Splunk Enterprise Security Reviews

We are using it for our SOC. We integrated it with our SOC.

We have had a couple of benefits. We are using it as a SIEM. We do log extraction and analyze them. We also use reporting and dashboards. We are using it for security assessment. It is very helpful for us to be able to see what it has been like. Based on the incidents, we can take measures to cover any gaps.

Our security posture has definitely improved since we started using Splunk Enterprise Security. We are scaling it in stages. We are not yet using it at an optimum level. We are using 50% to 60% of it. Based on the analysis that we are doing, our security posture has definitely improved.

The end-to-end visibility that it provides is very important for any organization. It is the right tool to get end-to-end visibility. We get 360-degree visibility.

Like most organizations, we are moving to the cloud. We have a hybrid environment. We have a SaaS, PaaS, and on-prem environment. It is a very good tool for identifying security incidents. There are statistics, and we can go back and forth to see exactly what happened.

Splunk Enterprise Security has improved our organization’s ability to ingest and normalize data.

It is a real-time tool. What I like about it is how they are able to bring all the logs into a single dashboard. We can quickly get what we are looking for. We have queries. That is amazing.

Splunk Enterprise Security provides us with the relevant context to help guide our investigations. We are not using it completely, but based on our usage, it is up to our expectations.

Splunk Enterprise Security has helped reduce our mean time to resolve. Previously, if an incident used to take us an hour, it now takes us a few minutes.

The dashboard is amazing. Out-of-the-box dashboard is very good. It is very user-friendly. It is out of the box. With a few clicks, the dashboard is there.

Its performance can be better. Sometimes, it takes longer when we do queries.

Their support can also be better.

We have been using Splunk Enterprise Security for the last seven or eight years.

It is very stable. I would rate it a ten out of ten for stability.

Scalability is there. I would rate it a ten out of ten for scalability.

As we are increasing our cloud and on-prem infrastructure, logs are increasing. We have to come up with policies on our side for log retention and other things, but we are able to collect logs from multiple sources.

I would rate their support a seven out of ten. Its implementation was a big challenge, and sometimes, the ticket went from one person to another person.

Neutral

We were using Alert Logic. It is good, but there are performance issues with the dashboard and other things. At times, it takes ages, whereas Splunk Enterprise Security is real-time.

Its deployment is not easy. It is difficult. It is a one-time job, and once it is done, you get the benefits. 

We had to engage a third party or a channel partner. It was the right choice.

Application-wise, we have seen a lot of improvement in our application delivery. On the security side, we are still learning.

It is pretty straightforward and based on the sizing. If I compare it with other competitors, it makes sense.

We looked at LogRhythm, but Splunk is more mature.

I would rate Splunk Enterprise Security a nine out of ten. It is not a ten because of the support.

We use Splunk Enterprise Security for security log investigation. It is a SIEM platform. Many cybersecurity and technical alerts generated by Splunk turn out to be false positives. We then analyze these alerts to determine if they indicate a genuine security threat.

We will be ingesting logs from various sources, including firewalls, databases, Windows devices, and Linux devices. These logs will be used to investigate security incidents and troubleshoot system issues. Our use cases will be brief and focused, allowing us to leverage pre-defined queries in Splunk for efficient analysis. These queries will trigger alerts based on specific security or operational criteria within the predefined use cases. We will then investigate the triggered alerts by further analyzing the corresponding logs.

Splunk Enterprise has improved our incident response time. For instance, if an end user attempts to log in to a system with an invalid password from a device using an unusual port number, we will receive an immediate alert. This could be indicative of a brute-force attack aimed at stealing credentials, making it a suspicious activity. This is just one example of how Splunk Enterprise enhances our security posture.

Splunk's threat detection capabilities are strong, and Splunk is a leading platform for SoC monitoring. To maximize effectiveness, we need to develop strong query-building skills. Additionally, we have the flexibility to fine-tune existing queries or remove them altogether once an issue is resolved.

The customizable dashboards of Splunk are good for visualization. It gives a better understanding, and the graph is highly customizable.

I would rate Splunk Enterprise Security a nine out of ten for analyzing malicious activities.

Splunk Enterprise Security helped the organization control suspicious and malicious activities.

Splunk Enterprise Security has helped speed up our security investigations.

Splunk Enterprise Security's customization capabilities enable integration with other tools like EDRs, providing real-time event insights.

I like the Splunk dashboard and search engine.

Although the technical support is adequate, there is still room for improvement.

I have been using Splunk Enterprise Security for 2 years.

I would rate the stability of Splunk Enterprise Security 9 out of 10.

I would rate the scalability of Splunk Enterprise Security 9 out of 10.

