We performed a comparison between IBM Security QRadar and Trellix ESM based on real PeerSpot user reviews.
Find out in this report how the two Security Information and Event Management (SIEM) solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI.
"We can use Sentinel's playbook to block threats. It covers all of the environment, giving us great visibility."
"The main benefit is the ease of integration."
"The pricing of the product is excellent."
"Sentinel is a SIEM and SOAR tool, so its automation is the best feature; we can reduce human interaction, freeing up our human resources."
"I like the unified security console. You can close incidents using Sentinel in all other Microsoft Security portals, when it comes to incident response."
"Its inbuilt Kusto Query Language is a valuable feature. It provides the flexibility needed to leverage advanced data analytics rules and policies and enables us to easily navigate all our security events in a single view. It helps any user easily understand the data or any security lags in their data and applications."
"The UI-based analytics are excellent."
"You can fine-tune the SOAR and you'll be charged only when your playbooks are triggered. That is the beauty of the solution because the SOAR is the costliest component in the market today... but with Sentinel it is upside-down: the SOAR is the lowest-hanging fruit. It's the least costly and it delivers more value to the customer."
"The features that I have found most valuable are that it is very stable, easy to get going, and easy to manage. It is also easy to review all incidents."
"The most valuable feature is user behavior analytics (UBA)."
"There are a lot of great out-of-the-box features included."
"It's built around Red Hat Linux, which is highly robust."
"It can analyze event logs, event security, and give a good consult."
"There are more than 120 extensions in QRadar, which are easy to install and configure. These can improve your analysis of events."
"The most valuable feature is the machine learning module."
"QRadar shows very effective correlations. If you combine all the logins plus user behavior and the current intelligence, it gives a very good correlation for business. I think it reduces the false positives in user activity monitoring because there is a lot of social information to correlate with other data."
"It is easy to use and deploy. It comes with user-friendly manuals."
"The most valuable feature is the correlation rules."
"Trellix ESM is very user-friendly."
"The ease of use is the most valuable feature. Over the years I have always been using this solution and have become comfortable with it."
"I rate the tool's deployment an eight out of ten. The deployment is completed in two days."
"The most valuable features of McAfee ESM are intrusion detection, malware protection, and the device controller."
"The most valuable feature is that if the scanning does find something, it quarantines it. Then you can decide what you are going to do with it."
"The solution's technical support is great."
"Documentation is the main thing that could be improved. In terms of product usage, the documentation is pretty good, but I'd like a lot more documentation on Kusto Query Language."
"They're giving us the queries so we can plug them right into Sentinel. They need to have a streamlined process for updating them in the tool and knowing when things are updated and knowing when there are new detections available from Microsoft."
"The dashboards can be improved. Creating dashboards is very easy, but the visualizations are not as good as Microsoft Power BI. People who are using Microsoft Power BI do not like Sentinel's dashboards."
"If I can use Sentinel offline at home and use it on a local network, it would be great. I'm not sure if I can use Sentinel offline versus the tools I have."
"It would be good to have some connectors for third-party SIEM solutions. Many customers are struggling with the integration of Azure Sentinel with their on-premise SIEM. Microsoft is changing the log structure many times a year, which can corrupt a custom integration. It would be good to have some connectors developed by Microsoft or supply vendors, but they are not providing such functionality or tools."
"The KQL query does not function effectively with Windows 11 machines, and in the majority of machine-based investigations, KQL queries are essential for organizing the data during investigations."
"When we pass KPIs to the governance department, there's no option to provide rights to the data or dashboard to colleagues. We can use Power BI for this, but it isn't easy or convenient. They should just come up with a way to provide limited role-based access to auditing personnel"
"The performance could be improved. If I create 15 to 20 lines for a single-use case in KQL, sometimes it takes more time to execute. If I create use cases within a certain timeline, the result will show in .01 seconds. A complex query takes more time to get results."
"The solution is difficult to understand in the beginning and has complex management configurations that can be improved."
"QRadar needs a lot of fine tuning"
"Some UI enhancements would be nice, such as exporting custom event properties and the ability to export rules."
"The solution should enhance its capabilities of UEBA and AI/ML tech modeling."
"The quality of technical support depends on the IBM support person. Sometimes, it's hard to get the right person on the other side. A ticket coordinator could be the key to better quality delivery."
"I would suggest QRadar release any documentation or give an online demo, like videos on YouTube. It would increase publicity and public appeal."
"The product can be a bit complex."
"With IBM Security QRadar, my company faced issues with the support we received for the product."
"Tech support is required each time there is a system update of the solution."
"Product-wise, adding accounts on a single data source by batch would be a really great help."
"We cannot add new data sources to the most recent version."
"We acquired the IBM product because McAfee is slightly confusing to use, and it's broader."
"The solution needs to improve case management. The UI is confusing."
"The product's stability is an area of concern where improvements are required."
"Cloud integration has room for improvement because they're not full-fledged to integrate with the cloud solutions that come. They use different integration platforms to bring in data, and that needs to be improved."
"The product’s alert response feature needs improvement. It could be more flexible and secure."
IBM Security QRadar is ranked 4th in Security Information and Event Management (SIEM) with 198 reviews while Trellix ESM is ranked 19th in Security Information and Event Management (SIEM) with 34 reviews. IBM Security QRadar is rated 8.0, while Trellix ESM is rated 7.4. The top reviewer of IBM Security QRadar writes "A highly stable and scalable solution that provides good technical support". On the other hand, the top reviewer of Trellix ESM writes "Provides visibility of all the traffic within the company infrastructure". IBM Security QRadar is most compared with Splunk Enterprise Security, Wazuh, LogRhythm SIEM, Elastic Security and Sentinel, whereas Trellix ESM is most compared with ArcSight Enterprise Security Manager (ESM), LogRhythm SIEM, Splunk Enterprise Security, Trellix Helix and Cybereason Endpoint Detection & Response. See our IBM Security QRadar vs. Trellix ESM report.
See our list of best Security Information and Event Management (SIEM) vendors.
We monitor all Security Information and Event Management (SIEM) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
i have implemented the IBM QRadar, its the simplest to install and configure.
install, add log sources,create use cases as per your needs and QRadar will log all the events and network activity.
you can then perform forensics as well as vulnerability scans.
The basic things like adding log sources is hopefully not a problem but i think to get most value from the SIEM is to make a list of use cases tweaked to your organisation and log sources to find the problems/incidents your C-level can understand. Then you will keep on getting the fundings you need to get the issues you think is necessary to make the SIEM a valuable tool.
I've implemented AccelOps SIEM which also does Server/Network Performance and Availability monitoring. Most of the work involved was with configuration of SNMPv2/v3 or WMI on endpoint devices if the SIEM is not agent-based. Also, a lot of configuration with fine tuning the rules/reports specific to your organization as mentioned. Basic Linux knowledge is also recommended for AccelOps. I would also recommend purchasing Proessional Services hours for implementation guidance and proper training of IT staff and end-users (if applicable) that will be accessing/using the SIEM.
Hello. If you need any assistance through sizing and deployment of IBM QRadar, you should contact a local sales partner in your area. A partner should be able to size your specific needs, no matter little or big they are.
is it the same now for Alienvault? What level of Linux knowledge is needed?
I have implemented McAfee Nitro and IMB Qradar, where the later was the easiest to implement. Majority of the work is fine tuning and creating rules that are specific for your organization. All vendors will tell you about builtin intelligence that offer nothing in the read world
We implemented the Alienvault USM product and one of the largest considerations to make is the Linux knowledge required to implement, configure and manage the solution. Depending on the current in-house skill set and architecture this may or may not present as a consideration.