Splunk Enterprise Security Reviews

We provide services to our clients as a security operations center and we utilize Splunk Enterprise Security for enterprise security purposes, encompassing various use cases based on client requirements. These include network attacks, malware-related attacks, inbound traffic-related attacks, recurrent activities, web-related detections, internal detections related to root flows, and service account-related use cases.

We are working to secure the enterprise's networks, devices, and infrastructure, as well as enhance overall security. Our goal is to monitor and protect against all types of external cyber-attacks. We will diligently monitor the systems and address any issues at the earliest stage possible.

Splunk Enterprise Security can be deployed both on-premises and in the cloud. We have primarily deployed the solution on Splunk Cloud.

We utilize Splunk Enterprise Security for monitoring multiple cloud environments. By employing an API, we can deploy various forwarders within Splunk. These forwarders gather logs from diverse cloud sources and other types of sources. Consequently, we have the ability to install an API from the Splunk store, enabling us to seamlessly connect with cloud sources such as CloudWatch, AWS, and other similar platforms. Splunk Enterprise Security offers comprehensive visibility across numerous environments.

Splunk Enterprise Security offers excellent threat detection capabilities to help our organization identify unknown threats. Additionally, we utilize threat feeds that index various anomalies. We have integrated threat intelligence platforms, which provide indicators such as advisories and engagement in case of compromises and attacks. This integration assists us in preventing attacks within our environment. Initially, we can obtain this information through the threat feeds. Consequently, we can restrict and block operating systems either within Splunk itself or through other security tools.

We also utilize threat intelligence. We have access to threat feeds from various sources, such as VPN. The threat intelligence management feature allows us to collect detailed information in the event of a data breach affecting an organization on other websites or within the dark web itself. We receive such information, along with details of any attacks or incidents occurring in different environments worldwide. We can obtain these threat feeds instantly through the cyber news channel mentioned.

The threat topology and MITRE ATT&CK features are integrated, allowing us to obtain the tactics, techniques, and processes necessary to solve any remediation process. By deploying the TTP MITRE ATT&CK framework in any use case, we can acquire a detailed explanation and determine the appropriate course of action to follow. Checking the MITRE enables us to easily resolve and remediate any issues. This helps us address any errors or crashes effectively, by following the simple steps outlined by MITRE. It allows us to easily identify and rectify issues, without the need to involve a senior person if they are unfamiliar with the specific use case. Additionally, it enables us to quickly verify and provide remediation, specifically tailored to the respective team that needs to take action.

Splunk Enterprise Security's ability to analyze malicious activities and detect breaches is advantageous to me. When compared to other tools I have used previously, it involves a straightforward SQL query, allowing me to quickly modify the reports in less than five minutes.

Splunk Enterprise Security has helped us detect threats faster. We can integrate multiple security tools, and we can retrieve logs at any time using simple queries, utilizing various indexes and forwarders. These components handle log parsing and aggregation, enabling us to easily identify all the security rules detected using Splunk. For instance, if we provide a hostname or IP source, we can obtain a list of the security details detected in that specific instance.

Splunk Enterprise Security has helped our organization reduce the threats and breaches from security attacks across various threat factors.

Our clients quickly realize the benefits of Splunk Enterprise Security, which is why they have continued to use it for so many years.

Splunk Enterprise Security has helped us reduce our alert volume. The total reduction in volume depends on the new use cases or devices that are onboarded. Initially, there may be a high alert volume, but we will analyze and work based on those alerts. Through this process, we cannot definitively state the exact percentage reduction, but it does significantly reduce the number of false positives in the environment, thanks to fine-tuning the use cases.

Splunk Enterprise Security has helped accelerate our security investigations. Splunk also offers the Phantom SOAR, although I am not currently utilizing it. However, I am familiar with the Splunk platform, which can automate the process and promptly detect and block various types of actions. We can also easily analyze the Splunk programming language.

Splunk can save our analysts ten minutes of additional time compared to our previous solution when resolving alerts, provided that we have the necessary query knowledge. 

Recently, Splunk upgraded to version 9.0.02, which includes excellent data dashboards and visualization effects. This upgrade makes it easier for me to implement all the dashboards. I have created a dashboard that showcases all the VPN monthly data in one place, which is a beneficial feature of the new visualization effects.

There are deployment servers and other servers, and sometimes Splunk may encounter issues if there are non-reporting devices. We will receive alerts only for the administrators and deployment servers, but not for all servers.

When upgrading Splunk, we encounter certain issues. For instance, it does not accept older versions of the other tools we use. This is the main problem. For example, if we are using a ticketing tool or any other XDR or EDR solutions, we need to upgrade them when we upgrade Splunk. During this process, we will encounter some difficulties, resulting in delays. Ideally, the upgrade process should first accept the current versions and then prompt for an upgrade, allowing us sufficient time to upgrade the other solutions. This helps ensure business continuity, although it may introduce some delays in upgrading all these processes.

I have been using Splunk Enterprise Security for five years.

Splunk Enterprise Security is stable.

We are satisfied with the scalability of Splunk Enterprise Security. It can increase its capacity and functionality based on our demands.

Splunk technical support is good.

Positive

I used ArcSight for Level 1 monitoring in my previous company, and my current company was using Splunk Enterprise Security when I joined.

We have witnessed a 60 percent return on investment due to the security that the solution offers to our organization.