The technical support is adequate.

Positive

I would rate Splunk Enterprise Security nine out of ten.

While I understand the desire for a cost-effective SIEM solution, prioritizing security over budget is crucial. In cybersecurity, even a seemingly minor breach can have significant consequences. Therefore, choosing the best SIEM for your needs, even if it has a higher upfront cost, can ultimately save money and protect your organization.

We have Splunk Enterprise Security deployed in four locations in one country.

Splunk takes care of the maintenance of the solution.

I recommend Splunk Enterprise Security to others.

We use it in our company to log everything. We use tools like XSOAR to take appropriate actions to mitigate threats.

Splunk Enterprise Security has aided our organization in the way it provides great visibility and helps with what our company's users do with it.

I like how easy it is to integrate the logging of all of the various nodes. The product also offers nice connectors. Other features include the product's ability to allow users to customize their dashboards, signatures, metrics, and other elements, making it a very valuable and reliable tool for my organization.

I don't know if there is a need for any improvements in the product since it is one of my peers and not me who is directly responsible for Splunk Enterprise Security in our company, so I will have to ask him if there are any requirements associated with the product.

The price may be an area of concern where improvements are required. Splunk Enterprise Security doesn't indulge in whitewashing, but Cisco does it too much.

I have been using Splunk Enterprise Security for two years.

I have not seen any outages in the product in the past two years that it has been running in our company, so I think it is good when it comes to the stability part. I have had an experience with the vendor during which there were two products, one from the vendor and the other from Splunk Enterprise Security, and we saw that one of them was not able to capture all the logs appropriately, after which our company had to figure out whether it was Splunk API or the vendor's tool.

I have never used the product's customer support. My peer has contacted the product's technical support team, and it has worked very well for him.

My company used to use one of the spin-offs from IBM. My organization has used IBM QRadar.

Though I am not sure about the deployment model, I feel that since it may not be on Azure, the product must be deployed with the help of AWS.

I have experienced an ROI revolving around the product's dashboards, metrics, and other such related stuff, but I don't know how to quantify them. My peer would be the best person to speak about the product's ROI.

My peer would be aware of the product's pricing part.

There was a pre-vendor selection approach my company followed, but I don't remember the names of the products involved.

It is pretty important how the solution provides end-to-end visibility in our company's environment because it provides opportunities for shadow IT and for people to do things that they should be doing. If one is appropriately logging in, the product gives us a view and helps our company discover things that we didn't know about.

In terms of Splunk Enterprise Security's ability to help our company find any security events across multi-cloud, on-prem, or hybrid environments, I will have to say that since we are still using it, it has to be effective. If it wasn't effective in the aforementioned area, my peer would have found something else in the product. I don't have enough personal insight into Splunk Enterprise Security's ability to help our company find any security events across multi-cloud, on-prem, or hybrid environments.

Splunk Enterprise Security has helped to reduce my company's alert volume. Our organization does get alerts, and we are trained for them. I will have to ask my peer to give me the exact number associated with the alerts my company receives.

The solution provides the relevant context that helps guide our company's investigations. The context information has impacted our company's investigation process as it definitely speeds it up because we have only a single source from which we can get that, and it helps us understand what may have taken place in a particular incident that we are looking at in our organization. In our company, if we look at any of the other services, we can see whether a particular or specific user touched just a single system or ten different systems.

The solution has helped reduce my company's mean time to resolve, but I don't have numbers to explain it.

The reason why I rate the tool a nine is because of the flexibility it provides to go back to the dashboards. The flexibility to be able to customize standard dashboards and other standard things that I want to be able to grab and have them pop out and then be able to create some sort of an action against those kinds of things that I want, of which the first is the standard reporting part, which is very valuable.

To those planning to use the solution, I would suggest that they need to get Splunk to work hard on the pricing part. People also need to encourage Splunk to stay true to its roots because I have seen what has happened to some of the other tools in the market. Splunk has been acquired by Cisco. You want Splunk because of its capabilities, not because of what Cisco wants to give you.

If I consider my company's needs, I rate the overall product a nine out of ten.

We are using the solution for security. We can use it to track what has happened in our network. We can check via dashboards and alerts. We can use it for load balancing and high-performance tasks. We use it to analyze data and logs. It normalizes logs and we can detect attacks, such as brute-force attacks. We can receive information from our firewall, our Fortigate. Since we receive a lot of traffic, we have to investigate events using the solution. It provides updates on attacks. The solution helps us report on what happens in our network.

We use Splunk for security and tracking what happens on our network and it is effective at that.

We like the big data analyzer.

