Splunk Enterprise Security Reviews

Our technical teams are demoing various enterprise tools to develop experience and knowledge so we can better serve our clients. In addition to Splunk, we are evaluating IBM QRadar and one other solution. One of our customers is asking about the Splunk MSP model.

Splunk allows us to customize processing and dashboards, which helps us take care of our customers' needs. Splunk is costly, but it's better than other products. It speeds up security investigations. It helps us detect threats faster. Everything is faster. The only part that's lagging is the management. Otherwise, Splunk is good. It took about a month to realize the solution's benefits. 

We get few alerts except for the other solutions we have integrated with Splunk. We'll monitor those alerts and support their customers, but we don't have any other mechanisms for databases or something outside of the infrastructure. 

Splunk enables us to customize dashboards and queries, and we can add multiple admin users. We only use the essential parts, including the MITRE ATT&CK framework capabilities. Organizations share threat information under the MITRE ATT&CK framework. We do threat hunting and marketing based on that.

We do manual threat hunting. We get all the IP addresses and check the threat databases to determine if it's malicious. 

The algorithms and alerts could be improved. I would also like to pre-build use cases. We need to create the algorithm based on our use cases. 

The threat management part is still lagging. There are some gaps in threat management. Other vendors have built-in threat management systems, but Splunk lacks the threat management component in its portal. The UEBA and everything else is perfect, but it lacks a unified threat intelligence and management feature. 

We've also had problems integrating the solution. We get multiple errors, like search log errors, UI errors, etc., and performance issues. It's fine with basic content, but if we're dealing with multiple data sources and 30 GB of data, it cannot handle the load. Our customer is indexing around 10 GB of data daily, and I can't search the log without getting errors. 

Splunk Enterprise is stable. 

Splunk Enterprise is highly scalable. 

We haven't had to contact Splunk support because we can find all the answers we need online. 

We also use IBM QRadar.

Deploying Splunk is straightforward. We had no issues. 

Splunk is more expensive than most solutions, but it offers lots of value. If a customer wants the cheapest solution, we'll use that.

I rate Splunk Enterprise Security an eight out of ten. I would give it a ten if it had built-in threat management. 

We primarily use the solution for monitoring, intrusion detection, and prevention. It is mostly a lot of security and network and server monitoring.

It automated the way we look at intrusion detection and prevention. It automatically picks up intrusion attempts within our environment.

The monitoring and the security functionality are the most valuable aspects of the solution.

It is easy to set up.

It is very scalable. 

You can basically make it do whatever you want, from log management and monitoring security, intrusion detection, prevention, and linking to your antivirus to report to it. Having kind of a single point where everything feeds in and create dashboards however you like is useful and works with how many ever systems you want in that dashboard.

I've not come across any areas that need improvement.

I'd like to see more integration with more antivirus systems.

We've used the solution for roughly, one year and a half years.

The solution is highly scalable.

We have four people that use the solution and they were split between infrastructure and security.

We don't have a plan to increase usage as we're almost at capacity with our servers, for our purposes. I don't think we're going to scale it as we're using everything we can from anything we need. However, it's intensely used for security purposes.

Technical support is perfect.

Positive

The initial setup was straightforward. It was done by Splunk entirely. After that, the configuration took a bit of time, however, we bought professional service days from them to help us build the configuration.

The full deployment took about five months due to the fact that we have quite a lot of servers.

I'd rate the experience a five out of five in terms of ease of execution. 

The amount of people you require for deployment and maintenance depends on the complexity of the environment. It can be run and managed by a single person if the environment is not highly complex. If you're talking about probably less than 200 servers, and a couple of network endpoints, one person can manage it easily after it's been configured. Otherwise, I wouldn't be able to say. In more complex environments where you've got several geographical locations, several data centers in geographical locations, and so on, you'd probably need more than one.

Splunk handled the implementation. It was a joint effort between them bringing the knowledge and us doing the actual work.

It's a great investment, especially if you want to strengthen your security stance.

It's yearly a yearly license on a three-year contract. On a three-year contract, you get a discount basically - rather than putting it on a rolling yearly contract.

On pricing, if I base it on the functionality of the system out of the box, I would rate it five out of five.

They have several prepackaged modules you can purchase. For example, for the security type, they have Security Enterprise, with the default products getting security essentials. With Infrastructure, the same. We've got an ITOps enterprise, which again, is payable on top of the standard license. 

It's pretty much how much you can actually build in-house. The difference between AT&T, LogRhythm, and Splunk, while AT&T and LogRhythm are pretty out of the box (it's click and configure), Splunk is highly configurable. 

