Security Engineer at a financial services firm with 5,001-10,000 employees
Improves business resilience through faster incident response and effective use case customization
Pros and Cons
- "My security ops team takes around 30 minutes to one hour to remediate security incidents with Splunk Enterprise Security compared to a previous solution."
- "Now with Splunk Enterprise Security, we have everything in one place—the notables are created automatically, but they can also create their own notables based on the investigation, which improved and reduced about 50% of the manual work that was done before versus what we are doing now."
- "We're planning to incorporate UBA and SOAR. It would be good to have everything in one place."
- "I have not seen ROI with Splunk Enterprise Security."
What is our primary use case?
My main use cases for Splunk Enterprise Security are cloud-based use cases.
What is most valuable?
The features I appreciate the most are the content. I use the content, enable, and see how that works. They give me ideas on how to tune something or determine if that use case is proper for us, or I can take the idea of that use case and customize it based on our needs.
Splunk Enterprise Security has helped improve my organization's business resilience.
I do use disparate security solutions that integrate or import data into Splunk Enterprise Security. The integration of these solutions supports our security operations. That's the part I work on with the architect. I'm not fully familiar with that, but when we talk, he mentions those integrations and that seems to be good from that perspective because we are separate. We have separation of duty between the architect, security engineer, and analyst.
I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security to be good. My organization uses risk-based alerting in Splunk Enterprise Security for three or four use cases. We have one active for user, cloud users, with data from Microsoft 365. We elevate the risk of users based on behavior and conditional access. It gives us visibility of which users are at real risk based on the configuration we have.
My security ops team takes around 30 minutes to one hour to remediate security incidents with Splunk Enterprise Security compared to a previous solution. They previously did everything manually with the last solution, opening tickets manually and jumping between platforms, the ITSM platform, the same platform. Now with Splunk Enterprise Security, we have everything in one place. The notables are created automatically, but they can also create their own notables based on the investigation. That improved and reduced about 50% of the manual work that was done before versus what we are doing now.
What needs improvement?
In terms of how Splunk Enterprise Security can be improved, based on the last version I'm seeing here, as we are a bit behind, it is the Mission Control. It is something that I have heard about and tested in a couple of labs that is very good for unifying everything. There are additional features I would want to see included in the next release. We're planning to incorporate UBA and SOAR. It would be good to have everything in one place.
For how long have I used the solution?
I have been using Splunk Enterprise Security for two years.
Buyer's Guide
Splunk Enterprise Security
January 2026
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: January 2026.
882,637 professionals have used our research since 2012.
What do I think about the stability of the solution?
The stability and reliability of Splunk Enterprise Security, as I would assess them, depend on our on-premises setup.
What do I think about the scalability of the solution?
Splunk Enterprise Security scales with the growing needs of my organization; however, that's more the architect's domain. We had licensing for 500 gigabytes, then we extended it to 1 terabyte. Now we have 1.5, and we are going to extend to 2.5.
How are customer service and support?
I would evaluate customer service and technical support as good, rating them a nine out of ten. I'm usually not the one who opens tickets. The couple of times that I have opened tickets with Splunk, they were very good. The only thing I was expecting is that they would follow up with me.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Prior to adopting Splunk Enterprise Security, I was using Microsoft Sentinel to address similar needs.
How was the initial setup?
The initial setup process was good.
What was our ROI?
I have not seen ROI with Splunk Enterprise Security.
What's my experience with pricing, setup cost, and licensing?
I don't work with the numbers, licensing, and related aspects. The architect handles that part.
Which other solutions did I evaluate?
I wasn't in the organization when they made the decision, however, based on what I heard, the factors that led to the change were all the detection capabilities, and at that time, they were looking for a solution that was mature enough to implement. At that time, Microsoft Sentinel was not the right solution.
What other advice do I have?
The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection are related to the data. Onboarding the data, trying to get only what we want and what matters for security is a challenge every day. We're trying to onboard what matters and what is significant for security. We use Splunk solely for security purposes. Some people see Splunk as a data analytics tool, which it is, but changing people's minds that we use Splunk for security is an everyday challenge.
I am not using any new threat detection features in Splunk Enterprise Security currently. My impressions of its ability to predict, identify, and solve problems in real time are good, even though we don't use many things out of the box. We use most of the out-of-the-box features and customize them. We have just a few out-of-the-box use cases in place.
The advice I would give to other organizations considering it is to send people to training before getting Splunk Enterprise Security. You can use my real name when publishing my review.
On a scale of one to ten, I would rate Splunk Enterprise Security a nine.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 11, 2025
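The review above describes risk-based alerting: detections raise a user's risk instead of paging on every hit, and a notable is created only once the accumulated risk becomes significant. The following is an added example written for this page, not code from the reviewer or from Splunk, that models that aggregation over constructed risk events; the event fields, rule names, scores and thresholds are assumptions chosen for illustration, not Splunk's risk-index schema.

```python
"""Added example (not from the review or from Splunk): a minimal model of
risk-based alerting (RBA).  Individual detections do not page anyone; each
one writes a risk event with a score against a user, and a scheduled
aggregation pass raises a notable only when the accumulated risk for that
user inside a window crosses a threshold.  All event data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed risk events: (timestamp, user, rule name, MITRE tactic, score).
# A real deployment reads these from the risk index written by detections;
# the field layout here is an assumption, not Splunk's schema.
RISK_EVENTS = [
    ("2025-09-01T08:05:00", "alice", "M365 impossible travel", "initial-access", 30),
    ("2025-09-01T08:20:00", "alice", "MFA fatigue: many pushes", "credential-access", 40),
    ("2025-09-01T09:10:00", "alice", "Inbox forwarding rule created", "collection", 40),
    ("2025-09-01T10:00:00", "bob", "Login from new country", "initial-access", 30),
    ("2025-08-29T10:00:00", "bob", "Login from new country", "initial-access", 30),
    ("2025-09-01T11:30:00", "carol", "Conditional access policy failure", "defense-evasion", 20),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def aggregate_risk(events, now, window=timedelta(hours=24)):
    """Sum risk per user inside the window; also track distinct rules and tactics."""
    if isinstance(now, str):
        now = parse_ts(now)
    start = now - window
    per_user = defaultdict(lambda: {"score": 0, "rules": set(), "tactics": set()})
    for ts, user, rule, tactic, score in events:
        t = parse_ts(ts)
        if start <= t <= now:
            u = per_user[user]
            u["score"] += score
            u["rules"].add(rule)
            u["tactics"].add(tactic)
    return per_user


def risk_notables(events, now, score_threshold=100, min_distinct_rules=3):
    """Raise a notable when total risk crosses the threshold OR when several
    distinct detections fire: breadth of behaviour matters even at low scores."""
    out = []
    for user, u in sorted(aggregate_risk(events, now).items()):
        if u["score"] >= score_threshold or len(u["rules"]) >= min_distinct_rules:
            out.append({"user": user, "score": u["score"],
                        "rules": sorted(u["rules"]), "tactics": sorted(u["tactics"])})
    return out


if __name__ == "__main__":
    for n in risk_notables(RISK_EVENTS, "2025-09-01T12:00:00"):
        print(n)
```

Run as written, only alice produces a notable: three different detections inside the window add up to 110, while bob's second "new country" login falls outside the 24-hour window and carol's single low-score event never reaches the threshold. The two conditions in `risk_notables` are deliberately separate; a flood of one noisy rule should not look like a campaign, and three distinct low-score behaviours on one account often matter more than one high-score hit.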
Delivery Manager at a tech services company with 1,001-5,000 employees
Security operations have become faster and threat visibility improves across hybrid environments
Pros and Cons
- "We are satisfied with Splunk Enterprise Security, and it comes with a wide number of out-of-the-box applications which do help us to fix the problems."
- "However, for smaller organizations, the deployment and management can be expensive, leading them to choose other SIEM tools."
What is our primary use case?
The business case we use Splunk Enterprise Security for is internal security and organizational security purposes. We use it for all kinds of use cases, depending on the project.
What is most valuable?
We are satisfied with Splunk Enterprise Security, and it comes with a wide number of out-of-the-box applications which do help us to fix the problems. The out-of-the-box applications are majorly important for any log source onboarding. When you bring in log sources, you can do anything with it. It has inbuilt Security Essentials, which is the application that helps when you get a lot of log types onboarded, enhancing the use cases based on what you need. For example, after onboarding XYZ log sources, you can develop use cases based on that, such as security contents on that, then you can take it ahead. Those features are the best which we have.
After that, you can develop advanced dashboards or use the new AI feature that can translate something you say into SPL language, making it easy for us. Those features are better right now.
What needs improvement?
Splunk Enterprise Security has achieved a high level of product functionality. Improvements can focus on bringing various features together for easier use and potentially addressing human versus machine threats with AI-based detection, along with educating organizations about compliance.
For how long have I used the solution?
I have been working with Splunk Enterprise Security for almost four years now.
What do I think about the stability of the solution?
Data ingestion is crucial, and I have mentioned this feedback in previous calls. Splunk Enterprise Security is stable and provides a good infrastructure for large organizations. For a Splunk Enterprise Security product in organizations with 20,000 to 80,000 people, it is very stable. However, for smaller organizations, the deployment and management can be expensive, leading them to choose other SIEM tools. For mid-sized organizations, Splunk Enterprise Security is indeed the best option, especially when ingesting a lot of data.
Which solution did I use previously and why did I switch?
We were previously using IBM QRadar and McAfee products, but right now we haven't explored that part because, for a few years, I have been working for an organization where we only explore Splunk Enterprise Security, Azure Sentinel, or any freeware SIEM solution on the market. That is the kind of project I am doing right now, but I am not working with IBM QRadar.
How was the initial setup?
The setup process for Splunk Enterprise Security is simple. An experienced technician can complete a systematic installation within a few weeks. Splunk Enterprise Security offers success partner provisioning for additional support and implementation.
Which other solutions did I evaluate?
We usually use Splunk Enterprise Security and Azure Sentinel, and we are researching the Wazuh EDR solution.
Right now we are working on Tines and Scramble, and there are a few SOARs which we are looking at, like LogRhythm and Sumo Logic source. We are assessing the products right now. We haven't adopted any of them right away.
What other advice do I have?
There is integration between third parties with Splunk Enterprise Security. For example, we can connect a Tenable vulnerability assessment tool. It has inbuilt features to trigger automation actions. We have integrated a lot of products, and when you want to trigger SOAR or something of that nature, third-party applications are already available. For instance, when you integrate Tines, there are extensions available, making it a more powerful tool. This systematic integration is beneficial to us.
Regarding risk-based alerting in Splunk Enterprise Security, there are a lot of contents available from Splunk used as rules or searches. If we design systematic inputs and use cases, it does provide a lot of threat-based detection, showing what detection is happening right now and how advanced automation is expected to happen. Those visibilities are available with Security Essentials.
The resolution of security incidents using Splunk Enterprise Security is quite a bit faster. However, faster remediation ultimately depends on the security operations. The detection with Splunk Enterprise Security is effective, but the story starts afterward. In the actual products, such as Splunk Enterprise Security, 20 to 30% of the time is spent on detection and investigation for incidents. The combination of Splunk Enterprise Security, ITSM tools, and SOAR on a single platform provides a value-add, allowing for a more efficient resolution process while considering costs for security teams.
For threat detection features in Splunk Enterprise Security, it is necessary to build use cases. SIEM tools are not purely threat detection tools; they are notification tools for threats detected elsewhere. We can do anomaly detection, but detecting actual threats requires specific signatures that we haven't explored yet in depth.
For threat detection features, it is vital to build use cases and compare anomalies such as a significant increase in login attempts. Anomalies can be detected in Splunk Enterprise Security, but defining signatures for threats is a task we still need to explore.
We work in both cloud and on-premises models, with our on-premises being integrated with cloud services from certain vendors. I would rate this product overall a 9 out of 10.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: reseller.
Last updated: Feb 20, 2026
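The reviewer above gives "a significant increase in login attempts" as the kind of anomaly a SIEM can surface once a use case is built. What follows is an added example written for this page, not the reviewer's or Splunk's code, showing the per-user baseline comparison such a use case needs; the hourly counts, the z-score threshold and the two floors are constructed assumptions.

```python
"""Added example (not from the review or from Splunk): flagging a spike in
login attempts per user against that user's own history, rather than one
global threshold that is either too noisy for busy accounts or too lax for
quiet ones.  The hourly counts below are constructed."""
import statistics

# Constructed hourly login-attempt counts per user over a baseline period
# (a week of 168 values would be realistic; a short series keeps the example
# readable), followed by the count for the hour being evaluated.
BASELINE = {
    "svc-backup": [2, 3, 2, 2, 3, 2, 2, 3, 2, 2, 3, 2],              # quiet service account
    "alice":      [5, 7, 6, 8, 5, 6, 7, 6, 5, 7, 6, 8],              # interactive user
    "scanner":    [40, 42, 38, 41, 39, 40, 43, 40, 41, 38, 42, 40],  # always busy
}
CURRENT_HOUR = {"svc-backup": 25, "alice": 9, "scanner": 46}


def login_spike(baseline, current, z_threshold=3.0, min_count=10, min_ratio=3.0):
    """Return (is_anomalous, zscore) for one user.

    Three guards are combined: a z-score against the user's own history, an
    absolute floor so that 1 -> 4 logins does not alert, and a ratio floor so
    that a busy account with a tiny standard deviation does not alert on a
    small absolute bump."""
    mean = statistics.fmean(baseline)
    stdev = statistics.pstdev(baseline)
    # Floor the deviation: a perfectly flat history must not divide by zero,
    # and must not make a one-login change look enormous.
    z = (current - mean) / max(stdev, 1.0)
    ratio = current / max(mean, 1.0)
    anomalous = z >= z_threshold and current >= min_count and ratio >= min_ratio
    return anomalous, round(z, 2)


def find_spikes(baseline_by_user, current_by_user):
    """Names of users whose current hour is anomalous, sorted for stable output."""
    return sorted(u for u in current_by_user
                  if login_spike(baseline_by_user[u], current_by_user[u])[0])


if __name__ == "__main__":
    for user in CURRENT_HOUR:
        print(user, login_spike(BASELINE[user], CURRENT_HOUR[user]))
    print("spikes:", find_spikes(BASELINE, CURRENT_HOUR))
```

With these inputs only the service account is flagged: 25 attempts against a baseline of two or three an hour is both statistically and proportionally extreme. The scanner's 46 attempts clear the z-score (its history is very flat) but fail the ratio floor, and alice's 9 is within normal variation and under the absolute floor. Tuning any one of the three guards alone is what produces the false-positive floods or the silent misses a SIEM use case usually goes through before it settles.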
Assistant VP at a financial services firm with 10,001+ employees
Video Review
Has supported data loss prevention investigations by centralizing access to user activity across multiple tools
Pros and Cons
- "Splunk Enterprise Security scales well with the growing needs of our company."
- "For instance, if a DLP operations analyst accesses the platform, it should guide them to navigate predefined content for their role. That's something I've already mentioned to them, and I'm eager to see what happens next."
What is our primary use case?
My main use cases for Splunk Enterprise Security include supporting production changes, which helps us ensure that we are not going to break the business from a DLP engineer standpoint. From an investigations and operations perspective, it allows us to look into all activities done by any individual, such as which emails they sent or what kind of data they have in their folders. We have logs coming from data at rest and data in motion channels, and all this combined is quite helpful for insider threat and data loss prevention activities.
One of the use cases I leverage Splunk Enterprise Security's dashboards and visualizations for is looking into risky applications. Since we manage the web side, we look into emerging AI applications in the market. Splunk Enterprise Security provides access to logs that show which category of websites are being accessed and what those are. We can see that in a search, yet visualizations dashboards enhance this representation. Instead of writing an SPL every time, any team member can go into a dashboard, input the application name they're interested in, and access all relevant details. These are some use cases, and you can continually build your own with Splunk Enterprise Security providing the platform for those developments while limiting access to only those who need to see the information.
How has it helped my organization?
Splunk Enterprise Security plays a role in our organization's strategy to combat insider threats and advanced persistent threats by allowing us to examine how users are affected and the various egress points they are hitting. From my perspective, this is essential as I work in a specific area within cybersecurity.
What is most valuable?
As a DLP Engineer and Assistant Vice President at a US bank with about 50,000+ employees, I manage the Data Loss Prevention tool, configurations, and deployments. We work across the globe in multiple regions and work on multiple different kinds of tools. Splunk Enterprise Security is leveraged quite heavily to support our DLP functions by creating SPLs for our DLP operations. We also create dashboards and reports that are required, where Splunk Enterprise Security is the single point of connection that allows us to send all the logs across and use the data as we need and see fit.
Due to my role, I have limitations on what I can do in Splunk Enterprise Security, yet for whatever access I have, it's been a very useful tool for detections and investigations. From a DLP standpoint, we look into enabling blocking, and we want to make sure that we are looking into what's happening there and how many people would be affected. Splunk Enterprise Security gives us access to that data, while the DLP platforms themselves provide data too, however, Splunk Enterprise Security's integrations with various inputs from identity and asset management create a single point for all information.
I appreciate the statistics feature of Splunk Enterprise Security since it helps showcase numbers to management. While we can share a long spreadsheet, that's not a good way of sharing data. Although we still share spreadsheets, having statistics, visualizations, and dashboards to showcase security benefits is much more effective.
Any new tooling we bring in and adding that data set helps create much richer data. Different integrations enhance our ability to find the right context for threat analysis and insider threat analysis.
I don't have any metrics regarding how Splunk Enterprise Security has helped reduce our team's average mean time to detect. However, I can think of the practical aspect: we have four different tools with their alerts. When we go into each of those tools, we can see what a user has done. With Splunk Enterprise Security, we can just pop in an SPL, search for the user, and find all the details from different sources in one spot, making it much easier to dive into investigations.
What needs improvement?
I have many good ideas for how Splunk Enterprise Security can be improved. Our Splunk team attended a session, and it was really good. I see that AI integration would assist analysts in seamlessly looking into data without relying on engineers to write an SPL. With AI integration, they can search different kinds of data that they have access to. The UEBA side looks good, and the Splunk Enterprise Security UI indicates that we are on the right path. I look forward to using and sharing what I've learned with my team regarding different tools in Splunk Enterprise Security that we can leverage to improve processes, provided they are not already using them.
One major return on investment for using Splunk Enterprise Security, from my perspective, is the feedback I provided to the product research team about creating a UI that helps specific team members extract value from the platform. For instance, if a DLP operations analyst accesses the platform, it should guide them to navigate predefined content for their role. That's something I've already mentioned to them, and I'm eager to see what happens next. Currently, it's a blank slate where users can explore, which is good, however, some people might need a push. Training can either be done from start to finish, or with AI integrating everywhere, users could ask questions that would return answers, from creating an SPL to providing results.
For how long have I used the solution?
I have about ten plus years of experience in IT and security. For the last seven years, I've been focused on data security. I've worked on probably more than seven DLP platforms, data loss prevention platforms. From what I've seen, almost all of the companies I've worked with leverage Splunk.
What do I think about the stability of the solution?
I am happy with Splunk Enterprise Security's stability and reliability so far. I haven't seen any drawbacks, although sometimes the search takes a while to return results. That's often due to how I design the search, not the platform's fault. I have fantastic team members who assist me with specific SPLs, which makes it easier. It's just about navigating and understanding the right way to do it.
What do I think about the scalability of the solution?
Splunk Enterprise Security scales well with the growing needs of our company. We have a massive team that supports this, with an amazing team managing all the work around Splunk Enterprise Security ingestions. I keep hearing that the use cases are increasing, and we look forward to what more comes in.
Which solution did I use previously and why did I switch?
Before adopting Splunk Enterprise Security, we did not use any other solution to address similar needs in our company.
What other advice do I have?
I know that our SOC team does use Splunk Enterprise Security to prioritize and investigate high-fidelity alerts, however, I'm not sure how it helps them specifically. I can say that many different teams in the business use it very heavily.
We do utilize UEBA in our company, yet not Splunk Enterprise Security UEBA from my understanding. I'm not part of those teams, so I wouldn't have an answer for how it specifically functions.
I would rate Splunk Enterprise Security a ten out of ten.
I advise other companies considering Splunk Enterprise Security to recognize that it is utilized by massive companies and is more practical. I would suggest finding what works for their environment and evaluating all related costs as those are important factors. Overall, Splunk Enterprise Security delivers, which is what truly matters.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 13, 2025
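The reviewer above describes the practical gain: four tools each have their own alerts, but one search for the user returns everything in one spot. The following is an added example written for this page, not the reviewer's or Splunk's code, showing why that works only after each source's actor and time fields are normalized to a common schema (the idea behind Splunk's Common Information Model); the sources, field names and events are constructed assumptions.

```python
"""Added example (not from the review, and not Splunk code): the
'search for the user in one spot' workflow.  Four tools name the actor
differently; the records are normalized to one schema so a single lookup
by user returns a merged, time-ordered timeline.  All events and field
names are constructed for the example."""

# Constructed raw events.  Each source has its own field for the actor and
# for the time, and its own identity format (DOMAIN\\user, UPN, bare name).
RAW_EVENTS = {
    "dlp":   [{"ts": "2025-09-10T09:02:11", "endpoint_user": "CORP\\jdoe",
               "action": "block", "policy": "PCI-PAN", "file": "cards.xlsx"}],
    "email": [{"sent_at": "2025-09-10T09:05:40", "sender": "jdoe@corp.example",
               "recipient": "jdoe.personal@mail.example", "attachment": "cards.xlsx"}],
    "proxy": [{"_time": "2025-09-10T08:58:03", "src_user": "jdoe",
               "url": "https://ai-tool.example/upload", "category": "AI/ML"}],
    "idp":   [{"time": "2025-09-10T08:30:00", "userPrincipalName": "jdoe@corp.example",
               "result": "success", "ip": "203.0.113.7"},
              {"time": "2025-09-10T08:31:00", "userPrincipalName": "asmith@corp.example",
               "result": "success", "ip": "198.51.100.5"}],
}

# Per-source mapping: (time field, user field, one-line summary builder).
SOURCE_MAP = {
    "dlp":   ("ts", "endpoint_user",
              lambda e: f"DLP {e['action']} {e['policy']} on {e['file']}"),
    "email": ("sent_at", "sender",
              lambda e: f"email to {e['recipient']} with {e['attachment']}"),
    "proxy": ("_time", "src_user",
              lambda e: f"web {e['category']} {e['url']}"),
    "idp":   ("time", "userPrincipalName",
              lambda e: f"sign-in {e['result']} from {e['ip']}"),
}


def normalize_user(raw):
    """Collapse DOMAIN\\user, user@domain and bare user into one lowercase key."""
    u = raw.split("\\")[-1]
    return u.split("@")[0].lower()


def normalize(raw_events):
    """Flatten every source into {time, user, source, summary} records."""
    out = []
    for source, events in raw_events.items():
        tfield, ufield, summarize = SOURCE_MAP[source]
        for e in events:
            out.append({"time": e[tfield], "user": normalize_user(e[ufield]),
                        "source": source, "summary": summarize(e)})
    return out


def user_timeline(raw_events, user):
    """Everything one user did, across every tool, in time order.
    ISO-8601 timestamps sort correctly as strings, so no parsing is needed."""
    key = normalize_user(user)
    return sorted((e for e in normalize(raw_events) if e["user"] == key),
                  key=lambda e: e["time"])


if __name__ == "__main__":
    for e in user_timeline(RAW_EVENTS, "CORP\\jdoe"):
        print(e["time"], e["source"], e["summary"])
```

Asking for `CORP\jdoe`, `jdoe@corp.example` or `jdoe` returns the same four-step story: sign-in, upload attempt to an AI tool, a DLP block on a spreadsheet, then the same spreadsheet sent to a personal mailbox. The identity normalization is the part that breaks silently in real deployments; if one source keeps the domain prefix and another the UPN, the search for the user quietly returns only part of the picture.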
Information Security Specialist at a computer software company with 10,001+ employees
Streamlines alert triage and incident investigation while improving communication with non-technical stakeholders
Pros and Cons
- "The features of Splunk Enterprise Security that I appreciate the most include the SPL search."
- "Splunk Enterprise Security can be improved mainly regarding the UI, which can be daunting at first for newer employees."
What is our primary use case?
As a security analyst, my main use cases for Splunk Enterprise Security involve reviewing notables. I receive all the alerts and notables in my queue, review them, ensure they're not actual security incidents, and triage them as either true positives, false positives, and so on. I then investigate the true positives.
What is most valuable?
The features of Splunk Enterprise Security that I appreciate the most include the SPL search. It allows me to get all the data I need, make it beautiful, show it to my boss, and show it to less technical people. It's easy to display the data.
When we have a major incident, we need to move fast and answer quickly. Also, we need to inform non-technical people, so it's easier to show them.
Instead of showing them a raw log that's ugly and hard to read, we can show them a very concise point such as 'This insider threat with this IP address accesses this system,' and pivot wherever needed. It's really useful for data presentation.
Dealing with incidents depends on the type of incident; a major incident can take a few months, while a smaller incident can take from five minutes to five hours. We use Splunk SOAR, and we're starting to use that in Splunk Enterprise Security to automate our response. It's made my life easier because repetitive tasks can be automated with a playbook, and everything gets done in the background without manual triage.
Splunk Enterprise Security helps improve my business's resilience by protecting our enterprise. Every time there's something not working, it's our central log space. Every incident and everything that's not working is in Splunk. The factors that led to adding Splunk involve our relationship with the sales team and our technical contact. We have a very good relationship with them, which helps considerably.
The integration of these security solutions supports my security operations by providing us with better visibility into various types of endpoints. We have custom detections that we make on Splunk, and we also integrate Microsoft Defender alerts into Splunk. I have one place to investigate them all instead of going from product to product.
What needs improvement?
Splunk Enterprise Security can be improved mainly regarding the UI, which can be daunting at first for newer employees. It's hard to find everything, such as menu locations, dashboard access, and dashboard creation. It's still very complicated and takes a few weeks to understand. The UI could be more user-friendly.
The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection include skills. I've been using it for four years and I don't know everything yet. Finding information and writing complex SPL queries can be challenging. I tried to use external AI, ChatGPT, but they're not very good with it. I know now there's SPL with AI, and we're going to test that.
For how long have I used the solution?
I have been using Splunk Enterprise Security for about four years.
What do I think about the stability of the solution?
I would assess the stability and reliability of Splunk Enterprise Security as generally good. We had a few performance issue bugs with very specific use cases, and they were handled quite fast. We reported them to our technical contact, and within a week, it was fixed.
What do I think about the scalability of the solution?
Splunk Enterprise Security scales effectively with the growing needs of our organization. We expand continuously, always adding new detection, new logs, and new systems. In Splunk Cloud, it's very scalable. We never have an issue with that, and we have terabytes of data coming in.
How are customer service and support?
I would evaluate customer service and technical support for Splunk Enterprise Security as very good. This is probably one of the reasons why we have a good relationship and we keep Splunk around.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Prior to adopting Splunk Enterprise Security, I always used Splunk. At the same time, we use Microsoft Defender Endpoint, however, we don't use their SIEM solution. I use MD alerting too.
Which other solutions did I evaluate?
I use disparate security solutions that integrate or import data into Splunk Enterprise Security.
What other advice do I have?
I am not directly involved in pushing new detection in Splunk Enterprise Security. However, I do tune detections; if a detection is firing too much or I feel we could edit the detection, I find it quite easy to do. My organization does not use risk-based alerting in Splunk Enterprise Security yet; we're working on it.
The advice I would give to other organizations considering Splunk Enterprise Security is to contact them, contact the sales rep, the tech rep, and ask them for a PoC trial. They're very open with this and even with new features. Before we buy anything new, such as SOAR, Splunk offers us to do a PoC. They give us a license to try it for free for a few months and give feedback if interested or not. For any enterprise thinking about it, I would contact them and get them to do a free trial for a while.
On a scale of one to ten, I rate Splunk Enterprise Security a nine.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 13, 2025
IT Security Engineer at a financial services firm with 201-500 employees
Has significantly improved detection speed and enabled faster response to threats through better integration and automation
Pros and Cons
- "The features of Splunk Enterprise Security that I find most valuable include Mission Control, which I really appreciate, the way accelerated data functions, making it really fast to see, the integration with SOAR, which is something really cool and integrates with automated processes, and the way to ingest threat intelligence feeds, which is an amazing feature as well."
- "Splunk Enterprise Security has helped improve my organization's business resilience, as we were able to detect an attack that was happening after hours and prevent it thanks to the detections."
- "The on-premise integration with SOAR could be more simple; the cloud version integrates with SOAR very easily, but the on-premise SOAR and on-premise Splunk Enterprise Security are really not that easy, so I would appreciate if that could be improved."
What is our primary use case?
My main use cases for Splunk Enterprise Security are basically triage, ensuring cyber threat defence, and improving speed when defending the organization. Since I am the only one currently in the security team, we are growing this year and next, and we're expanding. Splunk Enterprise Security is improving the process to defend, basically.
How has it helped my organization?
The features of Splunk Enterprise Security benefit the organization. You can see threats much faster, helping detect something that the antivirus may miss. Splunk Enterprise Security can work with this, and when the antivirus has a hard position, by using proper detection rules that are well-configured, you can see what's going on in real-time, both endpoint-based and network-based.
What is most valuable?
The features of Splunk Enterprise Security that I find most valuable include Mission Control, which I really appreciate, the way accelerated data functions, making it really fast to see, the integration with SOAR, which is something really cool and integrates with automated processes, and the way to ingest threat intelligence feeds, which is an amazing feature as well.
Splunk Enterprise Security has helped improve my organization's business resilience, as we were able to detect an attack that was happening after hours and prevent it thanks to the detections. We stopped it immediately in a matter of about 30 minutes. Splunk Enterprise Security has improved my ability to predict, identify, and solve problems in real-time; it's not just proactive, but also really predictive. My organization uses Risk-Based Alerting in Splunk Enterprise Security, which speeds up our process to detect and our mean time to respond. It's very helpful, and after we improved the configurations, we have RBA working fine, something that will always be maintained; it may not be perfect, but we do our best to maintain it.
On average, my security ops team takes less than five minutes to remediate security incidents with Splunk Enterprise Security compared to our previous solution, which used to take hours because we needed to see different sites. We are using new threat detection features in Splunk Enterprise Security by ingesting a lot of threat intelligence feeds from our main vendor, which has significantly improved the indicator of compromise, the IOCs detections. We also use Sigma detections and adapt to Splunk.
What needs improvement?
The on-premise integration with SOAR could be more simple; the cloud version integrates with SOAR very easily, but the on-premise SOAR and on-premise Splunk Enterprise Security are really not that easy, so I would appreciate if that could be improved.
Additional features that should be included in the next release of Splunk Enterprise Security are the ability to integrate with other software and tool frameworks, beyond Sysmon, to avoid ingesting Sysmon logs from the endpoint, which can be very noisy at times, resulting in more straightforward detection and less resource-intensive licensing.
For how long have I used the solution?
I have been using Splunk Enterprise Security for four years.
What do I think about the stability of the solution?
I have experienced downtime, crashes, and performance issues with Splunk Enterprise Security due to a hardware issue, which we were able to quickly fix thanks to the backup recovery. However, it took about one day, and it highlights the need to move to clustering, which I've discussed with my leadership team.
What do I think about the scalability of the solution?
I would assess the stability and reliability of Splunk Enterprise Security as needing clustering. It ensures it remains operational all the time, which means you can see cyber attacks. When it's down, you can't see anything.
We currently rely on disaster recovery and backup recovery, which takes time to recover, during which you're basically blind, so I'm pushing my leadership team to switch over to a clustering environment for constant availability. Right now, the server we have meets the hardware requirements, and we have moved to new hardware.
We're considering moving to cluster environments to scale in the future, probably in a couple of years.
How are customer service and support?
I would evaluate customer service and technical support for Splunk Enterprise Security as excellent; when we open tickets for troubleshooting, 99% of the time, it relates to our Linux environment. I have no personal complaints about the support.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Prior to adopting Splunk Enterprise Security, Splunk was already in place when I came on board at Educational Federal Credit Union.
How was the initial setup?
In the beginning, we were using disparate security solutions that integrate or import data into Splunk Enterprise Security. Now we are adapting to completely switch to the Splunk Enterprise Security side to have a single-pane-of-glass view of everything, minimizing the integrations with the vendors such as EDR, DLP, and the firewall.
What was our ROI?
I have seen a return on investment with Splunk Enterprise Security. My executive team has noticed improvements; we were able to save on other solutions, which increased budgeting for future projects thanks to Splunk Enterprise Security and the licensing optimization, allowing us to invest in other tools.
What's my experience with pricing, setup cost, and licensing?
My experience with pricing, setup costs, and licensing with Splunk Enterprise Security has been challenging in the past due to the expensive licensing model, which was driven by Sysmon delivering a lot of unnecessary noise. We don't use Splunk just for security; we also use it for other departments.
We have shared the license between security and development departments, making sure to minimize ingestion logs from the endpoints, including workstations and servers. We are currently leveraging EDR telemetry ingested to Splunk, which saved a lot of licensing money while allowing us to see what we're looking for.
What other advice do I have?
My advice to other organizations considering Splunk Enterprise Security is that it's the leader in SIEM globally. You have a lot of customization and data normalization, meaning you can detect anything you want compared to other SIEMs. Splunk Enterprise Security is worth the investment because it provides exactly what you need if you are a true cyber defender. I also network with friends from a company, Next-Gen Systems, which is leading in detection and investing in developments and integrations with Splunk due to its scalability.
On a scale of one to ten, I rate Splunk Enterprise Security a ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 11, 2025
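The reviewer above mentions adapting Sigma detections to Splunk. The following is an added illustration of what that adaptation involves; it is not the reviewer's code, not Splunk's, and not the official sigma-cli / pySigma backend, which covers far more of the Sigma specification (field mappings, `1 of selection*` conditions, Sigma's own escaping rules). It handles the subset most process-creation rules use: a selection map whose keys are `field|modifier`, list values ORed (ANDed with `|all`), map entries ANDed, and a condition built from `and`, `or`, `not` and parentheses. The rule, the index name and the sourcetype are constructed for the example, and field names are assumed to already match the fields Splunk extracts from Sysmon, so no field mapping is applied.

```python
"""Convert a small subset of Sigma into a Splunk search (added example, not
Splunk's or sigma-cli's code). RULE is constructed as the dict yaml.safe_load()
would return; LOGSOURCE_TO_SPL is hypothetical; field names are assumed to
already match the fields Splunk extracts from Sysmon, so no mapping is done."""
import re

RULE = {
    "title": "Suspicious PowerShell Download Cradle (constructed)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["DownloadString", "Invoke-WebRequest", "IEX"],
        },
        "filter": {"ParentImage|endswith": "\\sccm_client.exe"},
        "condition": "selection and not filter",
    },
}

# Hypothetical index/sourcetype; Sysmon EventCode 1 is process creation.
LOGSOURCE_TO_SPL = {
    ("process_creation", "windows"):
        'index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1',
}
TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|\bnot\b|[A-Za-z_][A-Za-z0-9_]*")


def spl_value(value, modifiers):
    """Quote one Sigma value for SPL, turning the modifier into a wildcard.
    Backslashes and quotes are escaped; Sigma's wildcard escaping is not handled."""
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    if "contains" in modifiers:
        text = f"*{text}*"
    elif "startswith" in modifiers:
        text = f"{text}*"
    elif "endswith" in modifiers:
        text = f"*{text}"
    return f'"{text}"'


def render_selection(selection):
    """Fields of a selection are ANDed; a field's values are ORed (ANDed with |all)."""
    clauses = []
    for key, values in selection.items():
        field, *modifiers = key.split("|")
        values = values if isinstance(values, list) else [values]
        joiner = " AND " if "all" in modifiers else " OR "
        clauses.append("(" + joiner.join(f"{field}={spl_value(v, modifiers)}" for v in values) + ")")
    return clauses[0] if len(clauses) == 1 else "(" + " AND ".join(clauses) + ")"


def compile_condition(condition, rendered):
    """Recursive-descent parse of a Sigma condition (precedence: not, and, or).
    Every sub-expression is parenthesised because Splunk evaluates OR before AND,
    the reverse of Sigma, so leaving precedence implicit would change the rule."""
    tokens = TOKEN.findall(condition)
    pos = 0

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of condition")
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        left = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            take()
            left = f"({left} OR {parse_and()})"
        return left

    def parse_and():
        left = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            take()
            left = f"({left} AND {parse_not()})"
        return left

    def parse_not():
        tok = take()
        if tok == "not":
            return f"NOT {parse_not()}"
        if tok == "(":
            inner = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return inner
        if tok not in rendered:
            raise ValueError(f"unsupported condition token: {tok!r}")
        return rendered[tok]

    result = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in condition: {tokens[pos:]}")
    return result


def sigma_to_spl(rule):
    """Return the SPL search equivalent to the rule's logsource and detection."""
    key = (rule["logsource"].get("category"), rule["logsource"].get("product"))
    if key not in LOGSOURCE_TO_SPL:
        raise ValueError(f"no logsource mapping for {key}")
    detection = rule["detection"]
    rendered = {k: render_selection(v) for k, v in detection.items() if k != "condition"}
    return f"{LOGSOURCE_TO_SPL[key]} {compile_condition(detection['condition'], rendered)}"
```

For the constructed rule this yields a search of the form `index=wineventlog sourcetype="..." EventCode=1 (((Image="*\\powershell.exe" OR Image="*\\pwsh.exe") AND (CommandLine="*DownloadString*" OR ...)) AND NOT (ParentImage="*\\sccm_client.exe"))`. The explicit parentheses are the point: Splunk evaluates OR before AND, so a condition such as `selection or other and not filter` copied across with its operators simply uppercased would match a different set of events than the Sigma author intended.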
Cyber Security Ops Manager at an educational organization with 1,001-5,000 employees
Mission Control helps our team prioritize critical alerts and respond to incidents more efficiently
Pros and Cons
- "It has supported our SOC by improving it."
- "I would definitely improve the risk-based alerts in Splunk Enterprise Security, helping SOC analysts to get to the drill-down searches."
What is our primary use case?
My main use cases for Splunk Enterprise Security are security operation center and incident response.
What is most valuable?
The Mission Control feature of Splunk Enterprise Security benefits my organization by providing quick alerts, making it easy for the SOC team to navigate events and find threats quickly.
I use disparate security solutions that integrate or import data into Splunk Enterprise Security. This integration supports our security operations effectively because we work with different tools, and Splunk apps support many integrations, so we don't need to write custom ones; it's available by default.
It has supported our SOC by improving it; in looking through many alerts, we can look at only the critical alerts, and the number of alerts investigated by SOC has changed drastically. Currently, my security ops team remediates security incidents with Splunk Enterprise Security within 45 minutes compared to our previous solution.
I would be using Detection Studio, which is one of the new threat detection features in Splunk Enterprise Security that I'm interested in. Splunk Enterprise Security has definitely helped improve my organization's business resilience; it has helped us to pass our SOC 2 audit, and we have good monitoring about security alerts and threats happening.
I assess Splunk's ability to predict, identify, and solve problems in real time as very good.
What needs improvement?
I would definitely improve the risk-based alerts in Splunk Enterprise Security, helping SOC analysts to get to the drill-down searches.
The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection include writing detection rules for new threats, finding out about the SPL logic, and writing correlation rules. In ES8, we are experiencing some issues with crashes, and whenever we open the correlation rule, it gives a Java error requiring a refresh. We had not seen that error before, however, we are seeing it more frequently in ES 8.1.
For how long have I used the solution?
I have been using Splunk Enterprise Security for five years.
What do I think about the stability of the solution?
Splunk Enterprise Security scales absolutely with the growing needs of my organization; it has caught up with our needs, and we use the tool without any pain.
On a scale of one to ten, I would rate Splunk Enterprise Security overall as eight.
What do I think about the scalability of the solution?
We have definitely expanded our usage over the five years; our utilization of Splunk has totally changed.
How are customer service and support?
I would evaluate customer service and technical support as good and satisfactory because it was not satisfactory a few years back, however, now I see some positive changes, which is good.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I used IBM QRadar.
How was the initial setup?
I would describe my experience with deploying Splunk Enterprise Security as easy thanks to the cloud.
What was our ROI?
I have seen a return on investment; though it is an expensive tool, we did see return on investment. The integration is a specific example where we see value; the basic integration with different data is easy and more adaptable. As we use more different tools, Splunk Enterprise Security is able to integrate all those things without needing to create custom integration.
What's my experience with pricing, setup cost, and licensing?
My experience with pricing, setup cost, and licensing for Splunk Enterprise Security is that it is expensive.
Which other solutions did I evaluate?
I made a change because IBM QRadar was on-premises, and we were transitioning; we had many challenges with the tool when dealing with big data, and it was not able to catch up, which is why we moved to Splunk Enterprise Security.
What other advice do I have?
I would advise other organizations considering Splunk Enterprise Security to use it and also utilize the built-in ES Content Pack, where you have many rules ready, instead of trying to figure everything out. Use that content pack to start, and once you have the basic fundamental detection rules, then you can expand on it.
On a scale of one to ten, I rate Splunk Enterprise Security an eight.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 13, 2025
Specialist-Infrastructure Operations at a financial services firm with 10,001+ employees
Effective data management and threat detection through comprehensive integration and rapid response
Pros and Cons
- "Splunk Enterprise Security provides the foundation for unified threat detection, investigation, and response, enabling fast identification of critical issues."
- "The pricing of Splunk Enterprise Security is not very affordable, and I have seen many companies planning to leave because of cost concerns."
What is our primary use case?
I'm an end user, admin, and consultant. We use Splunk Enterprise Security internally in our organization, and I also use it for my personal studies. My usual use cases for Splunk Enterprise Security include monitoring several kinds of Exchange server logs and Office 365 logs, among others, as we have multiple monitoring use cases based on our requirements in our environment. We were trying to solve multiple things by implementing Splunk Enterprise Security, particularly for monitoring our applications based on the insurance business, so we use Splunk Enterprise Security logs for security purposes and internal infrastructure monitoring, including logs matching security purposes in our Office 365 and Exchange servers.
What is most valuable?
The most valuable features of Splunk Enterprise Security are several add-ons and TAs, while the lack of a DB requirement is a significant advantage for the business, allowing easier management without needing in-depth DB knowledge. I find that Splunk Enterprise Security's ability to import data from various sources, including looking up Excel files, is quite effective, providing a good way for management.
We import data from several unique data sources into Splunk Enterprise Security, possibly more than a hundred because we have AWS and multiple servers. We have disparate security solutions that integrate data into Splunk Enterprise Security. I can still query data in Splunk Enterprise Security regardless of where it resides, and in my perspective, the query provides data quickly.
Splunk Enterprise Security has improved our organization's ability to ingest and normalize data compared to before using Splunk Enterprise Security. The unified platform helps consolidate networking, security, and IT observability tools, which is very relevant to our internal needs. Using Splunk Enterprise Security, our focus was not on reducing alert volume but on properly finding and handling alerts; we've managed to capture 100% of them effectively.
Splunk Enterprise Security provides the relevant context to help guide investigations by allowing us to share application logs and details with clients efficiently. We utilize out-of-the-box detections in Splunk Enterprise Security, and we have created dashboards that add value to our monitoring efforts. Customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security is easy; it has been a good experience without significant difficulties.
We upgraded Splunk Enterprise Security from version 8.0.4 to 9.0.6, and also from 8.1.4 to 9.0.6; it worked well with the support we received from the team, and it has proven to be very useful. Splunk Enterprise Security provides the foundation for unified threat detection, investigation, and response, enabling fast identification of critical issues.
What needs improvement?
The solution could be improved by integrating more application monitoring features and possibly incorporating AI capabilities to enhance its functionality.
For how long have I used the solution?
I've been working with Splunk Enterprise Security for six years.
What do I think about the stability of the solution?
Splunk Enterprise Security is stable and scalable, making it a good tool that is beneficial for our needs.
What do I think about the scalability of the solution?
Splunk Enterprise Security is stable and scalable, making it a good tool that is beneficial for our needs.
What other advice do I have?
I participated in the deployment process of Splunk Enterprise Security, and we performed UAT before moving it to production. It's not the most affordable solution, as I've witnessed several companies considering leaving due to cost factors. The pricing of Splunk Enterprise Security is not very affordable, and I have seen many companies planning to leave because of cost concerns.
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Manager, Information Security at a financial services firm with 10,001+ employees
Delivers efficient threat detection through big data analytics but requires improvement in reducing false positives and operational noise
Pros and Cons
- "Splunk Enterprise Security is doing its job in helping improve my organization's business resilience."
- "The biggest advantage I can see in Splunk Enterprise Security is the big data analytics."
- "There is another new term called benign positives. It is better to clearly identify each definition of those terms since it has not been popular in the industry, and everyone needs to be aware of those things."
- "The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection are the false positive alerts."
What is our primary use case?
My main use cases for Splunk Enterprise Security are threat detection use cases.
What is most valuable?
The biggest advantage I can see in Splunk Enterprise Security is the big data analytics. The simple search query with faster responding results is also appealing. My team handles large volumes of cybersecurity data. To be able to search against such a big amount of data with efficiency is the key driver for my team to do threat detection and data analytics.
What needs improvement?
Splunk Enterprise Security can be improved in many ways. I am very happy to experience the AI-powered security platform they are going to show us in the new version. Better identification of true positives and false positives should be included in future releases.
There is another new term called benign positives. It is better to clearly identify each definition of those terms since it has not been popular in the industry, and everyone needs to be aware of those things.
The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection are the false positive alerts. As mentioned in the keynote, there is a lot of noise. Reducing the noise to make sure the SOC is operating more efficiently is one of the challenges my team is having. The process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security is not the easiest, however, it is not the most difficult one, so I would say it is medium.
For how long have I used the solution?
I have been using Splunk Enterprise Security for seven years.
What do I think about the stability of the solution?
I have experienced downtime, crashes, and performance issues, with the most recent one being a data ingestion issue from another security platform. This key data source is not being ingested, causing some downtime.
What do I think about the scalability of the solution?
Splunk Enterprise Security does not scale efficiently with the growing needs of my organization. Since it is on-premises, we have some scalability issues, and there are other new players coming up.
We have expanded the usage of Splunk Enterprise Security several times.
How are customer service and support?
I would evaluate customer service and technical support as adequate since my team does not deal with it directly. Another team dealt with them, and I found it to be acceptable as they have 24/7 support all over the world.
They hand over to the next team in another country, but sometimes it takes time to do the transfer, and we have to explain all the problem issues again, which can be frustrating. For that, I would rate it a five.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Prior to adopting Splunk Enterprise Security, I was not using another solution to address similar needs.
How was the initial setup?
My experience with deploying Splunk Enterprise Security is actually another team's job, however, they are doing adequately.
What about the implementation team?
My organization is moving towards risk-based alerting in Splunk Enterprise Security. My team actually built our own risk-based alerting before they released it; however, we are looking forward to integrating both.
What was our ROI?
Splunk Enterprise Security is doing its job in helping improve my organization's business resilience. There are other competitors in the same field, so I find it neither particularly good nor bad.
What's my experience with pricing, setup cost, and licensing?
I don't directly deal with pricing.
What other advice do I have?
I would advise other organizations considering Splunk Enterprise Security that the new version looks impressive. If organizations want the new, complete package, I would recommend ES Premier, as it combines ES with TIM, UEBA, and SOAR.
On a scale of one to ten, I would rate Splunk Enterprise Security a seven. I believe ES is doing its job, but it is slightly behind its competitors.
Other competitor platforms already have AI integrated, and they just announced it today, so it feels somewhat behind. However, I am looking forward to this new feature.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 11, 2025
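Two of the reviews above describe risk-based alerting: the first reviewer runs RBA to shorten mean time to respond, and the reviewer immediately above built their own risk-based alerting before Splunk shipped it. The following is an added example of the aggregation RBA performs, written to show the mechanism rather than to reproduce Splunk's implementation: detections no longer raise notables individually but write risk events against an entity, and a notable fires only when the entity's accumulated risk crosses a threshold. The risk events, the user names, the rule names, the thresholds and the windows are all constructed for this example. The two triggers have the same shape as ES's stock risk incident rules (summed score over a short window; distinct ATT&CK tactics over a longer one), but the numbers here are chosen for illustration. The `contributing_sources` field addresses the drill-down complaint in the second review: the notable carries the rules that produced the risk.

```python
"""Risk-based alerting aggregation (added example, not Splunk's implementation).

RISK_EVENTS is constructed: each row is what a risk rule writes to the risk
index, attributing a score and an ATT&CK tactic to a risk object. Thresholds
and windows are chosen for the example, not taken from any product default.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# (time, risk_object, risk_object_type, risk rule that fired, ATT&CK tactic, score)
RISK_EVENTS = [
    ("2025-09-07T12:00:00", "jdoe", "user", "Impossible travel", "initial_access", 50),
    ("2025-09-10T08:02:00", "jdoe", "user", "M365 sign-in from new country", "initial_access", 20),
    ("2025-09-10T08:05:00", "jdoe", "user", "Conditional Access policy failure", "initial_access", 10),
    ("2025-09-10T08:40:00", "jdoe", "user", "Mailbox forwarding rule created", "collection", 40),
    ("2025-09-10T09:15:00", "jdoe", "user", "Mass download from SharePoint", "exfiltration", 60),
    ("2025-09-10T09:30:00", "svc-backup", "user", "Conditional Access policy failure", "initial_access", 10),
    ("2025-09-10T09:31:00", "svc-backup", "user", "Conditional Access policy failure", "initial_access", 10),
]


def risk_notables(events, now, score_threshold=100, score_window=timedelta(hours=24),
                  tactic_threshold=3, tactic_window=timedelta(days=7)):
    """Return one notable per risk object whose accumulated risk crosses a threshold.

    Two triggers are evaluated per object: the summed score of risk events inside
    score_window, and the number of distinct ATT&CK tactics inside tactic_window.
    A single noisy low-score rule therefore never fires on its own; it needs
    either many repeats or corroboration from other tactics.
    """
    now = datetime.fromisoformat(now)
    by_object = defaultdict(list)
    for ts, obj, obj_type, source, tactic, score in events:
        by_object[(obj, obj_type)].append((datetime.fromisoformat(ts), source, tactic, score))

    notables = []
    for (obj, obj_type), rows in sorted(by_object.items()):
        recent = [r for r in rows if now - score_window <= r[0] <= now]
        weekly = [r for r in rows if now - tactic_window <= r[0] <= now]
        total = sum(r[3] for r in recent)
        tactics = {r[2] for r in weekly}
        triggers = []
        if total >= score_threshold:
            triggers.append("risk_score_threshold")
        if len(tactics) >= tactic_threshold:
            triggers.append("attack_tactic_threshold")
        if not triggers:
            continue
        notables.append({
            "risk_object": obj,
            "risk_object_type": obj_type,
            "triggers": triggers,
            "risk_score": total,
            "tactics": sorted(tactics),
            # Contributing rules, so the analyst can drill down from the notable.
            "contributing_sources": sorted({r[1] for r in weekly}),
        })
    return notables


if __name__ == "__main__":
    for notable in risk_notables(RISK_EVENTS, "2025-09-10T10:00:00"):
        print(notable)
```

Run at 10:00 on 2025-09-10, the constructed data produces exactly one notable, for `jdoe`: 130 points in the last 24 hours and three distinct tactics in the last seven days, with the four contributing rules listed for drill-down. The two Conditional Access failures for `svc-backup` score 20 and never surface, which is the behaviour the first reviewer credits RBA with: the noisy rule still records risk, but the SOC only sees the entity once the risk is corroborated.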