Splunk Enterprise Security Reviews

We use it for application log monitoring.

It is a logging product. Our application generates log files, then we upload them to Splunk. We run their agent on our EC2 instances in AWS, then we view the logs through their product, and it is all stored on their infrastructure.

We have used the alerts for a lot of things. They gave us the ability to kind of make an alert simply. So, we did one for SQL injection. We also had some services which were problematic that would fail, but we figured out what log line that we could look for, so it was easy to make an alert for that.

Its usability is the best part. It is easy for our developers to use if they want to search their logs, etc.

A problem that we had recently had was we licensed it based on how much data you upload to them every day. Something changed in one our applications, and it started generating three to four times as many logs and. So now, we are trying to assemble something with parts of the Splunk API to warn ourselves, then turn it off and throttle it back more. However it would be better if they had something systematically built into the product that if you're getting close to your license, then to shut things down. This sort of thing would help out a lot. It would help them out too, because then they wouldn't be hollering at us for going over our license.

Stability has been great. I don't think we have ever had an outage from it.

We don't do a lot of searching. If there is somewhere with problems, it will probably have to be with a lot of searches, and we don't have that. We don't have many developers searching every day. It is mostly when there is a problem, then we use it for diagnostics. So, we don't put a large search load on it. However, the reliability of it has been great. It hasn't been down for us at any point.

It seems to have worked out great. We haven't had any problems yet.

I haven't used the technical support.

Before Splunk, we used Kibana and Elasticsearch. Sometimes, with them, logs wouldn't even be there. We have received an infinite time reduction there. We couldn't use what we had before, so Splunk being there and working does a lot.

The integration and configuration with the AWS environment was easy. They had the documentation. All we had to do was get their agent running on our EC2 instance, and their documentation was good for that. It worked, which was great.

The product is also integrated with PagerDuty, Slack, and AWS. Those integrations are good and seamless.

It has made life easier for us through use, then by troubleshooting problems. It reduces the cost of the intangibles.

The pricing seems good relative to the other vendors that we have had here. However, they need to find ways to be more flexible with the licensing and be able to deal with situations where we start generating more logs. Maybe having some controls in the Splunk interface to turn it off, so we don't have to change anything in our application.

We have an existing contract with Splunk, so it makes sense to stay with them for now. Our license is for a 100 GB/logs a day.

There are a lot of vendors in the space at the conference this year. Therefore, we probably talked to six or seven different ones, and the market seems to be consolidating. The market's metrics and log monitoring all seem to be rolling up into a single provider. It looks like that is what will be happening in the next few years.

Right now, there are a ton of different smaller providers doing little pieces of this and that. All the big players, like Splunk, New Relic, and Datadog, seem to be rolling them all up into one offering. 

Implement something and watch how much data you are sending to it, then have some way to shut it off without redeploying your app in case things get hairy.

We use the cloud version of the product.

I use Splunk Enterprise Security for threat hunting.

The end-to-end visibility provided in the dashboards is great for our needs.

Splunk Enterprise Security allows monitoring across multi-cloud, on-prem, and hybrid environments.

Splunk does a good job of ingesting and correlating data.

Splunk provides real-time monitoring.

 The framework's features, such as the MITRE ATT&CK framework, are great.

Our MTTR has improved with Splunk. It has improved our investigation time.

The most valuable features of Splunk Enterprise Security are the enterprise search bar and the dashboards.

The threat intelligence management feature would benefit from a broader range of APIs for enhanced integration. This would facilitate seamless connection with various threat intelligence platforms, as some currently are missing APIs, making integration difficult.

The high cost of Splunk Enterprise Security prevented us from using its full capabilities. 

I have been using Splunk Enterprise Security for one year.

Splunk Enterprise Security has been largely stable, experiencing only a few brief periods of downtime.

We use Splunk and Sentinel for different purposes mainly due to cost factors not because one is better. For example, we use Splunk more for network traffic.

The price of Splunk Enterprise Security fluctuates based on the customer, but I believe it's quite costly, especially for our clientele. Furthermore, to access the full range of features, it's exceedingly expensive to have comprehensive log data.

