Splunk Enterprise Security Reviews

We mostly use the solution for compliance, logging, log storage, and root cause analysis. In 2015, we had AIG as a client, and they only had Splunk. Splunk Enterprise Security is one of the oldest solutions that did the logging and storage.

Splunk has fantastic brand value, which helps us sell it as resellers. The solution's pricing is quite competitive. The solution meets all the requirements. As a compliance person, I know that log storage is very important for data privacy compliance guidelines like ISO or CCPA. Splunk provides all of those compliances and checkmarks.

I like that the tool is light and the agent doesn't slow down the machine. Splunk Enterprise Security is a standard solution providing good customer service and partnership.

The solution should improve regional knowledge of the new regulations coming out of the Middle East. As a consulting firm, we are currently targeting many Middle Eastern markets, including Saudi Arabia and Dubai. They don't have a local server support cloud center there, which is a big issue because they don't want their data to go out of the region. Splunk should have more regional data centers in the Middle East.

I have been using Splunk Enterprise Security for five years.

Splunk Enterprise Security provides good stability.

The solution's scalability is fantastic. Even 10,000 to 50,000 endpoints don't slow anything down. The servers, log storage, and ingestion work smoothly, irrespective of whether there are 5,000 or 50,000 endpoints.

The solution’s technical support is very good.

Our customers using Splunk Enterprise Security don't have any compliance issues, and they don't get fined by the regulators, which saves them money.

Splunk Enterprise Security's pricing is pretty competitive.

I'm a consultant who uses Splunk for other clients. It's important for the clients that it can communicate with all kinds of devices, like firewalls, WAFs, servers, endpoints, switches, and routers. All of that is figured out over time, which is useful.

Splunk Enterprise Security is a good tool for finding security events across multi-cloud, on-premises, or hybrid environments.

Splunk has helped improve our organization's ability to ingest and normalize data. It can also identify and solve P1 or high-critical-priority problems in real-time.

Splunk Enterprise Security has helped us reduce our alert volume by around 50%.

The solution provides us with the relevant context to help guide our investigations, and this context information has impacted our investigation process. Having all the data in a single place does help with post-incident response and forensic root cause analysis.

Splunk Enterprise Security has significantly helped speed up our security investigations. I save 60% to 70% of my time because it's easier to find what I want to find through the tool's user interface.

Splunk Enterprise Security has helped reduce our mean time to resolve by around 50%.

Overall, I rate the solution ten out of ten.

We use Splunk daily to find the root cause of attacks and analyze users attempting to access our system. We create incidents and address 5 to 7 simultaneously. Once we analyze and record the activity, we can delete the incident. Our admin team will verify whether it originated externally or internally. 

We use Splunk to respond to security incidents and for data analytics. We conduct custom correlations for the customer and write reports on any attacks. We set alerts for user behavior to discover threats, like if someone is constantly attempting to access our internal domain. The admin will identify that threat and block it. 

Splunk helps us be more proactive. We can take predictive action to identify and block threats so that nothing harmful gets into the system. With Splunk, we can monitor the entire environment from one place. It's a single point of control for all infrastructure, whether in the cloud or on-premise. Splunk has sped up our security investigations. 

I like Splunk's Notable Events. We have created several dashboards for our customers, where you can see the activity and number of alerts. The database receives data about the mask and domain IPs of any user trying to gain access.  We ingest logs from multiple antivirus products and firewalls and analyze them to prevent attacks and threat activities.

Splunk could have more built-in use case presets that customers can build on and customize. 

I have used Splunk for 9 years. 

Splunk is a stable product.

I rate Splunk technical support 8 out of 10. 

Positive

We previously used Dynatrace but switched to Splunk because it has more features. 

Splunk is easy to deploy if you have some basic knowledge. You need experience. It doesn't require any maintenance after deployment. 

Splunk is a good value for the features it provides. The license is costly, but it's better than the other tools. 

I rate Splunk Enterprise Security 8 out of 10. I would recommend Splunk to others. It's one of the most powerful tools available. It's a valuable tool for monitoring infrastructure. 

Splunk Enterprise Security has given me quite a context of how I will approach deploying use cases. I'm also using other tools that Splunk sells. The query-based Splunk deployment certainly needs a specific knowledge requirement because knowledge transfer has to be there. There has to be practice on the query side because the query is the main part of understanding Splunk.

In other tools, it's just click and drag where you take the fields from one place and copy-paste them. There is a learning curve in the context of understanding Splunk, which is difficult for every user to grasp within a short time. It is easy to use the solution after having that knowledge. There is a certain learning curve to learn Splunk query language.

With Sentinel, you can click on the field and select it, but with Splunk, we have to write queries to understand what is in the logs and understand certain fields from the logs that are visible to us. We need to know what kind of fields we need, how to create statistics or tables through it, and how to create visibility of reports through query because everything is through query. A query is the main thing for Splunk. There is a learning timeline that users will have to cover to benefit from Splunk because that is something that a user has to be careful about.

