at Administrative Office U.S. Courts

We used something else, but I do not remember the name. Splunk is what we have been using for a long time. It is more advanced in terms of IT security. There is more scalability and the capability to do a lot of different things on multiple platforms. This is where it is more advanced than other products.

YT
Regional Sales Manager at Redington (India) Ltd

I used IBM Security QRadar. The main reason for switching is that Splunk has the scalability to handle bigger enterprise logs. Log management is the biggest issue in any SIEM. Splunk is able to rapidly grow its capacity.

OO
Owner at Py Concepts

I have used ELK previously. 

KC
IS Engineer at a hospitality company with 10,001+ employees

I use LogRhythm a lot. I worked for an MSSP, so I have seen several products. So far, Splunk has been my favorite.

BC
IT Specialist at a government with 10,001+ employees

We used FireEye, which was our primary one, and then we had CrowdStrike. Splunk has definitely been wonderful for us. The biggest reason for switching was integration. It is very easy to get all the tools fed into Splunk. They also had a cloud version, which was another reason. We are doing a hybrid setup, so cost savings was also a big factor.

Sneha Golhar - PeerSpot reviewer
Senior Engineer at Wipro Limited

We transitioned from AppDynamics to Splunk Enterprise Security, which provides a valuable single pane of glass for managing and viewing security metrics.

Kiran Kumar - PeerSpot reviewer
Lead Administrator at Wipro Limited

We also use the Red Hat OpenShift enterprise Kubernetes container platform. OpenShift is a more popular container tool with excellent support, but all of our OpenShift deployments are on-premises, along with production clusters around the world.

SK
Senior Engineering Manager at Happiest Minds Technologies

I'm using Microsoft Sentinel. It is a cloud-native tool. Compared to Splunk Enterprise Security, Microsoft Sentinel is easier to handle. We use Splunk Enterprise Security because we have to manage a big infrastructure and may have many security vulnerabilities. The cybersecurity team decided to use Splunk Enterprise Security. The volume of data is high, so it is easier to manage it in Splunk.

ST
Information Security Analyst at Apcfss

I have worked with LogRhythm, and I think Splunk's interface is much better. It's more attractive and has a more interesting feel, so I think it makes things easy for our analysts.

PW
Director of Security Engineering and Operations at a legal firm with 1,001-5,000 employees

We previously used free Splunk apps.

MA
System Administrator at Nournet communications

I had previously used Loggly, developed by SolarWinds and Elastic. However, I found it to be inaccurate and slow. Elastic offers a free version of its solution, which is more commonly used by smaller businesses.

JB
Security Engineer at State of Nevada

The company may have had QRadar for a while before Splunk. I wasn't around when they switched to Splunk, so I cannot compare the two.

SN
Senior Analyst at a computer software company with 11-50 employees

We previously partnered with IBM and used QRadar as our SIEM. Splunk is faster, and I like the look and feel better. If you are looking for the cheapest solution, some free open-source SIEM solutions exist. They can do many of the same things that Splunk can do but maybe not at the same scale. 

SaravanaKumar1 - PeerSpot reviewer
Principal Consulting - Cloud & Infrastructure Services at Fourth Dimension Technologies

We also use IBM QRadar.

Kutay KOCA - PeerSpot reviewer
Cyber Security Analyst at Clarusway

We also use IBM QRadar but Splunk Enterprise Security is more functional and user-friendly.

RV
CEO at a retailer with 51-200 employees

Before Splunk Enterprise Security, I used various solutions, including LogRhythm. I chose Splunk because it proved to be more stable and reliable, especially compared to the issues I experienced with LogRhythm. With Splunk Enterprise Security, it takes my analysts approximately 30-40% less time to resolve alerts compared to our previous solution.

PP
Senior Security Engineer at a tech services company with 201-500 employees

Comparing SentinelOne and Splunk, we've found that SentinelOne requires a thorough understanding of our processes, including their business context, process names, and all relevant conditions. In contrast, Splunk is more forgiving, allowing us time to learn and adapt. Additionally, SentinelOne's pricing structure can be more complex compared to Splunk's straightforward approach.

While Splunk offers ease of use, better visibility, and intuitive management, SentinelOne demands more technical expertise to implement and maintain. Splunk, on the other hand, provides granular control over event filtering, enabling us to retrieve detailed information based on specific criteria, such as Linux or Windows events. SentinelOne, however, may not provide the same level of precision, requiring more precise query formulation.

Yash-Gupta - PeerSpot reviewer
Analyst, TSG Information Security Cyber Operations at a consultancy with 5,001-10,000 employees

I previously used Palo Alto XDR. 

I also used an email solution whose name I can't recall. You could check emails flowing into or out of your environment.

AG
Chief Cybersecurity Architect at a security firm with 201-500 employees

I used it in my last organization. In my current organization, we have adopted Microsoft Sentinel. I am creating a new managed service company, so it is going to provide service to multiple clients. We have multi-tenancy and full cloud environments and monitoring of on-prem solutions. When I implemented Splunk, it was not used for multi-tenancy. Their multi-tenancy was not that great. It was the old solution, but they now have the cloud environment that is more supportive of multi-tenancy, but with their on-prem solution, for multi-tenancy, we could just play with permissions. It was not the best. It was not proper multi-tenancy where you need different databases and different control planes. It was not the ideal solution, but now they have the cloud environment.

SoheylNorozi - PeerSpot reviewer
IT Consultant at a tech services company with 51-200 employees

I have used ELK, ESK, QRadar, Graylog, and LogRhythm in the past. One of Splunk's strengths over its competitors is its dedicated DSS called SPL.

The drawback of Splunk Enterprise Security is that upon initial installation, we need to do a lot of customization in order to have an effective cybersecurity program and deliver quality service to the client.

Kenny Corbett - PeerSpot reviewer
Associate Director of IT at Rigel Pharmaceuticals Inc

We did not use a similar solution. We have Carbon Black for endpoints, but this is going to be a lot bigger than that.

SO
Manager at a consultancy with 1-10 employees

Compared to IBM QRadar, Splunk Enterprise Security offers faster alert resolution. Its superior indexing and searching capabilities deliver quicker query results. While QRadar boasts a more user-friendly interface, Splunk provides numerous pre-built use cases that effectively reduce false positives and feature comprehensive application dashboards.

For instance, I encountered a use case unavailable in QRadar which appears to utilize the Cyber Kill Chain framework. MITRE ATT&CK enjoys wider adoption, and Splunk leverages this framework whereas QRadar persists with the Cyber Kill Chain. Additionally, Splunk integrates with a third-party app exchange, offering functionalities like vulnerability dashboards, threat intelligence, correlation dashboards, and EPS dashboards. This extensive library of applications caters to diverse business use cases. Users can install these applications as needed, making Splunk a highly customizable and feature-rich solution. Although undeniably expensive, its capabilities justify the cost.

VK
Security Analyst at a tech services company with 1-10 employees

I've used other solutions in the past. We previously used ArcSight Enterprise Security Manager (ESM). It was older and very slow. Comparatively, Splunk is very fast and it has a better UI.

VN
Owner at a computer software company with 1-10 employees

Before using Splunk, I relied on the built-in tools of Linux operating systems, such as Syslog NG, but specifically the open-source versions. I haven't had experience with the commercial version of Syslog NG, which is a more advanced tool. In this category, Splunk is essentially my first exposure to such advanced features.

AZ
System Engineer at Tara

I have experience with another solution called ELK; I find Splunk better, even though it is not free to use.

RB
Engineer at a government with 10,001+ employees

We did not have a similar product. Splunk came as a security product, and we have evolved it into doing operational work.

JC
Cyber Security at a financial services firm with 5,001-10,000 employees

We have been using the same solution for five or six years. It was selected before I joined, so I do not know.

OF
SOAR Developer at a media company with 10,001+ employees

We were probably using Elasticsearch.

MM
SOC Analyst at a tech services company with 10,001+ employees

We have different contractors and they have other solutions. Some of those solutions included Elastic. We want to use Splunk and our contractors want to use Elastic. We're hoping .conf23 will broaden our imagination, so we'll have more to bring back and push towards just using Splunk only.

I have not used Elastic myself. It does sound like it does a lot. There's a lot that Splunk offers that we haven't actually used. I want to play with Mission Control. We only use Enterprise Security but I do want Mission Control where everything is in one centralized application where you don't have to jump to different applications. 

I would love to get Mission Control.

AB
Cloud Cybersecurity Engineer at a tech services company with 10,001+ employees

There are mostly pros when comparing Splunk to its competitors because it collects data and analyzes it. It analyzes data better and in a more detailed, documented, and organized fashion than any other SIEM that I've worked with.

I have worked with Microsoft Sentinel and ArcSight.

CF
Lead Solutions Architect at a government with 10,001+ employees

We've had numerous implementations of SIEM solutions over the years. Splunk offered a lot of capabilities on top of some of our old antiquated Sentinel and Azure. We had many other products before we pursued Enterprise Security. But we weren't in a position to really go down the Enterprise Security route because we hadn't quite fleshed out what our end goal was.

We're still in the evaluation stages. Looking at Enterprise Security, given the fact that we already have an investment in Splunk, it makes sense. We would like to see it grow beyond just Enterprise Security to more of not just observability, but pro actions to utilize the source of that nature. 

We had great success potentially going into a SOAR from Enterprise Security. We hadn't quite evolved to that point yet. At this stage, it's just not really in our pipeline to pursue Enterprise Security until we get a better understanding of our requirements.

Refining those playbooks and so forth also is going to take time. We have customers who have categorically unique requirements. From a security standpoint, one group's security requirements are going to be different from some of the other teams that we have. We are trying to find that uniformity across the board. We may have to entertain multiple security solutions to meet their needs.

reviewer1331706 - PeerSpot reviewer
I&T Design & Execution Reliability Engineering Leader at a financial services firm with 10,001+ employees

In this company, we did not previously use a different monitoring solution.

CD
project manager at ManTech International Corporation

We used InTrust. We switched to Splunk because of its flexibility and capability.

RA
Security Operation Centre (SOC) Analyst at Nera Philippines Inc.

Previously, I have used QRadar. My current company uses Splunk. 

AS
Senior Network Engineer at a government with 5,001-10,000 employees

We used LogRhythm previously, but it was not a good fit for our environment. That is why we switched to Splunk.

AG
Information Technology Specialist at a healthcare company with 10,001+ employees

At the boot camp, we also used Kibana, which looked a little bit more friendly, but when we got into the details, I liked Splunk a little bit more. It was more intuitive, and it did a little bit more on its own rather than Kibana. With Kibana, it felt like I had to hold its hand all the way through the whole process. There were 20 people, and I know a number of people were leaning towards Kibana. It just came down to personal preference.

DL
Head of Cybersecurity at a computer software company with 51-200 employees

We previously used many solutions, such as IBM. The implementation times are about the same. There are some ways that IBM is faster and other ways Splunk is faster. However, Splunk offers a more modern look.

RC
Security Compliance Program Manager at an educational organization with 5,001-10,000 employees

I have used Wazuh. From my point of view, Wazuh is a simple and basic SIEM solution compared to Splunk in terms of features. I don’t see Wazuh as a competitor to Splunk. Wazuh relies greatly on human tactics. It is best suited for cloud environments and maybe smaller ones. I have issues with Wazuh’s stability as well because I have found scenarios where it was working for one instance and not for another. These issues might be because it is open-source.

Wazuh is not actively working on their platform. I opine that they need to integrate many components and have many aspects automated so that the solution does not depend on its users. I have found issues with the language of Wazuh as well. It requires a lot of resources and time to learn the language. These issues make me think that Splunk is better than Wazuh.

John Yuko - PeerSpot reviewer
Assistant Manager ICT - Projects at I&M Bank Ltd

The previous solution was limited in its functionality. 

We were looking at the additional controls that enterprise security may have, as well as visualization, to gain greater visibility.

Splunk offered us more visibility.

DA
SIEM Consultant at an educational organization with 51-200 employees

I'm also familiar with Microsoft Sentinel, and I find Splunk to be better. That said, although I have more experience with Splunk software, I find it a bit slow. Sentinel is much faster. 

GG
Security Engineer at By Light Professional IT Services

I have not used any other similar solution previously. Prior to working with Splunk, it was just basic IT administration work involving monitoring with different tools, such as Trellix FireEye. I am not sure how to compare them with Splunk.

it_user664632 - PeerSpot reviewer
Senior IT Security Operations at a pharma/biotech company with 10,001+ employees

We previously used ArcSight. Splunk is at another level. It is easier, more stable, and faster.

JJ
Lead Solution Architect at a tech vendor with 5,001-10,000 employees

We previously used native cloud monitoring. Now, we supplement it with Splunk to benefit from its additional features.

MY
Systems Engineer at a consultancy with 201-500 employees

I did not previously use a different solution. 

MK
Technical Account Manager at Trustaira

I've previously used LogRhythm, among other solutions. We sell a few different solutions.

CM
Incident Manager at CyberCore Technologies

We previously used ArcSight, but found Splunk to be more cloud capable.  

RE
Cyber Security Consultant at a tech services company with 10,001+ employees

We integrate Jira with QRadar which is helpful.

MS
Senior security consultant at a comms service provider with 51-200 employees

I have never worked with other similar products. I've worked for three companies, all of which use Splunk. 

KB
DevOps Engineer at Amplify Education, Inc.

Before Splunk, we used Kibana and Elasticsearch. Sometimes, with them, logs wouldn't even be there. We have received an infinite time reduction there. We couldn't use what we had before, so Splunk being there and working does a lot.

ShilpeeSinha - PeerSpot reviewer
Senior Security Engineer at Citrix

We have a SIEM solution, however, now the company is also trying to move to an Excel solution since the automation is better on their side. We aren't going to get rid of it or did not have any other SIEM solution in their mind when they were acquiring it. However, if any XOR solution works perfectly for us, the company might consider moving out of Splunk.

RU
Senior Solutions Architect at a manufacturing company with 51-200 employees

Splunk is similar to IBM QRadar, which we also have experience with. However, Splunk has advanced SIEM features included with it, so we often use it to satisfy this requirement. Whenever an organization is looking to implement SIEM, they have the flexibility to choose Splunk, QRadar, or the ArcSight Logger solution.

One of the major differences that I see between Splunk and QRadar is that Splunk gives the users fewer devices, so they can do things quicker. 

SD
Assistant Manager System at a financial services firm with 10,001+ employees

I have used McAfee Nitro in the past and IBM QRadar as well.

it_user340983 - PeerSpot reviewer
Infrastructure Engineer at Zirous, Inc.

We did not use a different solution before. The closest thing that we would have done to this would have been personally scraping logs reactively, which cost us roughly two to three hours per issue that arose purely through log searching and remediation.

it_user126027 - PeerSpot reviewer
Owner with 1-10 employees

No solution was available at the time.

KB
CTA\Owner at UCSolutions

I've previously used QRadar and it wasn't ideal.

There were certain times I integrated with other solutions too.

MK
Senior Consultant at Securian Financial Group

I previously used LogRhythm. I found this tool particularly difficult to use. It was more rigid in its normalization of data.

it_user525171 - PeerSpot reviewer
Specialist Master, Cyber Risk at a tech vendor with 10,001+ employees

Previously, we were using HPE ArcSight.

it_user257376 - PeerSpot reviewer
Lead Splunk Architect at a financial services firm with 10,001+ employees

Yes, ArcSight. We switched because of how slow the support can be with HPE sometimes and also because Splunk is simpler to use, is more data oriented, and is more adapted for business security use cases.

it_user575310 - PeerSpot reviewer
Engineer, Infrastructure Applications at a healthcare company with 1,001-5,000 employees

No enterprise solution was in place.

Salma Shahin - PeerSpot reviewer
Senior Engineer at Sony India Software Centre

We worked with QRadar for some time, but after that, we just came to Splunk.

KK
IT Analyst at an energy/utilities company with 1,001-5,000 employees

We used SurfWatch and VMware in the past.

CJ
Information Security Engineer/Architect at The Church of Jesus Christ of Latter-day Saints

While we did not have a previous solution, we took what little of Splunk that we have been using and have increased it greatly.

CS
Data Center Architect at an outsourcing company with 201-500 employees

We were using an assist log backend with Rsync and Kiwi prior to that. It was more of a co-solution than a cobbled-together solution. Splunk was a big improvement. The main reason for going for it was just the rate at which we were growing. We needed to have something that was more scalable than what we had before.

it_user250131 - PeerSpot reviewer
Information Architect at a financial services firm with 5,001-10,000 employees

We did not have a previous solution.

Sontas Jiamsripong - PeerSpot reviewer
Account Presale at a tech services company with 1,001-5,000 employees

My client has some pain points with QRadar and does not feel the kilogram function is accurate. Other features do not match with the customer behavior as well. They want to replace QRadar with Splunk because they are familiar with this solution.

AM
Senior Cyber Security Expert at a security firm with 11-50 employees

I'm a fan of QRadar. I use them as well.

it_user859650 - PeerSpot reviewer
Systems Analyst Staff - SW Eng Compute Analytics Lead at Qualcomm

Previously, only the service owner could see the data and he might have gone to several places to obtain it. Now, it is all in one place and easy to access. 

LR
Cybersecurity Senior Manager at a tech services company with 10,001+ employees

We were previously using Excel.

Donald Baldwin - PeerSpot reviewer
Principal Enterprise Architect at Aurenav Sweden AB

We used to use Splunk a lot more, however, we've moved more to Comodo right now. I'd say we've moved to Comodo from Splunk in a lot of areas.

On the security side, we use Comodo. Not all of our clients even have Comodo. A lot of them are using Splunk, however, a lot of them are using Splunk for enterprise operations and network operations items. Some of them are using security and a lot of them aren't. Splunk is offered as a security option now, however, originally, when you used it, it was to collect enterprise operations information and know-how your systems are running. 

SS
Consultant at a financial services firm with 5,001-10,000 employees

We didn't use any other solution.

AT
Managing Director at Hayyan Horizons

We did not use anything else on the production scale. Our first experience was with Splunk.

it_user399819 - PeerSpot reviewer
Security Architect at an energy/utilities company with 1,001-5,000 employees

We were not able to get the value we needed from the previous solution. It was too difficult or complex. With Splunk, we can do things we want and things we have not even dreamed of yet.

VA
Security Architect at a tech services company with 51-200 employees

We broaden the scope of IT governance and IT security.

We look at everything from SIEM to network management to endpoint protection, server protection, database protection, and anything else that can aid in visibility, policy enforcement, and monitoring.

Our organization is using a combination of Splunk and Elasticsearch. We get most of what we need from the ELK suite. ELK Stack is usually the primary focus.

ELK has the same inbuilt reports and dashboards that you can customize, but ELK is better for central logging and log aggregation. Once they've all been aggregated, you'll be able to run any kind of queries and APIs to query the logs on ELK and then use Splunk as a presentation layer for the consumers to use.

Security tools, in my opinion, are business tools and should be used by businesses rather than security engineers. I'm experimenting with a hybrid of the two, in which ELK serves as the engine for central logging and Splunk handles the presentation layer and aggregation of additional third-party logs from tools that might be difficult to integrate into ELK.

I would rate Elasticsearch a ten out of ten.

View full review »
ID
Senior Network Engineer at a tech services company with 51-200 employees

Prior to using Splunk, we only had some syslog servers that we sent logs to. However, syslog servers do not analyze your logs; they only capture them. In Splunk, you can assess the logs and do other things with them.

View full review »
GW
Consultant at Splunxter, Inc.

I have dabbled with LogRhythm and ArcSight and they are both OK, but Time-To-Value is WAY shorter with Splunk, IMHO.

View full review »
SJ
Engineer at a financial services firm with 201-500 employees

When I came to the company, they were already using Splunk. It's only now that we're looking to possibly move to another vendor. The cost of Splunk is much too high.

View full review »
MT
Project Manager at Idemitsu Oil & Gas

Up until we trialed Splunk, we did not have any solution. We used Splunk because we didn't have anything to monitor our system. I contacted our local vendor in Vietnam, and they suggested using the trial version of Splunk to see how it works in our environment. This is the main reason I trialed Splunk. We just used the trial version in our office and, since it expired, we haven't used it.

View full review »
it_user867087 - PeerSpot reviewer
Security Engineer at Information Innovators Inc. (Triple-i)

Years ago, we did use another solution, but I am not sure it exists any longer. We have been using Splunk for many years.

View full review »
AD
Director General de España at a cloud provider with 51-200 employees

We tried to work with Exabeam for user behavior analytics, but we stopped it.

View full review »
AA
Information Security Analyst at a tech services company with 1,001-5,000 employees

This is the only solution that we have been using.

View full review »
it_user782697 - PeerSpot reviewer
Security Operation Center Analyst at Sadad

I used ELK. It was good. It is an open-source solution, but there is some complexity in configuring it, working with it.

In choosing a vendor I use industry reviews to find feedback from the community that works with the solution.

View full review »
MA
System Administrator at Abdullah Al-Othaim Markets

We are using OpManager to monitor server logs. 

View full review »
it_user174663 - PeerSpot reviewer
Systems/Applications Specialist with 201-500 employees

I am aware that there are other solutions out there, but I haven't used them. I started with Splunk.

View full review »
VS
Splunk BDM in UA at a manufacturing company with 51-200 employees

I am familiar with other products and Splunk can handle much more data than IBM QRadar or any other competing product.

Direct competitors are more flexible when it comes to licensing.

View full review »
MM
CEO at a tech services company with 11-50 employees

We no longer resell Checkmarx. 

We were unable to assist in establishing their business on-premises because it could have been too expensive for our clientele.

View full review »
JS
Product Manager, FX Solutions at a tech services company with 10,001+ employees

I have previously used Qlik Sense and Kibana.

View full review »
it_user861630 - PeerSpot reviewer
Senior Network Security Engineer at Starz Entertainment

We were using a different SIEM, which was old-fashioned and very structured.

View full review »
it_user664626 - PeerSpot reviewer
Business Analyst at a retailer with 10,001+ employees

We never used other solutions.

View full review »
it_user1415322 - PeerSpot reviewer
Senior Consultant at sectecs

I have worked a little bit with Elasticsearch. I also have an instance of SIEMonster running, and I'm trying to get used to it. I found that Splunk provided a good benefit compared to Elasticsearch.

With Elasticsearch, if you have already inserted the data, then it's gone, because you need to do the pre-filtering. Once you've inserted or ingested the raw data, using Logstash, for example, you are no longer able to build the fields such as IP address, hostname, username, and the other fields that you want to export. This unsorted, raw data that you have is really a drawback for Elasticsearch and some other products. This is something from Splunk that I consider to be a heavy feature: you can just insert data and ingest it later on.

View full review »
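The two reviews above (the network engineer's point that a plain syslog server only captures lines, and the consultant's point that Splunk lets you keep raw events and pull fields out of them at search time) are easiest to see with a small emulation. The following is an added example, not code from the page or from Splunk; it is a Python stand-in for the search-time-extraction-plus-`stats` pattern (think `rex ... | stats count by src_ip`). The syslog lines, regexes and the `threshold` parameter are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the page). The raw text is kept
# verbatim; nothing is parsed at "ingest", exactly as a plain syslog server
# would store it.
RAW_EVENTS = [
    "Mar  3 10:01:02 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Mar  3 10:01:04 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 51236 ssh2",
    "Mar  3 10:01:07 web01 sshd[2213]: Failed password for root from 203.0.113.5 port 51240 ssh2",
    "Mar  3 10:01:09 web01 sshd[2215]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2",
    "Mar  3 10:02:15 db01 sshd[900]: Failed password for postgres from 192.0.2.9 port 33001 ssh2",
    "Mar  3 10:02:30 db01 CRON[901]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

# Search-time extraction: these regexes are applied when a query runs, not
# when the event is stored, so a new field can be added later without
# re-ingesting anything. Both patterns are assumptions for the sample format.
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
SSH_AUTH = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def extract_fields(raw):
    """Return the fields for one raw line. Lines that match nothing keep only
    _raw, so unparsed data is never lost, only unindexed."""
    fields = {"_raw": raw}
    header = SYSLOG_HEADER.match(raw)
    if not header:
        return fields
    fields.update(header.groupdict())
    auth = SSH_AUTH.match(fields["msg"])
    if auth:
        fields.update(auth.groupdict())
    return fields


def failed_logins_by_src(events, threshold=3):
    """Emulates: result=Failed | stats count by src_ip | where count >= threshold.
    Returns {src_ip: failed_count} for sources at or above the threshold."""
    counts = Counter()
    for raw in events:
        f = extract_fields(raw)
        if f.get("result") == "Failed":
            counts[f["src_ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in failed_logins_by_src(RAW_EVENTS).items():
        print(f"{ip}: {n} failed SSH logins")
```

The point of keeping `_raw` is that a line such as the CRON event, which the SSH regex does not understand today, still sits in the store and can be given fields by a regex written next month; a syslog server that only forwards text gives you the first half of that, and the aggregation step is what turns captured lines into a detection.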
AK
System Engineer at NetScout Systems

I have previously used RSA and I prefer Splunk.

View full review »
it_user664635 - PeerSpot reviewer
Performance Consultant at a tech services company with 10,001+ employees

We did not have a previous solution.

View full review »
it_user594183 - PeerSpot reviewer
Security Engineer at a retailer with 10,001+ employees

We didn’t have a previous solution.

View full review »
RM
Audit Remediation/Financial Manager at a tech services company with 1,001-5,000 employees

We didn't previously use a different solution. We've only ever really used Splunk.

View full review »
it_user645663 - PeerSpot reviewer
Sr. Program Manager at a consultancy with 51-200 employees

Our organization did not have an established SIEM tool.

View full review »
RS
Tech Lead Security at a comms service provider with 51-200 employees

We were using AlienVault. We switched because we weren't really happy with it. So, we looked into different solutions, such as Splunk.

View full review »
it_user396600 - PeerSpot reviewer
Vice Manager at a comms service provider with 10,001+ employees

We used to deploy Elastic Stack. The search language of Splunk is easier and friendlier than Elastic Stack. It has helped me to search quickly and easily. Based on the results, it’s easy to visualize and add results to a previously built, personal dashboard.

View full review »
it_user313119 - PeerSpot reviewer
Integration Architect at a manufacturing company with 1,001-5,000 employees

We also use a traditional monitor and Microsoft SCOM.

View full review »
BA
Solutions Consultant at a tech services company with 1,001-5,000 employees

Splunk is an enterprise monitoring tool. Qlik Sense can do a little bit of log monitoring, but it is mostly used for dashboard reporting, whereas Splunk is more around monitoring and figuring out threats and all such things. They are different, but both deal with the data and allow you to create operation reports. 

Power BI is another tool that a lot of our customers use, but Splunk is quite often requested. It is also a lot more popular than Qlik Sense. We have a fair number of Qlik Sense customers.  

We usually sell Blue Prism to business users who are more concerned with the reporting aspect, which is why they would like to have easy tools like Qlik Sense in their ecosystem, but on the infrastructure side, it would be Splunk for enterprise monitoring.

View full review »
RW
Architecture and Security Team Leader at CV Akbar Panjaya

We did not use another solution previously.

View full review »
it_user762567 - PeerSpot reviewer
Director of Information Security with 201-500 employees
  • AlienVault
  • LogRhythm
  • ArcSight
  • QRadar

I've used a whole bunch of different solutions. For a SIEM-based solution, they are more purpose-built for that function, whereas Splunk is purpose-built as a general logging and data capture solution, so you'd be able to capture a lot of different information.

View full review »
it_user717477 - PeerSpot reviewer
Account Manager at a tech services company with 10,001+ employees

Not applicable.

View full review »
TA
Cyber Security Consultant at a tech services company with 11-50 employees

I have previously used Curator and it was much easier to use than this solution.

View full review »
it_user635271 - PeerSpot reviewer
Foundation Technology Specialist at an insurance company with 1,001-5,000 employees

We were not using any other solution previously.

I evaluated ELK Stack but at the time, Splunk offered more flexibility, better support and was easier for us to implement.

View full review »
TB
Technical Director at a consultancy with 11-50 employees

Previously, we worked with different vendors and solutions.

View full review »
JN
IT Infrastructure Architect at a tech company with 201-500 employees

This was our first try for log analysis.

View full review »
DA
Engineer at an integrator with 11-50 employees

Our clients switch from Nagios or other monitoring solutions because the other solutions were not as flexible as Splunk. With Splunk, you can do things very programmatically. With the help of a developer and the included SDK, you can add the needed functionality.

View full review »
it_user363165 - PeerSpot reviewer
Products Manager at a tech services company with 5,001-10,000 employees

The client was using an open source solution. They decided to switch to an enterprise product.

View full review »