When evaluating SIM tools and considering the cheapest option, Splunk Enterprise Security might be worth considering, especially for larger organizations. While cost is a factor, Splunk offers significant value, and I recommend it over focusing solely on price.

I would rate Splunk Enterprise Security seven out of ten.

We mainly use the solution as a reseller. We give our users the latest version of the product. 

The solution is the market leader.

Our customers are always looking to partner with market leaders as you can't go wrong with them.

Customers can monitor cloud environments. 

The threat detection capabilities are quite fast and efficient based on my customer's feedback. 

We've used the MITRE ATT&CK feature and it's good. It's pretty standard and comparable to IBM. Most products offer this as well. 

It's good for analyzing malicious activities. It's good as an overall platform. It's good at detecting threats. It's a basic feature that is quite effective.

Splunk can help to reduce alert volume if you configure it properly.

They are a market leader in a lot of areas in terms of features and functions. 

It helped us speed up security investigations. I'm not sure of the exact percentage it helped us speed up by, however.

It has a lot of basic and standard features. 

It is a full-fledged solution that provides everything a company needs.

When it comes to malicious activities, however, it's rather overpriced. There are cheaper ways to detect.

There are quite a lot of security platforms on the market that do the same thing in a similar way at a cheaper rate. 

The pricing could be a lot lower. I'm from Asia, and they need to provide Asian pricing. They should price better for the region they are in. Once companies see the price, it puts them off. 

The integration could be a bit better. They charge for certain integrations. 

I've used the solution for about a year or more. 

It is a stable product.

The solution is used across multiple departments, not locations. That said, it would support multiple locations. 

We've had no issues with scalability. We usually have a solution that lasts three to five years and have had no issues scaling in that time.

I do not directly deal with technical support. 

We previously used many solutions, such as IBM. The implementation times are about the same. There are some ways that IBM is faster and other ways Splunk is faster. However, Splunk offers a more modern look.

The initial setup is very easy. It's quite straightforward. The process is similar to IBM. The deployment takes less than one day. It is done by a different team. I don't handle the initial implementation process.

The maintenance needed is very minimal. We have at least ten people that can handle deployment and maintenance. 

The solution is quite expensive compared to the competition. It's considered a premiere security option. 

We also looked at Dynatrace before choosing Splunk. 

I'm a registered partner of Splunk. 

We are using the latest version of the solution. 

We haven't used the threat intelligence management feature. We usually use another product.

The mission control feature hasn't been used. I'm not familiar with it.

For those looking for a cheaper product, I'd suggest, if they had a limited budget, to go cheaper. Likely a cheaper option that can do the same work as Splunk. At the end of the day, whether you choose a Toyota or a Rolls Royce, you get from A to B the same. The price is the differentiation. 

I'd rate the solution eight out of ten. It's a good product overall. 

I used Splunk ES when I worked for a retail company. I worked mainly in the security operations center. I have also worked in healthcare and federal spaces.

Splunk ES provided the organization with overall visibility.

Incident Review and correlation search are valuable features. These features help us create correlations and have good actions afterward. The product provides visibility and enables us to correlate data and generate alerts.

The product could be cheaper.

I have been using the solution since 2014.

The tool is very stable. Once we set it up properly, it's reliable.

The solution's scalability is good. When we started, we had two servers and two indexers. By the time I left, it was up to 11 or more. It's not very hard to add additional components.

The support team is usually very receptive and answers quickly.

Positive

The initial setup was easy because I had done it many times before.

I used the solution until December last year. It was not very hard to monitor multiple cloud environments using the product because getting data into Splunk is not very hard. It also provides add-ons that we can use to pull data from other places.

Splunk was the brain of the whole process in our organization's security operations center. Without Splunk, we wouldn't have had any way of seeing what was going on. The tool helped reduce our mean time to resolve. We got alerts faster and responded to them faster.

The biggest value of the conference is the community. The conferences help me interact with people, get insights and up-to-date information, and also get opportunities to present my work. There's always room for change.

Overall, I rate the tool a nine out of ten.