We use Splunk Enterprise Security to serve our clients. Our clients from the financial and health sectors deploy the solution in their environment for cloud visibility. Our clients use the solution to find any threats or vulnerabilities inside their environment. We use the solution to get use cases, reports, dashboards, or visibility onto their environment. We use the solution to detect any attack or malicious intent of users inside the environment. We try to create use cases specific to their environment through Splunk Enterprise Security.

Splunk Enterprise Security has a learning curve that needs to be improved. I have seen users struggle with Splunk just because of the language they've used to create it. I've recently started working for the past three months on Sentinel. The same thing happens with Sentinel, where you select certain things, and it will create a query for you.

It would be great if I could have a certain dialogue box in Splunk that uses innovative AI tools like ChatGPT, which are available now in the tech department. If a user is struggling, they can just ask an AI tool what they are trying to do with a query, and then it can suggest how a query can be written for a particular user. It can help in a way to understand the context of what the user is trying to write, which will be very helpful for ongoing operations.

Even if users have zero knowledge, they can get comfortable with Splunk much more easily if an AI tool helps them write a query or search for any indexes or data models. It will be able to give more context to the user regarding how they should approach the query. This can be done using AI tools like ChatGPT, which will understand the context of what the user is trying to approve and give suggestions based on it.

I have been regularly using Splunk Enterprise Security for the last seven months.

Splunk Enterprise Security is stable 70 or 80% of the time. However, the query gets slow whenever a large number of people are working on Splunk.

Splunk Enterprise Security is a scalable solution, but the scalability part impacts the solution's performance.

We have not yet contacted Splunk's technical support, but we do get regular emails from them providing some context of updating something or threats and vulnerabilities. They do provide a certain kind of visibility, which I do like. They provide their clients with insights into what kind of threats might be present or what kind of composition they're trying to resolve. They give quite a library of expertise and particular emails.

The documentation side of Splunk is something that I appreciate as a Splunk user. This is something that is not visible in other environments. Splunk has taken a step ahead compared to other SIEM tools in providing context for understanding the documentation of how the tools work and how you can utilize the tools.

There is a great learning website for Splunk users, where they provide sets of videos. A small environment will be deployed for users to test and understand the queries. That is something which Splunk has invested quite heavily in, which is very much appreciated by the users. We can easily learn Splunk from their environment and understand any attacks happening because they've already provided so much of the content library. That is great from Splunk's perspective.

Our client already had Splunk working for them for the past six to seven years. The earlier version of Splunk was not reliable and stable to deploy because it used to take so many resources. Even though it has decreased now, the resource requirement is much greater than other tools. Certain organizations or start-ups feel a little bit restricted because, despite being a great tool, they can't use Splunk because of its cost features.

Some organizations use basic SIEM tools like QRadar, which is a great tool. Some organizations use LogRhythm. LogRhythm has a market presence since it also writes great insights into the dashboard. Splunk has certain tools that precede other SIEM tools. QRadar and LogRhythm are used because they are very intuitive and don't require any previous knowledge of using those tools. With Splunk, you will have to understand the context of using a particular field or setting and what it provides you.

The ease of deploying Splunk Enterprise Security is very good. You can get visibility on which particular device you are receiving logs from, give them an index name, and give them a field where you want the logs to go. That is something good that we can understand directly from Splunk. We don't have to go and do that manually from different tools. That was one of the good things while implementing the solution.

From the client team, two people were involved in the deployment process. One person was from their implementation team to understand how the tool is deployed. Another person was from the admin team of engineering, where they were trying to understand what resources they needed to deploy to get usability of plans. A third person was there to understand the context of how the log will be initiated into Splunk.

That is something that was required from their environment. From our side, there were three resources with expertise in Splunk. They were the first hands-on people who were working on the implementation side. Later on, I came into the picture so that implementation could be done to create visibility in the client's environment. Before passing and giving them indexes, the context was taken from us by giving us visibility into the environment and how we want to approach it.

US customers or customers with a bigger cybersecurity budget have seen a return on investment with Splunk Enterprise Security because their internal team is using it. They have seen much more return on investment regarding how their environment is visible. However, the majority of Splunk users have faced issues because of licensing purposes.

Companies cut out budgets to include a reasonable SIEM tool rather than having the costliest solution. For certain markets, it serves a purpose and gives a great ROI. One of our customers has said that it's a good investment tool. They have been using it, and they have been getting great insight. It is certainly serving them a purpose, and that's why they are using Splunk Enterprise Security.

Splunk Enterprise Security is a very good tool, but it uses many resources and comes at a very particular cost, while other tools can easily do the work. There are certain pros and cons to using Splunk Enterprise Security.

The solution's pricing will depend on enterprise to enterprise. For a small enterprise, the solution's cost of ingestion to the cloud will be very high compared to other tools. The licensing cost of data usage is much higher for Splunk than any other tool. Splunk Enterprise Security is not at all cost-friendly to be deployed in very small enterprises like start-ups. Using Splunk for small enterprises is unreliable, and I rate the solution two or three out of ten for its pricing in small enterprises.

I rate the solution five out of ten for its small to medium-enterprise pricing. If they deploy it and have expertise, Splunk Enterprise Security will give them more visibility into their environment. This tool will require licensing costs. If they don't have more environments from where they ingest logs, their data licenses will also be less.

