What is our primary use case?
I utilize Splunk Enterprise Security to create alerts within various use cases, including data onboarding, gap analysis, and business testing. I ensure that the use cases adhere to the defined criteria and address any changes or requirements raised by the client. Additionally, I handle any necessary backend modifications in Splunk by deploying code to appropriate environments, including the production environment.
We implemented Splunk Enterprise Security to capture more effective alerts. We create alerts to utilize advanced filtering capabilities. Additionally, we employ Sentinel as our endpoint security application. I have created all instances of the query as intended and have mapped them to Splunk. However, the corresponding alert is not being generated. These are the areas that require attention.
My expertise lies in Splunk Cloud and Azure. While I have worked with AWS in the past for a short period, my current focus is on GCP and Splunk Cloud. My responsibilities involve troubleshooting, alert verification, and key generation. Based on specific requirements, I employ my self-generated queries to identify the relevant fields, such as email or location. Next, I implement lookup conditions and pinpoint the table containing the desired field type. This process allows me to determine the specific requirement of the use case and define the search parameters accordingly. Finally, I conduct a time-bound search to identify any defects.
I deploy to Splunk Cloud, GCP, and on-premises environments. I have experience working with both platforms. When working on the cloud, we don't have the same level of visibility as we do on-premises. For example, we cannot directly access the fraud department systems. In the cloud, we must make all changes and deployments through the Splunk UI. This is relatively straightforward, as there is no backend to manage. However, it requires a thorough understanding of the configuration files and the data fields we need to modify.
How has it helped my organization?
We manage multiple cloud environments, including Splunk Cloud and GCP. Splunk Enterprise Security dashboards make it easy to monitor these environments seamlessly. We have a single user interface that allows us to log in to our account instantly and check for any issues, such as Data Collection Processor errors. This unified UI also provides access to the back end of both Splunk Cloud and GCP instances, eliminating the need to switch between different platforms. Whether we need to manage Splunk Cloud or GCP settings, we can do so directly from the UI, which is easy.
Splunk offers comprehensive visibility into our IT infrastructure. The only challenge lies in managing multiple user accounts. We need to create separate accounts for the UI, production environment, and staging environment. Additionally, if we have a DCP or a system cloud, we need to create corresponding accounts. Once that is done we can log in and use it.
Regarding Splunk Enterprise Security's insider threat detection capabilities, we receive an alert for every new case creation. If there is a high likelihood of a specific alert occurring, we have a corresponding use case in place to address it. We also receive soft tickets, which are potential alerts that may materialize in the future. These soft tickets are documented in Jira, and we continuously monitor them. By analyzing these alerts, we can identify potential issues. For instance, this morning, we received an alert for a new case with a missing application name. The interaction table contains the destination user account, process ID, process name, OS, and other relevant information, but the application name field is blank. We investigate this particular use case to determine the cause and timing of the alert. Since we are receiving the alert slightly earlier than expected, we consult the ticket for further details and substitute any missing information.
I have utilized the MITRE ATT&CK framework when the use case pertains to a specific data model. To comprehend the data model, we examine the processes involved or the fields that a particular tool utilizes. To achieve this understanding, we align the MITRE ATT&CK framework with the data modules. Subsequently, we extract the field name and field value. When dealing with ranges and incident changes, we must input the corresponding MITRE ATT&CK ID. This involves determining the tech ID and identifying the ID values associated with it.
Using Splunk Enterprise Security to analyze malicious activities and detect breaches is an efficient approach. When testing a use case, it's not necessary to manually enter the application name as it's provided automatically. Since the requirement is for SSO, we need to verify whether it's LDAP, Splunk Cloud, or AWS. Occasionally, irrelevant results may appear during data ingestion. We test for subscription-related issues and analyze the results. This testing process provides insights into the circumstances that trigger specific alerts. Malicious activities will undoubtedly be detected, and all our requirements will be met. Alerts are generated whenever unusual timeframes or activities occur. Various filtering criteria allow us to identify and capture specific user IDs or patterns within events. This capability proves to be highly beneficial.
The speed at which Splunk Enterprise Security detects threats could always be faster but it is designed to detect threats quickly. It uses various techniques, including queries, to identify and analyze potential threats. This allows it to produce faster search results than traditional methods, enabling us to locate the information we need more efficiently. While I cannot provide an exact percentage of how much faster it is, it is undoubtedly significantly faster. It can process thousands of events, ranging from twenty thousand to thirty thousand, in a very short period.
