Splunk Enterprise Security Reviews

Splunk Enterprise Security serves as our primary tool for endpoint detection.

Our organization manages security across multiple cloud environments. Splunk Enterprise Security is a valuable tool in this process, offering a comprehensive dashboard that centralizes monitoring for all our cloud deployments. This unified view allows us to efficiently track security posture and identify potential threats from a single location.

Splunk Enterprise Security offers strong capabilities for detecting insider threats. This security platform excels at analyzing data from a variety of sources, allowing it to identify unusual user behavior patterns.

It does a good job of analyzing malicious activity and helps us detect threats faster.

Splunk Enterprise Security helps reduce our alert volume and helps speed up our security investigations.

In our financial institution client environment,  The insider threat detection capabilities allow us to closely monitor credit and debit card transactions for any signs of compromise. By leveraging Splunk's capabilities, we can proactively identify and address potential security threats that might impact our client's financial data.

We have improved our incident response time with Splunk.

Splunk Enterprise offers a variety of apps that cater to different needs. These apps provide features like directory management, add-on and data model control, report dashboards, and alerts. Notably, some of these functionalities are available in the free version. Additionally, there are separate apps for security purposes. Our EMEA region has its own set of apps, allowing them to upgrade, maintain, and manage separate dashboards specific to their requirements.

Dashboards can be customized to allow users to easily monitor specific data relevant to their needs. This might include data segmented by country, region, or even customer credit card information. By customizing the view, users can quickly identify trends and gain insights into areas of particular interest. Additionally, dashboards can be configured to automatically display default information or alerts upon opening, further streamlining the monitoring process and ensuring users can find the specific data they need right away.

Splunk Enterprise Security is a valuable tool that allows us to monitor data from the APS daily. This monitoring focuses on the success or failure of APS calls. Successful calls are identified by a status code of 200, while unsuccessful calls are indicated by a status code of 400 or any other code. By monitoring these codes, we can proactively identify situations where the intended data retrieval fails due to backend server issues. This distinction is important because it helps us differentiate between failures caused by backend server problems and those resulting from issues with the monitoring team's ability to send requests. This clear separation allows a dedicated team to investigate these specific backend server failures and implement resolutions.

Data profiling, data onboarding, and data maintenance are all crucial steps in ensuring the quality and usability of our information. However, encountering missing files disrupts this process. When files are absent, troubleshooting becomes difficult, and performance issues inevitably arise.

I have been using Splunk Enterprise Security for many years.

Splunk Enterprise Security is stable.

The initial deployment is straightforward.

I would rate Splunk Enterprise Security eight out of ten.

Splunk Enterprise Security is a powerful security solution that offers flexibility. This flexibility empowers our team to adapt and respond to evolving threats. With Splunk Enterprise Security, we have the tools and adaptability to effectively address whatever security challenges we encounter.

I recommend Splunk Enterprise Security as the most suitable solution for monitoring and protecting our data.

We're using the solution for log analysis and our internal infrastructure. We may use it for customer offering at some point, but currently, it's completely internal.

The solution's most valuable features are the granularity and analysis of the logs. Once you learn the syntax, it's a great tool. These features are important to us because they enable us to drill down to certain users doing certain things and perform trend analysis.

I have been using Splunk Enterprise Security for well over a year.

We’ve had no issues with the solution’s stability.

We have 90,000 users and deal with massive amounts of data volume.

The solution’s technical support is fantastic.

Positive

We were using IBM's TSM backup tool and our own internal tool. We switched to Splunk Enterprise Security because we wanted to be more of a cloud-forward company and didn't want to host everything on-premises.

We installed the solution mostly by ourselves, but we did have a little help. We installed heavy forwarders at a relatively low cost. Since we already had a VMware environment, we just set up the VMs for the forwarding.

We have seen a return on investment with the tool in terms of seeing what users are doing.

Splunk Enterprise Security incurs a significant cost because of the amount of data we send, but we are fine with the value we're getting for that price.

