Splunk Enterprise Security Reviews

As a Splunk engineer, I collect data from various sources, including Universal Forwarder, Heavy Forwarder, DB Connect, and Syslog to monitor application logs. This data is used to create dashboards that visualize application health and identify potential security incidents. Additionally, I configure alerts to notify teams via Slack or email when CPU or memory usage reaches critical thresholds, allowing for prompt resolution. Furthermore, I use Splunk to create KPIs and NDDs for various aspects of the organization, including a custom ITSI service for Microsoft 365. This service monitors child entities like Teams, Outlook, and Edge within a parent application, tracking metrics like team member logins and meetings, CPU usage, and memory usage. All this information is consolidated into a three-page ITSI report.

Splunk Enterprise Security helps us detect malicious activity, such as failed login attempts by unauthorized users. These attempts, whether brute-force attacks or phishing attempts, trigger alerts with detailed information about the incident mapped to the MITRE ATT&CK framework. This allows our security team to investigate and take appropriate action quickly.

We managed Splunk's large clustered environments, I oversaw data collection from roughly 750 applications via universal deployment clients. This experience, coupled with my nearly six years of Splunk expertise, made monitoring application logs and creating Splunk knowledge bases straightforward tasks. While processing task cut-off tickets from the application team could be time-consuming, the actual monitoring itself was easy to manage.

The end-to-end visibility provided by Splunk is important because our company uses applications like K-Connect and Splunk to monitor user activity across different sectors. Having previously worked in both healthcare and finance, I'm familiar with how this process works. We access user information including personal data to track their activity from start to finish within our systems. Splunk allows us to mark specific user data points for further analysis, ensuring we have a full view of user or patient activity within each organization we serve.

Splunk helps me find security events across multi-cloud and on-prem platforms. I would identify missing data by checking the last hour's timeframe (span=1h). If on-prem or cloud data was missing, I'd investigate which logs weren't being ingested, whether an indexer was down, or if a forwarder wasn't sending data. Additionally, I'd check if the application or event log volume was overwhelming the universal forwarder, requiring a queue to process the data effectively.

Splunk improves our ability to handle data from applications. This data is often unstructured or unavailable in a usable format. To make it usable, we used to normalize the logs manually through back-end commands and edit various Splunk consoles and platforms. This process transformed the data into a structured, human-readable event format, allowing us to extract the information we needed.

We can identify potential malicious activity through Splunk by analyzing database logs with SQL queries. For instance, a high number of failed login attempts within a short timeframe could indicate unauthorized access attempts. Additionally, with multi-factor authentication systems like Duo, a user logging in from two geographically distant countries within a short period might be suspicious. To address this, I've developed SQL queries that check for logins within a one-hour timeframe across different countries. These queries trigger alerts on a dashboard, allowing IT to investigate the user's IP address and determine if the login is legitimate.

Splunk has significantly improved our business resilience by providing a single pane of view for all our data. This visualization allows us to monitor for anomalies, including unusual application activity, unauthorized executables, and suspicious shell scripts running on both Linux and Windows servers. By triggering alerts for these events, Splunk empowers our organization to proactively identify and address potential threats, ultimately improving overall stability.

Splunk allows us to easily check the data for malicious activity. It also helps reduce the alert volume by allowing us to set thresholds for alerts. For example, we only receive an alert when the CPU usage exceeds 90 percent or the number of failed logs is more than 15.

Splunk helps us investigate by providing relevant context from system logs. We can search the Splunk logs for specific applications and timeframes, and then examine all the data fields for suspicious activity, failed login attempts, or any other anomalies.

It helps security teams investigate threats faster by providing a central platform to collect and analyze data from various security applications. This focus on enterprise security allows teams to identify and respond to threats across the organization, leveraging frameworks like MITRE ATT&CK to match attacker techniques and tactics.

Splunk's strength lies in its single-page view. This interface allows us to explore all our data, build dashboards with alerts, and visualize real-time information through various charts like column, bar, and pie formats, providing a full user experience.

Due to its high licensing cost, Splunk is out of reach for many organizations. Making their licensing more affordable would open up Splunk's solution to a wider range of users.

I have been using Splunk Enterprise Security for six years.

Splunk Enterprise Security is a stable solution.

Splunk Enterprise Security has excellent scalability.

The technical support is good.

Positive

The deployment is complicated  because our organization works with on-prem servers. All the data needs to be duplicated and all the searches and indexes need to happen properly.

The Splunk licensing is high.

While more affordable, alternative SIEM solutions lack the flexibility and in-depth visualization capabilities offered by Splunk.

I would rate Splunk Enterprise Security nine out of ten.

While Splunk Enterprise Security offers a user-friendly interface, its true power lies in its ability to create highly customized dashboards that streamline investigations and reporting.

The solution is used in my company to help the security operation center in work areas like detection, response, and investigation while maintaining cybersecurity standards.

My company has benefited from using Splunk Enterprise Security, which has helped us stay out of the headlines in newspapers. The tool helps detect threats early and respond to them effectively.

The solution's most valuable feature is that it helps with our use cases to detect anomalies in our data and it is important to my company since we have a lot of data on different logs on the systems. We need to be able to create insights that are indicative of malicious activities, which is one of the main purposes of having Splunk Enterprise Security in our company.

The product lacks cross-cutting capabilities. The features in Splunk Enterprise Security that were initially promised to our company are still not available. My company has been asking Splunk for some of these features to be provided in the product for years, and we have been promised that they will be introduced soon in the solution and be part of the product's next release.

I believe that the contract and the terms and conditions mentioned in it are areas where improvements are required.

I have experience with Splunk Enterprise Security.

When it comes to the on-premises version, the stability of the product was quite reliable. When my company moved to the product's cloud version, we faced some major issues related to availability and dealing with events like data corruption.

The product's scalability is okay. I do not think my company faced issues in the area of scalability.

