Leveraging Splunk ES and the Splunk ecosystem to make quick progress in a nascent SOC environment
February 19, 2022

Leveraging Splunk ES and the Splunk ecosystem to make quick progress in a nascent SOC environment

Anonymous | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Overall Satisfaction with Splunk Enterprise Security (ES)

We utilize Splunk Enterprise Security to collect our logging into a centralized platform then, off the back of the logs that have been ingested into Splunk, design and implement the relevant alerting via appropriate Splunk SPL syntax that is required for our teams, auditors, merchants, etc. By ensuring our alerts trigger notable events on the Incident Review page, Splunk ES has helped us and our analysts have a single pane of view where they can easily investigate and triage possible security incidents. The customisability of the SPL syntax makes creating new use cases very simple and gives us more flexibility compared to competing for open source solutions such as Elasticsearch. Furthermore, our leverage of the hosted Splunk Cloud service enables us to avoid the burden of having to manage the Splunk architecture and infrastructure itself which doesn't bring any real value to our users whereas having that extra freed up time focusing on the actual content and use cases means we can easily and quickly deliver new alerting as required. Additionally, the fantastic Splunk community is a valuable resource to obtain solutions from other advanced Splunk users plus multiple Splunk apps and integrations with different products and vendors are great
  • Centralise alerting
  • Ingest logs from many different tools, vendors and system
  • Enable easy and quick creation of new alerting
  • Integrate identity components into each alert so you can reconcile different IP addresses, usernames, email conventions for your corporate staff
  • Easy and intuitive case management inbuilt
  • Lots of relevant dashboards and alerting out of the box
  • Tons of integrations and apps for different vendors
  • Performance can sometimes be a letdown depending on implementation
  • The whole log ingestion pipeline is quite complex to understand
  • There is sometimes a need to disable inbuilt alerting for non-relevant systems e.g. if you don't use a particular OS in your estate to improve performance
  • Infrastructure and architecture is complex to maintain if not using hosted Splunk Cloud
  • License can be expensive even for modest amounts of data ingested
  • Enables a single pane of glass for our SOC
  • Reduces triage times
  • Enables quick deployment of new use cases
  • Speeds up log normalisation and ingestion of new data feeds
  • Lowers alert fatigue with customisable suppression rules
Splunk Cloud does take the pain out of managing data indexes, data storage concerns, data retention, hot/warm/cold storage types as well as abstracting the infrastructure which needs to be upgraded, maintained, and patched regularly. If your company does not have the teams to take care of this, Splunk Cloud is ideal as a solution since it allows you to focus on implementing new use cases and content. However, there are some limitations which are imposed by Splunk Cloud such as lack of support for modular inputs, lack of command line (CLI) access, having to go through Splunk Support (which are usually pretty responsive but there are times when this procedure takes a few days from submitting a request through to it being implemented on Splunk Cloud) every time a new custom Splunk application needs to be installed, etc. I haven't read the latest information on this but there are also limitations as to federated search and hybrid search with regards to linking in with search heads that are hosted in our own cloud tenants and having these search off our primary indexers that are hosted in Splunk Cloud.
Exabeam is Elasticsearch based which has major limitations compared to Splunk's SPL language. Furthermore, in my previous company, we were using Exabeam and there were a lot of false-positive detections caused by the machine learning algorithms, Bayesian inference, and other risk-based alerting Exabeam employed, which unfortunately were not too customizable in the way they worked. Splunk's rule-based approach is less prone to false positives if you invest the appropriate time to tweak the syntax and eliminate major false-positive sources. Furthermore, Exabeam being a product that was new to the market and relatively WIP was much less stable and more prone to random crashes caused by malfunctioning software components. These outages also led to secondary problems with data that could not be accepted by Exabeam having to be temporarily backed up and retained on the Syslog forwarders feeding Exabeam. Splunk so far has been very stable.

Do you think Splunk Enterprise Security (ES) delivers good value for the price?


Are you happy with Splunk Enterprise Security (ES)'s feature set?


Did Splunk Enterprise Security (ES) live up to sales and marketing promises?


Did implementation of Splunk Enterprise Security (ES) go as expected?


Would you buy Splunk Enterprise Security (ES) again?


OneTrust, HackerOne, Kibana, Google Cloud Operations Suite (formerly Stackdriver), Looker
Splunk ES is well suited for any company which can afford to pay the licensing costs and commit to a long-term relationship with Splunk. The ecosystem is unmatched compared to open source solutions such as Elasticsearch since 1) the Splunk SPL syntax is highly configurable and unmatched in terms of flexibility and what functions are available e.g. statistics, modeling, machine learning 2) the Splunk community has loads of helpful users and resources where many, many questions are answered promptly and with great detail sometimes 3) the level of support, number of integrations and apps available for Splunk from third-party vendors is unmatched and you'll be hard-pressed to find an instance where Splunk doesn't already support most of your existing systems The multitude of free and paid Elasticsearch based offerings/vendors can't yet compare with Splunk's maturity and, although they may be cheaper initially, don't offer the same richness of syntax, community, and integrations that Splunk does. Although Splunk architecture is complex and maintaining Splunk infrastructure can be time-consuming, their hosted Splunk Cloud option mitigates some of these concerns.

Splunk Enterprise Security (ES) Feature Ratings

Centralized event and log data collection
Event and log normalization/management
Deployment flexibility
Integration with Identity and Access Management Tools
Custom dashboards and workspaces
Host and network-based intrusion detection
Log retention
Data integration/API management
Behavioral analytics and baselining
Rules-based and algorithmic detection thresholds
Response orchestration and automation
Reporting and compliance management
Incident indexing/searching

Evaluating Splunk Enterprise Security (ES) and Competitors

  • Product Features
  • Prior Experience with the Product
I've worked with Splunk before at previous companies and was aware of its strong ecosystem with regards to the Splunk community, the powerful SPL syntax language and the wide variety of mature integrations with third party vendors and products.

Elasticsearch doesn't yet have the same maturity of their ecosystem or the feature stability offered by Splunk despite the prices of Elasticsearch based solutions most times being lower than the similar data ingestion Splunk price.
We would make the process a bit more comprehensive with regards to evaluation of feature parity between the functionality that Splunk's SPL syntax language offers compared with Elasticsearch's language so that we can evidence why Splunk's slightly higher price is justified by the long term time savings obtained by being able to use the inbuilt features in SPL.

Also, we would evaluate the difference between Splunk Cloud and other vendor hosted solutions against the alternative of having a solution hosted in our own cloud tenant and have this be managed by ourselves rather than fully managed by the vendor.