NetIQ Sentinel is a security information and event management tool that makes up part of our security solution. We are in the process of migrating to a new solution.
Global Cyber Security Manager at a financial services firm with 5,001-10,000 employees
Stable and works well for certain use cases, but it is inflexible and the technical support needs improvement
Pros and Cons
- "The stability is phenomenal and we never had any issues with downtime or even had to restart."
- "You need a lot of Unix scripting knowledge in order to manage the tool, which is one of the main issues that we faced."
What is our primary use case?
What is most valuable?
The use cases that it was made for, such as server monitoring, worked very well.
What needs improvement?
Frankly speaking, we did not find this product to be valuable, at all.
You need a lot of Unix scripting knowledge in order to manage the tool, which is one of the main issues that we faced.
When we integrated with other log management solutions, the password was not there. We also found it very difficult to create a custom password and in the end, we didn't succeed.
Trying to do something new, outside of use cases like server monitoring, was difficult and we could not do much.
For how long have I used the solution?
I have been working with NetIQ Sentinel for almost two years.
Buyer's Guide
Sentinel
October 2024
Learn what your peers think about Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
816,406 professionals have used our research since 2012.
What do I think about the stability of the solution?
The stability is phenomenal and we never had any issues with downtime or even had to restart.
What do I think about the scalability of the solution?
This product did not scale for us. I'm not saying that it was a problem with the product but we had trouble finding the skills and knowledge required for this tool. As our environment started growing, we had to buy new tools.
How are customer service and support?
We have had a lot of problems and Micro Focus technical support was not able to help us. They may have different levels of support packages available, but in our experience, we had to write two or three emails back and forth before we got anything reasonable in response. With other vendors, we have a technical account manager that we can reach out to when we are having problems. This is completely missing in NetIQ Sentinel.
Which solution did I use previously and why did I switch?
We are currently in the process of migrating from NetIQ Sentinel to IBM QRadar.
How was the initial setup?
This product had been implemented by somebody else a few years ago, before I joined the company.
What about the implementation team?
We are a small company with an in-house technical services team.
What's my experience with pricing, setup cost, and licensing?
We inquired about getting support from the vendor, Micro Focus, but the cost was very high.
What other advice do I have?
Whether I would recommend this solution to anyone would depend on their environment. Maybe if they have a hybrid cloud environment then they would not have faced the challenges that we did. As it was on-premises and completely owned by us, we had a lot of trouble with managing the tool. Once it is running, it runs well, but when it comes to adding new devices to it, we always faced issues.
I would rate this solution a six out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information Systems Manager at a healthcare company with 501-1,000 employees
The query tool of the web UI is so cool.
What is most valuable?
The query tool of the web UI is so cool! (Lucene-based, filters-based on taxonomy). The web interface gives you the ability to design, at query time, a simple report on the fly.
Support from the provider is great; good experience with the helpdesk.
How has it helped my organization?
Sentinel can help our customers meet PCI, and other requirements based on the reporting and control of related components. Questions like "who has access to that asset" and "who had access in such and such moment" can be solved quickly.
What needs improvement?
The Java desktop tool and the WMI integration (WECS server architecture).
The integration UI and modules deployment can improve.
In my opinion, the web interface can manage all the functionalities and configurations; no Java desktop app is necessary.
The Java app functions can be migrated to the web interface.
On the other hand, WMI integration can be improved by removing the WECS collector. Sentinel Node can include all the functions. If a scenario needs more power, just deploy another Sentinel node (all in one) that can help in multiple use cases, not just WECS.
RAM consumption... some JRE problems... but nothing that cannot be fixed by IT (for example, file descriptor limits for Java).
For how long have I used the solution?
As part of my work, I’m responsible for deployment, tuning, integrating, and using Sentinel for bank projects.
Reporting IDE environments and processes is hard to take responsibility for, but not impossible.
Some functions look great but, in practice, some key limitations turn the process into something opaque.
What do I think about the stability of the solution?
Java needs a lot of RAM!! Some queries (if you're not careful) can consume lots of memory and destabilize the instance of the product (or OS platform, including RHEL).
What do I think about the scalability of the solution?
We have not had scalability issues. Storage retention policies and schema, online and offline, are very nice.
If Sentinel is integrated with Identity Manager and User Application Portal, the solution runs simply perfect!
How are customer service and technical support?
In my experience, support really rocks it! I had an opportunity to meet great people, very human and engineers.
Which solution did I use previously and why did I switch?
Yes... sure... Syslog!!
SIEM is not a simple logging tool. The big clients (banks, big industries, government, etc.) need a solution according to their size.
How was the initial setup?
Just follow the manuals after reading them. Linux knowledge helps, because Linux opens your hard mind. It is complex for mortals, familiar for "Linuxers".
What's my experience with pricing, setup cost, and licensing?
Sentinel is not for home use. Other versions are available from the same vendor, like Sentinel Rapid Deployment or the Reporting Module, that are offered for different needs. In other words, if price is a problem, go open source, not a world-class tool like Sentinel. NetIQ offers nice licence packages that can adjust better for some clients.
Which other solutions did I evaluate?
RSA Security Analytics was an option, but as part of the NetIQ/Novell Identity Manager deployment we preferred the NetIQ SIEM tools (integration capabilities). It depends on client needs whether another solution, like RSA Analytics, is appropriate.
What other advice do I have?
Be careful with requirements; production resources are really needed. Be clear with objectives, and test it before use. Understanding SIEM concepts is basically the goal.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior IT Security Consultant at a tech consulting company with 51-200 employees
Our initial setup was complex, but mainly because of all the network variables we had.
What is most valuable?
- Correlation Engine simplicity
- Visual agent deployment
- Stream-based solution performed by the iscale bus (no latency due to the database layer)
How has it helped my organization?
- Better security incident analysis
- New scopes for security events and correlation
- Better performance on device failure actions
What needs improvement?
- Correlation Engine
- Device support
- Agent development flexibility
For how long have I used the solution?
I worked on version 5 and then 6 for a total of 6 years. My personal score is 4 stars based on my experience with the latest version I worked on (probably version 7 should be much better).
What was my experience with deployment of the solution?
On version 5, the builder was somewhat unstable during deployment -> workaround: a strong procedure with too many intermediate save steps.
What do I think about the stability of the solution?
The wizard agent module is very sensitive to network changes and needs a restart on every network change (versions 5 and 6).
What do I think about the scalability of the solution?
I have not seen any issues with scalability.
Which solution did I use previously and why did I switch?
I had another SIEM installation (nFX) working for another application domain.
How was the initial setup?
Complex, but mainly because of all the network variables we had. Imagine mapping firewall rules passively and then requesting the ability from an external group not really involved in the installation.
What about the implementation team?
Actually, we were the system integrator and we provided a large enterprise solution.
Which other solutions did I evaluate?
Novell SIEM was my second technology of this kind. Previously I experienced the nFX and later even the McAfee ESM and the Splunk ES.
What other advice do I have?
Be aware that without any technical support from NetIQ it could be very hard to administer.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security/Service Engineer at a comms service provider with 10,001+ employees
Valuable features are Anomaly dashboards, search/filters features.
What is our primary use case?
Primarily, I used NetIQ Sentinel when I worked as a Security Analyst, as a tool for collecting and filtering out logs in order to investigate whether there is something "interesting", i.e. samples of real attack or malware activities. Sentinel is a tool that, if it's well configured, removes from view all unnecessary information, like logs about the user opening a window in the system, and shows you only the needful entries. It removes data that can obscure your perspective and mislead an investigation.
Later, I used NetIQ Sentinel more "administratively", which means that I created/removed/changed event sources and/or also investigated why they hadn't sent anything to the log collector. I can tell that from an administration perspective the interface of Sentinel is also very simple to operate and navigate. When an interface is intuitive, as in the case of Sentinel, there's no need for a special effort to do your job faster, more conveniently and with high performance.
What is most valuable?
Anomaly dashboards, search/filters features.
The Anomaly dashboard provides the possibility to find 0-day attacks. This feature is built based on the search/filters feature. It's great and very useful, because I would first find out if a search/filter can give me the data that I need. If not, I have the possibility to change it, e.g. using regex or doing search/filter fine-tuning. And when I have the search/filter tested and know that it will catch the information that I want to see on the chart, then I implement the search/filter in a new Anomaly dashboard.
It is also a great idea that I can receive anomaly alerts via email. I don't need to watch charts all the time.
How has it helped my organization?
For example, from version 7.1 the company where I worked started using the anomaly dashboards. It is very convenient, because the SOC could and can react to possible attacks which are not seen in alerts made by rules. As I said before, anomaly dashboards can help detect a type of attack called 0-day attacks. A 0-day attack is a threat that hasn't been categorized as an attack yet, and because of that there is no patch or solution, because it's unknown to systems like IDS/IPS.
What needs improvement?
I would prefer to extend the dashboards part and their functions in the Web GUI version, so the charts could be configurable.
Efficiency of Security Team
Yes, it has.
Events per Day
~240 mln.
For how long have I used the solution?
One and a half years.
What do I think about the stability of the solution?
No.
What do I think about the scalability of the solution?
No.
How are customer service and technical support?
8/10.
Which solution did I use previously and why did I switch?
No.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
CEO at ITCORE
Makes it easier to create queries
Pros and Cons
- "The most valuable feature is the flexible log for identifying security threats inside an application. Sentinel is very good at this."
- "The dashboard and customer view should be improved."
How has it helped my organization?
Sentinel has improved the user experience inside. It is easier to create queries.
What is most valuable?
The most valuable feature is the flexible log for identifying security threats inside an application. Sentinel is very good at this.
What needs improvement?
The dashboard and customer view should be improved.
In the next release, I would like for there to be monitoring inside Sentinel.
For how long have I used the solution?
I have used NetIQ for 18 months.
What do I think about the stability of the solution?
Stability is very good.
What do I think about the scalability of the solution?
Scalability is very good.
How are customer service and technical support?
Their customer support is very good.
How was the initial setup?
The initial setup was very easy. It took around one or two weeks.
What other advice do I have?
I would rate NetIQ a ten out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer: reseller
System specialist IDM/SIEM at SV Informatik GmbH
Provides an important central locking system for audit data, but it needs a new interface
Pros and Cons
- "The most valuable feature of this solution is that it provides a central locking system for many event sources."
- "There is no integration in the web-side of the tool."
What is our primary use case?
We are using this solution for logging.
Our environment is an on-premises deployment.
How has it helped my organization?
We have a regular database to audit and this solution is able to lock the audit data.
What is most valuable?
The most valuable feature of this solution is that it provides a central locking system for many event sources.
What needs improvement?
The web interface needs to be improved, as it has a java-based way to call its controls.
There is no integration in the web-side of the tool.
It is an important requirement to be able to develop collectors because the tool does not provide a portfolio of collectors for systems or devices.
For how long have I used the solution?
We have been using this solution for approximately fifteen years.
What do I think about the stability of the solution?
The stability of this tool is good, and we haven't had a big crash.
What do I think about the scalability of the solution?
It is not easy to scale the tool. In the live version, you have the usability tool that is the scaling version of Sentinel, but we do not use it. We have about one hundred people using this solution who feed events into Sentinel to look for anomalies in the database audits.
How are customer service and technical support?
Technical support for this solution is good.
Which solution did I use previously and why did I switch?
We did not use another solution prior to this one.
How was the initial setup?
This solution is easy to install. Our initial deployment took approximately three months.
There is a team of four people who maintain this solution.
What about the implementation team?
We used a consultant from NetIQ to assist with our deployment and it was a good experience.
Which other solutions did I evaluate?
We evaluated three other tools in addition to this one. They were Splunk, ArcSight, and Elasticsearch.
What other advice do I have?
We are planning on changing tools.
I would rate this solution a four out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Manager Platform Monitoring at a non-tech company with 10,001+ employees
It provides real time security event analytics. Take a look at other vendors like LogRhythm.
What is most valuable?
Scalability is the best feature.
How has it helped my organization?
It provides real time security event analytics.
What needs improvement?
Take a look at other vendors like LogRhythm. They are light years ahead of where this product is.
For how long have I used the solution?
I have used this solution for seven years.
What do I think about the stability of the solution?
We did have issues with stability. Java is not stable.
What do I think about the scalability of the solution?
We did not have scalability issues.
How are customer service and technical support?
Support is good, but only for backend support. Both Level-1 and Level-2 support teams are terrible.
Which solution did I use previously and why did I switch?
We did not have a previous solution.
How was the initial setup?
The setup was complex.
What's my experience with pricing, setup cost, and licensing?
It's probably not a product that I would recommend to anyone.
Which other solutions did I evaluate?
We did not evaluate other options.
What other advice do I have?
The amount of time spent implementing this solution, tweaking it to suit our needs, and then maintaining it, ended up being the same as building one from scratch, using something like ELK.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Development Manager at a security firm with 51-200 employees
The correlation engine allows our clients to generate rules more efficiently.
Valuable Features
Correlation rules - The correlation engine allows our clients to generate rules more efficiently. For example: the company has a policy which says that all connections to the databases can only be made by internal connection. So you can correlate the VPN logs, FW logs, and DB logs to alert when this policy has been breached.
Improvements to My Organization
Detection of unauthorised access to systems.
Use of Solution
10 years
Deployment Issues
I haven't encountered any issues with deployment.
Stability Issues
I haven't encountered any issues with stability.
Scalability Issues
I haven't encountered any issues with scalability.
Customer Service and Technical Support
Customer Service: Our clients have told us that they like their customer service.
Technical Support: I provided technical support to LATAM.
Initial Setup
Initial setup was straightforward.
Implementation Team
I was the implementer.
Other Advice
Prepare a plan for short, medium and large implementation. Start with the simple ones, like FW, routers, etc., then move to more complex ones like in-house applications.
Disclosure: My company has a business relationship with this vendor other than being a customer: I used to work for a company that was a Novell partner
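The correlation rule described in the review above (alert on a database login that did not arrive over an internal or VPN connection) expressed as a small, stand-alone detection script. This is an added illustration, not Sentinel's rule language or any reviewer's code; the log formats, the 10.0.0.0/8 internal range, the 172.16.0.0/12 VPN pool and the sample log lines are all constructed for the example.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumed network layout for the example (not from the review).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
VPN_POOL = ipaddress.ip_network("172.16.0.0/12")
DB_PORTS = {5432, 3306, 1433}

# Constructed sample logs in a simple "timestamp source key=value ..." form.
VPN_LOG = """\
2024-10-01T08:00:00 vpn event=session-start user=alice assigned=172.16.0.5
2024-10-01T09:30:00 vpn event=session-end user=alice assigned=172.16.0.5"""
FW_LOG = """\
2024-10-01T08:05:00 fw action=allow src=172.16.0.5 dst=10.1.1.20 dport=5432
2024-10-01T10:00:00 fw action=allow src=203.0.113.7 dst=10.1.1.20 dport=5432
2024-10-01T11:00:00 fw action=allow src=172.16.0.9 dst=10.1.1.20 dport=5432"""
DB_LOG = """\
2024-10-01T08:05:01 db event=login user=alice client=172.16.0.5
2024-10-01T10:00:01 db event=login user=svc_report client=203.0.113.7
2024-10-01T10:30:00 db event=login user=bob client=10.1.1.9
2024-10-01T11:00:01 db event=login user=alice client=172.16.0.9"""


def parse(log):
    """Turn each log line into a dict with a parsed timestamp and its fields."""
    events = []
    for line in log.splitlines():
        ts, source, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts), "source": source}
        ev.update(f.split("=", 1) for f in fields)
        events.append(ev)
    return events


def vpn_sessions(events):
    """Map each VPN-assigned address to its [start, end] session intervals."""
    sessions = {}
    for ev in events:
        ip = ev["assigned"]
        if ev["event"] == "session-start":
            sessions.setdefault(ip, []).append([ev["ts"], None])
        elif ev["event"] == "session-end" and sessions.get(ip):
            sessions[ip][-1][1] = ev["ts"]  # close the most recent open session
    return sessions


def covered_by_vpn(sessions, ip, ts):
    """True if a VPN session for this address was active at time ts."""
    return any(start <= ts and (end is None or ts <= end)
               for start, end in sessions.get(ip, []))


def correlate(vpn_log, fw_log, db_log, window=timedelta(seconds=5)):
    """Alert on DB logins whose client is neither internal nor a live VPN user."""
    sessions = vpn_sessions(parse(vpn_log))
    fw_db = [e for e in parse(fw_log)
             if e["action"] == "allow" and int(e["dport"]) in DB_PORTS]
    alerts = []
    for ev in parse(db_log):
        client = ipaddress.ip_address(ev["client"])
        if any(client in net for net in INTERNAL_NETS):
            continue  # internal connection: policy satisfied
        if client in VPN_POOL and covered_by_vpn(sessions, ev["client"], ev["ts"]):
            continue  # VPN user with an active session: policy satisfied
        reason = "vpn_pool_without_session" if client in VPN_POOL else "external_client"
        # Enrich with the matching firewall decision so the analyst sees the whole path.
        fw_seen = any(f["src"] == ev["client"] and abs(f["ts"] - ev["ts"]) <= window
                      for f in fw_db)
        alerts.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                       "client": ev["client"], "reason": reason, "fw_allowed": fw_seen})
    return alerts
```

Running `correlate(VPN_LOG, FW_LOG, DB_LOG)` on the sample data flags the external login by svc_report and alice's second login from a VPN address with no active session, while the two legitimate logins pass silently.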