Splunk Enterprise Security Reviews

My main use cases for Splunk Enterprise Security include extensive security operations.

Splunk Enterprise Security has helped improve my organization's business resilience. The more I know, the more I can see, and the better my security stance becomes due to inherent visibility.

We did use risk-based alerting in Splunk Enterprise Security. We had to refine the data model based on the initial risk-based alerting model as, when we fed it raw data, the data models built, and there were many endpoints and network devices that had a high-risk score just because the data was new. Those risk scores carried over with weights, so we had to go back in and cleanse the risk score model and rebuild it once we had good data and logs going into the ES platform.

If they could implement an out-of-the-box solution, it would be almost an AI data onboarding system that automatically identifies the fields that are SIM compliant, Common Information Model compliant, and then immediately applies those to a data model, builds a data model, and starts the SIM searches against those data models. A lot of the work for Splunk Enterprise Security happens on the back end, not the front end, so that's where you can really trim down your resource need and expertise if you supplement that with automated or artificial intelligence.

The most significant challenges I face when using Splunk Enterprise Security for advanced threat protection are integration with other platforms and noise. Alerts from Splunk Enterprise Security generate many alerts, which take time to move through, assess, analyze, and determine whether they are true or false positives, and then go back and redundantly tune.

I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security to be cumbersome. Custom use cases are also cumbersome. You need someone very skilled at Splunk and data modeling to get to a point where you create something inside SPL that allows you to detect what you want.

There is not much predictive analysis happening in Splunk, and I hope that with the new AI toolkit allowing for the deployment of custom AI models and large language models within Splunk, along with additional advanced mathematical capabilities for vector analysis, the prediction and ability for Splunk Enterprise Security to add value to detections will increase.

I have a lot of experience using Splunk Enterprise Security.

I would assess the stability and reliability of Splunk Enterprise Security as typically very good, with minimal downtime or crashes.

We haven't expanded our usage of Splunk Enterprise Security; we used it by default from the start. The expanded usage is simply adding more information and logging to gain better insights.

I evaluate customer service and technical support as normally very good. When it's not, I reach out to my sales representative and my SE. I have a great SE, Jonathan Wilson, who jumps right in to solve issues when we need help or engagement.

Customer support has room for improvement, particularly in terms of speed and the ability to escalate issues to more senior personnel. I understand the need for a tiered approach, but I believe some issues should move more rapidly to a senior person.

Positive

Prior to adopting Splunk Enterprise Security, we were not using any other solution to address similar needs.

It's the human element there. It's helpful to have the expertise and the people to really take those data models and build them, refine them, get everything into the common information model on the back end so that, on the front end, you're getting the best data possible and you don't have to rebuild those models like we had to do with the risk score.

I have seen a return on investment with Splunk Enterprise Security. We went from almost no visibility to significant visibility across the enterprise, allowing us to see threats that were previously unknown or unregistered, which increased our security stance and made us understand we needed to look beyond the perimeter for internal threats and for lateral movement, east-west versus just north-south.

I helped negotiate the cost. Our sales rep is is really good, and we had a good understanding. The more you know about the product, the easier it is to negotiate. If you're not aware of how the product works, what the ingestion's like, especially Splunk Cloud with the SBC units and AWS, and how impactful that can be to queries and optimization and just general operations, it becomes very difficult if you're trying to maintain a certain price point for cost effectiveness. It it can be difficult to get an optimum amount of credits and SBCs in order to run what you need to run.

My advice to other organizations considering Splunk Enterprise Security is that while not everyone needs the top breed, ensure you have the resources and time to invest in it if you decide to use it. Anything off the shelf won't be as valuable as something you invest in and put time into, so the more you put in, the more you get out.

I would rate Splunk Enterprise Security overall as probably an eight out of ten; it is industry-leading.

Public Cloud

Amazon Web Services (AWS)

My main use cases for Splunk Enterprise Security include supporting production changes, which helps us ensure that we are not going to break the business from a DLP engineer standpoint. From an investigations and operations perspective, it allows us to look into all activities done by any individual, such as which emails they sent or what kind of data they have in their folders. We have logs coming from data at rest and data in motion channels, and all this combined is quite helpful for insider threat and data loss prevention activities.