The tool provides much more insight into what users and our apps do. We also use the solution to monitor a lot of machine-to-machine traffic.

We have a hybrid environment. All of our internal tooling is in our internal data centers, but we also have a big cloud presence for some of our other tooling and mostly for our customers. Speaking from the internal side, Splunk Enterprise Security has been fantastic in helping us find all kinds of security events every day.

Splunk Enterprise Security has helped improve our organization's ability to ingest and normalize data. The solution has helped us have everything in one place and grab everything at once. The tool has also helped us solve problems in real time. The Ops team will approach us when they are stuck with a problem ticket. We can look instantly, see what's happening, and track it down.

The solution provides us with the relevant context to help guide our investigations. This context information makes things easier and faster for us. We get more information about exactly what's going on.

Splunk Enterprise Security has helped us save around 50% of our time.

Splunk Enterprise Security has helped reduce our mean time to resolve by 50%.

Overall, I rate the solution ten out of ten.

We have an engineering team working on the back end to receive data, they do data modeling, and create dashboards. That's been pretty useful.

Splunk Enterprise Security helped our organization a lot. In the past, we relied on every single product that had its own kind of audit trail information. We needed to go and look for it, for example, in the Windows environment. We have to use the event viewer a lot to look for certain things, like system applications and security logs. In Linux, we have to use the log file, and under certain applications in the Linux environment, we have to look at the logs for that as well.

That's just part of the operating system. It is not the infrastructure, like network devices. When we centralize logs, we put everything in one location. 

Our advanced users can do the SPL query anything they want. Executives or higher-up management users need to look for certain things, like how many systems are missing patches for this month or who logged in today from where, what they did, and how often they re-authenticated to the systems. 

We have a lot of data from businesses, data from our devices, and more. When we put it all in the ES, it gives us the ability to look at certain functions. It provides more insight into our data, where it's traveling from, between endpoints, and what they're doing with it. 

We also look into performance. We use other monitoring tools as well, and that data is also piped into Splunk. We have a centralized platform that we can navigate to look for everything we need rather than having to go to each individual system, like Cisco Syslog or we have to go to the Forcepoint console to look for it. It is a centralized platform that gives us more insights into our data or what's happening in general. 

It is very important that Splunk Enterprise Security provides end-to-end visibility into our environment because, at any given point in time, we want to know what's happening to the data. Data privacy is the primary concern. We want to make sure that authorized users get access to what they are authorized to so that data would not leak out or travel from a different path. Again, we get a lot of data in there. We understand more about our data to improve the business in certain aspects.

We know that during certain times of the day, a lot of people access a server or website.

Then it'll give us more insight about where we need more network bandwidth or where we need to upgrade network devices. We understand more about our data, like how many people access the data lake house. And that's just for performance. 

On the security side, we would know who's accessing it from where. Are they authorized to do so, or is there any weird access pattern in locations that they're not supposed to be in?

So again, we get the data, we centralize it, and we can do data mining. We can pull out anything from there rather than looking all over the place, like, "I want to find out if he's working today if someone's using his account, or from which devices he accessed data from two different places."

From Splunk Enterprise, we can either do it manually or have our engineers create an audit dashboard. Or, if you are an advanced user, you can do SPL queries that will give you anything you need.

The alert volume depends on the users. If they do what they're supposed to, then there's nothing to talk about. If not, it's more or less on how you manage the data, educate your users, and control your system. Based on that, Splunk might play zero, fifty percent, or seventy-five percent role.

In a way, it has helped improve our organization's business resilience. It's a way for us to predict the pattern of data access and other things going on.

Knowing a way to do that, if we have enough resources to do it, is fine because we have so much data, but no one's really monitoring it. If we get alerts in the middle of the night and we don't have anyone to handle it, it's not going to help.

It's another aspect that we worry the most about, where our data is floating. 

Now that we've centralized our log information into Splunk, we want it to be secured well because now users can predict a pattern of data access from where, and from whom. 

We put all of our logs and data into Splunk, like network switches, firewalls, and web-based protection. In general, every component within the infrastructure sends data to Splunk. 