The product's support services were not great initially, but now they are in really good shape. Whenever my company connects with the product's support team, they listen to our questions and queries, so I feel that we are in a much better place now. I rate the technical support as eight out of ten.

Positive

My company has experience with ArcSight. We switched to Splunk Enterprise Security because we couldn't get good answers to our questions from ArcSight, and it was just not functional.

The solution is deployed using the cloud services offered by Splunk. Recently, my company also deployed the tool on an on-premises model. In our company, we monitor both, cloud and on-premises, with our cloud instance.

In the beginning phase, I would describe the deployment experience as a costly and hard process. The migration process from on-premises to cloud was hard and took our company a year to complete. There were different kinds of roadblocks on our company's and Splunk's end. My company worked directly with the migration process associated with the product.

It is difficult to say whether I have seen an ROI since it is like trying to figure out how much an insurance policy works. I think that our company will receive a return on investment from the use of the solution since it helps the organization's cybersecurity team stay out of the newspapers. My company has always been able to deal with threats quickly with the product.

Regarding the product's pricing, I think it has always been difficult to have a conversation with Splunk. Considering the contract thing and the whole legal area, it takes forever to get the contracts signed and to be able to agree to the terms and conditions for my company as well as for Splunk's team. I like the direction Splunk stays in by thinking with the customers about how to reduce costs and only have that data searchable or available, which you need at a particular time. I like the path Splunk is going on, specifically its current trajectory. I appreciate the efforts put in by Splunk in the area partnership, which is what my company expects.

My company uses Microsoft Sentinel. A multi-SIEM environment provides my company with the best of both worlds. Sentinel has some good features, like Microsoft Graph Security, that the tool uses for the whole Microsoft ecosystem. Microsoft Sentinel is a good option for my organization.

In my company, Splunk acts as a product that complements Sentinel because the former lacks some features. I think Microsoft is strong in the area of service delivery. Microsoft's EDR tools, like Microsoft Defender, use Servers from Microsoft Graph Security, and my company benefits from such a type of integration, and we are able to send alerts to Splunk. In our company, if we start to ingest all the data we usually ingest in Splunk by moving to Sentinel, it will become too expensive, so we have to choose where to keep our data.

My company has been able to reduce the mean time to resolve with Splunk Enterprise Security as it went down from a couple of days to hours.

My company has seen a significant reduction in alert volume. It was very noisy earlier, but lately, my company hardly sees any false positives.

It is super important that the solution provides end-to-end visibility of our company's environment because you can never know from where threats can materialize. The fact that users can correlate and ingest data makes sense and is crucial, considering the massive amounts of data.

Splunk Enterprise Security has helped improve our company's ability to ingest and normalize data, which is one of the tool's key benefits.

I would not say that Splunk Enterprise Security has helped solve problems in real-time scenarios, but it has helped solve problems on a near real-time basis. In my company, there is always some lag between the data that comes in and the ones being ingested and correlated. Splunk Enterprise Security aids in solving problems in a matter of minutes.

Splunk Enterprise Security provides relevant context to help guide our company's investigations, and it is very important and can be considered everything for our organization. In our company, we pull in data from assets and registries to give index-based alerts and be able to find owners quickly to notify them and respond to threats.

Splunk Enterprise Security's ability to help our company find any security events across environments is excellent. My company is really happy with Splunk Enterprise Security. The product helps our company find bad stuff when needed.

The truth is that it is very hard to deliver solutions that work at a certain scale. I think that one of the things I could say is that it is a solution that scales up at work. There are many organizations where solutions fail, and I can say that since I have been a part of the deployment of many other tools, it is hard to get many products to work. Splunk Enterprise Security works, and our company's analysts rely on it and trust it. I can only see improvements considering the strategies in terms of where the product's management team is going, and I believe that I will be able to rate the tool a nine out of ten pretty soon.

I rate the overall solution an eight out of ten.

We use the solution to find systems acting strange or having strange services and security attacks.

Splunk Enterprise Security helps us sift through tons of data to find relevant information we're looking for as far as activity goes.

The solution's most valuable feature is the aggregation of all the logs in one place, using enterprise securities built-in or ESCU use cases to find them.

The end-to-end visibility Splunk Enterprise Security provides in our environment is very important because we might not see everything or miss something without it.

Once you have it set up correctly, Splunk Enterprise Security works great for helping us find any security event across multi-cloud, on-premises, or hybrid environments.

Splunk Enterprise Security has helped improve our organization’s ability to ingest and normalize data. The ability to identify and solve problems in real-time is pretty robust.

Splunk Enterprise Security has helped reduce our alert volume with RBA and has helped reduce our mean time to resolve. With correlation searches in risk-based alerting, you don't have to sift through information; it is presented to you.

The solution's case management system could be further improved to make it easier for analysts to manage cases. The only limiting factor is the amount of data you're sifting through and the overall size of the number of correlations you're looking for.

I have been using Splunk Enterprise Security for seven to eight years.

I rate the solution’s stability an eight out of ten.

I rate the solution ten out of ten for scalability.

The solution's technical support is awesome, and I love it.

Positive

I've deployed the solution a few times. The deployment is very labor-intensive and takes a lot of work.

Splunk Enterprise Security is an expensive solution.

I would recommend the solution to other users.

Overall, I rate the solution a nine out of ten.

Our SOC is using Splunk Enterprise Security as a SIEM. There are multiple use cases because it is the main tool for SOC analysts. We have plenty of use cases. It is being used for IT security monitoring. We also have some custom use cases for securing applications, and then we have some of our internal customers developing their own use cases, but the main purpose is for the SOC. 

We also have additional work that is much more tricky. It is related to using AI to detect insider threats.

We are incredibly increasing our coverage as per the NIST framework that we are using for our operations. We are always extending. That really took off after implementing Splunk. It was a big moment. I have been there from the very beginning when we started implementing Splunk. Like everything new, there was a little bit of difficulty, but after we implemented it, there was an incredible increase in our SOC efficiency.

