Splunk Enterprise Security Reviews

We currently use Splunk Enterprise Security for security monitoring. Previously, we relied on AWS native monitoring tools. In that setup, logs were forwarded to a Splunk dashboard which was also used by our L1 and L2 support teams to evaluate incoming support cases.

CloudWatch, the native AWS monitoring tool, offers limited metric detail and a complex navigation experience across different data streams. In contrast, Splunk empowers us to create custom dashboards. This allows our team to quickly access the relevant dashboard and perform root cause analysis during an incident, streamlining our response process. This is how Splunk has been instrumental in enhancing our efficiency.

Splunk dashboards significantly improved our incident response by providing a single view of all relevant information. This allowed us to quickly identify and address issues. Additionally, Splunk's customization capabilities enabled us to tailor dashboards to focus on the specific metrics most critical to our operations. As a result, we could easily create dashboards highlighting high-priority metrics. Splunk's real-time data ingestion allowed for near-instantaneous monitoring. Logs generated in AWS were pushed to Splunk almost immediately through a collector. This enabled us to use the dashboard to investigate these logs in real-time. Furthermore, integrated identity and access management facilitated easy sharing of dashboards with other users.

Splunk itself may not have directly improved collaboration on security issues. However, in the event of an incident requiring investigation by a senior security professional, Splunk simplifies the process. L1/L2 teams and support engineers can easily point to the relevant dashboard connected to the issue. Additionally, these dashboards provide valuable features for further investigation, post-mortem analysis, or what they might call building the analysis or post-mortem report.

Splunk has been helpful for customers in resolving a wide range of issues. Whenever a problem arises, IT staff can quickly identify the root cause using Splunk. This allows for faster issue resolution, which in turn helps businesses retain customers and maintain their overall value.

The most valuable feature is the custom dashboard feature.

Splunk is robust and user-friendly.

Splunk's ability to analyze malicious activities scores an 8 out of 10, but there's room for improvement. By analyzing emerging patterns, Splunk could identify and predict potential threats more effectively.

I have been using Splunk Enterprise Security for three years.

I would rate Splunk Enterprise Security's stability 9 out of 10. 

Splunk Enterprise Security was able to meet our scalability needs.

We previously used native cloud monitoring. Now, we supplement it with Splunk to benefit from its additional features.

While the initial deployment was simplified by the availability of Splunk connectors in the public cloud, additional effort was required. We had to write the infrastructure as code, build the connector itself, pull the logs, and push them to the Splunk endpoint. These steps, including connection and configuration integration, would equate to moderate effort for a single person.

For those considering a SIEM solution but prioritizing affordability, Splunk is a strong contender. My experience using Splunk for several years has been positive, with minimal glitches. Additionally, its user-friendly GUI allows new users to contribute immediately. Splunk is also feature-rich, offering a wide range of functionalities out-of-the-box. However, remember that quality often comes at a cost. Considering these factors, Splunk emerges as a cost-effective solution.

I would rate Splunk Enterprise Security 8 out of 10.

Splunk did not help us reduce our alert volume because it was not integrated directly for alerting. It was integrated for monitoring. The alerting happened from our native cloud.

Splunk is self-sustainable and doesn't require maintenance.

We have never needed to contact Splunk support because their documentation is good enough for us to resolve the issues ourselves.

Splunk Enterprise Security is a stable, feature-rich, and user-friendly product with a well-designed graphical user interface.

We use Splunk Enterprise Security for monitoring. We've been using it for monitoring our network. We've created some rules and use cases and we get alerts based on rules. 

It’s helpful in relation to the security perspective. With it, we can monitor all log sources and it helps us to reduce risks to our enterprise from a security perspective.

We can monitor all of our digital assets and reduce threats via constant monitoring. Using Splunk, we can mitigate malicious activities on the spot. 

The solution offers a variety of good features. It has a simple user interface where we can find various options easily. The search functionality is great.

Integrations can be done easily. It’s not complex like other solutions, like Radar or Azure. Everything is easy to manage, including the low sources.

The visibility is continuous. We have different web servers, databases, routers, endpoints, et cetera, and we gain visibility from a security perspective to all of them. We can generate different types of dashboards to visualize traffic from various resources.

We can see user behavior and have access to user behavior analytics. We also are able to have some custom rules that allow us to effectively continuously monitor the activities of our users. We use a third-party solution for that.

Splunk Enterprise Security is helpful for analyzing malicious activities and detecting breaches. I can take various logs from log sources and centrally manage everything via custom rules. We have been satisfied with the capability to analyze malicious activities and detect breaches.