You can make it do whatever you want to, as long as you know how to edit the configuration files. What ITOps and Security Enterprise do, instead of you having to build all that from the ground up, so the dashboards, the logic behind it, the configuration files, and so on, become prepackaged and pre-installed.

We did test AT&T and LogRhythm as well. We chose this solution as a balance between cost and functionality.

AT&T was a great security tool, however, it lacked a lot of the infrastructure things that Splunk does, in terms of server monitoring and network monitoring. LogRhythm did have a dose, however, at a very prohibitive price. It was almost twice the cost of Splunk.

We've got a version of Splunk Cloud. I'm not sure of which version.

I'd advise users to get more professional service days. You get five professional service days with the product, when you buy the license, usually. Definitely get at least ten more.

You need to have some strategy before. You definitely need a strategy. Before you do your PS days, definitely have a look at your strategy and make sure you've arranged your questions rather diligently. Based on how you think you're going to use the system, where you are where you want to be, just box them into separate parts - security, infrastructure, and monitoring. It's going to make life a lot easier when you talk to consultants as the consultants are very, very knowledgeable. However, you need to ask the right questions.

I'd rate the solution ten out of ten.

It's the mainstay of our monitoring solutions that we have for auto-logging, et cetera, for our enterprise solution.

The most valuable aspect of the solution is the ability to capture the different data streams. We also appreciate the reporting in that aspect of Splunk. If we can grow now, with any security arena, it's going to be proactive, not reactive. It allows us to digest the information, the data, the different data streams, so we can make decisions based upon information that we receive, and it is pretty robust.

The configuration could be better.

We would like to see improved pricing, however, I'm kind of out of that arena. I make suggestions based upon the flexibility with which we serve our customer base, which is millions of our veterans. I would say that if someone was not familiar with it, one of the things that I've heard is that it's kind of hard for them to understand the whole thing. Splunk is just one piece to the puzzle. It's not the whole puzzle. It's kind of not the solution's fault, in that sense. That said, if it could be more accessible to people with different skillsets, that would be ideal.

We'd like to see reporting where there's a way that we can get a higher description without being too technical, for example, where it's kind of more of an executive-level of technical.

I've personally been using the solution for over ten years. At this point, it's been more than a decade. I've used it for a while now. 

We're partners and end-users. We don't have a business relationship with Splunk.

We use the latest version. I'm not hands-on. I'm called the architect, however, we do use the latest version as that's a part of our configuration management framework, that all of our applications - especially in security - are up-to-date with the latest and greatest updates, bells, and whistles. We use both public and private clouds.

In terms of creating the solution, for what we do from an enterprise standpoint, everything from monitoring to data capture to reporting, we would rate it at a nine out of ten.

We use the solution in our SOC to support SOAR. We use its alerting capabilities and integrate them with our SOAR platform. Additionally, we tie it in with cyber threat intelligence, cyber threat hunting, and adversary emulation tools to identify gaps in our environment and alert us to notable events.

The tool drastically reduces SOC overhead. Its integration with our tool suite is great and helps us correlate events. The solution is also a lot faster than our standalone instances. 

Splunk Enterprise Security helps address our customers' missions. We want to ensure that our environment is secure and safe and detects anomalies and threat actors as soon as possible. 

The solution helps my organization's ability to ingest and normalize data. It has also improved resilience.  

Enterprise Security is expensive. 

I have been working with the product for three years. 

Splunk Enterprise Security is very stable. 

The tool is very scalable. We can deploy agents seamlessly and get reports. 

We have had good success with customer support. We haven't had any issues contacting them and getting problems resolved. 

Splunk Enterprise Security's deployment is hit or miss. Recently, we got UBA. We were able to spin up an environment easily with Terraform. However, the recent upgrade caused many hiccups and slowdowns. We are working with support to resolve them. Some legacy code is choking the system and slowing us. 

We do market evaluation and continuous research every year to check for alternatives to our security tools. 

It seems like the tool is improving. It incorporates AI into the platform to streamline event identification processes. 

Splunk Enterprise Security does a good job. However, we need many analysts to correlate searches and populate data models, and some overheads are needed in any SOC environment. 

We have a lot of data to process from different sources. However, we have only limited data analysts. It takes time to find malicious threats or what we seek. 

No specific metrics are tracked, but we report this to our leadership weekly, focusing on continuous improvement. Regarding reducing the mean time to resolve, especially with our SOAR integration, we can swiftly address major issues by leveraging alerts to initiate tickets. This allows us to notify the teams and address issues immediately. 

