Splunk Enterprise Security Reviews

As a security analyst, my main use cases for Splunk Enterprise Security involve reviewing notables. I receive all the alerts and notables in my queue, review them, ensure they're not actual security incidents, and triage them as either true positives, false positives, and so on. I then investigate the true positives.

The features of Splunk Enterprise Security that I appreciate the most include the SPL search. It allows me to get all the data I need, make it beautiful, show it to my boss, and show it to less technical people. It's easy to display the data.

When we have a major incident, we need to move fast and answer quickly. Also, we need to inform non-technical people, so it's easier to show them.

Instead of showing them a raw log that's ugly and hard to read, we can show them a very concise point such as 'This insider threat with this IP address accesses this system,' and pivot wherever needed. It's really useful for data presentation.

Dealing with incidents depends on the type of incident; a major incident can take a few months, while a smaller incident can take from five minutes to five hours. We use Splunk SOAR, and we're starting to use that in Splunk Enterprise Security to automate our response. It's made my life easier because repetitive tasks can be automated with a playbook, and everything gets done in the background without manual triage.

Splunk Enterprise Security helps improve my business's resilience by protecting our enterprise. Every time there's something not working, it's our central log space. Every incident and everything that's not working is in Splunk. The factors that led to adding Splunk involve our relationship with the sales team and our technical contact. We have a very good relationship with them, which helps considerably.

The integration of these security solutions supports my security operations by providing us with better visibility into various types of endpoints. We have custom detections that we make on Splunk, and we also integrate Microsoft Defender alerts into Splunk. I have one place to investigate them all instead of going from product to product.

Splunk Enterprise Security can be improved mainly regarding the UI, which can be daunting at first for newer employees. It's hard to find everything, such as menu locations, dashboard access, and dashboard creation. It's still very complicated and takes a few weeks to understand. The UI could be more user-friendly.

The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection include skills. I've been using it for four years and I don't know everything yet. Finding information and writing complex SPL queries can be challenging. I tried to use external AI, ChatGPT, but they're not very good with it. I know now there's SPL with AI, and we're going to test that.

I have been using Splunk Enterprise Security for about four years.

I would assess the stability and reliability of Splunk Enterprise Security as generally good. We had a few performance issue bugs with very specific use cases, and they were handled quite fast. We reported them to our technical contact, and within a week, it was fixed.

Splunk Enterprise Security scales effectively with the growing needs of our organization. We expand continuously, always adding new detection, new logs, and new systems. In Splunk Cloud, it's very scalable. We never have an issue with that, and we have terabytes of data coming in.

I would evaluate customer service and technical support for Splunk Enterprise Security as very good. This is probably one of the reasons why we have a good relationship and we keep Splunk around.

Positive

Prior to adopting Splunk Enterprise Security, I always used Splunk. At the same time, we use Microsoft Defender Endpoint, however, we don't use their SIEM solution. I use MD alerting too.

I use disparate security solutions that integrate or import data into Splunk Enterprise Security.

I am not directly involved in pushing new detection in Splunk Enterprise Security. However, I do tune detections; if a detection is firing too much or I feel we could edit the detection, I find it quite easy to do. My organization does not use risk-based alerting in Splunk Enterprise Security yet; we're working on it.

The advice I would give to other organizations considering Splunk Enterprise Security is to contact them, contact the sales rep, the tech rep, and ask them for a PoC trial. They're very open with this and even with new features. Before we buy anything new, such as SOAR, Splunk offers us to do a PoC. They give us a license to try it for free for a few months and give feedback if interested or not. For any enterprise thinking about it, I would contact them and get them to do a free trial for a while.

On a scale of one to ten, I rate Splunk Enterprise Security a nine.

My main use cases for Splunk Enterprise Security are security operation center and incident response.

The Mission Control feature of Splunk Enterprise Security benefits my organization by providing quick alerts, making it easy for the SOC team to navigate events and find threats quickly.

I use disparate security solutions that integrate or import data into Splunk Enterprise Security. This integration supports our security operations effectively because we work with different tools, and Splunk apps support many integrations, so we don't need to write custom ones; it's available by default.

It has supported our SOC by improving it; in looking through many alerts, we can look at only the critical alerts, and the number of alerts investigated by SOC has changed drastically. Currently, my security ops team remediates security incidents with Splunk Enterprise Security within 45 minutes compared to our previous solution.