Enterprise security is the solution’s most valuable feature.

Its reporting functionality is excellent.

I really like the user interface and how it works.

It’s scalable.

The solution is stable.

You can integrate any other tool or any other solution, including existing solutions, with Splunk. They have a good setup.

The log analysis is something that is good. In general, data analysis is something you can do in Splunk in various ways. You can leverage it as per your requirements or as per your investigations. You can write your own queries and complicated queries, and you can have your own alerts. You can correlate events. It’s very flexible.

It is one of the best tools that I'm using. I don't have any feedback as such right now regarding improvements. I'm not also an expert, so maybe I'm missing something.

Writing queries is a bit complicated sometimes. If they could provide some building queries, that would be great.

It's been a while. For maybe four years, I've used Splunk, however, I'm not an expert on it.

It's a stable solution. We are not going to get rid of it anytime soon. It’s reliable. There are no bugs or glitches and it doesn’t crash or freeze. The performance is good.

The solution scales very well.

I wasn't part of the engineering side, so I never got a chance to contact the support team directly.

We have a SIEM solution, however, now the company is also trying to move to an Excel solution since the automation is better on their side. We aren't going to get rid of it or did not have any other SIEM solution in their mind when they were acquiring it. However, if any XOR solution works perfectly for us, the company might consider moving out of Splunk.

A different organization would have a different setup of Splunk. If you ask me, mostly, it is a simple setup. However, here in my current organization, it is mostly on the cloud, and a lot of things are integrated in a bit of a complex manner. I also understand that this changes from organization to organization in terms of how they will leverage it.

I’ve never looked into ROI and have not been a part of conversations concerning ROI.

I don’t have any idea what the cost of the solution is. I don’t handle the licensing.

A company that wants to leverage Splunk should understand its environment first - including the organization, the network infrastructure, and the overall infrastructure. Then, based on requirements, they should go ahead with any SIEM solution. Splunk is kind of an expensive tool to have. Therefore, the company should be clear about what requirements they have, what they need, and whether they want to use Splunk. It is very crucial to understand your requirements and your network or your environment first before going ahead.

I’d rate the solution eight out of ten.

Overall, it's a good tool. It's a very intelligent tool. It definitely depends on how you are going to use it. However, I love the product. I love Splunk. I want to learn more about it as much as I can.

I have some experience with the solution, since I am working with customers who are interested in part time help monitoring their network and have been helping them fine-tune the rules in the solution's platform. The way the primary task works is to watch for and then respond to the threat. Should there be a need, I usually work with a team in fine-tuning the rules on this platform. We are providing the products.

I recently started working primarily on the Playbooks of the Splunk Phantom, so I've been creating some of these to help the customer automate the process of responding to the threats.

What is nice about the solution is that it makes it easy to build the queries, search for the events and then do analysis. I recently have become involved in the Playbooks, since it is painful for the client to respond to the threat, be it positive or negative. As such, I currently see the Phantom component of the solution to be of great value. Otherwise, most other features seem to be similar to Netwitness, such as the monitor log, network, and endpoint capabilities. Importantly, the solution lacks endpoint options, as these are currently deployed on Cisco, which is okay, as it works fine with that bad side of the endpoint security. This translates into them building queries, rules and then Playbooks. 

The main advantage of the solution is that it provides an easy setup platform in the new environment. When set up afresh, it is also easy to build queries. Historical queries can be used to site for a new event, which makes it easy to use, deploy and understand.

Endpoint access is the only issue I can think to mention, even though the endpoint access we have with Cisco is fine. 

I have been engaged in the production environment of Splunk for around a year and have been reading up on it for a long time.

I would rate Splunk as one of the big five platforms. I would give it a high rating based on the efficiency of the platform. 

Splunk allows one to easily scale up this platform. One can add more interfaces to that platform if he gets more data. 

I usually rely on the Splunk community for information, such as discussions of incidents and other issues which others are facing. I feel the Splunk community to be an excellent source of information for me.

