Splunk Enterprise Security Reviews

Enterprise Security has reduced our mean time to detection to results. It used to take 25 to 30 minutes and now it's down to less than ten minutes. 

Our customer has been far more satisfied with our incident response and remediation since we adopted Splunk several years ago.

Our time to value was within a few weeks to a month.

The most valuable feature is the incident dashboard, and the extensive use of correlation searches, which isn't available with a standard Splunk search package. This feature is important to me because it enables SOC analysts to do their job more efficiently and be able to investigate or mediate incidents at a faster pace.

Another benefit is the expansion of the use of ITSI, SOAR, and now Mission Control being able to holistically monitor an environment with one tool. Also with Mission Control, we have the ability to have one interface.

It's very easy to monitor a single cloud with ES solutions. I've worked with several other SIEM tools before and Splunk does it better.

Splunk's ability to predict, identify, and solve problems in real time is good. They do it better than other tools.

I am looking forward to their expansion of the use of AI. Using AI in the user interface will go a long way because one of the challenges in my organization is getting other people to use Splunk. A lot of people are averse to using new tools so if they make it even more user-friendly than it already is, I think that could go a long way.

I have been using Splunk Enterprise Security Enterprise for three and a half years. 

Stability is excellent. It is the most stable SIEM solution I've worked with.

Scalability is excellent. If you need to add more capacity, you can add more indexes, and more search heads as you need. The environment stays stable as you're doing it if you do it the right way. 

My environment is about nine indexes, four search heads, and about 800 GBs a day.

Their support is excellent. Every case I ever had to put in has been handled and resolved in a matter that I would hope for many support tickets.

I would rate them a ten out of ten because they are much more responsive than a lot of other vendors I've worked with.

There are mostly pros when comparing Splunk to its competitors because it collects data and analyzes it. It analyzes data better and in a more detailed, documented, and organized fashion than any other SIEM that I've worked with.

I have worked with Microsoft Sentinel and ArcSight.

I was involved in the initial setup with the help of their professional services. It was complex at first because my colleagues and I did not know the application that well. There was definitely a learning curve but once we started to understand how to design it the proper way and how to manage it the proper way which made things a lot easier.

It's more expensive than the other tools but it's worth it. Every penny is worth it. They do analytics better. They do security investigations better. They do everything better.

I would rate Splunk Enterprise Security a ten out of ten. I have worked with other SIEM solutions before and Splunk is the best one.

The biggest value I get out of attending a Splunk conference is getting to network with other people within my same account under my same account manager. I appreciate the ability to go to sessions about different support products that my organization doesn't use and try to help myself understand how some of these tools are used and how I could encourage my organization to use them.

Enterprise security is the solution’s most valuable feature.

Its reporting functionality is excellent.

I really like the user interface and how it works.

It’s scalable.

The solution is stable.

You can integrate any other tool or any other solution, including existing solutions, with Splunk. They have a good setup.

The log analysis is something that is good. In general, data analysis is something you can do in Splunk in various ways. You can leverage it as per your requirements or as per your investigations. You can write your own queries and complicated queries, and you can have your own alerts. You can correlate events. It’s very flexible.

It is one of the best tools that I'm using. I don't have any feedback as such right now regarding improvements. I'm not also an expert, so maybe I'm missing something.

Writing queries is a bit complicated sometimes. If they could provide some building queries, that would be great.

It's been a while. For maybe four years, I've used Splunk, however, I'm not an expert on it.

It's a stable solution. We are not going to get rid of it anytime soon. It’s reliable. There are no bugs or glitches and it doesn’t crash or freeze. The performance is good.

The solution scales very well.

I wasn't part of the engineering side, so I never got a chance to contact the support team directly.

We have a SIEM solution, however, now the company is also trying to move to an Excel solution since the automation is better on their side. We aren't going to get rid of it or did not have any other SIEM solution in their mind when they were acquiring it. However, if any XOR solution works perfectly for us, the company might consider moving out of Splunk.

A different organization would have a different setup of Splunk. If you ask me, mostly, it is a simple setup. However, here in my current organization, it is mostly on the cloud, and a lot of things are integrated in a bit of a complex manner. I also understand that this changes from organization to organization in terms of how they will leverage it.