Unlike other security tools, Splunk provides a fixed amount of gigabytes per day, and we are required to pay for any additional usage beyond that limit, in addition to our monthly cost. I believe this pricing structure is reasonable for medium and large organizations.

I rate Splunk Enterprise Security nine out of ten.

An organization that wants a CM solution but prefers to go with the cheapest option may work for a small organization, but not for medium and large ones. Splunk Enterprise Security is worth the cost for larger organizations.

Splunk Enterprise Security is deployed in a single location where it collects logs from various assets, infrastructure, and security tools. It serves as a monitoring tool, allowing us to view all the logs in a unified platform, including security tools, network scanners, portability management tools, and other infrastructure components such as Windows servers, Mission servers, and devices. Integration of these components occurs through different platforms like SCM or other platforms, enabling us to monitor everything in a single user interface using Splunk.

Maintenance is necessary for updates and patches. Additionally, we must be prompt with deployments as we need to monitor the health checks of the devices reporting to Splunk. It's crucial to remain active in this process to avoid any potential impact, so we should be mindful of that. Two admins are usually enough for maintenance, and if we encounter any issues, we can contact Splunk client support.

Resilience is important to capture all threat activities and threat speeds, such as IOCs, but we primarily focus on the ESF application. We integrate various threat intelligence platforms, including Splunk, which provides threats from different sources.

I recommend Splunk Enterprise Security as long as it fits within the budget.

Splunk Enterprise Security's single pane of glass enables us to easily monitor everything from one centralized location. Additionally, with its simple query language, we can retrieve all the logs in one place and generate reports quickly. This is exactly what security personnel require: fast reports and comprehensive log monitoring. It allows us to efficiently check all the security tools simultaneously. 

There are a lot of use cases for Splunk Enterprise Security. The main one is when you are trying to detect an authentication attack. There are lots of people trying to get access to a system, so they are constantly trying to authenticate. Splunk Enterprise Security can quickly detect that through its correlation engine. If there is a specific attack of the anomalous amount of users trying to log into a system, it generates an alert. Our SOC is then able to analyze that alert and determine whether it is a false positive or a true event. If it is a true event, they can work towards containing that attack. If anything is a success, they can quickly provide that information to our incident response team.

The benefits that we have seen from using Splunk Enterprise Security have been faster response time and faster enrichment of information so that the analyst can act and respond in a more timely and efficient manner, which then provides more information to leadership, such as myself. We are then able to respond. We know how to present risks and how efficiently our SOC is doing to our senior leaders. There is a 30% to 40% improvement because, with the system we had before, the capability of figuring out what was going on to analyze the event was cumbersome. Splunk Enterprise Security has driven and given analysts the ability to analyze a lot more efficiently.

Splunk Enterprise Security provides end-to-end visibility into our environment. It is very critical for us.

Splunk Enterprise Security helps us find any security event across multi-cloud, on-premises, or hybrid environments. It helps in all of this. We have multi-cloud environments. We have all four main cloud environments. We also have our on-prem environments. We have also set up a hybrid environment. It has improved our ability to detect and find needles in the haystack that we were not able to see before. There are lots of things they have been able to detect. People were installing things and misusing AUP violations that we were not able to see before.

Splunk Enterprise Security helped reduce our alert volume with the implementation of risk-based learning. When you are doing risk-based learning, you can definitely reduce the volume, but initially, when you move from one SIEM to Splunk Enterprise Security, you do not really reduce volume. You are generating more. Because you are getting better visibility, you are generating more information for the analysts to look at, and then over time, as Splunk Enterprise Security and the team learn the environment, you are able to tune down and then use the risk-based alerting to help reduce a lot of false positives.

Splunk Enterprise Security provides us with the relevant context to help guide our investigation. There are limitations, which is where Splunk SOAR helps with the enrichment of the information, but it definitely provides good context. In the notable alerts, it provides a lot of key information that you need, and then there is the ability to drill in to see what the actual events were, so it really helps.

Splunk Enterprise Security is efficient at predicting, identifying, and solving problems in real time. With the correlation rules, the ability to have adaptive responses, and the ability to tie in even machine learning into that, we are able to do real-time analysis and quickly gather and detect.

Splunk's unified platform helps consolidate networking and security tools, but sadly, our organization does not use IT observability tools. We are purely from a security perspective.

It has so many features. The incident review pane is the best part of it because that is where the SOC lives. It is the heartbeat of what the SOC needs to do. You are able to start the investigative process. As you are sitting in the incident review pane, you see the alert, and from that one alert, which is called a notable alert, you can drill in and see all the different specific details that are tied to that. You then have adaptive response action that can be taken automatically on that, or you can even drill in to look at what events drove that alert to be created. You can then start doing more hunting and querying that way. There is so much information contained in the notable alert itself in that panel. It helps to drive the direction of where the engineer should go.

I am looking forward to seeing what is coming out in the new release that was announced, but case management is an important thing. Being able to have a one-stop shop where you have the alert, but then you can generate the case right there from Splunk Enterprise Security instead of having to pivot to another tool such as Mission Control. You do not have to keep bouncing between them, so if you could do it all in one place, that would be great. The new release is supposed to start getting in that direction.

I have one environment that has been using Splunk Enterprise Security for two years in the Splunk Cloud. I am currently in the process of migrating my on-premise corporate environment to Splunk.

At this point, Splunk Enterprise Security is very stable.

