Splunk Enterprise Security analyzes relevant data in real-time at scale to give visibility into security intelligence and analytics at the organization level. This visibility helps security teams to quickly detect, investigate and respond to modern attacks and threats. By integrating with adjacent technologies, this SIEM provides a comprehensive security posture across all machine data. Enterprise Security expands and augments detection and investigation capabilities leveraging advanced analytics so security analysts can make informed decisions.

Organizations may easily customize this SIEM, picking and choosing the features they want and displaying them according to their own preferences. A massive library of integrated applications provides many resources from which SIEM systems may ingest data. While the flexibility of this platform will likely work well for seasoned security professionals, some first-time users may find the rather complicated setup and the sheer number of configurations daunting 

The flexible dashboard includes several high-level breakdowns of notable events. It also draws attention to key security indicators (KSIs), those indicators that an organization has deemed relevant, highlighting meaningful environmental trends so security analysts can quickly prioritize threats. Customizable KSIs come available out-of-the-box and integrate easily with the very slick and highly customizable MITRE ATT&CK dashboard. Security teams can also create sequenced events by stringing together notable events and correlations they have uncovered during their investigations.

The powerful Asset Investigator search tool simplifies log searches by identifying suspicious behaviors and providing plain English explanations of events. Asset Investigator also offers a customizable swim lane view that categorizes events for better visualization. Several lanes come out-of-the-box as pre-packaged templates.

Another great investigative tool is the incident review page. It enriches the framework of assets and identities to streamline log data and update lookup tables, thereby adding relevant and readable contextual information about notable events.

Splunk Enterprise Security offers automated threat response as well as manual override. It also maps easily to various cybersecurity frameworks to support compliance efforts and provide suggested remediation actions according to industry best practices. Adaptive response actions point to different elements layered into the platform, while automated actions initiate a playbook or send an event to Phantom for triage.

The free machine learning toolkit available on the platform can predict threats, forecast outliers and cluster events. It comes with several pre-packaged analytic options that group stories together and give a narrative explanation of an event as well as reasons for linking certain elements together.

Splunk Enterprise Security is a very powerful SIEM with one of the most comprehensive integration lists we have seen. The sheer number of customizations and configuration options in this platform may overwhelm first-time users and even experienced professionals may need more time than usual to configure it. However, it is easy to see why Splunk is a segment leader. The flexibility and performance of Enterprise Security impressed us and we believe it is a great choice for more developed security teams with mid-level analysts.

Pricing starts at $2,000 for an annual license at 1GB per day and includes 8/5 phone, email and website support. Customers also have access to a knowledgebase. 

Tested by: Tom Weil