Splunk Enterprise Security Reviews

We primarily use the solution for monitoring our infrastructure.

The models that we use are pretty mature at this point, which means we can be assured we are given the best use cases right out of the box.

We can just plug into the applications and everything is set up. There's very little configuration necessary.

The integrations that are offered with different tools are all very good. They offer integrations for all levels of security and have offerings from some of the other major solutions in the space.

The initial setup is pretty straightforward.

Over the years, I know they've been doing what they can to continue to add integration capabilities to their solution. If they continue to do that, that would be ideal. However, beyond that, there really aren't any features that I find to be lacking in any part of the solution.

On-premises scaling of the solution is a bit more limited than it is on the cloud.

The pricing of the solution needs to be a bit lower.

It would be ideal if the hardware could meet more universal global regulatory requirements. It would be great it the solution better aligned with global standards.

I've been working with the solution for three to four years at this point.

In terms of the cloud, scalability is very straightforward. It's just about as expansive as we want to go. When it comes to an on-premise deployment, there might be some scalability limitations. We've found we just have to cut hard on the resources as it does a lot of processing. Whereas the cloud is easy and has very little limitation, I'd advise others that on-premise may have some difficulties. 

On-premises, it's definitely on the customer to ensure they have the right plates. If they're concerned and they need 100% scalability, it's best to be on the cloud.

Technical support is very good. They know their product and they are responsive to requests. We're satisfied with the level of service provided to us.

We didn't have any issues with the initial setup. It's not too complex. We found the process to be very straightforward and very simple.

While I do understand that it is a premium tool, they could work to make it a bit less in terms of cost. It's a bit expensive.

We use a mixture of public and private cloud deployments.

I would definitely recommend the solution, having seen it work for others so well. Its ease of usage and its man integrations make it a great product. The way you can access whatever you need on the solution is very similar to a Google bar where you can search for anything you need. It's just a super quick responsive, product.

Overall, I would rate it a perfect ten out of ten. We have no complaints.

Our primary use case was really as a client organization, like the government and the IT industries, we are in the telecoms sector. We analyze security reports. We use Splunk to order them and put them in a system and we use the various kinds of integration with Oracle Cloud which is helpful.

Every tool has a drawback. Some aspects of this solution are secure but getting clean data from the cloud takes time. Looking towards the future, I'm looking for a tool that is the most secure in the cloud environment. 

It's very flexible. If you look from the cloud implementation it is there. Reports are made quickly. Unlike other tools, it caters to all kinds of technical information on the front very easily. There's no need to put in any technical information. You can pull up the reports very easily, take action, and notify stakeholders.

I would like to see them develop integration with the help of a rack rest API. Which is an API that helps to secure communication with oracle cloud and pull down records from there.

This integration is currently missing in current version of splunk. I'm looking forward to see this feature getting implemented  in next version of Splunk and so that organizations can get benefit of this  feature in future.

Stability is very good. 

Scalability is good. It's scalable enough. You can play around with this tool. Scalability is one of the main criteria we look for when considering solutions. 

The setup depends on the organization. It is very simple here. You can easily install all of the businesses in the company network. Previously, it was suggested that this solution is not flexible enough. It does not give us permission to implement on-premise so we implement them on the cloud. 

We also looked at HP ArcSight and two other solutions. 

I would rate this solution a nine out of ten. I rated it a nine because every tool will have its drawbacks but ultimately it's a very good tool in comparison to HP ArcSight. If we can add on a scalability feature it would significantly improve the solution. 

I would advise someone considering this solution to use it at least for a year to get a hands-on and technical understanding because it's a good product. Then decide whether or not to move forward with Splunk - but I would advise to stick with Splunk. 

We use it for logging, essentially for auditing and troubleshooting errors in production and finding out what happened.

I have used the product personally for five years and at my current company for a year and a half.

I haven't had any problems with it so far.

There are a lot of plugins to integrate this. The client site login is pretty extensible and probably cost-effective. Plus, it is easy to configure.

I would like some additional AI capabilities to provide additional information about things going wrong and things going well.

It is very stable. We have not had any problems. 

