We compared IBM Security QRadar and Splunk Enterprise Security across several parameters based on our users' reviews. After reading the collected data, you can find our conclusion below:
Ease of Deployment: IBM Security QRadar’s setup can be more challenging and time-consuming compared to Splunk Enterprise Security. Some users found both solutions easy to install, but IBM Security QRadar took several weeks or even months, while Splunk Enterprise Security could be set up in just a day.
Features: IBM Security QRadar is praised for its ability to detect threats and its ease of use. It provides customizable rules, real-time network monitoring, and competitive pricing. Splunk Enterprise Security stands out in its ability to capture and analyze various data streams. It offers valuable features like a search function, session reports, and graphing capabilities.
Room for Improvement: IBM Security QRadar could enhance its pricing, threat identification, plugins, and threat detection, EPS challenge, training, and technical support. Splunk Enterprise Security has room for improvement in its search algorithm, licensing model, technical support, AI capabilities, pricing, and machine learning algorithms.
Pricing: IBM Security QRadar’s cost differs based on the organization's requirements and structure. Certain users perceive it as reasonable, while others view it as costly. Similarly, Splunk Enterprise Security's pricing is subjective, as some users find it expensive while others find it reasonable.
ROI: Both Splunk Enterprise Security and IBM Security QRadar are cost-effective solutions with a favorable ROI. QRadar offers user behavior analytics and employee profiling. Splunk enhances security measures and is known for its flexibility and ability to provide global observability.
Service and Support: Both IBM Security QRadar and Splunk Enterprise Security have received varying feedback regarding their customer service and support. Users have commended the staff's expertise and responsiveness for both products. However, there have been complaints about slow response times and a lack of expertise.
Comparison Results: IBM Security QRadar and Splunk Enterprise Security have similarities in terms of setup complexity and value in detection capabilities and user-friendliness. IBM Security QRadar offers a wide range of features, including real network monitoring, security orchestration automated response, and risk scoring for user activity. Splunk Enterprise Security is praised for its search function, session reports, and graphing capabilities, as well as scalability and machine learning capabilities. IBM Security QRadar may have an advantage in features and pricing, while Splunk Enterprise Security may have an advantage in search capabilities and scalability.
"Free ingestion for Azure logs (with E5 licence)"
"The Identity Behavior tab furnishes us with the entire history linked to each IP or domain that has either accessed or attempted to access our system."
"The native integration of the Microsoft security solution has been essential because it helps reduce some false positives, especially with some of the impossible travel rules that may be configured in Microsoft 365. For some organizations, that might be benign because they're using VPNs, etc."
"Azure Application Gateway makes things a lot easier. You can create dashboards, alert rules, hunting and custom queries, and functions with it."
"The best feature is that onboarding to the SIM solution is quite easy. If you are using cloud-based solutions, it's just a few clicks to migrate it."
"It is quite efficient. It helps our clients in identifying their security issues and respond quickly. Our clients want to automate incident response and all those things."
"We didn't have anything similar. So, it really provides value from the incidents and automation point of view. The overview of the security fabric is most valuable."
"It has basic out-of-the-box integrations with multiple log sources."
"I like that it's easy to use and the performance is good."
"It is very stable. We have not faced interruptions in the past four and a half years."
"The flexibility is good in terms of pulling log files."
"Overall a great solution."
"The solution is reliable."
"It has a powerful GUI where you can put together your use cases, and don't have to write your own scripts."
"It has a logical, user-friendly GUI."
"Improved our organization's TCO."
"There are lots of free learning materials on their website."
"The Splunk user community and forum are most valuable."
"We solve issues that we previously could not since we now have the data."
"The technical support is among the best in the market."
"The product is good, it satisfies our customers."
"Splunk has helped improve our company's resilience level."
"We can automatically suspend or terminate suspicious sessions."
"Splunk works based on parsing log files."
"Some of the data connectors are outdated, at least the ones that utilize Linux machines for log forwarding. I believe that Microsoft is already working on improving this."
"Sentinel can be used in two ways. With other tools like QRadar, I don't need to run queries. Using Sentinel requires users to learn KQL to run technical queries and check things. If they don't know KQL, they can't fully utilize the solution."
"Add more out-of-the-box connectors with other SaaS platforms/applications."
"Sentinel's reporting is complex and can be more user-friendly."
"They need to work with other security vendors. For example, we replaced our email gateway with Symantec, but we couldn't collect these logs with Azure Sentinel. Instead of collecting these logs with Azure Sentinel, we are collecting them on Qradar. We couldn't do it with Sentinel, which is a problem for us."
"Documentation is the main thing that could be improved. In terms of product usage, the documentation is pretty good, but I'd like a lot more documentation on Kusto Query Language."
"The AI capabilities must be improved."
"Improvement-wise, I would like to see more integration with third-party solutions or old-school antivirus products that have some kind of logging capability. I wouldn't mind having that exposed within Sentinel. We do have situations where certain companies have bought licensing or have made an investment in a product, and that product will be there for the next two or three years. To be able to view information from those legacy products would be great. We can then better leverage the Sentinel solution and its capabilities."
"In terms of additional features, a mobile app would be nice. Also, the reporting is definitely okay, but you have to make sure that everybody with different roles can understand it. There is room for improvement in the reporting."
