Splunk Enterprise Security Reviews

Splunk Enterprise Security has given me quite a context of how I will approach deploying use cases. I'm also using other tools that Splunk sells. The query-based Splunk deployment certainly needs a specific knowledge requirement because knowledge transfer has to be there. There has to be practice on the query side because the query is the main part of understanding Splunk.

In other tools, it's just click and drag where you take the fields from one place and copy-paste them. There is a learning curve in the context of understanding Splunk, which is difficult for every user to grasp within a short time. It is easy to use the solution after having that knowledge. There is a certain learning curve to learn Splunk query language.

With Sentinel, you can click on the field and select it, but with Splunk, we have to write queries to understand what is in the logs and understand certain fields from the logs that are visible to us. We need to know what kind of fields we need, how to create statistics or tables through it, and how to create visibility of reports through query because everything is through query. A query is the main thing for Splunk. There is a learning timeline that users will have to cover to benefit from Splunk because that is something that a user has to be careful about.

We use Splunk Enterprise Security to serve our clients. Our clients from the financial and health sectors deploy the solution in their environment for cloud visibility. Our clients use the solution to find any threats or vulnerabilities inside their environment. We use the solution to get use cases, reports, dashboards, or visibility onto their environment. We use the solution to detect any attack or malicious intent of users inside the environment. We try to create use cases specific to their environment through Splunk Enterprise Security.

Splunk Enterprise Security has a learning curve that needs to be improved. I have seen users struggle with Splunk just because of the language they've used to create it. I've recently started working for the past three months on Sentinel. The same thing happens with Sentinel, where you select certain things, and it will create a query for you.

It would be great if I could have a certain dialogue box in Splunk that uses innovative AI tools like ChatGPT, which are available now in the tech department. If a user is struggling, they can just ask an AI tool what they are trying to do with a query, and then it can suggest how a query can be written for a particular user. It can help in a way to understand the context of what the user is trying to write, which will be very helpful for ongoing operations.

Even if users have zero knowledge, they can get comfortable with Splunk much more easily if an AI tool helps them write a query or search for any indexes or data models. It will be able to give more context to the user regarding how they should approach the query. This can be done using AI tools like ChatGPT, which will understand the context of what the user is trying to approve and give suggestions based on it.

I have been regularly using Splunk Enterprise Security for the last seven months.

Splunk Enterprise Security is stable 70 or 80% of the time. However, the query gets slow whenever a large number of people are working on Splunk.

Splunk Enterprise Security is a scalable solution, but the scalability part impacts the solution's performance.

We have not yet contacted Splunk's technical support, but we do get regular emails from them providing some context of updating something or threats and vulnerabilities. They do provide a certain kind of visibility, which I do like. They provide their clients with insights into what kind of threats might be present or what kind of composition they're trying to resolve. They give quite a library of expertise and particular emails.

The documentation side of Splunk is something that I appreciate as a Splunk user. This is something that is not visible in other environments. Splunk has taken a step ahead compared to other SIEM tools in providing context for understanding the documentation of how the tools work and how you can utilize the tools.

There is a great learning website for Splunk users, where they provide sets of videos. A small environment will be deployed for users to test and understand the queries. That is something which Splunk has invested quite heavily in, which is very much appreciated by the users. We can easily learn Splunk from their environment and understand any attacks happening because they've already provided so much of the content library. That is great from Splunk's perspective.

Our client already had Splunk working for them for the past six to seven years. The earlier version of Splunk was not reliable and stable to deploy because it used to take so many resources. Even though it has decreased now, the resource requirement is much greater than other tools. Certain organizations or start-ups feel a little bit restricted because, despite being a great tool, they can't use Splunk because of its cost features.

Some organizations use basic SIEM tools like QRadar, which is a great tool. Some organizations use LogRhythm. LogRhythm has a market presence since it also writes great insights into the dashboard. Splunk has certain tools that precede other SIEM tools. QRadar and LogRhythm are used because they are very intuitive and don't require any previous knowledge of using those tools. With Splunk, you will have to understand the context of using a particular field or setting and what it provides you.

The ease of deploying Splunk Enterprise Security is very good. You can get visibility on which particular device you are receiving logs from, give them an index name, and give them a field where you want the logs to go. That is something good that we can understand directly from Splunk. We don't have to go and do that manually from different tools. That was one of the good things while implementing the solution.

From the client team, two people were involved in the deployment process. One person was from their implementation team to understand how the tool is deployed. Another person was from the admin team of engineering, where they were trying to understand what resources they needed to deploy to get usability of plans. A third person was there to understand the context of how the log will be initiated into Splunk.

That is something that was required from their environment. From our side, there were three resources with expertise in Splunk. They were the first hands-on people who were working on the implementation side. Later on, I came into the picture so that implementation could be done to create visibility in the client's environment. Before passing and giving them indexes, the context was taken from us by giving us visibility into the environment and how we want to approach it.

US customers or customers with a bigger cybersecurity budget have seen a return on investment with Splunk Enterprise Security because their internal team is using it. They have seen much more return on investment regarding how their environment is visible. However, the majority of Splunk users have faced issues because of licensing purposes.

Companies cut out budgets to include a reasonable SIEM tool rather than having the costliest solution. For certain markets, it serves a purpose and gives a great ROI. One of our customers has said that it's a good investment tool. They have been using it, and they have been getting great insight. It is certainly serving them a purpose, and that's why they are using Splunk Enterprise Security.

Splunk Enterprise Security is a very good tool, but it uses many resources and comes at a very particular cost, while other tools can easily do the work. There are certain pros and cons to using Splunk Enterprise Security.

The solution's pricing will depend on enterprise to enterprise. For a small enterprise, the solution's cost of ingestion to the cloud will be very high compared to other tools. The licensing cost of data usage is much higher for Splunk than any other tool. Splunk Enterprise Security is not at all cost-friendly to be deployed in very small enterprises like start-ups. Using Splunk for small enterprises is unreliable, and I rate the solution two or three out of ten for its pricing in small enterprises.

