No more typing reviews! Try our Samantha, our new voice AI agent.
Sameep Agarwal. - PeerSpot reviewer
Group manager at HCM Technologies
Real User
Nov 3, 2023
It has a drag-and-drop interface, so you don't need to know SQL or Java to construct a query
Pros and Cons
  • "It has a drag-and-drop interface, so you don't need to know SQL or Java to construct a query on Splunk. The resolution time is about the same, but it took longer to discover the issue with ArcSight. Our previous solution took about an hour or more, but Splunk can do it within a few minutes or an hour at most."
  • "The ingestion happens quickly, so you can run up the data costs if you use the default settings. It isn't a problem for government agencies in the Saudi market, but many of the corporations in India are small or medium-sized enterprises that cannot afford that kind of ingestion system."

What is our primary use case?

We deploy Splunk for law enforcement agencies facing attacks from threat actors in China, Iran, and Pakistan. It helps plug the gaps because Splunk can easily identify malicious traffic.

In this instance, Splunk was only deployed for a specific department, not the entire ministry. However, this department has multiple cloud clusters for their operations, storage, and computing. Splunk is monitoring all of these clusters. It started as an on-premise solution, but then the department decided to go for cloud-based services that require a connector. Now, it's more of a hybrid solution.

How has it helped my organization?

 We face a lot of government-backed threats from India's neighbors, so threat intelligence can provide us with the information to take preemptive steps to stop the attacks. We were able to configure our network and the gateway firewalls. So that helped us overall.

We use the threat topology and MITRE ATT&CK features to compile our quarterly reports, but the leaders of the government departments are hardly concerned with these things.  They only respond to certain keywords if you highlight them. However, if you explain that something is an IOC according to the MITRE ATT&CK framework, they won't understand the jargon. They don't have the technical knowledge to comprehend MITRE ATT&CK. A private organization might have that capability. Government agencies may go for a full-fledged enterprise solution, but there are many features they don't understand or want to use. 

We still need to use manual techniques to investigate threats. Once, we had to look for devices that were infected, and we manually located the threat because the attacker had used a particular telecom handle to steal the data. In that sense, we did it manually but used Splunk to find the threat actor and the credentials used in the attack. The investigations were also quicker because we had the necessary information on hand. 

Resilience is essential, but it's something that can't fall entirely on a solution. Information security is the responsibility of every employee. While a cloud system doesn't go down easily, on-prem environments are more vulnerable.

What is most valuable?

Splunk has an excellent threat intel feed, so we can get the latest IOCs. The threat intel service enhances the threat detection capabilities because the solution is purely based on threat intel. They gather each threat intel from the dark web and the other areas of the internet. Once the integration is done, it's much more helpful than the traditional Splunk features, which may yield limited visibility. Splunk isn't purely a threat intelligence solution, but it may not have feeds at that frequency.

The threat detection capabilities are excellent, but it depends a lot on the configuration. If we can't configure the indicators of compromise correctly, then it becomes difficult for Splunk to evaluate a threat. For example, let's say a user is accelerating some data through the email gateway, and the gateway isn't being monitored. Splunk can't do anything about that because it requires a gateway monitoring system to be installed. Splunk is only aggregating the events coming in, and it cannot find the exact DLP agent. The DLP logs need to be forwarded to this Splunk connector.

What needs improvement?

The ingestion happens quickly, so you can run up the data costs if you use the default settings. It isn't a problem for government agencies in the Saudi market, but many of the corporations in India are small or medium-sized enterprises that cannot afford that kind of ingestion system.  

Splunk needs to be tweaked in JSON so you can limit what is coming from the endpoints, especially the events. One needs to filter that out so that only certain events are ingested, like login failures, Active Directory changes, password reset requests, privilege modifications, etc. Each Windows machine generates about 310 KB of information per event, but we can tweak that down to about 50 KB.

Buyer's Guide
Splunk Enterprise Security
June 2026
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
904,146 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Splunk for five years. 

What do I think about the stability of the solution?

Splunk is stable. We haven't had any downtime or performance issues. 

How are customer service and support?

I rate Splunk support 10 out of 10. Splunk has lots of training materials online where our engineers can learn at their own pace. The courses are easy to understand and use simple language. You don't need to learn Java queries. The main reason we rejected QRadar was the fact that it is such a closed solution. If you want to learn something, you have to contact IBM support and request the materials. 

Which solution did I use previously and why did I switch?

I have worked with ArcSight, and Palo Alto has a good SIEM solution. ArcSight's UI has some drawbacks, whereas Splunk is easier to integrate and implement. ArcSight's interface didn't impress me. I didn't like the way you have to write queries. It was a tedious solution to use, and it was not pleasing to the eyes. The charts and reporting were not visually appealing. 

ArcSight was also a costly solution, but the main reason I wanted to switch to Splunk was that it was easier to integrate. It has a drag-and-drop interface, so you don't need to know SQL or Java to construct a query on Splunk. The resolution time is about the same, but it took longer to discover the issue with ArcSight. Our previous solution took about an hour or more, but Splunk can do it within a few minutes or an hour at most. 

What's my experience with pricing, setup cost, and licensing?

Splunk can be an expensive solution. It all depends on how we configure the alerts and the events from the endpoints. You can save some money if you do that correctly. If not, it becomes an expensive solution.

If you don't have the money, you can go for an open-source solution like RedELK, which is based on Elasticsearch. It's cheaper, but you have a lot of support issues. There are no security upgrades. Those are not well supported. If somebody has a basic understanding of the technology and the necessary budget, I would say stick with Splunk. Its ease of use is attractive to an engineer.

What other advice do I have?

I rate Splunk Enterprise Security nine out of 10. There's always room for improvement. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2512353 - PeerSpot reviewer
Director, Information Technology at a government with 501-1,000 employees
Real User
Jul 11, 2024
Offers complete visibility into the environment, centralize management but latency issues when using cloud services
Pros and Cons
    • "Splunk is on the right path. It's good, but it does not provide everything that we need."

    What is our primary use case?

    We have an engineering team working on the back end to receive data, they do data modeling, and create dashboards. That's been pretty useful.

    How has it helped my organization?

    Splunk Enterprise Security helped our organization a lot. In the past, we relied on every single product that had its own kind of audit trail information. We needed to go and look for it, for example, in the Windows environment. We have to use the event viewer a lot to look for certain things, like system applications and security logs. In Linux, we have to use the log file, and under certain applications in the Linux environment, we have to look at the logs for that as well.

    That's just part of the operating system. It is not the infrastructure, like network devices. When we centralize logs, we put everything in one location. 

    Our advanced users can do the SPL query anything they want. Executives or higher-up management users need to look for certain things, like how many systems are missing patches for this month or who logged in today from where, what they did, and how often they re-authenticated to the systems. 

    We have a lot of data from businesses, data from our devices, and more. When we put it all in the ES, it gives us the ability to look at certain functions. It provides more insight into our data, where it's traveling from, between endpoints, and what they're doing with it. 

    We also look into performance. We use other monitoring tools as well, and that data is also piped into Splunk. We have a centralized platform that we can navigate to look for everything we need rather than having to go to each individual system, like Cisco Syslog or we have to go to the Forcepoint console to look for it. It is a centralized platform that gives us more insights into our data or what's happening in general. 

    It is very important that Splunk Enterprise Security provides end-to-end visibility into our environment because, at any given point in time, we want to know what's happening to the data. Data privacy is the primary concern. We want to make sure that authorized users get access to what they are authorized to so that data would not leak out or travel from a different path. Again, we get a lot of data in there. We understand more about our data to improve the business in certain aspects.

    We know that during certain times of the day, a lot of people access a server or website.

    Then it'll give us more insight about where we need more network bandwidth or where we need to upgrade network devices. We understand more about our data, like how many people access the data lake house. And that's just for performance. 

    On the security side, we would know who's accessing it from where. Are they authorized to do so, or is there any weird access pattern in locations that they're not supposed to be in?