We had to upgrade when it was on-premise, but then we went to cloud version, which is very good.

It is pretty scalability, even though we have a lot of logs. It runs well.

I assume that the pricing is reasonable, because if it was too costly, there are other alternatives. However, with some of the other solutions, you have to spend time on them and manage them yourself. It might also take you three times to get it right. So, Splunk may be more costly upfront, but in the long run, it saves on time and man-hours.

I would consider ELK Kibana a competitor for this solution. If you have time, and you want to do it yourself, you can save a little money going with Kibana. However, Splunk is pretty good and I would recommend an enterprise to switch to Splunk.

Our primary use cases are for detection and remediation.

The benefits we've seen from Splunk is that we can promote it to our customers. The second benefit is that it works. It does what it's purported to do, and the support is more than adequate. 

The most valuable feature is that it brings all of the components necessary to identify, analyze, and respond together.

It's pretty important that Splunk provides end-to-end visibility into your environment. As in any product that one purchases to fulfill a function, we want to recognize where it came in, who it affected, and what the challenges are that need to be met in order to resolve something, both immediately and also to make sure that it doesn't replicate in the future. Splunk does a good job of being able to do the former half. Dealing with issues requires tier-three support and above and it takes time. You can work through it with the help of your vendor team.

I would rate them an eight out of ten. It's not so much the problem of the application itself, although there are always improvements that can be done. There are a lot of moving parts that need to be added in and if you don't have the information that you need, especially within identity and inventory, then that can be an added challenge when you have to start making imprints based on what you do know.

Splunk Enterprise Security provides us with the relevant context to help guide our investigations. There are a number of different standards that can be presented, which is beneficial. Some customers like to have the information that they receive in one format. The driving factor is that when you work with federal customers, some of them want it in one format. The response will be in one format as opposed to another. 

Splunk has helped to improve my company's business resilience. It's an active component in ensuring that we are vigilant against intrusion and detecting it.

Splunk is such a large product. Allowing it to be more easily used by people who have not had a lot of training on it would be an improvement. That's something that they're accomplishing with their current version, although I haven't had an opportunity to learn much about it. With AI capabilities coming on board, a lot of that will alleviate the minutiae that people need to know in order to resolve problems as they come up.

Splunk's ability to predict, identify, and solve problems in real-time is a work in progress.

I have been using Splunk Enterprise Security for the past four years.

Aside from the fact that it can be a resource hog, I'm satisfied with the stability. I don't have too many problems except for a few occasions when we have a threat intelligence file blow up a drive because there's not enough room. It might be because a complete configuration has not been implemented. 

I like the fact that it can be tweaked, but a lot of the various configurations for how long data is held or how long particular components of investigation are held. 

I encourage users to use the vendor management team and cultivate a relationship with them. I have worked with companies who had support that I would rate 11 out of 10. I would rate Splunk an eight out of ten because as any large growing company, they have challenges with keeping the talent necessary, who are not only educated to evaluate a problem and pass it on or solve it themselves.

Positive

The largest challenge with the setup is that it has so many different components. The environment that we're in is a multi-tenant. Enterprise Security with all of its components is huge. If you're using something like a deployment server you can't break it up. It makes it rather unwieldy. I'm sure that there are workarounds that have not been implemented in-house.

Splunk provides more than the people who pay for it realize. I had a few exercises in presenting ROI and benefit-cost analysis and I have been able to demonstrate where it has performed superior to other options.

I was deeply distressed when they went away from their perpetual license.

We evaluated Splunk's typical competitors. We went with Splunk because Splunk has the underlying capability of not only ingesting anything and storing it using their bloom filters and whatnot in order so that you can do sparse and large searches relatively quickly. It also has a wonderful presentation layer, which can basically plug into many other systems. I find Splunk to be a veritable Swiss Grey knife of capabilities.

I would rate Splunk Enterprise Security an eight out of ten because there's always room for improvement and because it can be difficult to learn.

Our primary use case is for security audit log collection correlation. We wanted something that the security team could focus on versus going directly into our enterprise. We had some initial use cases to supplement our IT ops security into one product. We had a SIEM but not one that was as customizable as Splunk Enterprise Security.

