Splunk Enterprise Security


Splunk Enterprise Security offers continuous monitoring, threat detection and incident response in a SIEM platform. It also runs a SOC and executive view of compliance and business risk, enabling organizations to detect, investigate and respond to threats. It is scalable and analyzes all security relevant data in real-time to provide organization-wide visibility, intelligence, and analytics. Options for deployment models include on-premises, public or private cloud and SaaS. The solution aims to make all solutions work together in a bidirectional way with more than 1,000 applications and add-ons.

Splunk ES uses a set of frameworks to support monitoring and alerting to enable organizations to quickly respond to attacks, bolster security operations, gain comprehensive visibility into their security posture across all machine data, augment detection and investigation with advanced analytics, and make informed decisions backed by leveraged threat intelligence, network, and endpoint data. It supports a variety of full integrations. All dashboards can be exported into a downloadable report through the Protocol Center.

Upon logging into Splunk Enterprise Security you are greeted with a window that asks if you would like to take the tour, which allows you to interact in almost every main tab. The interface itself is modern and virtually anything can be drilled down into for more detail.

The Security Posture tab shows occurrences by level of urgency that users can click on to see all categories related to that scoring. This essentially shows a high-level overview so analysts know what they should investigate. This is customizable with thresholds based on your specifications. The Incident Review tab is where most analysts will look first with notable events and metadata around them that can be used for correlation searches ranging from simple to very complex statistical analyses. You can also perform actions on individual events of groups of events. You can also pivot from here directly into the Asset Investigator. Analytic Story Detail shows you what the search is with a description appropriately labeled “Explain it like I’m 5” to give you a thorough understanding of detection, implementation, investigation and the like. The Asset Investigator and Identify Investigator have charts akin to swim lanes comprising various categories of attack types on a timeline. Select any of these periods in individual categories or several periods across multiple lanes for deeply granular information. You can use the group select feature to aggregate data into a single place.

Starting price depends on maximum daily volume of data ingested in GB/day. Perpetual, Term, and multi-year term license options are offered. Annual term license pricing is $2,000 for 1GB/day, $6,000 for 10GB/day, and $20,000 for 100GB/day.

Tested by Matthew Hreben

Product title
Splunk Enterprise Security
Product info
Vendor: Splunk Price: Dependent on maximum daily ingestion. Contact:
Explain it like I’m 5” thoroughly breaks down the entire security response phase from detection and investigation to remediation and beyond.
Lack of free support options beyond online documentation and community support.
Unique Use-Case Library and search functionality allows for quick, single-pane viewing of aggregate data for investigation, manual threat hunting, and complex statistical analyses.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.