Overall Satisfaction with Splunk Enterprise Security
Splunk is the official SIEM for our organization at EMU. It sits on top of the Splunk log aggregation platform to provide a unified information model and security analysis of the logs ingested by Splunk. It makes it feasible to ask the same security questions of widely disparate data sources without having to do a lot of work for each source oneself. It provides incident tracking, response, and threat analytics.
- Threat Intelligence
- Security Alerting
- Adaptive Risk Tracking for Users and Systems
- The application seems inefficient/resource intensive
- The default searches and alerts are unlikely to provide much value
- Splunk's threat intelligence is helping keep us free from APTs.
- Splunk's alerting platform helps us to monitor and stay on top of potential issues.
- Splunk helps us meet compliance objectives (having a SIEM).
We used QRadar a while ago. Perhaps it was just poorly configured but it provided almost no value. It seemed harder to tune for our environment if it was even possible. Also, they didn't value us as a customer. They tried to make us re-purchase the product when they acquired it, even though we already had it in place.
It's good when it's responsive, but I've had times where I had to wait quite a while for a response. But these are typically the exceptions rather than the rule. When you do get a response it is always well-informed and appropriate. I would say they've been trending better over time with this.
If you have Splunk already, definitely consider ES. The ability to do security alerting around the common information model is very useful. In particular, pulling in threat lists automatically and checking for those indicators across all your data sources is awesome. The ability to have alerts that don't display to the analyst but just update the risk on a user or system is great too. It does provide a view of potential incidents and a platform for investigations but I don't feel like these functions are smooth enough to provide much value.
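As an added illustration of the three ideas the review keeps coming back to (one shared field set across disparate sources, threat-list matching over all of them, and alerts that only raise an entity's risk score until a threshold is crossed), the Python below is not the reviewer's code or anything shipped by Splunk. The field names `src`, `dest`, `user` and `action` are assumed, loosely modeled on common information model conventions, and the firewall lines, proxy records and threat list are all constructed for this example.

```python
"""
Added illustration (not Splunk code or SPL): normalize two unrelated log
formats into one field set, ask the same threat-list question of both, and
let several quiet rules accumulate risk per user or system so that only an
entity whose score crosses a threshold becomes a notable for an analyst.
Field names and sample data are constructed for this example.
"""
import json
import re
from collections import defaultdict

# Constructed sample events; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24
# are documentation address ranges, not real hosts.
FIREWALL_LOGS = [
    'ts=2024-05-01T10:00:01Z action=allow src_ip=10.0.0.12 dst_ip=203.0.113.5 user=jdoe',
    'ts=2024-05-01T10:00:07Z action=deny src_ip=10.0.0.12 dst_ip=198.51.100.9 user=jdoe',
    'ts=2024-05-01T10:01:00Z action=allow src_ip=10.0.0.40 dst_ip=192.0.2.20 user=asmith',
]
PROXY_LOGS = [
    '{"time": "2024-05-01T10:00:03Z", "client": "10.0.0.12", "host": "evil.example", "verdict": "blocked", "account": "jdoe"}',
    '{"time": "2024-05-01T10:00:09Z", "client": "10.0.0.40", "host": "updates.example", "verdict": "allowed", "account": "asmith"}',
]
# Constructed threat list standing in for the feeds ES pulls in automatically.
THREAT_INDICATORS = {"203.0.113.5", "evil.example"}

_KV = re.compile(r"(\w+)=(\S+)")


def normalize_firewall(line):
    """Map a key=value firewall line onto the shared (assumed) field names."""
    kv = dict(_KV.findall(line))
    return {"source": "firewall", "time": kv["ts"], "src": kv["src_ip"],
            "dest": kv["dst_ip"], "user": kv["user"],
            "action": "blocked" if kv["action"] == "deny" else "allowed"}


def normalize_proxy(line):
    """Map a JSON proxy record onto the same shared field names."""
    rec = json.loads(line)
    return {"source": "proxy", "time": rec["time"], "src": rec["client"],
            "dest": rec["host"], "user": rec["account"], "action": rec["verdict"]}


def normalized_events():
    """All sources, one schema, ordered by time."""
    events = [normalize_firewall(l) for l in FIREWALL_LOGS]
    events += [normalize_proxy(l) for l in PROXY_LOGS]
    return sorted(events, key=lambda e: e["time"])


def threat_matches(events, indicators=THREAT_INDICATORS):
    """The same question asked of every source: did any event reach a known-bad indicator?"""
    return [e for e in events if e["dest"] in indicators]


# Risk rules: (name, predicate, risk-object field, score). None alerts on its own;
# each only adds to the score of the user or system it names.
RISK_RULES = [
    ("threat_indicator_contact_user", lambda e: e["dest"] in THREAT_INDICATORS, "user", 60),
    ("threat_indicator_contact_system", lambda e: e["dest"] in THREAT_INDICATORS, "src", 60),
    ("blocked_outbound", lambda e: e["action"] == "blocked", "user", 20),
]


def risk_scores(events, rules=RISK_RULES):
    """Accumulate risk per (object type, object) and remember which rules contributed."""
    scores = defaultdict(int)
    contributions = defaultdict(list)
    for e in events:
        for name, pred, obj_field, score in rules:
            if pred(e):
                key = (obj_field, e[obj_field])
                scores[key] += score
                contributions[key].append(name)
    return dict(scores), dict(contributions)


def risk_notables(scores, threshold=100):
    """Only entities whose accumulated risk crosses the threshold reach an analyst."""
    return sorted(k for k, v in scores.items() if v >= threshold)


if __name__ == "__main__":
    events = normalized_events()
    for m in threat_matches(events):
        print("threat match:", m["source"], m["src"], "->", m["dest"], m["user"])
    scores, why = risk_scores(events)
    for key in risk_notables(scores):
        print("notable:", key, scores[key], why[key])
```

Running it, the firewall and proxy each contribute one threat-list hit for the same workstation and user, and the two hits plus two blocked connections push `jdoe` to 160 and `10.0.0.12` to 120, so both become notables while `asmith` and `10.0.0.40` never surface. The point of the threshold design is that any one of these rules on its own would be too noisy to page on, which is exactly the "alerts that don't display to the analyst but just update the risk" behaviour the review praises.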