Splunk vs. Elastic Stack

I believe when we built a solution for any customer SOC environment, we need to take a survey of running equipment, their IoS and our product should compatible with their resources , APIs , third party integration, log management and the reporting mechanism should be good enough to understand each and every security aspects.  There are multiple tools are available for the comparison of different SIEM enterprise solution. As per my experience, splunk and arcsight is compatible for most of the customer environment, even though devices are not updated.

Hi @Netanya Carmi​, Below are some comparisons on features and Integrations.  Azure Monitor Splunk Full observability into your applications, infrastructure, and network. It provides sophisticated tools for collecting and analyzing telemetry that allow you to maximize the performance and availability of your cloud and on-premises resources and applications; Search, monitor, analyze and visualize machine data. Splunk Inc. provides the leading platform for Operational Intelligence. Customers use Splunk to search, monitor, analyze and visualize machine data.                                    IT Infrastructure Monitoring Features Application Monitoring √ √ Bandwidth Monitoring √ X Capacity Planning √ X Configuration Change Management √ √ Data Movement Monitoring √ √ Health Monitoring √ X Multi-Platform Support √ X Performance Monitoring √ √ Point-in-Time Visibility √ X Reporting / Analytics √ √ Virtual Machine Monitoring √ X                                                 Integrations Squadcast √ √ Amazon EKS X √ Amazon Redshift X √ Amazon Web Services (AWS) X √ Azure DevOps Services √ X Azure Logic Apps √ X Azure Stack √ X Beats √ X CMS Hub X √ CyberOne X √

Splunk handles a high amount of data very well. We use Splunk to capture information and as an aggregator for monitoring information from different sources. Splunk is very good at alerting us if we have problems somewhere or if we are not getting the flow we expect. It is very easy to search for queries and events and then do analysis. The flexibility of the search capability is extremely valuable. Splunk works well with other solutions. It is very easy to set up and very straightforward to deploy. The more data you process with Splunk, the more expensive it gets; an improved pricing model is needed. It would be great if Splunk had more SIEM functionality with better customization and a better ticket tool. The on-premises scaling is a bit more limited than on the cloud. Splunk currently has some limited default rules and customizations. If they could concentrate more on compliance and security information, that would be an added bonus. Azure Monitor has made it significantly easier for us to monitor applications and infrastructure for possible problems. This solution offers a survey of surveillance in real time and a very helpful dashboard. Azure Monitor, which is integrated with Azure DevOps, has good load gathering and very good analytics. We get useful alerts with Azure Monitor that make recommendations about the security and the platform. There should be more specific detail about where problems lie. Azure Monitor is lacking somewhat in vulnerability assessment; this aspect could be better. Their automation also needs some improvement. From gathering metrics from more applications to getting processes quickly started when something goes down, automation should be better. Conclusion: For us, Splunk is the better solution. We use Splunk to search, monitor, analyze, and visualize machine data, which it does very well. The dashboard is very intuitive. The log collection and log management tools are very good. We find Splunk’s search capability to be very powerful and flexible. Splunk can access any kind of data and there is no limitation to the kind of structured or unstructured data you can extract. Our team also liked that Splunk offers better integration with more solutions.