One of the use cases I leverage Splunk Enterprise Security's dashboards and visualizations for is looking into risky applications. Since we manage the web side, we look into emerging AI applications in the market. Splunk Enterprise Security provides access to logs that show which category of websites are being accessed and what those are. We can see that in a search, yet visualizations dashboards enhance this representation. Instead of writing an SPL every time, any team member can go into a dashboard, input the application name they're interested in, and access all relevant details. These are some use cases, and you can continually build your own with Splunk Enterprise Security providing the platform for those developments while limiting access to only those who need to see the information.

Splunk Enterprise Security plays a role in our organization's strategy to combat insider threats and advanced persistent threats by allowing us to examine how users are affected and the various egress points they are hitting. From my perspective, this is essential as I work in a specific area within cybersecurity.

As a DLP Engineer and Assistant Vice President at a US bank with about 50,000+ employees, I manage the Data Loss Prevention tool, configurations, and deployments. We work across the globe in multiple regions and work on multiple different kinds of tools. Splunk Enterprise Security is leveraged quite heavily to support our DLP functions by creating SPLs for our DLP operations. We also create dashboards and reports that are required, where Splunk Enterprise Security is the single point of connection that allows us to send all the logs across and use the data as we need and see fit.

Due to my role, I have limitations on what I can do in Splunk Enterprise Security, yet for whatever access I have, it's been a very useful tool for detections and investigations. From a DLP standpoint, we look into enabling blocking, and we want to make sure that we are looking into what's happening there and how many people would be affected. Splunk Enterprise Security gives us access to that data, while the DLP platforms themselves provide data too, however, Splunk Enterprise Security's integrations with various inputs from identity and asset management create a single point for all information.

I appreciate the statistics feature of Splunk Enterprise Security since it helps showcase numbers to management. While we can share a long spreadsheet, that's not a good way of sharing data. Although we still share spreadsheets, having statistics, visualizations, and dashboards to showcase security benefits is much more effective.

Any new tooling we bring in and adding that data set helps create much richer data. Different integrations enhance our ability to find the right context for threat analysis and insider threat analysis.

I don't have any metrics regarding how Splunk Enterprise Security has helped reduce our team's average mean time to detect. However, I can think of the practical aspect: we have four different tools with their alerts. When we go into each of those tools, we can see what a user has done. With Splunk Enterprise Security, we can just pop in an SPL, search for the user, and find all the details from different sources in one spot, making it much easier to dive into investigations.

I have many good ideas for how Splunk Enterprise Security can be improved. Our Splunk team attended a session, and it was really good. I see that AI integration would assist analysts in seamlessly looking into data without relying on engineers to write an SPL. With AI integration, they can search different kinds of data that they have access to. The UEBA side looks good, and the Splunk Enterprise Security UI indicates that we are on the right path. I look forward to using and sharing what I've learned with my team regarding different tools in Splunk Enterprise Security that we can leverage to improve processes, provided they are not already using them.

One major return on investment for using Splunk Enterprise Security, from my perspective, is the feedback I provided to the product research team about creating a UI that helps specific team members extract value from the platform. For instance, if a DLP operations analyst accesses the platform, it should guide them to navigate predefined content for their role. That's something I've already mentioned to them, and I'm eager to see what happens next. Currently, it's a blank slate where users can explore, which is good, however, some people might need a push. Training can either be done from start to finish, or with AI integrating everywhere, users could ask questions that would return answers, from creating an SPL to providing results.

I have about ten plus years of experience in IT and security. The last seven years, I've been focused on data security. I've worked on probably more than seven DLP platforms, data loss prevention platforms. And from what I've seen, almost all these companies that I work with, a lot of them leverage Splunk.

I am happy with Splunk Enterprise Security's stability and reliability so far. I haven't seen any drawbacks, although sometimes the search takes a while to return results. That's often due to how I design the search, not the platform's fault. I have fantastic team members who assist me with specific SPLs, which makes it easier. It's just about navigating and understanding the right way to do it.

Splunk Enterprise Security scales well with the growing needs of our company. We have a massive team that supports this, with an amazing team managing all the work around Splunk Enterprise Security ingestions. I keep hearing that the use cases are increasing, and we look forward to what more comes in.

Before adopting Splunk Enterprise Security, we did not use any other solution to address similar needs in our company.