Then, we have an engineering team transforming, manipulating, and analyzing the data to create a front-end dashboard in a meaningful way.   

With the new announcement of version eight, it's going to give us a single point-and-click. On the front page there, that will give us a whole lot of information that we need to look into on the right panel without navigating down or going to more details, clicking here and there.

We've been using it for quite a few years now.

The solution of choice depends on the engineers and teams. If they manage Linux, they're comfortable with certain tools to read the logs. In a Windows environment, it depends on the engineers. They favor any certain tool; they would do it, but it would be to cut down costs and consolidate all the software strings.  

Splunk was not that big years ago. But then we started seeing that they put more investment into it and made the tool more useful.

We're not using the cloud version yet. This is just the enterprise product on-premises.

Splunk can improve the pricing. People like certain features, and sales use the features that they provide, the automated features, to hook customers into paying for the big-price license.

Everyone does it, like Microsoft and Cisco. Initially, you try out the free version, but once you get it in your shop and turn it into production, you start relying on it and don't want to get out. You start paying a lot more for it.

Splunk is on the right path. It's good, but it does not provide everything that we need. There's a lot more to it. I look at it as ideal for detecting in real-time, but we're always behind and just look at the log information. 

If you have a network device, a Splunk Enterprise instance, and you have to send data to it. You're relying on network connections. 

If you're using a cloud service or anything where Splunk is not on-premises, there's high latency. If that network connection is down, that's it. You don't know what's going on. So even if you have it on-prem, you're still relying on it after the fact. 

When you look at Splunk, you're looking at things that have already happened. It's nothing that's actively going out there and doing something for you. 

If you had to give it a number, from one to ten, since they've gone this far, I'd give it a five or six. Because locking or monitoring is just a part of business, and how you're going to receive those alerts and act on them is another part of it, when I look at the overall infrastructure and infrastructure management.

The main use cases are with the firewall, DNS, and Windows events. These are the three basic ones to start with. Once they're done with all the compatibility and introductions, custom use cases will follow.

It's currently in the implementation phase. But, it will surely improve response time and make it easier to collect and check everything in one place. Instead of going to multiple dashboards and running multiple queries, all can be integrated into one dashboard. You can just click and then go drill down into deeper levels and get more information.

Splunk Enterprise Security provides end-to-end visibility into our environment. It's very important because: 

1. This tool is used as SIEM implementation. End-to-end visibility is really important in such a case; if something is missed, it's an error. 
2. Also, we belong to the retail sector with over 700,000 employees. We have a lot of endpoints and everything is open, so end-to-end visibility is essential.

It helped our organization to ingest normalized data. With Windows, DNS, firewalls, and the open use cases we've checked, we've gotten more data in. The compatibility with the add-ons helps us add more data in the same compatible format and use data models to elaborate and make it faster.

The investigation dashboard provides a lot of value. In the same dashboard, we get all the drill downs, raw events, and information about what the particular user is doing or where the vulnerability started, all in the same dashboard.

It helps us reduce our mean time to resolve. Now, we can see all the incidents on a single dashboard and it could be assigned to the analysts at the same time on the incident review. People can start working on it right away, so it does reduce the mean time to respond.

Splunk's unified platform helps consolidate networking, security, IT, and IT observability tools. But our major focus or use case is more on the security side. We don't use observability, so we just use logs, matrices, and other security-related features.

Incident review is pretty valuable. You can have everything in one place, review it, and assign things to analysts, and they can work on it. 

We also have different teams segmented; it is not one team. So, we brought that using the teams method in Enterprise Security, which I think most people are not using. This way, different users have different dashboards or lists of incidents.

One thing is multi-tenancy, which is not currently not there. The concept of Enterprise Security assumes only one team using Splunk, but in many companies, including ours, that's not the case. We have multiple security teams operating under one umbrella, with different people using it for different smaller companies. If multi-tenancy could be incorporated, it would surely help us. 

