Splunk as a SIEM
June 13, 2022
Score 9 out of 10
Overall Satisfaction with Splunk Enterprise Security (ES)
We use Splunk Enterprise Security (ES) as a SIEM. It's used by our SOC for both Incident Review and investigations. The Use Cases out of the box have been valuable, as we use many of them in our analytics. We also used a previous SIEM which did not perform as well as Splunk Enterprise Security (ES) does, so it has been a huge improvement for us.
- Incident Review
- A little more user-friendly. SPL searching is a learning curve for some.
- The ability to map better to the MITRE ATT&CK framework. We have had to manually map to MITRE, which has been a lot of work.
- Maybe combine some of the ES apps for ease of use.
- Reduced time on incidents
- More visual displays of where our SOC stands via Custom Dashboards
- Better management of incidents via Incident Review
It most certainly has. We went from a clunky, slow SIEM to one that has much higher performance and better visualizations than we had prior.
It has been quite scalable for our organization. For an even larger organization it might be more difficult to scale, especially with a lot of users.
The ability to automate searches and dashboards has been a huge success for our organization. We didn't have that ability with our last "traditional" SIEM. It is less appropriate if you want everything carrot-fed to you. Although there are many out-of-the-box searches and reports, Splunk Enterprise Security (ES) is best suited for enhancing users' views via dashboards and also reporting.