Splunk Enterprise Security helped reduce our mean time to resolve based on my knowledge, but I do not know how much because I left the department one year ago. On the security monitoring side, we have very good MTTR globally due to Splunk and the processes that we have implemented. We have other kinds of tools. Compared to the other tools that we have, our MTTR is far better with Splunk. Compared to last year, it was reduced by half. It was already good, but it got reduced a lot again.

It is lovely to have everything we need in one tool. Everything is quite centralized.

AI is everywhere, and I feel we need to discover AI for cybersecurity. For the last five years, I myself have been setting up a product and evaluating AI, but I did not do it directly in Splunk because there was some fear about the performance on the platform. That is why we chose to build our own platform based on S3 and AWS to execute and run all the algorithms and send the data back into Splunk. We now have a good base with innovation. We have a better base to directly include machine learning use cases in Enterprise Security, but they need to provide more capability and autonomy to the customers because there is so much to do. When you are lucky enough to have a team of data scientists, they want to have free hands, so a balance has to be found between giving a lot of autonomy and putting enough control so that they do not do something stupid on the platform, which can impact the performance of the standard use cases as well. There is a compromise there. However, AI is growing so fast that you absolutely need to give autonomy to the team to manage and utilize AI. This means providing easy access to a new library to build machine learning. They need to give us some flexibility, and it seems that with the new toolkit, it would be okay. Data scientists love to have freedom.

Splunk Enterprise Security provides us with the relevant context to help guide our investigations, but it would be interesting to add even more context, for instance, in order to raise the level of risk. That is something that can be implemented. For instance, when it comes to data loss prevention, it is known that somebody who is about to leave the company is much more likely to take data. If you have this information soon enough, because the person will tell HR in advance, you can increase the level of risk for data loss for that user, but you do not always get to know that in advance. In such cases, some indicators in the behavior of the users who are leaving could be connected to AI. For instance, if you are using natural language programming, you can grab emails with words like farewell. There are plenty of keywords that you can catch that would give you an indication that the person is about to live. When you have internal and external partners, they can leave at any time. You do not always get the information in advance, but there are always farewell parties or goodbye emails. You can use this kind of information to raise their risk on the specific alert. It is efficient in the sense that you decrease your false positive rate. To me, AI is something that can help them accelerate and improve on what they are already doing.

Splunk Enterprise Security is very costly. Pricing is probably its weakest spot.

I have been using Splunk Enterprise Security for five years.

It is difficult for me to answer this because I am no longer in charge now, but it has been stable from my point of view. 

Its scalability is good provided you have the right license agreements.

It depends on the situation. The problem at our end that is causing an issue with Splunk support is that we have a customized environment. All the problems that we submit are specific, and they can be a bit difficult to solve. Sometimes, their support is efficient, and at other times, we have to wait a bit too much. I would rate their support a seven out of ten.

Neutral

I arrived at the time of transition. We were probably using RSA. We switched to Splunk Enterprise Security because we needed to jump to another scale. At that time, there was a complete change in the organization. We went from the old-school cyber to Cyber 2.0. We had a lot more visionary managers who came from other companies where they were using Splunk. We had good guidance.

It was a bit difficult. The team that was developing the use cases did not have access to the real data because it was not ready yet. Developing a SOC use case without the data is something difficult. That is why it was difficult at the start, but it was not because of the tool. It was more of a matter of project management. After we moved on from the difficult stage, we were able to set up this use case factory where some of the users were themselves in a bit of self-service mode. This was a very good opportunity to enlarge our capability to cover all the applications in the best way.

For Splunk, we use AWS. We have a private cloud. We have difficulty using cloud-managed services.

Pricing is probably its weakest spot. As compared to some competitors, Splunk is really expensive. The problem is that Splunk is like Rolls-Royce. It, for sure, is the best one. Gartner says it, and the customers say it, but sometimes, you do not need a Rolls-Royce to get to the supermarket.

The problem is that the licenses that we have are based on the volume of data that we ingest in a day. The data that we ingest is only growing. We have initiatives right now for better management of data. It makes sense in terms of storage and sustainability. The pricing model, especially for Europe, is difficult. I am just out of the negotiation for the renewal of the license. We bought it for three more years. This is good news for Splunk and us as well, but it was difficult to discuss with the sales and explain that we do not want to increase the cost because it is already too high, and if it could decrease, it would make sense. It is very difficult to have this understanding from the salesperson. It was difficult for my Splunk account partner, but we succeeded in the negotiation. It was a win-win situation.

They need to be fair and adjust the price as per the usage. If the price goes too high, we would just have a no-go from the top level of the company, which would be a pity. It can happen. It has happened in the past. At some point, we had a big contract with Microsoft for Office, and we are now with Google. It was a shock for the partners and people inside the company, but we did it. We now have Google and we are happy with it. We still have a bit of Microsoft. It is important to keep the balance.

We are looking at the data usage with Splunk's team. We are looking at whether the data onboarded and dashboards that were developed are really being used to avoid wastage. If any data is not necessary in Splunk, we just stop onboarding it. We have other data to onboard anyway. My idea is to be much more efficient in the way we are managing the data and not to go the way we did it in the past.

I did not evaluate other solutions but the company surely did.

Splunk's unified platform has not helped consolidate networking, security, and IT observability tools, but it is not due to the tool. It is due to our company's structure. I have been part of the two teams. Previously, I was a part of the cybersecurity team, so I was mainly using Splunk Enterprise Security. Now I am leading the monitoring team, so I am much more on the SOC side of it. My team provides service to the cybersecurity team that is using Splunk Enterprise Security. In the end, we would like to have one solution, which would be Splunk. I would like to have IT monitoring and observability with ITSI in the future. This centralization would bring efficiency. One log being used for cybersecurity purposes can also be used for other purposes. Everything centralized would give us the most efficient way to access the data and limit duplication. It would be helpful for efficiency, cost control, and data governance.

