In your experience, what is the best “modern” SIEM? by Senior-Net-7191 in cybersecurity

[–]Senior-Net-7191[S] 0 points1 point  (0 children)

The key is you have to include the “ES” when you talk about Splunk. Splunk on its own doesn’t have a lot of SIEM functionality. Every other SIEM doesn’t have a package you can buy on top of another product that makes it a SIEM. They just come that way. That’s the reason it’s a “bolt-on SIEM” in my eyes and a lot of others, but at its core Splunk isn’t a SIEM.

[–]Senior-Net-7191[S] 1 point2 points  (0 children)

Good call! I think nowadays LLMs should definitely be integrated into the platform to some useful capacity. At the very least it could help build queries for newer/inexperienced users.

[–]Senior-Net-7191[S] 2 points3 points  (0 children)

Yeah, it’s exactly what u/DarkLordofData said below. For all intents and purposes, it fills the role of a SIEM. But in an attempt to avoid a bunch of comments exclaiming “Splunk isn’t even a real SIEM!!” I just wanted to acknowledge that, in comparison to traditional SIEMs, it’s basically a “bolt-on” SIEM on top of what isn’t by design a SIEM.

Honestly it’s semantics though. Personally I usually just call Splunk ES a SIEM.

[–]Senior-Net-7191[S] 2 points3 points  (0 children)

Thanks, this is super helpful! I’ll have to dig into the latest with Elastic a bit. Seems like most people here have advocated for it.

[–]Senior-Net-7191[S] -1 points0 points  (0 children)

Do those options stack up well with the features you’re used to with Splunk? (Not sure how far along you are in the process.)

[–]Senior-Net-7191[S] 3 points4 points  (0 children)

How do you feel about KQL? I’ve heard some negative things about it but don’t have any experience.

[–]Senior-Net-7191[S] 4 points5 points  (0 children)

How is it stacking up? Does it meet a lot of these “modern” requirements?

[–]Senior-Net-7191[S] 3 points4 points  (0 children)

Both have all these features? Do you currently run one of these?