Try our new research platform with insights from 80,000+ expert users
Senior Engineering Manager at Happiest Minds Technologies
Real User
Provides integrations, enables customizations, and has a good security posture and a helpful support team
Pros and Cons
  • "The product has a good security posture."
  • "The glass table feature does not perform as expected."

What is our primary use case?

We have many use cases for firewall logs in our system. We collect logs from these firewalls and customize our use cases.

What is most valuable?

The triad is one of the best features. The product has a good security posture. It provides many customizations.

What needs improvement?

The glass table feature does not perform as expected. It must be improved.

For how long have I used the solution?

I have been using the solution for seven years.

Buyer's Guide
Splunk Enterprise Security
November 2024
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
823,875 professionals have used our research since 2012.

What do I think about the stability of the solution?

The tool is stable. I rate the stability a seven or eight out of ten.

What do I think about the scalability of the solution?

I rate the product's scalability an eight out of ten.

How are customer service and support?

If something doesn't work, we reach out to the support team. The support provided by the team is great. The support is part of the entitlements in the license we buy.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I'm using Microsoft Sentinel. It is a cloud-native tool. Compared to Splunk Enterprise Security, Microsoft Sentinel is easier to handle. We use Splunk Enterprise Security because we have to manage a big infrastructure and may have many security vulnerabilities. The cybersecurity team decided to use Splunk Enterprise Security. The volume of data is high, so it is easier to manage it in Splunk.

How was the initial setup?

The initial deployment was complex. If we need to customize the solution, we need one to four weeks to get all the data, manage the license, and calculate the resources.

What's my experience with pricing, setup cost, and licensing?

The solution is costly. The cost is calculated based on the volume of data ingested per day.

What other advice do I have?

It is not complicated to monitor multiple cloud environments using Splunk. It is one of the best solutions. The multiple cloud integration is open source. It's really helpful to monitor the structure and user authentication. I would definitely suggest it to people.

It's feasible to achieve visibility into multiple environments using the product. The cloud solution is recommendable. The on-premise product is tedious to manage, but it will be easier if we have a good resource to take care of the administration as an architect.

The tool has threat-detection capabilities. There are some limitations. We have a set of rules and patterns where we collect the tagging and the data we want to alert. It would have been better if detection and threat analysis recommendations were available out of the box. Though the solution keeps updating with the market demands, I still feel that the feature needs to be more reactive.

The product has inbuilt use cases for analyzing malicious activities and detecting breaches. It helps us run our alerts to catch malicious actions like brute force attacks or user-related authentication challenges. Splunk Enterprise Security has helped us reduce our alert volume. It has many automations and integrations. The SOAR tool detects and automatically manages repetitive and generic alerts proactively.

Splunk Enterprise Security helps us speed up our security investigations. It's at the top of its game. The tool is proactive and helps us take action before something happens. It has reduced our security threats. It is saving us hours of investigation. If you have a big data source, then I would recommend Splunk Enterprise Security. It will be easy for you to manage the data load. If you do not have a high data volume, you can look for other solutions like Sumo Logic.

My experience with the solution is really good. It has the capability to analyze the platform and take care of vulnerabilities. There is scope for improvement. We have a huge data volume of 2 TB per day. Our platform needs a solution like Splunk Enterprise Security to maintain the data volume and filter out our security vulnerability logs.

Overall, I rate the product a nine out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Information Security Analyst at Apcfss
Real User
The threat intelligence provides insight into how business decisions can make an organization vulnerable to cyber attacks
Pros and Cons
  • "Without Splunk Enterprise Security, it would be difficult for us to manage and prioritize alerts. There's a potential to lose track of important notifications, and it's essential to our security that we do not miss anything. Splunk has improved our investigations because the reporting and dashboarding make things so much easier. We can provide weekly or monthly reports. I also like Splunk's ability to integrate."
  • "Integrating tools and creating use cases could be easier. It's hard for a junior security engineer with only a couple of years of experience to write use cases. They can do it, but it's much easier in a solution like IBM QRadar. Setting conditions is like a multiple-choice type of thing. It's a more user-friendly process."