It is absolutely crucial for us to have end-to-end visibility. For our cybersecurity needs, we should be able to reach anything. We even have this concept of Watch the Watcher, so visibility is absolutely key. We have the opportunity to audit the activities of even cyber analysts, so visibility at every stage is absolutely key. For example, all the SIEMs could be under attack, which would be a nightmare. Imagine it being an insider threat where the attacker knows what exactly we are monitoring. With AI, these kinds of risks are even higher. That is why we are all in for AI for Cyber and Cyber for AI. We need absolute visibility, but we also need protection.

Splunk Enterprise Security has not helped us reduce our alert volume. We are not at that level of maturity at this point. It is still growing.

I would rate Splunk Enterprise Security a nine out of ten. It is a good product. It needs some progress with AI, but based on what I have seen in the presentation for version 8, it seems promising.

I am a SOC lead, and we use Splunk Enterprise Security for alerting and working on incident review and incident response.

We have a hybrid environment. We have multiple clouds, and I am not sure if I know all of them. We have Azure Labs that we run for our students. We have cloud infrastructure. We have cloud applications on which we need visibility.

It is incredibly important that Splunk Enterprise Security provides end-to-end visibility into our environment. Especially being someone who goes through and reviews the work that my analysts are doing, I definitely need to be able to see what is happening all across different domains of our network.

We work for a large university, and we have different tenants. We have our students, we have our employees, and then we have our faculty as well. We definitely need to see what is happening across the domains and across all of those different tenants.

It saves so much time for the analysts, and it empowers analysts to carry out and triage an investigation, wherever needed. It is incredibly hard when you are working with different sources. I am sure everyone else knows that you cannot expect your analysts to be on the same page a hundred percent at the time. They might say, "Hey, I am going to go into this tool and look at these alerts here, or I am going to look at these learnings from this tenant." We need to be looking at all of those sources and all of those domain tenants at once. Being able to see that across the board and not having to jump through hoops to get the data that we want is extremely valuable. I do not have metrics for how much time it has saved because I do not know our life before Splunk. I know that it has done a great deal in saving time, and now with SOAR, that is exactly what we are looking into. We are looking into how we can empower that even more by combining it with Splunk Enterprise Security.

Splunk Enterprise Security has helped improve our organization’s ability to ingest and normalize data. Splunk is definitely a leader. I cannot imagine leaving and going to another toolset and losing the capabilities that I have and the knowledge that I have. One of my favorite parts is that Splunk really does work. It seems to me that they work with actual users on a regular basis, so they know the pain points and they know what our issues or our primary concerns are.

In the beginning, it did not help to reduce our alert volume, but over time, it has definitely reduced that. Something that I am working on primarily with our SOC right now is increasing our alert volume because we are at such a low rate because of the work that we can do with Splunk's capabilities. We are looking into what areas in the network we are not alerting on. We have these out-of-the-box solutions, but there is more that we can build on. It is empowering our analysts to be SOC analysts, but the more advanced employees can work towards the threat detection engineering side or SOAR playbooks development side or even just on the backend of setting up and working with the configuration.

I wish I knew the metrics for the reduction in the alert column. I do not have any approximation, but our SOC is very manageable. We are a small team, and the number of alerts varies. On average, we get about 300 alerts a day on the high end and 150 alerts on the low end. If it is a very slow day, such as a vacation for everyone, and we do not have a lot of activity going on in the network on our endpoints, it is very manageable for a small team. Our SOC team has four full-time employees, and then we have intern/student workers because we partner with the university. We have three of them. Overall, there are seven, but, of course, students are only able to work a maximum of 15 or 18 hours a week or something like that, so the amount of man-hours that we have is pretty low.

Splunk Enterprise Security provides us with the relevant context to help guide our investigations. There could be a little bit more, but that also depends on the analysts and where they are in terms of maturity. I have a lot of capability to go and expand what I need to, but others do need a little bit more guidance. It is not easy on the first look for someone who has never done it before, but after being taught or learning about it themselves, it is pretty easy. It can still do a whole lot. If we are looking at an anonymous login, we are getting context from different sources. If there is an activity that is going on in the host machine, such as we have some login from Russia, which has never happened before, there is a firing of alerts from the EDR. We can see our email gateway firing alerts regarding their account. That allows us to contextualize and correlate the activity very easily.

Splunk Enterprise Security has helped improve our organization’s business resilience. We are able to take action immediately when we need to. Especially with risk-based alerting, we are able to understand what needs attention right now. We do work with young junior analysts a lot, and we are able to teach them how to identify what needs action right now or what needs to be investigated or triaged immediately. We are basically protecting our crown jewels first rather than some low-hanging fruit that we see everyday, but we cannot take a look at them because we have some important things going on in our network.

Being able to aggregate detection and alerts from various sources is valuable. Like everyone else, we have a wide range of tools in our shop. We are able to stop at one spot and look at all the data. All the data is able to come through, and we can then jump from source to source or index to index. We can dig deep whenever we need to and get a good high-level understanding.

The first thing that comes to mind is a little bit of UI improvement. It sometimes can be a little bit buggy or it can be a little bit slow, but that varies from customer to customer.

They can continue building out the Splunk community. They can give incentives for customers to collaborate and expand on what they are working on but also provide the tools to do that. There are good resources such as Splunktern. I love the Splunk education and training platform. It is amazing, but I wish there was a little bit more. Especially with the training and applications, they should give us real-world use cases and a little bit more specific scenarios. Splunk is doing a much better job than a lot of other organizations or technology platforms, but they can give more information. I know a lot of my Splunk users do not even realize the things that they can do. On the user end or analyst end, they need to be more proactive by giving more of a heads-up. For example, I found out about Splunk research today. I have been using Splunk for two years. I wish I had known about that more. They can reach out more. The incentives can be anything. Some people love stickers, and some people love shirts. They can create that community a little bit more.