I rate the solution five out of ten for its small to medium-enterprise pricing. If they deploy it and have expertise, Splunk Enterprise Security will give them more visibility into their environment. This tool will require licensing costs. If they don't have more environments from where they ingest logs, their data licenses will also be less.

If large enterprises can afford Splunk Enterprise Security, they must select it since the experts working on Splunk can give much more complex insight than any other tool. For large enterprises, it's a great tool for visibility because it can create complex queries, including two different indexes. That is something quite unique about Splunk Enterprise Security.

I am working with the cloud version of Splunk Enterprise Security.

Splunk has certain kinds of health issues that usually get reported. If the search query is lagging, we do check where the query is lagging. That is something that we have to refine. It's a hectic activity, which requires the workforce to understand the context because not every user with a simple understanding of Splunk will be able to do it. It requires understanding how the queries are running, how it is scheduled, and how it uses the resources.

Two sets of people work on it: the analyst from our side and those directly using resources from the client side, who work in their security department. They might have some precedence in the environment, which we might not have. We may face lagging of query and, sometimes, queuing of the query, even though we have run it. It will be the first query we are running, but it will be skewed since we don't have the precedence of running a query.

It will give precedence to other queries over ours. It's a thing that we have to manage. This usually doesn't happen with other SIEM tools. That is something where Splunk has to be less expensive or less maintenance. We are struggling because we only identify after the query has gone rogue to invest in it and spend more time resolving issues.

Until now, I haven't used the threat intelligence management feature or even the data model. I use the documentation provided by Splunk on different attacks, which we can view on their site. They already provide insight into attacks on Active Directory or AWS in their documentation library. That gives a good context of how I can search for the different kinds of attacks.

I'm also automating some of the reports on how I challenge threat intelligence. I'm also doing threat hunting in their environment for some of our clients. I'm trying to find any anomalies with the configuration in their environment, which they are unaware of.

Suppose someone gets a response from their environment regarding weak encryption or a configuration that provides certain privileges to certain users, like any query or command line. We find great visibility from their documentation side. We will need time to get acquainted with Splunk threat intelligence management.

Earlier, I started using Splunk Enterprise Security in 2021. I had a trial with Splunk Enterprise Security and contacted the Singapore team to understand the solution. I was working in a startup and wanted to integrate this solution. I was able to get a trial period for three months. I was able to deploy it on the whole server and learn about the Splunk query language. After the trial, we couldn't purchase Splunk as it's a costly tool.

I initiate use cases, analyze the logs, and implement new logs. Since Splunk supports add-ons specifically for different services, we have created plug-ins to integrate any new AWS logs. Implementation of logs also falls under our category. My main job is cybersecurity. I need to understand all the logs to create use cases that cannot be specifically created by a single person who only understands the injection. The context is important to create the use cases.

We use Splunk Enterprise Security to create visibility into the client's environment and research the threats or vulnerabilities inside their servers. We're trying to detect any vulnerabilities regularly by creating specific reports for our purposes for some exploitation, which can happen if you get certain kinds of privileges. Whenever something malicious happens, Splunk Enterprise Security will send us a report containing that specific activity's data.

I can create specific queries to get reports, which I have not observed in other tools. The same can be replicated for the dashboard or vice versa. Splunk already provides a library of use cases regarding attacks. Their website also has a great amount of documentation on how to search for different kinds of attacks in an environment using certain scripts.

It's very good for users to go through their documentation. Users need not purchase a second solution or outside inventory to get visibility about the kind of attacks they can see. That is something Splunk has already prepared for its clients or users.

Everything concerning Splunk Enterprise Security is quite different from other tools. Splunk Enterprise Security has features that are very different from other vendors. These features include viewing correlation or drill-down searches of specific use cases, mapping those comments, and closing any alerts triggering the incident review.

The solution gives us some visibility on the use cases directly. Query is one of the strongest things that Splunk has. With the respective data models, we can create queries running much faster than other environments.

Splunk Enterprise Security gives certain advantages of deploying and automating some of the things we usually do manually in other tools. One of the biggest advantages of the solution is that we can detect threats and vulnerabilities in the environment by creating certain dashboards that give visibility. We can create certain reports, giving us continuous activity reports of anything malicious. We can schedule it at a specific time and send it as a mail.

That gives Splunk a greater advantage of providing insight to the person trying to see any kind of threats or visibility. The solution is intuitive because it lets you choose how you want to be notified regarding any kind of threat. I can correlate from one index to another by correlating searches by stretching one of the fields from one index and then searching for that information in another index. That is not quite possible in other tools and is unique to Splunk Enterprise Security.

With Splunk, we can correlate between any kind of endpoint device, what IP they are mapping through, and search the firewall in the same query whether that IP was allowed or not. It's a very intuitive tool that allows us to create multiple complex queries to solve a problem in a single go rather than opening different instances of different devices and then comparing them manually.

We deploy all of our use cases and reports with respect to the MITRE ATT&CK framework. We write the tactics and techniques of the MITRE ATT&CK framework inside the use cases because there are fields we can fill in about the MITRE ATT&CK framework. It is very useful for us to monitor what kind of MITRE tactics and techniques we have already covered. For anything missing out, visibility is also great so that we can monitor all the users with respect to the MITRE ATT&CK framework.

In our organization, rather than using only the field change, which covers only some parts, we always deploy use cases with respect to the MITRE ATT&CK framework. We have assessed specific use cases for every environment, whether Windows or AWS. We cover certain default use cases, which we want to create in the environment for covering the MITRE so that those are crucial for discoverability whenever something triggers.