I would be using Detection Studio, which is one of the new threat detection features in Splunk Enterprise Security that I'm interested in. Splunk Enterprise Security has definitely helped improve my organization's business resilience; it has helped us to pass our SOC 2 audit, and we have good monitoring about security alerts and threats happening.

I assess Splunk's ability to predict, identify, and solve problems in real time as very good.

I would definitely improve the risk-based alerts in Splunk Enterprise Security, helping SOC analysts to get to the drill-down searches.

The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection include writing detection rules for new threats, finding out about the SPL logic, and writing correlation rules. In ES8, we are experiencing some issues with crashes, and whenever we open the correlation rule, it gives a Java error requiring a refresh. We had not seen that error before, however, we are seeing it more frequently in ES 8.1.

I have been using Splunk Enterprise Security for five years.

Splunk Enterprise Security scales absolutely with the growing needs of my organization; it has caught up with our needs, and we use the tool without any pain.

On a scale of one to ten, I would rate Splunk Enterprise Security overall as eight.

We have definitely expanded our usage over the five years; our utilization of Splunk has totally changed.

I would evaluate customer service and technical support as good and satisfactory because it was not satisfactory a few years back, however, now I see some positive changes, which is good.

Positive

I used IBM QRadar.

I would describe my experience with deploying Splunk Enterprise Security as easy thanks to the cloud.

I have seen a return on investment; though it is an expensive tool, we did see return on investment. The integration is a specific example where we see value; the basic integration with different data is easy and more adaptable. As we use more different tools, Splunk Enterprise Security is able to integrate all those things without needing to create custom integration.

My experience with pricing, setup cost, and licensing for Splunk Enterprise Security is that it is expensive.

I made a change because IBM QRadar was on-premises, and we were transitioning; we had many challenges with the tool when dealing with big data, and it was not able to catch up, which is why we moved to Splunk Enterprise Security.

I would advise other organizations considering Splunk Enterprise Security to use it and also utilize the built-in ES Content Pack, where you have many rules ready, instead of trying to figure everything out. Use that content pack to start, and once you have the basic fundamental detection rules, then you can expand on it.

On a scale of one to ten, I rate Splunk Enterprise Security an eight.

I'm an end user, admin, and consultant. We use Splunk Enterprise Security internally in our organization, and I also use it for my personal studies. My usual use cases for Splunk Enterprise Security include monitoring several kinds of exchange server logs and Office 365 logs, among others, as we have multiple monitoring use cases based on our requirements in our environment. We were trying to solve multiple things by implementing Splunk Enterprise Security, particularly for monitoring our applications based on the insurance business, so we use Splunk Enterprise Security logs for security purposes and internal infrastructure monitoring, including logs matching security purposes in our Office 365 and exchange servers.

The most valuable features of Splunk Enterprise Security are several add-ons and TAs, while the lack of a DB requirement is a significant advantage for the business, allowing easier management without needing in-depth DB knowledge. I find that Splunk Enterprise Security's ability to import data from various sources, including looking up Excel files, is quite effective, providing a good way for management.

We import data from several unique data sources into Splunk Enterprise Security, possibly more than a hundred because we have AWS and multiple servers. We have disparate security solutions that integrate data into Splunk Enterprise Security. I can still query data in Splunk Enterprise Security regardless of where it resides, and in my perspective, the query provides data quickly.

Splunk Enterprise Security has improved our organization's ability to ingest and normalize data compared to before using Splunk Enterprise Security. The unified platform helps consolidate networking, security, and IT observability tools, which is very relevant to our internal needs. Using Splunk Enterprise Security, our focus was not on reducing alert volume but on properly finding and handling alerts; we've managed to capture 100% of them effectively.

Splunk Enterprise Security provides the relevant context to help guide investigations by allowing us to share application logs and details with clients efficiently. We utilize out-of-the-box detections in Splunk Enterprise Security, and we have created dashboards that add value to our monitoring efforts. Customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security is easy; it has been a good experience without significant difficulties.

We upgraded to Splunk Enterprise Security from version 8.0.4 to 9.0.6, and also from 8.1.4 to 9.0.6; it worked well with the support we received from the team, and it has proven to be very useful. Splunk Enterprise Security provides the foundation for unified threat detection, investigation, and response, enabling fast identification of critical issues.

The solution could be improved by integrating more application monitoring features and possibly incorporating AI capabilities to enhance its functionality.

