Splunk Enterprise Security Reviews

We use the solution to build correlation searches around insider threats and exultation of data. We also use it for DLP (data loss prevention) and to get more visibility on what's happening in our environment that could increase risk.

The solution's data aggregation has allowed our organization to unify a lot of inputs from various tools in one space and to be able to search from there.

The solution's most valuable feature is risk-based alerting, focusing on building out user risks for individuals throughout the enterprise.

It is important to our organization's security that Splunk Enterprise Security provides end-to-end visibility into our environment.

Splunk Enterprise Security's ability to find any security event across multi-cloud, on-premises, or hybrid environments is good. It's more about how you configure it and how well your company is equipped to provide and allocate resources to make the best use of the tool.

It has helped reduce our mean time to resolve.

The tool should include more real-world use case examples built out either through videos or in the community. These should not just be examples of how it can be implemented but of how previous solutions have been transitioned to new solutions and how they provide a different and better approach.

I have been using Splunk Enterprise Security for one to three years.

Splunk Enterprise Security is a very stable solution.

The solution’s scalability is based on the cost.

Splunk Enterprise Security is just a tool you can use, and then it's really up to the customer how they leverage it best.

Overall, I rate the solution a six out of ten.

We use it for alerting. It also helps our analysts triage.

It is our bread and butter and our day-to-day tool for the SOC. Besides alerting, just being able to do research and look through various logs to gather context around the alerts has been super valuable.

It is critical to us that Splunk Enterprise Security provides end-to-end visibility. The place that you cannot see is from where you are going to get attacked.

We have a hybrid cloud environment with AWS and Azure. I am pretty confident in its ability to help us find any security event across our environment. We have put in time to feed Splunk Enterprise Security the data that we want to look at.

I am pretty happy with its ability to ingest data. When it comes to normalizing, my company could improve on that a little because we need to do more tuning of some of the data that we are ingesting. That is not much of an issue with Splunk Enterprise Security. That is more of an issue with how we are using it. We need to possibly do a little bit better in terms of how we utilize this tool.

I am pretty confident in its ability to identify and solve problems in real-time. If it has the data and you implement it properly, it will tell you what is wrong.

With risk-based alerting, we are now getting the right context for investigations. It definitely helps and speeds up the investigation. With risk-based alerting, I can see the chain of events. I can see what caused this to occur. I do not have a percentage, but I know my analysts are not getting the alerts that they have not completed by the end of the shift. Previously, that was not the case, so I am pretty pleased.

Splunk Enterprise Security has helped improve our organization’s business resilience.

Splunk Enterprise Security helps to identify and solve problems in real-time, but I do not know if it can also predict the problems in real-time.

I am enjoying our implementation of risk-based alerting. That has helped very much with cutting out a lot of the noise that we have. It has reduced our alert volume significantly. There is about an 80% reduction.

I do not like the pricing model. It is expensive.

I have been using Splunk Enterprise Security for about five years.

I have not had issues with its stability.

It is pretty scalable. It also depends on what you are ingesting, but it does a good job with our data.

I do not use the support that often. Normally, when I am looking for help, I just search on the web. If I am trying to build something and I do not remember the command, it is pretty easy to find.

I have used logging solutions. I find Splunk easier to use than other solutions such as LogStack.

With any such tool, the alert quality that you will get is based on the data that you are feeding it. If you are parsing logs and doing a good job with that, the outcome is good.

I did not deploy this instance, but I deployed it in my last company. It was not as bad as I thought. It was comparable to some of the other product rollouts in the environment.

It is expensive, but it is a good tool.

It is worth the cost. I have worked with organizations that did not want to invest in a security tool. I am glad that we are taking security a little more seriously in this organization.

I would rate Splunk Enterprise Security a ten out of ten. I enjoy it. I like it.

When we identify a threat in the environment, we try to track down whether it has moved from one system to another or there is any lateral movement. When we are trying to figure out how it got started and where it came from, we use Splunk to identify those logs. Palo Alto is our biggest index for the firewall, and we can look into those logs, see the relevant data, and correlate it into something that makes sense, so we can track down the problem.