    So again, we get the data, we centralize it, and we can do data mining. We can pull out anything from there rather than looking all over the place, like, "I want to find out if he's working today if someone's using his account, or from which devices he accessed data from two different places."

    From Splunk Enterprise, we can either do it manually or have our engineers create an audit dashboard. Or, if you are an advanced user, you can do SPL queries that will give you anything you need.

    The alert volume depends on the users. If they do what they're supposed to, then there's nothing to talk about. If not, it's more or less on how you manage the data, educate your users, and control your system. Based on that, Splunk might play zero, fifty percent, or seventy-five percent role.

    In a way, it has helped improve our organization's business resilience. It's a way for us to predict the pattern of data access and other things going on.

    Knowing a way to do that, if we have enough resources to do it, is fine because we have so much data, but no one's really monitoring it. If we get alerts in the middle of the night and we don't have anyone to handle it, it's not going to help.

    It's another aspect that we worry the most about, where our data is floating. 

    Now that we've centralized our log information into Splunk, we want it to be secured well because now users can predict a pattern of data access from where, and from whom. 

    What is most valuable?

    We put all of our logs and data into Splunk, like network switches, firewalls, and web-based protection. In general, every component within the infrastructure sends data to Splunk. 

    Then, we have an engineering team transforming, manipulating, and analyzing the data to create a front-end dashboard in a meaningful way.   

    What needs improvement?

    With the new announcement of version eight, it's going to give us a single point-and-click. On the front page there, that will give us a whole lot of information that we need to look into on the right panel without navigating down or going to more details, clicking here and there.

    For how long have I used the solution?

    We've been using it for quite a few years now.

    Which solution did I use previously and why did I switch?

    The solution of choice depends on the engineers and teams. If they manage Linux, they're comfortable with certain tools to read the logs. In a Windows environment, it depends on the engineers. They favor any certain tool; they would do it, but it would be to cut down costs and consolidate all the software strings.  

    Splunk was not that big years ago. But then we started seeing that they put more investment into it and made the tool more useful.

    How was the initial setup?

    We're not using the cloud version yet. This is just the enterprise product on-premises.

    What's my experience with pricing, setup cost, and licensing?

    Splunk can improve the pricing. People like certain features, and sales use the features that they provide, the automated features, to hook customers into paying for the big-price license.

    Everyone does it, like Microsoft and Cisco. Initially, you try out the free version, but once you get it in your shop and turn it into production, you start relying on it and don't want to get out. You start paying a lot more for it.

    What other advice do I have?

    Splunk is on the right path. It's good, but it does not provide everything that we need. There's a lot more to it. I look at it as ideal for detecting in real-time, but we're always behind and just look at the log information. 

    If you have a network device, a Splunk Enterprise instance, and you have to send data to it. You're relying on network connections. 

    If you're using a cloud service or anything where Splunk is not on-premises, there's high latency. If that network connection is down, that's it. You don't know what's going on. So even if you have it on-prem, you're still relying on it after the fact. 

    When you look at Splunk, you're looking at things that have already happened. It's nothing that's actively going out there and doing something for you. 

    If you had to give it a number, from one to ten, since they've gone this far, I'd give it a five or six. Because locking or monitoring is just a part of business, and how you're going to receive those alerts and act on them is another part of it, when I look at the overall infrastructure and infrastructure management.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    Buyer's Guide
    Splunk Enterprise Security
    June 2026
    Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
    904,146 professionals have used our research since 2012.
    reviewer2499738 - PeerSpot reviewer
    Cybersecurity Specialist at a manufacturing company with 10,001+ employees
    Real User
    Jul 9, 2024
    Identifies threats with the help of features like correlation searches
    Pros and Cons
    • "Scalability-wise, the tool is awesome since you can add or reduce your resources in an easy way."
    • "Resource usage can probably be described as an area with shortcomings in the product where improvements are required."

    What is our primary use case?

    I have used the solution in my company since I was an admin for Splunk. Most of the people involved in the use cases associated with the product are those in the SOC team.

    How has it helped my organization?

    The tool has helped us to identify and analyze the possible threats. The product helps identify threats and do further investigations.

    In terms of the benefits I have seen from using Splunk Enterprise Security, I would say that we are still working on implementing Splunk tools.

    What is most valuable?

    The most valuable feature of the solution is correlation searches, which allow you to easily find threats and other such areas.

    It is really important that Splunk Enterprise Security provides end-to-end visibility into our company's environment, as it can help save time and make the response faster.

    Splunk Enterprise Security has helped improve our organization's ability to ingest and normalize data with the use of data models and Splunk CIM.

    The tool has helped reduce our company's alert volume as the identification process is fast.

    Splunk Enterprise Security provides our company with relevant context to help guide our investigations. Any incident can be resolved in a minimal amount of time than expected, and we can get more information about such incidents. It can be resolved mostly on the same day and even in a few hours.

    Splunk Enterprise Security helped reduce mean-time resolve. It has also helped improve our organization's business resilience. Considering the tool's ability to predict, identify, and solve problems in real-time, I would say that it keeps our company safe.

    Splunk's unified platform helps consolidate networking, security, and IT observability tools. I cannot provide too many details because I am not working directly on the analytics part.

    What needs improvement?

    I think in the near future, we want to have Splunk Enterprise Security complemented with Splunk SOAR because we have been checking the administrations. It is pretty cool, considering the things that you can do with Splunk Enterprise Security and Splunk SOAR together.

    Resource usage can probably be described as an area with shortcomings in the product where improvements are required.

    Our company just saw the latest version of the tool here in the Gulf. I am not sure, though, about it because what Splunk showed us was really impressive.

    For how long have I used the solution?

    I have been using Splunk Enterprise Security for five years. My company is a customer.

    What do I think about the stability of the solution?

    It is a stable solution. At my company, there are two Splunk admins. Splunk is so stable that though there are two Splunk admins in the company, nobody complains that something is not working. Stability-wise, I rate the solution a nine out of ten.

    What do I think about the scalability of the solution?

    Scalability-wise, the tool is awesome since you can add or reduce your resources in an easy way.

    How are customer service and support?

    The solution's technical support offered to users could be much more. At times, I get answers related to Splunk from the support team, which I feel are available on Google. I rate the technical support a seven or eight out of ten. I feel that sometimes the tool's support team uses Google to provide me with answers.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    I did not previously use a different solution.

    How was the initial setup?

    It was harder to get it working and configured correctly in the past. Things have changed a lot since the first version of the tool was released. I honestly feel comfortable anytime the tool releases something new to be deployed or if there is a new upgrade.

    The solution is deployed on an on-premises model. I use the cloud services offered by Azure and AWS.

    What was our ROI?

    I have not seen a return on investment.

    What's my experience with pricing, setup cost, and licensing?

    Splunk Enterprise Security is not a cheap product, but I think it is worth every dollar that you pay.

    What other advice do I have?

    Considering that the initial configuration is difficult, I rate the solution an eight out of ten.

    Which deployment model are you using for this solution?

    Hybrid Cloud
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    SOC Analyst at Topcon Omni Systems, Inc.
    Real User
    Jul 9, 2024
    Makes investigations much easier by providing us with the relevant context to help guide our investigations
    Pros and Cons
    • "The most valuable features include the incident review and Dashboard Studio."
    • "Having analysts put their notes directly within the investigation feature in the incident review would be beneficial."

    What is our primary use case?

    The use cases depend on how you want detections to be set up. For example, you can have specific use cases for Office 365 alerts, Carbon Black, or more extensively towards MITRE ATT&CK framework. You can enable different analysis stories and alerts based on these use cases. You can individually go ahead and enable them. 

    How has it helped my organization?

    It is really important that Splunk Enterprise Security provides end-to-end visibility into our environment because there are multiple levels of hierarchy within an organization. 

    We need easy visibility starting from L0 analysts to the SOC manager and director. So, if it is easily visible, it makes the operations easy to teach the basic analyst or also to show the upper management what we have in the current scenario or how an investigation is going on. Visibility is very important.

    Splunk Enterprise Security helped improve our organization's ability to ingest and normalize data. We have different teams approaching us to use Splunk, ingest their logs, and aggregate their logs.