I know that our SOC team does use Splunk Enterprise Security to prioritize and investigate high-fidelity alerts, however, I'm not sure how it helps them specifically. I can say that many different teams in the business use it very heavily.

We do utilize UEBA in our company, yet not Splunk Enterprise Security UEBA from my understanding. I'm not part of those teams, so I wouldn't have an answer for how it specifically functions.

I would rate Splunk Enterprise Security a ten out of ten.

I advise other companies considering Splunk Enterprise Security to recognize that it is utilized by massive companies and is more practical. I would suggest finding what works for their environment and evaluating all related costs as those are important factors. Overall, Splunk Enterprise Security delivers, which is what truly matters.

On-premises

As a security analyst, my main use cases for Splunk Enterprise Security involve reviewing notables. I receive all the alerts and notables in my queue, review them, ensure they're not actual security incidents, and triage them as either true positives, false positives, and so on. I then investigate the true positives.

The features of Splunk Enterprise Security that I appreciate the most include the SPL search. It allows me to get all the data I need, make it beautiful, show it to my boss, and show it to less technical people. It's easy to display the data.

When we have a major incident, we need to move fast and answer quickly. Also, we need to inform non-technical people, so it's easier to show them.

Instead of showing them a raw log that's ugly and hard to read, we can show them a very concise point such as 'This insider threat with this IP address accesses this system,' and pivot wherever needed. It's really useful for data presentation.

Dealing with incidents depends on the type of incident; a major incident can take a few months, while a smaller incident can take from five minutes to five hours. We use Splunk SOAR, and we're starting to use that in Splunk Enterprise Security to automate our response. It's made my life easier because repetitive tasks can be automated with a playbook, and everything gets done in the background without manual triage.

Splunk Enterprise Security helps improve my business's resilience by protecting our enterprise. Every time there's something not working, it's our central log space. Every incident and everything that's not working is in Splunk. The factors that led to adding Splunk involve our relationship with the sales team and our technical contact. We have a very good relationship with them, which helps considerably.

The integration of these security solutions supports my security operations by providing us with better visibility into various types of endpoints. We have custom detections that we make on Splunk, and we also integrate Microsoft Defender alerts into Splunk. I have one place to investigate them all instead of going from product to product.

Splunk Enterprise Security can be improved mainly regarding the UI, which can be daunting at first for newer employees. It's hard to find everything, such as menu locations, dashboard access, and dashboard creation. It's still very complicated and takes a few weeks to understand. The UI could be more user-friendly.

The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection include skills. I've been using it for four years and I don't know everything yet. Finding information and writing complex SPL queries can be challenging. I tried to use external AI, ChatGPT, but they're not very good with it. I know now there's SPL with AI, and we're going to test that.

I have been using Splunk Enterprise Security for about four years.

I would assess the stability and reliability of Splunk Enterprise Security as generally good. We had a few performance issue bugs with very specific use cases, and they were handled quite fast. We reported them to our technical contact, and within a week, it was fixed.

Splunk Enterprise Security scales effectively with the growing needs of our organization. We expand continuously, always adding new detection, new logs, and new systems. In Splunk Cloud, it's very scalable. We never have an issue with that, and we have terabytes of data coming in.

I would evaluate customer service and technical support for Splunk Enterprise Security as very good. This is probably one of the reasons why we have a good relationship and we keep Splunk around.

Positive

Prior to adopting Splunk Enterprise Security, I always used Splunk. At the same time, we use Microsoft Defender Endpoint, however, we don't use their SIEM solution. I use MD alerting too.

I use disparate security solutions that integrate or import data into Splunk Enterprise Security.

I am not directly involved in pushing new detection in Splunk Enterprise Security. However, I do tune detections; if a detection is firing too much or I feel we could edit the detection, I find it quite easy to do. My organization does not use risk-based alerting in Splunk Enterprise Security yet; we're working on it.

The advice I would give to other organizations considering Splunk Enterprise Security is to contact them, contact the sales rep, the tech rep, and ask them for a PoC trial. They're very open with this and even with new features. Before we buy anything new, such as SOAR, Splunk offers us to do a PoC. They give us a license to try it for free for a few months and give feedback if interested or not. For any enterprise thinking about it, I would contact them and get them to do a free trial for a while.

On a scale of one to ten, I rate Splunk Enterprise Security a nine.

