Considerations from an ES implementation in SOCs consultant
Updated July 21, 2022

Considerations from an ES implementation in SOCs consultant

Giuseppe Cusello | TrustRadius Reviewer
Score 10 out of 10
Vetted Review

Overall Satisfaction with Splunk Enterprise Security (ES)

I'm a consultant in SIEM implementation for our customers. I implemented many ES installations in the last years for SIEMs and SOCs.
  • Search and analyze cyber Security Threats
  • cyber risk quantification of customer assents and identities
  • manage notable events and security incidents
  • investigate alerts from Splunk
  • create always new security Use Cases
  • reporting for board
  • support company compliance functions in their activities
  • we hard-worked to customize ES for multitenancy because this feature isn't present in ES
  • Investigations aren't so easy to customize
  • integration of ES with external Asset Management system isn't so easy to implement
  • I should be very useful an integration with an external Vulnerability Management system (e.g. Tenable) to highlight dangerous areas and asset risk quantification
  • We're a Splunk Partner and we implemented many ES infrastructures for our customers
  • We're too small and less structured 8especially in infrastructures) for use in our company
  • Our customers are all satisfied by ES
I usually use Enterprise Security (ES)’s security portfolio in my implementation activities. I had projects using only out-of-the-box Use Cases and projects with only customer Correlation Searches and ES helped me to develop both situations. The availability of always new and added Correlation Searches surely will help me to satisfy the customer's requirements.
because I experimented with installations with a single server and installations with multi-side clusters and I was able to implement and use ES. The only problem I found, but I understand that's mandatory to have quick response times, it needs very many resources (CPUs, RAMs, and storage).
I performed a migration from RSA SA and I found that ES is very easier to implement new Correlation Searches.

Do you think Splunk Enterprise Security (ES) delivers good value for the price?


Are you happy with Splunk Enterprise Security (ES)'s feature set?


Did Splunk Enterprise Security (ES) live up to sales and marketing promises?


Did implementation of Splunk Enterprise Security (ES) go as expected?


Would you buy Splunk Enterprise Security (ES) again?


I daily work in ES implementation for our customers so I hint to use ES in every Cyber Security protection situation because it ensembles threat detection features with notable and security incident management: it isn't a tool for specialists but for all security analysts. I think that it's well suited in all structured and/or big companies. It's difficult to implement (also for its costs) in small companies.

Splunk Enterprise Security (ES) Feature Ratings

Centralized event and log data collection
Event and log normalization/management
Deployment flexibility
Integration with Identity and Access Management Tools
Custom dashboards and workspaces
Host and network-based intrusion detection
Log retention
Data integration/API management
Behavioral analytics and baselining
Rules-based and algorithmic detection thresholds
Response orchestration and automation
Reporting and compliance management
Incident indexing/searching

Using Splunk Enterprise Security (ES)

I'm a consultant in ES implementation
I'm A Splunk Architect and I followed a training dedicated to ES, I'll try to have also a certification in ES
  • all SIEM features Implementation
  • Threat intelligence
  • Cyber Risk Quantification
  • Support for Asset Inventory
  • Support for Asset Inventory
  • Cyber Risk Quantification
  • Integration with our DSS platform for Cyber Risk Quantification (platform developed using Splunk Enterprise)
We are a Splunk Partner and will continue to work implementing ES

Evaluating Splunk Enterprise Security (ES) and Competitors

Yes - I worked to migrate a SOC infrastructure from RSA Security Analytics to Splunk ES for one of our customers
  • Price
  • Product Features
  • Product Usability
The only limit of ES is prize: if a customer must use ES only for SIEM, it's an expensive solution, so I hint to reduce the cost of ES, especially when the customer dimension isn't so great: some customers changed their idea to use Splunk before too expensive and preferred to use Elastic Search.
ES feature and usability are winning points over all the other solutions, I think that only with a few reduction of ES price, there will not be any opportunity for other products.
I always hint to our customers Splunk ES as the best solution for SIEMs and SOCs, even if expensive, is the best solution for features and usability, especially when the use of the platform is extended alto to non security Use Cases (e.g. IT Operations, business insight, etc...).

