In terms of its ability to predict, identify, and solve problems in real-time, it works really well when you are connected to the Internet. We work on the issues as we get them and I am sure it saves a couple of hours. We are a small environment, so we do not get a lot of alerts. We can take a look at the raw logs, but we should be able to find the actual event that caused the problem and see all the logs associated with it in a standard log format as opposed to just a text file with all the events added in.

It would be nice if there were better ways to search for the data. It probably saves them a couple of hours considering it is colocating everything in one location. We can easily track down and figure out where issues lie, which minimizes the time of my SOC team. Splunk has helped improve our organization's business resilience because it is a central location where correlation searches populate. I believe Splunk Enterprise Security has reduced our mean time to resolve, but we do not have any definitive timing metrics. This way, I can track down security events before they become threats.

However, it would be nice if I could select certain anomalies that would be helpful with notables. I wish anomalies would go in there, but I can understand why they don't, as it generates so many anomalies. Any threat generated inside of that goes into Enterprise Security. We added user behavioral analytics, so it imports everything. There have been some improvements, especially related to centering.