For the most part, it makes it easier to read the index data. Instead of trying to look through an individual index, all the logs, and other aspects, it brings everything to one area. I can look at the relevant data that I need to identify the threat.

Splunk Enterprise Security has helped reduce our mean time to resolve. I do not have the metrics, but I know it is faster compared to the old way of doing it. Previously, we had to go through Windows logs and security logs. We had to go through each log to figure out what happened. I can pull all of the information way faster with Splunk Enterprise Security. I can look at multiple systems.

Splunk's unified platform has helped consolidate networking, security, and IT observability tools.

Splunk Enterprise Security brings all the logs into one central location to look at the relevant data and filter out the things I do not use. We are able to see the logs of multiple systems, the logs of the firewall, and the logs of the DNS and the Windows servers. It is able to bring all of that together and give a nice, solid picture of what is happening. We can read those logs faster.

Splunk Enterprise Security provides end-to-end visibility into the environment. It is very important for our organization to be able to see the threats, understand the threats, and figure out how to stop those threats. That is the importance of it. We are a casino. After what happened last year with two casinos in terms of hacking, we want to be able to stop that from happening to us. We learned a lot of lessons from what happened to the other two casino properties, and we applied them to a lot of our tools. Splunk Enterprise Security gives us a heads-up a lot faster.

Splunk Enterprise Security helped improve our organization’s business resilience.

Its alerting is most valuable. We have alerts set up in our environment for certain attacks, such as an SQL injection attempt. We have a front-facing server for the website. It is out there, and anybody can access it. When those SQL injection attempts come in, we can detect that with the alert. We get the alert in our mailbox, so we can start looking at it right away. Generally, with a SQL injection attempt, there is way more to it than just the SQL injection. There could be another 15 or 20 different types of attacks attempted during the injection. They are just trying to see if there is any vulnerability, and then they can take a shot at it.

I do not have any pain points for Splunk Enterprise Security. I am still trying to learn it, but there can be more information on the education side for Splunk Enterprise Security. It would be nice if the certification path was more specific to what I use instead of being so broad.

I have been using Splunk Enterprise Security for about six months.

Besides the forwarder, it is nice. The forwarder ran out of space, so it occasionally has to be rebooted to clear out the space that is being utilized.

We have 50 gigs of data.

I never really had to use professional services. For the most part, everybody is knowledgeable and patient, and there is a decent amount of communication back and forth.

I would rate their support an eight out of ten. My biggest issue right now has not been solved yet. Our heavy forwarder ran out of space. It is a VM. By using vCenter, we presented more space to the drive, but we could not get the VM or the Linux OS to allocate the new space. So far, nobody has been able to help us fix that. The current solution is to just upgrade it. We are not in a position to upgrade it right now because of the workload.

Positive

I changed my career last year to InfoSec. I was in IT before that. With IT, if there is a problem with the system, we just look at the logs. With Splunk, it is nice to be able to have it all centralized in my location where I can look at the data relatively fast as opposed to a line-by-line.

I was not involved in its setup. We have a bit of a hybrid setup. We have an on-prem data center and then we also have a cloud. We have Azure Cloud.

I would say that we have seen an ROI, but I do not know the numbers.

I would rate Splunk Enterprise Security a ten out of ten.

I use the solution for data analysis and log collection. 

Splunk Enterprise Security helps with advanced reports and keeps the system scalable and flexible. It provides a clear picture of the current status of any incidents. As a CISO, I see a lot of potential for future innovation, which is interesting. I've noticed better performance, especially with the reports.

Splunk Enterprise Security can provide more details and help CISOs resolve vulnerability situations better. The reason is that the tools we choose for data analysis and log collection cannot collect all the data and logs. Splunk Enterprise Security should help me with this, but it cannot.

I have been working with the product for four years. 

Splunk Enterprise Security's stability is very good. The system consistently performs well, and we don't encounter many issues. Ticketing problems are minimal, which is significant because it handles a lot of logs and data persistently without causing frustration.