"The user interface and configurability of IBM QRadar User Behavior Analytics can be improved. It has a lot of pre-configured settings and not many things can be changed. It also needs more integrations. Currently, User Behavior Analytics is integrated only with IBM QRadar. It could have deeper integrations. It can also have more complicated scoring models. Currently, it has a very simple linear scoring model for users."
"There is a shortage of skilled individuals with knowledge about the solution. There is training required."
"There should be an extension where we can get the reports. This could be an extension to the dashboard with the Guardian or another product with limited technology, for example IPS. Now, we only have IBM. Basically, it needs more and more integration models."
"The advanced planning management (APM) features should be included."
"Ideally we would like a mobile version so that any alert that comes in will notify us in a mobile app, or by using SMS integration."
"I have also been working with other SIEM solutions, and I have observed that they have extensive Linux-based and Unix-based integrations. They have been able to support some of the Linux-based agents, which is useful to investigate and process the information on the Linux and Unix side."
"It is not app based."
"Splunk could improve its default machine-learning models. Also, Splunk Enterprise's native threat intelligence isn't that good. I prefer a custom threat intelligence model."
"A problem that we had recently had was we licensed it based on how much data you upload to them every day. Something changed in one our applications, and it started generating three to four times as many logs and. So now, we are trying to assemble something with parts of the Splunk API to warn ourselves, then turn it off and throttle it back more. However it would be better if they had something systematically built into the product that if you're getting close to your license, then to shut things down."
"An improved user interface along with multi-tenancy support would be beneficial."
"The GUI can be improved to include some of the capabilities that other BI solutions have."
"The pricing can be better."
"I have concerns about the architecture as well since I can see it is not very well defined."
"Spam has different plugins but by default, the logs are not organized, it shows that there are roll-ups that are out of the box. I saw many plugins that can help improve or extend Splunk's functionality but I haven't tried any of them."
"More training on PetaData using artificial intelligence techniques to identify the events which are not normal and exceptions that would help the organization identify threats and malware on the go with results."
IBM Security QRadar is ranked 6th in Log Management with 198 reviews while Splunk Enterprise Security is ranked 1st in Log Management with 228 reviews. IBM Security QRadar is rated 8.0, while Splunk Enterprise Security is rated 8.4. The top reviewer of IBM Security QRadar writes "A highly stable and scalable solution that provides good technical support". On the other hand, the top reviewer of Splunk Enterprise Security writes "It has a drag-and-drop interface, so you don't need to know SQL or Java to construct a query ". IBM Security QRadar is most compared with Wazuh, LogRhythm SIEM, Elastic Security, Sentinel and Fortinet FortiSIEM, whereas Splunk Enterprise Security is most compared with Wazuh, Dynatrace, Elastic Security, Datadog and Azure Monitor. See our IBM Security QRadar vs. Splunk Enterprise Security report.
See our list of best Log Management vendors and best Security Information and Event Management (SIEM) vendors.
We monitor all Log Management reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
For tools I’d recommend:
-SIEM- LogRhythm
-SOAR- Palo Alto XSOAR
Doing commercial w/o both (or at least an XDR) is asking to miss details that are critical, and ending up a statistic.
Also, remember that any EDR/XDR should integrate to the SIEM/SOAR and a strong threat intel source.
If you consider SOC outsourcing take your time and find one you can integrate like a virtual team member. They are only as good as their depth of knowledge in your business and your on-prem SOC.
Apache Metron, ELK, OSSIM, Splunk and Qradar (in cost/benefit order for starters).
I have no experience with Rapid 7 or InsightIDR.
IBM Qradar works great but is not easy to install. If it is running it is a great tool. Also depending on the budget, Riverbed security is a tool to consider. Costs are lower than QRadar and easier to implement.
Or you can use our SaaS solution with QRadar and a lot more built-in. One holistic solution for your complete IT environment.
@Evgeny Belenky, I found Stellar to be quite intriguing.
I would also recommend McAFee’s new console for centralizing and coordinating a well-deployed enterprise solution.
COMODO MDR
Disclaimer: ICE Consulting offers SOC as a Service to our Clients.
For SOC Tools we use Securonix and other in-house developed solutions. Securonix provides an all in one package (SIEM, UEBS, & NTA) that we believe is competitively priced for the Small to Mid Market. Their Customer Service seems better than most and they are always highly rated in the Gartner MQ reports. Set-up is not difficult, but is time consuming for the first time, afterwards each client deployment we have added has seemed to get easier and quicker.
Please contact several vendors and ask for demos, talk with the vendor engineers to ensure the solution will workfor your needs... We evaluated Rapid7, AlienVault (ATT Cybersecurity), QRadar, LogRythm, and Securonix before deciding on Securonix.
Also take your time in evaluating and re-evaluating the products, I took us about about 18 months and over $30K of working with what was utimately the wrong product for us, before moving to Securonix.
Make sure training for the use of the service is included. We have been able to provide entensive training to out team through the vendor and would not have been able to get out SOC offering off the ground without it.
Good Luck!
COMODO SOC covers your entire network and also your email. It is very easy to deploy and is very effective for reports.
I prefer the COMODO SOC solution because it is a very good and easy to deploy product.