ES the best platform to wipe out attackers and malicious behaviours.
March 24, 2022


Anonymous | TrustRadius Reviewer
Score 7 out of 10
Vetted Review
Verified User

Overall Satisfaction with Splunk Enterprise Security (ES)

ES has been useful to me for many security-related aspects. The key role ES plays is the well-known data models, with which we can make index data CIM compliant regardless of which indexes it comes from (e.g. Email, Authentication, Endpoint, etc.). We can map those data models to create use cases for user authentication to identify threats and anomalies, which can be further addressed in dashboards to analyze the problem.
  • Security use case creation using data models to make data CIM compliant is useful in further analysis.
  • Dashboards and other knowledge objects created in ES are other keys to identifying threats.
  • Users present in the organization can be set up in a lookup to gain information about user behaviour and run analysis to find other threats and anomalies.
  • User behaviour analysis is a lacking component; it is something we get in Splunk UBA.
  • The documentation is hard to work with; if a new user tries to learn ES, the documentation is not user-friendly.
  • ES must add more knowledge objects by default to make security-related aspects more reliable and enhance the details.
  • ES has had a high impact on ROI: as a customer of ES, the work we do creating security use cases for clients from their logs has returned more than the investment.
  • The correlation searches we run to get detailed results from the data models are much less time-consuming than in Splunk Enterprise itself; we get quick responses to the use cases, and the dashboards are populated quickly because of ES.
  • The CIM compliance feature in ES has made jobs easier in terms of finding authentication-related data; we can get data onboarded into the Email data model from O365 and search the Email data model instead of searching particular indexes.
Installing and deploying ES in a specific environment has been very difficult. We have to install the necessary packages, and if a new user tries to learn ES and install it, it cannot be installed without errors; there are a lot of troublesome errors to go through. So in terms of deployment friendliness I would rate it less user-friendly.
Apart from ES, I have used Dynatrace and the QRadar SIEM tool to work on security findings in an organization. In Dynatrace, with the help of the collector agent, we can monitor proper host data, which can be further classified into host process, memory usage, CPU usage, etc. As for QRadar, it is again a great tool for analysis, but creating offenses is troublesome, which is more user-friendly in Splunk ES.

Do you think Splunk Enterprise Security (ES) delivers good value for the price?

Yes

Are you happy with Splunk Enterprise Security (ES)'s feature set?

Yes

Did Splunk Enterprise Security (ES) live up to sales and marketing promises?

I wasn't involved with the selection/purchase process

Did implementation of Splunk Enterprise Security (ES) go as expected?

Yes

Would you buy Splunk Enterprise Security (ES) again?

Yes

The great and easy work I encountered in ES is for security purposes, where I can create specific data models from the index data and use only those result sets to work on creating dashboards and knowledge objects more widely. There is also the CIM-compliant part, where we can create correlation searches which take less time to produce results from the query and populate the dashboards more efficiently.

Splunk Enterprise Security (ES) Feature Ratings

Centralized event and log data collection: 7
Correlation: 8
Event and log normalization/management: Not Rated
Deployment flexibility: 6
Integration with Identity and Access Management Tools: Not Rated
Custom dashboards and workspaces: 6
Host and network-based intrusion detection: 7
Log retention: 7
Data integration/API management: 7
Behavioral analytics and baselining: 6
Rules-based and algorithmic detection thresholds: Not Rated
Response orchestration and automation: Not Rated
Reporting and compliance management: 7
Incident indexing/searching: 7
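The CIM-driven authentication use case the review describes (a correlation search that reads from a data model rather than raw indexes) looks like the following. This is an added example written for this page, not the reviewer's own search and not a search shipped with Splunk ES. The data model name `Authentication` and the fields `Authentication.action`, `Authentication.user` and `Authentication.src` are standard CIM fields; the 5-minute window, the failure threshold of 20 and the `rule_title` wording are assumptions to be tuned per environment.

```spl
| tstats summariesonly=true count AS failures
    from datamodel=Authentication
    where Authentication.action="failure"
    by _time span=5m Authentication.src Authentication.user
| rename Authentication.* AS *
| stats sum(failures) AS failures, dc(user) AS distinct_users, values(user) AS users
    by src, _time
| where failures >= 20
| eval rule_title="Excessive failed logons from ".src." (".failures." failures, ".distinct_users." users)"
```

`summariesonly=true` restricts the search to the accelerated summary of the data model, which is where the speed advantage over searching raw indexes comes from; it also means events not yet accelerated are silently excluded, so the data model must be accelerated for every index that feeds it. Because the search keys on the CIM field names, the same correlation search covers O365, VPN and Windows logon sources as soon as their add-ons tag the data into the `Authentication` model; scheduling it as an ES correlation search with a notable-event adaptive response turns each matching `src` row into an incident for the analyst.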