Those are also crucial whenever we want to see how much coverage we have according to one device, like Windows log, Linux log, or AWS or Azure environment. If there is any scope of vulnerability present, someone might be trying to attack AD, and the MITRE ATT&CK framework covers it. On the MITRE ATT&CK framework side, I can put a technique they're using for a threat that might be present for initiating the attack. That gives us great visibility of providing threats.

When we are filling out the MITRE ATT&CK framework, any person from cybersecurity will be directly able to copy-paste any technique onto their Google search. They will be able to know what kind of MITRE technique we are trying to cover and how the use case will help them. That can already be done from a use-case perspective. We don't have to go to the library to know how we deployed the use case. That can be done from every different alert.

There are glitches and notes, and it gives more context with respect to the sensing tool. The main field is the activity field, where jobs are there. The usability of that particular feature, where I can see which particular job they're running, gives context to us on how the query is being run in the back end and how they are scheduling it.

If I don't have certain admin privileges, I might not be able to schedule my query. It will certainly give precedence to the admin account, and if I want to see great visibility into the search I'm doing, it will take a certain time.

Only after a certain privilege query is being run will it give precedence to my query. That is something where the distribution of resources can be separate. A separate tool can also be created for giving certain privileges to temporary users so that they can run their queries to find any threats or vulnerabilities. Also, not every query for admin needs to be run at certain privileges. It can be asked during the time of deploying whether this query requires a certain precedence.

Splunk already has specific definitions for finding threats. It can be through a network or a signature. They already have different kinds of internal assessments of how we're deploying use cases and how Splunk understands it. The same can be given to users because sometimes when we try to search for any threats, it gives precedence to other things. Even though the tool is good, it takes time to give us visibility because of the involvement of so many resources.

On the admin side, if I have certain privileges and everything is running fine, I have great visibility on understanding the use cases and deploying correlation between two different indexes to find any threat. That is great because I don't have to manually create ten use cases, where I can create five and cover both the indexes from which I want to get a query. If I want to search a user's active directory for the kind of privileges they have, I can only create a single use case and cover both.

I don't have to search for it on different use cases manually. Splunk gives great visibility into the dependents of both indexes' coverage in one field. It gives much more context. I can get output from both indexes and correlate what has happened in the user's environment much more quickly rather than using other tools.

Compared to other tools, Splunk Enterprise Security has helped us reduce the volume of alerts and visibility of fine-tuning because it provides many different aspects. I can reduce the volume of alerts by helping users. If they have certain kinds of IPs or exceptions to the rule, I can create a macro. If they have a list of things, they can directly include another macro to make it an exception.

I can create a local file, which is a very good thing for them. They can provide insight on the local file, and I can create a specific query if they want insights on that particular local file whenever something is happening. This useful feature that Splunk provides allows users to have visibility because these are the things users might have done manually on other tools.

Since some dependencies or add-ons for visibility are already inside Splunk, it gives a lot of insight into threats. It reduces threats and gives more context to what we are trying to search for. It automatically gives us a report rather than manually checking for every other field.

Compared to other tools, Splunk Enterprise Security gives context into the raw logs, which are present in my environment, and also what are the fields I'm trying to see. It gives visibility rather than showing all the empty fields, usually presented in other tools, whenever I open any alert.

There are certain fields that are empty and others that are filled. With Splunk Enterprise Security, I can directly check which particular fields I want to see. I don't have to manually go through the whole logs page and select whatever field I'm trying to see. That is a feature in Splunk for investigation purposes.

The time taken by our analyst to resolve alerts compared to other solutions is less. Other tools provide all the available fields, and a person has to decide which field they require for a particular use case.

In Splunk, you can directly point out all the necessary fields required for a particular query you are trying to run. Then, the user can easily assess which particular field they want to investigate more. This great feature from Splunk gives an analyst less time to wait for the alert and more time to do an analysis.

The recent CrowdStrike report reported that the majority of the cyber attacks are from active directories and from the carelessness of users through phishing emails. Even though the visibility needs to be there in cyber security, organizations still usually use SIEM tools, which are much cheaper. For such cheaper tools, they have to hire many analysts, and every analyst has to be on the same page to understand the context of what is going on in their environment.

If they already have a small team, they can do this work easily in Splunk. An organization needs to understand how complex their environment is. If their environment needs a certain kind of visibility, they need to go for a tool that serves their purpose of providing insight rather than going for the cheapest solution. Also, it will be much more beneficial for their hiring purposes. Relatively fewer people will be required if they can closely monitor Splunk and create queries. If certain users have already used Splunk, it will be great for them to deploy the solution.

Splunk provides much more insight concerning the closeness of understanding everything going on in their environment. A certain group of people can get the context of what is working in their environment and how they're approaching it. This is less of a hassle in other tools where every use case will be deployed irrespective of dependency on one use case.

One field or one endpoint solution will be different from an authentication tool, and they won't be correlating as such. We will have to do that manually and search for any similar field manually. Whereas in Splunk Enterprise Security, you can deploy it at once. So, less workforce will be required for deploying, understanding, and giving context to the users working on the environment inside their organization.

Our US customer has more than 15,000 to 20,000 devices deployed since it's a hospital. They have ingestion of data from every side from where logs can be ingested. Every employee working in the environment will be interacting with the internal sources. So, we see logs in every device, including laptops, desktops, medical devices, firewalls, and mobile devices. Usually, doctors get updates and visibility on their mobile devices. These mobile devices should not be attacked as they are the ones where the user data or the patient's data is exchanged very informally.

They have deployed specifically Armis to get visibility onto their network communication, which is a very good tool. They have invested in automating the resources, creating visibility onto their environment, and blocking certain communication. They can create specific playbooks with respect to it. It has given them a much more context. The same thing is not necessarily happening with other clients because they have deployed very few devices.

