reviewer2506578 - PeerSpot reviewer
Splunk & Python Engineer at a financial services firm with 10,001+ employees
Real User
Improves our ability to handle data from applications
Pros and Cons
  • "Splunk's strength lies in its single-page view."
  • "Due to its high licensing cost, Splunk is out of reach for many organizations."

What is our primary use case?

As a Splunk engineer, I collect data from various sources, including Universal Forwarder, Heavy Forwarder, DB Connect, and Syslog to monitor application logs. This data is used to create dashboards that visualize application health and identify potential security incidents. Additionally, I configure alerts to notify teams via Slack or email when CPU or memory usage reaches critical thresholds, allowing for prompt resolution. Furthermore, I use Splunk to create KPIs and NDDs for various aspects of the organization, including a custom ITSI service for Microsoft 365. This service monitors child entities like Teams, Outlook, and Edge within a parent application, tracking metrics like team member logins and meetings, CPU usage, and memory usage. All this information is consolidated into a three-page ITSI report.

Splunk Enterprise Security helps us detect malicious activity, such as failed login attempts by unauthorized users. These attempts, whether brute-force attacks or phishing attempts, trigger alerts with detailed information about the incident mapped to the MITRE ATT&CK framework. This allows our security team to investigate and take appropriate action quickly.

How has it helped my organization?

We managed Splunk's large clustered environments, and I oversaw data collection from roughly 750 applications via universal deployment clients. This experience, coupled with my nearly six years of Splunk expertise, made monitoring application logs and creating Splunk knowledge bases straightforward tasks. While processing task cut-off tickets from the application team could be time-consuming, the actual monitoring itself was easy to manage.

The end-to-end visibility provided by Splunk is important because our company uses applications like K-Connect and Splunk to monitor user activity across different sectors. Having previously worked in both healthcare and finance, I'm familiar with how this process works. We access user information including personal data to track their activity from start to finish within our systems. Splunk allows us to mark specific user data points for further analysis, ensuring we have a full view of user or patient activity within each organization we serve.

Splunk helps me find security events across multi-cloud and on-prem platforms. I would identify missing data by checking the last hour's timeframe (span=1h). If on-prem or cloud data was missing, I'd investigate which logs weren't being ingested, whether an indexer was down, or if a forwarder wasn't sending data. Additionally, I'd check if the application or event log volume was overwhelming the universal forwarder, requiring a queue to process the data effectively.

Splunk improves our ability to handle data from applications. This data is often unstructured or unavailable in a usable format. To make it usable, we used to normalize the logs manually through back-end commands and edit various Splunk consoles and platforms. This process transformed the data into a structured, human-readable event format, allowing us to extract the information we needed.

We can identify potential malicious activity through Splunk by analyzing database logs with SQL queries. For instance, a high number of failed login attempts within a short timeframe could indicate unauthorized access attempts. Additionally, with multi-factor authentication systems like Duo, a user logging in from two geographically distant countries within a short period might be suspicious. To address this, I've developed SQL queries that check for logins within a one-hour timeframe across different countries. These queries trigger alerts on a dashboard, allowing IT to investigate the user's IP address and determine if the login is legitimate.

Splunk has significantly improved our business resilience by providing a single pane of view for all our data. This visualization allows us to monitor for anomalies, including unusual application activity, unauthorized executables, and suspicious shell scripts running on both Linux and Windows servers. By triggering alerts for these events, Splunk empowers our organization to proactively identify and address potential threats, ultimately improving overall stability.

Splunk allows us to easily check the data for malicious activity. It also helps reduce the alert volume by allowing us to set thresholds for alerts. For example, we only receive an alert when the CPU usage exceeds 90 percent or the number of failed logs is more than 15.

Splunk helps us investigate by providing relevant context from system logs. We can search the Splunk logs for specific applications and timeframes, and then examine all the data fields for suspicious activity, failed login attempts, or any other anomalies.

It helps security teams investigate threats faster by providing a central platform to collect and analyze data from various security applications. This focus on enterprise security allows teams to identify and respond to threats across the organization, leveraging frameworks like MITRE ATT&CK to match attacker techniques and tactics.

What is most valuable?

Splunk's strength lies in its single-page view. This interface allows us to explore all our data, build dashboards with alerts, and visualize real-time information through various charts like column, bar, and pie formats, providing a full user experience.

What needs improvement?

Due to its high licensing cost, Splunk is out of reach for many organizations. Making their licensing more affordable would open up Splunk's solution to a wider range of users.

Buyer's Guide
Splunk Enterprise Security
December 2024
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
831,020 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Splunk Enterprise Security for six years.

What do I think about the stability of the solution?

Splunk Enterprise Security is a stable solution.

What do I think about the scalability of the solution?

Splunk Enterprise Security has excellent scalability.

How are customer service and support?

The technical support is good.

How would you rate customer service and support?

Positive

How was the initial setup?

The deployment is complicated because our organization works with on-prem servers. All the data needs to be duplicated and all the searches and indexes need to happen properly.

What's my experience with pricing, setup cost, and licensing?

The Splunk licensing is high.

While more affordable, alternative SIEM solutions lack the flexibility and in-depth visualization capabilities offered by Splunk.

What other advice do I have?

I would rate Splunk Enterprise Security nine out of ten.

While Splunk Enterprise Security offers a user-friendly interface, its true power lies in its ability to create highly customized dashboards that streamline investigations and reporting.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
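The two detections the review above describes (alerting when failed logins exceed 15 in a short window, and flagging a user who logs in from two different countries within one hour) as an added stand-alone Python example. This is not the reviewer's own Splunk searches; the authentication events are constructed sample data and the field layout is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real data). Each event is
# (timestamp, user, country, result). The layout is an assumption for this
# example, not a Splunk or Duo log schema.
SAMPLE_EVENTS = [
    ("2024-12-01T09:00:00", "alice", "US", "success"),
    ("2024-12-01T09:20:00", "alice", "DE", "success"),  # 20 min later, other country
    ("2024-12-01T11:00:00", "bob",   "US", "success"),
    ("2024-12-01T13:30:00", "bob",   "IN", "success"),  # 150 min later: outside window
] + [
    # 16 failed logins for carol between 10:00 and 10:15
    ("2024-12-01T10:%02d:00" % m, "carol", "US", "failure") for m in range(16)
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def failed_login_alerts(events, threshold=15, window=timedelta(hours=1)):
    """Return {user: peak_count} for users whose failed logins inside any
    sliding window of `window` length exceed `threshold` (strictly greater,
    matching the "more than 15" rule in the review)."""
    by_user = defaultdict(list)
    for ts, user, _country, result in events:
        if result == "failure":
            by_user[user].append(parse_ts(ts))
    alerts = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        peak = 0
        # Two-pointer sliding window over the sorted failure timestamps.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[user] = peak
    return alerts


def impossible_travel_alerts(events, window=timedelta(hours=1)):
    """Return (user, country_a, country_b, minutes_apart) for successful logins
    of the same user from different countries within `window`.

    Checking only consecutive logins is sufficient: if any two logins within
    the window differ in country, some consecutive pair between them does too.
    """
    by_user = defaultdict(list)
    for ts, user, country, result in events:
        if result == "success":
            by_user[user].append((parse_ts(ts), country))
    alerts = []
    for user, logins in by_user.items():
        logins.sort()
        for (t_prev, c_prev), (t_cur, c_cur) in zip(logins, logins[1:]):
            gap = t_cur - t_prev
            if c_prev != c_cur and gap <= window:
                alerts.append((user, c_prev, c_cur, int(gap.total_seconds() // 60)))
    return alerts


if __name__ == "__main__":
    for user, count in failed_login_alerts(SAMPLE_EVENTS).items():
        print(f"ALERT failed-login burst: {user} had {count} failures within 1h")
    for user, c_a, c_b, minutes in impossible_travel_alerts(SAMPLE_EVENTS):
        print(f"ALERT impossible travel: {user} {c_a} -> {c_b} in {minutes} min")
```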
Harsh Bhardiya - PeerSpot reviewer
SOC Engineer at Just Dial Limited
Real User
Provides complete visibility, analyzes malicious activities, and improves detection times
Pros and Cons
  • "Splunk Enterprise Security offers valuable features like seamless integration and a SQL-standard Structured Query Language for easy searching."
  • "Splunk's implementation process for managing multiple indexes can be complex, especially when dealing with a large number of components."

What is our primary use case?

We use Splunk Enterprise Security to secure our client's network and provide clear visibility.

Our client lacked an SIEM solution to comply with regulations, so we recommended Splunk Enterprise Security, and they agreed to implement it.

How has it helped my organization?

Splunk Enterprise Security provides complete visibility into the environment. We can add any data to the indexer, and it will begin to be displayed. All we need to do is create use cases tailored to the client's needs.

Splunk's threat intelligence management capabilities are strong, thanks to its user-friendly interface and ability to correlate data from various sources. While it competes favorably with other SIEM tools, its effectiveness ultimately depends on how it's configured.

The actionable intelligence from Splunk's threat intelligence management feature helps us understand what's happening in our environment, enabling further investigation.

We updated the IOCs within the MITRE ATT&CK framework indexing for Splunk. This allows us to compare all received alerts against the MITRE ATT&CK categories. By using the MITRE ATT&CK framework, I can identify the potential type of threat, its mitigation strategies, and the overall attack behavior. Furthermore, I can use the framework to investigate the affected hosts, their origin, and the attack vector.

Splunk Enterprise Security does a good job analyzing malicious activities and detecting breaches.

Splunk Enterprise Security has improved our detection time.

Splunk Enterprise Security has improved our clients' security posture by providing them with better visibility into vulnerabilities, along with proper mitigation strategies and clear explanations. The benefits are apparent within the first month.

Splunk Enterprise Security helped us reduce our alert volume. Initially, the high number of alerts was overwhelming because we were in a new environment, but the volume gradually leveled off and decreased by 50 percent.

Splunk Enterprise Security has accelerated our security investigations by 30 percent. It integrates seamlessly with our EDR solution, providing a single pane of glass view for all security logs.

What is most valuable?

Splunk Enterprise Security offers valuable features like seamless integration and a SQL-standard Structured Query Language for easy searching. Additionally, implementing devices is straightforward, similar to a plug-and-play process.

What needs improvement?

Splunk's insider threat detection capabilities have limitations. While it offers customization, pre-configured rules for common threats are scarce. This means we need to create our own rules, which can be effective if we have the expertise and understand our specific needs. However, behavior analytics seem less useful and have room for improvement.

Splunk's implementation process for managing multiple indexes can be complex, especially when dealing with a large number of components.

Splunk could benefit from a feature that allows users to indicate they are working on an alert or incident. This would prevent other users from wasting time investigating the same issue. Ideally, this wouldn't involve a formal assignment, but rather a temporary indication that someone is currently looking into it.

For how long have I used the solution?

I have been using Splunk Enterprise Security for 9 months.

What do I think about the stability of the solution?

Splunk Enterprise Security is reliable and the stability is a ten out of ten.

Splunk Enterprise Security offers good resilience. Even for unsupported tools, simple integrations can be customized. Splunk is constantly improving.

What do I think about the scalability of the solution?

I would rate the scalability of Splunk Enterprise Security ten out of ten.

How are customer service and support?

The technical support team is excellent. They proactively identify and inform clients about any vulnerabilities or security gaps in their environment.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial deployment of Splunk Enterprise Security was fairly straightforward. While the documentation is comprehensive, fully deploying the solution can be time-consuming. The timeframe can vary depending on your environment's complexity. For instance, a company with 1500 to 2000 employees and a large number of systems and servers might require a month for complete deployment.

I collect the client's requirements and then open a support ticket with Splunk. The ticket will address configuration assistance and, if the deployment is in the cloud, will inquire about the client's storage needs. After I submit the ticket, Splunk will communicate directly with the client.

The deployment involves several teams, and I lead the oversight of both the deployment itself and the analytics function, ensuring a seamless process.

What's my experience with pricing, setup cost, and licensing?

While some clients find the cost of Splunk Enterprise Security to be on the higher end, its pricing is comparable to other SIEM solutions. Ultimately, the value it delivers justifies the investment.

Don't simply choose the cheapest SIEM solution. Consider your organization's specific needs and environment. Even if you prioritize affordability right now, I can offer more powerful tools. However, the best solution isn't just about price. It depends entirely on your environment. Therefore, you need to establish a budget based on your specific requirements. Ultimately, the ideal SIEM solution aligns with your organization's needs.

What other advice do I have?

I would rate Splunk Enterprise Security 8 out of 10.

Splunk Enterprise Security requires maintenance for new onboarding, log management, and archiving. A maximum of two people are required for the maintenance.

Splunk Enterprise Security is a robust security solution that's easy to manage after initial configuration.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: integrator
reviewer2239824 - PeerSpot reviewer
Sr Cybersecurity Engineer at an energy/utilities company with 10,001+ employees
Real User
Correlation searches are very helpful, and it has amazing stability and fantastic documentation
Pros and Cons
  • "The correlation searches are most valuable just because we are able to do things like RBA."
  • "The UI could be better. This is applicable to Splunk in general. I know that a lot of people who get their hands on Splunk are hesitant to use it just because they find it overwhelming. There are a lot of options."

What is our primary use case?

We essentially use Splunk for our Security Operations Center (SOC). All of the notables that we create for the SOC are done in Splunk Enterprise Security. It is our SIEM.

How has it helped my organization?

I cannot put a value on it, but it has been pretty good. Previously, we used to use ArcSight. I used to do incident response when I first joined the SOC, and there were times when I used to sit down and run a search right at the start of my shift, which is at 7 AM, and I used to hope that it would be run by the end of the shift at 7 PM. I used to hope that it would run in 12 hours and not time out. When we got Splunk, it was a game changer. It took seconds to a minute depending on how intense the search was.

We monitor multiple cloud environments. It is easy to ingest data in Splunk. Based on what I hear from our customer success manager, he has customers who have issues ingesting logs, but for me, it is one of the easiest things ever. Their documentation is fantastic.

Splunk Enterprise Security has end-to-end visibility into our cloud-native environments. It is very important for us. When we first got cloud, it was like the Wild West. Anyone could spin up their own cloud infrastructure, and we would not know about it. It was public. We did not know what they were doing with it. Now, we have a better grasp and understanding of what is out there, so Splunk makes it easy for us to keep track of our endpoints that are public-facing.

Splunk Enterprise Security has helped reduce our mean time to resolve. As compared to ArcSight, it has saved at least three to four hours per incident. We utilize a SOAR platform. We do not use Splunk SOAR. We use a different SOAR platform, but with the combination of Splunk Enterprise Security and our SOAR platform, we are able to cut down our mean time to resolve. The time saved varies depending on the case. A normal case would probably take less than ten minutes per investigation. A critical P1 case would take more time, but a normal day-to-day case would take less than ten minutes for our analysts to do their work. A normal case is where a user clicks on a phishing link in an email, or your EDR solution says something happened and there is a threat actor in your environment moving laterally trying to access data.

What is most valuable?

The correlation searches are most valuable just because we are able to do things like RBA. One of the things that we started pretty recently is our insider threat program, and it has been pretty good, especially using RBAs as our framework for the insider threat.

What needs improvement?

The UI could be better. This is applicable to Splunk in general. I know that a lot of people who get their hands on Splunk are hesitant to use it just because they find it overwhelming. There are a lot of options. If you open Google.com, you just have a search bar. You just search and hit "go," but when people look at Splunk, they are just overwhelmed. I see that with our analysts. Even after training, if they do not use it every day, which they should be doing, they kind of lose it.

Its learning curve is a bit steep. It is hard for users to use it. For individuals who know how to use it, it is fantastic. It is great. For example, if you are a Splunk Cloud customer, and you had an outage or there is a maintenance window, those individuals who are power users would know immediately when it happens or they would know that there is a maintenance window coming up because they are the experts. They are the SMEs on their teams, and they are the ones creating value using Splunk. Individuals who do not know how to use it are intimidated.

For how long have I used the solution?

We have been using Splunk Enterprise Security since 2017. It has been about six years.

What do I think about the stability of the solution?

Its stability is amazing. It is always up. It is fantastic.

What do I think about the scalability of the solution?

It is awesome. When we first purchased Splunk Cloud, our ingest rate was about one terabyte or one and a half terabytes. We moved from the ingest-based license to the workload-based license three or four years ago, and now, we ingest about 10 to 12 terabytes. It is handling that just fine as if nothing has changed.

How are customer service and support?

I would rate their support a six out of ten because there are times when someone picks up a support case, but they do not know what they are doing. I have to guide them. It is like, "I have already done the research. This is what needs to be done. There you go. Do it." I expect a little bit more from support in terms of having the knowledge upfront.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We had on-premises ArcSight. We had one guy run it for our enterprise. Our enterprise has roughly over 130,000 people. We are a global company, and we had one guy run the entire infrastructure. We could tell when he took days off because it would not work. When we moved to Splunk, we went to Splunk Cloud immediately. We were one of the first Splunk Cloud customers or one of the bigger ones. That is what I was told when we made the switch.

I do not know whether we have seen any cost efficiencies by switching to Splunk Enterprise Security because I was not there during the ArcSight days per se. I was there at the very tail end, but I would assume that we have seen cost efficiencies just because ArcSight was only used by the security team, whereas Splunk is used enterprise-wide, not just by the security team. It should be cheaper for us. The value is there. It is cross-functional.

How was the initial setup?

I was not involved in its deployment.

What was our ROI?

Its time to value was about a year. It took us about a year because back in 2017, we were making that conversion from an on-premise ArcSight deployment to a Splunk Cloud deployment. We had to make sure that everything that was being sent to ArcSight was sent correctly to Splunk. We had to make sure that everything was in a common information model format and that we could rebuild the content.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security is cheaper than competitors, but I do not know whether it is just our contract. 

Everyone says that Splunk, in general, is expensive. I have talked to many peers within our industry, and I know a lot of individuals who are moving away from Splunk just because of the price. That is one of the reasons why we are looking at other competitors to see if anyone is doing something better than Splunk and has a cheaper rate.

Which other solutions did I evaluate?

I have looked at other competitors. We recently looked at CrowdStrike's LogScale solution. It feels like Splunk to me. I cannot say how we would reproduce what we have done in Splunk on the infrastructure side or backend. Our environment is uniquely different. Technically, I am the only person who runs Splunk for our entire organization, similar to the way the previous person ran ArcSight for the organization. If I were to compare apples to apples, Splunk to me is still number one in that category.

Splunk's community is the biggest benefit. It is so easy to go to Slack and hit someone up. There is a good chance that you will find someone out there who has run into the exact same issue that you are having. Their documentation is fantastic. Because I am the only one who runs it for our organization, it is easy for me just to Google it, find the document, and just follow it. It is as simple as that. It gets a little dicey with XDR and all the other things that are happening in the market, such as using a data lake. Instead of putting our eggs in one basket or using Splunk, we might use something like Snowflake.

What other advice do I have?

I get introduced to new ideas by attending the Splunk Conference. In the year before last, someone did a talk about business email compromises. Within our company, we did something similar, and we did it about nine to ten months before the talk. I listened to the talk to see if we were doing anything different from what they were doing. I found out that we were doing the exact same thing essentially. I thought, "We could have done a talk like this too." These talks are very helpful. For example, they showcased the attack analyzer, and currently, we are looking for an automated online sandbox, just like the attack analyzer. We have been looking at cloud-based sandboxes that are out there. Being able to see it hands-on and how it interacts with Splunk makes it much easier for us to make that decision.

Overall, I would rate Splunk Enterprise Security a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
MANISH CHOUDHARY. - PeerSpot reviewer
SOC manager at a tech vendor with 10,001+ employees
Real User
Top 10
We can easily identify users and devices, but the plugins have room for improvement
Pros and Cons
  • "Splunk Enterprise Security comes with 300 pre-deployed use cases that can be easily customized to meet the specific needs of our organization, without the need to purchase additional tools."
  • "Splunk can improve its third-party device application plugins."

What is our primary use case?

We use Splunk Enterprise Security to analyze log data for log monitoring, creating use cases, onboarding, and incident response.

We wanted a single security tool that could immediately identify notable events that could be reported as security breaches, and then enable us to take intelligent action without having to purchase additional security tools.

We have two customers with hybrid cloud solutions. Neither customer is fully cloud-based. Our implementation is based on the customer's requirements, such as compliance, data ownership, and administration. We plan the implementation of Splunk cloud or hybrid models based on these requirements. We discuss the benefits and solutions with the customer to ensure that we are not breaching any compliance policies and that we are selecting the right model for their needs. Because we have multiple customers, we must also consider how to manage this process effectively.

How has it helped my organization?

We use multiple cloud environments for our clients, including AWS, Azure, GCP, and private cloud. We can easily integrate Splunk Enterprise Security and segregate the logs based on the type of index we create for each customer. When we create different indexes, we can segregate the types of logs based on the device type. This makes it easy to separate logs from different universal providers, different machines, and specific types of indexes dedicated to particular customers or groups.

We use threat topology and MITRE ATT&CK to create and integrate use cases for network framework detection and visualization in Splunk. Splunk helps us segregate and integrate use cases based on different threat detections and provides a complete dashboard view of how use cases match with detected threats.

When discussing MITRE ATT&CK and topology, we sometimes encounter use cases where we must ensure the logic is properly implemented to detect the threat and trigger the alert. This is because log access may involve specific teams and their associated MITRE ATT&CK tactics and techniques. We must be very specific about the information we are observing in order to derive the correct information and framework topology.

Splunk is one of the easiest solutions for analyzing malicious activities and detecting breaches. It is flexible enough to work with small teams, and it provides a broad view of the data, allowing us to segregate and fine-tune the analysis based on the customer's requirements.

Splunk Enterprise Security can help us detect threats faster when it is properly configured. We have implemented over 400 use cases for specific types of malware and other threat detection. In over 70 percent of environments, Splunk is able to detect threats faster than other solutions.

It has helped our organization improve by integrating with cloud providers. Splunk enables us to blacklist specific data types and ranges to reduce our losses, based on our requirements.

We have reduced our alert volume by around 50 percent with Splunk. When we first started creating and using Splunk use cases, we received around 700 alerts. Splunk can merge different sources of use cases into one to identify false positives, which has been very helpful for us.

Splunk has helped speed up our security investigations by almost 70 percent. We have a dedicated incident response team. They use the Splunk incident reports to help with their investigations. 

What is most valuable?

Splunk Enterprise Security comes with 300 pre-deployed use cases that can be easily customized to meet the specific needs of our organization, without the need to purchase additional tools.

We can easily identify the number of security devices and users that are authenticated on the network and present the information to the executive team.

What needs improvement?

Splunk can improve its third-party device application plugins.

For how long have I used the solution?

I have been using Splunk Enterprise Security for five years.

What do I think about the stability of the solution?

Splunk Enterprise Security is stable.

What do I think about the scalability of the solution?

Splunk Enterprise Security is scalable.

How are customer service and support?

The Splunk technical support is good but their call times differ.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I previously used IBM Security QRadar, Azure Sentinel, and McAfee Network Security Platform. Splunk Enterprise Security is designed for multiple platforms and is easier to implement.

Splunk is much faster when used correctly and has many tools. With the exception of Sentinel, the other solutions do not have many tools. With Sentinel, we have to define the indexes and all those things, such as the aggregation of logs. It is easy to do searches in Splunk, even in a large environment. I find Splunk to be more efficient than the other solutions I have used in the past.

How was the initial setup?

The initial deployment is straightforward. We install the solution and define the roles of each server and the data it will store. The deployment in our test environment took 13 hours.

What was our ROI?

We have seen a return on our investment in Splunk. The variety of options that Splunk provides is a great selling point for our customers.

What's my experience with pricing, setup cost, and licensing?

While Splunk is more expensive than other solutions, we would still choose it because of its capabilities. Splunk is a leader in the field and provides a wider range of data and security features than other SIEM solutions.

I would recommend Splunk over any of the less expensive SIEM products. I recommend the license-based solution over the user-based solution that Splunk offers. If I had to recommend any other SIEM other than Splunk, it would be Microsoft Sentinel.

What other advice do I have?

I would rate Splunk Enterprise Security seven out of ten.

The threat detection capabilities that we get by default are very basic. However, if we want to implement the most effective threat protection on the internet, we need to purchase a relevant solution for intelligent threat protection. This will provide us with more feeds for enterprise security and help us to integrate data by matching the data to the target and to the security with our Splunk.

We have 60 percent of our customers using Splunk Enterprise Security in their environments.

Splunk maintenance is required for updates. 

Splunk provides a centralized monitoring platform, eliminating the need to switch between different platforms to monitor security. Splunk provides a clear view of different security losses and incidents, and we can onboard any number of devices as needed. We can monitor our entire environment from one place, requiring only one team to monitor it. Splunk adds a lot of value currently.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Vijay Lakshmanan - PeerSpot reviewer
Associate at PricewaterhouseCoopers
Real User
Provides centralized monitoring, customized dashboards, and speeds up security investigations
Pros and Cons
  • "The most valuable features in Splunk Enterprise Security are the cluster capabilities."
  • "The licensing price is high and has room for improvement."

What is our primary use case?

I'm part of the Splunk operations team, which means I support Splunk functionality and occasionally conduct threat management onboarding. We assist various teams with threat-related tasks. If they need help bringing log sources into Splunk, we guide them through the process. Once the logs are onboarded, we create correlations to identify threats, troubleshoot issues, and help mitigate potential risks.

How has it helped my organization?

We handle incidents through a queue configured in our event management system. This includes automated incidents for our Splunk infrastructure, like server health checks, and user-reported issues where functionalities like the fetch score aren't working. We address all incidents, whether automated or user-raised, through this system.

We've made significant improvements to our Splunk infrastructure to support our internal teams. This ongoing effort focuses on helping application teams onboard logs from various applications for their review and troubleshooting. We've streamlined the onboarding process, improved data quality, and ensured smooth data consumption for our internal users.

Splunk Enterprise Security offers multi-cloud environment monitoring capabilities that we can utilize for our users if they require it.

We can build a dashboard in Splunk to centralize the monitoring of critical information. This dashboard can display key metrics for onboarding methods and LogSources we actively track, providing a clear view of our entire monitoring environment.

While Splunk Enterprise Security offers good threat detection capabilities, our current process limits visibility into user activity. When users request correlations, we create the code and configure everything on our end, and then they test and work on it from theirs. This lack of transparency extends to threat management, as we can't directly see tickets in their separate ServiceNow system. If they encounter issues, they share details in a document for us to review and address.

It comes with a large collection of correlation searches, but we'll need to review them to find the ones that match our specific needs for monitoring malicious activity. Once we've identified the relevant searches, we can customize or recreate them within the correlation settings to best suit our environment.

Splunk Enterprise Security helps us detect threats faster.

Splunk Enterprise Security is a good monitoring tool that allows us to track specific details by creating custom queries. For instance, to monitor a particular organization's infrastructure, we would first onboard their logs and then create queries to capture relevant information. This way, any suspicious activity, attacks, or other events would be easily identified within the infrastructure. Additionally, Splunk's checkup operation minimizes the chance of missed alerts by automatically identifying detections, ensuring near-complete coverage of around 99 percent unless there are outages or limitations with global agents.

Splunk Enterprise Security helps us speed up our security investigations.

The customizable dashboard for our security operations is a good feature.

What is most valuable?

The most valuable features in Splunk Enterprise Security are the cluster capabilities.

What needs improvement?

The licensing price is high and has room for improvement.

For how long have I used the solution?

I have been using Splunk Enterprise Security for four years.

What do I think about the stability of the solution?

Splunk Enterprise Security is stable.

What do I think about the scalability of the solution?

Splunk Enterprise Security can scale according to our needs.

How are customer service and support?

The technical support has been successful in resolving the majority of our cases.

How would you rate customer service and support?

Positive

How was the initial setup?

While the deployment process itself is simple, the number of personnel needed varies depending on the infrastructure size and user base. A small deployment for 50 users can be completed by two people, while larger deployments supporting over 500 users may require up to 15 people.

What's my experience with pricing, setup cost, and licensing?

The Splunk Enterprise Security license is expensive.

What other advice do I have?

I would rate Splunk Enterprise Security eight out of ten. Splunk improves user efficiency by streamlining workflows and enabling the detection of anomalies within data.

Splunk Enterprise Security is deployed across multiple locations in our organization.

To ensure our data remains secure, Splunk servers require monthly maintenance. This maintenance includes installing security patches that address vulnerabilities and prevent unauthorized access to our information.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
JOEL MUNDOH - PeerSpot reviewer
Splunk Administrator / Architect at MetLife
Real User
Top 5
Good visibility, helpful integrations, and very good documentation
Pros and Cons
  • "The security part is useful as it helps secure the entire environment."
  • "The user experience could be improved."

What is our primary use case?

My role is to design, implement, and manage a strong environment. I need to ensure the available insights can be extracted efficiently, and I use the solution for that. I also configure the Splunk custom dashboard and optimize searches to meet specific business needs. We also do a lot of troubleshooting and upgrading.

What is most valuable?

The security part is useful as it helps secure the entire environment. I designed the security aspect of it for a lot of applications in my company. It's the security thread within the application that we build. I'm able to use Splunk to secure the applications. 

We use the solution to monitor multiple cloud environments. We can monitor even on Amazon products. It's a good source for monitoring all types of applications. 

I can manage and correlate different kinds of searches within my environment. It's good for performance monitoring as well. I can do auditing and reporting through Enterprise Security.

The solution gives us visibility into multiple types of environments. There's a good level of cost optimization as well. It's good for end detection and prevention. I can identify anomalies and get a data view of fraudulent activities. You can uncover the source type and the IP address from where things originate.

Splunk gives us the capability to handle insider threat detection. I'm able to create my own dashboard that will visualize the information. It does depend on how you handle the configuration and permissions. 

We do use the MITRE ATT&CK framework. It helps us discover the scope of the incidents. It helps us to target incidents immediately. We're able to quickly resolve it and stop it. We get data visibility to see what's coming in, which helps us act fast. 

We can work with data from any source as long as you configure it correctly.

The solution has helped us to reduce our alert volume. You can tune your alert thresholds. You can also create rules to define your alerts. It gives you the capacity to optimize queries as well. 

What needs improvement?

They didn't use to be able to integrate with Cisco. However, this has changed now. 

Some minor features could be added. However, I need to do more research. 

The user experience could be improved. It could be more intuitive.

There should be a way to do bulk visualization reporting. 

For how long have I used the solution?

I've been using Splunk for 7 years. 

What do I think about the stability of the solution?

We haven't had any downtime. The only issues that come up are if there is an extension of limits. If you extend beyond your license, you may get downtime.

What do I think about the scalability of the solution?

The solution is scalable. It's easy to manage. 

How are customer service and support?

We have contacted technical support for troubleshooting. No solution or machine is perfect. We had an issue where a new hire misconfigured some servers, and they were able to offer us support. They are helpful; however, they do need to be faster in response. They do provide a lot of documentation that can be helpful.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I'm also familiar with CloudWorks. However, Enterprise Security has more features and can provide more insights. 

I'm familiar with Dynatrace.

How was the initial setup?

Splunk was already in place when I arrived. I simply tried to implement different strategies in multiple environments. 

What's my experience with pricing, setup cost, and licensing?

Splunk is pay-as-you-go. The pricing depends on your use case. You only really pay for the amount of data you are dealing with. 

What other advice do I have?

I'm a Splunk customer. 

People shouldn't necessarily look for the cheapest pricing. You need to look at what will optimize costs and the time it takes to secure the data. The most important thing, before cost, is being able to successfully secure your data. You should choose your solution based on your use case as well. 

I'd rate the solution 8 out of 10. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
SAURABHYADAV4 - PeerSpot reviewer
Consultant at HCL Technologies
Real User
Top 5
The solution speeds up our response by enabling us to automate some of the investigation steps
Pros and Cons
  • "Splunk's interface is user-friendly, and it has apps and add-ons for most applications. We can easily normalize the data to make it readable and understand the logs. We easily get all the field extractions and enrichment done by using the apps and add-ons. This helps us understand the application logs because the raw data is useless unless we extract some useful information from it. These add-ons make it so much easier."
  • "It would be nice if Splunk reduced the cost of training. Their training sessions are way too costly."

What is our primary use case?

I work in security and use Splunk for endpoint and application security, use case development reports, etc. I haven't used Splunk much for threat intelligence. We have a threat intel feed configured, and we create use cases based on those and the recommendations by the threat intel team. If something isn't covered, we create a use case for it. For example, if an application has an authentication interface enabled, we check all their authentication mechanisms and all the login policies. 

How has it helped my organization?

Splunk speeds up our incident response by enabling us to automate some of the investigation steps, such as finding information about the user or the source of the incident on machines. We can then move directly into the remediation phase and assign those tickets to the remediation team. It also triggers automatic email alerts to the recipient user. If our security analyst wants to see the alert logs or anything, they can easily drill down to identify any information required.

It allows us to configure use cases involving our machine-learning toolkit, and we have an adaptive threshold in ITSI. Using these tools, we can eliminate false positives and do some whitelisting to weed out users who are performing benign activities. Removing the false positives reduces the incident response time.

We can start to see results immediately once we have achieved a steady state. For instance, we can easily show how much our mean resolution time for incidents has fallen and provide metrics in a way that is easy for our clients to understand. 

What is most valuable?

Splunk's interface is user-friendly, and it has apps and add-ons for most applications. We can easily normalize the data to make it readable and understand the logs. We easily get all the field extractions and enrichment done by using the apps and add-ons. This helps us understand the application logs because the raw data is useless unless we extract some useful information from it. These add-ons make it so much easier.

Dashboards are useful when we present things to management. They want the numbers and the results. The leaders aren't interested in what we are working on. We need some visualization for our presentations. Splunk has beautiful and useful visualization and dashboard alerts. We can easily create visualizations using the available options and create different types of charts, reports, and graphs that are easy for management to understand. We can also provide our leaders direct access to the dashboards, so they don't need to reach out to our team to get this data or we can automatically send them the reports via email. 

Splunk has several useful features, like asset and identity management. If we integrate our asset and identity management properly in this log, it's effortless to identify the user, device, or asset. We can get all the details if we integrate those things into the lookup engine.

What needs improvement?

It would be nice if Splunk reduced the cost of training. Their training sessions are way too costly.

For how long have I used the solution?

We have used Splunk for around seven years.

What do I think about the stability of the solution?

Splunk is highly stable if you meet all the prerequisites and have enough physical memory for your local storage. 

What do I think about the scalability of the solution?

If you use the cloud version you can scale as much as your licensing allows. It's easy to scale, upgrade, or add instances according to your needs. 

How are customer service and support?

I rate Splunk support 8 out of 10. They're good, but I think there is room to improve because Splunk is the market leader, and they should strive to provide the best possible support. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I previously used QRadar and ArcSight. Splunk is one of the top products. Compared to Sentinel or QRadar, Splunk is the market leader in features and security. You can integrate application, physical, or cloud security and onboard those logs into Splunk, then tailor it to your requirements. 

How was the initial setup?

I've worked on multiple deployment models for Splunk, including hybrid, cloud, and on-prem. The deployment is straightforward. We do a POC and then scale it based on our requirements. 

What was our ROI?

I feel like Splunk is worth our investment. 

What's my experience with pricing, setup cost, and licensing?

The cloud version of Splunk is somewhat expensive, but it does provide some flexibility because you do not need engineers to manage the system. Everything is hosted in the cloud because it is a SaaS service. It depends on the usage. It is costly, but every good thing comes at a price.

What other advice do I have?

I rate Splunk Enterprise Security 9 out of 10. 

Disclosure: My company has a business relationship with this vendor other than being a customer: partner
Viney Bhardwaj - PeerSpot reviewer
Sr Manager at Ernst & Young
Real User
Top 10
Mature, highly customizable, and good integration capability
Pros and Cons
  • "If I need to integrate devices for logs, it is easier with Splunk. We can integrate different applications, network devices, and databases. It is also very rich in documents. It is the best."
  • "Splunk does not provide any default threat intelligence like Microsoft Sentinel, but you can integrate any third-party threat intelligence with Splunk. By default, no threat intelligence suite is there, whereas, with IBM QRadar or Microsoft Sentinel, the default feature of threat intelligence is there. It is free. If Splunk can provide a default threat intelligence suite, it would be better."

What is our primary use case?

We mainly use the Splunk Enterprise Security app to use Splunk as a SIEM. I have worked with Splunk on-premises, which is Splunk Enterprise, and I have worked with Splunk Cloud as well. 

We mostly use Splunk for the SOC environment. We use Splunk for security incident monitoring.

How has it helped my organization?

Splunk Enterprise Security speeds up our security investigations.

Our organization monitors multiple cloud environments. We have more than 50 customers. Customers have their own licenses, and for some customers, they are shared. We have a single Splunk console. We have customized Splunk, and we have onboarded multiple customers. For some customers, we have integrated Splunk with SOAR. There is a single console to monitor SIEM and other devices. It saves the analysis work. It provides good visibility as compared to the other SIEM products I have worked with. 

We use the Threat Topology and MITRE ATT&CK framework features. You can map your use cases with the MITRE ATT&CK framework. It is common in all SIEMs nowadays. It is good. It gives a good mapping of the use case and a better understanding.

Splunk Enterprise Security has not helped reduce our alert volume. It behaves as we configure it. The engineer handles the fine-tuning of the use case and reduction in the alerts.

What is most valuable?

The fast search is valuable. As compared to other SIEMs, Splunk is very fast in terms of the search and providing data.

The customization of the use cases is another valuable feature. It is query-based, and now, there is a feature to have machine learning as well. We can write advanced-level use cases, which is a limitation of other SIEMs.

The third point is the device integration. It is very smooth. If I need to integrate devices for logs, it is easier with Splunk. We can integrate different applications, network devices, and databases. It is also very rich in documents. It is the best.

What needs improvement?

Splunk does not provide any default threat intelligence like Microsoft Sentinel, but you can integrate any third-party threat intelligence with Splunk. By default, no threat intelligence suite is there, whereas, with IBM QRadar or Microsoft Sentinel, the default feature of threat intelligence is there. It is free. It would be better if Splunk could provide a default threat intelligence suite.

The second issue is that Splunk is expensive compared to many other SIEM tools in the market. A competitive price will work better.

The third issue is that Splunk Cloud is sometimes slow. If I create more use cases, Splunk will be slow because they provide limited resources in Splunk Cloud. They can do some optimization there.

The last issue is that they used to give a trial version of the Splunk Enterprise Security app that we could showcase to customers for demonstration, but they have stopped that free trial version. If they can start that again, it will be better. It will help to showcase the capability of Splunk.

For how long have I used the solution?

I have been using Splunk Enterprise Security for seven years.

What do I think about the stability of the solution?

It is sometimes slow. It also depends on the number of use cases or queries. You need to optimize the use cases or queries that are running and consuming a lot of resources. I have also seen Splunk Cloud hanging a bit. I would rate it a seven out of ten in terms of stability.

How are customer service and support?

We have contacted their support many times. Their support is average. We sometimes have a hard time with their support. They are not very reliable, but this is the case with all SIEM products.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We are also using Microsoft Sentinel and IBM QRadar. We have also used ArcSight. For some customers, we are using LogRhythm and the RSA solution. Different customers have different SIEM tools, but I find Microsoft Sentinel and Splunk better than the others in the market. I feel Splunk is the most mature tool at this time. It is very easy to customize. You can do whatever you want.

IBM QRadar is the cheapest option available in the market. It is a traditional SIEM tool. It is not as fast as Splunk or Microsoft Sentinel, but from a costing perspective, it is convenient. There are also a few open-source SIEM tools. Many companies are using those, but if you go with a commercial tool, IBM QRadar is very good in terms of cost value. When it comes to customization and maturity, Splunk Enterprise Security is definitely number one. Microsoft Sentinel comes second, and IBM QRadar comes third.

How was the initial setup?

It is easier than other tools.

What about the implementation team?

We implement it for our clients. The number of people involved depends on the license utilization, the number of devices, and the time frame. Two to three months are normally required for the full integration of a customer environment, and a minimum of two people are required for the integration.

What's my experience with pricing, setup cost, and licensing?

It is expensive. That is why many customers have moved to IBM QRadar. The price is definitely a challenge for customers.

What other advice do I have?

If budget is not an issue, you can go ahead with Splunk Enterprise Security. Nowadays, Splunk is ready to negotiate. With good negotiation, you might get a good deal. If you are a large organization with more than 2,000 devices or more than 500 licenses, Splunk is the best choice. If price is not an issue, you can blindly go with Splunk because it is the most mature tool in the market at this time. Microsoft Sentinel is scaling up, but it is still not there where Splunk Enterprise Security is.

Overall, I would rate Splunk Enterprise Security a nine out of ten.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Reseller
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.
Updated: December 2024