If large enterprises can afford Splunk Enterprise Security, they must select it since the experts working on Splunk can give much more complex insight than any other tool. For large enterprises, it's a great tool for visibility because it can create complex queries, including two different indexes. That is something quite unique about Splunk Enterprise Security.

I am working with the cloud version of Splunk Enterprise Security.

Splunk has certain kinds of health issues that usually get reported. If the search query is lagging, we do check where the query is lagging. That is something that we have to refine. It's a hectic activity, which requires the workforce to understand the context because not every user with a simple understanding of Splunk will be able to do it. It requires understanding how the queries are running, how it is scheduled, and how it uses the resources.

Two sets of people work on it: the analyst from our side and those directly using resources from the client side, who work in their security department. They might have some precedence in the environment, which we might not have. We may face lagging of query and, sometimes, queuing of the query, even though we have run it. It will be the first query we are running, but it will be skewed since we don't have the precedence of running a query.

It will give precedence to other queries over ours. It's a thing that we have to manage. This usually doesn't happen with other SIEM tools. That is something where Splunk has to be less expensive or less maintenance. We are struggling because we only identify after the query has gone rogue to invest in it and spend more time resolving issues.

Until now, I haven't used the threat intelligence management feature or even the data model. I use the documentation provided by Splunk on different attacks, which we can view on their site. They already provide insight into attacks on Active Directory or AWS in their documentation library. That gives a good context of how I can search for the different kinds of attacks.

I'm also automating some of the reports on how I challenge threat intelligence. I'm also doing threat hunting in their environment for some of our clients. I'm trying to find any anomalies with the configuration in their environment, which they are unaware of.

Suppose someone gets a response from their environment regarding weak encryption or a configuration that provides certain privileges to certain users, like any query or command line. We find great visibility from their documentation side. We will need time to get acquainted with Splunk threat intelligence management.

Earlier, I started using Splunk Enterprise Security in 2021. I had a trial with Splunk Enterprise Security and contacted the Singapore team to understand the solution. I was working in a startup and wanted to integrate this solution. I was able to get a trial period for three months. I was able to deploy it on the whole server and learn about the Splunk query language. After the trial, we couldn't purchase Splunk as it's a costly tool.

I initiate use cases, analyze the logs, and implement new logs. Since Splunk supports add-ons specifically for different services, we have created plug-ins to integrate any new AWS logs. Implementation of logs also falls under our category. My main job is cybersecurity. I need to understand all the logs to create use cases that cannot be specifically created by a single person who only understands the injection. The context is important to create the use cases.

We use Splunk Enterprise Security to create visibility into the client's environment and research the threats or vulnerabilities inside their servers. We're trying to detect any vulnerabilities regularly by creating specific reports for our purposes for some exploitation, which can happen if you get certain kinds of privileges. Whenever something malicious happens, Splunk Enterprise Security will send us a report containing that specific activity's data.

I can create specific queries to get reports, which I have not observed in other tools. The same can be replicated for the dashboard or vice versa. Splunk already provides a library of use cases regarding attacks. Their website also has a great amount of documentation on how to search for different kinds of attacks in an environment using certain scripts.

It's very good for users to go through their documentation. Users need not purchase a second solution or outside inventory to get visibility about the kind of attacks they can see. That is something Splunk has already prepared for its clients or users.

Everything concerning Splunk Enterprise Security is quite different from other tools. Splunk Enterprise Security has features that are very different from other vendors. These features include viewing correlation or drill-down searches of specific use cases, mapping those comments, and closing any alerts triggering the incident review.

The solution gives us some visibility on the use cases directly. Query is one of the strongest things that Splunk has. With the respective data models, we can create queries running much faster than other environments.

Splunk Enterprise Security gives certain advantages of deploying and automating some of the things we usually do manually in other tools. One of the biggest advantages of the solution is that we can detect threats and vulnerabilities in the environment by creating certain dashboards that give visibility. We can create certain reports, giving us continuous activity reports of anything malicious. We can schedule it at a specific time and send it as a mail.

That gives Splunk a greater advantage of providing insight to the person trying to see any kind of threats or visibility. The solution is intuitive because it lets you choose how you want to be notified regarding any kind of threat. I can correlate from one index to another by correlating searches by stretching one of the fields from one index and then searching for that information in another index. That is not quite possible in other tools and is unique to Splunk Enterprise Security.

With Splunk, we can correlate between any kind of endpoint device, what IP they are mapping through, and search the firewall in the same query whether that IP was allowed or not. It's a very intuitive tool that allows us to create multiple complex queries to solve a problem in a single go rather than opening different instances of different devices and then comparing them manually.

We deploy all of our use cases and reports with respect to the MITRE ATT&CK framework. We write the tactics and techniques of the MITRE ATT&CK framework inside the use cases because there are fields we can fill in about the MITRE ATT&CK framework. It is very useful for us to monitor what kind of MITRE tactics and techniques we have already covered. For anything missing out, visibility is also great so that we can monitor all the users with respect to the MITRE ATT&CK framework.