The tool's customer support is good. 

Positive

We chose Splunk Enterprise Security because it was simple and had better data analysis capabilities. 

A reseller helped us with the deployment. 

The tool's licensing is good and we haven't received any complaints from the team handling it. 

I haven't used it for multi-cloud environments. As for on-premise, it's meeting my current needs quite well. When it comes to identifying and solving problems in real time, sometimes it's challenging to understand the situation, and generating reports can be difficult. But overall, it's good for monitoring activities like endpoint and authentication incidents and normalizing.

The solution has helped us reduce alerts by five to ten percent. It processes data and allows us to look back at incidents to see what happened and where they occurred.

I rate the overall product a nine out of ten. 

At a high level, its use cases are related to security monitoring, log aggregation, and a little bit of analysis related to incidents or fraud.

Splunk Enterprise Security has created better visibility for us on the cybersecurity type of events and issues. We are still maturing, but where we have seen some growth is getting better data, knowing what data to look at, and how to understand that data.

It has end-to-end visibility into our cloud-native environment. This is extremely important for us because of the type of business we do. We have a lot of PII data and a lot of compliance data on which we have to maintain very tight controls, so it is extremely important that we are able to put that in the cloud and monitor and watch our environment very closely.

It has reduced our mean time to resolve, but we are still maturing. We have got a lot of maturing to do. We have got a lot of growing to do. We have also been limited on the staff to be able to get the full realization of what we can get out of it yet, so that is a place where we are continuing to grow.

It has improved our business resilience. We have been able to identify things that could have presented a larger problem for us financially or legally through various events. We have been able to leverage the data there. We have been able to maintain that data and support that data. It does the job. It meets the needs.

Splunk has not helped to predict problems in real time because we have not yet matured to that place, but we need to. Generally, it has been helpful, but we know that we have got a lot of growing up there. We still have not got everything identified and captured in the space we want to be able to do better analysis.

Its ability to provide business resilience by empowering our staff is really high. Empowerment is great, but we have a resource problem, so we have not quite realized where we could be. 

We monitor multi-cloud environments. We have three of them. It is difficult to monitor them currently with Splunk. We are living in a highly regulated stack and a very little regulated stack and the ability to get a single pane of glass for all of that is very difficult.

Integration with the cloud is pretty important and good for us. We found the integration with a lot of tools, not all tools yet, valuable. It does make the transfer of data, log files, and other things easier for us.

Its pricing is extremely high. There are other tools out in the market that are competitive. They do not necessarily have all the functionality, but they are competitive. The professional services we have used have been high as well in comparison to the market.

In terms of scalability, it is hard to forecast where you are going. There is room to improve there.

I have been using this solution for about five or six years.

I would rate it eight out of ten in terms of stability. Where there has been ambiguity for me is that I recently had system stability issues that were beyond my control. They were part of my solution, and I was not aware that Splunk was accountable for it. It got quickly resolved, but there was a gap there that created pain for my business.

We have not had any issues. We also have not had any detriment, but it is hard to forecast based on where you are going from a business perspective, at least with the models and the account teams that I have been working with. There is room to improve there. 

It has been a rocky road. I have been through a road where I have had limited to little engagement or support. I am on the cusp of a large turnaround, meeting with my client team and dialoguing through it. Based on the history, I would probably rate their sales support a four out of ten. Going forward, I would rate their sales support an eight out of ten. They are in the right direction. I would rate their technical support a nine out of ten.

Positive

We have been using the same solution for five or six years. It was selected before I joined, so I do not know.

I joined after it was implemented. What I am working on now is the technical depth. I am spending a lot of time with the teams there for direction strategy. Splunk has done a great job there, specifically in pulling the right resources to bear. I had executive briefings directly with executives today where we had an opportunity to talk about different components of our solutions and our stacks, and it has been very good.