I've been working with Splunk Enterprise Security for six years.

Splunk Enterprise Security is stable and scalable, making it a good tool that is beneficial for our needs.

Splunk Enterprise Security is stable and scalable, making it a good tool that is beneficial for our needs.

I participated in the deployment process of Splunk Enterprise Security, and we performed UAT before moving it to production. It's not the most affordable solution, as I've witnessed several companies considering leaving due to cost factors. The pricing of Splunk Enterprise Security is not very affordable, and I have seen many companies planning to leave because of cost concerns.

My main use cases for Splunk Enterprise Security are threat detection use cases.

The biggest advantage I can see in Splunk Enterprise Security is the big data analytics. The simple search query with faster responding results is also appealing. My team handles large volumes of cybersecurity data. To be able to search against such a big amount of data with efficiency is the key driver for my team to do threat detection and data analytics.

Splunk Enterprise Security can be improved in many ways. I am very happy to experience the AI-powered security platform they are going to show us in the new version. Better identification of true positives and false positives should be included in future releases.

There is another new term called benign positives. It is better to clearly identify each definition of those terms since it has not been popular in the industry, and everyone needs to be aware of those things.

The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection are the false positive alerts. As mentioned in the keynote, there is a lot of noise. Reducing the noise to make sure the SOC is operating more efficiently is one of the challenges my team is having. The process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security is not the easiest, however, it is not the most difficult one, so I would say it is medium.

I have been using Splunk Enterprise Security for seven years.

I have experienced downtime, crashes, and performance issues, with the most recent one being a data ingestion issue from another security platform. This key data source is not being ingested, causing some downtime.

Splunk Enterprise Security does not scale efficiently with the growing needs of my organization. Since it is on-premises, we have some scalability issues, and there are other new players coming up.

We have expanded the usage of Splunk Enterprise Security several times.

I would evaluate customer service and technical support as adequate since my team does not deal with it directly. Another team dealt with them, and I found it to be acceptable as they have 24/7 support all over the world. 

They hand over to the next team in another country, but sometimes it takes time to do the transfer, and we have to explain all the problem issues again, which can be frustrating. For that, I would rate it a five.

Positive

Prior to adopting Splunk Enterprise Security, I was not using another solution to address similar needs.

My experience with deploying Splunk Enterprise Security is actually another team's job, however, they are doing adequately.

My organization is moving towards risk-based alerting in Splunk Enterprise Security. My team actually built our own risk-based alerting before they released it; however, we are looking forward to integrating both.

Splunk Enterprise Security is doing its job in helping improve my organization's business resilience. There are other competitors in the same field, so I find it neither particularly good nor bad.

I don't directly deal with pricing.

I would advise other organizations considering Splunk Enterprise Security that the new version looks impressive. If organizations want the new, complete package, I would recommend ES Premier, as it combines ES with TIM, UEBA, and SOAR. 

On a scale of one to ten, I would rate Splunk Enterprise Security a seven. I believe ES is doing its job, but it is slightly behind its competitors. 

Other competitor platforms already have AI integrated, and they just announced it today, so it feels somewhat behind. However, I am looking forward to this new feature.

My main use cases for Splunk Enterprise Security are log management and enterprise security. Those are the key.

Splunk Enterprise Security has helped improve my organization's business resilience. We load much of our data and information that we use. It's really helping us in our log management solution, and also for forensics and alert triaging purposes. Forensics is one of the big pieces, along with incident management, IRP, and data management. It's fulfilling all those gaps and helping us mature our security operations.

The features of Splunk Enterprise Security that I enjoy the most include reporting, dashboards, and RBA. These features have benefited my organization since the dashboards and reports help us review security alerts and events in a timely manner. The RBA is what we are currently working on to develop and have some early detection on security alerts and notifications.

Currently, I am using disparate security solutions that integrate or import data into Splunk Enterprise Security. This integration supports my security operations by providing some visibility into security. Yet we have many basic issues where we need to fix the log sources, integration, and quality of the content that's going into Splunk Enterprise Security.

I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security quite basic. We don't have any sophisticated process. We have contractors and MSSP who are timely filling those gaps, going through the rule review process, going through regular security testing, and prioritizing what is more important as an organization.

Though we have not completely explored the product functionality, Splunk Enterprise Security itself has many features. This morning I was reviewing all the AI capabilities, such as version 8.2 which has included incident triaging and process. That's probably a very good feature. Our organization has very limited resources, so we would want to expand some of those automation and AI capabilities to fill those gaps.