What is our primary use case?

We have integrated different tools to get files from various types of endpoints. We also have Check Point. There are a few Windows use cases for brute force and code block attacks, and we use Splunk to detect when a user is logging in from another country where we don't do business. Splunk is integrated with our AWS environment, so we ingest logs from Amazon CloudTrail, GuardDuty, and other solutions. 

How has it helped my organization?

Without Splunk Enterprise Security, it would be difficult for us to manage and prioritize alerts. There's a potential to lose track of important notifications, and it's essential to our security that we do not miss anything. Splunk has improved our investigations because the reporting and dashboarding make things so much easier.  We can provide weekly or monthly reports. I also like Splunk's ability to integrate. 

We can fine-tune our alerts to reduce false positives or low-priority alerts. It reduces the time our admins spend on responding to alerts by one or two hours weekly. We can alter the policies, do geoblocking, and add certain applications and IPs to our allowed list. 

What is most valuable?

Splunk covers our cloud and on-prem environments. We were exclusively on-prem, but we are slowly moving into the cloud. Our developers can customize investigations by adding multiple interesting fields and aggregate those details in Enterprise Security by using the appropriate SQL queries.

We use Splunk's threat intelligence management feature, which provides insight into how business decisions can make an organization vulnerable to cyber attacks. All of these things fall under tactical threat intelligence. For example, it can tell us if someone is accessing our organization's API. 

We have integrated all our tools so that we can monitor any alert type, but we use Splunk primarily for investigations. We're ingesting audit, security, application, and Windows logs. Once we get an alert, we go to the tool and investigate further

Splunk uses the MITRE ATT&CK framework, giving us new tactics and techniques based on issues observed in other businesses and industries and helping us to address novel threats to our network. MITRE ATT&CK is highly useful. 

What needs improvement?

It's a little difficult to archive data in Splunk for longer than six to eight months. Integration is more challenging compared to other tools we've used, such as LogRhythm. 

Integrating tools and creating use cases could be easier. It's hard for a junior security engineer with only a couple of years of experience to write use cases. They can do it, but it's much easier in a solution like IBM QRadar. Setting conditions is like a multiple-choice type of thing. It's a more user-friendly process. 

For how long have I used the solution?

We have used Splunk Enterprise Security for nearly a year. 

What do I think about the stability of the solution?

I rate Enterprise Security nine out of 10 for stability. Splunk is solidly stable. We've rarely experienced a crash requiring us to rebuild cases. 

What do I think about the scalability of the solution?

Our organization has around 1,000-1,500 groups, and Splunk works fine for us. 

How are customer service and support?

I rate Splunk support nine out of 10. Their support team is excellent. We schedule calls with them when we have issues. They typically rectify any problems in eight to 12 hours. At most, it will take a week to fix an issue. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have worked with LogRhythm, and I think Splunk's interface is much better. It's more attractive and has a more interesting feel, so I think it makes things easy for our analysts.

What other advice do I have?

I rate Splunk Enterprise Security eight out of 10. Splunk is useful for compiling all types of logs for investigation and monitoring purposes. I can recommend Splunk for people if they are comfortable with the deployment and integration. While integration is easier with solutions like QRadar or LogRhythm, Splunk is better for everything else. 

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Buyer's Guide
Splunk Enterprise Security
November 2024
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
823,875 professionals have used our research since 2012.
reviewer2239872 - PeerSpot reviewer
Staff application Security Analyst at a media company with 5,001-10,000 employees
Real User
Enables us to analyze security anomalies and research specific threats that we get on our network
Pros and Cons
  • "The solution has made us more secure."
  • "It takes time to train people."

What is our primary use case?

We use the product to analyze security anomalies and research specific threats that we get on our network.

How has it helped my organization?

The solution has made us more secure. It has given us the ability to address threats faster, with greater accuracy.

What is most valuable?

The availability of the data and the fact that we're able to collect a large amount of data into the system and analyze it is valuable to us. The product’s speed and availability make it really useful for us. I'm excited about the additional enhancements to the machine learning toolkit. To be able to use it more is exciting to me.