So, there was no complexity in understanding the environment as such. For them, Splunk provides the same insight as any other tool. For them, it's not serving the same purpose. For them, the deployment of use cases is good and not that complex. Besides that, Splunk is not serving this client's purpose because they already have fewer resources deployed. For them, Splunk does not provide any visibility or context that could not have been filled out with any other SIEM application.

I will certainly say that Splunk Enterprise Security is a great tool if you have the context and patience to learn it. It can also serve a great purpose of understanding the environment much more clearly and easily than other tools. Users will have to compare the pros and cons if they can afford it because it will be expensive for any organization.

Overall, I rate Splunk Enterprise Security an eight out of ten.

Splunk Enterprise Security provides us with both log monitoring and alerting capabilities from a centralized interface.

Splunk Enterprise Security's detection capability is good. Real-time alerts are crucial for threat detection. When unknown traffic is identified, incidents are automatically created and alerts are sent to the monitoring team for prompt action.

Our mobile device ordering website experienced a fraud attempt. We identified a surge in traffic originating from the same IP address through Splunk Enterprise Security. This allowed us to swiftly block the suspicious activity, potentially saving millions of dollars.

Integrating Splunk Enterprise Security with other tools is easy.

It is easy for us to monitor our multiple cloud environments using Splunk.

Splunk offers good visibility across our multiple environments. We can monitor roughly 80 percent of our environment through Splunk.

Splunk is our primary tool for analyzing real-time logs to detect malicious activity. These logs are then used to create security incidents and trigger alerts for further action.

We can see the benefits of Splunk Enterprise Security quickly after deployment.

Splunk Enterprise Security reduces our alert volume because it is precise and customizable.

Splunk Enterprise Security helps us speed up our security investigations by sending alerts and providing a deep dive into the logs.

Splunk's visualizations make it easy for users to understand the data. Additionally, Splunk can ingest all our data, creating a centralized and informative platform. This combination is a powerful asset for data analysis.

Splunk Enterprise Security's pricing structure could be more accessible for smaller organizations. Licensing costs can be a barrier for those with limited budgets.

I have been using Splunk Enterprise Security for 5 years.

I would rate the stability a 9 out of 10. With a stable environment, we may encounter issues 2 percent of the time.

I would rate the scalability an 8 out of 10. 

Splunk now offers SmartStore, which automatically scales storage capacity without sacrificing performance.

The support team is supportive and quick to respond.

Splunk offers Platinum, Gold, and Silver support. With the Platinum package, they respond within two hours.

Positive

We transitioned from AppDynamics to Splunk Enterprise Security, which provides a valuable single pane of glass for managing and viewing security metrics.

The initial deployment is easy. The deployment for Splunk Enterprise Security is quick.

By automating our monitoring and alerting with Splunk Enterprise Security, we've achieved a significant return on investment. This has freed up over 190 days of manual monitoring effort by our team, resulting in overall cost savings of around 30 million dollars.

The licensing costs are high for Splunk Enterprise Security.

I would rate Splunk Enterprise Security 8 out of 10.

I highly recommend Splunk Enterprise Security to anyone looking for a comprehensive security solution. It's a single tool that can monitor and manage our entire security posture, including business metrics, IT infrastructure, and security alerts. Splunk also simplifies incident creation and log management, providing a central location for all your security data.

Splunk Enterprise Security is used by 30,000 people across multiple locations in our organization.

The widespread adoption of Splunk Enterprise Security requires regular maintenance to ensure optimal performance.

Organizations with low logging volumes can benefit from using the open-source ELK Stack.

The resilience Splunk Enterprise Security offers is good.

As a Splunk engineer, I collect data from various sources, including Universal Forwarder, Heavy Forwarder, DB Connect, and Syslog to monitor application logs. This data is used to create dashboards that visualize application health and identify potential security incidents. Additionally, I configure alerts to notify teams via Slack or email when CPU or memory usage reaches critical thresholds, allowing for prompt resolution. Furthermore, I use Splunk to create KPIs and NDDs for various aspects of the organization, including a custom ITSI service for Microsoft 365. This service monitors child entities like Teams, Outlook, and Edge within a parent application, tracking metrics like team member logins and meetings, CPU usage, and memory usage. All this information is consolidated into a three-page ITSI report.

Splunk Enterprise Security helps us detect malicious activity, such as failed login attempts by unauthorized users. These attempts, whether brute-force attacks or phishing attempts, trigger alerts with detailed information about the incident mapped to the MITRE ATT&CK framework. This allows our security team to investigate and take appropriate action quickly.

We managed Splunk's large clustered environments, I oversaw data collection from roughly 750 applications via universal deployment clients. This experience, coupled with my nearly six years of Splunk expertise, made monitoring application logs and creating Splunk knowledge bases straightforward tasks. While processing task cut-off tickets from the application team could be time-consuming, the actual monitoring itself was easy to manage.

The end-to-end visibility provided by Splunk is important because our company uses applications like K-Connect and Splunk to monitor user activity across different sectors. Having previously worked in both healthcare and finance, I'm familiar with how this process works. We access user information including personal data to track their activity from start to finish within our systems. Splunk allows us to mark specific user data points for further analysis, ensuring we have a full view of user or patient activity within each organization we serve.

Splunk helps me find security events across multi-cloud and on-prem platforms. I would identify missing data by checking the last hour's timeframe (span=1h). If on-prem or cloud data was missing, I'd investigate which logs weren't being ingested, whether an indexer was down, or if a forwarder wasn't sending data. Additionally, I'd check if the application or event log volume was overwhelming the universal forwarder, requiring a queue to process the data effectively.

Splunk improves our ability to handle data from applications. This data is often unstructured or unavailable in a usable format. To make it usable, we used to normalize the logs manually through back-end commands and edit various Splunk consoles and platforms. This process transformed the data into a structured, human-readable event format, allowing us to extract the information we needed.