I have been using Splunk Enterprise Security for two years.

I would assess the stability and reliability of Splunk Enterprise Security as generally good, with very few downtime, crashes, and performance issues. I've been with the organization for a little over a year. I have seen one or two occasions where the enterprise resources crashed. I haven't really seen any significant issues.

Splunk Enterprise Security works efficiently with scaling growing needs since the distributed architecture is very well planned and easily scalable. All you need is to spin up a few additional resources and you can build your collectors, forwarders, and indexers. It's quite easy. At the same time, it comes with its own complexities since it's an on-premises solution. 

Overall, it performs well. I haven't seen any outages or resource challenges while using it.

I would evaluate customer service and technical support as very responsible. Anytime that we have issues or challenges, I could see they were helping us behind the scenes and going through all these improvements. They were excellent.

Positive

In previous organizations, I have been well-versed with many other SIM tools. QRadar is one prominent tool I used. The McAfee Nitro, which isn't available anymore, was another. RSA NetWitness, RSA enVision, ArcSight were among the many tools I've used. In modern SIM tools, I am more familiar with Sentinel and Google Chronicle. I would say Splunk Enterprise Security has more capabilities, and maturity-wise and roadmap-wise, this product has become much more mature than the other two products I could compare.

I was not present for the deployment.

I have definitely seen a return on investment with Splunk Enterprise Security.

The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection relate to the RBA, which is something that we were struggling with. We are working with the SIM and our reseller to streamline that process. That's something that's not easy for every organization. We are going through the same turbulence.

My organization does not completely utilize risk-based alerting in Splunk Enterprise Security as it's not fully mature. It is supporting our SOC in a limited way. We still have a long way to go. The product is not completely mature. We are a unique organization, so it requires additional resources to get that work done.

My organization is in the process of expanding our security use cases. It's a multi-year model where we are strategizing and exploring all our security needs. I would say we are still in the early phase. Although we have the product in place, it was not yet mature due to some resource issues.

My advice to other organizations considering Splunk Enterprise Security is that it's a good product. It's definitely helpful. If somebody is looking for security and log management, investigations, incident, and IRP, then they can look into this product and explore it. It's one of the market-leading products. It definitely stays up to the mark. 

On a scale of one to ten, I rate this solution an eight.

My main use cases for Splunk Enterprise Security are basically triage, ensuring cyber threat defence, and improving speed when defending the organization. Since I am the only one currently in the security team, we are growing this year and next, and we're expanding. Splunk Enterprise Security is improving the process to defend, basically.

The features of Splunk Enterprise Security benefit the organization. You can see threats much faster, helping detect something that the antivirus may miss. Splunk Enterprise Security can work with this, and when the antivirus has a hard position, by using proper detection rules that are well-configured, you can see what's going on in real-time, both endpoint-based and network-based.

The features of Splunk Enterprise Security that I find most valuable include Mission Control, which I really appreciate, the way accelerated data functions, making it really fast to see, the integration with SOAR, which is something really cool and integrates with automated processes, and the way to ingest threat intelligence feeds, which is an amazing feature as well.

Splunk Enterprise Security has helped improve my organization's business resilience, as we were able to detect an attack that was happening after hours and prevent it thanks to the detections. We stopped it immediately in a matter of about 30 minutes. Splunk Enterprise Security has improved my ability to predict, identify, and solve problems in real-time; it's not just proactive, but also really predictive. My organization uses Risk-Based Alerting in Splunk Enterprise Security, which speeds up our process to detect and our mean time to respond. It's very helpful, and after we improved the configurations, we have RBA working fine, something that will always be maintained; it may not be perfect, but we do our best to maintain it.

On average, my security ops team takes less than five minutes to remediate security incidents with Splunk Enterprise Security compared to our previous solution, which used to take hours because we needed to see different sites. We are using new threat detection features in Splunk Enterprise Security by ingesting a lot of threat intelligence feeds from our main vendor, which has significantly improved the indicator of compromise, the IOCs detections. We also use Sigma detections and adapt to Splunk.

The on-premise integration with SOAR could be more simple; the cloud version integrates with SOAR very easily, but the on-premise SOAR and on-premise Splunk Enterprise Security are really not that easy, so I would appreciate if that could be improved. 