It helped us with faster detection of threats. If we compare it with other solutions, it is much faster. For big organizations that have their logs and terabytes, working with something like QRadar takes lots of time. Splunk is much faster.

Since the time of deployment, we've been able to use all of the features and integrate rules and use cases with threat intelligence. We've reduced false positives by 90%. Between the first and sixth months, we reduced our alert volume by 50% to 60%.

Splunk Enterprise Security helped speed up our security investigations. We now have an in-depth insight into endpoint usage. We've saved about 60% of our time if you compare Splunk to how we were operating before in terms of monitoring. 

We'd like to have the number of devices covered under the license to be increased. 

I've been using the solution for seven months.

I'd rate the ability eight out of ten. 

The solution is mostly scalable. The ability to scale is related to storage. If you want to expand storage, it can be quite difficult. 

At this point, we do not have plans to increase our usage.

I'm satisfied with the level of service technical support provides. 

Positive

Previously, I have used QRadar. My current company uses Splunk. 

I was not involved in the deployment of the solution. 

There is some maintenance required. Users need to do some administration around storage and monitoring. 

I'm not sure how much the solution costs, or how much my company pays for it. 

If a company needs something cheaper than Splunk, there are some open-source solutions available to them. 

The resilience of the solution is good. It's quite scalable, however, it does depend on the license. If you want more sources or logs you need to increase your license.  

I'd advise users to evaluate the solution to see if it meets their personal requirements.

I would rate the solution eight out of ten. 

Our primary use case is for security but we also use it as a soft tool. It gives us an advantage over traditional SOC or security tools. We get to use the existing data in Splunk to make use of the security. 

It definitely does help with both auditing and as well as regular monitoring. SOC does more monitoring, but ES also gives you other features that are auditing-related. The dashboards are also beneficial. 

Our auditing team gets benefits from Splunk, not just ES but also from general Splunk Enterprise. It's cross-functional. 

Enterprise Security has helped us reduce our mean time to resolution by 50%. Without it, there are many manual steps. You have to go to different products to see specific things. With Splunk, you have the benefit of seeing them together in one place.

The notable events and the incident review features are the most valuable. It gives you an overall idea of what's going on in terms of security in the environment. 

I also like the automation. We write custom scripts and automate certain tasks. That's also interesting. This feature saves us time.

Splunk is capable of doing a lot in real-time with data coming in that is a terabyte in size, you can still do searches in real-time. We have correlation searches that do similar functions.

It has a lot of the features we're looking for. 

I have been using Splunk Enterprise Security for a year and a half.

It's quite stable. It's a mature product. 

We can make it as scalable as we want. We can scale it horizontally as much as we want on our cluster.

We get support when we need it. I would rate support an eight or nine out of ten. There's always learning and improvement to do. Sometimes the communication with support happens with multiple staff. They should reduce the time to resolution.

Positive

I would rate Enterprise Security a nine out of ten. Not a ten because everything has room for improvement. 

The biggest value of the Splunk conference is meeting people.

As there is no SIEM solution here at present, we are building it up through the assistance of a vendor. In the past I worked in the Splunk Cloud, which was seven-point something. With QRadar I worked on version 7.3. 

We use Splunk Cloud as a SIEM solution and to monitor traffic and the network for detection purposes. We can create use cases so that if the solution picks up on anything entering our organization, the malicious IP can be blocked. 

In respect of ones which are suspicious, based on the logs we pull from the data source, we can build the use cases accordingly and have our analysts work on these. 

In the several years I have worked with the solution, I have felt there to be a need for practice of queries and understanding. As with other areas needing practice, the more one learns and practices, the easier things become. 

While this is not terribly difficult, it is so when compared with QRadar. This holds true when we don't know the queries at all. Other than this, it is a great tool. 

The solution should also have more advanced capabilities in comparison with QRadar, which offers Watson. The product should have add-ons. 

The solution is stable and reliable. 

The solution is easy to scale, to add on and to integrate with other solutions. I am familiar with app integrations. Many solutions can be integrated with Splunk Cloud, such as CrowdStrike or Symantec. 

The solution's response time is not that fast. The experience of some of my peers is that the vendors have actively offered help. By contrast, when I tried Splunk Cloud's technical support I did not receive a response. 

We have not yet undertaken deployment. For the moment, we are on the EPS and discussing the proposed structure with the vendors. Our team is conducting talks with the vendors of QRadar. 

We are exploring multiple avenues in search of a one-SIEM solution. 

I am not in a position to comment on the pricing. 

By comparison, I feel QRadar to be better than Splunk Cloud, since it comes with Watson. 