We can identify potential malicious activity through Splunk by analyzing database logs with SQL queries. For instance, a high number of failed login attempts within a short timeframe could indicate unauthorized access attempts. Additionally, with multi-factor authentication systems like Duo, a user logging in from two geographically distant countries within a short period might be suspicious. To address this, I've developed SQL queries that check for logins within a one-hour timeframe across different countries. These queries trigger alerts on a dashboard, allowing IT to investigate the user's IP address and determine if the login is legitimate.

Splunk has significantly improved our business resilience by providing a single pane of view for all our data. This visualization allows us to monitor for anomalies, including unusual application activity, unauthorized executables, and suspicious shell scripts running on both Linux and Windows servers. By triggering alerts for these events, Splunk empowers our organization to proactively identify and address potential threats, ultimately improving overall stability.

Splunk allows us to easily check the data for malicious activity. It also helps reduce the alert volume by allowing us to set thresholds for alerts. For example, we only receive an alert when the CPU usage exceeds 90 percent or the number of failed logs is more than 15.

Splunk helps us investigate by providing relevant context from system logs. We can search the Splunk logs for specific applications and timeframes, and then examine all the data fields for suspicious activity, failed login attempts, or any other anomalies.

It helps security teams investigate threats faster by providing a central platform to collect and analyze data from various security applications. This focus on enterprise security allows teams to identify and respond to threats across the organization, leveraging frameworks like MITRE ATT&CK to match attacker techniques and tactics.

Splunk's strength lies in its single-page view. This interface allows us to explore all our data, build dashboards with alerts, and visualize real-time information through various charts like column, bar, and pie formats, providing a full user experience.

Due to its high licensing cost, Splunk is out of reach for many organizations. Making their licensing more affordable would open up Splunk's solution to a wider range of users.

I have been using Splunk Enterprise Security for six years.

Splunk Enterprise Security is a stable solution.

Splunk Enterprise Security has excellent scalability.

The technical support is good.

Positive

The deployment is complicated  because our organization works with on-prem servers. All the data needs to be duplicated and all the searches and indexes need to happen properly.

The Splunk licensing is high.

While more affordable, alternative SIEM solutions lack the flexibility and in-depth visualization capabilities offered by Splunk.

I would rate Splunk Enterprise Security nine out of ten.

While Splunk Enterprise Security offers a user-friendly interface, its true power lies in its ability to create highly customized dashboards that streamline investigations and reporting.

We use Splunk Enterprise Security to secure our client's network and provide clear visibility.

Our client lacked an SIEM solution to comply with regulations, so we recommended Splunk Enterprise Security, and they agreed to implement it.

Splunk Enterprise Security provides complete visibility into the environment. We can add any data to the indexer, and it will begin to be displayed. All we need to do is create use cases tailored to the client's needs.

Splunk's threat intelligence management capabilities are strong, thanks to its user-friendly interface and ability to correlate data from various sources. While it competes favorably with other SIEM tools, its effectiveness ultimately depends on how it's configured.

The actionable intelligence from Splunk's threat intelligence management feature helps us understand what's happening in our environment, enabling further investigation.

We updated the IOCs within the MITRE ATT&CK framework indexing for Splunk. This allows us to compare all received alerts against the MITRE ATT&CK categories. By using the MITRE ATT&CK framework, I can identify the potential type of threat, its mitigation strategies, and the overall attack behavior. Furthermore, I can use the framework to investigate the affected hosts, their origin, and the attack vector.

Splunk Enterprise Security does a good job analyzing malicious activities and detecting breaches.

Splunk Enterprise Security has improved our detection time.

Splunk Enterprise Security has improved our clients' security posture by providing them with better visibility into vulnerabilities, along with proper mitigation strategies and clear explanations. The benefits are apparent within the first month.

Splunk Enterprise Security helped us reduce our alert volume. Initially, the high number of alerts was overwhelming because we were in a new environment, but the volume gradually leveled off and decreased by 50 percent.

Splunk Enterprise Security has accelerated our security investigations by 30 percent. It integrates seamlessly with our EDR solution, providing a single pane of glass view for all security logs.

Splunk Enterprise Security offers valuable features like seamless integration and a SQL-standard Structured Query Language for easy searching. Additionally, implementing devices is straightforward, similar to a plug-and-play process.

Splunk's insider threat detection capabilities have limitations. While it offers customization, pre-configured rules for common threats are scarce. This means we need to create our own rules, which can be effective if we have the expertise and understand our specific needs. However, behavior analytics seem less useful and have room for improvement.

Splunk's implementation process for managing multiple indexes can be complex, especially when dealing with a large number of components.

Splunk could benefit from a feature that allows users to indicate they are working on an alert or incident. This would prevent other users from wasting time investigating the same issue. Ideally, this wouldn't involve a formal assignment, but rather a temporary indication that someone is currently looking into it.

I have been using Splunk Enterprise Security for 9 months.

Splunk Enterprise Security is reliable and the stability is a ten out of ten.

Splunk Enterprise Security offers good resilience. Even for unsupported tools, simple integrations can be customized. Splunk is constantly improving.

I would rate the scalability of Splunk Enterprise Security ten out of ten.

The technical support team is excellent. They proactively identify and inform clients about any vulnerabilities or security gaps in their environment.

Positive

The initial deployment of Splunk Enterprise Security was fairly straightforward. While the documentation is comprehensive, fully deploying the solution can be time-consuming. The timeframe can vary depending on your environment's complexity. For instance, a company with 1500 to 2000 employees and a large number of systems and servers might require a month for complete deployment.

I collect the client's requirements and then open a support ticket with Splunk. The ticket will address configuration assistance and, if the deployment is in the cloud, will inquire about the client's storage needs. After I submit the ticket, Splunk will communicate directly with the client.

The deployment involves several teams, and I lead the oversight of both the deployment itself and the analytics function, ensuring a seamless process.

While some clients find the cost of Splunk Enterprise Security to be on the higher end, its pricing is comparable to other SIEM solutions. Ultimately, the value it delivers justifies the investment.