Additional features that should be included in the next release of Splunk Enterprise Security are the ability to integrate with other software and tool frameworks, beyond Sysmon, to avoid ingesting Sysmon logs from the endpoint, which can be very noisy at times, resulting in more straightforward detection and less resource-intensive licensing.

I have been using Splunk Enterprise Security for four years.

I have experienced downtime, crashes, and performance issues with Splunk Enterprise Security due to a hardware issue, which we were able to quickly fix thanks to the backup recovery. However, it took about one day, and it highlights the need to move to clustering, which I've discussed with my leadership team.

I would assess the stability and reliability of Splunk Enterprise Security as needing clustering. It ensures it remains operational all the time, which means you can see cyber attacks. When it's down, you can't see anything. 

We currently rely on disaster recovery and backup recovery, which takes time to recover, during which you're basically blind, so I'm pushing my leadership team to switch over to a clustering environment for constant availability. Right now, the server we have meets the hardware requirements, and we have moved to new hardware. 

We're considering moving to cluster environments to scale in the future, probably in a couple of years.

I would evaluate customer service and technical support for Splunk Enterprise Security as excellent; when we open tickets for troubleshooting, 99% of the time, it relates to our Linux environment. I have no personal complaints about the support.

Positive

Prior to adopting Splunk Enterprise Security, Splunk was already in place when I came on board at Educational Federal Credit Union.

In the beginning, we were using disparate security solutions that integrate or import data into Splunk Enterprise Security. Now we are adapting to completely switch to the Splunk Enterprise Security side to have a single-pane-of-glass view of everything, minimizing the integrations with the vendors such as EDR, DLP, and the firewall.

I have seen a return on investment with Splunk Enterprise Security. My executive team has noticed improvements; we were able to save on other solutions, which increased budgeting for future projects thanks to Splunk Enterprise Security and the licensing optimization, allowing us to invest in other tools.

My experience with pricing, setup costs, and licensing with Splunk Enterprise Security has been challenging in the past due to the expensive licensing model, which was driven by Sysmon delivering a lot of unnecessary noise. We don't use Splunk just for security; we also use it for other departments. 

We have shared the license between security and development departments, making sure to minimize ingestion logs from the endpoints, including workstations and servers. We are currently leveraging EDR telemetry ingested to Splunk, which saved a lot of licensing money while allowing us to see what we're looking for.

My advice to other organizations considering Splunk Enterprise Security is that it's the leader in SIEM globally. You have a lot of customization and data normalization, meaning you can detect anything you want compared to other SIEMs. Splunk Enterprise Security is worth the investment because it provides exactly what you need if you are a true cyber defender. I also network with friends from a company, Next-Gen Systems, which is leading in detection and investing in developments and integrations with Splunk due to its scalability. 

On a scale of one to ten, I rate Splunk Enterprise Security a ten.

My primary use cases for Splunk Enterprise Security are correlation searches and the workflow that enables our SOC analysts to work through an entire incident from start to finish.

An example of how these features benefited my organization is that the mean time to detect compromised accounts from the time that we're able to detect that account and then launch some automation to actually disable the account and work with the end user to fix the issue has gone from taking a couple of days to literally taking two to three minutes.

The features of Splunk Enterprise Security that I value most are the correlation searches, being able to bring multiple things together and to have one result to look at in a single pane of glass. 

I'm not sure how Splunk Enterprise Security can be improved, but I'm sure it will be improved; the features that they add, I constantly never even think of. One of the big things is making it a little easier for the intro analyst to be able to understand and work through without a lot of dedicated training.

I've been using Splunk Enterprise Security for probably about the last two years.

I would assess the stability and reliability of Splunk Enterprise Security as having not experienced any issues that would be in the realm of Splunk's.

Splunk Enterprise Security has scaled very well with the growing needs of my organization. We started out with a smaller deployment and now we're ingesting multiple terabytes of data a day and being able to scale as much hardware as we can throw at it.

I evaluate customer service and technical support as excellent. Anytime that we've had an issue, we've been able to engage with Splunk support, and we also have agreements with some other folks that help us out, some private organizations that we leverage.

Positive

Prior to adopting Splunk Enterprise Security, we were just using Splunk Enterprise and formulating our own searches and finding stuff ourselves.

I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security to be challenging at times. It takes some of our more advanced engineers to be able to work through a lot of those processes.

The challenges with deploying something like Splunk Enterprise Security are getting the data in, knowing what data you need, and trying just to find it and normalize it. It's such a vast area and we're such a distributed organization, trying to get all that information in one place has been a challenge. 