Public Cloud

Other

My main use cases for Splunk Enterprise Security are basically triage, ensuring cyber threat defence, and improving speed when defending the organization. Since I am the only one currently in the security team, we are growing this year and next, and we're expanding. Splunk Enterprise Security is improving the process to defend, basically.

The features of Splunk Enterprise Security benefit the organization. You can see threats much faster, helping detect something that the antivirus may miss. Splunk Enterprise Security can work with this, and when the antivirus has a hard position, by using proper detection rules that are well-configured, you can see what's going on in real-time, both endpoint-based and network-based.

The features of Splunk Enterprise Security that I find most valuable include Mission Control, which I really appreciate, the way accelerated data functions, making it really fast to see, the integration with SOAR, which is something really cool and integrates with automated processes, and the way to ingest threat intelligence feeds, which is an amazing feature as well.

Splunk Enterprise Security has helped improve my organization's business resilience, as we were able to detect an attack that was happening after hours and prevent it thanks to the detections. We stopped it immediately in a matter of about 30 minutes. Splunk Enterprise Security has improved my ability to predict, identify, and solve problems in real-time; it's not just proactive, but also really predictive. My organization uses Risk-Based Alerting in Splunk Enterprise Security, which speeds up our process to detect and our mean time to respond. It's very helpful, and after we improved the configurations, we have RBA working fine, something that will always be maintained; it may not be perfect, but we do our best to maintain it.

On average, my security ops team takes less than five minutes to remediate security incidents with Splunk Enterprise Security compared to our previous solution, which used to take hours because we needed to see different sites. We are using new threat detection features in Splunk Enterprise Security by ingesting a lot of threat intelligence feeds from our main vendor, which has significantly improved the indicator of compromise, the IOCs detections. We also use Sigma detections and adapt to Splunk.

The on-premise integration with SOAR could be more simple; the cloud version integrates with SOAR very easily, but the on-premise SOAR and on-premise Splunk Enterprise Security are really not that easy, so I would appreciate if that could be improved. 

Additional features that should be included in the next release of Splunk Enterprise Security are the ability to integrate with other software and tool frameworks, beyond Sysmon, to avoid ingesting Sysmon logs from the endpoint, which can be very noisy at times, resulting in more straightforward detection and less resource-intensive licensing.

I have been using Splunk Enterprise Security for four years.

I have experienced downtime, crashes, and performance issues with Splunk Enterprise Security due to a hardware issue, which we were able to quickly fix thanks to the backup recovery. However, it took about one day, and it highlights the need to move to clustering, which I've discussed with my leadership team.

I would assess the stability and reliability of Splunk Enterprise Security as needing clustering. It ensures it remains operational all the time, which means you can see cyber attacks. When it's down, you can't see anything. 

We currently rely on disaster recovery and backup recovery, which takes time to recover, during which you're basically blind, so I'm pushing my leadership team to switch over to a clustering environment for constant availability. Right now, the server we have meets the hardware requirements, and we have moved to new hardware. 

We're considering moving to cluster environments to scale in the future, probably in a couple of years.

I would evaluate customer service and technical support for Splunk Enterprise Security as excellent; when we open tickets for troubleshooting, 99% of the time, it relates to our Linux environment. I have no personal complaints about the support.

Positive

Prior to adopting Splunk Enterprise Security, Splunk was already in place when I came on board at Educational Federal Credit Union.

In the beginning, we were using disparate security solutions that integrate or import data into Splunk Enterprise Security. Now we are adapting to completely switch to the Splunk Enterprise Security side to have a single-pane-of-glass view of everything, minimizing the integrations with the vendors such as EDR, DLP, and the firewall.

I have seen a return on investment with Splunk Enterprise Security. My executive team has noticed improvements; we were able to save on other solutions, which increased budgeting for future projects thanks to Splunk Enterprise Security and the licensing optimization, allowing us to invest in other tools.

My experience with pricing, setup costs, and licensing with Splunk Enterprise Security has been challenging in the past due to the expensive licensing model, which was driven by Sysmon delivering a lot of unnecessary noise. We don't use Splunk just for security; we also use it for other departments. 

We have shared the license between security and development departments, making sure to minimize ingestion logs from the endpoints, including workstations and servers. We are currently leveraging EDR telemetry ingested to Splunk, which saved a lot of licensing money while allowing us to see what we're looking for.