It is very scalable. Particularly, when you do search and clustering, you are able to scale rapidly to be able to meet the demands of what is needed for your SOC. The data model setup helps to quickly drive and get rules created without having to need a new data source or a new rule. You just send that new data source to one of the data models, and you already have the rules there, and it automatically starts generating alerts based on those existing rules.

I would rate their support a seven out of ten. Sometimes, you get some solid people, but other times, it takes a bit of effort to get across what the actual issue or situation is. This is a challenge for any help desk organization particularly when you have lots of customers calling in and all of them with unique situations.

Neutral

We were using another tool previously. There were many reasons for switching. One big reason was the ease of integration of data into the tool. With the previous tool, to integrate a normal log source, such as an identity access tool, into the SIEM, we had to pay for PS engagement in order to even get the information in. Splunk has native integration with all these different apps. It is natively tied to all the different IDAM and ID tools out there. It is very easy for the team to implement it themselves. They do not have to go and get extra help to do it. They can install the app, get the keys and authentication set up between the two new tools, and then it just works.

Our deployment experience was just fine. I deployed Splunk at other companies before, so it was not new to me to do it with this company. The pricing and everything else went smoothly. The Splunk team was super helpful. They were very engaging. They helped to build it. We were able to get access to Splunk engineers who worked for Splunk, and they helped define the sizing. They went through and evaluated what our current solution was and helped us build out what we needed in order to meet and exceed that capability. Splunk has been super helpful.

For one environment, I am using the public cloud, and then for my other environment, I am using an on-premise setup. We have the AWS cloud.

We did use professional services to help with this. At my previous company, I would not have used professional services because I had a team of Splunk architects who knew what they were doing and knew how to do it. In this company, we were moving from a different technology to Splunk. My teams were not as familiar with Splunk, so I needed the extra help. We had the help of Splunk professional services and third-party professional services. We used Verizon.

The environment that we had set up has been running for two years. I had planned that initially for a certain amount of growth, but within the first year, we had already doubled the size of the data. It was able to handle the information so much more efficiently that a lot of the groups that were not integrated into the SIEM before started saying that they needed their data monitored as well, so we started growing quite quickly. It has helped us exponentially.

I evaluated several SIEM solutions before choosing Splunk. With Splunk, we had the ease of integration of data because getting the data in as quickly as possible and making use of it is important. Another area is that in certain tools, you have to generate one rule per data source, whereas Splunk has the data modeling capability where you have all the data sources going into the data model, and then you create one rule per data model instead of per data source. It helps reduce the workload for the system, so there was that aspect of more performance than any other solution.

I would rate Splunk Enterprise Security a nine out of ten. It is a market leader from an SIEM perspective. It has bells and whistles, but it does not let you get lost in those bells and whistles. It helps drive the analyst into what is the most important thing that they need to focus on, and that is protecting the company. They are able to be more efficient. They are able to help do what the mission of the company is, and that has enabled the company to not worry about the security part. Without a risk, they are able to do their business and help their customers.

My role is to design and implement and manage a strong environment. I need to ensure the available insights can be extracted efficiently and I use the solution for that. I also configure the Splunk custom dashboard and optimize searches to meet specific business needs. We also do a lot of troubleshooting and upgrading.

The security part is useful as it helps secure the entire environment. I designed the security aspect of it for a lot of applications in my company. It's the security thread within the application that we build. I'm able to use Splunk to secure the applications. 

We use the solution to monitor multiple cloud environments. We can monitor even on Amazon products. It's a good source for monitoring all types of applications. 

I can manage and correlate different kinds of searches within my environment. It's good for performance monitoring as well. I can do auditing and reporting through Enterprise Security.

The solution gives us visibility into multiple types of environments. There's a good level of cost optimization as well. It's good for end detection and prevention. I can identify anomalies and get a data view of fraudulent activities. You can uncover the source type and the IP address from where things originate.

Splunk gives us the capability to handle insider threat detection. I'm able to create my own dashboard that will visualize the information. It does depend on how you handle the configuration and permissions. 

We do use the MITRE ATT&CK framework. It helps us discover the scope of the incidents. It helps us to target incidents immediately. We're able to quickly resolve it and stop it. We get data visibility to see what's coming in, which helps us act fast. 

We can work with data from any source as long as you configure it correctly.

The solution has helped us to reduce our alert volume. You can tune your alert thresholds. You can also create rules to define your alerts. It gives you the capacity to optimize queries as well. 

They didn't use to be able to integrate with Cisco. However, this has changed now. 

Some minor features could be added. However, I need to do more research. 

The user experience could be improved. It could be more intuitive.

There should be a way to do bulk visualization reporting. 

I've been using Splunk for 7 years. 

We haven't had any downtime. The only issues come up is if there is an extension of limits. If you extend beyond your license, you may get downtime. 

The solution is scalable. It's easy to manage. 

We have contacted technical support for troubleshooting. No solution or machine is perfect. We had an issue where a new hire misconfigured some servers and they were able to offer us support. They are helpful, however, they do need to be faster in response. They do provide a to of documentation that can be helpful. 

Neutral

I'm also familiar with CloudWorks. However, Enterprise Security has more features and can provide more insights. 

I'm familiar with Dynatrace.

Splunk was already in place when I arrived. I simply tried to implement different strategies in multiple environments. 

Splunk is pay-as-you-go. The pricing depends on your use case. You only really pay for the amount of data you are dealing with. 

I'm a Splunk customer. 