In our organization, rather than using only the field change, which covers only some parts, we always deploy use cases with respect to the MITRE ATT&CK framework. We have assessed specific use cases for every environment, whether Windows or AWS. We cover certain default use cases, which we want to create in the environment for covering the MITRE so that those are crucial for discoverability whenever something triggers.

Those are also crucial whenever we want to see how much coverage we have according to one device, like Windows log, Linux log, or AWS or Azure environment. If there is any scope of vulnerability present, someone might be trying to attack AD, and the MITRE ATT&CK framework covers it. On the MITRE ATT&CK framework side, I can put a technique they're using for a threat that might be present for initiating the attack. That gives us great visibility of providing threats.

When we are filling out the MITRE ATT&CK framework, any person from cybersecurity will be directly able to copy-paste any technique onto their Google search. They will be able to know what kind of MITRE technique we are trying to cover and how the use case will help them. That can already be done from a use-case perspective. We don't have to go to the library to know how we deployed the use case. That can be done from every different alert.

There are glitches and notes, and it gives more context with respect to the sensing tool. The main field is the activity field, where jobs are there. The usability of that particular feature, where I can see which particular job they're running, gives context to us on how the query is being run in the back end and how they are scheduling it.

If I don't have certain admin privileges, I might not be able to schedule my query. It will certainly give precedence to the admin account, and if I want to see great visibility into the search I'm doing, it will take a certain time.

Only after a certain privilege query is being run will it give precedence to my query. That is something where the distribution of resources can be separate. A separate tool can also be created for giving certain privileges to temporary users so that they can run their queries to find any threats or vulnerabilities. Also, not every query for admin needs to be run at certain privileges. It can be asked during the time of deploying whether this query requires a certain precedence.

Splunk already has specific definitions for finding threats. It can be through a network or a signature. They already have different kinds of internal assessments of how we're deploying use cases and how Splunk understands it. The same can be given to users because sometimes when we try to search for any threats, it gives precedence to other things. Even though the tool is good, it takes time to give us visibility because of the involvement of so many resources.

On the admin side, if I have certain privileges and everything is running fine, I have great visibility on understanding the use cases and deploying correlation between two different indexes to find any threat. That is great because I don't have to manually create ten use cases, where I can create five and cover both the indexes from which I want to get a query. If I want to search a user's active directory for the kind of privileges they have, I can only create a single use case and cover both.

I don't have to search for it on different use cases manually. Splunk gives great visibility into the dependents of both indexes' coverage in one field. It gives much more context. I can get output from both indexes and correlate what has happened in the user's environment much more quickly rather than using other tools.

Compared to other tools, Splunk Enterprise Security has helped us reduce the volume of alerts and visibility of fine-tuning because it provides many different aspects. I can reduce the volume of alerts by helping users. If they have certain kinds of IPs or exceptions to the rule, I can create a macro. If they have a list of things, they can directly include another macro to make it an exception.

I can create a local file, which is a very good thing for them. They can provide insight on the local file, and I can create a specific query if they want insights on that particular local file whenever something is happening. This useful feature that Splunk provides allows users to have visibility because these are the things users might have done manually on other tools.

Since some dependencies or add-ons for visibility are already inside Splunk, it gives a lot of insight into threats. It reduces threats and gives more context to what we are trying to search for. It automatically gives us a report rather than manually checking for every other field.

Compared to other tools, Splunk Enterprise Security gives context into the raw logs, which are present in my environment, and also what are the fields I'm trying to see. It gives visibility rather than showing all the empty fields, usually presented in other tools, whenever I open any alert.

There are certain fields that are empty and others that are filled. With Splunk Enterprise Security, I can directly check which particular fields I want to see. I don't have to manually go through the whole logs page and select whatever field I'm trying to see. That is a feature in Splunk for investigation purposes.

The time taken by our analyst to resolve alerts compared to other solutions is less. Other tools provide all the available fields, and a person has to decide which field they require for a particular use case.

In Splunk, you can directly point out all the necessary fields required for a particular query you are trying to run. Then, the user can easily assess which particular field they want to investigate more. This great feature from Splunk gives an analyst less time to wait for the alert and more time to do an analysis.

The recent CrowdStrike report reported that the majority of the cyber attacks are from active directories and from the carelessness of users through phishing emails. Even though the visibility needs to be there in cyber security, organizations still usually use SIEM tools, which are much cheaper. For such cheaper tools, they have to hire many analysts, and every analyst has to be on the same page to understand the context of what is going on in their environment.

If they already have a small team, they can do this work easily in Splunk. An organization needs to understand how complex their environment is. If their environment needs a certain kind of visibility, they need to go for a tool that serves their purpose of providing insight rather than going for the cheapest solution. Also, it will be much more beneficial for their hiring purposes. Relatively fewer people will be required if they can closely monitor Splunk and create queries. If certain users have already used Splunk, it will be great for them to deploy the solution.

Splunk provides much more insight concerning the closeness of understanding everything going on in their environment. A certain group of people can get the context of what is working in their environment and how they're approaching it. This is less of a hassle in other tools where every use case will be deployed irrespective of dependency on one use case.