Out of the three platforms I have been dealing with, I feel the initial setup of Splunk to be the easiest. I found it a bit difficult to set up a new environment with RSA Netwitness. Splunk, on the other hand, I have found to be very straightforward and an uncomplex platform. 

I have been proposing to management to take the solution to be a primary product in our dealings with it. We do not encounter many issues involving the solution. One of the problems I have with the RSA Netwitness platform is its complexity. Splunk is straightforward for us when it comes to views and it provides us the network security posture.

The ability for the solution to work with Cisco shows that the solution can work with other products. The only thing is that when the solution is compared with other vendors, one sees that there is only a single other vendor that has endpoint security like this one, Netwitness platform having its component for the endpoint. This is why an integrated endpoint would be a nice feature, even though the solution works on Cisco. 

The main advantage of the solution is that it provides an easy setup platform in the new environment. When set up afresh, it is also easy to build queries. Historical queries can be used to site for a new event, which makes it easy to use, deploy and understand. 

When it comes to a data platform, there is RSA NetWitness, which may also be a good platform. I have not done much training of my own on Splunk, but have gained much experience through learning and working with clients that I support. This is because the platform is understandable. 

I would rate Splunk as one of the big five platforms. I would give it a high rating based on the efficiency of the platform. Clearly, I cannot include Wazuh in the top five categories, as its rating is not up there with Splunk, Qradar and LogRythm.

I cannot think of anything disadvantageous about Splunk, as we are talking about a product that I like. I feel the solution has beautiful features. 

The decision to go with Splunk would depend on the business needs of the individual. I know that Splunk has both a cloud and an on-premises option. Sometimes, such as when it comes to conferences, there is no need to move some of the data to the cloud for the purpose of complying with regional requirements. There may be a need to retain some of it and a person might wish for a mixture of on-cloud and on-premises capabilities.

I rate Splunk as an eight out of ten. It is a robust platform and easy to use. 

I use Splunk on-and-off — I started with in-house projects, then moved up to commercial projects. 

Splunk can extract all kinds of data. There's no limitation on what kind of structured and unstructured data one needs to extract — it can access any kind of data, including machine-generated data. 

The ease of deploying the agent is great in Splunk. One can easily deploy the Universal Forwarder which can extract any amount of information and put it into an indexer. The flexibility of ingesting any kind of data is good with Splunk.

In regards to action-oriented tasks, If an alert is triggered where I have to perform a certain action in the form of executing a Python script or invigorating a PowerShell script — this is easy to do with Splunk. 

The Splunkbase is great. There are thousands of apps that are already available, I can install those apps with full-connectivity and use them to extract any form of data. The community in the Splunkbase is also really strong. 

The ease of integration with third-party tools is great. In the Splunkbase, there are so many apps that are easy to integrate with. 

The user interface is really good. There is a machine learning toolkit — I like it a lot. They have use cases in place so that people with little experience in machine learning can go through these examples of use cases and gain a better understanding. 

Sometimes we experience issues when formatting and configuring files; however, this is a very technical issue that's hard to explain.

When extracting the data or structuring the data in the right format, sometimes it becomes challenging. It's up to the user to understand the regex commands. 

Our customers often complain that the price of Splunk is too high.

When Splunk is deployed on the cloud, there are certain considerations that cannot be met. Cloud-based configuration cannot be done by our Splunk admin team. It needs to be routed via a ticket. You don't have more control on the cloud from a configuration point of view, whereas, with on-premise, you are in control — you can define any configuration settings. 

When you install on-premise, many types of configurations can be done but when Splunk is on the cloud, you're dependent on their specific configurations.

I started using Splunk in 2018.

The scalability is good. If you have the money, you can expand — it's volume-based, not instance-based. 

I'd say I am happy with the technical support, not elated. They provide great support, but sometimes they don't have the answers that I need. I've only ever raised two big support issues, and both times they haven't been about to fully resolve the issue. In the end, I had to figure it out myself.

We have one or two engineers that take care of all maintenance-related issues. It really depends on the scale of your project. One of our projects required a huge deployment — we needed a huge team to match. If it's a small deployment, then two people are enough.