My advice to other organizations considering Splunk Enterprise Security is that it's the leader in SIEM globally. You have a lot of customization and data normalization, meaning you can detect anything you want compared to other SIEMs. Splunk Enterprise Security is worth the investment because it provides exactly what you need if you are a true cyber defender. I also network with friends from a company, Next-Gen Systems, which is leading in detection and investing in developments and integrations with Splunk due to its scalability. 

On a scale of one to ten, I rate Splunk Enterprise Security a ten.

On-premises

My main use cases for Splunk Enterprise Security are security operation center and incident response.

The Mission Control feature of Splunk Enterprise Security benefits my organization by providing quick alerts, making it easy for the SOC team to navigate events and find threats quickly.

I use disparate security solutions that integrate or import data into Splunk Enterprise Security. This integration supports our security operations effectively because we work with different tools, and Splunk apps support many integrations, so we don't need to write custom ones; it's available by default.

It has supported our SOC by improving it; in looking through many alerts, we can look at only the critical alerts, and the number of alerts investigated by SOC has changed drastically. Currently, my security ops team remediates security incidents with Splunk Enterprise Security within 45 minutes compared to our previous solution.

I would be using Detection Studio, which is one of the new threat detection features in Splunk Enterprise Security that I'm interested in. Splunk Enterprise Security has definitely helped improve my organization's business resilience; it has helped us to pass our SOC 2 audit, and we have good monitoring about security alerts and threats happening.

I assess Splunk's ability to predict, identify, and solve problems in real time as very good.

I would definitely improve the risk-based alerts in Splunk Enterprise Security, helping SOC analysts to get to the drill-down searches.

The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection include writing detection rules for new threats, finding out about the SPL logic, and writing correlation rules. In ES8, we are experiencing some issues with crashes, and whenever we open the correlation rule, it gives a Java error requiring a refresh. We had not seen that error before, however, we are seeing it more frequently in ES 8.1.

I have been using Splunk Enterprise Security for five years.

Splunk Enterprise Security scales absolutely with the growing needs of my organization; it has caught up with our needs, and we use the tool without any pain.

On a scale of one to ten, I would rate Splunk Enterprise Security overall as eight.

We have definitely expanded our usage over the five years; our utilization of Splunk has totally changed.

I would evaluate customer service and technical support as good and satisfactory because it was not satisfactory a few years back, however, now I see some positive changes, which is good.

Positive

I used IBM QRadar.

I would describe my experience with deploying Splunk Enterprise Security as easy thanks to the cloud.

I have seen a return on investment; though it is an expensive tool, we did see return on investment. The integration is a specific example where we see value; the basic integration with different data is easy and more adaptable. As we use more different tools, Splunk Enterprise Security is able to integrate all those things without needing to create custom integration.

My experience with pricing, setup cost, and licensing for Splunk Enterprise Security is that it is expensive.

I made a change because IBM QRadar was on-premises, and we were transitioning; we had many challenges with the tool when dealing with big data, and it was not able to catch up, which is why we moved to Splunk Enterprise Security.

I would advise other organizations considering Splunk Enterprise Security to use it and also utilize the built-in ES Content Pack, where you have many rules ready, instead of trying to figure everything out. Use that content pack to start, and once you have the basic fundamental detection rules, then you can expand on it.

On a scale of one to ten, I rate Splunk Enterprise Security an eight.

Public Cloud

Amazon Web Services (AWS)

I'm an end user, admin, and consultant. We use Splunk Enterprise Security internally in our organization, and I also use it for my personal studies. My usual use cases for Splunk Enterprise Security include monitoring several kinds of exchange server logs and Office 365 logs, among others, as we have multiple monitoring use cases based on our requirements in our environment. We were trying to solve multiple things by implementing Splunk Enterprise Security, particularly for monitoring our applications based on the insurance business, so we use Splunk Enterprise Security logs for security purposes and internal infrastructure monitoring, including logs matching security purposes in our Office 365 and exchange servers.

The most valuable features of Splunk Enterprise Security are several add-ons and TAs, while the lack of a DB requirement is a significant advantage for the business, allowing easier management without needing in-depth DB knowledge. I find that Splunk Enterprise Security's ability to import data from various sources, including looking up Excel files, is quite effective, providing a good way for management.