The out-of-the-box capabilities that Enterprise Security offers were very helpful. We're not using it anymore because it was almost overkill. We have shifted to go back to just the core functionality. We were inundated with the amount of alerts and alarms that we could get out of it. It is also a resource hog and we didn't have the resources to support it on-prem so we're taking it offline now.

We saw the granularity that we could get from Splunk far exceeded what we already had. We had the ability to have our security team really focus on the platform and stay within the platform, but they could correlate with a variety of other stakeholders, and our stakeholders were growing. So we tried to get ahead of that and filter it in to create customizable KPIs for those user groups versus having a one-size-fits-all approach. That unique was very helpful for us to expand upon. The driving force is resources, and we were lacking those.

We use it to monitor multiple clouds. We weren't leveraging it for all of our clouds, but we have a presence in GCP, AWS, and Azure. The unity and uniformity across all of it would have been great but at that stage, we were only using it for on-prem coverage. We would like to go ahead and understand how we can implement it as a cloud solution as we are increasing our daily footprint too. We weren't really prepared to understand the workflows we already had in the CSPs or the new integrations of data lakes at a warehouse that were and are still being built out to get Enterprise Security to function off of that too. We hadn't gotten to that stage.

A lot of what we were doing was done manually in terms of vulnerability and remediation and is still being done manually now. Evolving to a stage where the alerts weren't inundating our customers and getting familiar with the product would have helped us perhaps get a bit more functionality and usability out of it. We are seeing some value out of Enterprise Security and think we can get similar results elsewhere. I think that down the road, as our understanding gets better of how we want framework requirements, Enterprise Security could come back into the picture.

I have been using Splunk Enterprise Security for around twelve months.

Stability had its drawbacks because of how much it consumes. We had to justify whether or not it was worth keeping it up. The decision was to not keep up with it.

We are only on-prem so we do manual scaling. We don't have the elasticity that we would have in the cloud which limited us. Justifiably, in order to scale up the platform, we would have to go through procurements and more hardware, which was not an option. So we were limited, and we knew that. We had done pilots and buildout but a hardware refresh cycle was coming up, we had to justify whether or not it was in the cards.

I've been working with Splunk for several years now, and I've always found them very responsive and supportive in a variety of technologies around core functionality like Enterprise Security and ITSI. 

I would rate them an eight out of ten. They have a strong team through and through from the pre-presales all the way through architectural changes and shifts that we need to do to address the customer.

Positive

We've had numerous implementations of SIEM solutions over the years. Splunk offered a lot of capabilities on top of some of our old antiquated Sentinel and Azure. We had many other products before we pursued Enterprise Security. But we weren't in a position to really go down the Enterprise Security route because we hadn't quite fleshed out what our end goal was.

We're still in the evaluation stages. Looking at Enterprise Security, given the fact that we already have an investment in Splunk, it makes sense. We would like to see it grow beyond just Enterprise Security to more of not just observability, but pro actions to utilize the source of that nature. 

We had great success potentially going into a SOAR from Enterprise Security. We hadn't quite evolved to that point yet. At this stage, it's just not really in our pipeline to pursue Enterprise Security until we get a better understanding of our requirements.

Refining those playbooks and so forth also is going to take time. We have customers who have categorically unique requirements. From a security standpoint, one group's security requirements are going to be different from some of the other teams that we have. We are trying to find that uniformity across the board. We may have to entertain multiple security solutions to meet their needs.

My role was to support a lot of the backend and the configuration of the platform as it was being established.

The level of difficulty was on par with the Splunk Enterprise core. My team was involved with a lot of the provisioning from the virtual environment and on-prem to support it. It wasn't overly complicated. Once it was up it took a lot of resources. Evaluating and seeing whether or not we could actually move it to the cloud when the core functionality still existed on-prem, we weren't willing to split them at this stage.

We would almost always have Splunk support through the deployment and configuration stages of it. It was always solid. Once we had the platform up and running, we had to consider general operations and maintenance. While the Splunk team was great and the resources are available, there is a finite amount of resources on-site.

