Splunk Enterprise Security is especially compelling for large scale organizations and/or those already using the Splunk platform
June 20, 2022

Anonymous | TrustRadius Reviewer
Score 7 out of 10
Vetted Review
Verified User

Overall Satisfaction with Splunk Enterprise Security (ES)

Splunk Enterprise Security is our one-stop-shop for gaining visibility and insight into most of our secops tooling. We currently use it as our primary alerting platform (via Splunk On-Call) and share access/administration with a third-party hybrid SOC. Assets are our biggest pain point, with our current methodology relying on reading a CSV each day, performing data cleaning/sanitization, and using macros to define key fields like category and risk. This is really only feasible for our critical assets, so the remaining hosts are very inconsistent and unreliable at times, especially for our cloud assets.

Pros

  • Powerful searching
  • Handles large sets of logs
  • Integrates with our sec-ops tooling

Cons

  • Out of the box correlation searches
  • Out of the box RBA
  • Out of the box data normalisation
  • Allowing fine control of user access
  • Reduced operating costs
  • Faster MTTD
  • Faster MTTR

Partially, we had difficulties with our deployment from the start of the project and the vendor was required to pull out early. Because of this, we have been behind the eight ball since the start and it has been a very arduous and manual process getting the platform into a usable state. We are now in a place where we can action notables daily, but tuning and general uplift take significant time and effort. Solutions like Admin on demand do not fit a lot of our purposes or use cases, and where they do - it takes significant time to explain the issue sometimes. This has led to a feeling of our organization having to do this work ourselves and not rely on Splunk's assistance.

Flexibility is definitely there, not much more to say.

LogRhythm is a superior SIEM from a purely security/SOC perspective in my opinion. However, Splunk shines if you have an expert behind the wheel or if the organization is quite large - as my experience with LogRhythm indicated it couldn't handle large-size organizations.

Do you think Splunk Enterprise Security delivers good value for the price?

Not sure

Are you happy with Splunk Enterprise Security's feature set?

Yes

Did Splunk Enterprise Security live up to sales and marketing promises?

No

Did implementation of Splunk Enterprise Security go as expected?

No

Would you buy Splunk Enterprise Security again?

Yes

Large organizations, especially with an existing Splunk platform in place, are most suited for Splunk Enterprise Security. Smaller organizations, especially those with minimal sec-ops experience or staffing would probably not get the immediate value expected from an investment into a SIEM solution. Competitors like LogRhythm are more closely aligned with the small business ideology.

Splunk Enterprise Security Feature Ratings (score out of 10)

Centralized event and log data collection: 9
Correlation: 5
Event and log normalization/management: 5
Deployment flexibility: 8
Integration with Identity and Access Management Tools: 8
Custom dashboards and workspaces: 9
Host and network-based intrusion detection: 5
Log retention: 6
Data integration/API management: 7
Behavioral analytics and baselining: 5
Rules-based and algorithmic detection thresholds: 4
Response orchestration and automation: 8
Reporting and compliance management: 8
Incident indexing/searching: 7