    The system helped us reduce our alert volume mostly because a lot of false positives had been fine-tuned. That was my last two months of work consolidated. I had to go in, check on all the alerts, see what was using a huge spike in alerts, and make sure the false positives were reduced and the alerts had come down. 

    Splunk Enterprise Security provides us with the relevant context to help guide our investigations. It makes investigations much easier. With more information and the right applications, I break down the investigation in such a way that I can build a timeline. Once I have a timeline, I can build a story around it and make a report around it. Splunk definitely has helped a lot.

    Splunk Enterprise Security helped reduce our mean time to resolve. Using the identity investigator and asset investigator applications definitely reduces the meantime for an investigation. I can see all the authentication logs, changes made, and threat IDs by simply inputting a username or asset name. It reduces investigation time by about 60 to 75%.

    We currently use it for our security team. The next step is to pitch it to different teams and get it integrated for them as well.

    What is most valuable?

    The most valuable features include the incident review and Dashboard Studio. My job involves building dashboards, so it's easy to visualize and explain the environment using Dashboard Studio. 

    Incident review with my SOC job helps me check all the incidents and alerts coming in.

    What needs improvement?

    Having analysts put their notes directly within the investigation feature in the incident review would be beneficial. To make notes. 

    We have to go to multiple tabs for each dashboard, for each incident, or each application within Splunk, so if there is a way to consolidate all the tabs or everything into one app for that particular organization where an analyst could just click on that and everything is there. That would be a really good feature.  

    For how long have I used the solution?

    I've been using Splunk for about five years now. I started at my previous job right after my master's. I was working for Santander Bank, where I used Splunk extensively for three years. I was a SOC analyst there.

    Now at the current company, I've been here for about a year, so I've been using it here as well.

    What do I think about the stability of the solution?

    Cisco being Cisco, just bought Splunk. I would give it some more time to see how things go. 

    Prior to Splunk's acquisition by Cisco, Splunk was really good. 

    How are customer service and support?

    Overall, the customer service and support were very good. At times, we had difficulties reaching out for your questions but most of the time, they were answered. Due to the time constraints, we had just 100 hours working with the consultant. So some things kind of took some time with that.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    When I joined this current company, they had Rapid7. It was horrendous and horrible. It was not easy to use. I'm kind of partial to Splunk because I started off with Splunk, so, we switched. 

    I joined last July and asked my manager about the current solutions. He was not happy with how Rapid7 was working either. We evaluated different vendors, including Microsoft Defender and Sentinel. My preference for Splunk played a role in our decision.

    What about the implementation team?

    We had a consultant for the integration process. They were very helpful. We had a consultant named Sayed who guided us through the process. They provided step-by-step instructions (kinda baby steps), walked us through analytics and restoring, and different aspects of Splunk. It was a really helpful experience.

    What was our ROI?

    It's only been about two and a half to three months. It's still fairly new to our environment. I would give it three to four more months before assessing ROI.

    Which other solutions did I evaluate?

    We evaluated Sentinel, Palo Alto, and Splunk, along with Rapid7, which was already in the environment. So, we evaluated these four options. 

    Splunk gave us the opportunity to take in or put in the logs whatever we wanted and plug in different applications, whichever we wanted to have the visibility. 

    We didn't have that flexibility with Palo Alto and Sentinel. We didn't have the investigation ease with the others; the investigation ease within Splunk is very easy. 

    I could build an SQL query within a minute, or I could just open up different documents to have it right there. But if I go to Palo Alto, it's not there. 

    Defender was quite a good competition. Like Sentinel, it was a good competition, but Splunk stopped where the investigation time was considerably less compared to Sentinel.

    What other advice do I have?

    Overall, I would rate it a nine out of ten because we haven't integrated a lot of applications like SOAR and stuff. Once we have everything in place, it might be a ten. But right now, I would go with a nine.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    Devin Zayas - PeerSpot reviewer
    SIEM engineer at Broadcom Inc.
    Real User
    Top 20
    Jul 12, 2024
    Fantastic tool that we couldn't do our work without
    Pros and Cons
    • "It has increased our business resilience. It's a top-of-the-line SIEM security product. It's the best tool for our security analysts which helps them do their job better. That then protects our company from adversary actors."
    • "I've never had too many issues with the stability. Years ago we had indexes crash but that was more on us. We didn't understand how to properly size Splunk."

    What is our primary use case?

    Our use cases are mostly for security and detection, basic use cases. It's always been a security use case. We never used it for observability or ITSI. 

    Our analysts use it a lot.

    What is most valuable?

    I like that it's a review panel, you can see all of your alerts. Another valuable feature is that it integrates with other apps like UBA and SOAR

    I also like the guided alert creation. The guided alert creation is useful, especially for new people who don't know CPL. 

    It's a premium app, it's easy to use and intuitive. 

    Enterprise Security has one pane of glass for all of our alerts. We still use the Enterprise Security page where we keep track of everything. 

    It's very important to us that Splunk offers end-to-end visibility into our environment. It has the ability to identify any security events or if data is reingested, we'll get an alert for that. End-to-end visibility is very important for a mature security program.  

    Splunk helped to ingest and normalize data. Anytime that we put data in, we always normalize the SIEM model. ES runs off of that so it helps us to dot our I's and cross our T's. It helps us to use our data effectively.

    It has tools to reduce our alert volume. We get a lot of alerts. It's more of a tuning thing than anything that the app can help with. 

    It provides us with the relevant context to help guide our investigations. It's really useful in that aspect. 

    It hasn't reduced our MTTR. SOAR would do that. It has helped our mean time to detect. 

    It has increased our business resilience. It's a top-of-the-line SIEM security product. It's the best tool for our security analysts which helps them do their job better. That then protects our company from adversary actors. 

    What needs improvement?



    For how long have I used the solution?

    I have been using Splunk Enterprise Security for about five years. 

    What do I think about the stability of the solution?

    I've never had too many issues with the stability. Years ago we had indexes crash but that was more on us. We didn't understand how to properly size Splunk. If you work within the required parameters, it's stable. 

    How are customer service and support?

    Their support is great. I've never had any issues with them.

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    The setup was pretty straightforward unless you add a search head cluster. Then it becomes a lot more complicated very fast. Other than that, it's not too bad. It's pretty simple and intuitive. I've done it before and it's not difficult especially if you have the docs to help you. 

    What was our ROI?

    I can't speak to the dollar amount but we see ROI in the way that it helps the analysts to better do their work. It helps keep track of things and having one pane of glass for all things data. 

    What other advice do I have?

    I would rate Splunk Enterprise Security a nine out of ten. It's a top-of-the-line product. It allows analysts to do their jobs better. It's a single pane of glass. It's a fantastic tool that we couldn't do our work without. 

    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    Avinash Gopu. - PeerSpot reviewer
    Associate VP and Cyber Security Specialist at US Bank
    Real User
    Feb 7, 2024
    Offers good visibility into multiple environments, significantly reduces our alert volume, and speeds up our security investigations
    Pros and Cons
    • "We can automatically suspend or terminate suspicious sessions."
    • "There are limitations with Splunk not detecting all user activity, especially on mainframes and network devices."

    What is our primary use case?

    Through Splunk Enterprise Security, we have implemented extensive login integration. This allows us to monitor and restrict access for sensitive accounts, such as superuser and master accounts when password rotations occur. If a login attempt is made for such an account, Splunk triggers a real-time workflow that automatically generates a P1 ticket for the Help Desk and IAM Operations teams to investigate and take necessary action.

    Beyond real-time monitoring, we have established additional security measures. We utilize locks within JBOS to control manual account check-ins and user server activity, such as password verifications. Splunk ingests logs from any configured PAM solutions, enabling auditors and our technical team to readily access and analyze all privileged activities. We can also generate reports for session management, session logs, and audit logs.

    How has it helped my organization?