I rate the overall product a ten out of ten. I don't think there is another alternative with similar capabilities. 

We use Splunk Enterprise Security to monitor our environment.

The threat intelligence and monitoring of Splunk are good. 

We have integrated Splunk Enterprise Security with ServiceNow so whenever there is a detection it will automatically raise a ticket and send it to the appropriate team for analysis. The integration was seamless.

Splunk has helped reduce our alert volume by 20 percent and sped up our security investigations.

It does a good job detecting threats fast.

Splunk's reporting functionality would benefit from enhanced customization capabilities, allowing users to tailor reports to their specific needs for better data visualization and analysis.

I have been using Splunk Enterprise Security for one and a half years.

Splunk Enterprise Security is stable.

Splunk Enterprise Security is scalable.

The initial deployment was straightforward.

Splunk Enterprise Security is expensive.

I would rate Splunk Enterprise Security ten out of ten.

For reporting we don't use the Splunk dashboard, we use Tableau and Power BI.

I would recommend Splunk to others.

While Splunk Enterprise Security offers robust features for large organizations, its cost might be prohibitive for smaller businesses. To address this, I recommend exploring open-source SIEM solutions for small and medium organizations and Splunk for larger organizations.

The solution is used to detect and protect against threats using a hypervisor infrastructure that works with artificial intelligence. 

There are a lot of third-party applications that can be installed. You get a lot of good visibility on your infrastructure regarding risk. It's very data-driven, and it integrates into systems well. 

We are able to monitor multiple cloud environments with Splunk. Each data source has different stuff that requires monthly payments. 

I have used its threat intelligence management function. It can be a very useful feature for customers. 

The MITRE ATT&CK framework is helpful for helping uncover the scope of incidents. It offers a good level of simplicity.

Splunk Enterprise Security is great for analyzing malicious activities and detecting breaches.

It's costly. 

The data speed between apps could be improved. It could be faster. 

I've been using the solution for 2 years.

The stability is mostly fine. 

I haven't attempted to scale the solution. I'm not 100% sure of how well it scales. 

The technical support is very good. They also offer a lot of basic resources. 

Positive

I'm also familiar with Microsoft Sentinel, and I find Splunk to be better. That said, although I have more experience with Splunk software, I find it a bit slow. Sentinel is much faster. 

The setup is pretty straightforward. It's not overly complicated. I don't have too much experience with the setup, as I'm currently involved as a consultant and only help with support. 

The cost is very high. It's got a fairly high price point in terms of price range. 

I work in cybersecurity consultation. 

I'd recommend the product to others. I'd rate the solution overall 9 out of 10. 

I utilize Splunk Enterprise Security to gather logs, and subsequently, I provide the team with access to the servers through a change management ticket or incident. I wasn't involved in the installation process during my tenure as a Windows server lead. I also verify whether all our actions adhere to the compliance framework.

Our deployment of Splunk Enterprise Security was all on-premises.

The visibility that Splunk Enterprise Security provides is beneficial and valuable.

Splunk Enterprise Security helped analyze malicious activities.

With Splunk Enterprise Security we were able to detect threats faster.

Splunk Enterprise Security contributed to a reduction in alert volume as our employees became aware of being monitored and ceased accessing the server without proper authorization.

Splunk Enterprise Security has significantly accelerated our security investigations by centralizing all log data and enabling us to quickly retrieve the necessary information through simple queries.

The most valuable features are the logs, which allow us to identify what happened and who interacted with the web repository.

Some of the queries are difficult to run and have room for improvement.

I am currently using Splunk Enterprise Security. 

I would rate the stability of Splunk Enterprise Security ten out of ten. We have never had an issue with stability.

Splunk Enterprise Security is scalable.

Splunk Enterprise Security's resilience is a valuable asset.

Organizations seeking a more affordable solution should first carefully evaluate their specific business requirements. While cheaper alternatives exist, they may lack the necessary features to adequately address their security needs. In such cases, Splunk Enterprise Security could be a more suitable option.

Splunk Enterprise Security is a worthwhile investment given the comprehensive range of features it offers.

I would rate Splunk Enterprise Security eight out of ten.

I recommend Splunk Enterprise Security.

I utilize Splunk Enterprise Security to create alerts within various use cases, including data onboarding, gap analysis, and business testing. I ensure that the use cases adhere to the defined criteria and address any changes or requirements raised by the client. Additionally, I handle any necessary backend modifications in Splunk by deploying code to appropriate environments, including the production environment.

