Leveraging Splunk ES and the Splunk ecosystem to make quick progress in a nascent SOC environment
February 19, 2022
Score 8 out of 10
Vetted Review
Verified User
Overall Satisfaction with Splunk Enterprise Security (ES)
We utilize Splunk Enterprise Security to collect our logging into a centralized platform and then, off the back of the logs that have been ingested into Splunk, design and implement the relevant alerting via the appropriate Splunk SPL syntax required by our teams, auditors, merchants, etc. By ensuring our alerts trigger notable events on the Incident Review page, Splunk ES has given us and our analysts a single pane of view where they can easily investigate and triage possible security incidents. The customisability of the SPL syntax makes creating new use cases very simple and gives us more flexibility compared to competing open source solutions such as Elasticsearch. Furthermore, our use of the hosted Splunk Cloud service enables us to avoid the burden of managing the Splunk architecture and infrastructure ourselves, which doesn't bring any real value to our users, whereas having that freed-up time to focus on the actual content and use cases means we can easily and quickly deliver new alerting as required. Additionally, the fantastic Splunk community is a valuable resource for obtaining solutions from other advanced Splunk users, and the many Splunk apps and integrations with different products and vendors are great.
- Centralise alerting
- Ingest logs from many different tools, vendors and systems
- Enable easy and quick creation of new alerting
- Integrate identity components into each alert so you can reconcile different IP addresses, usernames, email conventions for your corporate staff
- Easy and intuitive case management inbuilt
- Lots of relevant dashboards and alerting out of the box
- Tons of integrations and apps for different vendors
- Performance can sometimes be a letdown depending on implementation
- The whole log ingestion pipeline is quite complex to understand
- There is sometimes a need to disable inbuilt alerting for non-relevant systems (e.g. an OS you don't use in your estate) to improve performance
- Infrastructure and architecture is complex to maintain if not using hosted Splunk Cloud
- License can be expensive even for modest amounts of data ingested
- Enables a single pane of glass for our SOC
- Reduces triage times
- Enables quick deployment of new use cases
- Speeds up log normalisation and ingestion of new data feeds
- Lowers alert fatigue with customisable suppression rules
Exabeam is Elasticsearch based which has major limitations compared to Splunk's SPL language. Furthermore, in my previous company, we were using Exabeam and there were a lot of false-positive detections caused by the machine learning algorithms, Bayesian inference, and other risk-based alerting Exabeam employed, which unfortunately were not too customizable in the way they worked. Splunk's rule-based approach is less prone to false positives if you invest the appropriate time to tweak the syntax and eliminate major false-positive sources. Furthermore, Exabeam being a product that was new to the market and relatively WIP was much less stable and more prone to random crashes caused by malfunctioning software components. These outages also led to secondary problems with data that could not be accepted by Exabeam having to be temporarily backed up and retained on the Syslog forwarders feeding Exabeam. Splunk so far has been very stable.
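To make the "rule-based approach" and "customisable suppression rules" described above concrete, here is an added SPL correlation search in the style used for Splunk ES notable events. It is example code written for this page, not the reviewer's or Splunk's own content. It assumes authentication events are mapped into the CIM Authentication data model, that a lookup named `known_scanner_hosts` (hypothetical, maintained by the SOC) lists source addresses such as vulnerability scanners that are expected to generate failed logons, and that a threshold of 20 failures per 5-minute window suits the estate; all three are assumptions to tune per environment.

```spl
| tstats summariesonly=true count AS failures
    FROM datamodel=Authentication
    WHERE Authentication.action="failure"
    BY _time span=5m Authentication.src Authentication.user
| rename Authentication.src AS src, Authentication.user AS user
| lookup known_scanner_hosts src OUTPUT is_scanner
| where isnull(is_scanner) AND failures >= 20
| table _time, src, user, failures
```

Reading it top to bottom: `tstats` counts failed logons per source and user in 5-minute buckets from the accelerated data model (fast, which matters given the performance caveats in the review); the `lookup` tags sources the SOC has already vetted as benign noise; the `where` clause drops those tagged sources and keeps only bursts above the threshold, which is the "tweak the syntax and eliminate major false-positive sources" step. Saved as a correlation search in ES with a notable event adaptive response action, each remaining row becomes a notable on Incident Review; the throttling settings on the correlation search (for example, suppress repeats for the same `src` and `user` for 24 hours) provide the alert-fatigue suppression the review mentions, without changing the SPL.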
Do you think Splunk Enterprise Security (ES) delivers good value for the price?
Yes
Are you happy with Splunk Enterprise Security (ES)'s feature set?
Yes
Did Splunk Enterprise Security (ES) live up to sales and marketing promises?
Yes
Did implementation of Splunk Enterprise Security (ES) go as expected?
Yes
Would you buy Splunk Enterprise Security (ES) again?
Yes
Splunk Enterprise Security (ES) Feature Ratings
Evaluating Splunk Enterprise Security (ES) and Competitors
- Product Features
- Prior Experience with the Product
I've worked with Splunk before at previous companies and was aware of its strong ecosystem with regards to the Splunk community, the powerful SPL syntax language and the wide variety of mature integrations with third party vendors and products.
Elasticsearch doesn't yet have the same maturity of ecosystem or the feature stability offered by Splunk, despite the prices of Elasticsearch-based solutions usually being lower than the Splunk price for similar data ingestion.
We would make the process a bit more comprehensive with regards to evaluation of feature parity between the functionality that Splunk's SPL syntax language offers compared with Elasticsearch's language so that we can evidence why Splunk's slightly higher price is justified by the long term time savings obtained by being able to use the inbuilt features in SPL.
Also, we would evaluate the difference between Splunk Cloud and other vendor hosted solutions against the alternative of having a solution hosted in our own cloud tenant and have this be managed by ourselves rather than fully managed by the vendor.