    Splunk Enterprise Security can enhance our organization's detection capabilities. While SIEM solutions are essential for most companies, choosing the right one is crucial. Splunk Enterprise Security is a popular option, and its benefits extend beyond technical teams. It can empower audit teams and provide visibility into user activities, including data sharing and out-of-the-box reports. Splunk's strength lies in its flexibility. It can integrate with other tools to fill any gaps in its capabilities. However, relying solely on one tool like Splunk isn't ideal. PAM tools often have built-in auditing and reporting features, but they may not offer the same level of customization or enterprise-wide visibility. This is where Splunk comes in. It provides a complementary solution, offering multiple ways to generate reports and gain insights.

    We recently focused on enhancing Splunk Enterprise Security's identity correlation capabilities. This involved integrating it with several chosen applications. One key integration involved moving from Puppet to Ansible for managing privileged access management and performing virtualization tasks. Ansible allows for agentless management, meaning we don't need to install agents on every server. For broader asset management, we leverage CI/CD tools for efficient deployment across all servers. These tools significantly reduce the manual effort required.

    Splunk Enterprise Security offers good visibility into multiple environments. However, certain applications in the financial sector, particularly for high-risk activities, still face regulatory or compliance restrictions that prevent them from migrating to the cloud. Despite these limitations, we see forward-thinking institutions like JPMorgan Chase taking the initiative to move lower-risk applications to the cloud. This trend extends beyond finance, with other sectors like healthcare already embracing cloud adoption.

    In my assessment, Splunk Enterprise Security earns an eight out of ten for its ability to detect malicious activities and breaches, but only a seven out of ten for taking action.

    Once we have an enterprise version set up, Splunk handles the initial identification steps of potential threats, saving us manual effort. I'd even rate Splunk a perfect ten for this initial phase. However, subsequent action items still require manual intervention – a bottleneck we can minimize with additional tools like endpoint security threat analytics that integrate with Splunk. This would enable complete threat modeling, including asset identification and mitigation directly within Splunk. Unfortunately, our company hasn't invested heavily in threat modeling, with a limited team compared to the larger IAM and risk groups. Thankfully, the industry is recognizing the importance of threat modeling, leading to increased hiring in this area.

    Splunk Enterprise Security has significantly reduced our alert volume. This has freed up a substantial portion of the IM operations team, who were previously tasked with continuously monitoring for threats and anomalies across various applications, not just spam. By leveraging these threat detection tools, we anticipate being able to reduce IM operations staff by at least 50 percent.

    Splunk Enterprise Security facilitates the acceleration of our security investigations, reducing the required time from one week to one day.

    What is most valuable?

    One of the features I appreciate most is privileged account threat detection. It identifies suspicious activity associated with fraudulent accounts detected on the endpoints of target systems.

    Furthermore, the platform offers threat analysis and reporting that leverages Splunk data. This allows for the detection of irregular user access from machines directly. This functionality is crucial in large PAM environments with thousands of users, as it identifies inactive accounts.

    For scenarios where users might not access the PAM portal to change passwords, different policies are implemented. Splunk plays a key role in detecting irregular user activity. By establishing a three-month threshold, we can identify cases where users haven't used their accounts despite not being on leave or vacation. Such instances warrant investigation to determine the continued need for privileged access.

    We can automatically suspend or terminate suspicious sessions. We have also customized reporting within Splunk.

    What needs improvement?

    There are limitations with Splunk not detecting all user activity, especially on mainframes and network devices. This is because Splunk relies on agents, which cannot access certain workstations. In these cases, we have to rely on application data. For example, with mainframes, manual reports are generated and sent to Splunk, limiting visibility to what's manually reported. This lack of automation for specific platforms needs improvement from Splunk. Additionally, API access is limited for other applications that rely on API calls and requests. This requires heavy customization on Splunk's end. These are the main challenges we've encountered.

    Monitoring multiple cloud platforms, like Azure, GCP, and AWS, with Splunk Enterprise Security presents some challenges. While Splunk provides different connectors for each provider, consolidating data from two domains across distinct cloud environments can be complex. However, leveraging pre-built templates and Splunk's data collation capabilities can help overcome these hurdles. Despite initial difficulties, I believe Splunk can effectively address this task, earning it an eight out of ten rating for its multi-cloud monitoring capabilities.

    While Splunk Enterprise Security offers insider threat detection capabilities, its effectiveness could be enhanced by integrating with additional tools, such as endpoint security solutions. This integrated approach is particularly crucial for financial institutions, which often require dedicated endpoint security teams. While using multiple tools is valuable, further improvements within Splunk itself are also necessary. Considering both external integration and internal development, I would rate its current insider threat detection capabilities as three out of ten.

    Threat detection is where Splunk falls behind. While it offers tools, other use cases require additional work. PAM is an enterprise tool that centralizes information about users, servers, and everything else. It needs real-time monitoring, which I haven't seen in any of the companies I've worked for. They only rely on Splunk for alerting, but real-time monitoring should be handled by the endpoint security team's tools. This means there's no detection or analysis at the machine or endpoint level. Additionally, threat analysis reporting is also absent.

    For how long have I used the solution?

    I currently use Splunk Enterprise Security.

    What do I think about the scalability of the solution?

    Splunk Enterprise Security's scalability and ability to handle large data volumes is great. Splunk can manage a lot of users and applications. I would rate the scalability a nine out of ten.

    How are customer service and support?

    The technical support is a bit expensive but they respond quickly.

    How would you rate customer service and support?

    Positive

    What's my experience with pricing, setup cost, and licensing?

    Splunk Enterprise Security is expensive but the solution is equipped with a lot of features.

    What other advice do I have?

    My rating for Splunk Enterprise Security depends on the type of logs being analyzed and the company's specific environment and setup. If a company is actively comparing Splunk to competitors and their environment aligns well with Splunk's strengths, then a score of nine out of ten is justified. 

    Which deployment model are you using for this solution?

    Hybrid Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    Maaz  Khalid - PeerSpot reviewer
    Manager SOC at Rewterz
    Real User
    Top 10
    Feb 5, 2024
    Robust threat detection with extensive customization options and seamless integration with third-party security solutions
    Pros and Cons
    • "One key advantage of Splunk over competitors like IBM QRadar is its superior device integration capabilities."
    • "Delays in responses from the technical team can pose challenges for both vendors and clients, especially considering that Splunk applications and machine solutions are critical assets."

    What is our primary use case?

    We typically suggest Splunk IT builds for customers with significant EPS requirements and large-scale data environments. While other solutions like Foundry and IBM QRadar may be popular, they often have limitations in handling big data effectively.

    How has it helped my organization?

    It offers visibility across various environments, encompassing diverse infrastructures such as multiple firewalls. Some environments are entirely cloud-based, while others follow a hybrid model with services both on-premises and in the cloud. The infrastructure setup varies depending on the organization's specific model and needs.

    We are highly satisfied with the level of visibility provided by Splunk.

    It offers advanced threat detection capabilities to assist organizations in uncovering unknown threats and anomalous user behaviors. Splunk is utilized for integrating various devices including firewalls and other security controls, enabling coordination of logs and the creation of use cases. Analysts investigate alerts generated by these use cases, identifying and mitigating potential threats. Additionally, Splunk provides built-in and customizable use cases to enhance security measures.

    We utilize the threat intelligence management feature in Splunk, which includes the provision of IOCs. Additionally, we have third-party intelligence services integrated into Splunk, which alert us whenever any related feature is triggered.

    The effectiveness of the actionable intelligence offered by the threat intelligence management feature hinges on the third-party engines integrated or enabled within it. While false positives are common and require investigation, there are instances where identified IOCs are indeed malicious. In such cases, actions like reporting or following a predefined playbook can be taken.

    We leverage the Splunk Mission Control feature, and I have hands-on experience with it. Typically, I manage it through Splunk, where I create rules, reports, and dashboards. Enabling third-party intelligence and other features involves a thorough review process, particularly when onboarding new clients. Once set up, we regularly review our baseline configuration and make adjustments as needed to ensure optimal performance. The Splunk Mission Control feature aids our organization in centralizing our threat intelligence and ticketing system data management. We integrate third-party intelligence services along with our company's proprietary advisories, particularly in the retail sector. This integration enables us to maintain a comprehensive reference set within Splunk.