Splunk Enterprise Security (ES) Implementation

It's a fantatic product and it was very useful the presence of Splunk Professional Services for the Design Phase and the final Health Check.
  • Third-party professional services
We are a third party professional services company and we perform consultancies in ES implemntation.
In addition, we used Splunk Profesisonal Services consultancy in one of our projects for the dimensions of the customers, because it needed a multi tenant installation (and ES isn't so) and for a final certification of the ES infrastructure developed.
Yes - the project was the migration of the SOC infrastructure from RSA Security Analytics to Splunk ES, so it was divided into:
  • architectural Design and infrastructure dimensioning,
  • ES configuration and tuning (installation was done by the custem by itself),
  • log ingestion configuration (check of the ingestion already done by the customer),
  • correlation searches migration (all custom correlation searches),
  • threat intelligence configuration (all custom sources),
  • final check and certification.
Change management was a small part of the implementation and was well-handled - The only change management was related to the process of developing new correlation searches and dashboards for visibility for the SOC's customers.
  • ES isn't multi tenant but we had to implement multi tenancy to manage the customers of that SOC maintaining separation between them

Splunk Enterprise Security (ES) Training

I experienced only on-line training, but the trainers were very professional and competent. Maybe it could be more useful if they also have an experience in projects because sometimes they didn't have a real project experience to communicate to the students. Anyway, it was very interesting and I learned many thing that's very difficoult (or maybe impossible!) to have by myself, aven if I have more than 10 years of Splunk activity experience.
It was very interesting and I learned many thing that's very difficoult (or maybe impossible!) to have by myself. The only problem was that, when I worked with the Splunk Professional Services, I found some difference between the training contents and the information from PS. In addition is required a long experience on Splunk Enterprise for the data ingestion part, in other words I'm able to work with ES because I'm worling on Splunk since 11 years, otherwise I'd some problem.

Configuring Splunk Enterprise Security (ES)

Configurability is high for Correlation Searches and thear intelligence, we were able to configure multi tenancy but with an hard work.
So I'd like to have multitenancy out of the box in ES features.
In addition I'd like to have an easier configurability for investigations and notable and security incidents management.
At first put a very great attention to data sources because having clean data it's possible to have clean results, otherwise it isn't.
Then ES isn't a platform for improvisations: it need a knowledge of Splunk and a specific knowledge on ES itself.
I found some customer that tried to do all by itself, the result was only muck lost time.
No - we have not done any customization to the interface
Some - we have added small pieces of custom code - We had to customeize the installation for a customer implementing multi tenancy. The customizations were mainly related to the data structure: each final customer had its own index, all datamodels were customized to use index and other fields for the final customers, in each datamodel index was a main grouping field, all correlation search was customized using index as grouping field, for threst intelligence, it was needed to modify one ot the Splunk Python script for index grouping.
Our project was a migration from RSA Security Analytics to Splunk ES, so we had to create one Correlation Search for each Use Case to have the same Use Cases of the precedent installation.
In addition, out customer had two Threat Intelligence sources (MISP and Crowdstrike) and we had to customize the information update process taking data from that sources.

Splunk Enterprise Security (ES) Support

I continously work with Splunk Support and they always are quinck and professional in their intervenes.
Quick Resolution
Good followup
Knowledgeable team
Kept well informed
No escalation required
Immediate help available
Support understands my problem
Support cares about my success
Quick Initial Response
Problems left unsolved
I worked with Splunk Professional Services only one time and I was very satisfied of them.
They are very expensive (probably too much and out of market) but I hada all the answers that me and the customer needed.
Yes - They always answerd in a quick time with the solution, or, at least a workaround to pass the situation.
In my last project, we opened a case for a problem that should be solved in a past release of Splunk, but it's still present.
The support gave us a workaround to immediately solve the problem waiting if in the next release it will be solved.