One field or one endpoint solution will be different from an authentication tool, and they won't be correlating as such. We will have to do that manually and search for any similar field manually. Whereas in Splunk Enterprise Security, you can deploy it at once. So, less workforce will be required for deploying, understanding, and giving context to the users working on the environment inside their organization.

Our US customer has more than 15,000 to 20,000 devices deployed since it's a hospital. They have ingestion of data from every side from where logs can be ingested. Every employee working in the environment will be interacting with the internal sources. So, we see logs in every device, including laptops, desktops, medical devices, firewalls, and mobile devices. Usually, doctors get updates and visibility on their mobile devices. These mobile devices should not be attacked as they are the ones where the user data or the patient's data is exchanged very informally.

They have deployed specifically Armis to get visibility onto their network communication, which is a very good tool. They have invested in automating the resources, creating visibility onto their environment, and blocking certain communication. They can create specific playbooks with respect to it. It has given them a much more context. The same thing is not necessarily happening with other clients because they have deployed very few devices.

So, there was no complexity in understanding the environment as such. For them, Splunk provides the same insight as any other tool. For them, it's not serving the same purpose. For them, the deployment of use cases is good and not that complex. Besides that, Splunk is not serving this client's purpose because they already have fewer resources deployed. For them, Splunk does not provide any visibility or context that could not have been filled out with any other SIEM application.

I will certainly say that Splunk Enterprise Security is a great tool if you have the context and patience to learn it. It can also serve a great purpose of understanding the environment much more clearly and easily than other tools. Users will have to compare the pros and cons if they can afford it because it will be expensive for any organization.

Overall, I rate Splunk Enterprise Security an eight out of ten.

I use the solution in my company, and most of the use cases are security-specific. My company uses it to transfer from our detection engineering team to our incident response team. For observability, our company is looking for security events within the tool, and we are logging all the critical security infrastructure and security-relevant logs to a platform for security operations.

The tool has helped to streamline our company's mean time spent in understanding security-relevant events and mitigating those risks.

Some of the tool's best features are RBA and UBA. I also like the tool's single point-of-view dashboard for incident response. The case management area is one of its good features.

The tool has reduced the mean time needed to resolve. The reason is that the dashboard offers a single point of view, especially in areas where people aren't spread out. Our company is getting all the relevant data in there, and we are able to identify the problem instead of having to go to multiple tools or different interfaces.

It is very important for our organization that Splunk Enterprise Security provides end-to-end visibility into our environment. It is our company's way of understanding what is going on in our environment, and then it is our way of handling security events, relevant events, mitigating risk, understanding risk, quantifying risk, producing metrics, and everything else.

Splunk Enterprise Security provides our company with the relevant context to help guide your investigations. The tool has allowed us to gain better visibility and accuracy into security events.

The tool has helped our company improve the resiliency of our security operations. This is based on the fact that we don't have full adoption of the tool for all users in our organization, especially not Splunk Enterprise Security.

My company uses the tool for security operations, and we have built our security operations around Splunk based on what it can do and its performance.

I think Splunk is already improving its products. Some of the features that Splunk has been bringing out, like Splunk Attack Analyzer, while covering some of the other areas, like regulatory compliance and asset security, are good. It is just a matter of the customers being able to see the new features introduced by Splunk and get a demo to see if it makes sense for their work.

I already have Splunk Enterprise Security set up. My company is interested in seeing Splunk Attack Analyzer, and that is why we are dealing with Splunk's point of contact right now.

The area of concern revolves around the fact that Splunk is an expensive product. Splunk's expensive nature is an aspect where improvements are needed.

I have been using Splunk Enterprise Security for six to seven years.

It is a very stable solution. I never really had a hiccup with the tool. Even for migrations or anything, our company has never had to use Splunk's partners, and it has been a seamless process.

The tool's scalability has been good, but it depends on the organization and how Splunk is being adopted there.

The solution's technical support can be hit or miss, but it is mostly positive. I can't give you all the scenarios, but the one thing that I do like about Splunk is that if there ever is a hiccup, a simple phone call from our end can ensure that Splunk's technical team takes care of our problems. I rate the technical support a ten out of ten.

Positive

I have used many products in the past, but they were not in my present organization. It has been a long time since I used some products, as it was done back during my engineering days. I used to use HPE ArcSight. I have been through McAfee products, such as McAfee Nitro, back in the day. I have been an active Splunk business owner for almost a decade now.

The product's initial setup phase has been perfect since our company uses the cloud services offered by Splunk.

The solution is deployed on the cloud services offered by Splunk.

The reseller that my company gets in touch with to help with the implementation part is called GuidePoint Security. My company's experience with GuidePoint Security has been good.

I think that based on my experience in the organizations that I have been in with Splunk, the tool definitely fetches a return on investment because it allows us to streamline security-relevant events that we need to take care of quickly. Overall, the tool saves us from any impact on our finances and business.

Most of Splunk's customers are trying to find ways to keep the pricing from the ingest licensing model of Splunk down. What that comes down to is that we have to manage the platform. For our company, being a security enterprise and using it for security-relevant data allows us to streamline and control the ingest licensing model because we don't put in a lot of stuff in the tool. We have other things that we output to different data lakes. Splunk has always been on the expensive side.