    We utilize the Threat Topology and Mitre ATT&CK Framework features to enhance our understanding of threats. These features offer micro-mapping visibility, allowing us to align identified needs with specific techniques.

    The purpose of the Mitre ATT&CK Framework is to aid in discovering and understanding the full scope of an incident. Using the micro-hypotheses, we assess whether our subcontractors are adequately covered. We evaluate our rules to determine whether we have sufficient use cases for tactics and techniques, such as initial access. This process helps us identify any gaps in coverage within the Mitre ATT&CK Framework and address them accordingly.

    Splunk is a valuable service for analyzing malicious activities and detecting breaches. However, I recommend ensuring comprehensive coverage of threats by integrating all relevant devices and maximizing visibility into logs. For instance, leveraging firewall logs enables the detection of anomalies at the network level, while logs from EDR solutions can identify malicious activities on endpoints.

    Splunk has significantly improved our threat detection speed. Comparatively, when working with other teams, I've found Splunk to be more efficient due to its big data capabilities, allowing for faster analysis compared to IBM QRadar and similar tools.

    The primary benefits our customers experience from utilizing Splunk in their organization are significant. While Splunk may be more costly compared to other machine solutions, its effectiveness shines in handling large volumes of data, making it ideal for organizations with extensive data needs. Unlike solutions like IBM QRadar, which may struggle with processing large amounts of data efficiently, Splunk's big data capabilities enable it to excel in such scenarios.

    Splunk Enterprise has effectively decreased our alert volume across various use cases. Whenever we develop a new use case, we carefully analyze it, occasionally encountering false positives. In such instances, we collaborate with IT to whitelist these cases. Over time, as we accumulate a robust whitelist, the ratio of false positives diminishes, resulting in a higher rate of true positive alerts.

    It has significantly accelerated our security investigations, proving to be immensely helpful. We can efficiently track and analyze user activities with most devices integrated into the Splunk environment. The visibility provided by Splunk allows us to coordinate activities seamlessly and thoroughly investigate any detected incidents. Whether it's identifying the origin of an activity or uncovering correlations between events, Splunk enables us to piece together the entire user activity chain swiftly and effectively.

    Compared to other SIEM products, I've found that Splunk offers quicker alert resolution times. Its ability to efficiently handle large data volumes contributes to this advantage. Analysts typically have predefined playbooks and investigation checklists for when alerts are triggered, which Splunk supports well. Additionally, we've customized dashboards and reports to further streamline our detection process, ultimately reducing our response time.

    For those seeking cost-effective solutions, Elastic Stack stands out as a popular choice due to its single-source administration and competitive pricing. Many industries, recognizing its affordability and robust services, are swiftly adopting Elastic and other similar solutions like Wazuh.

    The value of resilience in a SIEM solution varies depending on the organization's preferences and requirements. Some organizations prioritize high availability and disaster recovery capabilities, which contribute to resilience.

    What is most valuable?

    As an analyst, I've observed that Splunk offers a variety of rule sets, along with built-in and customizable use cases. We have the flexibility to create dashboards and expand reports for management visibility. One key advantage of Splunk over competitors like IBM QRadar is its superior device integration capabilities. With Splunk, we can seamlessly integrate and coordinate data from various sources, enhancing our analytical capabilities.

    What needs improvement?

    I believe there is room for improvement in reducing costs, particularly in the financial aspect, as Splunk tends to be pricier compared to other options. Additionally, enhancing support services with more technical personnel is essential. Delays in responses from the technical team can pose challenges for both vendors and clients, especially considering that Splunk applications and machine solutions are critical assets. Splunk's pricing may pose a barrier for some users, but if it becomes more competitive, it could attract those currently using IBM QRadar or similar solutions. Additionally, considering the trend towards migration to Microsoft Sentinel, which offers a comprehensive suite including identity management and EDR coverage with Microsoft Defender, Splunk could benefit from offering similar modules. In Microsoft Sentinel, they offer a separate identity management module, which I find particularly valuable. Any anomalies detected within identity management trigger alerts, providing enhanced security.

    For how long have I used the solution?

    I have been working with it for two years.

    What do I think about the stability of the solution?

    It provides good stability capabilities.

    What do I think about the scalability of the solution?

    The scalability of Splunk, particularly when implemented as an enterprise solution, is notable. While we work with a limited number of clients, typically five to six, they are spread across various locations, including the US and Pakistan. From a maintenance perspective, our operations are based in Pakistan. Our clientele predominantly consists of customers from Gulf countries, and we also extend our services to clients in the US.

    How are customer service and support?

    There have been instances where the response time from Splunk's support team has been slower in comparison to others. I find IBM QRadar and similar solutions to have more efficient support teams. I would rate it five out of ten.

    How would you rate customer service and support?

    Neutral

    What about the implementation team?

    Our deployment team handles both deployment and support services, including maintenance responsibilities.

    What was our ROI?

    It offers a return on investment for our company.

    What other advice do I have?

    Overall, I would rate it eight out of ten.

    Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
    PeerSpot user
    Manager, Security Engineering at a computer software company with 1,001-5,000 employees
    Real User
    Oct 15, 2023
    Rock-solid reliability with great threat intelligence management and good visibility across environments
    Pros and Cons
    • "The feature that we use the most is the correlation search engine within ES."
    • "It is a hugely complicated product."

    What is our primary use case?

    I've been building SOCs for multinational banks across Asia and Australia, the Middle East, and right now in the United States.

    It's the tool that we use to build SIEMs to meet logging requirements and to identify security issues across larger states of data sets.

    How has it helped my organization?

    We wanted to give our analysts visibility in near real-time to problems as they occur. That's the goal. 

    By using the frameworks that we've adopted, like MITRE ATT&CK and the coverage mapping, we're able to show the divisions that we have in our detection environment. And we map that across with our prevention layers just to describe to the business the deficiencies we have. We can show, for example, these are the areas we can't see since we don't have logging for them, and or these are the areas we can spend more time on to draw down risk due to the fact that, while we have the logging, we haven't got the searches and correlation searches in place. That would perform detection behind the preventative controls. So it gives us a guide as to where we can spend time better.

    What is most valuable?

    The feature that we use the most is the correlation search engine within ES. That is the one we use. Absolutely the most. There are a lot of other features in there, however, that's the one we use.

    Our organization does monitor multiple cloud environments. It's not "easy" per se. I'm a Splunk-certified architect. I've got 30 years of experience. If you've got 30 years of experience and you're a Splunk-certified architect, it's easy. If you haven't, you've got no chance.

    Splunk Enterprise Security's visibility into multiple environments, for example, cloud, on-prem, and hybrid is good. Splunk doesn't care. It's as easy on-prem as it is on the cloud, as it is hybrid. I've built up all three individually and separately depending on the environment.

    The insider threat detection capabilities for helping our organization find unknown threats and anonymous user behavior are okay. It can do it, however, it is not out of the box a UEBA. It doesn't pretend to be. Splunk has a separate product for that which is not the enterprise security suite. That said, if you enable the access domain correctly within ES, it gives you really good insight into what your Insight users are doing. That's what the access domain is. However, it doesn't have the advanced features that you would expect from your UEBA product as it is not one.

    We use the threat intelligence management feature. My impressions of the actionable intelligence provided by the threat intelligence management feature are mixed. We import anomaly threat intel into the Splunk ecosystem to do that. We use the framework that Splunk provides, and we supplement it with the threat intel from a third party, and that works really well.

    We use the MITRE ATT&CK Framework. We’ve mapped all of our detections around that Miter framework. There's there's four frameworks built in, and we chose Miter. It just makes more sense. You only pick one. There’s no sense in picking more than one.

    It’s helpful to uncover the overall scope of an incident. If you've done the work to map your MITRE ATT&CK Framework into the product, then you have a hit against a MITRE ATT&CK technique. Then at least you know where it is in the MITRE ATT&CK framework so that you can describe it as a common frame of reference with a third party. However, it doesn't necessarily give you an idea of the scope. It requires more effort. That said, it's certainly a really good starting guide as to where you are.