The process to expand usage has been smooth.

I have absolutely seen a return on investment with Splunk Enterprise Security. I can say that just because of the time that the analysts would take, and I can say that we have saved man-hours, which in the end is money. On average, my SecOps team takes probably at least a quarter of the time, if not more, to remediate security incidents with Splunk Enterprise Security compared to our previous solution.

Now that we can show that we're able to reduce that mean time to detection, we're getting a lot more buy in. So a lot more people are interested in that, and they're excited about that. So that really helps out.

I'm not familiar with the setup costs.

The advice I would give to other organizations considering Splunk Enterprise Security is to work with professional services. It's a large undertaking for your SOC, so work with professional services that have seen different examples and situations and lean on their expertise to help you develop the right solution. 

I would rate Splunk Enterprise Security overall on a scale of one to ten as probably about an eight; there's still some work to be done, however, it's the best that we can do right now.

My main use cases for Splunk Enterprise Security are mainly building SIEM for our customers, implementing it at customer sites, and using it for our own developments.

I really appreciate the all-integrated SIEM feature of Splunk Enterprise Security, which serves as a one-stop shop to get all security tasks done. It actually helps us by not having to develop all the use cases ourselves, providing an integrated product that has everything in one place. 

It has integrated threat intelligence and an integrated use case library, so it requires only one installation and configuration. This specifically benefits my organization by reducing the implementation time at our customers, getting faster time to value with a better turnover rate for our customers.

We are using disparate security solutions that integrate or import data into Splunk Enterprise Security. We are implementing all data sources that are somehow possible, so there's no limitation to that.

The process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security is pretty straightforward. Developing our own solutions is pretty good, and even though we are using the Security Essentials and the Enterprise Security content libraries, that's a very good way to progress.

Splunk Enterprise Security can be improved with more ease of configuration. It is pretty straightforward to get it started, however, to really check if my data is all available and how to activate the right use case and the right correlations is still sometimes a hassle. A guided mode to help us understand how to get started, improve data quality, and prepare data more efficiently for use cases would be highly beneficial for us.

I have been using Splunk Enterprise Security for the best of seven or eight years now.

I have experienced downtime, however, it's very little. The downtimes are mostly hardware issues such as network downtimes, which is nothing that Splunk has a say in. If you deploy a multi-site architecture and make it fail-safe, downtime isn't an issue.

I have expanded usage a lot. This expansion has improved the process as scalability and scaling volume-wise and usage-wise with Splunk Enterprise Security was never a problem for me nor our customers.

I evaluate customer service and technical support from Splunk as perfect. I'm very confident in what the partner SEs and the Splunk Professional Service team can do. If I need to reach out to them, I get instant replies, and the Splunk community itself is very helpful as well. On a scale of one to ten, I would give it a ten.

Positive

Prior to adopting Splunk Enterprise Security, I was using another solution to address similar needs. We were using Splunk Core with our own developments and helped several customers migrate away from products QRadar and FortiSIEM, however, our main go-to platform is still Splunk Enterprise Security.

My experience deploying Splunk Enterprise Security is all in all pretty straightforward. If you are used to how to set it up, it's very good.

I have seen ROI with Splunk Enterprise Security. 

One example is a situation with a customer where we started installing it and actually found active breaches that were short of being used and leveraged for maybe blackmailing or compromising the customer. We couldn't calculate what would have been the cost if they had actually gotten compromised; however, they were in the process, so every investment was returned immediately. It was definitely significant.

My experience with pricing, setup costs, and licensing is a bit difficult. There are competitors that are more cost-effective. That said, for the feature set that Splunk offers, it's okay. It is on a solid foundation, so there could be more rebates and opportunities for us as a partner to offer it to our customers. Still, it's competitive.

The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection are primarily related to customer pricing concerns. I find it's okay for a premium product on top of the Splunk base, however, the pricing is one thing, and I don't know if it's the same for all regions. We specifically sometimes have difficulties getting a smaller license than the Splunk Core one if we don't want to ingest all the data into Splunk Enterprise Security.

My advice to other organizations considering Splunk Enterprise Security is to try it if you don't know about it yet.

On a scale of one to ten, I would rate Splunk Enterprise Security overall as an eight. Sometimes it is a bit hard to get the searches and the data done, but all in all, it's a great product.