Our primary use cases are for detection and remediation.
Architect at a tech consulting company with 10,001+ employees
Brings all of the components necessary to identify, analyze, and respond together
Pros and Cons
- "The most valuable feature is that it brings all of the components necessary to identify, analyze, and respond together."
- "Splunk is such a large product. Allowing it to be more easily used by people who have not had a lot of training on it would be an improvement."
What is our primary use case?
How has it helped my organization?
The benefits we've seen from Splunk are that we can promote it to our customers. The second benefit is that it works. It does what it's purported to do, and the support is more than adequate.
What is most valuable?
The most valuable feature is that it brings all of the components necessary to identify, analyze, and respond together.
It's pretty important that Splunk provides end-to-end visibility into your environment. As in any product that one purchases to fulfill a function, we want to recognize where it came in, who it affected, and what the challenges are that need to be met in order to resolve something, both immediately and also to make sure that it doesn't replicate in the future. Splunk does a good job of being able to do the former half. Dealing with issues requires tier-three support and above and it takes time. You can work through it with the help of your vendor team.
I would rate them an eight out of ten. It's not so much the problem of the application itself, although there are always improvements that can be done. There are a lot of moving parts that need to be added in and if you don't have the information that you need, especially within identity and inventory, then that can be an added challenge when you have to start making imprints based on what you do know.
Splunk Enterprise Security provides us with the relevant context to help guide our investigations. There are a number of different standards that can be presented, which is beneficial. Some customers like to have the information that they receive in one format. The driving factor is that when you work with federal customers, some of them want it in one format. The response will be in one format as opposed to another.
Splunk has helped to improve my company's business resilience. It's an active component in ensuring that we are vigilant against intrusion and detecting it.
What needs improvement?
Splunk is such a large product. Allowing it to be more easily used by people who have not had a lot of training on it would be an improvement. That's something that they're accomplishing with their current version, although I haven't had an opportunity to learn much about it. With AI capabilities coming on board, a lot of that will alleviate the minutiae that people need to know in order to resolve problems as they come up.
Splunk's ability to predict, identify, and solve problems in real-time is a work in progress.
Buyer's Guide
Splunk Enterprise Security
October 2024
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
815,854 professionals have used our research since 2012.
For how long have I used the solution?
I have been using Splunk Enterprise Security for the past four years.
What do I think about the stability of the solution?
Aside from the fact that it can be a resource hog, I'm satisfied with the stability. I don't have too many problems except for a few occasions when we have a threat intelligence file blow up a drive because there's not enough room. It might be because a complete configuration has not been implemented.
What do I think about the scalability of the solution?
I like the fact that it can be tweaked, but a lot of the various configurations for how long data is held or how long particular components of investigation are held.
How are customer service and support?
I encourage users to use the vendor management team and cultivate a relationship with them. I have worked with companies who had support that I would rate 11 out of 10. I would rate Splunk an eight out of ten because as any large growing company, they have challenges with keeping the talent necessary, who are not only educated to evaluate a problem and pass it on or solve it themselves.
How would you rate customer service and support?
Positive
How was the initial setup?
The largest challenge with the setup is that it has so many different components. The environment that we're in is multi-tenant. Enterprise Security with all of its components is huge. If you're using something like a deployment server you can't break it up. It makes it rather unwieldy. I'm sure that there are workarounds that have not been implemented in-house.
What was our ROI?
Splunk provides more than the people who pay for it realize. I had a few exercises in presenting ROI and benefit-cost analysis and I have been able to demonstrate where it has performed superior to other options.
What's my experience with pricing, setup cost, and licensing?
I was deeply distressed when they went away from their perpetual license.
Which other solutions did I evaluate?
We evaluated Splunk's typical competitors. We went with Splunk because Splunk has the underlying capability of not only ingesting anything and storing it using their bloom filters and whatnot so that you can do sparse and large searches relatively quickly. It also has a wonderful presentation layer, which can basically plug into many other systems. I find Splunk to be a veritable Swiss Army knife of capabilities.
What other advice do I have?
I would rate Splunk Enterprise Security an eight out of ten because there's always room for improvement and because it can be difficult to learn.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Last updated: Jul 12, 2024
Security Engineer at By Light Professional IT Services
Cost-effective, provides great visibility, and reduces workload
Pros and Cons
- "Being able to track impossible travel logins and things of that nature is valuable. We can track user logins from various IPs, various countries, and at various times to see if everything adds up."
- "My biggest struggle with Splunk in general is memorizing all the commands. If I want to know which users have logged in between certain hours, I cannot write that query out. It would be helpful to have AI so that I can explain in simple terms what I want and then the search gives that back to me. I am waiting for that."
What is our primary use case?
There is a lot that we monitor with it. We monitor outbound URLs. We monitor unusual traffic, unusual user logins, and excessive user logins. We monitor whether or not users are logging in from VPN or not, what IPs they are accessing, or whether a user is signing in from multiple IP addresses minus the VPN.
How has it helped my organization?
My organization was already using Splunk Enterprise Security when I was brought in, so I cannot say how it has improved the organization, but I can see that if they did not have Splunk Enterprise Security, there would be significantly more workload. They would definitely need more manpower. Splunk Enterprise Security definitely helps with a lot of the prebuilt dashboards and other things that come with it out of the box.
Splunk Enterprise Security has reduced our mean time to resolve by 50% to 75%.
What is most valuable?
Being able to track impossible travel logins and things of that nature is valuable. We can track user logins from various IPs, various countries, and at various times to see if everything adds up. We can check to see if it makes sense that someone logged in from China and in the US within an hour.
What needs improvement?
There is machine learning with Splunk Enterprise Security, and based on the keynotes at the Splunk conference, there is going to be some AI involved as well. My biggest struggle with Splunk, in general, is memorizing all the commands. If I want to know which users have logged in between certain hours, I cannot write that query out. It would be helpful to have AI so that I can explain in simple terms what I want and then the search gives that back to me. I am waiting for that. That is going to be my bread and butter because my big thing is that I just cannot remember all those commands.
If you have a dashboard that is too large with too many searches, it tends to get bogged down. If you create various different dashboards, you can bypass the issue of not having enough resources to load all the things you need to load.
For how long have I used the solution?
I was brought onto the team recently. They have been using it for about two years, so I am just catching up in learning as I go. All in all, my experience with Splunk and AWS is about ten months to a year.
What do I think about the scalability of the solution?
It is very scalable.
How are customer service and support?
I have not had to interact with Splunk support. Most of the issues that I ran into can be solved by reaching out to a team member.
Which solution did I use previously and why did I switch?
I have not used any other similar solution previously. Prior to working with Splunk, it was just basic IT administration work involving monitoring with different tools, such as Trellix FireEye. I am not sure how to compare them with Splunk.
How was the initial setup?
My organization had Splunk Enterprise Security before I got in.
What was our ROI?
I have not seen an ROI because I am not at level two, but I am sure my bosses have seen an ROI.
We have definitely seen a time to value in terms of being able to take what Splunk Enterprise gives us and view it. It gives us more information in an easier way versus us doing everything ourselves. That alone saves time. If we save one second a day over a year, we are going to save minutes, so these little bits of time add up.
What's my experience with pricing, setup cost, and licensing?
The price can always be lower, but it is fair at the moment.
The cost efficiencies depend on the licensing and how much data we are bringing in. We have a fairly large footprint, so it is cost-effective.
What other advice do I have?
Being at the Splunk conference and seeing all the ways in which Splunk can be used versus the way that I use Splunk is mind-blowing. It is a Pandora's box of tools. One of the things I saw today was manufacturing and the types of data that manufacturers can receive from Splunk within the technologies that they have. It is mind-blowing. Splunk is awesome.
Overall, I would rate Splunk Enterprise Security a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
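The impossible-travel check this reviewer describes (a user seen in China and in the US within an hour), as an added example that is neither Splunk's correlation search nor the reviewer's code: it takes consecutive successful logins per user, turns the time gap and great-circle distance into an implied travel speed, and flags anything faster than an airliner. The log line format, the geolocation table, the speed threshold and the VPN-egress allowlist (the "minus the VPN" point from the use-case section) are all assumptions constructed for this example.

```python
"""Impossible-travel detection over constructed login events.

Added illustration only: not Splunk's own logic and not the reviewer's code.
Log format, GEO table, MAX_PLAUSIBLE_KMH and the VPN allowlist are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed geolocation table: label -> (lat, lon). A real pipeline would
# resolve each source IP through a GeoIP database; these labels stand in
# for the output of that step.
GEO = {
    "US-NYC": (40.71, -74.01),
    "US-SFO": (37.77, -122.42),
    "CN-SHA": (31.23, 121.47),
}

# Assumed upper bound on plausible travel speed between two logins (km/h),
# roughly airliner cruise speed. Tune per environment.
MAX_PLAUSIBLE_KMH = 900.0

# Constructed sample log lines in an assumed "timestamp key=value ..." format.
# 192.0.2.5 plays the role of a corporate VPN egress address that geolocates
# to San Francisco regardless of where the user really is.
SAMPLE_LOGINS = """\
2024-07-01T08:00:00Z user=alice src=198.51.100.7 geo=US-NYC result=success
2024-07-01T08:45:00Z user=alice src=203.0.113.42 geo=CN-SHA result=success
2024-07-01T09:00:00Z user=bob src=198.51.100.9 geo=US-SFO result=success
2024-07-01T16:00:00Z user=bob src=198.51.100.21 geo=US-NYC result=success
2024-07-01T10:00:00Z user=carol src=198.51.100.30 geo=US-NYC result=success
2024-07-01T10:20:00Z user=carol src=203.0.113.99 geo=CN-SHA result=failure
2024-07-01T11:00:00Z user=dave src=192.0.2.5 geo=US-SFO result=success
2024-07-01T11:10:00Z user=dave src=198.51.100.50 geo=US-NYC result=success
"""


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    src_ip: str
    geo: str


def parse_login(line: str):
    """Parse one constructed log line; returns None for junk or failed logins."""
    parts = line.split()
    if len(parts) < 5:
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    kv = dict(p.split("=", 1) for p in parts[1:])
    if kv.get("result") != "success":
        return None  # a failed attempt does not place the user anywhere
    return Login(kv["user"], ts, kv["src"], kv["geo"])


def haversine_km(a, b) -> float:
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(lines: str, max_kmh: float = MAX_PLAUSIBLE_KMH,
                      vpn_egress=frozenset()):
    """Return one alert dict per consecutive login pair that implies travel
    faster than max_kmh. Logins from known VPN egress IPs are skipped because
    their geolocation reflects the concentrator, not the user."""
    by_user = {}
    for line in lines.splitlines():
        ev = parse_login(line)
        if ev is None or ev.src_ip in vpn_egress or ev.geo not in GEO:
            continue
        by_user.setdefault(ev.user, []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(GEO[prev.geo], GEO[cur.geo])
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            # Two distant logins at the same instant are the strongest signal,
            # so a zero gap is treated as infinite speed rather than skipped.
            kmh = float("inf") if hours == 0 else km / hours
            if km > 0 and kmh > max_kmh:
                alerts.append({"user": user, "from": prev.geo, "to": cur.geo,
                               "minutes": round(hours * 60), "km": round(km),
                               "kmh": round(kmh)})
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_LOGINS, vpn_egress={"192.0.2.5"}):
        print(a)
```

Run without the allowlist and dave is flagged too (San Francisco to New York in ten minutes), which is exactly the VPN false positive the review alludes to; with the egress address excluded only alice remains. Bob's seven-hour coast-to-coast gap stays under the threshold, and carol's failed attempt from abroad is ignored because it proves nothing about her location.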
Senior IT Security Operations at a pharma/biotech company with 10,001+ employees
Security relies on this for event correlation and alerts.
Pros and Cons
- "The speed of the search engine"
- "The administration of the cluster and app deployment to indexers or search heads can be done only using ssh access and command line; there are no GUI tools for that."
How has it helped my organization?
The network department, for example, has improved its efficiency by 30%. Security relies on this for event correlation and alerts.
What is most valuable?
- The speed of the search engine
- All the types of data sources that you configure can be forwarded to Splunk.
- The ease-of-use
What needs improvement?
Cluster management can only be done via a command line. I would like them to add some GUI options for that. Permissions are not very flexible, so it would be nice to have more granular options, such as double factor authentication.
The administration of the cluster and app deployment to indexers or search heads can be done only using ssh access and command line; there are no GUI tools for that.
Permissions, on the other hand, could be improved by adding, for example, a deny option for groups to see an index, etc. Also, the authentication method is just LDAP or Splunk, so more security layers could be added, such as a second factor, etc.
What do I think about the stability of the solution?
It is very stable.
What do I think about the scalability of the solution?
It scales out horizontally.
How are customer service and technical support?
The quality of support depends on the support and license. On the average, I would give them a rating of 6/10.
Which solution did I use previously and why did I switch?
We previously used ArcSight. Splunk is at another level. It is easier, more stable, and faster.
How was the initial setup?
It is very easy to set up on a standalone server. Of course, if you want a cluster, it is more complicated. In order to manage it, you need skilled people.
What's my experience with pricing, setup cost, and licensing?
It is not cheap :-)
Which other solutions did I evaluate?
We were using ArcSight before.
What other advice do I have?
My advice is to go ahead with it.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Solution Engineer at Sennovate Inc
The solution is user-friendly, and we can easily customize the monitoring script
Pros and Cons
- "Splunk is user-friendly. We can easily customize the monitoring script."
- "Splunk isn't appropriate for smaller companies. It's too expensive."
What is our primary use case?
We use Splunk to monitor unusual user behaviors. For example, if any user onboards from a different domain, it will trigger an alert. We also get alerts and high traffic when the ADI server is down. Splunk will monitor that behavior or when users make repeated wrong login attempts.
My full-time job is managing the IAM product. Splunk is one of our security monitoring tools. Most of my work is on IAM tools like CyberArk and SailPoint, etc.
How has it helped my organization?
Splunk manages all of our security and maintains a hundred percent availability. It improves business while securing the entire cloud environment. In terms of business, we don't need manual monitoring. It automatically monitors and notifies an administrator, so we can easily track and identify the particular issue. It saves our employees' time, and we can manage the environment without any impact on business service.
In the UK, hackers use automated software to make repeated login attempts. Splunk immediately identified these attempts and notified the admins, so the red team suddenly took action to block them.
It's nonstop monitoring that isn't affected by business hours. You don't need a manual administrator. Splunk will monitor everything, and a single administrator can monitor the alerts. Splunk will notify us if any unusual behavior happens, allowing us to take immediate action. There's no need for any further investigation and log analysis. It provides the exact result, what happened, and where it happened.
Splunk helps us reduce alert volume. Whenever the same type of attack occurs repeatedly, we can change the environment and improve the security so the attack won't repeat.
It speeds up our investigations through automation. Investigating manually takes a long time, and we sometimes cannot identify the exact issue. Splunk monitors the data and events, so we configured a range. If it triggers that area, it will provide the exact result. We can immediately identify and fix it. There's no need to investigate. It reduces the mean time to resolve by 80 percent.
What is most valuable?
Splunk is user-friendly. We can easily customize the monitoring script. We support a multi-cloud environment covering Windows Server, AWS, and Google Cloud. We also use ForgeRock to monitor Linux machines. It sends us alerts when the disk size gets full. When an employee logs in from a different region, it triggers an alert.
What needs improvement?
Splunk isn't appropriate for smaller companies. It's too expensive.
For how long have I used the solution?
I have used Splunk for two years.
What do I think about the stability of the solution?
Splunk is a highly stable product.
How are customer service and support?
I rate Splunk nine out of 10. When we have any questions, we raise a ticket and they respond in two or three hours.
How would you rate customer service and support?
Positive
How was the initial setup?
Splunk provides the tenant, and we can directly integrate it into the cloud URL. For the hosting, we can deploy it to the EC2 instance. Splunk is integrated with Cypress, CyberArk, and Fastdesk. Splunk also supports SAML integration. Splunk is a SAML application, so we can use SAML protocol to enable it.
What other advice do I have?
I rate Splunk Enterprise Security nine out of 10.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Jul 30, 2024
Cyber security analyst at a manufacturing company with 10,001+ employees
Provides threat intelligence correlations and reduces lead time for identifying risks and threats
Pros and Cons
- "The solution's most valuable feature is threat intelligence correlations."
- "I'd love to see more integrations, which is one of the primary points of the keynote with Splunk Enterprise Security."
What is our primary use case?
We use Splunk Enterprise Security for insider risk and security operations centers.
How has it helped my organization?
Splunk Enterprise Security primarily reduces our lead time for identifying risks and threats. Since a lot of the work is being outsourced or we depend on those new threat intelligence feeds, we're able to identify and triage them quicker. So, it leads to a quicker incident response.
What is most valuable?
The solution's most valuable feature is threat intelligence correlations. It's too hard to stay up-to-date on all the different data feeds yourself. So, having a tool that does it for you is very beneficial.
Splunk Enterprise Security has increased our alert volume because we now have new data to work with, and we're writing more alerts. We don't use the solution a lot for observability. Usually, our primary use case for Splunk Enterprise Security is cybersecurity.
It is extremely important to our organization that Splunk Enterprise Security provides end-to-end visibility into our environment. That's the primary reason we use it. We want the ability to do everything from one tool without having to thrash back and forth and take that precious time.
Splunk Enterprise Security has helped reduce our mean time to resolve. We're at least twice as efficient with Splunk Enterprise Security at identifying risk, following up, tracing it throughout the chain, and resolving it. We still have various toolings, but over time, the goal is to nest everything into Splunk Enterprise Security to make it cohesive from end to end.
What needs improvement?
I'd love to see more integrations, which is one of the primary points of the keynote with Splunk Enterprise Security. I would also like to see more admin capability to enable the health of Splunk Enterprise Security because, a lot of times, it's difficult to know when and why things are failing, especially for on-premises customers.
Splunk Cloud is a little clearer because it has more integrated support. For on-premises, it feels like sometimes you have to guess and then hope for the best. Troubleshooting some things related to Splunk Enterprise Security takes a lot of time.
For how long have I used the solution?
I have been using Splunk Enterprise Security for five years.
What do I think about the scalability of the solution?
The solution's clustering is great, but it could have easier containerization where it's more dynamic, and you can spin up and scale down as needed. Right now, Splunk is a very large expense for us as far as our cloud environment is concerned. Anything we can do to cut costs would be great.
Right now, we run the servers 24/7 and never change the size unless they're underpowered. We're spending a lot of money on off-hours to keep it alive, which is not ideal.
How are customer service and support?
We've got a lot of experience on our team solving Splunk, but the few times we used Splunk's technical support, we found them to be very effective and efficient. Occasionally, we'll forget to respond to them, and they'll follow up with us, which is usually the opposite of what you see. So, I've got nothing but good things to say about Splunk support.
How was the initial setup?
The solution's deployment was difficult because we were going through admin changes right as we were installing it. It took three admins over the course of five years to get it set up. I think if we had one dedicated admin from the start and kept them on the job until the job was done, we wouldn't have had nearly as much trouble.
What about the implementation team?
We used a reseller to implement the solution.
What was our ROI?
We have seen a return on investment with the solution.
What other advice do I have?
Splunk Enterprise Security is really strong, capable, and great at what it does. There are obvious areas of improvement, but it looks like Splunk has already identified them and is working on road maps to enhance SOAR integration and AI digital assistance for Splunk Enterprise Security. Once those are fully implemented, the product will further improve.
Overall, I rate the solution an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Jul 8, 2024
Lead Solution Architect at a tech vendor with 5,001-10,000 employees
Helps improve our incident response, is robust, and user-friendly
Pros and Cons
- "The most valuable feature is the custom dashboard feature."
- "Splunk's ability to analyze malicious activities scores an 8 out of 10, but there's room for improvement. By analyzing emerging patterns, Splunk could identify and predict potential threats more effectively."
What is our primary use case?
We currently use Splunk Enterprise Security for security monitoring. Previously, we relied on AWS native monitoring tools. In that setup, logs were forwarded to a Splunk dashboard which was also used by our L1 and L2 support teams to evaluate incoming support cases.
How has it helped my organization?
CloudWatch, the native AWS monitoring tool, offers limited metric detail and a complex navigation experience across different data streams. In contrast, Splunk empowers us to create custom dashboards. This allows our team to quickly access the relevant dashboard and perform root cause analysis during an incident, streamlining our response process. This is how Splunk has been instrumental in enhancing our efficiency.
Splunk dashboards significantly improved our incident response by providing a single view of all relevant information. This allowed us to quickly identify and address issues. Additionally, Splunk's customization capabilities enabled us to tailor dashboards to focus on the specific metrics most critical to our operations. As a result, we could easily create dashboards highlighting high-priority metrics. Splunk's real-time data ingestion allowed for near-instantaneous monitoring. Logs generated in AWS were pushed to Splunk almost immediately through a collector. This enabled us to use the dashboard to investigate these logs in real-time. Furthermore, integrated identity and access management facilitated easy sharing of dashboards with other users.
Splunk itself may not have directly improved collaboration on security issues. However, in the event of an incident requiring investigation by a senior security professional, Splunk simplifies the process. L1/L2 teams and support engineers can easily point to the relevant dashboard connected to the issue. Additionally, these dashboards provide valuable features for further investigation, post-mortem analysis, or what they might call building the analysis or post-mortem report.
Splunk has been helpful for customers in resolving a wide range of issues. Whenever a problem arises, IT staff can quickly identify the root cause using Splunk. This allows for faster issue resolution, which in turn helps businesses retain customers and maintain their overall value.
What is most valuable?
The most valuable feature is the custom dashboard feature.
Splunk is robust and user-friendly.
What needs improvement?
Splunk's ability to analyze malicious activities scores an 8 out of 10, but there's room for improvement. By analyzing emerging patterns, Splunk could identify and predict potential threats more effectively.
For how long have I used the solution?
I have been using Splunk Enterprise Security for three years.
What do I think about the stability of the solution?
I would rate Splunk Enterprise Security's stability 9 out of 10.
What do I think about the scalability of the solution?
Splunk Enterprise Security was able to meet our scalability needs.
Which solution did I use previously and why did I switch?
We previously used native cloud monitoring. Now, we supplement it with Splunk to benefit from its additional features.
How was the initial setup?
While the initial deployment was simplified by the availability of Splunk connectors in the public cloud, additional effort was required. We had to write the infrastructure as code, build the connector itself, pull the logs, and push them to the Splunk endpoint. These steps, including connection and configuration integration, would equate to moderate effort for a single person.
What's my experience with pricing, setup cost, and licensing?
For those considering a SIEM solution but prioritizing affordability, Splunk is a strong contender. My experience using Splunk for several years has been positive, with minimal glitches. Additionally, its user-friendly GUI allows new users to contribute immediately. Splunk is also feature-rich, offering a wide range of functionalities out-of-the-box. However, remember that quality often comes at a cost. Considering these factors, Splunk emerges as a cost-effective solution.
What other advice do I have?
I would rate Splunk Enterprise Security 8 out of 10.
Splunk did not help us reduce our alert volume because it was not integrated directly for alerting. It was integrated for monitoring. The alerting happened from our native cloud.
Splunk is self-sustainable and doesn't require maintenance.
We have never needed to contact Splunk support because their documentation is good enough for us to resolve the issues ourselves.
Splunk Enterprise Security is a stable, feature-rich, and user-friendly product with a well-designed graphical user interface.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Mar 19, 2024
Security Operation Centre (SOC) Analyst at Nera Philippines Inc.
Continuous visibility with good features and fast threat detection
Pros and Cons
- "Splunk Enterprise Security helped us with faster detection of threats."
- "We'd like to have the number of devices covered under the license to be increased."
What is our primary use case?
We use Splunk Enterprise Security for monitoring. We've been using it for monitoring our network. We've created some rules and use cases and we get alerts based on rules.
How has it helped my organization?
It’s helpful in relation to the security perspective. With it, we can monitor all log sources and it helps us to reduce risks to our enterprise from a security perspective.
We can monitor all of our digital assets and reduce threats via constant monitoring. Using Splunk, we can mitigate malicious activities on the spot.
What is most valuable?
The solution offers a variety of good features. It has a simple user interface where we can find various options easily. The search functionality is great.
Integrations can be done easily. It's not complex like other solutions, like QRadar or Azure. Everything is easy to manage, including the log sources.
The visibility is continuous. We have different web servers, databases, routers, endpoints, et cetera, and we gain visibility from a security perspective to all of them. We can generate different types of dashboards to visualize traffic from various resources.
We can see user behavior and have access to user behavior analytics. We also are able to have some custom rules that allow us to effectively continuously monitor the activities of our users. We use a third-party solution for that.
Splunk Enterprise Security is helpful for analyzing malicious activities and detecting breaches. I can take various logs from log sources and centrally manage everything via custom rules. We have been satisfied with the capability to analyze malicious activities and detect breaches.
It helped us with faster detection of threats. If we compare it with other solutions, it is much faster. For big organizations that have their logs and terabytes, working with something like QRadar takes lots of time. Splunk is much faster.
Since the time of deployment, we've been able to use all of the features and integrate rules and use cases with threat intelligence. We've reduced false positives by 90%. Between the first and sixth months, we reduced our alert volume by 50% to 60%.
Splunk Enterprise Security helped speed up our security investigations. We now have an in-depth insight into endpoint usage. We've saved about 60% of our time if you compare Splunk to how we were operating before in terms of monitoring.
What needs improvement?
We'd like to have the number of devices covered under the license to be increased.
For how long have I used the solution?
I've been using the solution for seven months.
What do I think about the stability of the solution?
I'd rate the stability eight out of ten.
What do I think about the scalability of the solution?
The solution is mostly scalable. The ability to scale is related to storage. If you want to expand storage, it can be quite difficult.
At this point, we do not have plans to increase our usage.
How are customer service and support?
I'm satisfied with the level of service technical support provides.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Previously, I have used QRadar. My current company uses Splunk.
How was the initial setup?
I was not involved in the deployment of the solution.
There is some maintenance required. Users need to do some administration around storage and monitoring.
What's my experience with pricing, setup cost, and licensing?
I'm not sure how much the solution costs, or how much my company pays for it.
If a company needs something cheaper than Splunk, there are some open-source solutions available to them.
What other advice do I have?
The resilience of the solution is good. It's quite scalable, however, it does depend on the license. If you want more sources or logs you need to increase your license.
I'd advise users to evaluate the solution to see if it meets their personal requirements.
I would rate the solution eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Splunk Developer at a tech vendor with 11-50 employees
Helps us with both auditing and regular monitoring
Pros and Cons
- "It definitely does help with both auditing and regular monitoring. SOC does more monitoring, but ES also gives you other features that are auditing-related. The dashboards are also beneficial."
- "Sometimes the communication with support happens with multiple staff. They should reduce the time to resolution."
What is our primary use case?
Our primary use case is for security but we also use it as a soft tool. It gives us an advantage over traditional SOC or security tools. We get to use the existing data in Splunk to make use of the security.
How has it helped my organization?
It definitely does help with both auditing and regular monitoring. SOC does more monitoring, but ES also gives you other features that are auditing-related. The dashboards are also beneficial.
Our auditing team gets benefits from Splunk, not just ES but also from general Splunk Enterprise. It's cross-functional.
Enterprise Security has helped us reduce our mean time to resolution by 50%. Without it, there are many manual steps. You have to go to different products to see specific things. With Splunk, you have the benefit of seeing them together in one place.
What is most valuable?
The notable events and the incident review features are the most valuable. It gives you an overall idea of what's going on in terms of security in the environment.
I also like the automation. We write custom scripts and automate certain tasks. That's also interesting. This feature saves us time.
Splunk is capable of doing a lot in real time; even with data coming in that is a terabyte in size, you can still do searches in real time. We have correlation searches that do similar functions.
It has a lot of the features we're looking for.
For how long have I used the solution?
I have been using Splunk Enterprise Security for a year and a half.
What do I think about the stability of the solution?
It's quite stable. It's a mature product.
What do I think about the scalability of the solution?
We can make it as scalable as we want. We can scale it horizontally as much as we want on our cluster.
How are customer service and support?
We get support when we need it. I would rate support an eight or nine out of ten. There's always learning and improvement to do. Sometimes the communication with support happens with multiple staff. They should reduce the time to resolution.
How would you rate customer service and support?
Positive
What other advice do I have?
I would rate Enterprise Security a nine out of ten. Not a ten because everything has room for improvement.
The biggest value of the Splunk conference is meeting people.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer:
Updated: October 2024