We performed a comparison between NetWitness Platform and Splunk Enterprise Security based on real PeerSpot user reviews.
Find out in this report how the two Security Information and Event Management (SIEM) solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."It is able to connect to an ever-growing number of platforms and systems within the Microsoft ecosystem, such as Azure Active Directory and Microsoft 365 or Office 365, as well as to external services and systems that can be brought in and managed. We can manage on-premises infrastructure. We can manage not just the things that are running in Azure in the public cloud, but through Azure Arc and the hybrid capabilities, we can monitor on-premises servers and endpoints. We can monitor VMware infrastructure, for instance, running as part of a hybrid environment."
"The in-built SOAR of Sentinel is valuable. Kusto Query Language is also valuable for the ease of writing queries and ease of getting insights from the logs. Schedule-based queries within Sentinel are also valuable. I found these three features most useful for my projects."
"It is quite efficient. It helps our clients in identifying their security issues and respond quickly. Our clients want to automate incident response and all those things."
"The standout feature of Sentinel is that, because it's cloud-based and because it's from Microsoft, it integrates really well with all the other Microsoft products. It's really simple to set up and get going."
"It's easy to use. It's a very good product. It can easily ingest data from anywhere. It has an easily understandable language to perform actions."
"It's pretty powerful and its performance is pretty good."
"Azure Application Gateway makes things a lot easier. You can create dashboards, alert rules, hunting and custom queries, and functions with it."
"The most valuable feature is the UEBA. It's very easy for a security operations analyst. It has a one-touch analysis where you can search for a particular entity, and you can get a complete overview of that entity or user."
"The development of use cases on the SSA console is quite user friendly. This means that the security analyst or the researcher does not have to learn another language."
"I can have enterprise security, email security, next generation firewall security log, HIDS and NIDS logs, etc. all on the same dashboard. It makes it easy to pinpoint or correlate our server to this. I can find out if there is lateral movement. This is the biggest advantage of this solution."
"The packet capture aspect of it is a valuable feature because it is quite different from a traditional SIEM solution that only carries out investigations based on captured logs."
"The solution is really scalable for the high-end power, enterprise customer."
"Alerting Module: It provides real-time event processing language on all the logs/packets stream for advanced alerting, i.e., using SQL LIKE statements."
"The product's initial setup phase was not at all difficult."
"Performance and reporting are very good."
"NetWitness can be highly beneficial for incident detection and response."
"It is user-friendly. It is more effective than other solutions. The support and help for troubleshooting and the documentation from Splunk make it very effective."
"It gives us good visibility into multiple environments, including cloud, on-premises, and hybrid; irrespective of platform."
"Splunk allows us to customize processing and dashboards, which helps us take care of our customers' needs."
"The reporting aspect is good and it does what I need it to do."
"It is easy to use, and easy to implement."
"It helped us consolidate all our solutions into an easy tool to use for various employees."
"The solution is very fast and succinct."
"The initial setup isn't overly complex."
"There is room for improvement in entity behavior and the integration site."
"Its documentation is not so simple. It is easy for somebody who is Microsoft certified or more closely attached to Microsoft solutions. It is not easy for those who are working on open-source platforms. There isn't a central point where everything is documented, and there is no specific training or certification."
"The performance could be improved. If I create 15 to 20 lines for a single-use case in KQL, sometimes it takes more time to execute. If I create use cases within a certain timeline, the result will show in .01 seconds. A complex query takes more time to get results."
"It would be good to have some connectors for third-party SIEM solutions. Many customers are struggling with the integration of Azure Sentinel with their on-premise SIEM. Microsoft is changing the log structure many times a year, which can corrupt a custom integration. It would be good to have some connectors developed by Microsoft or supply vendors, but they are not providing such functionality or tools."
"If I can use Sentinel offline at home and use it on a local network, it would be great. I'm not sure if I can use Sentinel offline versus the tools I have."
"Some of the data connectors are outdated, at least the ones that utilize Linux machines for log forwarding. I believe that Microsoft is already working on improving this."
"The built-in SOAR is not really good out-of-the-box. The SOAR relies on logic apps and you almost need to have some kind of developer background to be able to make these logic apps. Most security people cannot develop anything..."
"If I see an alert and I want to drill down and get more details about the alert, it's not just one click. In other SIEM tools, you just have to click the IP address of the entity and they give you the complete picture. In Sentinel, you have to write queries or use saved queries to get details."
"The system looks like it is a mix of a bunch of different systems, and nothing looked like it was quite together."
"If we have the ability to run a dynamic analysis through malware in the same suite, it would be great to have a sandbox solution to analyze malware through dynamic analysis."
"The solution should have more integration capabilities with different platforms."
"The implementation needs assistance."
"Its technical support could be better."
"The user interface is a little bit difficult for new users and it needs to be improved."
"The documentation is not as structured as I would like, personally, and I think that it can be improved and made much more user-friendly."
"They should implement algorithms to digest that data and produce additional, more advanced reporting, alerting and support of internal security teams."
"The implementation and the scanning of the logs can be difficult."
"The historical data extraction needs improvement. I would like the capability of taking data and having it trend longer."
"Some of the search functions can be better. There has been a lot of talk at the conference about the update of SPL before each iteration. That will be a lot of help."
"Their technical support sucks."
"Splunk could add more ways to manage archiving and storage. There isn't a web interface. You can do this on the SaaS version, but the on-premise platform doesn't have this option. It has other things but no option for remote NAS. I would like to have a personal web interface where I can specify how long logs should be stored. To have this readily available on the web, you need to adjust some settings on the backend. That is tricky."
"The cluster environment should be improved. We have a cluster. In the Splunk cluster environment, in the case of heavy searches and heavy load, the Splunk cluster goes down, and we have to put it in the maintenance mode to get it back. We are not able to find the actual culprit for this issue. I know that cluster has RF and SF, but it has been down so many times. There should be something in Splunk to help users to find the reason and the solution for such issues."
"The product must improve insider threat detection."
"When you get into large amounts of data, Splunk can get pretty slow. This is the same on-premise or AWS, it doesn't matter. The way that they handle large data sets could be improved."
NetWitness Platform is ranked 15th in Security Information and Event Management (SIEM) with 36 reviews while Splunk Enterprise Security is ranked 1st in Security Information and Event Management (SIEM) with 240 reviews. NetWitness Platform is rated 7.4, while Splunk Enterprise Security is rated 8.4. The top reviewer of NetWitness Platform writes "Can find out if there is lateral movement, but integration and workflow need improvement". On the other hand, the top reviewer of Splunk Enterprise Security writes "It has a drag-and-drop interface, so you don't need to know SQL or Java to construct a query ". NetWitness Platform is most compared with RSA enVision, IBM Security QRadar, Cisco Secure Network Analytics, Trellix Network Detection and Response and LogRhythm SIEM, whereas Splunk Enterprise Security is most compared with Wazuh, Dynatrace, IBM Security QRadar, Elastic Security and Datadog. See our NetWitness Platform vs. Splunk Enterprise Security report.
See our list of best Security Information and Event Management (SIEM) vendors and best Log Management vendors.
We monitor all Security Information and Event Management (SIEM) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.