We started with it last year. We integrated it last year, and the SOC team is now handling it. They're making it SIM compatible, introducing the first few use cases, and working with the data. 

So, we bought the license nearly a year ago, and started implementing it about six months ago.

Stability is there, but every release has some bugs. For example, in this release, indexes were down, searches were down, and the monitoring console wasn't working. So, it's a bit tough.

It's still being implemented, and a lot of work needs to be done. But, considering the pricing and everything, I would give it a seven out of ten. It does have a lot of use cases, but a lot of work has to be done beforehand. Our data wasn't totally SIEM compliant because we used prebuilt solutions and changed the data format.

We use Splunk Operator on Kubernetes, so it's not on-prem or Splunk Cloud. Customer support is not good at all.

For example, we upgraded the system on Saturday and raised an incident. With Operator, you can only raise a P3 incident, so we needed to escalate it and get the developers involved. Support cannot handle such cases. We always have to get the developers involved to get the issues fixed. This happened very recently. But it is very common; the support for Kubernetes is zero.  

The company didn't have a SIEM solution. It was more of SOAR, so we used FortiSIEM for that. We still use it. 

Setup is not that difficult. You just have to install the search head cluster and a normal app. Data normalization is the main thing required for Enterprise Security. SIEM compatibility is the most important thing. If it's not there, then it won't work.

The deployment of the solution is pretty simple, if your data is SIEM compliant. If not, then you need to make it SIEM compliant. Otherwise, you cannot use the solution.

We have a Splunk partner that helps us with integration and other stuff.

Pricing is a bit costly. It always is.

We considered a couple of other brands. We ran a couple of POCs with other enterprise tools.

Since we've been using Splunk for nearly four years, it was easier to incorporate Enterprise Security. We did try other SIEM solutions like Fortinet, but since Splunk was already there in place and had all of our normalized data, it made more sense to use Enterprise Security.

We use Splunk Enterprise Security to ensure the security of our endpoints, including corporate workstations, tracking proxy logs, and all of the other benefits that Splunk Enterprise Security brings, including observability and visibility into the environment.

We run Splunk Enterprise Security on a single search head, and it talks to about nine separate clusters. It's a hybrid environment of on-prem and AWS. Ideally, we will migrate that to a search head cluster for Enterprise Security for high availability. Then, in the upgrade process, we generally have about two hours of downtime when we upgrade Enterprise Security. Ideally, moving to the cluster environment will allow us to mitigate that entirely. So, we did some assessments earlier in the year. We've gotta do some finalized testing, but we're hoping that will eliminate almost the entire two hours of downtime for our customers when upgrading. Then, it's two hours from start to finish to get the search head back up, and that does not include backfill time or anything like that. It could be a good full workday. So getting that workday back is going to be very important for us, and that's where I think we're gonna end up evolving for the Enterprise Security environment.

One benefit we have seen using Splunk Enterprise Security is keeping it all integrated, so no jumping between tools during investigations is the biggest benefit from the analyst's perspective. When we're setting up an investigation, it allows them to use one tool versus having to compartmentalize all the tools together, link it together, document it, and ultimately end up in one spot. Using Enterprise Security as it allows for integrated tracking for the investigations.

It's very important that Splunk Enterprise Security provides end-to-end visibility into our environment because not seeing something is a potential risk to the business. Having that visibility also assures the business, all the way up to the C Suite level, that there is coverage. And if not, we at least have that identified as an uncovered portion.

As long as we can point the data into Splunk Enterprise Security, it is easy to identify security events across cloud, on-premise, and hybrid environments. Getting it into Splunk is typically the challenge because it needs to be in a usable format. So once I've got it properly shaped and tagged, the rest trickles down. Generally, there are a lot of good TAs for getting data into Splunk around the cloud providers. So we don't have to customize it as much. It's just about getting it implemented, going through the checklist, and doing our due diligence to make sure we have the coverage we need. We will see events as long as they're flowing into Splunk. Once it gets into the data models in Enterprise Security, it will show up.