The ease of deploying the tool, its great customer service, and the development you can do within the tool is very seamless, so I would recommend the product to my peers since it is a great solution.

I rate Splunk Enterprise Security a ten out of ten.

We use the solution for monitoring and detection and for threat hunting.

On the threat-hunting side, we can easily hunt down what we're looking for because Splunk's language parses the data coming in and allows us to utilize it to filter down through the data we need.

I very much enjoy Splunk's robust search nature, which enables me to find the data I want within the data I have. It's helpful for doing an investigation, whether that's an incident response or threat hunting.

It is important to our organization that Splunk Enterprise Security provides end-to-end visibility into our environment. That way, we can see where the data is throughout the entire process, depending on where we are in the incident.

Splunk Enterprise Security has helped improve our organization’s ability to ingest and normalize data.

Splunk Enterprise Security has, by far, the best search capabilities. It ties that into alerts and notables, allowing you to refine what you want to see in your data.

There's been a big push for SBC compute over the ingestion model, which will hamper us. We're trying to increase our search counts with things like risk-based alerting, and I think that change will hinder our process.

I have been using Splunk Enterprise Security for eight years.

Splunk Enterprise Security is a stable solution.

Splunk Enterprise Security is a scalable solution.

I think we recently switched to the SVC pricing compared to the ingest pricing. I don't know if that was the right move for us.

Overall, I rate the solution an eight out of ten.

I use Splunk for visualization, reporting, monitoring, log aggregation, and other security purposes. We gather various logs into one place and analyze them based on specific business use cases to get high-level insights that inform decision-making at every level of the organization. We also use it to aggregate other IT logs — not just security. 

Our organization is working in a massive on-prem environment. We're one of Splunk's oldest clients. It's convenient to migrate everything to the cloud, and we would have more flexibility. However, we currently have our resources and everything established to use Splunk on-premises, so we aren't switching to a cloud environment.

Splunk allows us to monitor logs and track suspicious activity in real time. With the help of the SOAR platform powered by AI and ML, we can respond quickly. Our security posture is better, and we can resolve security incidents quicker. Splunk has improved our visibility by providing critical security metrics in our dashboard and strengthened our security controls. 

The number of alerts we receive is similar to what we saw using our previous solution. While it hasn't necessarily reduced our alerts, Splunk is improving our resolution time and overall security.

I like Splunk's automated threat detection and orchestration capabilities. Splunk offers a single solution for analyzing, aggregating, correlating, monitoring, reporting, visualizing, etc. You can get all of these capabilities in one place. On top of that, it provides a cloud, testing, on-premise, and hybrid solution, giving customers more flexibility for their use cases. 

Splunk's real-time monitoring is one of its best features.  The user interface gives you a single dashboard to directly view all the high-level information. The security incident monitoring and investigation page is also very helpful. You can document an investigation step by step. Many investigators can work on a single incident also based on their shifts. Everyone can add notes on the investigation page. 

The incident response features are based on real-time data. The monitoring team can immediately take over an incident and prioritize tasks based on risk scores. We can assign multiple technicians to one security incident based on their skill, improving resolution time.  The incident review dashboard provides many useful details, like the indicators of compromise and risk scores.

We can get threat intelligence from multiple platforms, including the latest known IOCs, to support our response to security incidents. We store the threat data from various sources in a centralized place, and it updates every six to 12 hours. 

The MITRE ATT&CK framework feature is helpful for understanding which phase an incident is in and what the next steps are so a technician can prevent it from progressing. It gives us a detailed overview of other tactics it might be associated with, enabling us to stay vigilant. We can correlate with other simultaneous or sequential incidents and take action to strengthen our security based on these incidents.

We've sometimes faced issues with upgrades. The incident review dashboard sometimes breaks after updates. When we add a space or something in the description or anywhere in the SQL, the drill-down value may be reset with a blank value. Before rolling out any software, they should test it thoroughly and ensure clients won't have issues with the upgraded version. It should be compatible with all or most of the apps. All major issues must be addressed before rolling out the upgrade.

I have used Splunk for eight or nine years. 

I rate Splunk nine out of 10 for stability. 

I rate Splunk eight out of 10 for scalability. Scalability is always a challenge. The larger your environment, the more issues you'll have. There aren't many problems with Splunk on the cloud, but scaling can be challenging in an on-prem environment. If you're ingesting a significant volume of data, you need a proper maintenance routine to maintain your base architecture. Sometimes, it's a bucket application. It can take a few hours to reset those things, and network issues might contribute to that. 

I rate Splunk support eight out of 10. It varies based on your data volume and number of licenses. 

Positive

I have used several solutions for different clients, including QRadar, Palantir, and Microsoft Sentinel. Splunk has more capabilities than QRadar. It's also more flexible and user-friendly. You can modify and customize the solution to show you the information you want.

