One SIEM to rule them all
Updated July 20, 2022

Anonymous | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Overall Satisfaction with Splunk Enterprise Security (ES)

Using Splunk Enterprise Security is just amazing. Splunk Enterprise Security is like no other SIEM solution.
Splunk gives us:
- Advanced dashboarding and alerting options.
- Real-time security investigations.
- Anomaly detection.
- With MLTK and SPL, we are implementing some advanced use cases which include statistics and ML.
- With lookups and data models, we created many custom models to run our Threat Intel schemas and Threat hunting processes.
  • Security investigation.
  • Threat hunting and threat intel processes.
  • Search efficiency with data models.
  • Creating investigation workflows.
  • Splunk Enterprise Security and UEBA could be one platform.
  • Real-time searches could be improved (more real-time searches should be added, etc.).
  • Configuration and management is hard for newbies.
  • Creating investigation workflows for specific rules or groups.
  • Faster search, index retention and weekly updated Security Content.
  • Reduced time in Threat intel workflows.
It has indeed. With the new version of Splunk Enterprise Security and Core, we see so many differentiators like the brand new RBA, Correlation searches, and Investigation dashboards. With RBA you can easily tell your SOC team how to prioritize notable events and where to start. You can also prepare custom investigation workflows for custom rules. It's a really cool feature that I have never seen in any other SIEM solution.
- 8 out of 10; I took 2 off for the data pipeline and administration part. Even if you'd like to improve yourself or your team, you have to pay a lot of money, and it could be more than GIAC education + cert.
- Normalization for Data models and CPU-based searches can be a problem sometimes.
- Schema-on-the-fly indexing gives you faster index searches. Even if you use data models, it's 100x faster as well.
- Correlation with other domains easily gives you total visibility and reduces the time to investigate and understand the problem.
- With lookups and trust, you can easily ingest your TI platforms and look for backlog and real-time data.
- Splunkbase
- RBA is using unsupervised learning also, so it's not like QRadar or McAfee. If we look at QRadar or McAfee, they give some magnitude values with static rules and define incident levels with those.
- Advanced investigation options and out-of-the-box security metrics tell you where you are.

Do you think Splunk Enterprise Security (ES) delivers good value for the price?

Yes

Are you happy with Splunk Enterprise Security (ES)'s feature set?

Yes

Did Splunk Enterprise Security (ES) live up to sales and marketing promises?

Yes

Did implementation of Splunk Enterprise Security (ES) go as expected?

Yes

Would you buy Splunk Enterprise Security (ES) again?

Yes

Less appropriate scenario:
- If you don't have enough employees, I recommend using an MSSP or maybe another SIEM with Splunk core. It can be hard to catch up and replace your current SIEM.
Well Suited scenario:
- Machine learning and statistics. We developed many use cases for anomaly detection, and with Splunk we implemented them and applied them to real-time data!

Splunk Enterprise Security (ES) Feature Ratings

Centralized event and log data collection: 10
Correlation: 9
Event and log normalization/management: 8
Deployment flexibility: 9
Integration with Identity and Access Management Tools: 10
Custom dashboards and workspaces: 10
Host and network-based intrusion detection: 10
Log retention: 10
Data integration/API management: 10
Behavioral analytics and baselining: 7
Rules-based and algorithmic detection thresholds: 8
Response orchestration and automation: 10
Reporting and compliance management: 10
Incident indexing/searching: 10