The dashboard and alerts are good. We can use them for monitoring to see what’s happening on our network. It’s centralized. It gives us good visibility into multiple environments. We can use it in Windows, Linux, et cetera.

We can use platforms and integrate everything together. We can see multiple environments on-premises.

When something happens, we get alerts via SMS or email. 

We use the MTTR attack feature and it is very effective to use for detecting threats.

We can also schedule reports on a monthly or weekly basis.

It’s very useful for tracking. If you can look at the steps and see what happens, you can investigate effectively, and so on.

Splunk Enterprise Security is excellent for analyzing malicious activities and detecting breaches. We can see, step by step, what happened. We can escalate and investigate and so on.

Splunk has helped us detect threats faster. The alerts are very effective.

It helped to reduce alert volume. I’m not sure precisely how much, however, it depends on how many client devices you are tracking and analyzing.

Splunk is a suitable resource for collecting logs. 

The threat intelligence management feature is something we cannot use.

We'd like Splunk to reduce false positives. 

It would be helpful to be able to configure everything a bit more. If your network is very big, it's important to customize.

The dashboard could be improved so that tracking and analysis could be better visualized.

I've been using the solution for two years. 

The solution is stable. If you have suitable resources and buy and use the correct license, you'll get fine performance. 

The ability to scale Splunk depends on your network. If it is big, you can add more resources easily. You can use a cluster and several servers. 

When you work on Splunk, it's very easy. However, when you need to reach out to support, it could be better. It would be helpful if they could respond faster. 

Neutral

I have experience with another solution called ELK; I find Splunk better, even though it is not free to use.

I've done one implementation. I installed it across several servers. How long it takes depends on the project. It also depends on how many resources you have. If it's just a small setup it might take two hours. 

The product is easy to maintain. 

I'm a customer. We cannot use the cloud versions as we are based in Iran.

I don’t have experience with the Spunk Mission Control feature.

I've worked with Splunk so far and while it's very easy to use it's not free. There are other solutions that are open-source that you could use, however, I find Splunk to be worth the price and I'd recommend it to others. 

I'd rate the solution ten out of ten. I would recommend Splunk to others.

Our customers utilize Splunk Enterprise Security for either their cybersecurity program or their data warehouse program.

Splunk Enterprise Security's threat detection capabilities are effective in assisting organizations to uncover unknown threats and identify anonymous user behavior. However, this effectiveness is dependent on using the UBA modules and having the proper infrastructure in place.

MITRE ATT&CK is the framework that we use to detect and track well-known threats. When there are well-known threats, we can utilize the MITRE ATT&CK to identify any anomalies.

Splunk Enterprise Security has its own routine and process defined for analyzing malicious activities and detecting breaches. Mainly, we baseline the client's business process and day-to-day activity and then use it to detect malicious activity through various scenarios.

Splunk Enterprise Security assists us in detecting threats more quickly. We have an abundance of unrelated and meaningless data from the raw logs, and the solution aids us in organizing and correlating this data so that we can extract meaningful events and take appropriate action. This is the primary objective for the majority of our clients. 

In most cases, we provide monitoring and intelligence to our customers based on how they use the solution. This allows other technical teams, such as PC, system support, and other tech units, to take appropriate actions. Our main role is to provide them with alerts and use case scenarios, while the detection and actions are primarily related to other aspects.

When we initially implement Splunk Enterprise Security, there are many alerts and false positives. However, with time, we are able to align our configuration with the client's requirements and do more baselining, reducing such issues.

Splunk Enterprise Security helps to expedite security investigations. Without a security solution, our security team is unable to identify threats because the log and auditing data are unrelated and uncategorized. Consequently, we cannot access them promptly. Therefore, having a solution like Splunk Enterprise Security is crucial for our cybersecurity program. For certain clients' needs, we prefer using open-source applications like ELK and ESK. However, if they opt for an enterprise and commercial product, Splunk is among the top three choices.

The most valuable feature is the DSS, also known as SPL, because it allows users to script advanced queries with limited knowledge.

The CIM model is the method Splunk uses to normalize data and categorize its important parts, but it is quite complex. Simplifying this process would assist security officers in assessing threats and using the system more efficiently.

I would appreciate it if Splunk could add the feature of importing and exporting from web servers and third-party devices during project and process development. This addition would greatly enhance the value of the solution making the maintenance for the security officer easier. 

I have been using Splunk Enterprise Security for six years.

I rate the stability of Splunk Enterprise Security an eight out of ten.

Splunk Enterprise Security can be easily scaled once it has been installed and deployed.

