The company charges you for extra storage, they charge extra for encrypting your data at rest, and the SIEM itself is an additional cost on top of their core product (which you must buy). It’s challenging for Sentinel users to plan an annual budget for SOC costs. This model presents a challenge for customers with bursty data needs - either you over-provision for the majority of the time, or you pay occasional penalties for exceeding your reserve. Since Sentinel pricing is reserve-based, exceeding your reserve puts you into an “on-demand” pricing structure, which can escalate quickly if you significantly exceed your reserve. The biggest charge to watch for is the additional cost associated with exceeding your reserve pricing.
SPLUNK EDUCATION LICENSE
While Sentinel’s license includes all features, it does have some pricing pitfalls you need to consider.
However, if your security team is on its own to do all the setup, configuration, dashboard and query building, it may be difficult to realize value from such an expensive platform. If you have a team of dedicated Splunk experts who can perform the configuration, set up the dashboards, and build the queries for your SOC analysts, then you might obtain a lot of value from using it. Many SOC analysts struggle with Splunk Enterprise Security.
Since Splunk uses a proprietary query language (SPL), it is not easy for general security analysts to use.
It takes a lot of time and training to become proficient with the Splunk platform. But most SOC analysts are not also Splunk experts. And automating tasks and responses in other cloud providers, such as AWS and GCP, will be equally troublesome.įor an experienced Splunk ninja, it could improve analyst performance. Onboarding custom application logs will be especially difficult. This could lead to long query times, and thus long investigation times, as data ingestion scales up.įor customers who have a broad mix of Microsoft and non-Microsoft technologies, Sentinel could be more trouble than it’s worth. The weakest link in the Sentinel story is arguably the underlying Microsoft SQL database service, which doesn’t have a great reputation for being the most performant and scalable database. The Logic Apps offer a way to automate tasks and responses within your Azure environment without an incredible amount of coding. The ease of getting data into Sentinel from Microsoft data sources - such as Microsoft 365 Defender or Defender for Endpoint - gives Sentinel a quick time to value curve for organizations with an entirely Microsoft ecosystem. If you are a 100% Azure cloud organization, or a combination of mostly Microsoft on-premises technology and Azure, then Sentinel could be a very attractive solution. The integration process is described in Splunk’s documentation under the section “Threat Intelligence Framework.”ĭo Sentinel and Splunk make your SOC analysts more effective? It does offer the ability to integrate with a TIP, but that integration must be set up manually. Splunk does not offer threat intelligence enrichments out of the box.
SPLUNK EDUCATION HOW TO
You’ll find documentation on how to manually set up data from TIPs in Sentinel’s documentation: These must be manually configured in your Sentinel environment. But it does support several connectors with threat intelligence feeds. Sentinel does not have an integrated, out-of-the-box TIP. It can be difficult for users of Splunk Enterprise Security to integrate with a different SOAR platform.ĭo Sentinel and Splunk have an integrated threat intelligence platform and other enrichments? For example, Splunk has its own SOAR (a really good one it acquired from Phantom) and encourages end users to use it. But Splunk wants you to use everything in its ecosystem. Splunk ingests data from just about any on-premises or cloud data source. For customers who are 100% Azure, Sentinel has a great deal of flexibility, but for customers who have a multi-cloud environment, it may not be the best fit. However, automating tasks for anything outside of Azure - such as Amazon Web Services (AWS) or Google Cloud Platform (GCP) - will be much more difficult and require a great deal of effort and coding.
Sentinel also provides pre-built playbooks, including more than 200+ connectors so you can build your own actions. Azure Logic Apps’ managed connectors are used to link Sentinel to other components or services. Microsoft includes a SOAR as part of the solution and provides playbooks to automate tasks and responses to alerts and detections. Sentinel plays well with anything inside the Azure stack. Which works better with other applications and platforms?
0 kommentar(er)