    Splunk Enterprise Security is okay for analyzing malicious activities and detecting breaches. It's only as good as the operators that use it. Out of the box, it doesn't do anything. You have to put the work in to make it do that. I can't begin to say how useful it is when it's first configured. You need to spend a lot of time working on your environment to make it do that.

    It helped us detect threats faster. Without it, you can't check anything. It's too complicated.

    The solution has helped us speed up our security investigations. Without it, you don't have investigations. Also, with the alerting itself, Splunk becomes best of breed.

    What needs improvement?

    Enterprise Security hasn’t helped us reduce our alert volume. The analysts have, however.

    We do all of our enterprise security on-prem. We avoid the Splunk Cloud solution since we want the flexibility to build our own. It is a hugely complicated product. Obviously, anything that they could do to make it easier would be ideal. 

    For how long have I used the solution?

    I've used the solution for over ten years. 

    What do I think about the stability of the solution?

    It's rock solid. It never failed. Having resilience in our organization is fundamental to our security position. 

    What do I think about the scalability of the solution?

    We're a multinational and have Splunk in the UK and US. We have 2,000 employees, and 2,000 endpoints, at the employee level. We also have around 12,000 production endpoints and it runs across a multi-cloud hybrid that includes GCP and AWS. It also has a tiny on-prem footprint.

    You can horizontally scale someone instantly. I've never been afraid we would exceed horizontal requirements. 

    How are customer service and support?

    We don't use technical support. 

    Which solution did I use previously and why did I switch?

    I did not previously use a different solution in this company. 

    A long time ago, the company replaced ArcSight with Splunk. 

    How was the initial setup?

    The initial deployment was complex. 

    Our strategy has been to avoid clustering for searching and to build a significantly larger virtual machine for running the ES environment as a stand-alone. It's got 128 cords and 256 Giga RAM so that it can run inside itself and not have to cluster since a cluster adds too much complexity.

    We only need one person, myself, to deploy the solution. I'm a Splunk certified architect and I have 15 years of experience doing nothing but Splunk. 

    The solution does require some maintenance. We have seven people in total handling maintenance. 

    What was our ROI?

    I have witnessed ROI. However, luckily, our center does not have to pay for the license. 

    What's my experience with pricing, setup cost, and licensing?

    We get enterprise licensing via Intuit, our parent company. The licensing is horrendously expensive. 

    Which other solutions did I evaluate?

    I did not evaluate other options. This solution was in place when I arrived. 

    What other advice do I have?

    I'm an end-user.

    If you are looking for a cheaper option, you probably don't have a focus on security or have a risk that you care about enough to purchase a premium solution. If you look at the Gartner roadmap, Splunk is a clear leader, and it's always at the top right quadrant. Everything else is attempting to catch up to Splunk. There's no one else in front of it. If you choose something like Elastic or Sumo, your company doesn't place an emphasis on security. 

    I'd rate the solution nine out of ten. It's a lot of work. Almost nothing works out of the box. You have to invest in it for three to five years at a minimum. 

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    Rishabh Gandhi - PeerSpot reviewer
    Senior Security Analyst at Inspira Enterprise India Pvt. Ltd.
    Real User
    Sep 21, 2023
    Can be used to find any threats or vulnerabilities inside a user’s environment
    Pros and Cons
    • "Our clients use the solution to find any threats or vulnerabilities inside their environment."
    • "It would be great if I could have a certain dialogue box in Splunk that uses innovative AI tools like ChatGPT, which are available now in the tech department."

    How has it helped my organization?

    Splunk Enterprise Security has given me quite a context of how I will approach deploying use cases. I'm also using other tools that Splunk sells. The query-based Splunk deployment certainly needs a specific knowledge requirement because knowledge transfer has to be there. There has to be practice on the query side because the query is the main part of understanding Splunk.

    In other tools, it's just click and drag where you take the fields from one place and copy-paste them. There is a learning curve in the context of understanding Splunk, which is difficult for every user to grasp within a short time. It is easy to use the solution after having that knowledge. There is a certain learning curve to learn Splunk query language.

    With Sentinel, you can click on the field and select it, but with Splunk, we have to write queries to understand what is in the logs and understand certain fields from the logs that are visible to us. We need to know what kind of fields we need, how to create statistics or tables through it, and how to create visibility of reports through query because everything is through query. A query is the main thing for Splunk. There is a learning timeline that users will have to cover to benefit from Splunk because that is something that a user has to be careful about.

    What is most valuable?

    We use Splunk Enterprise Security to serve our clients. Our clients from the financial and health sectors deploy the solution in their environment for cloud visibility. Our clients use the solution to find any threats or vulnerabilities inside their environment. We use the solution to get use cases, reports, dashboards, or visibility onto their environment. We use the solution to detect any attack or malicious intent of users inside the environment. We try to create use cases specific to their environment through Splunk Enterprise Security.

    What needs improvement?

    Splunk Enterprise Security has a learning curve that needs to be improved. I have seen users struggle with Splunk just because of the language they've used to create it. I've recently started working for the past three months on Sentinel. The same thing happens with Sentinel, where you select certain things, and it will create a query for you.

    It would be great if I could have a certain dialogue box in Splunk that uses innovative AI tools like ChatGPT, which are available now in the tech department. If a user is struggling, they can just ask an AI tool what they are trying to do with a query, and then it can suggest how a query can be written for a particular user. It can help in a way to understand the context of what the user is trying to write, which will be very helpful for ongoing operations.

    Even if users have zero knowledge, they can get comfortable with Splunk much more easily if an AI tool helps them write a query or search for any indexes or data models. It will be able to give more context to the user regarding how they should approach the query. This can be done using AI tools like ChatGPT, which will understand the context of what the user is trying to approve and give suggestions based on it.

    For how long have I used the solution?

    I have been regularly using Splunk Enterprise Security for the last seven months.

    What do I think about the stability of the solution?

    Splunk Enterprise Security is stable 70 or 80% of the time. However, the query gets slow whenever a large number of people are working on Splunk.

    What do I think about the scalability of the solution?

    Splunk Enterprise Security is a scalable solution, but the scalability part impacts the solution's performance.

    How are customer service and support?

    We have not yet contacted Splunk's technical support, but we do get regular emails from them providing some context of updating something or threats and vulnerabilities. They do provide a certain kind of visibility, which I do like. They provide their clients with insights into what kind of threats might be present or what kind of composition they're trying to resolve. They give quite a library of expertise and particular emails.

    The documentation side of Splunk is something that I appreciate as a Splunk user. This is something that is not visible in other environments. Splunk has taken a step ahead compared to other SIEM tools in providing context for understanding the documentation of how the tools work and how you can utilize the tools.

    There is a great learning website for Splunk users, where they provide sets of videos. A small environment will be deployed for users to test and understand the queries. That is something which Splunk has invested quite heavily in, which is very much appreciated by the users. We can easily learn Splunk from their environment and understand any attacks happening because they've already provided so much of the content library. That is great from Splunk's perspective.

    Which solution did I use previously and why did I switch?

    Our client already had Splunk working for them for the past six to seven years. The earlier version of Splunk was not reliable and stable to deploy because it used to take so many resources. Even though it has decreased now, the resource requirement is much greater than other tools. Certain organizations or start-ups feel a little bit restricted because, despite being a great tool, they can't use Splunk because of its cost features.

    Some organizations use basic SIEM tools like QRadar, which is a great tool. Some organizations use LogRhythm. LogRhythm has a market presence since it also writes great insights into the dashboard. Splunk has certain tools that precede other SIEM tools. QRadar and LogRhythm are used because they are very intuitive and don't require any previous knowledge of using those tools. With Splunk, you will have to understand the context of using a particular field or setting and what it provides you.

    How was the initial setup?

    The ease of deploying Splunk Enterprise Security is very good. You can get visibility on which particular device you are receiving logs from, give them an index name, and give them a field where you want the logs to go. That is something good that we can understand directly from Splunk. We don't have to go and do that manually from different tools. That was one of the good things while implementing the solution.