We implemented Splunk Enterprise Security to capture more effective alerts. We create alerts to utilize advanced filtering capabilities. Additionally, we employ Sentinel as our endpoint security application. I have created all instances of the query as intended and have mapped them to Splunk. However, the corresponding alert is not being generated. These are the areas that require attention.

My expertise lies in Splunk Cloud and Azure. While I have worked with AWS in the past for a short period, my current focus is on GCP and Splunk Cloud. My responsibilities involve troubleshooting, alert verification, and key generation. Based on specific requirements, I employ my self-generated queries to identify the relevant fields, such as email or location. Next, I implement lookup conditions and pinpoint the table containing the desired field type. This process allows me to determine the specific requirement of the use case and define the search parameters accordingly. Finally, I conduct a time-bound search to identify any defects.

I deploy to Splunk Cloud, GCP, and on-premises environments. I have experience working with both platforms. When working on the cloud, we don't have the same level of visibility as we do on-premises. For example, we cannot directly access the fraud department systems. In the cloud, we must make all changes and deployments through the Splunk UI. This is relatively straightforward, as there is no backend to manage. However, it requires a thorough understanding of the configuration files and the data fields we need to modify.

We manage multiple cloud environments, including Splunk Cloud and GCP. Splunk Enterprise Security dashboards make it easy to monitor these environments seamlessly. We have a single user interface that allows us to log in to our account instantly and check for any issues, such as Data Collection Processor errors. This unified UI also provides access to the back end of both Splunk Cloud and GCP instances, eliminating the need to switch between different platforms. Whether we need to manage Splunk Cloud or GCP settings, we can do so directly from the UI, which is easy.

Splunk offers comprehensive visibility into our IT infrastructure. The only challenge lies in managing multiple user accounts. We need to create separate accounts for the UI, production environment, and staging environment. Additionally, if we have a DCP or a system cloud, we need to create corresponding accounts. Once that is done we can log in and use it.

Regarding Splunk Enterprise Security's insider threat detection capabilities, we receive an alert for every new case creation. If there is a high likelihood of a specific alert occurring, we have a corresponding use case in place to address it. We also receive soft tickets, which are potential alerts that may materialize in the future. These soft tickets are documented in Jira, and we continuously monitor them. By analyzing these alerts, we can identify potential issues. For instance, this morning, we received an alert for a new case with a missing application name. The interaction table contains the destination user account, process ID, process name, OS, and other relevant information, but the application name field is blank. We investigate this particular use case to determine the cause and timing of the alert. Since we are receiving the alert slightly earlier than expected, we consult the ticket for further details and substitute any missing information.

I have utilized the MITRE ATT&CK framework when the use case pertains to a specific data model. To comprehend the data model, we examine the processes involved or the fields that a particular tool utilizes. To achieve this understanding, we align the MITRE ATT&CK framework with the data modules. Subsequently, we extract the field name and field value. When dealing with ranges and incident changes, we must input the corresponding MITRE ATT&CK ID. This involves determining the tech ID and identifying the ID values associated with it.

Using Splunk Enterprise Security to analyze malicious activities and detect breaches is an efficient approach. When testing a use case, it's not necessary to manually enter the application name as it's provided automatically. Since the requirement is for SSO, we need to verify whether it's LDAP, Splunk Cloud, or AWS. Occasionally, irrelevant results may appear during data ingestion. We test for subscription-related issues and analyze the results. This testing process provides insights into the circumstances that trigger specific alerts. Malicious activities will undoubtedly be detected, and all our requirements will be met. Alerts are generated whenever unusual timeframes or activities occur. Various filtering criteria allow us to identify and capture specific user IDs or patterns within events. This capability proves to be highly beneficial.

The speed at which Splunk Enterprise Security detects threats could always be faster but it is designed to detect threats quickly. It uses various techniques, including queries, to identify and analyze potential threats. This allows it to produce faster search results than traditional methods, enabling us to locate the information we need more efficiently. While I cannot provide an exact percentage of how much faster it is, it is undoubtedly significantly faster. It can process thousands of events, ranging from twenty thousand to thirty thousand, in a very short period.