We import data from several unique data sources into Splunk Enterprise Security, possibly more than a hundred because we have AWS and multiple servers. We have disparate security solutions that integrate data into Splunk Enterprise Security. I can still query data in Splunk Enterprise Security regardless of where it resides, and in my perspective, the query provides data quickly.

Splunk Enterprise Security has improved our organization's ability to ingest and normalize data compared to before using Splunk Enterprise Security. The unified platform helps consolidate networking, security, and IT observability tools, which is very relevant to our internal needs. Using Splunk Enterprise Security, our focus was not on reducing alert volume but on properly finding and handling alerts; we've managed to capture 100% of them effectively.

Splunk Enterprise Security provides the relevant context to help guide investigations by allowing us to share application logs and details with clients efficiently. We utilize out-of-the-box detections in Splunk Enterprise Security, and we have created dashboards that add value to our monitoring efforts. Customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security is easy; it has been a good experience without significant difficulties.

We upgraded to Splunk Enterprise Security from version 8.0.4 to 9.0.6, and also from 8.1.4 to 9.0.6; it worked well with the support we received from the team, and it has proven to be very useful. Splunk Enterprise Security provides the foundation for unified threat detection, investigation, and response, enabling fast identification of critical issues.

The solution could be improved by integrating more application monitoring features and possibly incorporating AI capabilities to enhance its functionality.

I've been working with Splunk Enterprise Security for six years.

Splunk Enterprise Security is stable and scalable, making it a good tool that is beneficial for our needs.

Splunk Enterprise Security is stable and scalable, making it a good tool that is beneficial for our needs.

I participated in the deployment process of Splunk Enterprise Security, and we performed UAT before moving it to production. It's not the most affordable solution, as I've witnessed several companies considering leaving due to cost factors. The pricing of Splunk Enterprise Security is not very affordable, and I have seen many companies planning to leave because of cost concerns.

Amazon Web Services (AWS)

Splunk Enterprise Security is used for many different things. Primarily, it is used to create alerts for different use cases that need to be monitored, and then investigations can be created. At a high level, that is where many investigations start from.

Business resilience is valuable, though I am not completely certain about Splunk Enterprise Security in that regard. Visibility would be considered a valuable feature. The more I think about it, business resilience is probably valuable as well.

The pricing of Splunk Enterprise Security is probably one of the main pain point areas. It is probably the only area that has us looking elsewhere for other options, just to see what is available even just because of the price. While it is a good product, the huge price increases that have been experienced over the last couple of years do not appear to be justified by new features or items in general. Pricing is the area that has everyone looking elsewhere to see what other options exist. The prices definitely make your eyes water when you see them.

Splunk Enterprise Security could improve its pricing. This seems to have been a theme across the board at the Splunk conference this year. The general consensus is that pricing continues to increase significantly every year, not just by a couple of dollars.

Splunk Enterprise Security has been used in my career overall for about six years.

The only instability that has been experienced with Splunk Enterprise Security is from inefficient searches and things configured incorrectly. Stability is ranked pretty high for the product.

Scalability for Splunk Enterprise Security is ranked pretty high.

I have tried contacting Splunk Enterprise Security support, and I am currently dealing with some technical support items. Technical support is relied upon pretty regularly. Generally speaking, their support is pretty good and their response time is pretty good. The caveat to that is that recently, there are some pretty interesting issues that seem to take a long time and a lot of back and forth just to get to the right people for some advanced challenging issues. When you open up a support case, you are assigned somebody at tier one support. There is no way to bypass that or indicate that this is a more advanced issue. Everything goes through the same process, and there is no way to really get advanced technical support from the beginning. You have to start at level one, and they set up a meeting and a call to explain the issue and show what is being experienced. There is a lot of back and forth, and then maybe if you are fortunate, you get assigned a more senior person after a week or two. For some cases, it takes maybe three or four weeks before you are actually in touch with people who can actually help with the issue. There is a lot of back and forth, a lot of emails, and a lot of troubleshooting and screenshots and communication for three to four weeks later before you can finally get a hold of somebody who is actually able to point you in the right direction.

Splunk Enterprise Security would be given a score of eight or nine overall for support. It is just the amount of time that it takes to get support for some advanced issues. You have to start at the bottom and keep communicating and working your way up that chain. Overall, it is a solid eight or nine, but sometimes it takes a decent amount of effort and time to get there.