I have been using Splunk Enterprise Security for two years.

I do not have much to compare it to, but it is stable. We hardly have any issues, and if we do, they are intermittent. 

The growth that we have seen in my time with our team has not been so much. However, we are adding more tools or trying to gain visibility into different areas of our network or applications that have already been there. Being able to throw some logs in and figure out that we should be monitoring this has been painless. We can just forward them all over. It takes an hour or so. We get the answers and the visibility that we need.

I have not used it very often. I have used it once or twice, but I would say that the engineers I have worked with have been extremely knowledgeable. They have helped so much. We were working on SOAR, and we were pretty new to it as a SOC. We were able to work all of that out with a Splunk engineer on a call. They were able to answer our questions. They knew our needs and goals, and they were able to guide us to meet those. That has been very effective for us. I would rate them a ten out of ten. I have not had any bad experiences.

Positive

We have had Splunk since I have been in this company.

Specifically, I cannot say what return on investment we are getting. However, when we look at other products, we know we are not going to have the same capabilities and we are not going to have the same response times and correlation capabilities. Even working with other vendors and getting their logs into Splunk can be a nightmare, and that is enough to make us say that we do not want to buy their product.

Personally, I have not evaluated other solutions. We do have some friends and family connections who use other solutions. Based on their stories, we will continue using Splunk.

I would rate Splunk Enterprise Security a nine out of ten. If it were a ten, it would do my job for me.

We mostly use the solution for compliance, logging, log storage, and root cause analysis. In 2015, we had AIG as a client, and they only had Splunk. Splunk Enterprise Security is one of the oldest solutions that did the logging and storage.

Splunk has fantastic brand value, which helps us sell it as resellers. The solution's pricing is quite competitive. The solution meets all the requirements. As a compliance person, I know that log storage is very important for data privacy compliance guidelines like ISO or CCPA. Splunk provides all of those compliances and checkmarks.

I like that the tool is light and the agent doesn't slow down the machine. Splunk Enterprise Security is a standard solution providing good customer service and partnership.

The solution should improve regional knowledge of the new regulations coming out of the Middle East. As a consulting firm, we are currently targeting many Middle Eastern markets, including Saudi Arabia and Dubai. They don't have a local server support cloud center there, which is a big issue because they don't want their data to go out of the region. Splunk should have more regional data centers in the Middle East.

I have been using Splunk Enterprise Security for five years.

Splunk Enterprise Security provides good stability.

The solution's scalability is fantastic. Even 10,000 to 50,000 endpoints don't slow anything down. The servers, log storage, and ingestion work smoothly, irrespective of whether there are 5,000 or 50,000 endpoints.

The solution’s technical support is very good.

Our customers using Splunk Enterprise Security don't have any compliance issues, and they don't get fined by the regulators, which saves them money.

Splunk Enterprise Security's pricing is pretty competitive.

I'm a consultant who uses Splunk for other clients. It's important for the clients that it can communicate with all kinds of devices, like firewalls, WAFs, servers, endpoints, switches, and routers. All of that is figured out over time, which is useful.

Splunk Enterprise Security is a good tool for finding security events across multi-cloud, on-premises, or hybrid environments.

Splunk has helped improve our organization's ability to ingest and normalize data. It can also identify and solve P1 or high-critical-priority problems in real-time.

Splunk Enterprise Security has helped us reduce our alert volume by around 50%.

The solution provides us with the relevant context to help guide our investigations, and this context information has impacted our investigation process. Having all the data in a single place does help with post-incident response and forensic root cause analysis.

Splunk Enterprise Security has significantly helped speed up our security investigations. I save 60% to 70% of my time because it's easier to find what I want to find through the tool's user interface.

Splunk Enterprise Security has helped reduce our mean time to resolve by around 50%.

Overall, I rate the solution ten out of ten.

We use Splunk daily to find the root cause of attacks and analyze users attempting to access our system. We create incidents and address 5 to 7 simultaneously. Once we analyze and record the activity, we can delete the incident. Our admin team will verify whether it originated externally or internally. 

We use Splunk to respond to security incidents and for data analytics. We conduct custom correlations for the customer and write reports on any attacks. We set alerts for user behavior to discover threats, like if someone is constantly attempting to access our internal domain. The admin will identify that threat and block it. 

Splunk helps us be more proactive. We can take predictive action to identify and block threats so that nothing harmful gets into the system. With Splunk, we can monitor the entire environment from one place. It's a single point of control for all infrastructure, whether in the cloud or on-premise. Splunk has sped up our security investigations. 

I like Splunk's Notable Events. We have created several dashboards for our customers, where you can see the activity and number of alerts. The database receives data about the mask and domain IPs of any user trying to gain access.  We ingest logs from multiple antivirus products and firewalls and analyze them to prevent attacks and threat activities.

Splunk could have more built-in use case presets that customers can build on and customize. 

I have used Splunk for 9 years. 

Splunk is a stable product.

I rate Splunk technical support 8 out of 10. 

Positive

We previously used Dynatrace but switched to Splunk because it has more features. 

Splunk is easy to deploy if you have some basic knowledge. You need experience. It doesn't require any maintenance after deployment. 

Splunk is a good value for the features it provides. The license is costly, but it's better than the other tools. 

I rate Splunk Enterprise Security 8 out of 10. I would recommend Splunk to others. It's one of the most powerful tools available. It's a valuable tool for monitoring infrastructure. 

Splunk Enterprise Security has given me quite a context of how I will approach deploying use cases. I'm also using other tools that Splunk sells. The query-based Splunk deployment certainly needs a specific knowledge requirement because knowledge transfer has to be there. There has to be practice on the query side because the query is the main part of understanding Splunk.