People shouldn't necessarily look for the cheapest pricing. You need to look at what will optimize costs and the time it takes to secure the data. The most important thing, before cost, is being able to successfully secure your data. You should choose your solution based on your use case as well. 

I'd rate the solution 8 out of 10. 

We typically suggest Splunk IT builds for customers with significant EPS requirements and large-scale data environments. While other solutions like Foundry and IBM QRadar may be popular, they often have limitations in handling big data effectively.

It offers visibility across various environments, encompassing diverse infrastructures such as multiple firewalls. Some environments are entirely cloud-based, while others follow a hybrid model with services both on-premises and in the cloud. The infrastructure setup varies depending on the organization's specific model and needs.

We are highly satisfied with the level of visibility provided by Splunk.

It offers advanced threat detection capabilities to assist organizations in uncovering unknown threats and anomalous user behaviors. Splunk is utilized for integrating various devices including firewalls and other security controls, enabling coordination of logs and the creation of use cases. Analysts investigate alerts generated by these use cases, identifying and mitigating potential threats. Additionally, Splunk provides built-in and customizable use cases to enhance security measures.

We utilize the threat intelligence management feature in Splunk, which includes the provision of IOCs. Additionally, we have third-party intelligence services integrated into Splunk, which alert us whenever any related feature is triggered.

The effectiveness of the actionable intelligence offered by the threat intelligence management feature hinges on the third-party engines integrated or enabled within it. While false positives are common and require investigation, there are instances where identified IOCs are indeed malicious. In such cases, actions like reporting or following a predefined playbook can be taken.

We leverage the Splunk Mission Control feature, and I have hands-on experience with it. Typically, I manage it through Splunk, where I create rules, reports, and dashboards. Enabling third-party intelligence and other features involves a thorough review process, particularly when onboarding new clients. Once set up, we regularly review our baseline configuration and make adjustments as needed to ensure optimal performance. The Splunk Mission Control feature aids our organization in centralizing our threat intelligence and ticketing system data management. We integrate third-party intelligence services along with our company's proprietary advisories, particularly in the retail sector. This integration enables us to maintain a comprehensive reference set within Splunk.

We utilize the Threat Topology and Mitre ATT&CK Framework features to enhance our understanding of threats. These features offer micro-mapping visibility, allowing us to align identified needs with specific techniques.

The purpose of the Mitre ATT&CK Framework is to aid in discovering and understanding the full scope of an incident. Using the micro-hypotheses, we assess whether our subcontractors are adequately covered. We evaluate our rules to determine whether we have sufficient use cases for tactics and techniques, such as initial access. This process helps us identify any gaps in coverage within the Mitre ATT&CK Framework and address them accordingly.

Splunk is a valuable service for analyzing malicious activities and detecting breaches. However, I recommend ensuring comprehensive coverage of threats by integrating all relevant devices and maximizing visibility into logs. For instance, leveraging firewall logs enables the detection of anomalies at the network level, while logs from EDR solutions can identify malicious activities on endpoints.

Splunk has significantly improved our threat detection speed. Comparatively, when working with other teams, I've found Splunk to be more efficient due to its big data capabilities, allowing for faster analysis compared to IBM QRadar and similar tools.

The primary benefits our customers experience from utilizing Splunk in their organization are significant. While Splunk may be more costly compared to other machine solutions, its effectiveness shines in handling large volumes of data, making it ideal for organizations with extensive data needs. Unlike solutions like IBM QRadar, which may struggle with processing large amounts of data efficiently, Splunk's big data capabilities enable it to excel in such scenarios.

Splunk Enterprise has effectively decreased our alert volume across various use cases. Whenever we develop a new use case, we carefully analyze it, occasionally encountering false positives. In such instances, we collaborate with IT to whitelist these cases. Over time, as we accumulate a robust whitelist, the ratio of false positives diminishes, resulting in a higher rate of true positive alerts.

It has significantly accelerated our security investigations, proving to be immensely helpful. We can efficiently track and analyze user activities with most devices integrated into the Splunk environment. The visibility provided by Splunk allows us to coordinate activities seamlessly and thoroughly investigate any detected incidents. Whether it's identifying the origin of an activity or uncovering correlations between events, Splunk enables us to piece together the entire user activity chain swiftly and effectively.

Compared to other SIEM products, I've found that Splunk offers quicker alert resolution times. Its ability to efficiently handle large data volumes contributes to this advantage. Analysts typically have predefined playbooks and investigation checklists for when alerts are triggered, which Splunk supports well. Additionally, we've customized dashboards and reports to further streamline our detection process, ultimately reducing our response time.

For those seeking cost-effective solutions, Elastic Stack stands out as a popular choice due to its single-source administration and competitive pricing. Many industries, recognizing its affordability and robust services, are swiftly adopting Elastic and other similar solutions like Wazuh.

The value of resilience in a SIEM solution varies depending on the organization's preferences and requirements. Some organizations prioritize high availability and disaster recovery capabilities, which contribute to resilience.

As an analyst, I've observed that Splunk offers a variety of rule sets, along with built-in and customizable use cases. We have the flexibility to create dashboards and expand reports for management visibility. One key advantage of Splunk over competitors like IBM QRadar is its superior device integration capabilities. With Splunk, we can seamlessly integrate and coordinate data from various sources, enhancing our analytical capabilities.