I’ve never looked into ROI and have not been a part of conversations concerning ROI.

I don’t have any idea what the cost of the solution is. I don’t handle the licensing.

A company that wants to leverage Splunk should understand its environment first - including the organization, the network infrastructure, and the overall infrastructure. Then, based on requirements, they should go ahead with any SIEM solution. Splunk is kind of an expensive tool to have. Therefore, the company should be clear about what requirements they have, what they need, and whether they want to use Splunk. It is very crucial to understand your requirements and your network or your environment first before going ahead.

I’d rate the solution eight out of ten.

Overall, it's a good tool. It's a very intelligent tool. It definitely depends on how you are going to use it. However, I love the product. I love Splunk. I want to learn more about it as much as I can.

We primarily use the solution for monitoring, intrusion detection, and prevention. It is mostly a lot of security and network and server monitoring.

It automated the way we look at intrusion detection and prevention. It automatically picks up intrusion attempts within our environment.

The monitoring and the security functionality are the most valuable aspects of the solution.

It is easy to set up.

It is very scalable. 

You can basically make it do whatever you want, from log management and monitoring security, intrusion detection, prevention, and linking to your antivirus to report to it. Having kind of a single point where everything feeds in and create dashboards however you like is useful and works with how many ever systems you want in that dashboard.

I've not come across any areas that need improvement.

I'd like to see more integration with more antivirus systems.

We've used the solution for roughly, one year and a half years.

The solution is highly scalable.

We have four people that use the solution and they were split between infrastructure and security.

We don't have a plan to increase usage as we're almost at capacity with our servers, for our purposes. I don't think we're going to scale it as we're using everything we can from anything we need. However, it's intensely used for security purposes.

Technical support is perfect.

Positive

The initial setup was straightforward. It was done by Splunk entirely. After that, the configuration took a bit of time, however, we bought professional service days from them to help us build the configuration.

The full deployment took about five months due to the fact that we have quite a lot of servers.

I'd rate the experience a five out of five in terms of ease of execution. 

The amount of people you require for deployment and maintenance depends on the complexity of the environment. It can be run and managed by a single person if the environment is not highly complex. If you're talking about probably less than 200 servers, and a couple of network endpoints, one person can manage it easily after it's been configured. Otherwise, I wouldn't be able to say. In more complex environments where you've got several geographical locations, several data centers in geographical locations, and so on, you'd probably need more than one.

Splunk handled the implementation. It was a joint effort between them bringing the knowledge and us doing the actual work.

It's a great investment, especially if you want to strengthen your security stance.

It's yearly a yearly license on a three-year contract. On a three-year contract, you get a discount basically - rather than putting it on a rolling yearly contract.

On pricing, if I base it on the functionality of the system out of the box, I would rate it five out of five.

They have several prepackaged modules you can purchase. For example, for the security type, they have Security Enterprise, with the default products getting security essentials. With Infrastructure, the same. We've got an ITOps enterprise, which again, is payable on top of the standard license. 

It's pretty much how much you can actually build in-house. The difference between AT&T, LogRhythm, and Splunk, while AT&T and LogRhythm are pretty out of the box (it's click and configure), Splunk is highly configurable. 

You can make it do whatever you want to, as long as you know how to edit the configuration files. What ITOps and Security Enterprise do, instead of you having to build all that from the ground up, so the dashboards, the logic behind it, the configuration files, and so on, become prepackaged and pre-installed.

We did test AT&T and LogRhythm as well. We chose this solution as a balance between cost and functionality.

AT&T was a great security tool, however, it lacked a lot of the infrastructure things that Splunk does, in terms of server monitoring and network monitoring. LogRhythm did have a dose, however, at a very prohibitive price. It was almost twice the cost of Splunk.

We've got a version of Splunk Cloud. I'm not sure of which version.

I'd advise users to get more professional service days. You get five professional service days with the product, when you buy the license, usually. Definitely get at least ten more.

You need to have some strategy before. You definitely need a strategy. Before you do your PS days, definitely have a look at your strategy and make sure you've arranged your questions rather diligently. Based on how you think you're going to use the system, where you are where you want to be, just box them into separate parts - security, infrastructure, and monitoring. It's going to make life a lot easier when you talk to consultants as the consultants are very, very knowledgeable. However, you need to ask the right questions.

