Reviewing Splunk For Enterprise Security

I gave a brief presentation on using Splunk for Enterprise Security after having used Splunk for a while.  Here is a summary of my thoughts:

Splunk for Enterprise Security seems to primarily be two things: a ticketing system and an investigation system.

The ticketing system is alright.  I’d already had Splunk integrated into an enterprise ticketing system.  From the ticketing perspective, Splunk ES is relatively weak.  Alerting / notifications and metric tracking leave a lot to be desired.

The investigation system is built on two explorer dashboards, one for identities and one for assets.  If I view an asset, for example, Splunk ES can show Windows events, IDS events, and firewall events all in a single dashboard.  It is very polished.  I’d suspect an organization further along in Splunk may already have a homebrew version of this.  My previous environment had something in the infant stages of this.

Splunk for Enterprise Security is heavily built on data models.  I’d argue the Knowledge Object course is more useful to a security practitioner than the Using Enterprise Security or Administering Enterprise Security course.  If you’ve already been using Splunk for a while, you likely already have dashboards and alerts with functionality similar to Splunk for Enterprise Security.  The ES training seemed focused on understanding the dashboards more than understanding the underlying Splunk ES architecture.

If you’ve been using Splunk for a few years, Enterprise Security isn’t going to wow you.  You’ve already got plenty of alerts and dashboards to compete with the package out of the box.  It will, however, allow you to build much better searches going forward.  Having used it for a few months, I have correlations in Splunk ES that I doubt I could have ever written as alerts in Splunk.