Know Your SIEM Solutions: Splunk SIEM

Discover whether Splunk's SIEM offering is right for your organization.

Splunk was founded in 2003 and is based in San Francisco, California. The company has historically specialized in high-volume data analytics and monitoring, and has grown its security offering through a series of acquisitions and new deployments. Crucially, Splunk Enterprise Security (ES) offers endpoint and vulnerability protection through its security information and event management (SIEM) product. In March 2024, Cisco finalized its $28 billion acquisition of Splunk, completing a deal that had been announced the previous year.

Availability

Splunk's SIEM offering is available both in cloud-native and on-premise versions. Users can look to augment the cloud version's default capabilities with numerous add-ons and integration offerings available on Splunkbase.

Features and Integrations

In terms of functionality, Splunk excels in data querying, leveraging IT observability data to support advanced security operations such as threat hunting across very large datasets. It merges robust security features with comprehensive IT observability functionality. Notably, there is a focus on risk-based alerting, which draws on the combined visibility of security and IT operations data.

The cloud-native version bundles core SIEM tools with curated detection content, security dashboards, and threat intelligence capabilities that came with Splunk's acquisition of TruSTAR. The integration of user and entity behavior analytics (UEBA) into a cloud-native architecture adds further value to this offering. While Security Orchestration, Automation, and Response (SOAR) remains a separate product, Splunk has nevertheless transitioned its SOAR solution to a cloud-native application.

State of Development

In recent updates, Splunk Enterprise Security (ES) has introduced several noteworthy enhancements and changes to its service offerings and event pricing structure. Among them:

  • The inclusion of threat intelligence platform (TIP) and UEBA functionality, available at no extra cost as value-added features.
  • The adoption of a Splunk Virtual Compute (SVC) pricing model, exclusive to the cloud-native version.
  • The introduction of Splunk Security Analytics for AWS, along with prebuilt dashboards and detection content tailored to AWS-specific security telemetry.

Considerations

To unlock the full potential of Splunk SIEM, it is highly recommended that users acquire a Splunk Enterprise license. At lower usage tiers, users may find that the offering falls somewhat short where analytics rules and built-in compliance reports are concerned.

Splunk also currently lacks native Endpoint Detection and Response (EDR) and Network Detection and Response (NDR) capabilities. Users seeking the full benefit of these approaches will want to consider integration options with adjacent products.

Nevertheless, Splunk still stands among the best-known and most trusted industry-leading SIEM options available. It remains to be seen how the acquisition by Cisco will transform the platform and its offerings in the coming quarters.

Considering building an integration with Splunk or any other SIEM solution? Metron has experience building scalable integrations with numerous security products.

If you are considering any custom cybersecurity solution that focuses on the resources and needs of your organisation, please send a note to connect@metronlabs.com.