As far as ingesting data, Splunk Enterprise Security specifically hasn't helped. We shape and normalize our data to meet Enterprise Security's needs. So, we did that as a preemptive during our initial assessment. What does it come in as? What do we want it to look like? How can Enterprise Security more optimally use it? Will it hit the data models? Will it show up? Things like that. So, a lot of that is already there before Enterprise Security, but then using the data is where Enterprise Security shines. It makes the data more usable across all data sources. We don't have to know what to look for in each data type. We could go to the data model and view it.

We've increased our alert volume a little bit, not in a bad way, but getting new detections. The risk-based alerting has decreased. So what is happening elsewhere in the environment correlates with that event, and those risks are bubbling up to the top, whereas somebody getting locked out isn't as important as an account takeover. It's hard to portray that image with one event, but a series of events on the timeline makes it a little easier.

Splunk Enterprise Security lets us know who owns what hardware, who should access it, and who shouldn't, more specifically, during an investigation or escalation path. So we know there's a problem. Who do we talk to next to start that process and up the chain? We have a lot of that in there as well, which helps.

Splunk Enterprise Security has generally helped reduce our meantime to resolve. How much is hard to say because it depends on the investigation's scope and scale. It does help the analysts get a clearer picture of what's happening everywhere in the environment. 

Enterprise Security will automatically correlate those events for us. When an analyst gets assigned to that investigation, it becomes looking at the picture and putting the puzzle together versus having to go through a threat hunt or find those indicators and then identify the account lockouts and takeovers. It's already in one pane of glass, and then that gets us to the meantime to resolution quicker. 

It has decreased our mean time to detection, especially for the high critical alerts. When we leverage that risk-based alerting, we can say, alright, multiple events have now happened to propagate this into a larger event instead of trying to correlate that as an individual or a team of analysts. Ad hoc is going to always be slower than automatic. Doing it in the back end means my analysts get there and get the job done quicker.

Splunk Enterprise Security has helped with our organization's resilience. We generally use observability metrics to determine the state of the hardware and the status of the environment at the time, so that has been a good point. It's definitely made us more resilient to figure out what happened post-incident and on what time scale and then go back and try to either remediate or mitigate that wherever possible. The historical context is just as valuable as their live real-time learning context.

The most valuable feature of Splunk Enterprise Security is the threat intelligence integration because essentially having to go out and correlate all the data on our own becomes convoluted. We don't have the resources, so having that included in the product makes it easier for us.

For us, the area that Splunk Enterprise Security can improve is performance optimization. Enterprise Security is so critical that right now, we're working on getting it to a clustered state to have high availability. The challenge there is hardware procurement and utilization. It's very resource-intensive. A type of performance optimization would generally be a huge improvement.

I have been using Splunk Enterprise Security for six years.

Splunk Enterprise Security seems stable to me. I haven't seen many issues, so I'm looking to try and test the latest version.

Scalability is a mixed bag. So, when we first started Enterprise Security, they told us not to cluster it. Now they're recommending we cluster it. We haven't gone down that road yet. I am looking forward to it. But if they say it can scale, they have customers that have done it. We gotta go through the growing pains of implementing it, rolling it out, and making sure it's ready to go. I think it's possible, but I have no formal experience yet. I am looking forward to it.

We started in Splunk, used it historically, and saw the product's value. It becomes the other data that would not be allowed for business reasons. How can we leverage that to provide value for the business? I know a lot about searchability this year, such as trace logs and metrics. These are generally good, but some trace stacks can be a lot of ingestion against our license. If we could put that in somewhere, that would not be as cost-effective, ideally. The trade-off is performance. Splunk is very performant. It does its job well. It's just a little pricey for the non-business critical logs.

The deployment is generally good. We must stand up the search heads, get them ready, tie them into the index clusters, and then deploy. Generally, we don't expose anything to the customers until it's production-ready. So deploying it was just getting it out there and built, doing some finalized testing to make sure it's ready to be used by the end customer. 

We implemented Splunk Enterprise Security ourselves. Through Splunk, we've engaged some professional services to ensure that our plan of attack is moving in the right direction. Professional services have also provided a lot of guidance.