In other tools, it's just click and drag where you take the fields from one place and copy-paste them. There is a learning curve in the context of understanding Splunk, which is difficult for every user to grasp within a short time. It is easy to use the solution after having that knowledge. There is a certain learning curve to learn Splunk query language.

With Sentinel, you can click on the field and select it, but with Splunk, we have to write queries to understand what is in the logs and understand certain fields from the logs that are visible to us. We need to know what kind of fields we need, how to create statistics or tables through it, and how to create visibility of reports through query because everything is through query. A query is the main thing for Splunk. There is a learning timeline that users will have to cover to benefit from Splunk because that is something that a user has to be careful about.

We use Splunk Enterprise Security to serve our clients. Our clients from the financial and health sectors deploy the solution in their environment for cloud visibility. Our clients use the solution to find any threats or vulnerabilities inside their environment. We use the solution to get use cases, reports, dashboards, or visibility onto their environment. We use the solution to detect any attack or malicious intent of users inside the environment. We try to create use cases specific to their environment through Splunk Enterprise Security.

Splunk Enterprise Security has a learning curve that needs to be improved. I have seen users struggle with Splunk just because of the language they've used to create it. I've recently started working for the past three months on Sentinel. The same thing happens with Sentinel, where you select certain things, and it will create a query for you.

It would be great if I could have a certain dialogue box in Splunk that uses innovative AI tools like ChatGPT, which are available now in the tech department. If a user is struggling, they can just ask an AI tool what they are trying to do with a query, and then it can suggest how a query can be written for a particular user. It can help in a way to understand the context of what the user is trying to write, which will be very helpful for ongoing operations.

Even if users have zero knowledge, they can get comfortable with Splunk much more easily if an AI tool helps them write a query or search for any indexes or data models. It will be able to give more context to the user regarding how they should approach the query. This can be done using AI tools like ChatGPT, which will understand the context of what the user is trying to approve and give suggestions based on it.

I have been regularly using Splunk Enterprise Security for the last seven months.

Splunk Enterprise Security is stable 70 or 80% of the time. However, the query gets slow whenever a large number of people are working on Splunk.

Splunk Enterprise Security is a scalable solution, but the scalability part impacts the solution's performance.

We have not yet contacted Splunk's technical support, but we do get regular emails from them providing some context of updating something or threats and vulnerabilities. They do provide a certain kind of visibility, which I do like. They provide their clients with insights into what kind of threats might be present or what kind of composition they're trying to resolve. They give quite a library of expertise and particular emails.

The documentation side of Splunk is something that I appreciate as a Splunk user. This is something that is not visible in other environments. Splunk has taken a step ahead compared to other SIEM tools in providing context for understanding the documentation of how the tools work and how you can utilize the tools.

There is a great learning website for Splunk users, where they provide sets of videos. A small environment will be deployed for users to test and understand the queries. That is something which Splunk has invested quite heavily in, which is very much appreciated by the users. We can easily learn Splunk from their environment and understand any attacks happening because they've already provided so much of the content library. That is great from Splunk's perspective.

Our client already had Splunk working for them for the past six to seven years. The earlier version of Splunk was not reliable and stable to deploy because it used to take so many resources. Even though it has decreased now, the resource requirement is much greater than other tools. Certain organizations or start-ups feel a little bit restricted because, despite being a great tool, they can't use Splunk because of its cost features.

Some organizations use basic SIEM tools like QRadar, which is a great tool. Some organizations use LogRhythm. LogRhythm has a market presence since it also writes great insights into the dashboard. Splunk has certain tools that precede other SIEM tools. QRadar and LogRhythm are used because they are very intuitive and don't require any previous knowledge of using those tools. With Splunk, you will have to understand the context of using a particular field or setting and what it provides you.

The ease of deploying Splunk Enterprise Security is very good. You can get visibility on which particular device you are receiving logs from, give them an index name, and give them a field where you want the logs to go. That is something good that we can understand directly from Splunk. We don't have to go and do that manually from different tools. That was one of the good things while implementing the solution.

From the client team, two people were involved in the deployment process. One person was from their implementation team to understand how the tool is deployed. Another person was from the admin team of engineering, where they were trying to understand what resources they needed to deploy to get usability of plans. A third person was there to understand the context of how the log will be initiated into Splunk.

That is something that was required from their environment. From our side, there were three resources with expertise in Splunk. They were the first hands-on people who were working on the implementation side. Later on, I came into the picture so that implementation could be done to create visibility in the client's environment. Before passing and giving them indexes, the context was taken from us by giving us visibility into the environment and how we want to approach it.

US customers or customers with a bigger cybersecurity budget have seen a return on investment with Splunk Enterprise Security because their internal team is using it. They have seen much more return on investment regarding how their environment is visible. However, the majority of Splunk users have faced issues because of licensing purposes.

Companies cut out budgets to include a reasonable SIEM tool rather than having the costliest solution. For certain markets, it serves a purpose and gives a great ROI. One of our customers has said that it's a good investment tool. They have been using it, and they have been getting great insight. It is certainly serving them a purpose, and that's why they are using Splunk Enterprise Security.

Splunk Enterprise Security is a very good tool, but it uses many resources and comes at a very particular cost, while other tools can easily do the work. There are certain pros and cons to using Splunk Enterprise Security.

The solution's pricing will depend on enterprise to enterprise. For a small enterprise, the solution's cost of ingestion to the cloud will be very high compared to other tools. The licensing cost of data usage is much higher for Splunk than any other tool. Splunk Enterprise Security is not at all cost-friendly to be deployed in very small enterprises like start-ups. Using Splunk for small enterprises is unreliable, and I rate the solution two or three out of ten for its pricing in small enterprises.

I rate the solution five out of ten for its small to medium-enterprise pricing. If they deploy it and have expertise, Splunk Enterprise Security will give them more visibility into their environment. This tool will require licensing costs. If they don't have more environments from where they ingest logs, their data licenses will also be less.

