One SIEM to rule them all
Updated July 20, 2022

Anonymous | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Overall Satisfaction with Splunk Enterprise Security (ES)

Using Splunk Enterprise Security is just amazing. Splunk Enterprise Security is like no other SIEM solution.
Splunk gives us:
- Advanced dashboarding and alerting options.
- Real-time security investigations.
- Anomaly detection.
- With MLTK and SPL, we are implementing some advanced use cases which include statistics and ML.
- With lookups and data models, we created many custom models to run our Threat Intel schemas and threat hunting processes.

Pros:
- Security investigation.
- Threat hunting and threat intel processes.
- Search efficiency with data models.
- Creating investigation workflows.

Cons:
- Splunk Enterprise Security and UEBA could be one platform.
- Real-time searches could be improved (more real-time searches should be added, etc.).
- Configuration and management is hard for newbies.
- Creating investigation workflows for specific rules or groups.

Return on investment:
- Faster search, index retention and weekly updated Security Content.
- Reduced time in Threat intel workflows.
It has indeed. With the new version of Splunk Enterprise Security and Core, we see so many differentiations like the brand new RBA, Correlation searches, and Investigation dashboards. With RBA you can easily tell your SOC team to prioritize notable events and where to start. You can also prepare custom investigation workflows for custom rules. It's a really cool feature that I have never seen in any other SIEM solution.

- 8 out of 10; I took 2 off for the data pipeline and administration part. Even if you'd like to improve yourself or your team, you have to pay a lot of money, and it could be more than GIAC education + cert.
- Normalization for data models and CPU-based searches can be a problem sometimes.
- Schema-on-the-fly indexing gives you faster index searches. Even if you use data models, it's 100x faster as well.
- Correlation with other domains easily gives you total visibility and reduces the time to investigate and understand the problem.
- With lookups and trust, you can easily ingest your TI platforms and look for backlog and real-time data.
- Splunkbase.
- RBA also uses unsupervised learning, so it's not like QRadar or McAfee. If we look at QRadar or McAfee, they give some magnitude values with static rules and define incident levels with that.
- Advanced investigation options and out-of-the-box security metrics tell you where you are.
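The reviewer's point about RBA is that many low-fidelity signals attributed to one user or host are accumulated into a single risk score, and the SOC is handed a prioritized list instead of a flood of individual alerts. The following is an added illustration of that aggregation idea in Python; it is not the reviewer's code and not Splunk's implementation. The sample events, the 24-hour window, and the thresholds (total score of 100, three distinct ATT&CK tactics) are all constructed assumptions chosen to show how a set of weak observations crosses a threshold together while a single strong but stale one does not.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RiskEvent:
    """One risk observation attributed to a risk object (a user or a system)."""
    time: datetime
    risk_object: str        # the user or host the observation is attributed to
    risk_object_type: str   # "user" or "system"
    risk_score: int         # weight the detection assigns to this observation
    rule: str               # name of the risk rule that produced it
    tactic: str             # ATT&CK tactic annotation carried by that rule


# Reference time for the window (constructed; normally "now").
NOW = datetime(2022, 7, 20, 12, 0, 0)
WINDOW = timedelta(hours=24)

# Constructed sample observations. None of these would justify a notable alone.
SAMPLE_EVENTS = [
    RiskEvent(NOW - timedelta(hours=20), "alice", "user", 20, "Excessive failed logins", "Credential Access"),
    RiskEvent(NOW - timedelta(hours=9), "alice", "user", 40, "Process launched from temp directory", "Execution"),
    RiskEvent(NOW - timedelta(hours=5), "alice", "user", 30, "Rare scheduled task created", "Persistence"),
    RiskEvent(NOW - timedelta(hours=1), "alice", "user", 25, "Unusual outbound DNS volume", "Command and Control"),
    RiskEvent(NOW - timedelta(hours=6), "srv-web-01", "system", 60, "Encoded PowerShell command", "Execution"),
    RiskEvent(NOW - timedelta(hours=2), "srv-web-01", "system", 30, "Connection to newly registered domain", "Command and Control"),
    RiskEvent(NOW - timedelta(hours=30), "bob", "user", 200, "Credential dumping tool observed", "Credential Access"),
    RiskEvent(NOW - timedelta(hours=3), "bob", "user", 10, "Login from new country", "Initial Access"),
]


def aggregate_risk(events, window=WINDOW, now=NOW):
    """Sum risk per object over the trailing window and collect the contributing rules/tactics."""
    cutoff = now - window
    summary = defaultdict(lambda: {"score": 0, "rules": set(), "tactics": set(), "type": None})
    for ev in events:
        if ev.time < cutoff:
            continue  # stale observations age out of the window
        entry = summary[ev.risk_object]
        entry["score"] += ev.risk_score
        entry["rules"].add(ev.rule)
        entry["tactics"].add(ev.tactic)
        entry["type"] = ev.risk_object_type
    return dict(summary)


def risk_notables(summary, score_threshold=100, tactic_threshold=3):
    """Apply two risk-incident style rules and return notables, highest risk first."""
    notables = []
    for obj, entry in summary.items():
        reasons = []
        if entry["score"] >= score_threshold:
            reasons.append(f"aggregate risk {entry['score']} >= {score_threshold}")
        if len(entry["tactics"]) >= tactic_threshold:
            reasons.append(f"{len(entry['tactics'])} distinct ATT&CK tactics observed")
        if reasons:
            notables.append({
                "risk_object": obj,
                "risk_object_type": entry["type"],
                "score": entry["score"],
                "contributing_rules": sorted(entry["rules"]),
                "reasons": reasons,
            })
    # Sort by descending score: this ordering is the "where to start" list for the SOC.
    notables.sort(key=lambda n: (-n["score"], n["risk_object"]))
    return notables


def run_demo():
    """Aggregate the constructed events and return (per-object summary, notables)."""
    summary = aggregate_risk(SAMPLE_EVENTS)
    return summary, risk_notables(summary)


if __name__ == "__main__":
    summary, notables = run_demo()
    for obj, entry in sorted(summary.items(), key=lambda kv: -kv[1]["score"]):
        print(f"{obj:12} score={entry['score']:4} tactics={len(entry['tactics'])}")
    for n in notables:
        print(f"NOTABLE {n['risk_object']} ({n['risk_object_type']}): {'; '.join(n['reasons'])}")
```

Running it shows "alice" as the only notable, reached through four separate low-weight detections spanning four tactics, while "srv-web-01" stays below both thresholds and "bob"'s high-scoring event is ignored because it falls outside the window. That is the behaviour the reviewer is describing: triage effort goes to the entity whose accumulated evidence is strongest, not to whichever individual rule happens to fire loudest.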

Less appropriate scenario:
- If you don't have enough employees, I recommend using an MSSP or maybe another SIEM with Splunk core. It can be hard to catch and replace your current SIEM.
Well suited scenario:
- Machine learning and statistics. We developed many use cases for anomaly detection, and with Splunk we implemented them and applied them on real-time data!

Splunk Enterprise Security (ES) Feature Ratings

- Centralized event and log data collection
- Event and log normalization/management
- Deployment flexibility
- Integration with Identity and Access Management Tools
- Custom dashboards and workspaces
- Host and network-based intrusion detection
- Log retention
- Data integration/API management
- Behavioral analytics and baselining
- Rules-based and algorithmic detection thresholds
- Response orchestration and automation
- Reporting and compliance management
- Incident indexing/searching