A honest Splunk ES review from a system integrator.
February 22, 2022
A honest Splunk ES review from a system integrator.
Score 9 out of 10
Vetted Review
Verified User
Overall Satisfaction with Splunk Enterprise Security (ES)
We are a system integrator for Splunk. We introduce Splunk enterprise security to our customers as a complete SIEM tool. A kind of tool that can address the modern SOC requirements. We try to address the overall security posture of the customer's environment as the business requirement. We also encourage our customers to bring in all kinds of data into Splunk ranging from security data to business data and actively try to get them signed up for training so that they know how to use the product.
- Splunk ES comes out with a few correlation searches which cover a lot of data sets. The benefit of using ES to other security tools is the customers can enable a few correlation searches to get maximum coverage.
- Splunk ES comes with its own built-in investigation tool. This helps the customers drive their SOC workflow end to end. i.e You can ingest your data, run correlations, run investigations, and also integrate it with third-party tools like SNOW from a single application.
- Splunk ES introduced a concept called risk-based scores which is a very interesting concept that allows the SOC team to investigate the highest-priority alerts. This helps in keeping alert fatigue to a minimum.
- Splunk Enterprise Security relies heavily on data model Acceleration for running their correlation searches. It is a very good concept but for new customers, it is quite confusing. It would be nice if there are step by step guidelines on how to enable and fine-tune these data models inside the app. For instance, recommend which all indexes have to be integrated into each data model. Identify which all are data sets are tagged correctly etc. For example, if the customer wants to have authentication data, Step 1: Collect data from Authentication data sources => check. Step 2: are the tags working correctly => check. Step 3=> give recommendations of the ES correlation searches=> check . Step 4: Enable all the correlation searches and the data models => check. So if there is a workflow like this present new customers would find a lot of tasks much more easy to achieve instead of relying on professional services.
- It would be great if ES had a much more polished version of the miter coverage dashboard out of the box. So we don't need to rely on the Security essentials app for finding where we stand on the miter framework.
- Splunk Enterprise security is a unique product that allows you as the organization to run simply out-of-the-box correlation searches on a large number of data sets and help you with detecting incidents with ease. The setup is not very complicated and with assistance from the sales team and professional services, you would be able to set up your own SOC team from scratch.
- Splunk Security team is very well versed in the security field and they can provide you with training opportunities and suggestions on how to run your SOC environment and keep you updated with the latest security trends.
- Splunk Security team also conducts their own investigation into major security breaches and vulnerabilities that come out worldwide and they release correlation searches and suggestions on a regular basis which can be implemented in your environment free of cost.
I personally felt that It is easier to onboard structured data to IBM radar compared to Splunk. But when onboarding unstructured data or unknown data Splunk is king.
Do you think Splunk Enterprise Security (ES) delivers good value for the price?
Yes
Are you happy with Splunk Enterprise Security (ES)'s feature set?
Yes
Did Splunk Enterprise Security (ES) live up to sales and marketing promises?
I wasn't involved with the selection/purchase process
Did implementation of Splunk Enterprise Security (ES) go as expected?
Yes
Would you buy Splunk Enterprise Security (ES) again?
Yes