Cyber threat levels are increasing every day, especially during the pandemic when most employees needed remote access to their business services. As a result, many organizations experienced a surge in attacks and required a resilient SIEM and cybersecurity solution.

I have used ELK, ESK, QRadar, Graylog, and LogRhythm in the past. One of Splunk's strengths over its competitors is its dedicated DSS called SPL.

The drawback of Splunk Enterprise Security is that upon initial installation, we need to do a lot of customization in order to have an effective cybersecurity program and deliver quality service to the client.

The initial setup is straightforward, but we need to make some configurations afterward that can be a bit complex. The deployment time depends on the size, but it usually takes several months to ensure stability and requires two SIEM engineers.

Splunk Enterprise Security is hardly affordable for most of our clients, causing many of them to resort to using open source solutions instead.

In addition to the licensing fee, there is also a support and maintenance charge.

I would rate Splunk Enterprise Security an eight out of ten due to its high total cost of ownership, difficulties in maintenance, and the complexity of configuration immediately after deployment. 

Splunk Enterprise Security may not be cost-effective for small and even some medium-sized companies. While each organization has different requirements, we do recommend Splunk for medium and large organizations.

Organizations should take into account the complexity of their environment. For instance, if they have a purely vendor-based environment for their network security appliance, it may be easier for them to handle security, fabric, and architecture requirements. However, if they operate in a multi-vendor and mixed environment, they need to conduct more research on how to integrate various components. Often, they rush into negotiating their cybersecurity program without sufficient research, leading to potential problems for clients.

The primary use case is security and data analytics. In general, we manage and maintain it for our customers.

Application-wise, it's good. Searching and reporting of data analytics is also fine. The dashboard presentations are also a good feature. Overall, its functionality is great and that's why we use it.

I would like additional support for custom add-ons, as well as cloud integration. Right now we have concerns because we have to customize applications for direct integration. But on-prem, it is all functional. We have to build it on our own. Previously, they developed custom connectors or add-ons for a lot of applications. But that number can be upgraded still. There are a lot of applications in the world that are not supported.

I have been using Splunk Enterprise Security for over two years. I received Splunk certification six years ago.

The stability of the functionality is good, but there are still bugs that keep hindering things. I am waiting but they are there and that is quite common. I think they have not yet been resolved from the older versions. The stability is a seven-plus out of 10.

It's scalable for all environments. Splunk Cloud can be scaled to a small or medium company, depending on their inputs or log resources. Businesses at the high end of medium-sized, and large companies, can go with the on-prem solution.

The technical support is good. 

However, there is a lot of delay nowadays. The last time we raised a case, it took quite a long for them to come back with their first response. That's not for a P1 or P2, but if it is a P3, they don't respond at the earliest. When they respond, it is quite late and we have to ask again. The first response is never an answer. It's always a query.

Still, the people I have worked with there are all an eight-plus out of 10.

Positive

It can be deployed on-prem or in the cloud. With the latter, it is Splunk's own cloud. 

The deployment of the solution is straightforward, but there is a lot of engineering activity involved in designing the architecture. Architecture-wise, it is fine, and bringing things together is not that tough, but maintaining and managing it is a tough job because we don't work in a normal environment. We work on something that is very defined to the network. That means we have to build everything from scratch and deploy it.

The implementation strategy depends on how the customer wants things done. But in general, I go through research and then develop and design. I ask the client what sort of environment is flexible or cost-effective for them. It's done in stages. It's a matter of understanding the infrastructure and then implementing,  or designing and handing it over to them.

If there are 1,000 log sources, it takes six months to a year to deploy, depending on how the customer is supporting the process.

Every on-prem solution involves maintenance, including keeping things upgraded, whereas Splunk Cloud is managed by the vendor. The number of people involved in on-prem maintenance depends on the size of the environment and how long our update window is. For example, if we have a green zone at midnight for three hours, and we want to upgrade at least 20 to 30 servers, it will take eight to 10 people working in parallel. But for a very small environment of 10 servers, it will take four people to manage it, or if we have a large window, even three people can do it.

We do it ourselves.

The pricing depends on the bandwidth of an organization and is good compared to some SIEM tools. IBM, for example, is quite costly. But Microsoft Sentinel is notably cheaper. I have seen a lot of organizations running on Sentinel.

IBM is for quite large organizations that don't want to have their data on the cloud. Splunk has both on-prem and cloud modules and, cost-wise, Splunk is better. Internally, we cannot push everything to the cloud. That would become too expensive for us. So we have it sitting in our data center and that is good.

I have worked with a number of other solutions including RSA enVision, IBM QRadar, as well as Microsoft, McAfee, and LogRhythm. 