Another advantage is that QRadar works like a threat intelligence tool. It, also, does not require queries, which Splunk Cloud does. It is important that we have an understanding of the queries for the purpose of pulling the logs which we seek. I feel QRadar to be better than Splunk Cloud, as it does not require us to work on the queries. 

I have worked on Splunk Cloud in the past, as well as on QRadar. As there is no SIEM solution in my current organization, we have plans to build it up. This is an ongoing process. I have suggested QRadar to my team and others are considering Sentinel. 

The solution is deployed on-cloud. 

I would recommend the solution to others since there are a couple of companies with many clients that are looking for Splunk Cloud, with which they are familiar. We must consider client demands when it comes to attracting projects. 

Even in India, most of the companies employ Splunk Cloud as the most prevalently used SIEM solution. Then comes QRadar, which is easier. So too, Splunk is less cost-effective than QRadar, although it is more in demand. There are a couple of companies with call centers that request Splunk Cloud. 

I rate Splunk Cloud as a seven out of ten. 

We started using Splunk to serve as a SIEM. In addition to correlating security information, we have begun to use it as a developer and customer advocate by analyzing user behaviors and system response times. 

Log files which were previously either not reviewed or reviewed incompletely are now being used in operations daily. Security and operational events are discovered and resolved with greater efficiency than we have ever before. The way Splunk allows for data to be correlated together has given our organization a more complete picture of our system security status and how users organically move through our applications. This information has allowed us to focus development efforts which will directly benefit our customers the most. 

The ability to manipulate data in Splunk is unparalleled. Splunk’s powerful, flexible query language can morph difficult to understand log formats into usable data. 

Correlating data across different systems via one interface will allow you to know your environment or identify incident data in ways you never imagined.

There is a definite learning curve to starting out. However, there is quite a bit of documentation out there to help you get started. 

The community (Splunk Answers/Slack Channel/User Groups) can help get you started. 

We previously used ArcSight, but found Splunk to be more cloud capable.  

Truly evaluate the data you want to ingest and go slow. Pulling in data that can provide no use to your mission only wastes data against your license.  

Other options were evaluated, such as ELK, but Splunk was identified to be more feature rich out-of-the-box.

Pick it up and jump into the community!  It can help get you started a lot faster.

We are using it for logging and monitoring.

Splunk Enterprise Security helps with application events. It provides end-to-end visibility into our environment which is most important for us. It reduces the time to react to an event.

Splunk Enterprise Security has helped improve our organization’s ability to ingest and normalize data. It can help identify and solve problems in real-time, but we have mainly utilized it for post-identification correction.

It provides us with the relevant context to help guide our investigations. It is easier for developers to take action once an anomaly is detected. We have been leveraging Splunk dashboards for that.

Splunk Enterprise Security has helped speed up our security investigations, but I do not have the metrics.

They are a good partner for Google Cloud. It provides great visibility, threat detection, and proactive mitigation of risks for our mutual consumers.

We have been selling Splunk Enterprise Security along with Google Cloud for about two years.

We had a very bespoke solution. It was a shared model. The scalability was good.

Their technical support has been good. I would rate them an eight out of ten.

Positive

We have not used any other solution previously.

Our customers have seen an ROI, but I do not have the metrics.

The variables and the flexibility that Splunk provides are helpful, especially in a hybrid and multi-cloud environment.

I would advise others to start early.

Overall, I would rate Splunk Enterprise Security a ten out of ten.

As a software analyst, I utilize Splunk Enterprise Security for security purposes, including threat hunting on developed and customized applications for vulnerability management. I also use it to display dashboards, analyze data, and address alerts.

We implemented Splunk Enterprise Security to consolidate all our security data into a single platform. This has enhanced our visibility into our security posture and the potential threats we face.

Splunk Enterprise Security enables us to monitor multiple cloud environments, which is crucial for receiving real-time email alerts in the event of critical incidents. However, directing me to the source can be time-consuming compared to the verified swim methodology used by SIEMs. For my application, I have approximately ten million records. Directing me to the service code takes two minutes to instruct them to view the file using VLOOKUP. However, sending it to the capital takes about half an hour.

The ability to monitor multiple environments is excellent. We have customers who use Splunk Enterprise Security both on-premises and in the cloud. Both options have their merits, depending on the specific needs of the customer. If a customer has the required resources, the cloud is often the most suitable solution.

The robust threat detection capabilities of Splunk are essential for our project. However, it's crucial to manage user access carefully. While we need to grant access to certain users, we must not provide them with unrestricted capabilities. Splunk's granular access control feature empowers administrators to customize user permissions, ensuring that only authorized users have access to the necessary features.