We have seen a return on investment with Splunk Enterprise Security. Getting that holistic view. Splunk gives us a better picture of what's going on in our environment. Without it, we would have to go hunt for it. It's like Google searching for logs. It's easy, and everybody uses Google. So it's time-tested in the market. It's just about how much data we can get in, how we're storing it, retention, pulling it back, and what goes with that associated.

While Splunk offers generous developer licenses and obtaining annual licenses is straightforward, the cost is a major consideration. As open-source competitors become more sophisticated, Splunk will need to address this pricing issue in the future.

We have not used other SIEM tools in the past, but we are evaluating other tools. We don't want to migrate away from Splunk. We want to replicate it at a larger scale for non-security-based data, such as application and developer data. Anything they want to throw in and search is fine. But at Splunk's current cost, it is generally very expensive to do non-business-critical logs in that environment.

I would rate Splunk Enterprise Security eight out of ten. Things that could be better would be further integrations into other security tools. I know a series of threat intelligence feeds can be integrated, and I'm sure they are slated. It's just a matter of getting the resources to integrate them.  Splunk Enterprise Security is a solid product. I run it in my home lab as well. It's generally one of the better Splunk apps.

We use Splunk Enterprise Security to monitor our environment.

The threat intelligence and monitoring of Splunk are good. 

We have integrated Splunk Enterprise Security with ServiceNow so whenever there is a detection it will automatically raise a ticket and send it to the appropriate team for analysis. The integration was seamless.

Splunk has helped reduce our alert volume by 20 percent and sped up our security investigations.

It does a good job detecting threats fast.

Splunk's reporting functionality would benefit from enhanced customization capabilities, allowing users to tailor reports to their specific needs for better data visualization and analysis.

I have been using Splunk Enterprise Security for one and a half years.

Splunk Enterprise Security is stable.

Splunk Enterprise Security is scalable.

The initial deployment was straightforward.

Splunk Enterprise Security is expensive.

I would rate Splunk Enterprise Security ten out of ten.

For reporting we don't use the Splunk dashboard, we use Tableau and Power BI.

I would recommend Splunk to others.

While Splunk Enterprise Security offers robust features for large organizations, its cost might be prohibitive for smaller businesses. To address this, I recommend exploring open-source SIEM solutions for small and medium organizations and Splunk for larger organizations.

I utilize Splunk Enterprise Security to gather logs, and subsequently, I provide the team with access to the servers through a change management ticket or incident. I wasn't involved in the installation process during my tenure as a Windows server lead. I also verify whether all our actions adhere to the compliance framework.

Our deployment of Splunk Enterprise Security was all on-premises.

The visibility that Splunk Enterprise Security provides is beneficial and valuable.

Splunk Enterprise Security helped analyze malicious activities.

With Splunk Enterprise Security we were able to detect threats faster.

Splunk Enterprise Security contributed to a reduction in alert volume as our employees became aware of being monitored and ceased accessing the server without proper authorization.

Splunk Enterprise Security has significantly accelerated our security investigations by centralizing all log data and enabling us to quickly retrieve the necessary information through simple queries.

The most valuable features are the logs, which allow us to identify what happened and who interacted with the web repository.

Some of the queries are difficult to run and have room for improvement.

I am currently using Splunk Enterprise Security. 

I would rate the stability of Splunk Enterprise Security ten out of ten. We have never had an issue with stability.

Splunk Enterprise Security is scalable.

Splunk Enterprise Security's resilience is a valuable asset.

Organizations seeking a more affordable solution should first carefully evaluate their specific business requirements. While cheaper alternatives exist, they may lack the necessary features to adequately address their security needs. In such cases, Splunk Enterprise Security could be a more suitable option.

Splunk Enterprise Security is a worthwhile investment given the comprehensive range of features it offers.

I would rate Splunk Enterprise Security eight out of ten.

I recommend Splunk Enterprise Security.