What needs improvement?

My organization needs more people to learn how to use the solution effectively. It takes time to train people.

For how long have I used the solution?

I have been using the solution for six years.

What do I think about the stability of the solution?

I have never seen any issues with the tool’s stability.

What do I think about the scalability of the solution?

Considering how much we have in place, I would assume that the solution’s scalability is pretty strong.

How are customer service and support?

I haven't had to go to Splunk directly for many things. Communicating with our success managers has been very positive.

How would you rate customer service and support?

Positive

What other advice do I have?

We need to improve our implementation. We're a pretty large customer of Splunk, so I think we do have a lot of resources available. Splunk has really good courses and availability. We need to get more people to be more familiar with the tool. The solution has helped us reduce our mean time to resolve. It really works well for us, and it helps us to look at our data more effectively.

Splunk has helped improve our organization’s business resilience. It's not just used for security. We have big use for it. It has definitely helped us prevent problems from occurring and identify them when they do. Splunk’s ability to predict, identify, and solve problems in real time is very strong. It works as well as we use it. There's a lot of value within the tool. It can be very powerful if used properly and if people are knowledgeable about it.

Splunk has a strong ability to provide business resiliency by empowering staff. I've been using it for as long as I've been with this organization. Compared to other solutions, Splunk is really strong.

I have seen time to value using this solution. I love using it. It’s a great tool. I cannot compare Splunk to other tools because I've been using it for as long as I've been with my current organization. In my previous organization, we didn't have big data, so we really didn't need the product. I am a consumer of the solution from a security perspective.

Overall, I rate the solution an eight or a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Hari Haran. - PeerSpot reviewer
Technical Associate at Positka
Real User
Top 5
Multiple components are very useful, providing us with a lot of security information for our clients
Pros and Cons
  • "It gives us good visibility into multiple environments, including cloud, on-premises, and hybrid; irrespective of platform."
  • "One issue is that we are getting a lot of false positives. We are trying to reduce them by customizing the default rules, changing thresholds, and using white-listing and black-listing. It's getting better and better as a result. But they need to build components that would reduce the false positives."

What is our primary use case?

We use it to provide both operational and security dashboards based on our clients' equipment. We use it for infra monitoring and threat analysis.

We have multiple rules for analyzing malicious activities and detecting breaches. We get the notable events from the logs and from there we drill down into the cause. We correlate that with the framework and get a score. Based on that, we proceed to the investigation.

How has it helped my organization?

It gives us a complete correlation between data processes and security threats. It has threat analysis and the MITRE ATT&CK framework. From a SOC perspective, it uses multiple components or frameworks and, in that way, is very useful, providing us with a lot of information for our clients. They don't want multiple teams dealing with security and malware, et cetera. Splunk Enterprise Security gives us everything in one place.

We get all the real-time logs and, based on the configuration, it's pretty easy to use to find threats. It has helped to speed up our security investigations. Before we went with Splunk Enterprise Security we had limited information but now we have threat intelligence to enhance things.

We are now handling multiple customers globally. We are able to build custom rules based on customer requirements and the applications and data they are using. It is enhancing the security of each customer's infrastructure. We are able to provide weekly and monthly reports and, based on that, our customers are honing their firewalls and other security infrastructure. Splunk Enterprise Security is very helpful in improving the security of our clients.

What is most valuable?

It gives us good visibility into multiple environments, including cloud, on-premises, and hybrid; irrespective of platform.

The UI is also very friendly. You don't have to work very hard to find things.

What needs improvement?

One issue is that we are getting a lot of false positives. We are trying to reduce them by customizing the default rules, changing thresholds, and using white-listing and black-listing. It's getting better and better as a result. But they need to build components that would reduce the false positives. 

Also, we have a lot of security feed providers. If there was some kind of management tool for that, it would be a great tool to have.

For how long have I used the solution?

I have been working with Splunk for about four and a half years.

What do I think about the stability of the solution?