Using Splunk Enterprise Security (ES)

I's very usable the part of configuration and correlation searching creation.
It could be better in Notable and Security Incident management.
Like to use
Relatively simple
Easy to use
Technical support not required
Well integrated
Feel confident using
Lots to learn
  • Threat Intelligence
  • Correlation Searches
  • I know that ES isn't Multi Tenant, but it's very difficoult to configure and use it on many customers
  • Investigations could be more easy to use

Splunk Enterprise Security (ES) Reliability

I'm not an ES user, but, in my implementation I usually try to prevent all service stops to guarantee High availability to the final customers.
ES requires a very performant infrastructure: if it has it's performant, otherwise not.
I had situation with a very performant infrastructure and I didn't notized that it was a distributed architecture, it seemed that there ware few data on my PC, othewise I experienced less performant infrastructures with less performaces.

Integrating Splunk Enterprise Security (ES)

It's easy to take logs and information from external logs using Technial Add-Ons, I'd like to have some integration tool for some specific feature like Asset Management, customer Threat Intelligene sources, vulnerability Management Systems.
In addition I'd like to also have some feature to easily export data to external systems.
  • our DSS platform
Our DSS platform is developed in Splunk Enterprise environment so integration was very easy!
  • Vulnerability Management
  • Asset Management
  • Anti Fraud Management System
Most of them have a Splunk App or Add-On, so I think that it will be very easy to do this.
  • File import/export
  • Single Signon
  • API (e.g. SOAP or REST)
We usualy use file import/export for integration and, when available, APIs to extract data from external systems (e.g. Cyber Quant or Tenable Security Center).
The Splunk Enterprise smart integration featutes is the reason why we choosed this environment to develop out DSS solution that integrates information from many external systema.
As I said many timkes in this review, I'd like to have some feature for integration of external systems as Asset Management, Vulnerability Management and so on, but also in multi tenancy mode.
In other words, I'd like to have the possibility to integrate many different asset managent sources from different final customers.

Relationship with Splunk

Splunk technical sales engineers are always available for supporting commercial process.
In addition, it's available the Oxygene 2 environment to have a demo environment.
Sometimes, the discount process should be less rigid and hear the indication from the partners and from the Splunk sales, because each customer has its own story, it's different from the others and requires a different approach.
They are always available.
It could be useful to have the possbility to give to the final customer a development period license: in few words, if I need a month to install and customize the solution for the final customer, the licesnse should start from the final acceptance test and not from the order date, because in this way the customer cannot have the license for the use or the full period they paid.
I had a fantastic experience with Splunk Professional Services:
they worked with us in our last SON project (a SOC migration for a very large customer) and helped to build a multi tenent environment even if ES isn't a multi tenant platform.
Th Splunk PS was a very professional and competent people, he is italian and was able to speak with our italian customers.
In our experience there are many negotiations with Splunk:
usually they are ready and available to find the best approach for the customer.
I experienced only one negative situation: when a big price redution is needed to take the customer, Splunk sales need approvation from their management that sometimes isn't so flexible to understand the situation.
for my exterience, unit pricing and billing frequency are correct. As I already said, I hint to have more discount flexibility, expecially with new customers, because there are competitors less expensive and very aggressive that are dangerous. In addition the possibility to don't pay the license for the development period could be a very interesting feature for the final customers.
As I already said, I hint to have more discount flexibility, expecially with new customers, because there are competitors less expensive and very aggressive that are dangerous. In addition the possibility to don't pay the license for the development period could be a very interesting feature for the final customers.

Upgrading Splunk Enterprise Security (ES)

Yes - I didn't experienced big problems in the upgrading process, even if the ES packages start to be large and heavy.
If it's possible to divide in separated packages the full installation package, probably the upgrade process could be easier.
I say this because I experienced an installation and an upgrade of ES in a customer with a slow connection and usually the process was aborted for timeout, so I needed to upload the package using SSH and instaling it via CLI, to avoid installation timeouts.
  • bug solving
  • new Correlation searches available
  • multi tenancy (but I know that there isn't!)