I'd rate the solution ten out of ten.

It is a very well-organized solution. I find it more user-friendly than ArcSight and QRadar. I can search, and I can do whatever I need in terms of dashboards, reports, etc.

It is the best tool if you have a complex environment or if data ingestion is too huge.

The cluster environment should be improved. We have a cluster. In the Splunk cluster environment, in the case of heavy searches and heavy load, the Splunk cluster goes down, and we have to put it in the maintenance mode to get it back. We are not able to find the actual culprit for this issue. I know that cluster has RF and SF, but it has been down so many times. There should be something in Splunk to help users to find the reason and the solution for such issues.

I would also like to be able to see all the data for internal logs. When we search for internal logs, sometimes, we are not able to find some of the data. For example, when Splunk crashes or something happens, we don't get to know what happened. We tried looking into the internal logs, but we could never figure out the reason from the logs. The information is limited, and it should be improved.

We have been using Splunk for more than four years.

Its scalability is very good. Companies nowadays are totally dependent on tools like Splunk. It is widely used in our organization. We have a huge team that uses it on a daily basis. For onboarding, we have another team, and we also have a team for Splunk monitoring. We have a large amount of data ingestion per day, so our team has more than 25 people in it.

In my current company, I have seen the tickets getting resolved soon. In my previous company, which was a startup, a P1 ticket generally took 24 hours or less. They called us back and resolved it as soon as possible, but if it was a P2 or P3, I have seen them taking a month or more.

We worked with QRadar for some time, but after that, we just came to Splunk.

It is straightforward. The deployment duration totally depends on how you are working.

We have it on-premises as well as on the cloud.

We have an unlimited one, and we pay yearly, but I don't know how much it costs. Previously, I worked for a startup, and when they started building it up, it was complicated for them because they didn't have the budget for that many licenses. It was very costly for them. So, startups might find it a little bit problematic because of the licensing, but for bigger companies, there is no issue.

If it is a complex environment and data ingestion is huge where you want to ingest Syslogs or networking devices logs, you should go with Splunk. It is better than QRadar. Nowadays, the usage of AWS is growing, and that should be taken into consideration when deciding about on-premises or cloud deployment.

I would rate it a nine out of 10. I find it great. I'm very eager to do the Splunk certifications as well.

We primarily use the solution for log management and security purposes.

The log management is great.

It has a very good alert tool that you can create with the logs that Splunk gets.

You can check up on security from the dashboards. We use some custom applications which we have created by ourselves. It's very helpful to have custom dashboards with knowledge of the system of what we monitor.

The initial setup is simple. 

We have found the solution to be stable.

Its scalability is quite good.

Right now, everything is good. I don't really have notes for aspects of improvement. 

There can be a bit of complexity around some fields during the initial setup. There are some places where you have to use regular expressions to parse logs. The part of parsing logs correctly is the most, let's say, difficult thing, and when this is done, all of the other things are easier. Anyway, the regex part is a very good feature and in my opinion, it should stay like it is, because it gives a lot of flexibility. Customers may learn to use it or use technical support.

The cost of the solution is a little bit high.

I've used the solution since 2016. I've used it for around six years at this point.

In terms of stability, it's reliable. There aren't bugs or glitches. it works well. It doesn't crash or freeze. 

The solution is scalable. If a company needs to expand it, it can do so.

We have a technical support contract.  

For the most part, we can do it probably ourselves. When technical support helps us, however, everything goes pretty smoothly. We are quite satisfied with them. We typically get immediate support and assistance.

The ease or difficulty of the initial setup depends on the infrastructure of the organization. However, when we have installed it, it was pretty simple. That said, there are some fields that are complex, and for this, we have support.

We did get support to assist us with a few complex fields.

We pay a yearly license. You do need to set up a contract for technical support.

While I don't have details about the exact pricing, my understanding is that it can be a bit expensive. 

We are a customer and an end-user.

I would rate the solution at a nine out of ten. We've been very happy with its capabilities in general. 

The only downside is the pricing. If the price would be lower, you would have the possibility to buy more capacity for parsing logs per day. In Splunk, you have a daily limit of logs that will be parsed. If you place that limit several times, the Splunk license will be blocked and you have to talk with support to get a recovery license. With the capacity, you can include, let's say, 30 servers, but if you want to include another 20 servers, you have to buy an additional license, which is very costly.