I've gained valuable knowledge from having to troubleshoot various situations. For instance, I've learned that the SIM needs to be flipped to use the new applications. Additionally, I've discovered that the error limit for event results should be increased beyond 10,000 because the source type values have increased significantly. This ensures that alerts are received even when there are large volumes of data. Furthermore, I've learned that some clients have different index limit requirements. Some clients require a seven-day index limit due to licensing restrictions or data ingestion considerations. Those who have the larger license opt for a 15 or 30-day index limit. In these cases, the large amount of data generated can necessitate a 1TB or higher index size limit. These learning experiences have been invaluable in my work, and I'm constantly encountering new scenarios that expand my knowledge base.
Splunk Enterprise Security has helped speed up our security investigations.
What is most valuable?
The best part of Splunk Enterprise Security is its customizable settings. We can modify the front-end interface, data sources, and various other aspects to suit our specific needs. This flexibility makes it extremely user-friendly and convenient.
Apart from its customizable settings, Splunk Enterprise Security also offers a range of other advantages. It enables us to easily analyze logs, use field queries, and perform other tasks without requiring any extensive training. The search function is intuitive and straightforward, making it accessible to anyone.
The UI-based reporting dashboard is another highlight of Splunk Enterprise Security. It provides real-time visibility into important metrics and allows us to drill down into specific events for in-depth analysis.
What needs improvement?
Splunk Enterprise Security has not helped reduce our alert volume. We need to separate a few of the alerts, and if there is a time based on the priority, we put the time at what time it needs to appear every day or for seven days or more days. If an alert is present or if something is triggering, then it will be detected. However, the number of alerts that can be handled effectively depends on the specific use case. For each result that is affecting the system or for any specific issue, only those particular alerts should be generated. We can define a timer and determine how often checks should be performed. For example, weekly checks may be sufficient in some cases. However, if there are hundreds of alerts generated in a week, it may not be possible to handle them all effectively. Testing must be conducted to filter out unnecessary alerts. Therefore, clear boundaries must be defined in the use case when creating alerts.
The price for Splunk Enterprise Security is high and has room for improvement.
For how long have I used the solution?
I have been using Splunk Enterprise Security for two years.
What do I think about the stability of the solution?
Splunk Enterprise Security is an extremely stable product.
Splunk is compatible with a wide range of other products and is not constrained by specific configurations. Whether it's a single-sided or multi-sided cluster, whether it's used by a single team or multiple teams across different program locations, Splunk is flexible and adaptable. Data recovery is also a key feature, ensuring that data is never lost. This is one of Splunk's most significant advantages. Multiple indexes are maintained to safeguard data integrity, so even if one index fails, the data remains accessible to all users at all times.
What do I think about the scalability of the solution?
Splunk Enterprise Security is scalable.
Which solution did I use previously and why did I switch?
Comparing SentinelOne and Splunk, we've found that SentinelOne requires a thorough understanding of our processes, including their business context, process names, and all relevant conditions. In contrast, Splunk is more forgiving, allowing us time to learn and adapt. Additionally, SentinelOne's pricing structure can be more complex compared to Splunk's straightforward approach.
While Splunk offers ease of use, better visibility, and intuitive management, SentinelOne demands more technical expertise to implement and maintain. Splunk, on the other hand, provides granular control over event filtering, enabling us to retrieve detailed information based on specific criteria, such as Linux or Windows events. SentinelOne, however, may not provide the same level of precision, requiring more precise query formulation.
How was the initial setup?
The initial deployment is straightforward. We only require the name and the value, and the process is very quick. We were already using GitHub, GitLab, and GitPass, so integration with Splunk was seamless. Splunk is compatible with all of these applications, which makes it a good fit for our needs. We are also using ServiceNow, and Splunk communicates seamlessly with it to raise tickets. The overall deployment time is minimal. One person can manage the deployment process, and I have completed 18 deployments myself. Each deployment takes one day to finish.
What's my experience with pricing, setup cost, and licensing?
The cost is on the high end, which makes it difficult for some organizations to use. However, the benefits outweigh the cost.
What other advice do I have?
I would rate Splunk Enterprise Security eight out of ten. While I have not explored all aspects of Splunk, I have found Splunk Enterprise Security to be a useful and reliable tool in the areas I have used.
Splunk is deployed in one location. On our team that works on the SIM development team, we have 28 people who use Splunk Enterprise Security.
Splunk Enterprise Security necessitates ongoing maintenance. Tuning tickets are available, so we perform the necessary tuning, and if there is an outdated ticket, we make the required changes. I addressed a ticket from 2018 that required tuning. They requested certain additions, such as authentication or a new index, and maintenance is performed to incorporate these new features.
In multi-cluster environments, maintenance can be performed from different locations simultaneously. This feature is very convenient and allows for flexible maintenance scheduling.
I recommend Splunk Enterprise Security because it is a comprehensive solution for enterprise security. I'm currently working on the SIEM component, but the SIM is also available. Splunk offers various ways to search and configure, making it very easy to use, even without prior knowledge. We can seamlessly integrate Splunk into our existing workflows.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Google
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.