Splunk is not cheap. That's definitely a consideration as we look at other products.

We haven't seen much time to value using the solution system but it wasn't necessarily a fault of the product. It was the cycles to maintain it and support it, to make sure it's growing correctly. We hadn't gotten to that stage. Our ROI and TCO, given the fact that its footprint is being looked at because of what it takes to maintain it in terms of resources. We have the core platform, and then we have a growing license. We're looking at how we can efficiently use Enterprise Security. It's just not there at this point.

I would rate Splunk Enterprise Security an eight out of ten. I think the rating has the potential to be higher. If we had time to flesh it out and vet some of the core capabilities of Enterprise Security and how it could benefit us over the core. Getting to that stage requires a lot more customer engagement on our side that we weren't really prepared to do because of budgetary constraints, hardware refresh cycles, and so forth. Overall, we dropped the product not necessarily because of a lack of capability, it was more along the lines that the timing wasn't appropriate for our security teams.

The biggest value I get from attending a Splunk conference is knowledge transfer. I work in the public so it's valuable having a lot of conversations with fellow colleagues who are in the public sector and hearing their hurdles. We don't want to reinvent the wheel every time, and we don't want to hit obstacles that could have been lessons learned. The conference is a really good opportunity to see what's new, what's out there, and how it can blend in with our current architecture and designs. It also helps to understand what's not going to work to be able to get ahead of it before questions come up. We can properly equip our customers and answer their questions. The Splunk conference is a good brain dump.

The network department, for example, has improved its efficiency by 30%. Security relies on this for event correlation and alerts.

• The speed of the search engine

• All the types of data sources that you configure can be forwarded to Splunk.
• The ease-of-use

Cluster management can only be done via a command line. I would like them to add some GUI options for that. Permissions are not very flexible, so it would be nice to have more granular options, such as double factor authentication.

The administration of the cluster and app deployment to indexers or search
heads can be done only using ssh access and command line, there is no GUI
tools for that.

Permissions in the other hand could be improved by adding for example the
deny option to groups to see and index, etc. Also the authentication method
is just LDAP or spkunk, so some more security layers could be added as
second factor, etc

It is very stable.

It scales out horizontally.

The quality of support depends on the support and license. On the average, I would give them a rating of 6/10.

We previously used ArcSight. Splunk is at another level. It is easier, more stable, and faster.

It is very easy to set up on a standalone server. Of course, if you want a cluster, it is more complicated. In order to manage it, you need skilled people.

It is not cheap :-)

We were using ArcSight before.

My advice is to go ahead with it.

The administration of the cluster and app deployment to indexers or search
heads can be done only using ssh access and command line, there is no GUI
tools for that.

Permissions in the other hand could be improved by adding for example the
deny option to groups to see and index, etc. Also the authentication method
is just LDAP or spkunk, so some more security layers could be added as
second factor, etc

We use Splunk to monitor unusual user behaviors. For example, if any user onboards from a different domain, it will trigger an alert. We also get alerts and high traffic when the ADI server is down. Splunk will monitor that behavior or when users make repeated wrong login attempts.

My full-time job is managing the IAM product. Splunk is one of our security monitoring tools. Most of my work is on IAM tools like CyberArk and SailPoint, etc. 

Splunk manages all of our security and maintains a hundred percent availability. It improves business while securing the entire cloud environment. In terms of business, we don't need manual monitoring. It automatically monitors and notifies an administrator, so we can easily track and identify the particular issue. It saves our employees' time, and we can manage the environment without any impact on business service.

In the UK, hackers use automated software to make repeated login attempts. Splunk immediately identified these attempts and notified the admins, so the red team suddenly took action to block them.

It's nonstop monitoring that isn't affected by business hours. You don't need a manual administrator. Splunk will monitor everything, and a single administrator can monitor the alerts. Splunk will notify us if any unusual behavior happens, allowing us to take immediate action. There's no need for any further investigation and log analysis. It provides the exact result, what happened, and where it happened. 

Splunk helps us reduce alert volume. Whenever the same type of attack occurs repeatedly, we can change the environment and improve the security so the attack won't repeat. 