I believe there is room for improvement in reducing costs, particularly in the financial aspect, as Splunk tends to be pricier compared to other options. Additionally, enhancing support services with more technical personnel is essential. Delays in responses from the technical team can pose challenges for both vendors and clients, especially considering that Splunk applications and machine solutions are critical assets. Splunk's pricing may pose a barrier for some users, but if it becomes more competitive, it could attract those currently using IBM QRadar or similar solutions. Additionally, considering the trend towards migration to Microsoft Sentinel, which offers a comprehensive suite including identity management and EDR coverage with Microsoft Defender, Splunk could benefit from offering similar modules. In Microsoft Sentinel, they offer a separate identity management module, which I find particularly valuable. Any anomalies detected within identity management trigger alerts, providing enhanced security.

I have been working with it for two years.

It provides good stability capabilities.

The scalability of Splunk, particularly when implemented as an enterprise solution, is notable. While we work with a limited number of clients, typically five to six, they are spread across various locations, including the US and Pakistan. From a maintenance perspective, our operations are based in Pakistan. Our clientele predominantly consists of customers from Gulf countries, and we also extend our services to clients in the US.

There have been instances where the response time from Splunk's support team has been slower in comparison to others. I find IBM QRadar and similar solutions to have more efficient support teams. I would rate it five out of ten.

Neutral

Our deployment team handles both deployment and support services, including maintenance responsibilities.

It offers a return on investment for our company.

Overall, I would rate it eight out of ten.

I'm part of the Splunk operations team, which means I support Splunk functionality and occasionally conduct threat management onboarding. We assist various teams with threat-related tasks. If they need help bringing log sources into Splunk, we guide them through the process. Once the logs are onboarded, we create correlations to identify threats, troubleshoot issues, and help mitigate potential risks.

We handle incidents through a queue configured in our event management system. This includes automated incidents for our Splunk infrastructure, like server health checks, and user-reported issues where functionalities like the fetch score aren't working. We address all incidents, whether automated or user-raised, through this system.

We've made significant improvements to our Splunk infrastructure to support our internal teams. This ongoing effort focuses on helping application teams onboard logs from various applications for their review and troubleshooting. We've streamlined the onboarding process, improved data quality, and ensured smooth data consumption for our internal users.

Splunk Enterprise Security offers multi-cloud environment monitoring capabilities that we can utilize for our users if they require it.

We can build a dashboard in Splunk to centralize the monitoring of critical information. This dashboard can display key metrics for onboarding methods and LogSources we actively track, providing a clear view of our entire monitoring environment.

While Splunk Enterprise Security offers good threat detection capabilities, our current process limits visibility into user activity. When users request correlations, we create the code and configure everything on our end, and then they test and work on it from theirs. This lack of transparency extends to threat management, as we can't directly see tickets in their separate ServiceNow system. If they encounter issues, they share details in a document for us to review and address.

It comes with a large collection of correlation searches, but we'll need to review them to find the ones that match our specific needs for monitoring malicious activity. Once we've identified the relevant searches, we can customize or recreate them within the correlation settings to best suit our environment.

Splunk Enterprise Security helps us detect threats faster.

Splunk Enterprise Security is a good monitoring tool that allows us to track specific details by creating custom queries. For instance, to monitor a particular organization's infrastructure, we would first onboard their logs and then create queries to capture relevant information. This way, any suspicious activity, attacks, or other events would be easily identified within the infrastructure. Additionally, Splunk's checkup operation minimizes the chance of missed alerts by automatically identifying detections, ensuring near-complete coverage of around 99 percent unless there are outages or limitations with global agents.

Splunk Enterprise Security helps us speed up our security investigations.

The customizable dashboard for our security operations is a good feature.

The most valuable features in Splunk Enterprise Security are the cluster capabilities.

The licensing price is high and has room for improvement.

I have been using Splunk Enterprise Security for four years.

Splunk Enterprise Security is stable.

Splunk Enterprise Security can scale according to our needs.

The technical support has been successful in resolving the majority of our cases.

Positive

While the deployment process itself is simple, the number of personnel needed varies depending on the infrastructure size and user base. A small deployment for 50 users can be completed by two people, while larger deployments supporting over 500 users may require up to 15 people.

The Splunk Enterprise Security license is expensive.

I would rate Splunk Enterprise Security eight out of ten. Splunk improves user efficiency by streamlining workflows and enabling the detection of anomalies within data.

Splunk Enterprise Security is deployed across multiple locations in our organization.

To ensure our data remains secure, Splunk servers require monthly maintenance. This maintenance includes installing security patches that address vulnerabilities and prevent unauthorized access to our information.

I use the solution in my company to deal with certain migrations from a legacy SIEM solution to a new product like Splunk Enterprise Security or from on-prem to cloud migrations. Another use case involves implementing a new SIEM solution like Splunk Enterprise Security from scratch.

The most valuable features are its ability to transact in the cloud and its ability to onboard data easily with minimal connectors. Some of the new players in the market need to build new connectors to bring data into the SIEM solution. With Splunk Enterprise Security, you get built-in connectors, as it is a major platform.

The product's price may be an area of concern where improvements are required.

The metrics that I or my company's clients see in terms of the improvements from the use of Splunk stem from the fact that some of the metrics that the tool provides for senior leadership, specifically in the area of visibility when it comes to organizational split, considering that there are multiple lines of business. It would be a good feature in the tool if it could provide dashboarding for different lines of business in the product's next release.

One of the key areas where Splunk Enterprise Security can do better is if it integrates with AI solutions.

I have been using Splunk Enterprise Security for five years.