That said, for medium and large enterprise businesses it's really necessary to have. Even in smaller businesses, it is good to have. It's just the price that would stop small businesses from taking it on. 

If a small business has less than 500 MB logs/day, they may use a splunk free license.

I work for a government agency and we use Splunk to monitor our Cisco equipment. I'm a senior network engineer and we are customers of Splunk. 

This is a very capable and flexible solution. It's based on Linux and even Windows installations use the Linux file structure. You can use it to gather syslog messages from anything; jet engines, fin-tech financial institutions, banking, regular enterprise, etc. You can gather the messages from network equipment, elevators, anything you can think of that generates syslog, and Splunk it. They also have a good API so you can write your own code to talk to it or interact with it. The solution has a lot of applications that people have written. It's the best solution on the market. 

It would be nice if they had a wizard to construct searches, including more complex searches that include math or statistics. 

I've been using this solution for 10 years. 

The product runs on Linux so it's very stable. It's important to have a well-run SAN environment to store the data. 

The solution can be scaled up to any size of enterprise or agency. I have heard of Splunk installations of over 100 terabytes of licensing.

We used Logrhythm previously but it was not a good fit for our environment. That is why we switched to Splunk.

The initial setup is fairly complex. There's a certain architecture that Splunk utilizes to handle its indexing and it also depends on the size of your deployment. If you have a relatively low amount of gigabytes per day, deployment is simple. And of course it scales to terabyte, so if you have a terabytes installation, there are a lot of additional services that need to be implemented such as licensing servers and clustering. We sometimes configure syslog NG servers to front end the date before it ends up at an indexer. If it's a large terabyte installation, you definitely want to use professional services.

This was implemented through a combination of in house and vendor developers.

n/a

Splunk charges on the basis of gigabytes of incoming log messages per day. Also I would recommend that funds be set aside for Splunk training and certification.

There is a large number of options for training and certification. The more training you have the more useful Splunk becomes. However, right out the gate you can do useful searches due to the search bar design.

The most valuable feature of Splunk is security information and event management(SIEM). Additionally, the solution is easy to use, has useful reports, and good interface.

I have used Splunk within the past 12 months.

Splunk is stable, and this is why many customers want it.

The scalability of Splunk is good. Customers can purchase 100 GB now and if they wanted more, they can immediately add an additional 100. The customer will have to only pay for additional licenses.

I hear that customers usually have support on time from the Splunk team. Generally, they are satisfied with the response they receive from Splunk.

The total time of the implementation depends upon the customer's requirement. The factors that affect the implementation time are the type of use case, the environment of deployment, one location or multiple locations, number of devices, and applications. The requirements play a large role in the time it might take for implementation. You cannot simply explain in one week or one month.

There are two to three people required for the implementation of Splunk.

The price of this solution is expensive. However, it has great features. If you want a great solution you need to pay a price matching the features.

If this solution matches the needs of your use case then I would give it a try.

I rate Splunk a nine out of ten.

The project we are working on with Splunk is short as the customer has given us two months to implement. My company is a Splunk partner.

Splunk is quite flexible for our customers. Splunk does not filter from a specific lock, you can define it later.

I would like Splunk to add more integration. QRadar has many indications with more products than Splunk.

I have been working with Splunk for three months.

Splunk is quite good if you want to scale it.

My client has some pain points with QRadar and does not feel the kilogram function is accurate. Other features do not match with the customer behavior as well. They want to replace QRadar with Splunk because they are familiar with this solution.

The initial setup of Splunk is complex. It requires a lot of equipment and uploads.

My company provides the implementation and maintenance services to our customers.

Splunk licensing requires you to purchase licenses for any feature per user. For example, if you need UEBA, it is difficult to propose in the project. QRadar has a free upcharge for UEBA. Customers cannot calculate the additional costs based on gigabytes per day because they can not forecast the future.

Due to the cost of Splunk, I recommend it for larger companies. Splunk is powerful when sorting huge amounts of data. 

Implementation of Splunk takes preparation. It requires a lot of resources and needs the infrastructure to support the project.

I would rate the solution an 8 out of 10.