PeerSpot user
Information Systems Manager at a healthcare company with 501-1,000 employees
Vendor
The query tool of the web UI is so cool.

What is most valuable?

The query tool of the web UI is so cool! (Lucene-based, filters based on taxonomy). The web interface gives you the ability to design, at query time, a simple report on the fly.

Support from the provider is great; good experience with the helpdesk.

How has it helped my organization?

Sentinel can help our customers meet PCI and other requirements based on the reporting and control of related components. Questions like "who has access to that asset" and "who had access at such and such a moment" can be solved quickly.

What needs improvement?

The Java desktop tool and the WMI integration (WECS server architecture).

The integration UI and module deployment could be improved.
In my opinion, the web interface can manage all the functionalities and configurations; no Java desktop app is necessary.

The Java app functions can be migrated to the web interface.
On the other hand, WMI integration can be improved by removing the WECS collector. Sentinel Node can include all the functions. If a scenario needs more power, just deploy another Sentinel node (all in one) that can help in multiple use cases, not just WECS.

RAM consumption... some JRE problems... but nothing that cannot be fixed by IT (for example, file descriptor limits for Java).

For how long have I used the solution?

As part of my work, I’m responsible for deployment, tuning, integrating, and using Sentinel for bank projects.
Reporting IDE environments and processes is hard to take responsibility for, but not impossible.
Some functions look great but, in practice, some key limitations turn the process into something opaque.

Buyer's Guide
Sentinel
November 2024
Learn what your peers think about Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
824,067 professionals have used our research since 2012.

What do I think about the stability of the solution?

Java needs a lot of RAM!! Some queries (if you're not careful) can consume lots of memory and destabilize the instance of the product (or OS platform, including RHEL).

What do I think about the scalability of the solution?

We have not had scalability issues. Storage retention policies and schema, online and offline, are very nice.
If Sentinel is integrated with Identity Manager and User Application Portal, the solution runs simply perfectly!

How are customer service and support?

In my experience, support really rocks it! I had an opportunity to meet great people, very human and engineers.

Which solution did I use previously and why did I switch?

Yes.. sure... Syslog!!
SIEM is not a simple logging tool. The big clients (banks, big industries, government, etc.) need a solution according to their size.

How was the initial setup?

Just follow the manuals after reading them. Linux knowledge helps, because Linux opens your hard mind. It is complex for mortals, familiar for "Linuxers".

What's my experience with pricing, setup cost, and licensing?

Sentinel is not for home use. Other versions are available from the same vendor, like Sentinel Rapid Deployment or the Reporting Module, that are offered for different needs. In other words, if price is a problem, go open source, not a world-class tool like Sentinel. NetIQ offers nice licence packages that can adjust better for some clients.

Which other solutions did I evaluate?

RSA Security Analytics was an option, but as part of the NetIQ/Novell Identity Manager deployment we prefer NetIQ SIEM tools (integration capabilities). It depends on client needs whether another solution, like RSA Analytics, is appropriate.

What other advice do I have?

Be careful with requirements; production resources are really needed. Be clear with objectives, and test it before use. Understanding SIEM concepts is basically the goal.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior IT Security Consultant at a tech consulting company with 51-200 employees
Consultant
Our initial setup was complex but mainly because of all the network variables we had.

What is most valuable?

  • Correlation Engine simpleness
  • Visual agent deployment
  • Stream-based solution performed by iscale bus (no latency due to the database layer)

How has it helped my organization?

  • Better security incident analysis
  • New scopes for security events and correlation
  • Better performance on device failure actions

What needs improvement?

  • Correlation Engine
  • Device support
  • Agent development flexibility

For how long have I used the solution?

I worked on version 5 and then 6 for a total of 6 years. My personal score is 4 stars based on my experience with the latest version I worked on (probably version 7 should be much better).

What was my experience with deployment of the solution?

On version 5, the builder was somewhat unstable during deployment; the workaround was a strict procedure with too many intermediate save steps.

What do I think about the stability of the solution?

The wizard agent module is very sensitive to network changes and needs a restart on every network change (versions 5 and 6).

What do I think about the scalability of the solution?

I have not seen any issues with scalability.

Which solution did I use previously and why did I switch?

I had another SIEM installation (nFX) working for another application domain.

How was the initial setup?

Complex, but mainly because of all the network variables we had. Imagine mapping firewall rules passively and then requesting the ability from an external group not really involved in the installation.

What about the implementation team?

Actually, we were the system integrator and we provided a large enterprise solution.

Which other solutions did I evaluate?

Novell SIEM was my second technology of this kind. Previously I experienced nFX and later even McAfee ESM and Splunk ES.

What other advice do I have?

Be aware that without any technical support from NetIQ it could be very hard to administer.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer2263155 - PeerSpot reviewer
Lead Security Engineer at a tech services company with 201-500 employees
Real User
A cloud-based solution with good automation and Kusto Query Language (KQL) execution time
Pros and Cons
  • "The solution's Kusto Query Language (KQL) execution time is pretty good."
  • "Creating a drag-and-drop dashboard or workbook in Sentinel is a little more complex compared to other tools like LogRhythm and IBM QRadar."

What is most valuable?

Sentinel's GUI design is similar to Microsoft Windows. If you are comfortable with using Windows, you will be comfortable using Sentinel because their icons are similar. Sentinel's integration is pretty easy.

Sentinel's management is very easy because Microsoft guides everything through icons, design, and documentation. The solution's model is pretty good. The solution's Kusto Query Language (KQL) execution time is pretty good.

One good thing I like about Sentinel is its automation. You can automatically respond to the incident via the logic app. You don't need to know about coding and complexity. Everyone who uses Sentinel in my circle has been praising the solution.

What needs improvement?

Creating a drag-and-drop dashboard or workbook in Sentinel is a little more complex compared to other tools like LogRhythm and IBM QRadar.

For how long have I used the solution?

I have been working with Sentinel for almost three years.

What do I think about the scalability of the solution?

Sentinel is a very, very scalable solution. People are now migrating towards Sentinel. Around seven to eight of our customers are using Sentinel.

Since Sentinel is under Microsoft's management, they are responsible for scaling the solution. Sentinel is very scalable. It will automatically scale up, and it will automatically scale down when there is no requirement.

How are customer service and support?

Sometimes, you come across people unfamiliar with the solution, but most of the time, Microsoft support is pretty good.

How was the initial setup?

Sentinel's initial setup is not very easy. You will have to perform some steps, but everything is guided properly. They will tell you what your next step is.

It is a little bit complex when it comes to custom integrations, and you need to understand a little bit of Azure architecture to meet those integrations. However, it is easier for basic integration with well-known devices like Windows and Linux.

What about the implementation team?

I haven't been in those situations where I had to deploy Sentinel, but I know from experience that deploying the solution will take one to two days.

You have to buy your subscription on Azure since it's a cloud-based solution. After getting your subscription, you will need to make sure that you are also subscribing to Sentinel Service, which is on Azure.

Then, you have to create the log analytics workspace, include that workspace under the subscription, and start integrating the log sources via data connectors. You will see those logs in Sentinel. It takes 15 to 20 minutes to get your Sentinel, and then you can use those data connectors to integrate the logs.

What's my experience with pricing, setup cost, and licensing?

Sentinel is a subscription-based solution. You will have to pay weekly or monthly costs based on your deal with your Azure cloud provider.

What other advice do I have?

Sentinel is a cloud-based solution.

I would recommend users to use Sentinel. If users are paying for the service, they should make sure to use each and everything they know about it. Users should not pay for things that they are not using. Sentinel has a lot of potential that people don't know about.

Overall, I rate Sentinel eight and a half out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
it_user674118 - PeerSpot reviewer
Security/Service Engineer at a comms service provider with 10,001+ employees
Real User
Valuable features are ​Anomaly dashboards, search/filters features.

What is our primary use case?

Primarily, I used NetIQ Sentinel when I worked as a Security Analyst, as a tool for collecting and filtering out logs in order to investigate whether there was something "interesting", i.e. samples of real attack or malware activities. Sentinel is a tool that, if it's well configured, removes from view all unnecessary information, like logs about the user opening a window in the system, and shows you only the needed entries. It removes data that can obscure your perspective and mislead an investigation.

Later, I used NetIQ Sentinel more "administratively", which means that I created/removed/changed event sources and also investigated why they hadn't sent anything to the log collector. I can tell that from an administration perspective the interface of Sentinel is also very simple to operate and navigate. When an interface is intuitive, as in the case of Sentinel, there's no need for special effort to do your job faster, more conveniently and with high performance.

What is most valuable?

Anomaly dashboards, search/filters features.

The Anomaly dashboard provides the possibility to find 0-day attacks. This feature is built on the search/filters. It's great and very useful, because I would first find out if a search/filter can give me the data that I need. If not, I have the possibility to change it, e.g. using regex or doing search/filter fine-tuning. And when I have the search/filter tested and know that it will catch the information that I want to see on the chart, then I implement the search/filter in a new Anomaly dashboard.

It is also a great idea that I can receive anomaly alerts via email. I don't need to watch charts all the time.

How has it helped my organization?

For example, from version 7.1 the company where I worked started using anomaly dashboards. It is very convenient, because the SOC could and can react to possible attacks which are not seen in alerts made by rules. As I said before, anomaly dashboards can help detect a type of attack called 0-day attacks. A 0-day attack is a threat that hasn't been categorized as an attack yet, and because of that there is no patch or solution, because it's unknown to systems like IDS/IPS.

What needs improvement?

I would prefer to extend the dashboards part and their functions in the Web GUI version, so the charts could be configurable.

Efficiency of Security Team

Yes, it has.

Events per Day

~240 million.

For how long have I used the solution?

One and a half years.

What do I think about the stability of the solution?

No.

What do I think about the scalability of the solution?

No.

How are customer service and technical support?

8/10.

Which solution did I use previously and why did I switch?

No.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
CEO at ITCORE
Reseller
Makes it easier to create queries
Pros and Cons
  • "The most valuable feature is the flexible log for identifying security threats inside an application. Sentinel is very good at this."
  • "The dashboard and customer view should be improved"

How has it helped my organization?

Sentinel has improved the user experience inside. It is easier to create queries. 

What is most valuable?

The most valuable feature is the flexible log for identifying security threats inside an application. Sentinel is very good at this. 

What needs improvement?

The dashboard and customer view should be improved.

In the next release, I would like there to be monitoring inside Sentinel.

For how long have I used the solution?

I have used NetIQ for 18 months.

What do I think about the stability of the solution?

Stability is very good.

What do I think about the scalability of the solution?

Scalability is very good.

How are customer service and technical support?

Their customer support is very good. 

How was the initial setup?

The initial setup was very easy. It took around one or two weeks.

What other advice do I have?

I would rate NetIQ a ten out of ten. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer: reseller
Syspecid67 - PeerSpot reviewer
System specialist IDM/SIEM at SV Informatik GmbH
Real User
Provides an important central locking system for audit data, but it needs a new interface
Pros and Cons
  • "The most valuable feature of this solution is that it provides a central locking system for many event sources."
  • "There is no integration in the web-side of the tool."

What is our primary use case?

We are using this solution for logging.

Our environment is an on-premises deployment.

How has it helped my organization?

We have a regular database to audit and this solution is able to lock the audit data.

What is most valuable?

The most valuable feature of this solution is that it provides a central locking system for many event sources.

What needs improvement?

The web interface needs to be improved, as it has a Java-based way to call its controls.

There is no integration in the web-side of the tool.

It is an important requirement to be able to develop collectors because the tool does not provide a portfolio of collectors for systems or devices.

For how long have I used the solution?

We have been using this solution for approximately fifteen years.

What do I think about the stability of the solution?

The stability of this tool is good, and we haven't had a big crash.

What do I think about the scalability of the solution?

It is not easy to scale the tool. In the live version, you have the usability tool that is the scaling version of Sentinel, but we do not use it. We have about one hundred people using this solution who feed events into Sentinel to look for anomalies in the database audits.

How are customer service and technical support?

Technical support for this solution is good.

Which solution did I use previously and why did I switch?

We did not use another solution prior to this one.

How was the initial setup?

This solution is easy to install. Our initial deployment took approximately three months.

There is a team of four people who maintain this solution.

What about the implementation team?

We used a consultant from NetIQ to assist with our deployment and it was a good experience.

Which other solutions did I evaluate?

We evaluated three other tools in addition to this one. They were Splunk, ArcSight, and Elasticsearch.

What other advice do I have?

We are planning on changing tools.

I would rate this solution a four out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user674067 - PeerSpot reviewer
Manager Platform Monitoring at a non-tech company with 10,001+ employees
Vendor
It provides real time security event analytics. Take a look at other vendors like LogRhythm.

What is most valuable?

Scalability is the best feature.

How has it helped my organization?

It provides real time security event analytics.

What needs improvement?

Take a look at other vendors like LogRhythm. They are light years ahead of where this product is.

For how long have I used the solution?

I have used this solution for seven years.

What do I think about the stability of the solution?

We did have issues with stability. Java is not stable.

What do I think about the scalability of the solution?

We did not have scalability issues.

How are customer service and technical support?

Support is good, but only for backend support. Both Level-1 and Level-2 support teams are terrible.

Which solution did I use previously and why did I switch?

We did not have a previous solution.

How was the initial setup?

The setup was complex.

What's my experience with pricing, setup cost, and licensing?

It's probably not a product that I would recommend to anyone.

Which other solutions did I evaluate?

We did not evaluate other options.

What other advice do I have?

The amount of time spent implementing this solution, tweaking it to suit our needs, and then maintaining it, ended up being the same as building one from scratch, using something like ELK.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user147231 - PeerSpot reviewer
Development Manager at a security firm with 51-200 employees
Vendor
The correlation engine allows our clients to generate rules more efficiently.

Valuable Features

Correlation rules: the correlation engine allows our clients to generate rules more efficiently. For example, the company has a policy which says that all connections to the databases can only be made via internal connections. So you can correlate the VPN logs, FW logs and DB logs to alert when this policy has been breached.

Improvements to My Organization

Detection of unauthorised access to systems.

Use of Solution

10 years

Deployment Issues

I haven't encountered any issues with deployment

Stability Issues

I haven't encountered any issues with stability

Scalability Issues

I haven't encountered any issues with scalability

Customer Service and Technical Support

Customer Service: Our clients have told us that they like their customer service. Technical Support: I provided technical support to LATAM.

Initial Setup

Initial setup was straightforward

Implementation Team

I was the implementer

Other Advice

Prepare a plan for short, medium and large implementations. Start with the simple ones, like FW, routers, etc., then move to more complex ones like in-house applications.
Disclosure: My company has a business relationship with this vendor other than being a customer: I used to work for a company that was a Novell partner
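The review above describes correlating VPN, firewall and database logs to alert when the "database connections only from internal sources" policy is breached. The following is an added example in Python, not code from the review or from any Sentinel product; it uses constructed sample log lines in a made-up key=value format and constructed addresses (an internal range, a VPN address pool, and a database port), and it expresses the policy as plain code rather than in Sentinel's rule language. It flags two cases: a database login from an address that is neither internal nor VPN-assigned, and a login from a VPN-pool address at a time when no VPN session for that address was active, attaching the matching firewall allow record as corroborating evidence.

```python
"""Correlate VPN session, firewall and database login logs to detect logins
that breach an "internal connections only" policy.

All log lines, networks and ports below are constructed for illustration.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed policy parameters (assumptions, not taken from any real deployment).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
VPN_POOL = ip_network("10.200.0.0/16")  # addresses the VPN concentrator hands out
DB_PORT = 5432
FW_WINDOW = timedelta(seconds=60)       # how far back to look for a firewall allow

# Constructed sample logs: "<ISO timestamp> key=value key=value ...".
VPN_LOG = """\
2024-11-05T08:00:00 event=session_start user=alice assigned=10.200.1.5
2024-11-05T08:30:00 event=session_end user=alice assigned=10.200.1.5
2024-11-05T09:00:00 event=session_start user=bob assigned=10.200.1.9
"""
FW_LOG = """\
2024-11-05T08:10:00 action=allow src=10.200.1.5 dst=10.1.0.20 dport=5432
2024-11-05T08:45:00 action=allow src=10.200.1.5 dst=10.1.0.20 dport=5432
2024-11-05T09:05:00 action=allow src=203.0.113.7 dst=10.1.0.20 dport=5432
2024-11-05T09:10:00 action=allow src=10.0.5.4 dst=10.1.0.20 dport=5432
"""
DB_LOG = """\
2024-11-05T08:10:01 event=login user=app_ro client=10.200.1.5
2024-11-05T08:45:01 event=login user=app_ro client=10.200.1.5
2024-11-05T09:05:01 event=login user=admin client=203.0.113.7
2024-11-05T09:10:01 event=login user=app_rw client=10.0.5.4
"""


def parse(text):
    """Turn key=value log lines into dicts with a parsed 'ts' datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = {"ts": datetime.fromisoformat(ts)}
        for pair in pairs:
            key, _, value = pair.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def vpn_sessions(vpn_records):
    """Pair session_start/session_end events per assigned address into
    (user, ip, start, end) tuples; a still-open session has end=None."""
    open_by_ip, sessions = {}, []
    for rec in sorted(vpn_records, key=lambda r: r["ts"]):
        ip = ip_address(rec["assigned"])
        if rec["event"] == "session_start":
            open_by_ip[ip] = (rec["user"], rec["ts"])
        elif rec["event"] == "session_end" and ip in open_by_ip:
            user, start = open_by_ip.pop(ip)
            sessions.append((user, ip, start, rec["ts"]))
    for ip, (user, start) in open_by_ip.items():
        sessions.append((user, ip, start, None))
    return sessions


def vpn_user_for(sessions, ip, ts):
    """Return the VPN user whose session covered ip at time ts, else None."""
    for user, s_ip, start, end in sessions:
        if s_ip == ip and start <= ts and (end is None or ts <= end):
            return user
    return None


def fw_evidence(fw_records, client, ts):
    """Find a firewall allow from client to the DB port shortly before ts."""
    for rec in fw_records:
        if (rec.get("action") == "allow" and ip_address(rec["src"]) == client
                and int(rec["dport"]) == DB_PORT
                and ts - FW_WINDOW <= rec["ts"] <= ts):
            return rec
    return None


def correlate(vpn_text, fw_text, db_text):
    """Return one alert dict per DB login that breaches the internal-only policy."""
    sessions = vpn_sessions(parse(vpn_text))
    fw_records = parse(fw_text)
    alerts = []
    for rec in parse(db_text):
        if rec.get("event") != "login":
            continue
        client, ts = ip_address(rec["client"]), rec["ts"]
        if client in VPN_POOL:  # checked first: the pool sits inside 10.0.0.0/8
            if vpn_user_for(sessions, client, ts) is not None:
                continue
            reason = "vpn address with no active session"
        elif any(client in net for net in INTERNAL_NETS):
            continue
        else:
            reason = "external source"
        alerts.append({"ts": ts.isoformat(), "db_user": rec["user"],
                       "client": str(client), "reason": reason,
                       "fw_allowed": fw_evidence(fw_records, client, ts) is not None})
    return alerts


if __name__ == "__main__":
    for alert in correlate(VPN_LOG, FW_LOG, DB_LOG):
        print(alert)
```

Running the block on the constructed logs yields two alerts: the 08:45 login from 10.200.1.5 (alice's VPN session ended at 08:30, so the address has no active session) and the 09:05 login from 203.0.113.7 (an external source); both carry a corroborating firewall allow. The session-window check is the part a plain "is the source internal?" rule misses, which is why the VPN log is worth correlating rather than just the firewall log.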