Splunk was founded in 2002 and went public in 2012. Currently, 40 percent of the company’s business comes from security. Splunk ES is used with its core Splunk Enterprise product, which can search, monitor and analyze any machine data to provide insight.
What Is Splunk ES?
Splunk’s flagship SIEM technology, Enterprise Security (ES), shows Splunk’s origins in analytics. It integrates with the company’s User Behavior Analytics (UBA), Machine Learning toolkit and Phantom Security Orchestration Automation and Response (SOAR). Splunk Enterprise Security supports all basic and advanced SIEM features, as well as tool orchestration and automation across the security and IT ecosystem, and analytics with machine learning-based anomaly and threat detection. Splunk ES is an analytics-driven SIEM that enables security teams to detect, investigate and respond to internal and external attacks, and to simplify threat management. It centralizes and aggregates all security-relevant events as they’re generated from their source. In addition, it supports a variety of reception/collection mechanisms, and provides ad hoc searching and reporting for breach analysis.
In recent months, the company has introduced additional features such as:
- Event Sequencing to help optimize threat detection and accelerates investigations
- Use Case Library simplifies incident detection and response
- Investigation Workbench reduces time to contain and remediate threats by centralizing data
See our complete list of the Best SIEM software solutions.
What Are the Top Features of Splunk SIEM?
Threats blocked: Tops. Splunk ES can help identify and remediate all security threats, including ransomware, cryptojacking, DDoS attacks, malware, phishing, insider threats, and more.
Sources ingested: Very good. Splunk’s app store, Splunkbase, has more than 900 apps from different security technology organizations.
Performance: Very good. Splunk ES customers use it for many Terabytes per day.
Value: Very good. Gartner clients that have implemented Splunk raise concerns about the licensing model and overall cost to implement the solution. However, those willing to pay the price or Splunk ES are likely to see good ROI. A large U.S. cabinet-level department swapped out a legacy SIEM tool with Splunk Enterprise and saved $900,000 a year on software maintenance.
Implementation: Good. For Splunk Cloud, Splunk ES can be ready to use in days if the data sources are accessible. For on-premises deployments, however, Splunk does not offer an appliance version. Organizations must work with a Splunk partner that provides the integration on supported hardware. In general, implementation takes anywhere from a few days to a few weeks.
Management: Very good. Splunk ES has built-in management features and workflows that simplify configuration, maintenance, auditing and customizing. While it may not the easiest security product to manage, users are generally pleased with the benefits.
Support: Good. Customers can choose from Standard or Premium Success Plans. The Standard Plan is for businesses with typical needs and the Premium Plan is for businesses desiring rapid product deployment and adoption (starting at 500 GB capacity).
Scalability: Very good. There are no specific limitations on servers, users or scale for use of ES.
What are Its Security Qualifications?
CC certified. Splunk says it is used by nearly every federal agency.
How Intelligent is Splunk ES?
Splunk’s Adaptive Response framework enables security teams to apply changes to adapt to the attacker. Splunk ES integrates with Splunk User Behavior Analytics (UBA), which uses unsupervised machine learning algorithms to provide anomaly and threat detection. In addition, it is integrated with the Splunk Machine learning toolkit.
How is Splunk ES Delivered?
Splunk ES can be used in on-premises, cloud and hybrid deployment models.
Does Splunk ES Use Agents?
Agents are not required to use Splunk. However, a Splunk universal forwarder can also be used to sit on the endpoint and collect endpoint analytics data.
How Much Does Splunk ES Cost?
Pricing is available as a perpetual or annual term license, is based on maximum daily data ingestion, and starts at $2,000/year for 1 GB/day. Splunk Cloud is available for monthly or annual subscription. Splunk ES is available for Splunk Enterprise and Splunk Cloud and is priced based on max daily volume of data indexed in GB/day. At lower volumes, pricing for Enterprise Security is 1:1 that of Splunk Enterprise and drops to roughly 1:4 at higher volume. Splunk ES pricing is for unlimited users to use all security-relevant data to solve all security-related use cases. It is also available as a cloud service.
What Are the Top Alternatives to Splunk ES?
1 ManageEngine Log360
Log360 is a SIEM solution that helps combat threats on premises, in the cloud, or in a hybrid environment. It also helps organizations adhere to several compliance mandates. You can customize the solution to cater to your unique use cases.
It offers real-time log collection, analysis, correlation, alerting and archiving abilities. You can monitor activities that occur in your Active Directory, network devices, employee workstations, file servers, Microsoft 365 and more. Try free for 30 days!
Graylog is a log management and SIEM that is easier, faster, more affordable than most solutions. It is a scalable, flexible cybersecurity platform that combines SIEM, security analytics, industry-leading anomaly detection capabilities with machine learning that adapts to your environment and grows with your business. Built by practitioners for practitioners, Graylog Security flips the traditional SIEM application on its head by stripping out the complexity, alert noise, and high costs.
3 Managed Threat Complete
Managed Threat Complete extends your team fast with Rapid7 MDR analysts and digital forensics and incident response experts working side-by-side. Your environment is monitored 24/7/365, and threats are acted on, end to end. Data collection is unlimited. Incident response, unlimited. Vulnerability management, unlimited. And it’s consolidation with a strategy: you proactively handle your risks, and Rapid7 reacts for you when a threat gets real.
For more analysis of Splunk, see our SIEM product comparisons IBM QRadar vs Splunk, SolarWinds vs Splunk, ArcSight vs Splunk and LogRhythm vs Splunk.