ES from a consultant's perspective
February 08, 2022

Michael Simko | TrustRadius Reviewer
Score 10 out of 10
Vetted Review

Overall Satisfaction with Splunk Enterprise Security (ES)

As a consultant and instructor, I've used ES for a wide variety of purposes, from standard security to compliance, and lately Risk-Based assessment. ES is configurable for many use cases, and since it is built on Splunk, it can be extended to include any type of use that we can do in a search or dashboard.
  • Piece together the actual trail of an incident event by using all of the logs from each system.
  • Correlate indicators of compromise that otherwise may be left. Instead of failing 3 times to log on, smarter systems will fail once, leave, and then return an hour later, or go to a different machine. All of that behavior stands out when you are searching across the enterprise.
  • ES lets you pivot outside of the pre-canned items to perform searches of the data. That way, when you think you've found something you can chase down the assumptions.
  • Searching at scale. There is something to be said for systems that can handle enterprises without having to perform shortcuts.
  • Extensibility. Any time we come up with new use cases we can make correlation searches (think rules) or dashboards that let us keep the work so we won't have to repeat it in the future.
  • It is coming along, but alert fatigue is a real issue in SIEMs. Better logic on RBA and even some ML to bring the most likely issues to the forefront would be great.
  • Machine Learning algorithms out of the box. Several correlation searches use ML algorithms for grouping. I'm hoping we see the ML integrate more with better algorithms without requiring the users to be solid with ML.
  • AI, or AIOPS if you prefer, to help perform initial triage based upon past choices would be great. Have we always closed similar findings, then why keep bringing them?
  • Peace of mind knowing what is happening in the enterprise and what the level of threat is.
  • Faster finding of resolution over other SIEMs due to SPL's power.
  • Completeness. Having all the data means being less likely to have holes. Only collecting some data would lead to gaps in visibility.
Splunk Enterprise Security and Splunk Enterprise / Splunk Cloud provide a flexible platform for my customers' security needs. ES brings a lot of prebuilt content that can then be customized without having to reinvent the wheel. Often I hear people (who don't use ES yet) say they could just make all that content themselves, so why purchase? Because you don't have 2 years to make it all. Whereas in a couple of weeks with ES we can have a robust system that meets our customers' use cases.
Splunk can search huge datasets. I'd give a perfect 10 if we had enough trained source types, but will go 9 as I've seen environments that were set up, but the getting data incorrectly part wasn't complete. That's not Splunk's fault, but perhaps we could have more ways to help to get that taken care of so the customer doesn't need to be quite as good at Splunk.
Flexibility, the power of the search language, and the amount of premade content put ES above the rest.

ES is well suited to the SOC with some Splunk expertise. With that, the customization can take ES to the next level. Security threats change and ES can morph to fight the new issues, but it will take some care and feeding. ES isn't particularly well suited to the SOC that won't work to customize or extend it. For those cases, perhaps a security MSP can assist?
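The reviewer's point about "low and slow" logon failures (one failure per host, an hour apart) is the kind of correlation a per-host threshold rule misses. The following Python script is an added example, not code from the review or from Splunk: it runs a classic burst rule and a cross-host correlation rule over a handful of constructed logon events (hosts, users and times are made up) so the difference in what each rule surfaces is visible. In ES this logic would live in a correlation search written in SPL.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, user, outcome). Not real data.
SAMPLE_EVENTS = [
    ("2022-02-08T01:00:00", "ws01", "alice", "fail"),
    ("2022-02-08T02:05:00", "ws02", "alice", "fail"),
    ("2022-02-08T03:10:00", "ws03", "alice", "fail"),
    ("2022-02-08T04:20:00", "ws04", "alice", "fail"),
    ("2022-02-08T05:30:00", "ws05", "alice", "success"),
    ("2022-02-08T09:00:00", "ws01", "bob", "fail"),
    ("2022-02-08T09:00:30", "ws01", "bob", "fail"),
    ("2022-02-08T09:01:00", "ws01", "bob", "fail"),
    ("2022-02-08T12:00:00", "ws02", "carol", "fail"),
]

def parse(events):
    """Turn the raw tuples into (datetime, host, user, outcome), sorted by time."""
    return sorted((datetime.fromisoformat(t), h, u, o) for t, h, u, o in events)

def per_host_burst_rule(events, threshold=3, window=timedelta(minutes=5)):
    """Classic rule: N failures for one user on one host inside a short window.
    Returns the set of (user, host) pairs that tripped the rule."""
    alerts, recent = set(), defaultdict(list)
    for ts, host, user, outcome in parse(events):
        if outcome != "fail":
            continue
        key = (user, host)
        # keep only failures still inside the sliding window, then add this one
        recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
        if len(recent[key]) >= threshold:
            alerts.add(key)
    return alerts

def cross_host_slow_rule(events, threshold=4, window=timedelta(hours=24), min_hosts=2):
    """Correlated rule: failures for one user spread across several hosts over a
    long window. Returns {user: sorted list of hosts involved}."""
    by_user = defaultdict(list)
    for ts, host, user, outcome in parse(events):
        if outcome == "fail":
            by_user[user].append((ts, host))
    alerts = {}
    for user, items in by_user.items():
        for i, (start, _) in enumerate(items):
            in_win = [(t, h) for t, h in items[i:] if t - start <= window]
            hosts = {h for _, h in in_win}
            if len(in_win) >= threshold and len(hosts) >= min_hosts:
                alerts[user] = sorted(hosts)
                break
    return alerts
```

With the sample data the burst rule only catches bob's three rapid failures on ws01, while the cross-host rule is what flags alice, whose single failure per host never trips a per-host threshold.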

Splunk Enterprise Security (ES) Feature Ratings

Centralized event and log data collection
Event and log normalization/management
Deployment flexibility
Integration with Identity and Access Management Tools
Custom dashboards and workspaces
Host and network-based intrusion detection
Log retention
Data integration/API management
Behavioral analytics and baselining
Rules-based and algorithmic detection thresholds
Reporting and compliance management
Incident indexing/searching