Enrichments and Analyst Effectiveness
Do Sentinel and Splunk have an integrated threat intelligence platform and other enrichments?
Sentinel:
Sentinel does not ship with an integrated threat intelligence platform (TIP). What it does provide is a set of data connectors for bringing indicators in from a TIP or from TAXII feeds, and each of those must be configured manually in your workspace. Microsoft documents the setup here: https://docs.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence. Once a connector is running, the imported indicators land in a workspace table that analytic rules can join against your log data; confirm that table is actually being populated before you rely on the built-in indicator-matching rule templates.
Splunk:
Splunk does not enrich events with threat intelligence out of the box either. Splunk Enterprise Security includes a Threat Intelligence Framework that can ingest indicators from a TIP or a feed and match them against your indexed data, but wiring your TIP into it is manual work. The integration process is described in Splunk's documentation under the section "Threat Intelligence Framework."
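Whichever platform you use, the enrichment both integrations perform once indicators are loaded is the same: normalize each indicator, drop expired ones, and match them against fields in incoming events. The following is an added example of that matching logic, not code from the page, from Microsoft, or from Splunk. The indicator records, the event records and the field-to-indicator-type mapping are all constructed for illustration, using documentation IP ranges and example domains.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample indicators in the shape a TIP or TAXII feed typically yields.
# The last one is deliberately expired and must not produce a match.
INDICATORS = [
    {"type": "ipv4-addr", "value": "198.51.100.23", "confidence": 80,
     "valid_until": "2099-01-01T00:00:00Z", "source": "example-feed"},
    {"type": "ipv4-addr", "value": "203.0.113.0/24", "confidence": 60,
     "valid_until": "2099-01-01T00:00:00Z", "source": "example-feed"},
    {"type": "domain-name", "value": "Malicious.Example.NET", "confidence": 90,
     "valid_until": "2099-01-01T00:00:00Z", "source": "example-feed"},
    {"type": "file", "value": "AA" * 32, "confidence": 95,
     "valid_until": "2099-01-01T00:00:00Z", "source": "example-feed"},
    {"type": "domain-name", "value": "stale.example.org", "confidence": 90,
     "valid_until": "2000-01-01T00:00:00Z", "source": "example-feed"},
]

# Constructed sample events. Event 3 carries a trailing dot and mixed case,
# event 2 falls inside a CIDR indicator, event 4 only matches an expired indicator.
EVENTS = [
    {"id": 1, "src_ip": "198.51.100.23", "dns_query": None, "sha256": None},
    {"id": 2, "src_ip": "203.0.113.77", "dns_query": "benign.example.com", "sha256": None},
    {"id": 3, "src_ip": "192.0.2.5", "dns_query": "Malicious.example.net.", "sha256": None},
    {"id": 4, "src_ip": "192.0.2.6", "dns_query": "stale.example.org", "sha256": None},
    {"id": 5, "src_ip": None, "dns_query": None, "sha256": "aa" * 32},
]

# Hypothetical mapping from event field to indicator type; a real deployment
# derives this from its data model (CIM in Splunk, the normalized schema in Sentinel).
FIELD_TO_TYPE = {"src_ip": "ipv4-addr", "dns_query": "domain-name", "sha256": "file"}


@dataclass(frozen=True)
class Indicator:
    kind: str
    value: str
    confidence: int
    source: str


def normalize(kind, value):
    """Canonicalize a value so feed formatting differences do not hide matches."""
    if kind == "domain-name":
        return value.lower().rstrip(".")
    if kind == "file":
        return value.lower()          # hashes compare case-insensitively
    return value


def load_indicators(raw, now):
    """Build an exact-match index plus a list of CIDR networks, skipping expired entries."""
    exact, networks = {}, []
    for r in raw:
        valid_until = datetime.fromisoformat(r["valid_until"].replace("Z", "+00:00"))
        if valid_until <= now:
            continue                  # expired indicators only generate false positives
        ind = Indicator(r["type"], r["value"], r["confidence"], r["source"])
        if r["type"] == "ipv4-addr" and "/" in r["value"]:
            networks.append((ipaddress.ip_network(r["value"], strict=False), ind))
        else:
            exact[(r["type"], normalize(r["type"], r["value"]))] = ind
    return exact, networks


def enrich(event, exact, networks):
    """Return a list of (field, Indicator) hits for one event."""
    hits = []
    for field, kind in FIELD_TO_TYPE.items():
        value = event.get(field)
        if not value:
            continue
        key = (kind, normalize(kind, value))
        if key in exact:
            hits.append((field, exact[key]))
        elif kind == "ipv4-addr":
            addr = ipaddress.ip_address(value)
            for net, ind in networks:
                if addr in net:
                    hits.append((field, ind))
                    break
    return hits


def enrich_all(events, raw_indicators, now):
    """Enrich every event; returns {event id: [(field, Indicator), ...]}."""
    exact, networks = load_indicators(raw_indicators, now)
    return {e["id"]: enrich(e, exact, networks) for e in events}


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    for event_id, hits in enrich_all(EVENTS, INDICATORS, now).items():
        for field, ind in hits:
            print(f"event {event_id}: {field} matched {ind.kind} {ind.value} "
                  f"(confidence {ind.confidence}, source {ind.source})")
```

The two things worth checking in any TI integration are exactly what this models: whether the platform normalizes indicator and event values before comparing them (a trailing dot or an uppercase hash silently breaks a naive join), and whether it honors indicator expiry, because a stale feed is the most common source of noisy TI alerts.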
Do Sentinel and Splunk make your SOC analysts more effective?
Sentinel:
If you are a 100% Azure cloud organization, or run mostly Microsoft technology on-premises alongside Azure, then Sentinel can be a very attractive option. Getting data into Sentinel from Microsoft sources such as Microsoft 365 Defender or Defender for Endpoint is largely a matter of enabling a connector, which gives organizations with an all-Microsoft ecosystem a short time to value. Sentinel playbooks, built on Azure Logic Apps, let you automate tasks and responses within your Azure environment without a great deal of coding.
The weakest link in the Sentinel story is arguably query performance at scale. Sentinel is not backed by a Microsoft SQL database: its data lives in a Log Analytics workspace and is queried with KQL. As ingestion grows, queries that are not scoped by time window and table can run long or run into the service's query limits, and long queries mean long investigations. Plan workspace layout, retention tiers and the time ranges your analytic rules and hunting queries use with that in mind.
For customers with a broad mix of Microsoft and non-Microsoft technologies, Sentinel can be more trouble than it is worth. Onboarding custom application logs is where this bites hardest: you end up building and maintaining the custom log tables and parsers yourself. Automating tasks and responses in other cloud providers, such as AWS and GCP, takes similar extra work, because the playbook tooling is Azure-centric.
Splunk:
For an experienced Splunk ninja, Splunk can improve analyst performance. But most SOC analysts are not also Splunk experts, and becoming proficient with the platform takes significant time and training. Because Splunk uses its own query language (SPL), it is not easy for general security analysts to pick up, and many SOC analysts struggle with Splunk Enterprise Security as a result.
If you have a team of dedicated Splunk experts who can handle the configuration, set up the dashboards and build the queries for your SOC analysts, you can get a lot of value from it. If your security team is on its own for all of that setup, configuration, dashboard and query building, it may be hard to realize value from such an expensive platform.