Positive

Nothing has been used before Splunk Enterprise Security.

When first starting to use Splunk Enterprise Security, the initial deployment was already stood up, so much of it was personal learning. I cannot really speak on behalf of other people who have stood Splunk Enterprise Security up.

Splunk Enterprise Security is a pretty complex tool, and it is always changing. There are always new things, even with 8.0 to 8.2. There are always things that are being renamed and moved around and called different things and the UI is changing. That has definitely added to the learning curve. It is a pretty complex tool, so there is a pretty steep learning curve personally just because there are so many things that it does and controls and a lot of things to consider.

Splunk Enterprise Security has not helped to reduce the team's mean time to detect, the MTDD metric. A service provider, managed service provider, is utilized for items like that.

Splunk Enterprise Security is not being used with the observability platform at this point.

Splunk Enterprise Security has not been upgraded to 8.0. The upgrade to 8.2 is in the works, probably in the next two months or less.

Risk-based Alerting, as Splunk Enterprise Security calls it, is being used. There are some pros and cons associated with it. The organization is not mature enough for Risk-based Alerting to speak on any pros or cons too much because of how Risk-based Alerting works. Many of the underlying fundamental pieces have not been built or are not mature enough to really calculate the risk scores correctly. While Risk-based Alerting is enabled and turned on and some risk-based alerts have been created, generally speaking, the organization is not mature enough in some of the other areas to really use a lot of the granular details of what Risk-based Alerting is for. However, it is on the path for progression. The overall review rating for Splunk Enterprise Security is nine.

On-premises

Other

My main use cases for Splunk Enterprise Security are threat detection use cases.

The biggest advantage I can see in Splunk Enterprise Security is the big data analytics. The simple search query with faster responding results is also appealing. My team handles large volumes of cybersecurity data. To be able to search against such a big amount of data with efficiency is the key driver for my team to do threat detection and data analytics.

Splunk Enterprise Security can be improved in many ways. I am very happy to experience the AI-powered security platform they are going to show us in the new version. Better identification of true positives and false positives should be included in future releases.

There is another new term called benign positives. It is better to clearly identify each definition of those terms since it has not been popular in the industry, and everyone needs to be aware of those things.

The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection are the false positive alerts. As mentioned in the keynote, there is a lot of noise. Reducing the noise to make sure the SOC is operating more efficiently is one of the challenges my team is having. The process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security is not the easiest, however, it is not the most difficult one, so I would say it is medium.

I have been using Splunk Enterprise Security for seven years.

I have experienced downtime, crashes, and performance issues, with the most recent one being a data ingestion issue from another security platform. This key data source is not being ingested, causing some downtime.

Splunk Enterprise Security does not scale efficiently with the growing needs of my organization. Since it is on-premises, we have some scalability issues, and there are other new players coming up.

We have expanded the usage of Splunk Enterprise Security several times.

I would evaluate customer service and technical support as adequate since my team does not deal with it directly. Another team dealt with them, and I found it to be acceptable as they have 24/7 support all over the world. 

They hand over to the next team in another country, but sometimes it takes time to do the transfer, and we have to explain all the problem issues again, which can be frustrating. For that, I would rate it a five.

Positive

Prior to adopting Splunk Enterprise Security, I was not using another solution to address similar needs.

My experience with deploying Splunk Enterprise Security is actually another team's job, however, they are doing adequately.

My organization is moving towards risk-based alerting in Splunk Enterprise Security. My team actually built our own risk-based alerting before they released it; however, we are looking forward to integrating both.

Splunk Enterprise Security is doing its job in helping improve my organization's business resilience. There are other competitors in the same field, so I find it neither particularly good nor bad.

I don't directly deal with pricing.

I would advise other organizations considering Splunk Enterprise Security that the new version looks impressive. If organizations want the new, complete package, I would recommend ES Premier, as it combines ES with TIM, UEBA, and SOAR. 

On a scale of one to ten, I would rate Splunk Enterprise Security a seven. I believe ES is doing its job, but it is slightly behind its competitors. 

Other competitor platforms already have AI integrated, and they just announced it today, so it feels somewhat behind. However, I am looking forward to this new feature.

On-premises