I've gained valuable knowledge from having to troubleshoot various situations. For instance, I've learned that the SIM needs to be flipped to use the new applications. Additionally, I've discovered that the error limit for event results should be increased beyond 10,000 because the source type values have increased significantly. This ensures that alerts are received even when there are large volumes of data. Furthermore, I've learned that some clients have different index limit requirements. Some clients require a seven-day index limit due to licensing restrictions or data ingestion considerations. Those who have the larger license opt for a 15 or 30-day index limit. In these cases, the large amount of data generated can necessitate a 1TB or higher index size limit. These learning experiences have been invaluable in my work, and I'm constantly encountering new scenarios that expand my knowledge base.

Splunk Enterprise Security has helped speed up our security investigations. 

The best part of Splunk Enterprise Security is its customizable settings. We can modify the front-end interface, data sources, and various other aspects to suit our specific needs. This flexibility makes it extremely user-friendly and convenient.

Apart from its customizable settings, Splunk Enterprise Security also offers a range of other advantages. It enables us to easily analyze logs, use field queries, and perform other tasks without requiring any extensive training. The search function is intuitive and straightforward, making it accessible to anyone.

The UI-based reporting dashboard is another highlight of Splunk Enterprise Security. It provides real-time visibility into important metrics and allows us to drill down into specific events for in-depth analysis.

Splunk Enterprise Security has not helped reduce our alert volume. We need to separate a few of the alerts, and if there is a time based on the priority, we put the time at what time it needs to appear every day or for seven days or more days. If an alert is present or if something is triggering, then it will be detected. However, the number of alerts that can be handled effectively depends on the specific use case. For each result that is affecting the system or for any specific issue, only those particular alerts should be generated. We can define a timer and determine how often checks should be performed. For example, weekly checks may be sufficient in some cases. However, if there are hundreds of alerts generated in a week, it may not be possible to handle them all effectively. Testing must be conducted to filter out unnecessary alerts. Therefore, clear boundaries must be defined in the use case when creating alerts.

The price for Splunk Enterprise Security is high and has room for improvement.

I have been using Splunk Enterprise Security for two years.

Splunk Enterprise Security is an extremely stable product.

Splunk is compatible with a wide range of other products and is not constrained by specific configurations. Whether it's a single-sided or multi-sided cluster, whether it's used by a single team or multiple teams across different program locations, Splunk is flexible and adaptable. Data recovery is also a key feature, ensuring that data is never lost. This is one of Splunk's most significant advantages. Multiple indexes are maintained to safeguard data integrity, so even if one index fails, the data remains accessible to all users at all times.

Splunk Enterprise Security is scalable.

Comparing SentinelOne and Splunk, we've found that SentinelOne requires a thorough understanding of our processes, including their business context, process names, and all relevant conditions. In contrast, Splunk is more forgiving, allowing us time to learn and adapt. Additionally, SentinelOne's pricing structure can be more complex compared to Splunk's straightforward approach.

While Splunk offers ease of use, better visibility, and intuitive management, SentinelOne demands more technical expertise to implement and maintain. Splunk, on the other hand, provides granular control over event filtering, enabling us to retrieve detailed information based on specific criteria, such as Linux or Windows events. SentinelOne, however, may not provide the same level of precision, requiring more precise query formulation.

The initial deployment is straightforward. We only require the name and the value, and the process is very quick. We were already using GitHub, GitLab, and GitPass, so integration with Splunk was seamless. Splunk is compatible with all of these applications, which makes it a good fit for our needs. We are also using ServiceNow, and Splunk communicates seamlessly with it to raise tickets. The overall deployment time is minimal. One person can manage the deployment process, and I have completed 18 deployments myself. Each deployment takes one day to finish.

The cost is on the high end, which makes it difficult for some organizations to use. However, the benefits outweigh the cost.

I would rate Splunk Enterprise Security eight out of ten. While I have not explored all aspects of Splunk, I have found Splunk Enterprise Security to be a useful and reliable tool in the areas I have used. 

Splunk is deployed in one location. On our team that works on the SIM development team, we have 28 people who use Splunk Enterprise Security.

Splunk Enterprise Security necessitates ongoing maintenance. Tuning tickets are available, so we perform the necessary tuning, and if there is an outdated ticket, we make the required changes. I addressed a ticket from 2018 that required tuning. They requested certain additions, such as authentication or a new index, and maintenance is performed to incorporate these new features.

In multi-cluster environments, maintenance can be performed from different locations simultaneously. This feature is very convenient and allows for flexible maintenance scheduling.

I recommend Splunk Enterprise Security because it is a comprehensive solution for enterprise security. I'm currently working on the SIEM component, but the SIM is also available. Splunk offers various ways to search and configure, making it very easy to use, even without prior knowledge. We can seamlessly integrate Splunk into our existing workflows.