Don't simply choose the cheapest SIEM solution. Consider your organization's specific needs and environment. Even if you prioritize affordability right now, I can offer more powerful tools. However, the best solution isn't just about price. It depends entirely on your environment. Therefore, you need to establish a budget based on your specific requirements. Ultimately, the ideal SIEM solution aligns with your organization's needs.

I would rate Splunk Enterprise Security 8 out of 10.

Splunk Enterprise Security requires maintenance for new onboarding, log management, and archiving. A maximum of two people are required for the maintenance.

Splunk Enterprise Security is a robust security solution that's easy to manage after initial configuration.

We essentially use Splunk for our Security Operations Center (SOC). All of the notables that we create for the SOC are done in Splunk Enterprise Security. It is our SIEM.

I cannot put a value on it, but it has been pretty good. Previously, we used to use ArcSight. I used to do incident response when I first joined the SOC, and there were times when I used to sit down and run a search right at the start of my shift, which is at 7 AM, and I used to hope that it would be run by the end of the shift at 7 PM. I used to hope that it would run in 12 hours and not time out. When we got Splunk, it was a game changer. It took seconds to a minute depending on how intense the search was.

We monitor multiple cloud environments. It is easy to ingest data in Splunk. Based on what I hear from our customer success manager, he has customers who have issues ingesting logs, but for me, it is one of the easiest things ever. Their documentation is fantastic.

Splunk Enterprise Security has end-to-end visibility into our cloud-native environments. It is very important for us. When we first got cloud, it was like the Wild West. Anyone could spin up their own cloud infrastructure, and we would not know about it. It was public. We did not know what they were doing with it. Now, we have a better grasp and understanding of what is out there, so Splunk makes it easy for us to keep track of our endpoints that are public-facing.

Splunk Enterprise Security has helped reduce our mean time to resolve. As compared to ArcSight, it has saved at least three to four hours per incident. We utilize a SOAR platform. We do not use Splunk SOAR. We use a different SOAR platform, but with the combination of Splunk Enterprise Security and our SOAR platform, we are able to cut down our mean time to resolve. The time saved varies depending on the case. A normal case would probably take less than ten minutes per investigation. A critical P1 case would take more time, but a normal day-to-day case would take less than ten minutes for our analysts to do their work. A normal case is where a user clicks on a phishing link in an email, or your EDR solution says something happened and there is a threat actor in your environment moving laterally trying to access data.

The correlation searches are most valuable just because we are able to do things like RBA. One of the things that we started pretty recently is our insider threat program, and it has been pretty good, especially using RBAs as our framework for the insider threat.

The UI could be better. This is applicable to Splunk in general. I know that a lot of people who get their hands on Splunk are hesitant to use it just because they find it overwhelming. There are a lot of options. If you open Google.com, you just have a search bar. You just search and hit "go," but when people look at Splunk, they are just overwhelmed. I see that with our analysts. Even after training, if they do not use it every day, which they should be doing, they kind of lose it.

Its learning curve is a bit steep. It is hard for users to use it. For individuals who know how to use it, it is fantastic. It is great. For example, if you are a Splunk Cloud customer, and you had an outage or there is a maintenance window, those individuals who are power users would know immediately when it happens or they would know that there is a maintenance window coming up because they are the experts. They are the SMEs on their teams, and they are the ones creating value using Splunk. Individuals who do not know how to use it are intimidated.

We have been using Splunk Enterprise Security since 2017. It has been about six years.

Its stability is amazing. It is always up. It is fantastic.

It is awesome. When we first purchased Splunk Cloud, our ingest rate was about one terabyte or one and a half terabyte. We moved from the ingest-based license to the workload-based license three or four years ago, and now, we ingest about 10 to 12 terabytes. It is handling that just fine as if nothing has changed.

I would rate their support a six out of ten because there are times when someone picks up a support case, but they do not know what they are doing. I have to guide them. It is like, "I have already done the research. This is what needs to be done. There you go. Do it." I expect a little bit more from support in terms of having the knowledge upfront.

Neutral

We had on-premises ArcSight. We had one guy run it for our enterprise. Our enterprise has roughly over 130,000 people. We are a global company, and we had one guy run the entire infrastructure. We could tell when he took days off because it would not work. When we moved to Splunk, we went to Splunk Cloud immediately. We were one of the first Splunk Cloud customers or one of the bigger ones. That is what I was told when we made the switch.

I do not know whether we have seen any cost efficiencies by switching to Splunk Enterprise Security because I was not there during the ArcSight days per se. I was there at the very tail end, but I would assume that we have seen cost efficiencies just because ArcSight was only used by the security team, whereas Splunk is used enterprise-wide, not just by the security team. It should be cheaper for us. The value is there. It is cross-functional.

I was not involved in its deployment.

Its time to value was about a year. It took us about a year because back in 2017, we were making that conversion from an on-premise ArcSight deployment to a Splunk Cloud deployment. We had to make sure that everything that was being sent to ArcSight was sent correctly to Splunk. We had to make sure that everything was in a common information model format and that we could rebuild the content.

Splunk Enterprise Security is cheaper than competitors, but I do not know whether it is just our contract. 

Everyone says that Splunk, in general, is expensive. I have talked to many peers within our industry, and I know a lot of individuals who are moving away from Splunk just because of the price. That is one of the reasons why we are looking at other competitors to see if anyone is doing something better than Splunk and has a cheaper rate.

I have looked at other competitors. We recently looked at CrowdStrike's LogScale solution. It feels like Splunk to me. I cannot say how we would reproduce what we have done in Splunk on the infrastructure side or backend. Our environment is uniquely different. Technically, I am the only person who runs Splunk for our entire organization, similar to the way the previous person ran ArcSight for the organization. If I were to compare apples to apples, Splunk to me is still number one in that category.