Our company's clients who use the solution like the fact that they can rely on Splunk Enterprise Security as a product, especially since it is not a new entrant in the market. Though the tool has moved from on-prem to the cloud, I feel that the fundamentals of Splunk Enterprise Security are strong. The support structure available for Splunk is good.

Scalability is of paramount importance to a lot of clients. Some of the clients value the scalability feature of the product, and they are also willing to pay more to use such features. There are some pharmaceutical clients my company deals with who like the scalability feature but do not like the increase in the price attached to the scalability part.

To be very fair, I have not been directly exposed to Splunk's support team since I deal with our company's clients. I have not heard any major complaint from our company's client regarding Splunk's support team, so I assume that it is pretty good.

Deployment of the product is easier than migration. It is always better to write on a clean board than write on a board where someone has already written something. If you migrate from one solution to another, you also have to migrate some of the use cases, and you need to fine-tune them. If you are deploying a product from scratch, it is easier. My company also recently dealt with one of the clients, and we had to onboard 28 log sources in ten weeks with no issues. We also had to deal with heavy forwarders, syslog, universal forwarders, and everything under the sun, which was a big mix, making it a difficult environment. There were no issues during the onboarding process. In general, I am happy with the product.

ROI depends on a lot of calculations, so my company does not consider it. Most of the complaints from our clients are related to the cost of the product. Our company's clients are happy with the features and reliability of the product. Cost is one of the major factors that companies are migrating from Splunk Enterprise Security to some other solution. I don't know if it is relevant or not, but I feel that the acquisition of Splunk by Cisco has spooked a few of the clients since they are unsure if they will receive any support if they don't have a Cisco-based infrastructure and instead have some other company like HP supporting their infrastructure.

Splunk is really expensive compared to all the other tools on the market, including Microsoft Sentinel. Some of the clients prefer to go for a data lake kind of solution because of Splunk Enterprise Security's prices. Some of the clients have also mentioned that the pricing of Splunk Enterprise Security is not visible for them and it is based on storage because of which they are not able to control various aspects associated with the pricing part.

In cases where I see the replacement of existing SIEM solutions from my company's customers' end, I have dealt with scenarios where Microsoft Sentinel replaces Splunk Enterprise Security. I have also dealt with implementations associated with Splunk Enterprise Security from scratch. I have managed migrations of Splunk Enterprise Security from on-prem to the cloud.

The primary reason customers are moving to a cloud-based solution is that products like QRadar and LogRhythm did not initially offer cloud versions. The other reasons why customers are moving to cloud-based solutions are the difficulty of configuring their use cases and the problem of finding the right resources to support them. With Splunk and Microsoft Sentinel, resources will be much more available to users in the market, but for LogRhythm, the market is going down. Training opportunities, the building of accelerators, available information in the outside world, and a lot of reasons have prompted customers to move to cloud-based products.

I would say that it is easy to configure the use cases, and also to correlate use cases, which in turn helps reduce alert volume. More importantly the product can provide good visibility in the area of dashboarding, metrics and security events.

Splunk Enterprise Security helps me find any security event across multi-cloud, on-premises, or hybrid environments.

Visibility across multiple environments or varied environments is absolutely important to our company's clients, and it is one of the key areas because most clients do not want to go and see multiple tools like CrowdStrike for endpoint protection. Our company's clients want to be able to see one dashboard with all the feeds coming in, along with all the alerts correlated to it.

The product provides relevant context to guide our company in the investigation. When you have more context, L1 or L2 support finds it easier to investigate. I don't know if Splunk already has an AI-based plugin tool or not. If AI is present in the product, it would help L1 and L2 support resolving tickets in a much faster manner, and it is also an area where context helps.

I have seen a reduction in the mean time to resolve from the use of Splunk Enterprise Security by around 30 to 40 percent if it is able to deal with contextualization. L1 and L2 support teams look at a particular incident, and if they end up spending more time adding the context or going through multiple tickets, it adds up the time needed to resolve an issue.

The product helps speed up security investigations by around 30 to 40 percent. Collecting the context is the key step for resolving or investigating purposes.

It is not fair to state why a certain rating is being given to a product since a person rates a solution on certain aspects, and it could be in terms of the migration part. If I speak in terms of the performance and support parts of the solution, I would rate the product a nine. If I consider the cost of implementing and maintaining the product, I would rate other products much better than Splunk Enterprise Security. As a company, we have implemented Splunk Enterprise Security multiple times, and we see the business associated with the product growing higher. My company also provides training to people in relation to Splunk Enterprise Security. My company hopes to do more business with Splunk Enterprise Security. My company has 3,00,000 employees.

I rate the overall tool an eight out of ten.

I've been building SOCs for multinational banks across Asia and Australia, the Middle East, and right now in the United States.

It's the tool that we use to build SIEMs to meet logging requirements and to identify security issues across larger states of data sets.

We wanted to give our analysts visibility in near real-time to problems as they occur. That's the goal. 

By using the frameworks that we've adopted, like MITRE ATT&CK and the coverage mapping, we're able to show the divisions that we have in our detection environment. And we map that across with our prevention layers just to describe to the business the deficiencies we have. We can show, for example, these are the areas we can't see since we don't have logging for them, and or these are the areas we can spend more time on to draw down risk due to the fact that, while we have the logging, we haven't got the searches and correlation searches in place. That would perform detection behind the preventative controls. So it gives us a guide as to where we can spend time better.