We are in a growth state right now. We have seen an ROI, but anticipating any point in the future is a little difficult, so it is a mixed response. Our scale is not quite clearly defined to be able to put it to a metric or to tie it back to consumption use. There is a little bit of autonomy in there to over-adjust and still find that we can true-up in a better space. That has been good for us, but if you let that run away from you, then you start to get in trouble. 

We have not seen any cost-efficiency. We have seen our usage and needs grow, so we have seen Splunk go up in cost for us. We have not quite realized any efficiencies yet. It is also indicative of our maturity model.

The licensing is good, but the pricing absolutely needs some work. It is very high. One thing that they put in a contract, but they do not emphasize it enough is true-ups on usage based on the quarterly consumption. They do not follow that methodology. They let a customer use, use, and use, and then at some point, a true-up occurs, and it is a large cost. There is an opportunity to do a quarterly track type of true-ups as per the agreements out there. That would put them in a position where customers are able to plan on, forecast around, and work through volume adjustments that may occur in their environment. 

The other place where Splunk could spend time is the scale-up and scale-down model. Scale-up is easy where you get more business, and it is easy to add more capacity, whether it is storage or SVUs, but when you need to scale down because of a change in a business, it does put customers in a position where they are locked in, and there is no way to maneuver around that. 

We do an evaluation annually. It is important for us to do a market comparison and make sure we are looking at options in our work. What makes Splunk Enterprise Security competitive is the variabilities that they bring to the table for the overall solution. It has things like APIs that you can tie into. There is also the bonus functionality of being able to do analytics there. User behavior analytics is important for us.

I would rate Splunk Enterprise Security an eight out of ten.

We use it mostly to generate notables, and then we can use other tools, such as ticketing systems or other SOAR platforms, to investigate.

I was not around before we had Splunk Enterprise Security in our organization, so I do not know about the before and after, but I can tell it would be very painful to not have it. 

It is pretty easy to monitor multiple cloud environments. All the logs from our cloud environments go to Splunk, and then we can search everything at once. It is pretty helpful.

Splunk Enterprise Security has end-to-end visibility into our cloud-native environments. It is pretty important. Especially if you use it as your single source of truth, it is pretty invaluable that you have everything in there.

It has reduced our mean time to detect, so inadvertently, it has also reduced our mean time to resolve. However, I do not have the metrics.

Splunk Enterprise Security has definitely improved our organization’s business resilience. There are a lot of logs that help with monitoring and alerting and keeping the business up.

It can help to predict, identify, and solve problems in real time. We do have some health alerts, and if they kick off, we might be able to fix something before it is really broken. In that sense, it is good.

Splunk Enterprise Security has been pretty good in terms of providing business resilience by empowering our staff. Most of our users are security-focused, but having everybody with the ability to write their own searches or build upon what we already have for detection of the future things is pretty helpful.

The correlation search functions that generate all the notables are valuable. That can get pretty complicated, and it handles that pretty well.

Some of the search functions can be better. There has been a lot of talk at the conference about the update of SPL before each iteration. That will be a lot of help. 

I have been using Splunk Enterprise Security for about two years.

It is pretty stable. We have not had any instances where Splunk just completely died. Its stability is good.

It seems pretty scalable, especially considering how much data we ingest. It is a good tool.

I have not interacted with them recently, but they are pretty good when I do need something from Splunk. I would rate them a ten out of ten. I have not had any issues with their support.

Positive

We were probably using Elasticsearch.

It was already implemented when I got here.

We have probably seen an ROI. We are in the security space, and there has definitely been improvement in uptime and the mean time to detect and respond to security alerts.

Its time to value is pretty immediate. The more logs and the more standardization that we get into Splunk, the quicker that comes.

Most people share the same thought that the ingestion rates can get pretty pricey. There is a lot of work we do to curate the data that we send to Splunk so that it is not too noisy or too expensive.

Overall, I would rate Splunk Enterprise Security an eight out of ten. There are some cool things. A lot of the talks at this Splunk conference have touched on some of the gaps that Splunk is working to close, but it is a very solid tool. 