Splunk's community is the biggest benefit. It is so easy to go to Slack and hit someone up. There is a good chance that you will find someone out there who has run into the exact same issue that you are having. Their documentation is fantastic. Because I am the only one who runs it for our organization, it is easy for me just to Google it, find the document, and just follow it. It is as simple as that. It gets a little dicey with XDR and all the other things that are happening in the market, such as using a data lake. Instead of putting our eggs in one basket or using Splunk, we might use something like Snowflake.

I get introduced to new ideas by attending the Splunk Conference. In the year before last, someone did a talk about business email compromises. Within our company, we did something similar, and we did it about nine to ten months before the talk. I listened to the talk to see if we were doing anything different from what they were doing. I found out that we were doing the exact same thing essentially. I thought, "We could have done a talk like this too." These talks are very helpful. For example, they showcased the attack analyzer, and currently, we are looking for an automated online sandbox, just like the attack analyzer. We have been looking at cloud-based sandboxes that are out there. Being able to see it hands-on and how it interacts with Splunk makes it much easier for us to make that decision.

Overall, I would rate Splunk Enterprise Security a nine out of ten.

We use Splunk Enterprise Security to analyze log data for log monitoring, creating use cases, onboarding, and incident response.

We wanted a single security tool that could immediately identify notable events that could be reported as security breaches, and then enable us to take intelligent action without having to purchase additional security tools.

We have two customers with hybrid cloud solutions. Neither customer is fully cloud-based. Our implementation is based on the customer's requirements, such as compliance, data ownership, and administration. We plan the implementation of Splunk cloud or hybrid models based on these requirements. We discuss the benefits and solutions with the customer to ensure that we are not breaching any compliance policies and that we are selecting the right model for their needs. Because we have multiple customers, we must also consider how to manage this process effectively.

We use multiple cloud environments for our clients, including AWS, Azure, GCP, and private cloud. We can easily integrate Splunk Enterprise Security and segregate the logs based on the type of index we create for each customer. When we create different indexes, we can segregate the types of logs based on the device type. This makes it easy to separate logs from different universal providers, different machines, and specific types of indexes dedicated to particular customers or groups.

We use threat topology and MITRE ATT&CK to create and integrate use cases for network framework detection and visualization in Splunk. Splunk helps us segregate and integrate use cases based on different threat detections and provides a complete dashboard view of how use cases match with detected threats.

When discussing MITRE ATT&CK and topology, we sometimes encounter use cases where we must ensure the logic is properly implemented to detect the threat and trigger the alert. This is because log access may involve specific teams and their associated MITRE ATT&CK tactics and techniques. We must be very specific about the information we are observing in order to derive the correct information and framework topology.

Splunk is one of the easiest solutions for analyzing malicious activities and detecting breaches. It is flexible enough to work with small teams, and it provides a broad view of the data, allowing us to segregate and fine-tune the analysis based on the customer's requirements.

Splunk Enterprise Security can help us detect threats faster when it is properly configured. We have implemented over 400 use cases for specific types of malware and other threat detection. In over 70 percent of environments, Splunk is able to detect threats faster than other solutions.

It has helped our organization improve by integrating with cloud providers. Splunk enables us to blacklist specific data types and ranges to reduce our losses, based on our requirements.

We have reduced our alert volume by around 50 percent with Splunk. When we first started creating and using Splunk use cases, we received around 700 alerts. Splunk can merge different sources of use cases into one to identify false positives, which has been very helpful for us.

Splunk has helped speed up our security investigations by almost 70 percent. We have a dedicated incident response team. They use the Splunk incident reports to help with their investigations. 

Splunk Enterprise Security comes with 300 pre-deployed use cases that can be easily customized to meet the specific needs of our organization, without the need to purchase additional tools.

We can easily identify the number of security devices and users that are authenticated on the network and present the information to the executive team.

Splunk can improve its third-party device application plugins.

I have been using Splunk Enterprise Security for five years.

Splunk Enterprise Security is stable.

Splunk Enterprise Security is scalable.

The Splunk technical support is good but their call times differ.

Positive

I previously used IBM Security QRadar, Azure Sentinel, and McAfee Network Security Platform. Splunk Enterprise Security is designed for multiple platforms and is easier to implement.

Splunk is much faster when used correctly and has many tools. With the exception of Sentinel, the other solutions do not have many tools. With Sentinel, we have to define the indexes and all those things, such as the aggregation of logs. It is easy to do searches in Splunk, even in a large environment. I find Splunk to be more efficient than the other solutions I have used in the past.

The initial deployment is straightforward. We install the solution and define the roles of each server and the data it will store. The deployment in our test environment took 13 hours.

We have seen a return on our investment in Splunk. The variety of options that Splunk provides is a great selling point for our customers.

While Splunk is more expensive than other solutions, we would still choose it because of its capabilities. Splunk is a leader in the field and provides a wider range of data and security features than other SIEM solutions.

I would recommend Splunk over any of the less expensive SIEM products. I recommend the license-based solution over the user-based solution that Splunk offers. If I had to recommend any other SIEM other than Splunk, it would be Microsoft Sentinel.

I would rate Splunk Enterprise Security seven out of ten.

The threat detection capabilities that we get by default are very basic. However, if we want to implement the most effective threat protection on the internet, we need to purchase a relevant solution for intelligent threat protection. This will provide us with more feeds for enterprise security and help us to integrate data by matching the data to the target and to the security with our Splunk.

We have 60 percent of our customers using Splunk Enterprise Security in their environments.

Splunk maintenance is required for updates. 

Splunk provides a centralized monitoring platform, eliminating the need to switch between different platforms to monitor security. Splunk provides a clear view of different security losses and incidents, and we can onboard any number of devices as needed. We can monitor our entire environment from one place, requiring only one team to monitor it. Splunk adds a lot of value currently.