It speeds up our investigations through automation. Investigating manually takes a long time, and we sometimes cannot identify the exact issue. Splunk monitors the data and events, so we configured a range. If it triggers that area, it will provide the exact result. We can immediately identify and fix it. There's no need to investigate. It reduces the mean time to resolve by 80 percent. 

Splunk is user-friendly. We can easily customize the monitoring script. We support a multi-cloud environment covering Windows Server, AWS, and Google Cloud. We also use ForgeRock to monitor Linux machines. It sends us alerts when the disk size gets full. When an employee logs in from a different region, it triggers an alert. 

Splunk isn't appropriate for smaller companies. It's too expensive.

I have used Splunk for two years.

Splunk is a highly stable product. 

I rate Splunk nine out of 10. When we have any questions, we raise a ticket and they respond in two or three hours. 

Positive

Splunk provides the tenant, and we can directly integrate it into the cloud URL. For the hosting, we can deploy it to the EC2 instance. Splunk is integrated with Cypress, CyberArk, and Fastdesk. Splunk also supports SAML integration. Splunk is a SAML application, so we can use SAML protocol to enable it. 

I rate Splunk Enterprise Security nine out of 10. 

We use Splunk Enterprise Security for insider risk and security operations centers.

Splunk Enterprise Security primarily reduces our lead time for identifying risks and threats. Since a lot of the work is being outsourced or we depend on those new threat intelligence feeds, we're able to identify and triage them quicker. So, it leads to a quicker incident response.

The solution's most valuable feature is threat intelligence correlations. It's too hard to stay up-to-date on all the different data feeds yourself. So, having a tool that does it for you is very beneficial.

Splunk Enterprise Security has increased our alert volume because we now have new data to work with, and we're writing more alerts. We don't use the solution a lot for observability. Usually, our primary use case for Splunk Enterprise Security is cybersecurity.

It is extremely important to our organization that Splunk Enterprise Security provides end-to-end visibility into our environment. That's the primary reason we use it. We want the ability to do everything from one tool without having to trash back and forth and take that precious time.

Splunk Enterprise Security has helped reduce our mean time to resolve. We're at least twice as efficient with Splunk Enterprise Security at identifying risk, following up, tracing it throughout the chain, and resolving it. We still have various toolings, but over time, the goal is to nest everything into Splunk Enterprise Security to make it cohesive from end to end.

I'd love to see more integrations, which is one of the primary points of the key node with Splunk Enterprise Security. I would also like to see more admin capability to enable the health of Splunk Enterprise Security because, a lot of times, it's difficult to know when and why things are failing, especially for on-premises customers.

Splunk Cloud is a little clearer because it has more integrated support. For on-premises, it feels like sometimes you have to guess and then hope for the best. Troubleshooting some things related to Splunk Enterprise Security takes a lot of time.

I have been using Splunk Enterprise Security for five years.

The solution's clustering is great, but it could have easier containerization where it's more dynamic, and you can spin up and scale down as needed. Right now, Splunk is a very large expense for us as far as our cloud environment is concerned. Anything we can do to cut costs would be great.

Right now, we run the servers 24/7 and never change the size unless they're underpowered. We're spending a lot of money on off-hours to keep it alive, which is not ideal.

We've got a lot of experience on our team solving Splunk, but the few times we used Splunk's technical support, we found them to be very effective and efficient. Occasionally, we'll forget to respond to them, and they'll follow up with us, which is usually the opposite of what you see. So, I've got nothing but good things to say about Splunk support.

The solution's deployment was difficult because we were going through admin changes right as we were installing it. It took three admins over the course of five years to get it set up. I think if we had one dedicated admin from the start and kept them on the job until the job was done, we wouldn't have had nearly as much trouble.

We used a reseller to implement the solution.

We have seen a return on investment with the solution.

Splunk Enterprise Security is really strong, capable, and great at what it does. There are obvious areas of improvement, but it looks like Splunk has already identified them and is working on road maps to enhance SOAR integration and AI digital assistance for Splunk Enterprise Security. Once those are fully implemented, the product will further improve.

Overall, I rate the solution an eight out of ten.