Our Outcomes from Using Splunk ES
Use Cases and Deployment Scope
Pros
- Instead of reviewing thousands of low level alerts, I can prioritize risks based on the entity's risk score on the risk based alerts dashboard
- The adaptive response framework allows me to link alerts directly to our SOAR playbooks in phantom. This way I can automate triage steps that traditionally took hours.
Cons
- Creating complex custom correlation searches sometimes feels more complicated than it should. You need deep SPL experience to build anything beyond basic logic.
Likelihood to Recommend
Splunk thrives in environs that already have mature log pipelines and dedicated teams to maintain them. Its power lies in its flexibility. However, if your data sources are unstructured or inconsistent, you'll constantly write and rewrite custom regex transformations - at an unjustifiable cost effort wise.