If we want to build an add-on feature in Splunk, we have to build an application and then integrate it. But in other applications, there is a direct integration that only requires partial development and it will start functioning.

Also, there is something called correlation in a lot of other tools. Splunk also has it but it consumes a lot of memory. If we tag all the data, it is better, but tagging consumes storage and it makes it a little tough for us to run a search. 

If we want to work towards SOAR, if there were a little bit more integration so that our customers could taste SOAR, they could then move to Splunk Phantom or other tools. Right now, people are not using automation. Everything is done manually. Hopefully, that's the next goal. Security operations will surely use SOAR and, once they start tasting it, they'll get to know how it works. They can design playbooks and start using it. That's an additional feature I would like Splunk to bring in. 

Splunk's advantage is its search capability. Its search is notably faster. With Splunk, I can search easily on keywords. That is great. It also has something called "stats" and it runs much faster. Within minutes, it gives the data from a very large set. Spunk's dashboards are also a very good thing. No other application or tool is as versatile in presenting the dashboard. It all comes down to presentation. It may take a little bit of engineering work to develop and customize, to parse the fields and fetch the data, but the presentation is good.

We use it alongside some endpoints to detect log ins outside of scheduled work hours. If someone logs in outside of that range, we generate an alert for the security team to review.

I can use the MITRE ATT&CK framework. With the data that I ingest into ES, the MITRE app gives me visibility into what I'm covering from the techniques and tactics in the framework, which is pretty cool and convenient.

At the end of the day, it's the platform receiving the logs from all the other apps. You're watching all the information in just one place, so it's basically the core tool in the company. So, it is really important that Splunk Enterprise Security provides end-to-end visibility into our environment. 

In a way, Splunk Enterprise Security helped improve our organization's ability to ingest and normalize data. However, there are a few tools that are hard to normalize or use data models. And some of the add-ons don't work properly sometimes. Not all of them, but a few.

Splunk Enterprise Security helped us reduce our alert volume by 30%.

Moreover, Splunk Enterprise Security provides us with the relevant context to help guide our investigations. And it's important because we need to set up the basis of the context of what we want to see.

Splunk Enterprise Security helped improve my organization's business resilience. It's a pretty powerful tool. We can monitor and ingest all the data, only if it's not encrypted.

Splunk platform helps consolidate networking, security, and IT observability tools. We watch all that information on just one platform, so that's pretty cool. 

The risk-based alerting (RBA) is one of the valuable features. It's a really cool concept to explain and see the impact that you're having on the company.

Splunk Enterprise Security's ability to find security events across different environments, whether in the cloud, on-premise, or hybrid, is really good. Because it gives me a lot of content out of the box, the only thing I need to do is ingest the data, and I'm good to go.

I would like to see the asset and identity lookups be more automatic and less manual. I have to search everything and type it. So it should be more user-friendly.

I have been using it for six months. 

The stability is really good. It's very accessible.

Most of the time, some docs are not available. When you see the documents, they add a link, we go to the link but it's not available. 

Also, the customer service and support have a lot of old questions that are not updated.

Neutral

It's pretty easy. The first thing you need to do is the onboarding phase. After that, you need to review that the logs that you're receiving are good. And after that, you need to start working with the correlation searches and setting up everything.

The deployment was done internally. 

We have definitely seen an ROI. It is worth it!

The pricing is always going to be different because it depends on the project you are working on and how much data you are going to ingest. But it's definitely worth it.

We directly chose Splunk to begin with.

Overall, I would rate it a nine out of ten. There are a few things that need to be more automatic because there's still a lot of manual work to use it.

We develop use cases for Splunk Enterprise Security all the time. I mostly work with the SOAR platform to ingest those use cases.

Splunk Enterprise Security helps our organization because we use it daily to solve our security use cases. We have incidents every day.

The most valuable feature is the incident review, which gives a good overview of our security incidents. I also like the solution's search functionality, which makes it easy to find things.

Splunk Enterprise Security generates our alerts, and we would have to refine the searches if we want to reduce them.

It's very important to our organization that Splunk Enterprise Security provides end-to-end visibility into our environment.

Splunk Enterprise Security has helped reduce our mean time to resolve and helped improve our organization’s business resilience.

The incident review could definitely be improved in many ways. It should be easier to run integrations from it. You can run a script from an event, but it needs many clicks to run that integration, which could be made easier.

I have been using Splunk Enterprise Security for five years.

The solution’s stability is very good, and we haven’t had any stability issues with Splunk Enterprise Security.

The solution’s scalability could have been better.

The solution's technical support is very good, and I'm very happy with the support.

The solution’s initial setup is easy.

Overall, I rate the solution an eight out of ten.