I'm part of the Splunk operations team, which means I support Splunk functionality and occasionally conduct threat management onboarding. We assist various teams with threat-related tasks. If they need help bringing log sources into Splunk, we guide them through the process. Once the logs are onboarded, we create correlations to identify threats, troubleshoot issues, and help mitigate potential risks.

We handle incidents through a queue configured in our event management system. This includes automated incidents for our Splunk infrastructure, like server health checks, and user-reported issues where functionalities like the fetch score aren't working. We address all incidents, whether automated or user-raised, through this system.

We've made significant improvements to our Splunk infrastructure to support our internal teams. This ongoing effort focuses on helping application teams onboard logs from various applications for their review and troubleshooting. We've streamlined the onboarding process, improved data quality, and ensured smooth data consumption for our internal users.

Splunk Enterprise Security offers multi-cloud environment monitoring capabilities that we can utilize for our users if they require it.

We can build a dashboard in Splunk to centralize the monitoring of critical information. This dashboard can display key metrics for onboarding methods and LogSources we actively track, providing a clear view of our entire monitoring environment.

While Splunk Enterprise Security offers good threat detection capabilities, our current process limits visibility into user activity. When users request correlations, we create the code and configure everything on our end, and then they test and work on it from theirs. This lack of transparency extends to threat management, as we can't directly see tickets in their separate ServiceNow system. If they encounter issues, they share details in a document for us to review and address.

It comes with a large collection of correlation searches, but we'll need to review them to find the ones that match our specific needs for monitoring malicious activity. Once we've identified the relevant searches, we can customize or recreate them within the correlation settings to best suit our environment.

Splunk Enterprise Security helps us detect threats faster.

Splunk Enterprise Security is a good monitoring tool that allows us to track specific details by creating custom queries. For instance, to monitor a particular organization's infrastructure, we would first onboard their logs and then create queries to capture relevant information. This way, any suspicious activity, attacks, or other events would be easily identified within the infrastructure. Additionally, Splunk's checkup operation minimizes the chance of missed alerts by automatically identifying detections, ensuring near-complete coverage of around 99 percent unless there are outages or limitations with global agents.

Splunk Enterprise Security helps us speed up our security investigations.

The customizable dashboard for our security operations is a good feature.

The most valuable features in Splunk Enterprise Security are the cluster capabilities.

The licensing price is high and has room for improvement.

I have been using Splunk Enterprise Security for four years.

Splunk Enterprise Security is stable.

Splunk Enterprise Security can scale according to our needs.

The technical support has been successful in resolving the majority of our cases.

Positive

While the deployment process itself is simple, the number of personnel needed varies depending on the infrastructure size and user base. A small deployment for 50 users can be completed by two people, while larger deployments supporting over 500 users may require up to 15 people.

The Splunk Enterprise Security license is expensive.

I would rate Splunk Enterprise Security eight out of ten. Splunk improves user efficiency by streamlining workflows and enabling the detection of anomalies within data.

Splunk Enterprise Security is deployed across multiple locations in our organization.

To ensure our data remains secure, Splunk servers require monthly maintenance. This maintenance includes installing security patches that address vulnerabilities and prevent unauthorized access to our information.

My role is to design and implement and manage a strong environment. I need to ensure the available insights can be extracted efficiently and I use the solution for that. I also configure the Splunk custom dashboard and optimize searches to meet specific business needs. We also do a lot of troubleshooting and upgrading.

The security part is useful as it helps secure the entire environment. I designed the security aspect of it for a lot of applications in my company. It's the security thread within the application that we build. I'm able to use Splunk to secure the applications. 

We use the solution to monitor multiple cloud environments. We can monitor even on Amazon products. It's a good source for monitoring all types of applications. 

I can manage and correlate different kinds of searches within my environment. It's good for performance monitoring as well. I can do auditing and reporting through Enterprise Security.

The solution gives us visibility into multiple types of environments. There's a good level of cost optimization as well. It's good for end detection and prevention. I can identify anomalies and get a data view of fraudulent activities. You can uncover the source type and the IP address from where things originate.

Splunk gives us the capability to handle insider threat detection. I'm able to create my own dashboard that will visualize the information. It does depend on how you handle the configuration and permissions. 

We do use the MITRE ATT&CK framework. It helps us discover the scope of the incidents. It helps us to target incidents immediately. We're able to quickly resolve it and stop it. We get data visibility to see what's coming in, which helps us act fast. 

We can work with data from any source as long as you configure it correctly.

The solution has helped us to reduce our alert volume. You can tune your alert thresholds. You can also create rules to define your alerts. It gives you the capacity to optimize queries as well. 

They didn't use to be able to integrate with Cisco. However, this has changed now. 

Some minor features could be added. However, I need to do more research. 

The user experience could be improved. It could be more intuitive.

There should be a way to do bulk visualization reporting. 

I've been using Splunk for 7 years. 

We haven't had any downtime. The only issues come up is if there is an extension of limits. If you extend beyond your license, you may get downtime. 

The solution is scalable. It's easy to manage. 

We have contacted technical support for troubleshooting. No solution or machine is perfect. We had an issue where a new hire misconfigured some servers and they were able to offer us support. They are helpful, however, they do need to be faster in response. They do provide a to of documentation that can be helpful. 

Neutral

I'm also familiar with CloudWorks. However, Enterprise Security has more features and can provide more insights. 

I'm familiar with Dynatrace.

Splunk was already in place when I arrived. I simply tried to implement different strategies in multiple environments. 

Splunk is pay-as-you-go. The pricing depends on your use case. You only really pay for the amount of data you are dealing with. 

I'm a Splunk customer. 

People shouldn't necessarily look for the cheapest pricing. You need to look at what will optimize costs and the time it takes to secure the data. The most important thing, before cost, is being able to successfully secure your data. You should choose your solution based on your use case as well. 

I'd rate the solution 8 out of 10.