The deployment depends on the environment. It may take only a couple of weeks to deploy Splunk in a small environment, but a larger environment involves a detailed process that may take months. It helps to have a larger staff. It also depends on how process-oriented an organization is. Some organizations will take much more time in the planning and design phase. 

After deployment, Splunk requires a good deal of maintenance, depending on the volume of data you're ingesting and your user base. It may require multiple resources to manage this environment. 

Splunk improves our security controls, resolution time, and threat-handling capabilities. We're saving time and resources, meaning more money for our clients. 

I don't know about Splunk's pricing because I work on the technical side, but I know it is a costly platform. There are cheaper products and some open-source ones, but Splunk costs a lot because of the features it provides. Still, the pricing is a concern for many of my clients, and more would use Splunk if they lowered the cost a bit. 

I rate Splunk Enterprise Security nine out of 10. I would recommend Splunk because it covers multiple services in one place. It also has a strong developer community. You can easily get help from community support. Splunk is a versatile product that competes well with leading security tools like Microsoft Sentinel.

We use Splunk Enterprise Security as the main SIEM system for our operation center. We use it for monitoring detection, and alert management.

We implemented Splunk Enterprise Security to help detect attacks on our network.

Splunk Enterprise Security is highly flexible, allowing us to create whatever we desire. This exemplifies its inherent power. The visibility it offers is notably robust. We can craft it to our needs and even utilize various frameworks within Splunk, prepackaged for security purposes. We possess distinct applications hosting diverse dashboards, catering to numerous security products, including those from different vendors.

The effectiveness of Splunk Enterprise Security insider threat detection capabilities, aimed at identifying unfamiliar threats, relies on whether we establish alerts based on the rules we formulate. If we construct rules incorporating user behavior criteria, the system functions optimally. It appears that there is an Extended User and Entity Behavior Analytics add-on available, which requires a separate license in addition to the enterprise security license. This add-on utilizes machine learning and encompasses multiple developed use cases. While it has limitations, it effectively serves the specific use cases it is designed for.

The threat intelligence framework within Splunk is also highly potent. We can ingest, link, and integrate external data feeds. Concerning IOCs, there are numerous pre-configured alerts within the system that rely on a feed of undesirable IPs. If one of these IPs triggers any of the alerts, such as those generated by our firewall's traffic logs, and the IP matches the bad IPs in the threat intelligence feed, the system correlates this information. If the flagged IP is detected within our network or appears in our firewall logs, an automatic alert is generated. We simply need to ingest the external feed. Subsequently, if the system identifies the IP anywhere, we will receive corresponding alerts.

I appreciate the new MITRE ATT&CK feature. I believe it's a valuable addition and reasonably priced. It seems the feature has been largely developed through marketing efforts, utilizing the capabilities of Splunk to display the MITRE ATT&CK map and the associated rules. This is important since MITRE ATT&CK encompasses over a hundred techniques. It presents the information to us based on the MITRE ATT&CK framework to illustrate ongoing activities. However, achieving a comprehensive understanding of each technique within the MITRE ATT&CK framework requires significant effort and adjustments.

Splunk Enterprise Security has enhanced our organization by offering increased visibility. If any adverse incidents occur, we are promptly informed. Even without configuring the custom rules, Splunk provides effective out-of-the-box rules that help prevent attacks. Consequently, it effectively halts these attacks. In fact, we have been able to detect and thwart potential attacks in their initial stages. This exemplifies the benefits it provides us.

Splunk Enterprise Security has helped to speed up our security investigations. We are now able to complete our investigations within three or four days. 

The most valuable features include agility and Splunk Enterprise Security's ability to quickly search for alerted items, as well as the capacity to create custom alerts using the SQL language employed by Splunk. This makes it a highly potent and versatile solution tailored to both user and company needs.

Splunk could enhance its services by providing more comprehensive professional assistance aimed at optimizing our investment. This aspect seems lacking as our expenses increase with higher data connectivity, seemingly without much consideration, as this translates to increased revenue for them. The challenge lies in the fact that we don't always require all the amassed data. Oftentimes, clients are uncertain about their actual data needs. Therefore, if Splunk integrated a service dedicated to system optimization and pricing, focusing on essential monitoring data while eliminating less crucial elements, it could potentially lead to cost savings for the customers. This strategic move would demonstrate their commitment to customers beyond just financial gain. It would highlight their genuine intention to provide support, streamline operations, and maximize the potential of this technology for individuals and their respective companies.

Splunk provides automation for large-scale environments where numerous servers are present. Consequently, efficient management of these servers becomes imperative. Currently, our management server operates using a top-down approach. This involves establishing connections from the main management server to every individual leaf and subsequently, to each lower-level server.

However, this architecture lacks inherent security measures. In the current setup, Splunk employs multiple collectors to gather data. Subsequently, this data is relayed upward, filtered, and then once again transmitted to the main management server. Notably, data traffic consistently flows from external sources toward the central management hub. This design enhances security, as even if a hacker were to compromise or gain control of the management server, their influence would be limited. The data originates externally and travels inwards, preventing unauthorized access to the entire system. 