The feature that we use the most is the correlation search engine within ES. That is the one we use. Absolutely the most. There are a lot of other features in there, however, that's the one we use.

Our organization does monitor multiple cloud environments. It's not "easy" per se. I'm a Splunk-certified architect. I've got 30 years of experience. If you've got 30 years of experience and you're a Splunk-certified architect, it's easy. If you haven't, you've got no chance.

Splunk Enterprise Security's visibility into multiple environments, for example, cloud, on-prem, and hybrid is good. Splunk doesn't care. It's as easy on-prem as it is on the cloud, as it is hybrid. I've built up all three individually and separately depending on the environment.

The insider threat detection capabilities for helping our organization find unknown threats and anonymous user behavior are okay. It can do it, however, it is not out of the box a UEBA. It doesn't pretend to be. Splunk has a separate product for that which is not the enterprise security suite. That said, if you enable the access domain correctly within ES, it gives you really good insight into what your Insight users are doing. That's what the access domain is. However, it doesn't have the advanced features that you would expect from your UEBA product as it is not one.

We use the threat intelligence management feature. My impressions of the actionable intelligence provided by the threat intelligence management feature are mixed. We import anomaly threat intel into the Splunk ecosystem to do that. We use the framework that Splunk provides, and we supplement it with the threat intel from a third party, and that works really well.

We use the MITRE ATT&CK Framework. We’ve mapped all of our detections around that Miter framework. There's there's four frameworks built in, and we chose Miter. It just makes more sense. You only pick one. There’s no sense in picking more than one.

It’s helpful to uncover the overall scope of an incident. If you've done the work to map your MITRE ATT&CK Framework into the product, then you have a hit against a MITRE ATT&CK technique. Then at least you know where it is in the MITRE ATT&CK framework so that you can describe it as a common frame of reference with a third party. However, it doesn't necessarily give you an idea of the scope. It requires more effort. That said, it's certainly a really good starting guide as to where you are.

Splunk Enterprise Security is okay for analyzing malicious activities and detecting breaches. It's only as good as the operators that use it. Out of the box, it doesn't do anything. You have to put the work in to make it do that. I can't begin to say how useful it is when it's first configured. You need to spend a lot of time working on your environment to make it do that.

It helped us detect threats faster. Without it, you can't check anything. It's too complicated.

The solution has helped us speed up our security investigations. Without it, you don't have investigations. Also, with the alerting itself, Splunk becomes best of breed.

Enterprise Security hasn’t helped us reduce our alert volume. The analysts have, however.

We do all of our enterprise security on-prem. We avoid the Splunk Cloud solution since we want the flexibility to build our own. It is a hugely complicated product. Obviously, anything that they could do to make it easier would be ideal. 

I've used the solution for over ten years. 

It's rock solid. It never failed. Having resilience in our organization is fundamental to our security position. 

We're a multinational and have Splunk in the UK and US. We have 2,000 employees, and 2,000 endpoints, at the employee level. We also have around 12,000 production endpoints and it runs across a multi-cloud hybrid that includes GCP and AWS. It also has a tiny on-prem footprint.

You can horizontally scale someone instantly. I've never been afraid we would exceed horizontal requirements. 

We don't use technical support. 

I did not previously use a different solution in this company. 

A long time ago, the company replaced ArcSight with Splunk. 

The initial deployment was complex. 

Our strategy has been to avoid clustering for searching and to build a significantly larger virtual machine for running the ES environment as a stand-alone. It's got 128 cords and 256 Giga RAM so that it can run inside itself and not have to cluster since a cluster adds too much complexity.

We only need one person, myself, to deploy the solution. I'm a Splunk certified architect and I have 15 years of experience doing nothing but Splunk. 

The solution does require some maintenance. We have seven people in total handling maintenance. 

I have witnessed ROI. However, luckily, our center does not have to pay for the license. 

We get enterprise licensing via Intuit, our parent company. The licensing is horrendously expensive. 

I did not evaluate other options. This solution was in place when I arrived. 

I'm an end-user.

If you are looking for a cheaper option, you probably don't have a focus on security or have a risk that you care about enough to purchase a premium solution. If you look at the Gartner roadmap, Splunk is a clear leader, and it's always at the top right quadrant. Everything else is attempting to catch up to Splunk. There's no one else in front of it. If you choose something like Elastic or Sumo, your company doesn't place an emphasis on security. 

I'd rate the solution nine out of ten. It's a lot of work. Almost nothing works out of the box. You have to invest in it for three to five years at a minimum. 

I have created various correlation searches to develop use cases for detecting security threats. For example, I have created use cases to identify brute force attacks, unauthorized access, denial of service attacks, and distributed denial of service attacks. To date, I have developed a total of 190 use cases for our environment using Splunk Enterprise Security.

The end-to-end visibility provided by Splunk Enterprise Security is crucial. Its user-friendly interface makes it easy to navigate and configure. The intuitive options allow for simple customization, enabling users to easily select and configure settings. This feature, combined with the excellent support from the Splunk team, makes it a valuable tool for addressing enterprise security issues and creating or modifying use cases.

Splunk's website provides a variety of simple commands for identifying security events. These commands and pre-built security fields make it easy to detect real-time attacks, monitor environments, and identify security threats. Splunk offers a more straightforward and efficient approach than other monitoring tools.

Splunk automatically ingests and normalizes data, eliminating the need for human intervention. When data is ingested, it is automatically converted into index-friendly formats within most source pipes.