If large enterprises can afford Splunk Enterprise Security, they must select it since the experts working on Splunk can give much more complex insight than any other tool. For large enterprises, it's a great tool for visibility because it can create complex queries, including two different indexes. That is something quite unique about Splunk Enterprise Security.

I am working with the cloud version of Splunk Enterprise Security.

Splunk has certain kinds of health issues that usually get reported. If the search query is lagging, we do check where the query is lagging. That is something that we have to refine. It's a hectic activity, which requires the workforce to understand the context because not every user with a simple understanding of Splunk will be able to do it. It requires understanding how the queries are running, how it is scheduled, and how it uses the resources.

Two sets of people work on it: the analyst from our side and those directly using resources from the client side, who work in their security department. They might have some precedence in the environment, which we might not have. We may face lagging of query and, sometimes, queuing of the query, even though we have run it. It will be the first query we are running, but it will be skewed since we don't have the precedence of running a query.

It will give precedence to other queries over ours. It's a thing that we have to manage. This usually doesn't happen with other SIEM tools. That is something where Splunk has to be less expensive or less maintenance. We are struggling because we only identify after the query has gone rogue to invest in it and spend more time resolving issues.

Until now, I haven't used the threat intelligence management feature or even the data model. I use the documentation provided by Splunk on different attacks, which we can view on their site. They already provide insight into attacks on Active Directory or AWS in their documentation library. That gives a good context of how I can search for the different kinds of attacks.

I'm also automating some of the reports on how I challenge threat intelligence. I'm also doing threat hunting in their environment for some of our clients. I'm trying to find any anomalies with the configuration in their environment, which they are unaware of.

Suppose someone gets a response from their environment regarding weak encryption or a configuration that provides certain privileges to certain users, like any query or command line. We find great visibility from their documentation side. We will need time to get acquainted with Splunk threat intelligence management.

Earlier, I started using Splunk Enterprise Security in 2021. I had a trial with Splunk Enterprise Security and contacted the Singapore team to understand the solution. I was working in a startup and wanted to integrate this solution. I was able to get a trial period for three months. I was able to deploy it on the whole server and learn about the Splunk query language. After the trial, we couldn't purchase Splunk as it's a costly tool.

I initiate use cases, analyze the logs, and implement new logs. Since Splunk supports add-ons specifically for different services, we have created plug-ins to integrate any new AWS logs. Implementation of logs also falls under our category. My main job is cybersecurity. I need to understand all the logs to create use cases that cannot be specifically created by a single person who only understands the injection. The context is important to create the use cases.

We use Splunk Enterprise Security to create visibility into the client's environment and research the threats or vulnerabilities inside their servers. We're trying to detect any vulnerabilities regularly by creating specific reports for our purposes for some exploitation, which can happen if you get certain kinds of privileges. Whenever something malicious happens, Splunk Enterprise Security will send us a report containing that specific activity's data.

I can create specific queries to get reports, which I have not observed in other tools. The same can be replicated for the dashboard or vice versa. Splunk already provides a library of use cases regarding attacks. Their website also has a great amount of documentation on how to search for different kinds of attacks in an environment using certain scripts.

It's very good for users to go through their documentation. Users need not purchase a second solution or outside inventory to get visibility about the kind of attacks they can see. That is something Splunk has already prepared for its clients or users.

Everything concerning Splunk Enterprise Security is quite different from other tools. Splunk Enterprise Security has features that are very different from other vendors. These features include viewing correlation or drill-down searches of specific use cases, mapping those comments, and closing any alerts triggering the incident review.

The solution gives us some visibility on the use cases directly. Query is one of the strongest things that Splunk has. With the respective data models, we can create queries running much faster than other environments.

Splunk Enterprise Security gives certain advantages of deploying and automating some of the things we usually do manually in other tools. One of the biggest advantages of the solution is that we can detect threats and vulnerabilities in the environment by creating certain dashboards that give visibility. We can create certain reports, giving us continuous activity reports of anything malicious. We can schedule it at a specific time and send it as a mail.

That gives Splunk a greater advantage of providing insight to the person trying to see any kind of threats or visibility. The solution is intuitive because it lets you choose how you want to be notified regarding any kind of threat. I can correlate from one index to another by correlating searches by stretching one of the fields from one index and then searching for that information in another index. That is not quite possible in other tools and is unique to Splunk Enterprise Security.

With Splunk, we can correlate between any kind of endpoint device, what IP they are mapping through, and search the firewall in the same query whether that IP was allowed or not. It's a very intuitive tool that allows us to create multiple complex queries to solve a problem in a single go rather than opening different instances of different devices and then comparing them manually.

We deploy all of our use cases and reports with respect to the MITRE ATT&CK framework. We write the tactics and techniques of the MITRE ATT&CK framework inside the use cases because there are fields we can fill in about the MITRE ATT&CK framework. It is very useful for us to monitor what kind of MITRE tactics and techniques we have already covered. For anything missing out, visibility is also great so that we can monitor all the users with respect to the MITRE ATT&CK framework.

In our organization, rather than using only the field change, which covers only some parts, we always deploy use cases with respect to the MITRE ATT&CK framework. We have assessed specific use cases for every environment, whether Windows or AWS. We cover certain default use cases, which we want to create in the environment for covering the MITRE so that those are crucial for discoverability whenever something triggers.

Those are also crucial whenever we want to see how much coverage we have according to one device, like Windows log, Linux log, or AWS or Azure environment. If there is any scope of vulnerability present, someone might be trying to attack AD, and the MITRE ATT&CK framework covers it. On the MITRE ATT&CK framework side, I can put a technique they're using for a threat that might be present for initiating the attack. That gives us great visibility of providing threats.

When we are filling out the MITRE ATT&CK framework, any person from cybersecurity will be directly able to copy-paste any technique onto their Google search. They will be able to know what kind of MITRE technique we are trying to cover and how the use case will help them. That can already be done from a use-case perspective. We don't have to go to the library to know how we deployed the use case. That can be done from every different alert.