Its cost model is dependent upon the amount of data used — how many GBs we extract in a day determines our price. The price is not dependent upon how many instances we installed in Splunk. I can install thousands of instances, but it will only charge me according to how many GBs I extract per day. 

Overall, our customers complain that the price is too high.

I would definitely recommend using Splunk. They have free learning models available. There are models available on their learning page where you can gain a better understanding of how to use Splunk. Within one month alone, you can at least understand how to operate Splunk, whereas, with other tools, it can take a lot of time to understand.

On a scale from one to ten, I would give Splunk a rating of nine. The only downside is the cost. Price is the only factor; sometimes, companies shy away from Splunk because of the price.

Our primary use case of Splunk has been on the implementation side for clients. Splunk has proven, on multiple occasions, to be extremely useful in the proactive monitoring of clients' hardware, networking, and security operations. Some use cases that we have implemented include, but are not limited to, proactive account lockouts based on machine learning of a typical person's average number of failed login attempts, aggregation of a servers logs in order to predict downtime/maintenance/hardware failures quite accurately, as well as helping administrators of all sorts to gain a full picture of their environments under a single screen.

Splunk has helped our organization mainly on our increased use of the security side. We use Splunk to monitor all machine logins (both successful and unsuccessful) and actions taken on those machines under each user. We have set up some predictive and proactive models, which are programmed to take action on anything outside of the normal usage. These actions range from alerts being sent to the Splunk page, administrators being notified, and if escalated enough, automatic account locks.

The ability to view all of these different logs, then drilling down into specific times or into specific data sources, has proved to be the greatest aspect in decreasing our troubleshooting overhead time. The added security has proven effective as well, but given that we have not yet created the perfect model, we still find ourselves striving to develop a more efficient and predictive security analysis and action plan within Splunk.

Splunk has continually been increasing its features and also expanding and perfecting its core functionality. I would like to see it to continue to improve its predictive analytics and machine learning tools. It is not to be said that they are currently lacking, I don't believe it is, but given the current state and direction of the Information Technology world, I feel as though a major focus of upcoming releases should be set on Machine Learning, Predictive Analytics, and I would enjoy to see more security focused add-ons and apps developed by the vendor.

We did about a year and a half ago. The implementation was able to notify me 34 seconds after the initial breach had happened, but our implementation was already configured to auto-logout any "suspicious" users (our internal networking team had set this detection code up) which alleviated the problem, before it really became a problem for us.

Immensely, I cannot stress enough the positive impact this has had on our security team.

Our personal implementation brings in only around 48GB to 48.5GB of events per day. Depending on the amount of remote workers in the office, it averages around 50 million events daily.

We did not encounter any issues with stability.

We did not encounter any issues with scalability. It is almost seamless to add new index (storage) or search (used to analyze the data) nodes to the cluster.

I have not personally dealt with customer service/technical support.

We did not use a different solution before. The closest thing that we would have done to this would have been personally scraping logs reactively, which cost us roughly two to three hours per issue that arose purely through log searching and remediation.

The initial setup is very straightforward, unzipping a tar, creating a service, starting the service.

My team was the team who had set up this implementation. I would be remiss if I didn't say that our level of expertise is quite high with an average of 4 Splunk certifications per person on my team.

ROI is estimated at saving my team roughly 10 to 12 man hours per week in troubleshooting for our company as well as what our profits had been from our services of installing, configuring, and supporting other clients with the product.

Setup cost is cheap: It is free, it is user-friendly, and it is fast. 

I would highly recommend anyone evaluating this option to download the free trial which allows for the ingestion of 500MB of data per day in order to get a feel for what Splunk does at its core. It will get pricey once your ingestion rates start to sky rocket, but I would consider it expensive given the amount of information that it allows you to analyze and react on straight out-of-the-box.

We evaluated the ELK Stack, of which recently we have implemented with a customer who was looking for a more lightweight, cheaper alternative that would work "Good Enough". They felt they did not need all of the bells and whistles that came with Splunk.

If you have an R&D department within your company that is looking for something new to increase the efficiencies and effectiveness of your company's operations, I would highly recommend having them get the free trial to test out.