    What about the implementation team?

    From the client team, two people were involved in the deployment process. One person was from their implementation team to understand how the tool is deployed. Another person was from the admin team of engineering, where they were trying to understand what resources they needed to deploy to get usability of plans. A third person was there to understand the context of how the log will be initiated into Splunk.

    That is something that was required from their environment. From our side, there were three resources with expertise in Splunk. They were the first hands-on people who were working on the implementation side. Later on, I came into the picture so that implementation could be done to create visibility in the client's environment. Before passing and giving them indexes, the context was taken from us by giving us visibility into the environment and how we want to approach it.

    What was our ROI?

    US customers or customers with a bigger cybersecurity budget have seen a return on investment with Splunk Enterprise Security because their internal team is using it. They have seen much more return on investment regarding how their environment is visible. However, the majority of Splunk users have faced issues because of licensing purposes.

    Companies cut out budgets to include a reasonable SIEM tool rather than having the costliest solution. For certain markets, it serves a purpose and gives a great ROI. One of our customers has said that it's a good investment tool. They have been using it, and they have been getting great insight. It is certainly serving them a purpose, and that's why they are using Splunk Enterprise Security.

    What's my experience with pricing, setup cost, and licensing?

    Splunk Enterprise Security is a very good tool, but it uses many resources and comes at a very particular cost, while other tools can easily do the work. There are certain pros and cons to using Splunk Enterprise Security.

    The solution's pricing will depend on enterprise to enterprise. For a small enterprise, the solution's cost of ingestion to the cloud will be very high compared to other tools. The licensing cost of data usage is much higher for Splunk than any other tool. Splunk Enterprise Security is not at all cost-friendly to be deployed in very small enterprises like start-ups. Using Splunk for small enterprises is unreliable, and I rate the solution two or three out of ten for its pricing in small enterprises.

    I rate the solution five out of ten for its small to medium-enterprise pricing. If they deploy it and have expertise, Splunk Enterprise Security will give them more visibility into their environment. This tool will require licensing costs. If they don't have more environments from where they ingest logs, their data licenses will also be less.

    If large enterprises can afford Splunk Enterprise Security, they must select it since the experts working on Splunk can give much more complex insight than any other tool. For large enterprises, it's a great tool for visibility because it can create complex queries, including two different indexes. That is something quite unique about Splunk Enterprise Security.

    What other advice do I have?

    I am working with the cloud version of Splunk Enterprise Security.

    Splunk has certain kinds of health issues that usually get reported. If the search query is lagging, we do check where the query is lagging. That is something that we have to refine. It's a hectic activity, which requires the workforce to understand the context because not every user with a simple understanding of Splunk will be able to do it. It requires understanding how the queries are running, how it is scheduled, and how it uses the resources.

    Two sets of people work on it: the analyst from our side and those directly using resources from the client side, who work in their security department. They might have some precedence in the environment, which we might not have. We may face lagging of query and, sometimes, queuing of the query, even though we have run it. It will be the first query we are running, but it will be skewed since we don't have the precedence of running a query.

    It will give precedence to other queries over ours. It's a thing that we have to manage. This usually doesn't happen with other SIEM tools. That is something where Splunk has to be less expensive or less maintenance. We are struggling because we only identify after the query has gone rogue to invest in it and spend more time resolving issues.

    Until now, I haven't used the threat intelligence management feature or even the data model. I use the documentation provided by Splunk on different attacks, which we can view on their site. They already provide insight into attacks on Active Directory or AWS in their documentation library. That gives a good context of how I can search for the different kinds of attacks.

    I'm also automating some of the reports on how I challenge threat intelligence. I'm also doing threat hunting in their environment for some of our clients. I'm trying to find any anomalies with the configuration in their environment, which they are unaware of.

    Suppose someone gets a response from their environment regarding weak encryption or a configuration that provides certain privileges to certain users, like any query or command line. We find great visibility from their documentation side. We will need time to get acquainted with Splunk threat intelligence management.

    Earlier, I started using Splunk Enterprise Security in 2021. I had a trial with Splunk Enterprise Security and contacted the Singapore team to understand the solution. I was working in a startup and wanted to integrate this solution. I was able to get a trial period for three months. I was able to deploy it on the whole server and learn about the Splunk query language. After the trial, we couldn't purchase Splunk as it's a costly tool.

    I initiate use cases, analyze the logs, and implement new logs. Since Splunk supports add-ons specifically for different services, we have created plug-ins to integrate any new AWS logs. Implementation of logs also falls under our category. My main job is cybersecurity. I need to understand all the logs to create use cases that cannot be specifically created by a single person who only understands the injection. The context is important to create the use cases.

    We use Splunk Enterprise Security to create visibility into the client's environment and research the threats or vulnerabilities inside their servers. We're trying to detect any vulnerabilities regularly by creating specific reports for our purposes for some exploitation, which can happen if you get certain kinds of privileges. Whenever something malicious happens, Splunk Enterprise Security will send us a report containing that specific activity's data.

    I can create specific queries to get reports, which I have not observed in other tools. The same can be replicated for the dashboard or vice versa. Splunk already provides a library of use cases regarding attacks. Their website also has a great amount of documentation on how to search for different kinds of attacks in an environment using certain scripts.

    It's very good for users to go through their documentation. Users need not purchase a second solution or outside inventory to get visibility about the kind of attacks they can see. That is something Splunk has already prepared for its clients or users.

    Everything concerning Splunk Enterprise Security is quite different from other tools. Splunk Enterprise Security has features that are very different from other vendors. These features include viewing correlation or drill-down searches of specific use cases, mapping those comments, and closing any alerts triggering the incident review.

    The solution gives us some visibility on the use cases directly. Query is one of the strongest things that Splunk has. With the respective data models, we can create queries running much faster than other environments.

    Splunk Enterprise Security gives certain advantages of deploying and automating some of the things we usually do manually in other tools. One of the biggest advantages of the solution is that we can detect threats and vulnerabilities in the environment by creating certain dashboards that give visibility. We can create certain reports, giving us continuous activity reports of anything malicious. We can schedule it at a specific time and send it as a mail.

    That gives Splunk a greater advantage of providing insight to the person trying to see any kind of threats or visibility. The solution is intuitive because it lets you choose how you want to be notified regarding any kind of threat. I can correlate from one index to another by correlating searches by stretching one of the fields from one index and then searching for that information in another index. That is not quite possible in other tools and is unique to Splunk Enterprise Security.

    With Splunk, we can correlate between any kind of endpoint device, what IP they are mapping through, and search the firewall in the same query whether that IP was allowed or not. It's a very intuitive tool that allows us to create multiple complex queries to solve a problem in a single go rather than opening different instances of different devices and then comparing them manually.

    We deploy all of our use cases and reports with respect to the MITRE ATT&CK framework. We write the tactics and techniques of the MITRE ATT&CK framework inside the use cases because there are fields we can fill in about the MITRE ATT&CK framework. It is very useful for us to monitor what kind of MITRE tactics and techniques we have already covered. For anything missing out, visibility is also great so that we can monitor all the users with respect to the MITRE ATT&CK framework.

    In our organization, rather than using only the field change, which covers only some parts, we always deploy use cases with respect to the MITRE ATT&CK framework. We have assessed specific use cases for every environment, whether Windows or AWS. We cover certain default use cases, which we want to create in the environment for covering the MITRE so that those are crucial for discoverability whenever something triggers.

    Those are also crucial whenever we want to see how much coverage we have according to one device, like Windows log, Linux log, or AWS or Azure environment. If there is any scope of vulnerability present, someone might be trying to attack AD, and the MITRE ATT&CK framework covers it. On the MITRE ATT&CK framework side, I can put a technique they're using for a threat that might be present for initiating the attack. That gives us great visibility of providing threats.

