Buyer's Guide
Intrusion Detection and Prevention Software (IDPS)
June 2022
Get our free report covering Darktrace, Cisco, Elastic, and other competitors of Splunk User Behavior Analytics. Updated: June 2022.
610,190 professionals have used our research since 2012.

Read reviews of Splunk User Behavior Analytics alternatives and competitors

Cyber Security Specialist at a tech vendor with 10,001+ employees
Real User
Good dashboard and helpful third-party plugins but technical support could be better
Pros and Cons
  • "There are other third-party plugins that we can use."
  • "The AQL queries could be better."

What is most valuable?

There is a Pulse dashboard that they have. From a reporting perspective, we'll be creating dashboards based on the pulse functionalities. 

There are other third-party plugins that we can use as well. We can initiate in the QRadar platform, however, Pulse is one of the most user-friendly options. 

Along with that, there are out-of-the-box rules and out-of-the-box dashboards that we have available to us. Mostly what we are concentrating on is creating the rules and fine-tuning the rules to align properly with the customer infrastructure depending upon the customer's requirements. Pulse, UEBA, and NBAD are the features that are the best. They are the most useful from a SOC manager perspective.

What needs improvement?

The AQL queries could be better. With the queries, there's an option for you to create dashboards based on the queries that they have. The documentation that is available for AQL queries is not well received. They could maybe look at how Microsoft is leveraging AQLs from a Sentinel perspective and create more documentation and training materials and make those more available to the general public.

They have to facilitate more learning opportunities. Microsoft has something called Playground where you have some sample logs and where you can learn how to work on all this stuff, however, there is nothing like that for IBM. They really could make it more generalized and accessible to the general analyst population.

Technical support should be improved.

For how long have I used the solution?

In terms of QRadar, I've used it for close to two years. I worked for a customer that is a managed security service provider. What we do is we will provide SOC as a service and QRadar. IBM is one of the partners that we have. Depending upon the customer considerations and customer preferences, we will either engage QRadar or Sentinel according to the customer preferences. We also use Splunk and LogRhythm on an as-needed basis.

What do I think about the stability of the solution?

What they have claimed is 99.5% uptime. However, I'm not very sure whether there's an implementation problem or not. Sometimes the system gets hung and then we have to restart everything from scratch. You have got these multi printing options, though not functionally. Sometimes it gets some jitters there. Sometimes there are cases where we are finding it very difficult to get into the system as there can be three or four people logging into the same platform at the same time and sometimes that reduces the speed a lot.

What do I think about the scalability of the solution?

From an architect implementation perspective, the role that I have played is very limited. I'm not very sure about scaling. I'm not in a position to comment on that part. That said, once everything is implemented, I've noted that it's not as scalable as Sentinel or Splunk on the cloud, for sure. That is the same for LogRhythm and QRadar. Obviously, cloud-hosted applications will be more scalable and more resilient.

How are customer service and support?

Technical support is something that has always been an issue for us. We have to raise a ticket and the products team will be available, however, depending upon the criticality, sometimes the support is not very easily accessible on weekends and on Friday evenings.

Which solution did I use previously and why did I switch?

I've also worked with Sentinel, Splunk, QRadar, and LogRhythm. 

How was the initial setup?

Compared to Sentinel, the initial setup is a bit complex. Depending upon whether you're going ahead with the cloud version or on-prem version, there is human involvement, however, normally everything is done by the platform engineer. I don't have to get my head into that part. Once everything is up and running, that is when we have to start working from our side. I'm sure it is more complex than a plug-and-play Sentinel, where connectors are easily available and just have to click, click and get things done.

The administration and maintenance would be two or three people depending upon the availability. I'm not very sure about troubleshooting. I'm coming at the solution from a user perspective. I'm more concerned with the rule fine-tuning and rule-building part. That kind of troubleshooting will be done with the platform team, which specializes in that. 

What's my experience with pricing, setup cost, and licensing?

Licensing is mostly dependent on the EPS, events per second. Depending upon the number of products that are integrated with the platform, we have to come to an optimal EPS value. I'm not very sure about the financials, however, the licensing cost cannot be as much as that for Sentinel, which is not very low. For customers who need medium EPS values, we advise QRadar.

The basic out-of-the-box cost covers the EPS value that you have specified, and then maybe some archiving. It should include at least six months of archiving and other functionalities. Most of the customers will go for the standard package and we don't have to go for extra archival or enhanced EPS. 10% to 15% of EPS can always be increased. It will not completely shut down the system, however, it'll start sending us notifications that the EPS is getting increased and then we can go for a higher licensing.

What other advice do I have?

The version we use depends on when the customer is onboarded. Whenever recent onboarding takes place, we use the most up-to-date versions. However, there are customers that we have been facilitating for the past two or two and a half years and they might be using the previous versions. There are proper version upgrades that happen on a quarterly basis. 

I'd rate the solution seven out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Head of Cyber security analysis at DNV Poland Sp. z o.o.
Real User
Top 20
It has good support and works with Linux platforms
Pros and Cons
  • "It's hard for me to pinpoint any one feature that's most valuable because it is all about consuming logs and analyzing them. We started using QRadar UBA because we needed something that could analyze Linux authentication information. Other products take care of the Windows platform."
  • "I don't give it a 10 because it is something we have to request. I would love it if UBA was included out of the box like Microsoft."

What is our primary use case?

We analyze all our authentication traffic in QRadar UBA using the solution's AI module to detect and understand uncommon authentication patterns. There is also the rule logic, but we don't use that much. Instead, we mostly rely on AI to do that. In that respect, I wouldn't say we are using the product to the fullest extent because we only have the AI and what the CM is providing. We have a suite of security products, and QRadar UBA is only one source of information that we rely on.

QRadar UBA collects information on 16,000 employees in the company, including when they log in and out or when they launch applications. We have a team of 10 security analysts who go into the solution to check the alarms. IBM has set the solution up so that we only need to react to the alarms. The UBA will flag it if someone does something weird, and our security team will investigate the anomaly to see if that was valid or malicious. 

We are currently on QRoC — short for QRadar for Cloud — so it's the latest and greatest solution. It was originally on a private cloud, but we moved to the public cloud three years ago.

What is most valuable?

It's hard for me to pinpoint any one feature that's most valuable because it is all about consuming logs and analyzing them. We started using QRadar UBA because we needed something that could analyze Linux authentication information. Other products take care of the Windows platform.

What needs improvement?

Better algorithms or AI would always be appreciated, but this product does what it's supposed to do. And maybe there is something behind the scenes that could be improved, but I don't know. 

UBA is a plugin for QRadar SIEM. If we're talking about the SIEM solution as a whole, there is a lot I can talk about, but there isn't much to say about UBA as a standalone. I'm not in a position to criticize or comment on the underlying code.

For how long have I used the solution?

I have been using QRadar UBA for six years.

What do I think about the scalability of the solution?

I haven't had any problems. We have never needed to add more memory or CPU. 

How are customer service and support?

IBM technical support is excellent. 10 out of 10. IBM is highly professional when it comes to security support. IBM's support for other types of solutions isn't quite as good, but the security domain is a different world. I've worked with IBM in other areas, and it's different. Security support is on a tier by itself inside IBM. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We are also using a Microsoft solution called Azure Advanced Threat Protection. It provides similar UBA features but only for a Microsoft environment. Most UBA products do exactly the same thing. I haven't tried many other solutions besides QRadar, Microsoft, and Splunk.

Splunk is brilliant. It does the same thing, but it's slightly more expensive, so we selected IBM. Microsoft's solution is a little cheaper, but it lacks Linux support currently. There are minor differences, but we went with IBM in this case because it has the best support.

How was the initial setup?

IBM did the setup. I called them to ask for UBA, and it was available the next day. They handled all the deployment and maintenance. 

What about the implementation team?



What was our ROI?

I have not calculated ROI for this product. QRadar UBA is a tiny part of the entire security portfolio. In the context of the SIEM as a whole, the cost is so low that it's hard to defend not doing it.

What's my experience with pricing, setup cost, and licensing?

I have no idea what QRadar UBA costs as a standalone solution because it is bundled with the QRoC security operation center and several other modules that we pay for in a big lump sum. However, I don't think that part is too expensive. It's a plugin to the QRadar SIEM that feeds off the same data. We have X-Force Threat Exchange, so IBM is operating the SIEM for us. I say to them, "I want UBA," and there it is.

What other advice do I have?

I rate QRadar UBA eight out of 10. It's a small product doing exactly what it's supposed to do as an integrated part of our SIEM. It looks good and works well. I don't give it a 10 because it is something we have to request. I would love it if UBA was included out of the box like Microsoft.

Regardless of which solution you use, I recommend user behavior analytics. It provides valuable information to the security team. It doesn't matter whether you use Splunk or Microsoft; you should use a UBA solution.

We will probably stick with QRadar for the foreseeable future. It depends on the developments in the SIEM market. We will probably continue with IBM because changing SIEM is not something you do lightly. As long as we keep the IBM SIEM, we will continue to use QRadar UBA.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Lead Security Engineer at a tech services company with 1-10 employees
Reseller
Top 5
Useful for behavioral analysis of users and behavioral analysis of network traffic
Pros and Cons
  • "One of the most valuable features is UEBA. It's pretty helpful for us to make sure of our thresholds for any of our clients."
  • "The area that needs improvement is reporting."

What is our primary use case?

We are using the solution for behavioral analysis of the users and behavioral analysis of network traffic. For example, if we know that there is an IP address that keeps reaching out, we confirm it with the client, put that in behavioral analysis and say, "Okay. This is a regular behavior." It's not going to trigger us if they reach out to a certain threshold. If that IP reaches out to over that threshold, then we are going to tell the client, "Something seems to be wrong over here. This machine does not go to that IP address a lot, but this is going on a lot today."

From a behavioral analysis perspective, the use cases are data exportation by contractors, by determination, account accessing, removal of media.

The version we are using is SNYPR.

What is most valuable?

One of the most valuable features is UEBA. It's pretty helpful for us to make sure of our thresholds for any of our clients. Another great feature is how Investigation Workbench works with all of the user analysis.

They are continuously improving things. They keep putting new policies and new rules as well as updating the old ones.

What needs improvement?

The area that needs improvement is reporting. They don't focus on that area enough, but everything else is good.

For how long have I used the solution?

We have been using this solution for a year and a half.

What do I think about the stability of the solution?

It's stable but every product has ups and downs. Sometimes it gets extraordinarily overloaded because sometimes I push billions of events in an hour. It takes a little bit of time to run the analysis, but it is pretty stable in the back end.

What do I think about the scalability of the solution?

The solution is scalable.

How are customer service and support?

I deal with their tech support on an almost daily basis. I would give it a 6 out of 10.

Which solution did I use previously and why did I switch?

I have also used Loglogic and LogRhythm, which is not a good tool. I prefer Splunk. Securonix is my second choice. Third would be QRadar, and my fourth choice would be AlienVault.

We are not currently using Splunk, but we are considering them to be our secondary SIEM.

How was the initial setup?

Setup is pretty straightforward. If you are going to set up everything on the back end, on cloud port and everything, then they're going to send you a forwarder package. You just install that on the VM and get going from there.

It's pretty easy to maintain if you go through the documents.

What's my experience with pricing, setup cost, and licensing?

Their pricing is pretty comfortable. They will work with you on the cost.

What other advice do I have?

I would give this solution an 8 out of 10.

Make sure that you get the training properly and get a hold of the correct people so that things are done properly. Don't try to find a way in the middle.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
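The behavioral-analysis workflow the reviewer above describes (baseline how often a machine reaches a destination, let the client confirm the regular pairs, and alert only when a pair runs well above its usual rate) can be sketched in a few dozen lines. The following is an added illustration written for this page, not Securonix or SNYPR code; the log format, the hosts and addresses, the `FACTOR` and `MIN_ALERT_COUNT` settings, and the `ALLOWLIST` are all constructed assumptions.

```python
"""Per-host outbound-connection baseline with an analyst-confirmed allowlist.

Added illustration (not Securonix/SNYPR code): count connections per
(host, destination) pair on each baseline day, then flag a pair whose count
on the day under review exceeds a multiple of its baseline daily mean.
"""
from collections import defaultdict
from dataclasses import dataclass
import re
import statistics

# Hypothetical one-record-per-line format: "<YYYY-MM-DD> host=<name> dst=<ip>".
LINE_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2}) host=(?P<host>\S+) dst=(?P<dst>\S+)$")

FACTOR = 3.0          # today must exceed 3x the baseline daily mean ...
MIN_ALERT_COUNT = 5   # ... and at least this many connections, to suppress low-volume noise


def _burst(day, host, dst, n):
    """Constructed sample data: n identical connection records for one day."""
    return [f"{day} host={host} dst={dst}" for _ in range(n)]


# Constructed sample log: three baseline days, then the day under review.
SAMPLE_LOG = (
    _burst("2022-06-01", "ws-12", "203.0.113.5", 2) + _burst("2022-06-01", "ws-12", "198.51.100.7", 1)
    + _burst("2022-06-02", "ws-12", "203.0.113.5", 2) + _burst("2022-06-02", "ws-12", "198.51.100.7", 1)
    + _burst("2022-06-03", "ws-12", "203.0.113.5", 2) + _burst("2022-06-03", "ws-12", "198.51.100.7", 1)
    + _burst("2022-06-04", "ws-12", "203.0.113.5", 10)   # 5x its usual rate -> alert
    + _burst("2022-06-04", "ws-12", "198.51.100.7", 12)  # busy, but confirmed regular -> suppressed
    + _burst("2022-06-04", "ws-12", "192.0.2.9", 1)      # new destination, low volume -> no alert
)

# Pairs the client confirmed as regular behavior ("Okay, this is a regular behavior").
ALLOWLIST = {("ws-12", "198.51.100.7")}


@dataclass
class Alert:
    host: str
    dst: str
    today: int
    baseline_mean: float
    threshold: float


def parse(lines):
    """Return {(day, host, dst): count}; lines that do not match the format are skipped."""
    counts = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            counts[(m["day"], m["host"], m["dst"])] += 1
    return counts


def daily_counts_by_pair(counts):
    """Regroup {(day, host, dst): count} into {(host, dst): {day: count}}."""
    by_pair = defaultdict(dict)
    for (day, host, dst), n in counts.items():
        by_pair[(host, dst)][day] = n
    return by_pair


def find_anomalies(lines, review_day, allowlist=frozenset()):
    """Alerts for pairs whose count on review_day exceeds max(MIN_ALERT_COUNT, FACTOR * mean)."""
    counts = parse(lines)
    by_pair = daily_counts_by_pair(counts)
    baseline_days = sorted({d for (d, _, _) in counts if d < review_day})
    alerts = []
    for (host, dst), per_day in by_pair.items():
        today = per_day.get(review_day, 0)
        if today == 0 or (host, dst) in allowlist:
            continue
        # A pair absent on a baseline day contributes 0, so rarely-seen destinations get a low mean
        # and the MIN_ALERT_COUNT floor decides whether a first sighting is worth an analyst's time.
        history = [per_day.get(d, 0) for d in baseline_days]
        mean = statistics.fmean(history) if history else 0.0
        threshold = max(MIN_ALERT_COUNT, FACTOR * mean)
        if today > threshold:
            alerts.append(Alert(host, dst, today, mean, threshold))
    return alerts


if __name__ == "__main__":
    for a in find_anomalies(SAMPLE_LOG, "2022-06-04", ALLOWLIST):
        print(f"{a.host} -> {a.dst}: {a.today} today, baseline mean {a.baseline_mean:.1f}, threshold {a.threshold:.1f}")
```

Run as a script, it reports only `ws-12 -> 203.0.113.5`: the confirmed pair is suppressed by the allowlist even though it is the busiest one that day, and the single connection to a never-seen destination stays below the `MIN_ALERT_COUNT` floor. Dropping the allowlist argument makes the confirmed pair alert as well, which is the noise the reviewer's "confirm it with the client" step exists to remove.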
Senior Network Engineer at a comms service provider with 10,001+ employees
MSP
Top 10
Very stable with good technical support, but can be quite expensive
Pros and Cons
  • "The technical support on offer is very good."
  • "The solution is pretty expensive."

What is our primary use case?

We primarily use the solution for email scanning.

What is most valuable?

The solution is very good at tracking attacks.

The solution automatically upgrades itself well in order to be effective against future attacks.

We can manually bypass IP addresses and DNS entries if we need to.

The technical support on offer is very good.

What needs improvement?

Right now, we are stuck with an older platform, 1400 N. It's more like a software base, so bypassing is done through software. If you go with the newer system, for example, the 4-40s, that's a hardware-based bypass, so those are more powerful. It has more throughput.

The initial setup is not straightforward.

The solution is pretty expensive.

For how long have I used the solution?

We've been using this solution for many, many years so far. It's been a while at this point.

What do I think about the stability of the solution?

The stability is excellent. It's 99.9% stable. There aren't issues with bugs or glitches. It doesn't crash or freeze. It's reliable.

What do I think about the scalability of the solution?

The solution is scalable, however, you need to swap the box. It's not the kind of scalability that you can do it via software. You need to swap the box and get a better model to expand it out. That said, it can scale. A company that needs to scale can do so. It just takes a hardware upgrade.

How are customer service and technical support?

We've dealt with technical support in the past. We've found them to be very good. They are responsive and knowledgeable. They are helpful. We're satisfied with the level of support we receive.

Which solution did I use previously and why did I switch?

We also use Splunk. We use both together. Splunk will warn us if something is happening, and then we can use TippingPoint to block access as necessary. We tend to use Splunk everywhere.

How was the initial setup?

The initial setup is not so easy. It's not that it's complex, per se. It's just not super-simple. You need some technical folks to manage it. It's not like anybody can do it. You have to have some knowledge. Otherwise, you'll run into a lot of issues.

What's my experience with pricing, setup cost, and licensing?

This is not the cheapest option. The solution is quite expensive.

Which other solutions did I evaluate?

We're currently looking at Cisco and considering deploying their solution in the new year.

What other advice do I have?

I'd recommend the solution, however, it depends on what a company needs. Before jumping in, a company needs to ask themselves questions like, "What's our requirement?" That said, for general enterprises, it's a good enough option.

For our organization, however, as of next year, we're going to move away from it and deploy with a Cisco-based solution.

Overall, I would rate the solution at a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Guido Pellillo - PeerSpot reviewer
Head of Cybersecurity Business Unit at S2E
Real User
Top 20
Provides a visual representation of attack history, with a nice GUI, but the analysis could be simplified
Pros and Cons
  • "I find it very good in the way that they show the past events, including the attack history."
  • "It would be helpful if they could recognize incidents and simplify the customer's challenge to identify what is happening."

What is our primary use case?

We are a system integrator and we propose solutions, including this one, to our clients.

It is mainly used to reinforce response capabilities with respect to network security.

What is most valuable?

I find it very good in the way that they show the past events, including the attack history. You are able to visualize all of the attack paths and connectivity to see what's happened.

The GUI interface is very good.

They are using the best machine learning and AI at the moment.

What needs improvement?

They need to simplify the analysis from a user perspective. In a few cases, you have to be a specialist in order to understand what's happening. It would be helpful if they could recognize incidents and simplify the customer's challenge to identify what is happening.

For how long have I used the solution?

I have been working with Darktrace for two years.

What do I think about the stability of the solution?

Stability-wise, we have not had any issues and it has been quite good.

What do I think about the scalability of the solution?

We haven't had any trouble with scalability.

How are customer service and technical support?

We have had contact with technical support and help was quite straightforward. Our feedback for them is good.

Which solution did I use previously and why did I switch?

We work with a variety of products in the security space including Darktrace, Splunk, Elastic, and others.

How was the initial setup?

The initial setup is really simple. This product is normally deployed as an on-premises appliance and it normally takes less than one day. It depends on how complex the network is, but it's usually quite simple.

What's my experience with pricing, setup cost, and licensing?

Our customers feel that the price of Darktrace is quite high compared to other solutions. However, I feel that they are one of the top solutions in this space and they want to be paid for that.

What other advice do I have?

They are currently working on improving their interface by including AI to help simplify things, but it does not work on real-time data. Rather, it works on historical events.

This is definitely a product that I can recommend, although I would probably be using it together with a SOC service or somebody else who can manage it properly.

I would rate this solution a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner