The Best SIEM Solution the market has to offer!
June 21, 2022

Saibal Banerjee | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User

Overall Satisfaction with Splunk Enterprise Security (ES)

Splunk ES is used as the SIEM solution in my organization for centralized logging and monitoring of threats. We create new use cases as per our environment requirements and also leverage the different Analytic Stories published by Splunk and tune them to our requirements. Splunk Incident Review is used for analysts' eyes-on-glass monitoring on a 24x7 basis.

Splunk ES is the single platform the SOC team uses to ingest new threat intelligence, manage assets, and identify and work towards identifying new threats.

Splunk ES can also be used to develop business use cases which focus on operational metrics, and the alerts, once triggered, are sent out as notifications to different business teams.

Pros

  • Threat Intelligence Management - Splunk ES does a great job of automating intelligence collection from different sources like STIX and TAXII feeds, other third-party sources, as well as an internally built IOC repository.
  • Incident Review - The Incident Review tab is the single most important view in Splunk ES; it provides analysts with a crisp view of all newly triggered alerts and also provides enough filtering options.
  • The Search tab - The Splunk Search tab is a very powerful utility to work on custom queries in SPL, investigate ad-hoc detections, and work towards building new use cases. This is where the real deep-dive investigation truly happens.
  • Investigations - The Splunk Investigations tab provides an analyst with a unified view of all details pertaining to an incident, and it helps in faster triaging and remediation of incidents.

Cons

  • Alert Suppression - There should be a more user-friendly mechanism for performing alert suppressions, and also a single console to track all use cases that have suppression enabled and what those suppressions are.
  • Extraction of new fields could be made simpler, with fewer items to select, so that even beginner-level analysts can extract fields as per requirement.
  • There should be dedicated options to search for IOCs in Splunk. The SOC needs to hunt for IOCs on a daily basis, and a copy-paste style of IOC hunting would help instead of writing queries.

Return on Investment

  • Greater visibility of the organization's infrastructure.
  • Faster detection and response (MTTD, MTTA and MTTR were reduced).
  • Improved storytelling with the ES Investigations feature.
  • Better intelligence management and risk reduction.

Splunk has helped to speed up the objective of improving the security posture of our organization. The machine-learning-based alerts still have a long way to go before false positives are reduced substantially enough for analysts to actually take them up for triaging, but the biggest strength that ES brings is the strong correlation of different entities when investigating an alert. It is an investigation ecosystem in itself. One can check all details on assets and identities in Splunk, saving the time spent going to IAM or AD consoles to do that. So along those lines, Splunk has helped improve the security of the organization.

The scalability options for Splunk are absolutely insane; it caters to companies as small as a 10-member firm and as huge as Walmart. The offering of Splunk as a service over the cloud is great for small-scale companies, and the hybrid options are a great solution for organizations that still have not completely migrated to the cloud, so Splunk helps to monitor both their cloud infra as well as on-prem infra.

Splunk ES is by far the best solution in the market as per flexibility, features and support. Cost-wise, it is the most expensive option to go with, but that has its own advantages, as the product that we get is premium and superior to other SIEMs. The best thing about Splunk ES is that it can also serve as a business intelligence tool for data analytics, so both Security and Business teams can create use cases and monitor dashboards as per their needs.

Do you think Splunk Enterprise Security (ES) delivers good value for the price?

Yes

Are you happy with Splunk Enterprise Security (ES)'s feature set?

Yes

Did Splunk Enterprise Security (ES) live up to sales and marketing promises?

Yes

Did implementation of Splunk Enterprise Security (ES) go as expected?

Yes

Would you buy Splunk Enterprise Security (ES) again?

Yes

Having used multiple SIEM solutions over the past 8 years, I can confidently say that Splunk is the single most versatile platform for all security monitoring as well as data analytics needs. The platform has just enough flexibility for new integrations for apps and also fast rollout of new features for customers. Also, Splunk Docs is one excellent resource to refer to for anything related to Splunk. The platform offers great reporting options for management as well. The dashboards are super customizable, so it serves as a perfect suite for any organization that needs to collect data for security monitoring as well as big data analytics.

Organizations that do not have a high budget for security may choose the cloud-only instances of Splunk, but if even that is expensive, and the company is too small and doesn't need that much work with data, they are better off with any other affordable alternative to Splunk, like LogRhythm or SentinelOne. Splunk is the single most expensive SIEM and, well, it justifies the cost.

Splunk Enterprise Security (ES) Feature Ratings

Centralized event and log data collection: 8
Correlation: 8
Event and log normalization/management: 9
Deployment flexibility: 9
Integration with Identity and Access Management tools: 9
Custom dashboards and workspaces: 10
Host and network-based intrusion detection: 8
Log retention: 6
Data integration/API management: 8
Behavioral analytics and baselining: 7
Rules-based and algorithmic detection thresholds: 8
Response orchestration and automation: 8
Reporting and compliance management: 8
Incident indexing/searching: 9