The MITRE ATT&CK framework is a valuable tool for security teams, and its integration with Splunk Enterprise Security offers significant benefits. By mapping specific MITRE ATT&CK tactics to Splunk use cases, analysts can quickly identify the root cause of security incidents and access relevant information for remediation. For example, if a brute force attack occurs, an analyst reviewing the incident can quickly determine the corresponding MITRE ATT&CK tactic and access detailed information about the attack, including potential solutions, mitigation strategies, and potential future actions. This seamless integration between MITRE ATT&CK and Splunk empowers security teams to respond to threats more effectively and efficiently.

Splunk has significantly enhanced my business resilience and problem-solving capabilities. Due to the urgency of different issues, there are four types of Splunk support cases: P1, P2, P3, and P4. P1 cases are incredibly critical and require immediate attention. If a business-critical issue arises, I can open a P1 case, and the Splunk support team will respond within 15 minutes. This rapid response has enabled me to resolve critical issues promptly. For P2 cases, the support team typically connects within two to three hours. P3 cases receive a response within 24 hours. Overall, the Splunk support team consistently resolves issues efficiently.

After deploying the use case, we immediately observed the benefits of Splunk Enterprise Security. We can instantly monitor enterprise security use cases in our environment without delay. However, as a precautionary measure, we deploy use cases and monitor them for seven days. If the use case does not generate excessive noise within this period, we deploy it to the final environment. Otherwise, we refrain from deployment. Splunk's capability allows us to deploy use cases within seconds.

Splunk helps me consolidate all the data, such as networking and cyber security data. If there are other types, such as behaviour analysis, we can perform them with the help of Splunk. But I'm mainly in the cyber security field, so I am more concerned with Splunk for cyber security data only. For example, in my PhD, I created my thesis based on medical performance monitoring. I monitor the performance health condition of one million people with the help of Splunk. So, this is not a cybersecurity use case I'm creating there. I monitor the health condition with the help of a Splunk Enterprise. If a health condition is significant, the alert immediately goes to the doctor, physician, and their relative.

My alert volume has decreased significantly. Splunk is a machine that generates alerts based on specific use cases or service queries. Before implementing a new use case or alert, we must analyze how many alerts it will trigger. If it generates fewer than one alert per day, it's acceptable. However, I will only deploy it if it generates one daily alert. This approach allows me to reduce the alert volume effectively using Splunk Enterprise Security.

Splunk streamlined my security investigations by consolidating logs into a single repository. The Splunk community provided invaluable assistance, enabling me to quickly find answers to my security-related questions and address concerns promptly. By leveraging the collective knowledge of the global community, I expedited my security processes and enhanced overall security measures.

Splunk reduces the mean time to resolve because it enables L1 SOC analysts to view relevant data in the power role field directly. For example, when a brute force attack alert triggers, analysts can easily see the source IP, time of the alert, user, destination IP, and other critical fields. This immediate access to information allows for swift preventive measures, countermeasures, and efficient resolution of cybersecurity issues. Splunk's clear and intuitive interface empowers even junior analysts with only one year of experience to effectively apply their knowledge and address security challenges.

The two features I like most in Splunk Enterprise Security are the content management system and the inter-incident review dashboard. The incident review dashboard allows us to directly view significant events triggered by the use cases I've configured within the content management system.

I suggest that Splunk provide the same resources on its platform, as on other websites through Google. For instance, they could offer pre-built search queries for everyday use cases like brute force attacks, DDoS attacks, and other security threats. These queries would be generated based on my specific data, saving me the time and effort of creating them manually. This would be incredibly beneficial and align with the AI capabilities already present in Splunk Enterprise Security.

I have been using Splunk Enterprise Security for eight years.

In the eight years I have used Splunk Enterprise Security, I have experienced no stability issues. There has been no downtime or crashing. The only problems I have encountered were temporary interruptions in some features, lasting approximately 15 minutes.

Splunk Enterprise Security is highly scalable. For example, I currently have one terabyte of data to deploy, and tomorrow, I need to deploy ten terabytes. In that case, the system can easily accommodate the increased load without compromising performance. It is extremely fast and efficient, ensuring no issues even as the input data volume grows. The system adjusts quickly to meet the demands of expanding data requirements.

I have contacted Splunk technical support three times in the past fifteen days due to various issues encountered while using Splunk. Each time I reached out, they responded promptly and assisted me in resolving the problems.

Positive

I have used several alternatives to Splunk, such as AppDynamics, Dynatrace, and Oracle Enterprise Manager. However, I have found Splunk Enterprise and Splunk Enterprise Security the most effective tools for my needs. These platforms are easy to use, allowing for flexible parameter customization and dynamic adjustments to meet specific requirements.

The initial deployment of Splunk Enterprise Security was straightforward due to my prior experience learning and using various tools. I found it to be significantly easier to implement than similar software.

I set up my lab independently, being new to the environment at the time and eager to learn. I visited the Splunk website and discovered the free courses they offer. Using these courses, I successfully configured my lab. Splunk provides valuable assistance for setting up personal labs and offers a 60-day trial version. This version allows for direct log setup and hands-on practice of Splunk skills without cost.

Splunk Enterprise Security's pricing is competitive. For instance, the cost typically increases proportionally with the daily license volume. For example, purchasing a 100 GB license per day is less expensive than buying one GB per day. A discount is offered for larger volume purchases.

I would rate Splunk Enterprise Security eight out of ten.