Splunk is perhaps the best-known name in log management, due largely to its long-standing community edition, so it was no surprise to us that the commercial SIEM would be a powerful tool. Virtually every product we review that has a reason to gather data from a tool such as Splunk has a direct integration with it, whether the data is structured or not; in fact, Splunk accepts all forms of machine data.
Splunk Enterprise Security (ES) is an analytics-driven SIEM that views machine data generated from security technologies, such as network, endpoint, access, malware, vulnerability and identity information. ES addresses compliance, application security, incident management, advanced threat detection, and real-time monitoring.
The main dashboard, Security Posture, shows the usual overview, with one addition: a function called "Notables," which are correlated alerts. Another thing we liked is that Splunk addresses the concept of risk from the perspective of risk to the business. There has also been an obvious effort to make the user experience as smooth and hassle-free as possible. For example, it takes an average of only three mouse clicks to get from anywhere with drill-down capability all the way to the raw logs, which certainly speeds up the human side of the analysis process.
The incident review capability is detailed and gives a top-level view from which you can drill into details. These details are well annotated, to the extent that you can drill down to the rule that is causing the alert and see exactly what is going wrong. You can view associated events and look at correlations that might otherwise not seem related. The "Next Steps" section suggests how to move your investigation forward.
The Asset Investigator is a neat function that shows everything malicious or possibly malicious related to a particular asset, searched for by IP address. It shows, on a clear stacked graph, such things as all authentications, changes to the asset, threat list activity and various types of attacks, all on a common timeline for easy visual correlation. The authentications to the asset are listed by username.
Access Tracker shows where the asset has connected and when the first access was. Additionally, there is a list of inactive accounts, which lets administrators clear out accounts for users who are no longer with the organization or whose function has changed. This, of course, should be part of an employee's exit process, but it isn't always, so this gives a neat, easy-to-check list of accounts that have been inactive for a pre-selected period of time. The update center tracks updates that should have been applied but for some reason have not.
There is a complete listing of threat artifacts, again to aid investigation. Incident IDs are hashed for integrity, should an investigation end up in court. The tool can consume STIX files, indicators of compromise of most kinds, and just about any third-party intelligence feed.
Devices, logs, etc., can be sent in with one of the universal forwarders. For example, there is one for Windows that works directly between Windows and Splunk. There are forwarders for other environments as well, and for Linux you can use syslog if you wish. Documentation is first-rate, and the website is well organized and complete. Pricing, though a bit complicated, is very reasonable and is based on indexed volume per day.