I started working with Splunk Enterprise Security at version 6 and now we are up to 9 and it needs more resources. But it's okay because we have a lot of functionality now. It's better than it was earlier. I would rate the stability at nine out of 10.

What do I think about the scalability of the solution?

Splunk on the cloud is scalable, a 10 out of 10.

How was the initial setup?

If someone is doing the deployment for the first time, it will be a little complex. The installation is straightforward, but for the configuration, you need to follow the documentation and understand it. That is a little difficult the first time if you are doing it on your own. If you have anyone with experience who can explain the configuration, the second time it will be straightforward.

The solution requires maintenance but not much, mostly when there are upgrades 

What's my experience with pricing, setup cost, and licensing?

Most of the companies we work with are keen on budgeting. They can't spend much on security. Their problem is with the cost. They would like to have it but the problem is the budget. If they got a taste of Splunk Enterprise Security and its benefits, they might be able to cope better. A 15-day trial doesn't give them much hands-on or benefit from the tool. From a security perspective, they would need to have it for six months or a year to get a sense of it.

We try to explain, to someone who is concerned about the cost, the functionality and how powerful the application is. Security people know it's better to have a better solution, but management has to look at the budget.

Which other solutions did I evaluate?

We tried some other solutions, but they didn't work like Splunk. We found that Splunk is the best one.

What other advice do I have?

We work on multiple cloud environments including AWS, Azure, GCP, and most of the popular clouds. We have built our own combined app to monitor most of the cloud service providers. We have our own solution for cloud security monitoring.

My advice is that for big firms, because it has better detection and security, Splunk Enterprise Security is a very good tool. For big companies, good security is important, especially if they have a global market.

I don't see any other software having as much functionality and different ways to investigate security.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer2182467 - PeerSpot reviewer
Director of Security Engineering and Operations at a legal firm with 1,001-5,000 employees
Real User
Top 5
Helps us reduce the volume of alerts we receive and speed up our security investigations
Pros and Cons
  • "The varied prebuilt feature is the most valuable because it ensures that we have complete coverage over all of the key questions."
  • "It is important to make sure that everything is built off of the threat models and all the underlying items within Splunk."

What is our primary use case?

We use Splunk Enterprise Security as our primary security event manager. We collect data from various log sources into our Splunk SIEM to build context around what is happening in our environment. We then use the capabilities of Splunk Enterprise Security and other tools to enrich this data and help us manage the data, events, and detections.

How has it helped my organization?

Splunk Enterprise Security helps us focus on security. It provides us with data and a number of pre-built learnings that allow us to view the content in very useful ways. We can apply filters to the data to get more value out of it. This is the primary use case for Splunk Enterprise Security: to help us analyze and leverage the content we have.

Monitoring multiple cloud environments can be relatively easy, but it depends on the vendors. There can be challenges, such as ensuring that all of the data is ingested and aligned correctly. This is because vendors, especially in the cloud, can change their log formats at any time. Additionally, some vendors may not provide the same log feeds in the cloud as they do with on-premises solutions. As a result, it is important to be aware of these potential challenges and to take steps to mitigate them.

Splunk Enterprise Security provides reasonable visibility into multiple environments by harnessing the power of Splunk and the data it ingests to unify and provide a consistent view.

Splunk Enterprise Security's threat detection can help our organization find unknown threats and anomalous user behavior. We are early adopters of the user behavior piece, so we are still working to normalize our data. Splunk is working with developers to ensure that they can intake our data. We use Windows Log Forwarding for a lot of our host-based logs. We are leveraging this with an on-premises GPO. The gathering mechanism is a little bit different than what Splunk has seen, but it is still within the realm of acceptable. We are working through this issue.

We have a few different STIX and TAXII feeds that are being processed by the Threat Intelligence Management feature. We are members of a few different organizations that provide these feeds, and we use them as needed. The feeds also feed into some of our security products.