Our primary use case is for cyber security, tracking logs, and incident response.

I haven't had the chance to properly sink my teeth into Enterprise Security but so far I like that they added the MITRE ATT&CK features. 

This feature helps us know how to plan when we have an incident, know where to look, what to look for, and aspects like that. 

The MITRE ATT&CK planning is valuable. When we see those incidents and those logs, having the information right there speeds up the process a bit.

We did not have a SIEM at the time, so we added Enterprise Security as our SIEM. We're hoping to learn more about it and grow as we progress.

They wanted us to do basic training, which was offered to our organization for free. That was great. However, ours is a cybersecurity focus. The training was mostly sales-focused, like how to monitor your sales. It was hard to then come back from doing the training and try to switch it to a cybersecurity focus because all the training we did was sales oriented. The basic training didn't really touch on any kind of cybersecurity use cases or anything like that. That would have been great to see in the training.

We upgraded to Enterprise Security a year ago but have been using general Splunk for longer. 

Stability-wise, despite these issues, it's been solid. I haven't had any issues with access to it or anything like that. The only issue we did have was with the engineer. After informing him of those issues, he went back and tweaked them, and then everything worked fine. 

It seems pretty scalable. Our network isn't extremely large, so I don't think scalability will be an issue in our case, but I definitely see the opportunity to scale if needed.

We have around 8,000 devices, so it's a fairly small network. It's across several different networks.

I have not used support yet mainly because I haven't delved into it as much because of the issues with our initial integration with our engineer not being so trained. 

We have different contractors and they have other solutions. Some of those solutions included Elastic. We want to use Splunk and our contractors want to use Elastic. We're hoping .conf23 will broaden our imagination, so we'll have more to bring back and push towards just using Splunk only.

I have not used Elastic myself. It does sound like it does a lot. There's a lot that Splunk offers that we haven't actually used. I want to play with Mission Control. We only use Enterprise Security but I do want Mission Control where everything is in one centralized application where you don't have to jump to different applications. 

I would love to get Mission Control.

My engineer had a little bit of an issue with it but it was because of his own lack of training. We were pushed to hurry up and get a SIEM. He did the best he could. I let him know what wasn't working, and then he would try to fix what he could on the backend so it could work. He was in talks with Splunk to fix those issues. The results are coming back a bit better, but I think that there is still room for improvement.

I was not involved with the setup. I came in afterward. One of our guys here was the one that was in the initial integration of Splunk. We ended up with Splunk as our main SIEM. I've never had any issues with it and I enjoyed it. 

We will see cost efficiencies mainly just from saving time and the shortened time and response to those incidents that we see. The fact that everything's organized in one application, we should see a bit of an increase in efficiency.

I do see the possibility and the opportunity to increase the meantime to resolution by a lot. We use several different applications to monitor logs. We have the vision. 

I've seen some of the updates and changes like Splunk AI and Splunk Vision Control that look nice. I didn't manage to get on some of the hands-on, which would have been lovely. I would like to get more ideas on how we can integrate Splunk into our networks. 

I would rate Splunk Enterprise Security a nine out of ten. I see the opportunity and I'm hoping with our engineer that we can get to where we can make the best use of Splunk. It really seems great. A lot of our staff here were all ready to use it. We're just hoping our engineer can get to the place where we can actually make use of it. 

The biggest value I get from attending a Splunk conference is being able to see the updates, changes, the features they're adding, the Splunk AI, and Splunk Vision Control. That's been nice. I am looking forward to some of the sessions. I want to get more ideas on how we can integrate Splunk into our networks and things like that, especially focusing on cybersecurity. I would also like to see some of the stock sessions because it's a brand new stock. We're trying to stand it up. Seeing how they're using it for stocks would be great.

The primary use case is security and data analytics. In general, we manage and maintain it for our customers.

Application-wise, it's good. Searching and reporting of data analytics is also fine. The dashboard presentations are also a good feature. Overall, its functionality is great and that's why we use it.