There are glitches and notes, and it gives more context with respect to the sensing tool. The main field is the activity field, where jobs are there. The usability of that particular feature, where I can see which particular job they're running, gives context to us on how the query is being run in the back end and how they are scheduling it.

If I don't have certain admin privileges, I might not be able to schedule my query. It will certainly give precedence to the admin account, and if I want to see great visibility into the search I'm doing, it will take a certain time.

Only after a certain privilege query is being run will it give precedence to my query. That is something where the distribution of resources can be separate. A separate tool can also be created for giving certain privileges to temporary users so that they can run their queries to find any threats or vulnerabilities. Also, not every query for admin needs to be run at certain privileges. It can be asked during the time of deploying whether this query requires a certain precedence.

Splunk already has specific definitions for finding threats. It can be through a network or a signature. They already have different kinds of internal assessments of how we're deploying use cases and how Splunk understands it. The same can be given to users because sometimes when we try to search for any threats, it gives precedence to other things. Even though the tool is good, it takes time to give us visibility because of the involvement of so many resources.

On the admin side, if I have certain privileges and everything is running fine, I have great visibility on understanding the use cases and deploying correlation between two different indexes to find any threat. That is great because I don't have to manually create ten use cases, where I can create five and cover both the indexes from which I want to get a query. If I want to search a user's active directory for the kind of privileges they have, I can only create a single use case and cover both.

I don't have to search for it on different use cases manually. Splunk gives great visibility into the dependents of both indexes' coverage in one field. It gives much more context. I can get output from both indexes and correlate what has happened in the user's environment much more quickly rather than using other tools.

Compared to other tools, Splunk Enterprise Security has helped us reduce the volume of alerts and visibility of fine-tuning because it provides many different aspects. I can reduce the volume of alerts by helping users. If they have certain kinds of IPs or exceptions to the rule, I can create a macro. If they have a list of things, they can directly include another macro to make it an exception.

I can create a local file, which is a very good thing for them. They can provide insight on the local file, and I can create a specific query if they want insights on that particular local file whenever something is happening. This useful feature that Splunk provides allows users to have visibility because these are the things users might have done manually on other tools.

Since some dependencies or add-ons for visibility are already inside Splunk, it gives a lot of insight into threats. It reduces threats and gives more context to what we are trying to search for. It automatically gives us a report rather than manually checking for every other field.

Compared to other tools, Splunk Enterprise Security gives context into the raw logs, which are present in my environment, and also what are the fields I'm trying to see. It gives visibility rather than showing all the empty fields, usually presented in other tools, whenever I open any alert.

There are certain fields that are empty and others that are filled. With Splunk Enterprise Security, I can directly check which particular fields I want to see. I don't have to manually go through the whole logs page and select whatever field I'm trying to see. That is a feature in Splunk for investigation purposes.

The time taken by our analyst to resolve alerts compared to other solutions is less. Other tools provide all the available fields, and a person has to decide which field they require for a particular use case.

In Splunk, you can directly point out all the necessary fields required for a particular query you are trying to run. Then, the user can easily assess which particular field they want to investigate more. This great feature from Splunk gives an analyst less time to wait for the alert and more time to do an analysis.

The recent CrowdStrike report reported that the majority of the cyber attacks are from active directories and from the carelessness of users through phishing emails. Even though the visibility needs to be there in cyber security, organizations still usually use SIEM tools, which are much cheaper. For such cheaper tools, they have to hire many analysts, and every analyst has to be on the same page to understand the context of what is going on in their environment.

If they already have a small team, they can do this work easily in Splunk. An organization needs to understand how complex their environment is. If their environment needs a certain kind of visibility, they need to go for a tool that serves their purpose of providing insight rather than going for the cheapest solution. Also, it will be much more beneficial for their hiring purposes. Relatively fewer people will be required if they can closely monitor Splunk and create queries. If certain users have already used Splunk, it will be great for them to deploy the solution.

Splunk provides much more insight concerning the closeness of understanding everything going on in their environment. A certain group of people can get the context of what is working in their environment and how they're approaching it. This is less of a hassle in other tools where every use case will be deployed irrespective of dependency on one use case.

One field or one endpoint solution will be different from an authentication tool, and they won't be correlating as such. We will have to do that manually and search for any similar field manually. Whereas in Splunk Enterprise Security, you can deploy it at once. So, less workforce will be required for deploying, understanding, and giving context to the users working on the environment inside their organization.

Our US customer has more than 15,000 to 20,000 devices deployed since it's a hospital. They have ingestion of data from every side from where logs can be ingested. Every employee working in the environment will be interacting with the internal sources. So, we see logs in every device, including laptops, desktops, medical devices, firewalls, and mobile devices. Usually, doctors get updates and visibility on their mobile devices. These mobile devices should not be attacked as they are the ones where the user data or the patient's data is exchanged very informally.

They have deployed specifically Armis to get visibility onto their network communication, which is a very good tool. They have invested in automating the resources, creating visibility onto their environment, and blocking certain communication. They can create specific playbooks with respect to it. It has given them a much more context. The same thing is not necessarily happening with other clients because they have deployed very few devices.

So, there was no complexity in understanding the environment as such. For them, Splunk provides the same insight as any other tool. For them, it's not serving the same purpose. For them, the deployment of use cases is good and not that complex. Besides that, Splunk is not serving this client's purpose because they already have fewer resources deployed. For them, Splunk does not provide any visibility or context that could not have been filled out with any other SIEM application.

I will certainly say that Splunk Enterprise Security is a great tool if you have the context and patience to learn it. It can also serve a great purpose of understanding the environment much more clearly and easily than other tools. Users will have to compare the pros and cons if they can afford it because it will be expensive for any organization.

Overall, I rate Splunk Enterprise Security an eight out of ten.