Splunk ES, a great tool to use with some caveats!
Updated December 18, 2025

Anonymous | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Overall Satisfaction with Splunk Enterprise Security

I use the product to help monitor, analyze and potentially mitigate certain security issues that may come up. This includes acting as a secondary for escalations and looking at some alerts. I also use it to action on data that may be of use to our organization. It is helpful to organize alerting and easy to take action.

Pros

  • Monitoring log activity for potential security problems
  • The interface for investigations is pretty easy to use
  • Enjoy the high level detail the product gives for alerting
  • Nice playground for keeping track of investigations
  • Easy to create new notables to track further items.

Cons

  • Crazy awful latency when loading
  • Sometimes the events tab won't show any logs
  • Difficult to follow certain parts of investigations, but this is being addressed with Mission Control. (I'm talking about the original interface)
  • Confusion about where to easily navigate to view what items make up risk score as the interface can be confusing.
  • Lowering the risk score is extremely obnoxious.

  • Fast MTTD, but no specific numbers
  • Excellent integration with other tools, so we don't have to pay for an additional service

It is mostly easy to use, but it can be difficult to find all the pieces as a user. Investigations can be challenging, and since the information is not all there, it is still necessary to do general searches through the logs. The logs that the page directs to are mostly just the risk alerting that compiles and creates the alert, rather than the original logs that were tied to the risk creation of the alert.

I did not choose this product. Overall, although I like ES, I think Sentinel is in certain ways the superior product. The Kusto Query Language is a lot easier to use. For instance, anything that requires manual parsing in a query can be more difficult with this product. Also, some of the logs are hard to find, and you have to have better knowledge of the environment to know which logs you need to look through. It's not just listed on the side.

Do you think Splunk Enterprise Security delivers good value for the price?

Not sure

Are you happy with Splunk Enterprise Security's feature set?

Yes

Did Splunk Enterprise Security live up to sales and marketing promises?

I wasn't involved with the selection/purchase process

Did implementation of Splunk Enterprise Security go as expected?

I wasn't involved with the implementation phase

Would you buy Splunk Enterprise Security again?

Yes

I like how it's all one dashboard and there is not a separate SIEM from the actual log aggregator. This makes investigation a lot more efficient and makes it easy to complete said investigation. It is easy to close multiple alerts together and to link items when the notables are part of an overarching issue. It is also easy to make another notable. It is easy to change the risk score to lower the alerting threshold.

Splunk Enterprise Security Feature Ratings

Centralized event and log data collection: 10
Correlation: 9
Event and log normalization/management: 10
Deployment flexibility: 10
Integration with Identity and Access Management Tools: 10
Custom dashboards and workspaces: 10
Host and network-based intrusion detection: 7
Log retention: 10
Data integration/API management: 9
Behavioral analytics and baselining: 10
Rules-based and algorithmic detection thresholds: 5
Response orchestration and automation: 8
Reporting and compliance management: Not Rated
Incident indexing/searching: 9

Splunk Enterprise Security Reliability

The sky's the limit on this product. It is easy to correlate logs from multiple sources and create excellent results from the product. It's a really good product; the issue is that it wasn't created as this, but as a log aggregation tool on top of which someone later created a mostly usable app to tack on.

It takes a long time for items to load if you are just generally searching through logs. It is best to use the data models, which load faster but can be strange in terms of what is coming from which logs where. Yes, you can look it up, but this also requires familiarity with where things are and how to look them up.