Actionable intelligence provided by Threat Intelligence Management is valuable, but it is important to be aware of its limitations. Threat intelligence can help organizations to correlate and build context around security events, but it is important to remember that the information provided is often brittle and can change quickly. For example, an IP address that is associated with a threat actor today may be used by a legitimate user tomorrow. Additionally, some threat intelligence feeds may be contaminated with false positives, which can lead to false alarms. It is important to carefully evaluate the quality and reliability of the threat intelligence before taking any action. Organizations should also have a process in place to verify and validate any threat intelligence before using it to make security decisions.

Splunk Enterprise Security is a valuable tool for analyzing malicious activities and detecting breaches. I am glad we added it to our security stack. Previously, we ran for a year or so without it, and while we had some capabilities, we were truly missing out on some things by not having Enterprise Security. It definitely added value for us, and I would not go back to not having it. I think it has been a solid addition to our security posture.

Splunk Enterprise Security helps us detect threats faster, but the lion's share of the work is still in the process of customizing it to our needs. Taking enterprise security and modifying it to apply to our needs is where we see the biggest bang for the buck. From that perspective, it is probably better for us.

A lot of the prebuilt capabilities in Splunk Enterprise Security are extremely beneficial because they cover all the use cases. I think another important aspect is the consistency of their approach and how methodical they are. This is very helpful because it sets a structure for how we view our data and what we can leverage from it. This page clearly drives us to what is happening and what we need to do, and it has a workflow associated with it. This also helps to reinforce the process. When we deal with security issues, this can always be a challenge. We are dealing with a fire drill, and we need to be able to react. We don't want to make mistakes, and it is easy to do so if we are trying to wing it. However, the structure of this approach helps to reinforce that. I think this is another area that is beneficial in terms of the workflow and how it approaches what it does.

Splunk Enterprise Security helps us reduce the volume of alerts we receive. However, we still have to take action on a number of items. Splunk Enterprise Security helped us to do this by ensuring that our input data is accurate and reliable. We are still evolving and maturing in our use of Splunk Enterprise Security, and we believe that it will continue to help us to reduce the volume of alerts we receive and improve our security posture.

Splunk Enterprise Security helps speed up our security investigations to a degree. The workflow is improved, and when we encounter an incident, we can take ownership of it, manage it, dive into individual facets of it, run queries, and expand on them. It makes some items easier to access or understand.

What is most valuable?

The varied prebuilt feature is the most valuable because it ensures that we have complete coverage over all of the key questions. By seeing how others analyzed the data, we can develop new dashboards and approaches. It is always helpful to see how someone else used a tool to spark ideas about how we can enrich our items based on our specific needs. This feature covers a lot of our core general questions and is helpful, but it also allows us to see what someone who is really focused on this area has done and how we can tune and tweak it to our needs.

What needs improvement?

It is important to make sure that everything is built off of the threat models and all the underlying items within Splunk. This includes making sure that the log feeds are aligned correctly so that when we look at data and alarms, everything makes sense. Sometimes, I see alarms that are caused by data sources that have snuck in. For example, if my firewall says something about AV, it might get mapped into antivirus. This can happen because firewalls are multipurpose devices, and they can end up in models that aren't really applicable. Part of the problem is the infrastructure within Enterprise Security with how they group data types. For example, authentication data, firewall data, network data, and user-based data are all gathered in different ways. This can lead to confusion, especially when multifunction devices are involved. For example, if a firewall says that antivirus is not enabled, it might still detect something as if it was antivirus-related. This can blur the incidents and the information we have. It is important to identify items that creep in or issues that need to be cleaned. This will help us identify problem areas and their root causes more effectively and quickly. We can then clean up the data model, make sure the lines are correct, and get higher-quality alarms.

For how long have I used the solution?

I have been using Splunk Enterprise Security for over a year. We have used Splunk as a security SIEM for at least three to four years.

Which solution did I use previously and why did I switch?

We previously used free Splunk apps.

What's my experience with pricing, setup cost, and licensing?

I believe that Splunk Enterprise Security is worth the price, but it is expensive. I am always trying to balance the need for security with the need to be cost-conscious.

What other advice do I have?

I give Splunk Enterprise Security an eight out of ten.

