We are using Splunk Enterprise Security for collecting and analyzing logs. We are keeping up with the SLAs with Splunk Enterprise Security.
CTO at a computer software company with 11-50 employees
Reduces alert volume and remediation time, but pricing and learning curve for ML should be better
Pros and Cons
- "We can extract the metrics we want on the dashboards. We are able to react to the incidents."
- "There is a learning curve in order to start using machine learning. We have been trying to do it for three years, and we have not managed anything. It is too complex."
What is our primary use case?
How has it helped my organization?
Splunk Enterprise Security has helped reduce our alert volume. There is about 30% reduction.
Splunk Enterprise Security improves our organization’s ability to ingest and normalize data, but it requires lots of effort from our side. Splunk Enterprise Security can do that, but we also need to put effort into it. It is good enough to achieve that.
Splunk Enterprise Security has helped reduce our mean time to resolve. We have seen a reduction because doing this manually through queries is crazy. It helps to find out the root cause and things like that. It is helpful.
We have an on-prem environment. Our information security team is using the data security features. Its security features are satisfactory.
What is most valuable?
It is pretty good. We can extract the metrics we want on the dashboards. We are able to react to the incidents. We are also able to monitor the service. In addition to the incident response, we can also do investigations, fraud detection, and other things like that.
What needs improvement?
We have this issue of data versus pricing. Its pricing can be better. There should also be a more flexible licensing model.
There is a learning curve in order to start using machine learning. We have been trying to do it for three years, and we have not managed anything. It is too complex.
Its ability to identify and solve problems in real-time could be better. We would like to have pattern recognition. There should be some kind of pre-made model to help detect something. For example, at the time of the incident investigation, there should be an option to ask questions, such as if anything changed. It is pretty hard to find out the patterns that are occurring currently because you have to have deep knowledge about your log content. There should be an option to ask a question like, "What has changed as compared to a week ago?" We should be able to specify a time frame and compare.
Buyer's Guide
Splunk Enterprise Security
May 2026
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: May 2026.
896,387 professionals have used our research since 2012.
For how long have I used the solution?
We have been using Splunk altogether for probably five years.
What do I think about the stability of the solution?
It has not failed over the last year. There were no failures, so it is pretty good.
What do I think about the scalability of the solution?
Its scalability is quite good if you are willing to invest in the new design and do the manual work. You have to deploy new servers and things like that. In terms of architecture, it is scalable.
How are customer service and support?
Based on the few problems that we have had, I would rate them a seven out of ten. For an issue, we did not get the answer we needed within the timeframe we were expecting. They took more time, and some IT guys were disappointed. The experience varies from case to case.
Which solution did I use previously and why did I switch?
We were not using any similar solution previously. We were only collecting logs through open-source means. We went for Splunk Enterprise Security because we needed visibility into the logs. It was the primary requirement.
We are also using Elasticsearch. We have two parallel systems.
Splunk Enterprise Security is better in terms of query language and the capability to do great searches, whereas Elasticsearch has a little bit less functionality. It is more complicated for end-users to use. However, Elasticsearch is better in terms of pricing because they do not charge based on the daily ingestion amount. You can put whatever amount into the system. Elasticsearch also has lots of additional logging capabilities. It has Filebeat and Metricbeat capabilities, so you can use it more widely. You can also get end-to-end visibility because you can make integrity checks with it. It helps with IT operations as well. They can include these capabilities in Splunk Enterprise Security.
How was the initial setup?
Its deployment was not very complicated. It was easy.
The hard part comes after you have deployed it. You have to educate people to start using it and understand the relevant information in your logs. The configuration itself is pretty simple, but field extractions and tagging are complex.
What was our ROI?
We are just using it and doing our queries and dashboards. We have not been calculating the ROI. It has been quite easy. We invest and create our dashboards and reports. Sometimes, when a dashboard becomes too complex or too expensive, we start to think about alternatives. Other than that, we have not thought of ROI.
What's my experience with pricing, setup cost, and licensing?
The pricing can be better. We are already considering Elastic because Splunk is too expensive.
You have to pay based on per-day ingestion. There should be a more flexible model for the use cases where one day you have a huge amount, and on other days, it is quite less.
What other advice do I have?
Splunk Enterprise Security provides end-to-end visibility into an environment, but it is not our use case currently.
Splunk Enterprise Security does not really provide the relevant context to help guide our investigations because, in our country, Splunk is not represented, so it is pretty hard to get the relevant information.
Overall, I would rate Splunk Enterprise Security a seven out of ten. Its pricing is not good, and the learning curve for machine learning is not good. However, the parts that are working are working very well.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
CISO at a manufacturing company with 1,001-5,000 employees
Provides a clear picture of the current status of any incidents
Pros and Cons
- "The tool helps with advanced reports and keeps the system scalable and flexible. It provides a clear picture of the current status of any incidents. As a CISO, I see a lot of potential for future innovation, which is interesting. I've noticed better performance, especially with the reports."
- "Splunk Enterprise Security can provide more details and help CISOs resolve vulnerability situations better. The reason is that the tools we choose for data analysis and log collection cannot collect all the data and logs. Splunk Enterprise Security should help me with this, but it cannot."
What is our primary use case?
I use the solution for data analysis and log collection.
What is most valuable?
Splunk Enterprise Security helps with advanced reports and keeps the system scalable and flexible. It provides a clear picture of the current status of any incidents. As a CISO, I see a lot of potential for future innovation, which is interesting. I've noticed better performance, especially with the reports.
What needs improvement?
Splunk Enterprise Security can provide more details and help CISOs resolve vulnerability situations better. The reason is that the tools we choose for data analysis and log collection cannot collect all the data and logs. Splunk Enterprise Security should help me with this, but it cannot.
For how long have I used the solution?
I have been working with the product for four years.
What do I think about the stability of the solution?
Splunk Enterprise Security's stability is very good. The system consistently performs well, and we don't encounter many issues. Ticketing problems are minimal, which is significant because it handles a lot of logs and data persistently without causing frustration.
How are customer service and support?
The tool's customer support is good.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We chose Splunk Enterprise Security because it was simple and had better data analysis capabilities.
What about the implementation team?
A reseller helped us with the deployment.
What's my experience with pricing, setup cost, and licensing?
The tool's licensing is good and we haven't received any complaints from the team handling it.
What other advice do I have?
I haven't used it for multi-cloud environments. As for on-premise, it's meeting my current needs quite well. When it comes to identifying and solving problems in real time, sometimes it's challenging to understand the situation, and generating reports can be difficult. But overall, it's good for monitoring activities like endpoint and authentication incidents and normalizing.
The solution has helped us reduce alerts by five to ten percent. It processes data and allows us to look back at incidents to see what happened and where they occurred.
I rate the overall product a nine out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Project manager at a computer software company with 10,001+ employees
Excels in providing advanced threat detection, real-time monitoring and comprehensive security analytics
Pros and Cons
- "The technical support is among the best in the market."
What is our primary use case?
We employed Splunk Enterprise Security for one of our projects. Integrating it into our environment involved opening network ports and making necessary connections.
How has it helped my organization?
We had the opportunity to assess visibility in various environments, including on-premises. On-premises visibility has proven to be both satisfactory and advantageous.
What is most valuable?
We use the threat intelligence management feature.
We have been considering implementing certain frameworks, such as MITRE ATT&CK or threat topology features.
It contributes value by enhancing resilience, crucial for adopting a Security Information and Event Management solution. Site resilience is imperative for our organization, meeting a key security requirement.
For how long have I used the solution?
I have been working with it for three years.
What do I think about the scalability of the solution?
It provides good scalability capabilities.
How are customer service and support?
The technical support is among the best in the market. While we didn't have extensive interactions with the support team, we are satisfied with it. It offers support services locally in my country. I would rate it ten out of ten.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup was straightforward.
What about the implementation team?
The integration and initial setup of Splunk were managed with the assistance of local support.
What other advice do I have?
Overall, I would rate it eight out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Systems Engineer at a consultancy with 201-500 employees
Fine features, good monitoring, and reduces alert volume
Pros and Cons
- "We are using Microsoft 365 and we're using the Exchange Mail Service. It's good for monitoring that in particular."
- "The setup time is quite long."
What is most valuable?
The features are fine; they aren't exceptional in any way.
We are using Microsoft 365 and we're using the Exchange Mail Service. It's good for monitoring that in particular.
The visibility we get has been good.
Inside threat detection capabilities are good.
It's helped us to reduce our alert volume a little. I haven't properly calculated it fully so it's hard to lay out a percentage.
What needs improvement?
We'd like to have customer service in Hong Kong. I tend to wait a while for their response. We'd like to have more best-practice rules and instructions on how to create a dashboard.
I've only been using Splunk for two years. I make use of it to incorporate other solutions. I need to spend more time mastering Splunk. Sometimes it's a little bit difficult to use. I'd like to get more certificates, et cetera, and have spoken to their main office about that. It's got a high learning curve.
It hasn't helped us speed up security investigations.
For how long have I used the solution?
I've been using the solution for about two years.
What do I think about the stability of the solution?
I've never had any issues with Splunk's stability.
What do I think about the scalability of the solution?
The solution does not lack scalability.
How are customer service and support?
I haven't had any communication with Splunk's technical team.
Which solution did I use previously and why did I switch?
I did not previously use a different solution.
How was the initial setup?
The setup time is quite long. To this point, I haven't deployed it to all servers and devices. I'm still in the process of deploying.
Which other solutions did I evaluate?
I have not evaluated other options.
What other advice do I have?
We are Splunk customers.
We do not use it in multiple environments. We just use it on-premises.
I'm not yet using the threat intelligence features.
We do not use the mission control feature.
I have not created any customized dashboards as of now. At some point, I will create one for, for example, Windows Security.
I'm still in the process of mastering threat detection and XDR.
I'd rate the solution eight out of ten. I haven't used it for such a long time, so it's hard to give comprehensive details about the solution.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Provides organizations with visibility and enables users to correlate data and generate alerts
Pros and Cons
- "The product provides visibility and enables us to correlate data and generate alerts."
- "The product could be cheaper."
What is our primary use case?
I used Splunk ES when I worked for a retail company. I worked mainly in the security operations center. I have also worked in healthcare and federal spaces.
How has it helped my organization?
Splunk ES provided the organization with overall visibility.
What is most valuable?
Incident Review and correlation search are valuable features. These features help us create correlations and have good actions afterward. The product provides visibility and enables us to correlate data and generate alerts.
What needs improvement?
The product could be cheaper.
For how long have I used the solution?
I have been using the solution since 2014.
What do I think about the stability of the solution?
The tool is very stable. Once we set it up properly, it's reliable.
What do I think about the scalability of the solution?
The solution's scalability is good. When we started, we had two servers and two indexers. By the time I left, it was up to 11 or more. It's not very hard to add additional components.
How are customer service and support?
The support team is usually very receptive and answers quickly.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup was easy because I had done it many times before.
What other advice do I have?
I used the solution until December last year. It was not very hard to monitor multiple cloud environments using the product because getting data into Splunk is not very hard. It also provides add-ons that we can use to pull data from other places.
Splunk was the brain of the whole process in our organization's security operations center. Without Splunk, we wouldn't have had any way of seeing what was going on. The tool helped reduce our mean time to resolve. We got alerts faster and responded to them faster.
The biggest value of the conference is the community. The conferences help me interact with people, get insights and up-to-date information, and also get opportunities to present my work. There's always room for change.
Overall, I rate the tool a nine out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Engineer at By Light Professional IT Services
Cost-effective, provides great visibility, and reduces workload
Pros and Cons
- "Being able to track impossible travel logins and things of that nature is valuable. We can track user logins from various IPs, various countries, and at various times to see if everything adds up."
- "My biggest struggle with Splunk in general is memorizing all the commands. If I want to know which users have logged in between certain hours, I cannot write that query out. It would be helpful to have AI so that I can explain in simple terms what I want and then the search gives that back to me. I am waiting for that."
What is our primary use case?
There is a lot that we monitor with it. We monitor outbound URLs. We monitor unusual traffic, unusual user logins, and excessive user logins. We monitor whether or not users are logging in from VPN or not, what IPs they are accessing, or whether a user is signing in from multiple IP addresses minus the VPN.
How has it helped my organization?
My organization was already using Splunk Enterprise Security when I was brought in, so I cannot say how it has improved the organization, but I can see that if they did not have Splunk Enterprise Security, there would be a significantly more workload. They would definitely need more manpower. Splunk Enterprise Security definitely helps with a lot of the prebuilt dashboards and other things that come with it out of the box.
Splunk Enterprise Security has reduced our mean time to resolve by 50% to 75%.
What is most valuable?
Being able to track impossible travel logins and things of that nature is valuable. We can track user logins from various IPs, various countries, and at various times to see if everything adds up. We can check to see if it makes sense that someone logged in from China and in the US within an hour.
What needs improvement?
There is machine learning with Splunk Enterprise Security, and based on the keynotes at the Splunk conference, there is going to be some AI involved as well. My biggest struggle with Splunk, in general, is memorizing all the commands. If I want to know which users have logged in between certain hours, I cannot write that query out. It would be helpful to have AI so that I can explain in simple terms what I want and then the search gives that back to me. I am waiting for that. That is going to be my bread and butter because my big thing is that I just cannot remember all those commands.
If you have a dashboard that is too large with too many searches, it tends to get bogged down. If you create various different dashboards, you can bypass the issue of not having enough resources to load all the things you need to load.
For how long have I used the solution?
I was brought onto the team recently. They have been using it for about two years, so I am just catching up in learning as I go. All in all, my experience with Splunk and AWS is about ten months to a year.
What do I think about the scalability of the solution?
It is very scalable.
How are customer service and support?
I have not had to interact with Splunk support. Most of the issues that I ran into can be solved by reaching out to a team member.
Which solution did I use previously and why did I switch?
I have not used any other similar solution previously. Prior to working with Splunk, it was just basic IT administration work involving monitoring with different tools, such as Trellix FireEye. I am not sure how to compare them with Splunk.
How was the initial setup?
My organization had Splunk Enterprise Security before I got in.
What was our ROI?
I have not seen an ROI because I am not at level two, but I am sure my bosses have seen an ROI.
We have definitely seen a time to value in terms of being able to take what Splunk Enterprise gives us and view it. It gives us more information in an easier way versus us doing everything ourselves. That alone saves time. If we save one second a day over a year, we are going to save minutes, so these little bits of time add up.
What's my experience with pricing, setup cost, and licensing?
The price can always be lower, but it is fair at the moment.
The cost efficiencies depend on the licensing and how much data we are bringing in. We have a fairly large footprint, so it is cost-effective.
What other advice do I have?
Being at the Splunk conference and seeing all the ways in which Splunk can be used versus the way that I use Splunk is mind-blowing. It is a Pandora's box of tools. One of the things I saw today was manufacturing and the types of data that manufacturers can receive from Splunk within the technologies that they have. It is mind-blowing. Splunk is awesome.
Overall, I would rate Splunk Enterprise Security a nine out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
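The impossible-travel check the reviewer describes, as an added illustration that is not Splunk's code or the reviewer's own searches: it computes the great-circle distance and implied speed between each user's consecutive logins, skips logins from a constructed list of known VPN egress addresses (whose geolocation reflects the exit node, not the user), and flags pairs faster than an assumed 1000 km/h ceiling. The usernames, addresses and coordinates are constructed sample values.

```python
"""Impossible-travel detection over constructed sign-in events (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumed ceiling: faster than a scheduled airliner between two logins means
# one person cannot have made both of them.
MAX_PLAUSIBLE_KMH = 1000.0


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    src_ip: str
    country: str
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def find_impossible_travel(logins, vpn_egress=frozenset(), max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one finding per consecutive login pair whose implied speed exceeds max_kmh.

    Logins whose source IP is a known VPN egress address are dropped before
    pairing: their geolocation says where the VPN exits, not where the user is,
    so they would produce false positives against the user's real logins.
    """
    by_user = {}
    for ev in sorted(logins, key=lambda e: (e.user, e.ts)):
        if ev.src_ip in vpn_egress:
            continue
        by_user.setdefault(ev.user, []).append(ev)

    findings = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if hours <= 0:
                # Same timestamp from two different places is also impossible.
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_kmh:
                findings.append({
                    "user": user,
                    "from": (prev.country, prev.src_ip),
                    "to": (cur.country, cur.src_ip),
                    "distance_km": round(dist),
                    "hours": round(hours, 2),
                    "speed_kmh": round(speed),
                })
    return findings


def _t(hh: int, mm: int) -> datetime:
    return datetime(2024, 1, 15, hh, mm, tzinfo=timezone.utc)


# Constructed sample data: documentation-range IPs, approximate city coordinates.
VPN_EGRESS = frozenset({"203.0.113.5"})
SAMPLE_LOGINS = [
    # alice: Washington DC, then Beijing 45 minutes later -> impossible
    Login("alice", _t(9, 0), "192.0.2.10", "US", 38.9, -77.0),
    Login("alice", _t(9, 45), "198.51.100.7", "CN", 39.9, 116.4),
    # bob: Frankfurt, then London three hours later -> plausible
    Login("bob", _t(8, 0), "192.0.2.20", "DE", 50.1, 8.7),
    Login("bob", _t(11, 0), "192.0.2.21", "GB", 51.5, -0.1),
    # carol: Washington DC, then a corporate VPN exit in Sydney 10 minutes later.
    # Flagged only if the VPN egress list is empty.
    Login("carol", _t(10, 0), "192.0.2.30", "US", 38.9, -77.0),
    Login("carol", _t(10, 10), "203.0.113.5", "AU", -33.9, 151.2),
]

if __name__ == "__main__":
    for f in find_impossible_travel(SAMPLE_LOGINS, vpn_egress=VPN_EGRESS):
        print(f)
```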
Splunk Developer at a tech vendor with 11-50 employees
Helps us with both auditing and regular monitoring
Pros and Cons
- "It definitely does help with both auditing and regular monitoring. SOC does more monitoring, but ES also gives you other features that are auditing-related. The dashboards are also beneficial."
- "Sometimes the communication with support happens with multiple staff. They should reduce the time to resolution."
What is our primary use case?
Our primary use case is for security but we also use it as a soft tool. It gives us an advantage over traditional SOC or security tools. We get to use the existing data in Splunk to make use of the security.
How has it helped my organization?
It definitely does help with both auditing and regular monitoring. SOC does more monitoring, but ES also gives you other features that are auditing-related. The dashboards are also beneficial.
Our auditing team gets benefits from Splunk, not just ES but also from general Splunk Enterprise. It's cross-functional.
Enterprise Security has helped us reduce our mean time to resolution by 50%. Without it, there are many manual steps. You have to go to different products to see specific things. With Splunk, you have the benefit of seeing them together in one place.
What is most valuable?
The notable events and the incident review features are the most valuable. It gives you an overall idea of what's going on in terms of security in the environment.
I also like the automation. We write custom scripts and automate certain tasks. That's also interesting. This feature saves us time.
Splunk is capable of doing a lot in real-time with data coming in that is a terabyte in size; you can still do searches in real-time. We have correlation searches that do similar functions.
It has a lot of the features we're looking for.
For how long have I used the solution?
I have been using Splunk Enterprise Security for a year and a half.
What do I think about the stability of the solution?
It's quite stable. It's a mature product.
What do I think about the scalability of the solution?
We can make it as scalable as we want. We can scale it horizontally as much as we want on our cluster.
How are customer service and support?
We get support when we need it. I would rate support an eight or nine out of ten. There's always learning and improvement to do. Sometimes the communication with support happens with multiple staff. They should reduce the time to resolution.
How would you rate customer service and support?
Positive
What other advice do I have?
I would rate Enterprise Security a nine out of ten. Not a ten because everything has room for improvement.
The biggest value of the Splunk conference is meeting people.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer.
Security Compliance Program Manager at an educational organization with 5,001-10,000 employees
Incorporates a lot of elements that help to reduce security risks but the architecture isn't well-defined
Pros and Cons
- "Splunk incorporates a lot of elements that help to reduce security risks. For it to reach certain compliance, we need to have some security insight. Splunk is a very good SIEM, it’s a top solution, but the best feature is its cost of visibility. We have all the most important features to detect vulnerabilities or risks."
- "I have concerns about the architecture as well since I can see it is not very well defined."
What is our primary use case?
Splunk helps us to be proactive and it integrates with many devices. It offers visibility from many different levels, areas, zones, and devices rather than from a single system. We can use this intelligence to create correlations, system solutions, etc. Splunk reduces the risk factors and helps us in many ways beyond just collecting logs. Though Splunk is costly, it has many features like threat intelligence which is very useful. It helps us be proactive about reducing risks.
What is most valuable?
Splunk incorporates a lot of elements that help to reduce security risks. For it to reach certain compliance, we need to have some security insight. Splunk is a very good SIEM, it’s a top solution, but the best feature is its cost of visibility. We have all the most important features to detect vulnerabilities or risks.
What needs improvement?
Customers cannot manage or maintain the servers on the cloud since they are all deployed. Since there are platforms, they can become a little bit hectic. One of my other observations is that the applications that are available on the store are not updated as much as those available on on-prem.
Moreover, I have had issues with the Splunk store. I believe that the developers in the Splunk store are external and I can see that the level of maturity of these developers ranges between low and medium. I have never seen the maturity go up higher. The applications are not maintained regularly and it can cause issues in the visibility dashboard. I would suggest to Splunk's tech team to keep the store private, so that Splunk creates its own applications without the interference of external developers.
I have concerns about the architecture as well since I can see it is not very well defined. However, this is not the case with on-prem. We were able to manage and do whatever we wanted on the server level without opening a case or anything else. Moreover, the applications are updated every six months.
What do I think about the stability of the solution?
Splunk is a stable solution.
What do I think about the scalability of the solution?
Splunk is a scalable solution. I am also impressed with the integrity of the solution. It is very good at collecting logs.
How are customer service and support?
To resolve issues in the Splunk platform, you need to wait in a queue and then open a ticket with the support team. I find it a bit time-consuming since it takes time to call tech support and get what you need.
Which solution did I use previously and why did I switch?
I have used Wazuh. From my point of view, Wazuh is a simple and basic SIEM solution compared to Splunk in terms of features. I don’t see Wazuh as a competitor to Splunk. Wazuh relies greatly on human tactics. It is best suited for cloud environments and maybe smaller ones. I have issues with Wazuh’s stability as well because I have found scenarios where it was working for one instance and not for another. These issues might be because it is open-source.
Wazuh is not actively working on their platform. I opine that they need to integrate many components and have many aspects automated so that the solution does not depend on its users. I have found issues with the language of Wazuh as well. It requires a lot of resources and time to learn the language. These issues make me think that Splunk is better than Wazuh.
How was the initial setup?
The initial setup process for Splunk was simple. The language used in Splunk is very easy to pick up and you can rely on any person using it to be able to learn it quickly. The language and picking up logs are easier with Splunk.
What about the implementation team?
I implemented Splunk through a POC.
What's my experience with pricing, setup cost, and licensing?
Splunk is costly but it’s worth it due to the high-end features.
Which other solutions did I evaluate?
I have worked with Wazuh and ManageEngine Endpoint Central.
What other advice do I have?
I would rate Splunk Cloud a 6.5 out of 10, but plugged on time, I would give it 8.8 out of 10. The maintenance of Splunk is a bit difficult due to the time-consuming tech support.
I would recommend Splunk. I cannot compare Splunk with any other SIEM solution because I have worked with many different solutions and logarithms, like the ManageEngine Endpoint Central, and Wazuh. I have used Splunk for two years and I can see Splunk as really the best SIEM solution that can be used for work. I totally recommend it. Even though I gave some negative feedback, it's because I am coming from a product perspective. We have to also take into consideration the security perspective. I am not talking about only visibility, in which they should take a lot of care, but the way the solution is handling and even manipulating the data. This is the most valuable thing.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.