I would like additional support for custom add-ons, as well as cloud integration. Right now we have concerns because we have to customize applications for direct integration. But on-prem, it is all functional. We have to build it on our own. Previously, they developed custom connectors or add-ons for a lot of applications. But that number can be upgraded still. There are a lot of applications in the world that are not supported.

I have been using Splunk Enterprise Security for over two years. I received Splunk certification six years ago.

The stability of the functionality is good, but there are still bugs that keep hindering things. I am waiting but they are there and that is quite common. I think they have not yet been resolved from the older versions. The stability is a seven-plus out of 10.

It's scalable for all environments. Splunk Cloud can be scaled to a small or medium company, depending on their inputs or log resources. Businesses at the high end of medium-sized, and large companies, can go with the on-prem solution.

The technical support is good. 

However, there is a lot of delay nowadays. The last time we raised a case, it took quite a long for them to come back with their first response. That's not for a P1 or P2, but if it is a P3, they don't respond at the earliest. When they respond, it is quite late and we have to ask again. The first response is never an answer. It's always a query.

Still, the people I have worked with there are all an eight-plus out of 10.

Positive

It can be deployed on-prem or in the cloud. With the latter, it is Splunk's own cloud. 

The deployment of the solution is straightforward, but there is a lot of engineering activity involved in designing the architecture. Architecture-wise, it is fine, and bringing things together is not that tough, but maintaining and managing it is a tough job because we don't work in a normal environment. We work on something that is very defined to the network. That means we have to build everything from scratch and deploy it.

The implementation strategy depends on how the customer wants things done. But in general, I go through research and then develop and design. I ask the client what sort of environment is flexible or cost-effective for them. It's done in stages. It's a matter of understanding the infrastructure and then implementing,  or designing and handing it over to them.

If there are 1,000 log sources, it takes six months to a year to deploy, depending on how the customer is supporting the process.

Every on-prem solution involves maintenance, including keeping things upgraded, whereas Splunk Cloud is managed by the vendor. The number of people involved in on-prem maintenance depends on the size of the environment and how long our update window is. For example, if we have a green zone at midnight for three hours, and we want to upgrade at least 20 to 30 servers, it will take eight to 10 people working in parallel. But for a very small environment of 10 servers, it will take four people to manage it, or if we have a large window, even three people can do it.

We do it ourselves.

The pricing depends on the bandwidth of an organization and is good compared to some SIEM tools. IBM, for example, is quite costly. But Microsoft Sentinel is notably cheaper. I have seen a lot of organizations running on Sentinel.

IBM is for quite large organizations that don't want to have their data on the cloud. Splunk has both on-prem and cloud modules and, cost-wise, Splunk is better. Internally, we cannot push everything to the cloud. That would become too expensive for us. So we have it sitting in our data center and that is good.

I have worked with a number of other solutions including RSA enVision, IBM QRadar, as well as Microsoft, McAfee, and LogRhythm. 

If we want to build an add-on feature in Splunk, we have to build an application and then integrate it. But in other applications, there is a direct integration that only requires partial development and it will start functioning.

Also, there is something called correlation in a lot of other tools. Splunk also has it but it consumes a lot of memory. If we tag all the data, it is better, but tagging consumes storage and it makes it a little tough for us to run a search. 

If we want to work towards SOAR, if there were a little bit more integration so that our customers could taste SOAR, they could then move to Splunk Phantom or other tools. Right now, people are not using automation. Everything is done manually. Hopefully, that's the next goal. Security operations will surely use SOAR and, once they start tasting it, they'll get to know how it works. They can design playbooks and start using it. That's an additional feature I would like Splunk to bring in. 

Splunk's advantage is its search capability. Its search is notably faster. With Splunk, I can search easily on keywords. That is great. It also has something called "stats" and it runs much faster. Within minutes, it gives the data from a very large set. Spunk's dashboards are also a very good thing. No other application or tool is as versatile in presenting the dashboard. It all comes down to presentation. It may take a little bit of engineering work to develop and customize, to parse the fields and fetch the data, but the presentation is good.