Using a SIEM is not cheap, no matter how you slice it. So, the first question I would ask is, what are we trying to do with our SIEM? In my opinion, Splunk, including ES shines when we are willing to invest in learning and modifying our SIEM, our solution, and our environment to align it with what we do and how we do it. If we are willing to make that investment to contextualize the security and visibility, then Splunk is a tool that can help us do that. If we are looking for a turnkey solution, where we can just throw logs at something and then pull the arm of the slot machine and get things out, then Splunk is not necessarily the right tool for us. We can get there, but it will be a pricey slot machine. I think we will get the most value out of Splunk if we want to get things that are more contextual to us. We may need to enhance or build off of the Splunk dashboards that ES includes, and that will help us to create dashboards that are extremely relevant to our environment. If we are comfortable with creating Splunk queries, then we will have a lot of power at our fingertips.

To those looking into the solution, I would ask: What are they looking for? What are they willing to invest in? Do they want to understand queries? Do they want to build the knowledge around how to structure them? Are they willing to put in the effort to get the real power out of it, or are they expecting something to tell them what is going on? They need to realize that it is never going to be built for them at that point. So they are going to be getting something generic. They have to consider their specific situation, such as how many people they have on their team, etc. They should also probably take a good stock of what they are trying to log and how long they have to retain it. I have been very happy with our Splunk Cloud instances. They have been very reliable. I think it has been incredibly powerful for us. I think that is also another aspect of whether they are going to have their SIEM in their environment or outside of their environment. They need to think about some of these items. Obviously, Splunk can go either way. They have to make their decisions there. We have been very happy with our Splunk Cloud instance. So that's what's been really good for us. And, also, it takes some of the administrative aspects and puts them on somebody else. That's valuable for us too.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
System Administrator at Nournet communications
Real User
Top 20
Helps reduce threat detection time, security investigation time, and alert volumes
Pros and Cons
  • "The most valuable feature of Splunk Enterprise Security is the comprehensive logging capabilities it provides."
  • "Given the ever-increasing number of threats, I would like Splunk to update its threat signatures more frequently."

What is our primary use case?

We use Splunk Enterprise Security to identify and resolve critical issues and errors within our environment.

How has it helped my organization?

The visibility that Splunk Enterprise Security provides is good. We can easily find the data we need using the logs.

Monitoring multiple cloud environments using Splunk Enterprise Security was not difficult.

Splunk Enterprise Security's insider threat detection capabilities enable us to effortlessly identify unknown threats and anonymous user behavior.

Splunk Enterprise Security helped us analyze malicious activities and detect breaches between 50 to 90 percent faster.

Splunk Enterprise Security has helped reduce alert volumes by up to 90 percent.

Splunk Enterprise Security has helped speed up our security investigation time by almost 90 percent.

What is most valuable?

The most valuable feature of Splunk Enterprise Security is the comprehensive logging capabilities it provides.

What needs improvement?

The price of Splunk Enterprise Security is high and can be improved.

Given the ever-increasing number of threats, I would like Splunk to update its threat signatures more frequently.

For how long have I used the solution?

I have been using Splunk Enterprise Security for one and a half years.

What do I think about the stability of the solution?

Splunk Enterprise Security is stable.

What do I think about the scalability of the solution?

Splunk Enterprise Security is scalable.

The resilience of Splunk allows organizations to protect their data and resolve vulnerabilities quickly.

How are customer service and support?

The technical support provides good resolution.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I had previously used Loggly, developed by SolarWinds and Elastic. However, I found it to be inaccurate and slow. Elastic offers a free version of its solution, which is more commonly used by smaller businesses.

What about the implementation team?

The implementation was completed by a third party.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security is expensive. I would rate the cost an eight out of ten with ten being the most expensive.

I recommend Splunk Enterprise Security over cheaper SIEM solutions because of its offerings.

What other advice do I have?

I would rate Splunk Enterprise Security nine out of ten.

Splunk Enterprise Security does not require any maintenance. It is plug-and-play.