I have worked in a couple of areas of Splunk. Initially, I was part of a monitoring team that used it for security information. I used to monitor security alerts which we used to get on Splunk, which was based on the use cases and we set up specific rules for it. Currently, I am part of the administration of Splunk. Now I onboard different log sources to Splunk. We pass over the logs so that it can be used for the security team.

It helps with security and making sure our infrastructure is compliant. It also allows reporting to be in one centralized location. We can monitor the security logs effectively. It really helps as a cybersecurity element for the company infrastructure to protect us from attacks.

It is quite reliable in terms of data. We have a good amount of licenses currently and find it to be very flexible. It can handle and pull up any amount of data.

Splunk is very fast and user-friendly as well. The UI and design is user friendly. It is easy to understand. 

We can do a lot of things on Splunk. We can integrate a lot of other applications on Splunk. And that can be used for day-to-day security operations. It is easy to use, easy to implement, and it is fast. It is reliable.

Our organization monitors multiple cloud environments. We monitor all the infrastructure and cloud environments of clients.

It is easy to monitor multiple cloud environments with Splunk. You have to get clients onboarded to Splunk first, and then the monitoring part comes last. We have a couple of things that have to be done before the security team starts monitoring. For example, we install the agents and set up the hosting. We get the data from the host, we pass it. It is quite a lengthy process. It is easy, however, we have to do it very carefully and cautiously.

Splunk Enterprise Security provides visibility into different environments.

The solution's insider threat detection capabilities for helping our organization find unknown threats or anomalies in behavior are good. We have multiple security frameworks. For example, we have micro frameworks. There are different sets of rules. We set it. What Splunk does internally is just match the incoming logs. Based on the rules that we have set, it will match with the incoming logs. If it matches, then it will generate alerts for the security team. Based on that, we can identify if there is a potential threat trying to get into the company or internal infrastructure. 

The actionable intelligence provided in Splunk Enterprise Security is good. 

It will help us to automate things and can handle certain items on its own. It will just investigate, remediate, and close the necessary alert. If it is beyond Splunk's capability, then an investigation team will be involved in it. 

I have used the threat topology and attack framework feature, however, now I am more of an administrator.

Splunk Enterprise Security is good for analyzing malicious activities and detecting breaches. There are a couple of other tools as well, which do the same thing. However, with Splunk, it's very easy to work with the dashboard and do search queries. You can easily look through the logs via Splunk UI.

The solution helped reduce our alert volume. It will just minimize the false alerts, and just post positive alerts. It's likely reduced false alerts by 60%. A lot is automated now and that helps cut down on manual work.

The solution has helped to speed up our security investigations. Once again, the automation will speed up the process of investigation. It saves a lot of time for analysts as it allows them to see the initial data. If a team has multiple alerts, it will take them time to go through and check everything. However, Splunk does the initial investigation for analysts and will escalate to analysts as needed. It might have reduced security investigations by 80% compared to earlier versions. 

When we do a rollout from the server or host or anything, we'd like to see more automation. It would save us time. We wouldn't have to write anything. We would just like the raw log automation.

I've been using the solution for three years now. 

It is a stable product.

There are two types of users: the administrators and then the users where the logs are coming from. We have about ten to 15 administrators working directly with Splunk. Overall, there may be more than 1,000 end users we get logs from.

The solution is scalable. In terms of data, it's very flexible. 

Technical support is good.

Positive

I've used other solutions in the past. We previously used
ArcSight Enterprise Security Manager (ESM). It was older and very slow. Comparatively, Splunk is very fast and it has a better UI.

The initial setup was easy. It was not complex. I didn't do the implementation on my own. The deployment times vary. There are many moving parts, such as approvals that need to be taken into consideration. 

We get logs from various sources from various clients.

It does require a bit of maintenance. It requires, for example, server upgrades and patching. 

I can't comment on pricing. I don't take care of that aspect. 

I'm a customer and end-user.

I'd recommend the solution to others and invite them to test the service first on the infrastructure they have. It's a very valuable product to have.

I'd rate the solution nine out of ten.