Our Preferred Enterprise Security
August 28, 2020

Allan Crittenden Edwards | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Overall Satisfaction with Splunk Enterprise Security

Splunk is the official SIEM for our organization at EMU. It sits on top of the Splunk log aggregation platform to provide a unified information model and security analysis of the logs ingested by Splunk. It makes it feasible to ask the same security questions of widely disparate data sources without having to do a lot of work for each source oneself. It provides incident tracking, response, and threat analytics.
Pros
  • Threat Intelligence
  • Security Alerting
  • Adaptive Risk Tracking for Users and Systems

Cons
  • The application seems inefficient/resource intensive
  • The default searches and alerts are unlikely to provide much value

Return on Investment
  • Splunk's threat intelligence is helping keep us free from APTs.
  • Splunk's alerting platform helps us to monitor and stay on top of potential issues.
  • Splunk helps us meet compliance objectives (having a SIEM).

We used QRadar a while ago. Perhaps it was just poorly configured but it provided almost no value. It seemed harder to tune for our environment if it was even possible. Also, they didn't value us as a customer. They tried to make us re-purchase the product when they acquired it, even though we already had it in place.
It's good when it's responsive, but I've had times where I had to wait quite a while for a response. But these are typically the exceptions rather than the rule. When you do get a response it is always well-informed and appropriate. I would say they've been trending better over time with this.

Do you think Splunk Enterprise Security (ES) delivers good value for the price?

Yes

Are you happy with Splunk Enterprise Security (ES)'s feature set?

Yes

Did Splunk Enterprise Security (ES) live up to sales and marketing promises?

Yes

Did implementation of Splunk Enterprise Security (ES) go as expected?

Yes

Would you buy Splunk Enterprise Security (ES) again?

Yes

If you have Splunk already, definitely consider ES. The ability to do security alerting around the common information model is very useful. In particular, pulling in threat lists automatically and checking for those indicators across all your data sources is awesome. The ability to have alerts that don't display to the analyst but just update the risk on a user or system is great too. It does provide a view of potential incidents and a platform for investigations but I don't feel like these functions are smooth enough to provide much value.
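The two mechanics the reviewer singles out, matching threat-list indicators across sources that have been normalized to common field names and "silent" alerts that only add risk to a user or system until a threshold is crossed, can be modelled in a few lines. The following is an added illustration, not Splunk ES code; the field names, risk rules, point values, sample events and indicators are all constructed for the example.

```python
from collections import defaultdict

# Constructed threat-list indicators (not real IoCs).
THREAT_LIST = {"198.51.100.23", "bad.example.net"}

# Constructed events from different sources, already mapped to the same
# field names (src, dest, user) the way a common data model normalizes them.
EVENTS = [
    {"source": "firewall", "src": "10.0.0.5", "dest": "198.51.100.23", "user": ""},
    {"source": "proxy", "src": "10.0.0.5", "dest": "bad.example.net", "user": "alice"},
    {"source": "auth", "src": "10.0.0.9", "dest": "dc01", "user": "bob", "action": "failure"},
    {"source": "auth", "src": "10.0.0.9", "dest": "dc01", "user": "bob", "action": "failure"},
    {"source": "auth", "src": "10.0.0.9", "dest": "dc01", "user": "bob", "action": "failure"},
]

# Risk rules: each returns (risk_object, points) or None. They never raise an
# analyst-facing alert on their own; they only add risk to a user or system.
def threat_match(evt):
    """Same question asked of every source: did this talk to a known indicator?"""
    if evt["dest"] in THREAT_LIST:
        return evt["src"], 40
    return None

def auth_failure(evt):
    if evt["source"] == "auth" and evt.get("action") == "failure":
        return evt["user"], 10
    return None

RULES = [threat_match, auth_failure]

def score_risk(events, rules=RULES):
    """Accumulate risk per user/system across all sources."""
    risk = defaultdict(int)
    for evt in events:
        for rule in rules:
            hit = rule(evt)
            if hit:
                obj, points = hit
                risk[obj] += points
    return dict(risk)

def notable_objects(risk, threshold=50):
    """Only objects whose aggregated risk crosses the threshold surface to an analyst."""
    return sorted(obj for obj, points in risk.items() if points >= threshold)

if __name__ == "__main__":
    scores = score_risk(EVENTS)
    print(scores, notable_objects(scores))  # 10.0.0.5 reaches 80 and surfaces; bob stays at 30
```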

Splunk Enterprise Security (ES) Feature Ratings

Centralized event and log data collection: 10
Correlation: 10
Event and log normalization/management: 10
Deployment flexibility: 10
Integration with Identity and Access Management Tools: 8
Custom dashboards and workspaces: 8
Host and network-based intrusion detection: 10