I recommend Splunk Enterprise Security for organizations that want to detect threats quickly.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: partner
PeerSpot user
Security Engineer at State of Nevada
Real User
Good at predicting, identifying, and solving problems in real-time
Pros and Cons
  • "Splunk has helped improve our company's resilience level."
  • "The upgrading process could be smoother."

What is our primary use case?

We primarily use the solution for SOC purposes.

How has it helped my organization?

The solution has made it possible to check and detect our traffic a bit better.

What is most valuable?

The incident review is great for working inside of a SOC if we want to see everything and we want to configure notables and have all notable features, it's useful. We're moving to SOAR right now for configuration for our work center. As far as ES in our work center, just detecting our notables and monitoring all our traffic, is the most important feature as far as what our day-to-day is concerned. 

Splunk has helped us with mean time to respond, although I don't have exact numbers.

Splunk has helped improve our company's resilience level.

Splunk is very good at predicting, identifying, and solving problems in real time. I've never used anything else, however, I'm impressed with the ease of it and the ability to find anything and everything we need. 

What needs improvement?

I do a lot of the maintenance. A lot of my workers are fresh into Linux and need to monitor, manage, and do maintenance on it. They should bring back the maintenance mode button. Splunk used to have it and they took that feature away.

The upgrading process could be smoother. 

For how long have I used the solution?

I've used the solution for about a year.

What do I think about the stability of the solution?

The stability and availability of Splunk are great. It does get weird when we initially update items, however. That's the only time we see issues. It may try to input data in areas it doesn't need to. That said, we are aware of the quirks of the setup. 

What do I think about the scalability of the solution?

Scaling is easy if you have done it a couple of times. 

The environment I have has multiple servers. We might have around 100 servers. 

How are customer service and support?

Splunk support is very communicative about our concerns. That said, the answers I've gotten back don't make sense. I'm not sure if they communicated our issue in the right way or if they misunderstood, however, they did not correctly address our issue. In the end, we do have a good dialogue. I now expect that they will misunderstand the problem on the first round and we have to go back and forth. The effort is there to try to understand. 

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

The company may have had QRadar for a while before Splunk. I wasn't around when they switched to Splunk so I cannot compare the two. 

How was the initial setup?

I was not involved in the initial deployment of Splunk. 

What was our ROI?

The company has witnessed an ROI in terms of the amount of time saved via being able to tweak our searches. The docs are great. They help tremendously in filling knowledge gaps. The ROI is solid. 

What's my experience with pricing, setup cost, and licensing?

I don't deal with pricing or licensing. 

What other advice do I have?

I've only worked with Splunk as far as data ingestion. 

The solution does take a bit of understanding. It does need improvements in some areas. I'd rate the solution seven out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer2239899 - PeerSpot reviewer
Insider Thread Consultant at a manufacturing company with 10,001+ employees
Consultant
A reliable and stable solution that helps detect internal threats and improves business resilience
Pros and Cons
  • "The search lookups are useful."
  • "The product must improve insider threat detection."

What is our primary use case?

My use cases are very limited. I use the product mostly to detect internal threats like data exfiltration.

What is most valuable?

I am a basic user. The search lookups are useful.

What needs improvement?

The product must improve insider threat detection. Almost everything is outside in, but not inside out.

For how long have I used the solution?

I have been using the solution for four years.

What do I think about the stability of the solution?

The solution is very reliable. I like its stability. It always works.

What do I think about the scalability of the solution?

Sometimes, it takes time when we need additional information or something extra. However, the tool’s able to do it.

How are customer service and support?

I haven’t contacted the support team. I reach out to the internal expert. My searches and my requirements are very basic. The expert is great. He’s always able to help me and guide me.

How would you rate customer service and support?

Positive

What was our ROI?

We do see a return on investment. The product saves us time by automating reports and helping us see data.

What other advice do I have?

The solution helps reduce our mean time to resolve. It’s great to automate some tasks. I believe Splunk has helped improve our organization’s business resilience. We have become stronger in insider threats by just stopping things, being able to show what is leaving, and taking action on it. It's very useful when I try to identify events.

When I started working in my organization, they were using Splunk. Overall, I rate the product a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.
Updated: November 2024
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.