Splunk's threat topology helps us identify the scope of an incident. This is crucial due to the high likelihood of unauthorized data being compromised, necessitating prompt incident detection.

Splunk Enterprise Security has facilitated the timely detection of threats, enabling us to swiftly customize it to identify a wider range of threats and potential risks. We can incorporate external scripts for enhanced threat intelligence and threat-hunting capabilities.

Before implementing Splunk Enterprise Security, we relied on a patchwork of other tools, each requiring manual implementation for data collection, rule definition, and threat identification. This approach was not optimized and occasionally resulted in delayed threat detection. Limiting our focus to device security alone proved insufficient, as it lacked the real-time threat actor intelligence and activity insights provided by Splunk Enterprise Security. Our reliance on licensed development restricted us to pre-built alerts or manually uploaded scripts for mitigation and response.

Splunk Enterprise Security has helped reduce our alert volume.

Splunk Enterprise Security has helped speed up our security investigation time.

Three features stand out for me: the SDK for writing Python, the customizable and adaptable diagnostic dashboard, and the optimizer for collecting data.

The threat detection system has room for improvement. The critical aspect for an organization is the timely detection of incidents. If the rules are not defined correctly, threats may not be detected in real-time, resulting in incidents being detected months or even years after they occur.

I have been using Splunk Enterprise Security for almost seven years.

I would rate the scalability of the solution eight out of ten.

I would rate the resilience an eight out of ten.

I contacted Splunk support once for a separate product.

Positive

The initial deployment was straightforward for me, likely due to my extensive experience using Splunk. When implementing the solution, we begin by defining customer needs and requirements to optimize Splunk. This involves identifying the systems necessary for daily use and ensuring the protection of the integrated licenses and external apps in the Splunk environment. This protection encompasses program security, cloud-based security, and data analysis for specific apps. Additionally, we configure personal authentication for private applications.

The deployment time is dependent on the specific requirements and can range from two to ten days.

The implementation was completed in-house.

Splunk Enterprise Security has delivered a return on investment through its effective threat detection and vulnerability response capabilities. We have successfully demonstrated this positive impact on our customers through comprehensive reports.

I would rate Splunk Enterprise Security nine out of ten.

While there may be cheaper solutions available, they lack the optimizer, dynamic dashboard, and security APIs that Splunk offers. These capabilities are not found in other solutions.

Maintenance is minimal for updates only.

When using Splunk Enterprise Security, ensure that optimization is performed correctly to minimize response times and resource consumption.

Our initial use case was for security investigation, with the intention of creating some use cases. We ended up adding operational aspects, monitoring certain operational activities, such as high CPU utilization or any other applicational basis. 

This is obviously a cloud solution, but it does have some presence on-premises as well, so it's hybrid. 

One of the most valuable features is threat hunting. We can do threat hunting and identify if there is any malicious activity happening within our environment, which is a key feature for us. 

Splunk could be improved by reducing the cost. The cost is one of the biggest challenges for us in keeping to our production requirements. 

As for additional features, I think they need to refine their AI capability. I know that everyone is talking about artificial intelligence and threat hunting, so I guess one of the key requirements for us is for the solution to automatically provide us some kind of indication and then mitigate any risk. So automation should be a feature. 

I have been using Splunk for two years. 

This solution is excellent from a performance and stability perspective. There's very minimal maintenance required. Basically the only aspect we need to maintain is the one we have on-prem. So patching up everything and making sure it has the required updates. 

There are no issues at all in terms of scalability, since this is a cloud-based solution. There are around 25 to 30 users in my company accessing Splunk. 

Splunk's support is good. The process was smooth and they provided sufficient support, so there was no need to escalate anything. Also, they provide training on a regular basis, which is good. 

I have never worked with other similar products. I've worked for three companies, all of which use Splunk. 

The initial setup was very smooth. I think we got some support from the Splunk team. Since it's a cloud-based solution, it took us probably three or four weeks to actually start working. But deploying agents, configuration, refining, fine tuning, and other ongoing activities went on for about a month. 

We implemented through an in-house team with some support from the Splunk team. It was a very smooth process, from our perspective. 

This solution is costly. Splunk is obviously a great product, but you should only choose this product if you need all the features provided. Otherwise, if you don't need all the features to meet your requirements, there are probably other products that will be more cost-effective. It's cost versus the functionality requirement. 

I also evaluated IBM QRadar and LogRhythm NextGen SIEM. 

I work in security architectures, not operations, so I don't actually work with Splunk on a regular basis, but the team that does is working on threat hunting and incident management. 

I rate Splunk an eight out of ten.