    When we are filling out the MITRE ATT&CK framework, any person from cybersecurity will be directly able to copy-paste any technique onto their Google search. They will be able to know what kind of MITRE technique we are trying to cover and how the use case will help them. That can already be done from a use-case perspective. We don't have to go to the library to know how we deployed the use case. That can be done from every different alert.

    There are glitches and notes, and it gives more context with respect to the sensing tool. The main field is the activity field, where jobs are there. The usability of that particular feature, where I can see which particular job they're running, gives context to us on how the query is being run in the back end and how they are scheduling it.

    If I don't have certain admin privileges, I might not be able to schedule my query. It will certainly give precedence to the admin account, and if I want to see great visibility into the search I'm doing, it will take a certain time.

    Only after a certain privilege query is being run will it give precedence to my query. That is something where the distribution of resources can be separate. A separate tool can also be created for giving certain privileges to temporary users so that they can run their queries to find any threats or vulnerabilities. Also, not every query for admin needs to be run at certain privileges. It can be asked during the time of deploying whether this query requires a certain precedence.

    Splunk already has specific definitions for finding threats. It can be through a network or a signature. They already have different kinds of internal assessments of how we're deploying use cases and how Splunk understands it. The same can be given to users because sometimes when we try to search for any threats, it gives precedence to other things. Even though the tool is good, it takes time to give us visibility because of the involvement of so many resources.

    On the admin side, if I have certain privileges and everything is running fine, I have great visibility on understanding the use cases and deploying correlation between two different indexes to find any threat. That is great because I don't have to manually create ten use cases, where I can create five and cover both the indexes from which I want to get a query. If I want to search a user's active directory for the kind of privileges they have, I can only create a single use case and cover both.

    I don't have to search for it on different use cases manually. Splunk gives great visibility into the dependents of both indexes' coverage in one field. It gives much more context. I can get output from both indexes and correlate what has happened in the user's environment much more quickly rather than using other tools.

    Compared to other tools, Splunk Enterprise Security has helped us reduce the volume of alerts and visibility of fine-tuning because it provides many different aspects. I can reduce the volume of alerts by helping users. If they have certain kinds of IPs or exceptions to the rule, I can create a macro. If they have a list of things, they can directly include another macro to make it an exception.

    I can create a local file, which is a very good thing for them. They can provide insight on the local file, and I can create a specific query if they want insights on that particular local file whenever something is happening. This useful feature that Splunk provides allows users to have visibility because these are the things users might have done manually on other tools.

    Since some dependencies or add-ons for visibility are already inside Splunk, it gives a lot of insight into threats. It reduces threats and gives more context to what we are trying to search for. It automatically gives us a report rather than manually checking for every other field.

    Compared to other tools, Splunk Enterprise Security gives context into the raw logs, which are present in my environment, and also what are the fields I'm trying to see. It gives visibility rather than showing all the empty fields, usually presented in other tools, whenever I open any alert.

    There are certain fields that are empty and others that are filled. With Splunk Enterprise Security, I can directly check which particular fields I want to see. I don't have to manually go through the whole logs page and select whatever field I'm trying to see. That is a feature in Splunk for investigation purposes.

    The time taken by our analyst to resolve alerts compared to other solutions is less. Other tools provide all the available fields, and a person has to decide which field they require for a particular use case.

    In Splunk, you can directly point out all the necessary fields required for a particular query you are trying to run. Then, the user can easily assess which particular field they want to investigate more. This great feature from Splunk gives an analyst less time to wait for the alert and more time to do an analysis.

    The recent CrowdStrike report reported that the majority of the cyber attacks are from active directories and from the carelessness of users through phishing emails. Even though the visibility needs to be there in cyber security, organizations still usually use SIEM tools, which are much cheaper. For such cheaper tools, they have to hire many analysts, and every analyst has to be on the same page to understand the context of what is going on in their environment.

    If they already have a small team, they can do this work easily in Splunk. An organization needs to understand how complex their environment is. If their environment needs a certain kind of visibility, they need to go for a tool that serves their purpose of providing insight rather than going for the cheapest solution. Also, it will be much more beneficial for their hiring purposes. Relatively fewer people will be required if they can closely monitor Splunk and create queries. If certain users have already used Splunk, it will be great for them to deploy the solution.

    Splunk provides much more insight concerning the closeness of understanding everything going on in their environment. A certain group of people can get the context of what is working in their environment and how they're approaching it. This is less of a hassle in other tools where every use case will be deployed irrespective of dependency on one use case.

    One field or one endpoint solution will be different from an authentication tool, and they won't be correlating as such. We will have to do that manually and search for any similar field manually. Whereas in Splunk Enterprise Security, you can deploy it at once. So, less workforce will be required for deploying, understanding, and giving context to the users working on the environment inside their organization.

    Our US customer has more than 15,000 to 20,000 devices deployed since it's a hospital. They have ingestion of data from every side from where logs can be ingested. Every employee working in the environment will be interacting with the internal sources. So, we see logs in every device, including laptops, desktops, medical devices, firewalls, and mobile devices. Usually, doctors get updates and visibility on their mobile devices. These mobile devices should not be attacked as they are the ones where the user data or the patient's data is exchanged very informally.

    They have deployed specifically Armis to get visibility onto their network communication, which is a very good tool. They have invested in automating the resources, creating visibility onto their environment, and blocking certain communication. They can create specific playbooks with respect to it. It has given them a much more context. The same thing is not necessarily happening with other clients because they have deployed very few devices.

    So, there was no complexity in understanding the environment as such. For them, Splunk provides the same insight as any other tool. For them, it's not serving the same purpose. For them, the deployment of use cases is good and not that complex. Besides that, Splunk is not serving this client's purpose because they already have fewer resources deployed. For them, Splunk does not provide any visibility or context that could not have been filled out with any other SIEM application.

    I will certainly say that Splunk Enterprise Security is a great tool if you have the context and patience to learn it. It can also serve a great purpose of understanding the environment much more clearly and easily than other tools. Users will have to compare the pros and cons if they can afford it because it will be expensive for any organization.

    Overall, I rate Splunk Enterprise Security an eight out of ten.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    Cyber Security Analyst
    Real User
    Top 20
    Jul 9, 2025
    Creates dashboards for analysis and provides notifications for security incidents
    Pros and Cons
    • "The ability to easily aggregate data and make meaningful reports is what makes Splunk Enterprise Security excellent."
    • "They should put out more educational resources for users to learn how to use Splunk Enterprise Security."

    What is our primary use case?

    Most times I use Splunk Enterprise Security for log analysis, and I also use it to create alerts for any security incidents. There are some alerts I set up on my endpoint, and once the alert is triggered, I get a notification. I also use it for visualization. I create my own dashboard to send to my managers for analysis, for reports, and all of that.

    What is most valuable?

    The ability to easily aggregate data and make meaningful reports is what makes Splunk Enterprise Security excellent. If I want to search for the number of failed passwords, I can go to my index, write my query, and create a report quickly. When my manager wants me to create a report concerning a particular incident, I go to my dashboard, type my query, create my dashboard from there, and everything works out smoothly.

    What needs improvement?

    They should put out more educational resources for users to learn how to use Splunk Enterprise Security. If they could have a manual or guide similar to Linux, where users can search and see various commands for different searches, it would help users navigate their way around the product more easily so it wouldn't be so complex.

    For how long have I used the solution?

    I have been using Splunk Enterprise Security for over two years now.

    What do I think about the stability of the solution?

    There was one instance when I was trying to use the Forwarder and it wasn't working properly. Apart from that, Splunk Enterprise Security has been perfect for me.

    What do I think about the scalability of the solution?

    When trying to connect to other endpoints using the Splunk Enterprise Security Forwarder, I encountered connectivity issues. This occurred while setting up for a company, and the connection wasn't working properly.

    Which solution did I use previously and why did I switch?

    I have used Wazuh.

    What's my experience with pricing, setup cost, and licensing?

    The pricing could be reduced to make it more accessible.

    What other advice do I have?

    I would rate Splunk Enterprise Security an eight out of ten.

    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    Buyer's Guide
    Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.
    Updated: June 2026
    Buyer's Guide
    Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.