In contrast, the proposed approach for managing extensive infrastructures situates the management hub at the core. This central position allows us to establish connections from the hub to the various peripheral components, even if they are located on a secure network. However, this configuration carries significant risks. A security breach at the central hub could potentially grant an attacker elevated permissions. This would enable them to compromise the entire network by gaining access to all Splunk nodes within the company. This architecture is vulnerable and has room for improvement.

I have been using Splunk Enterprise Security for four years.

I would rate Splunk Enterprise Security's stability a seven out of ten. This is because the system lacks built-in protection against certain issues. It alerts us when there are problems in the system, which we then need to address. However, these issues are not always easily fixable, setting it apart from other systems. For instance, sometimes the system slows down while we're working. This can occur when a new alert is implemented, leading to high resource usage and system instability. We are then required to identify and rectify the specific cause of this problem. This might involve disabling or adjusting the alert to ensure it doesn't negatively impact the system's performance.

Splunk Enterprise Security's ability to scale is good. I rate the scalability an eight out of ten.

The technical support is good.

Positive

Previously, I used QRadar, McAfee, and ArcSight. However, Splunk Enterprise Security is a more modern solution. While ArcSight from HP is powerful, it is an older system with limited flexibility and complex architecture. Many companies implemented SIEM systems before Splunk became available. It seems that most large companies might still be using ArcSight, but other competitors have entered the market since then.

McAfee attempted to develop a similar system, but it lacked scalability and was better suited for small businesses rather than larger enterprises. QRadar, on the other hand, remains robust, but it lacks Splunk's flexibility. One of Splunk's notable advantages is its ability to generate alerts and then allow users to enter searches and queries to investigate network activities and log data. This process, known as threat hunting, enables users to conduct specific searches, such as identifying individuals who accessed a particular system and the internet between four and five o'clock on a Friday. Splunk promptly provides the desired results, typically within a few minutes, making it a strong choice for this purpose. Additionally, Splunk Enterprise Security features a highly effective filtering mechanism.

I participated in the planning and implementation of Splunk Enterprise Security, as well as the creation of all rulesets and alerts. I am also configuring it to align with our technical framework.

Individuals who market Splunk Enterprise Security often claim that it can be deployed within half a day, which is quite amusing. While it is conceivable to perform the installation in that timeframe, the real complexity arises when we must establish connections with numerous systems. This involves accessing each system external to our main setup, configuring it, and directing the system to send its logs to Splunk. On the Splunk side, we encounter the need to create parsing mechanisms that allow proper data reading. This entails installing applications capable of correctly parsing the data, and addressing issues where parsing is inadequate. We then proceed to work with the data. Although Splunk provides some pre-configured rules, we also need to develop our own rules to identify specific events and potential attacks. The process of rule creation demands a substantial investment in writing rule sets. Additionally, integrating a threat intelligence framework becomes essential. We aspire to leverage the micro-framework we have established. Splunk Enterprise Security undeniably possesses considerable capabilities. Nevertheless, it necessitates continuous effort to unlock its full potential and achieve ongoing enhancements.

The solution's complete implementation may require up to one year. Throughout most of the deployment, we had a team of two members, occasionally expanding to three.

For the implementation, we used two integrators and Splunk Professional Services.

Considering the fact that Splunk Enterprise Security aids in thwarting attackers from gaining access to our environment, I would correlate this with a return on investment.

Splunk Enterprise Security's pricing is high. Larger companies may afford it, but I believe that in the current market situation, where everyone is facing challenges, financial resources are tight. Even stock market tech companies are embracing cost-saving measures. Expenses are now more constrained compared to a few years ago when companies had greater spending capacity. Companies are reluctant to make hefty payments. While Splunk is cheaper than Microsoft Sentinel, QRadar is priced at half the cost of Splunk.

Splunk Enterprise Security's licensing is typically determined by the data throughput we handle. Additionally, they offer an alternative pricing model which involves payment based on CPU usage. This newer model was introduced as a response to Elastic Security. However, Splunk enforces licensing in either scenario. 

I rate Splunk Enterprise Security a nine out of ten.

We do not monitor the cloud environments with Splunk. While we have several cloud environments, we avoid using Splunk for this purpose due to its high cost. To utilize Splunk, it would be necessary to place the Splunk engine in the cloud and gather all the logs from various cloud sources, resulting in substantial expenses due to the large volume of logs. As a result, our primary usage of Splunk is on-premise. Instead, we employ different systems to monitor the cloud, generating alerts through various security mechanisms. These alerts are then processed in Splunk, reducing both data traffic and costs.

Splunk Enterprise Security's capabilities to analyze malicious activities and detect breaches are similar to those of other systems. Its effectiveness depends on the rules we develop within it. To truly maximize its value and tailor it to the organization's needs, a significant amount of additional work and utilization of professional services are required.

The reduction of the alert volume presents a challenge due to the X number of personnel in the security alert center. They can effectively handle only Y alerts per day without experiencing fatigue. When the volume surpasses this limit, they tend to merely open and close alerts without thorough investigation. It's as if they've become weary of the process. Therefore, we must determine the optimal number of alerts per day and adjust the rules accordingly. The primary objective is to achieve a statistically reasonable number of alerts per day. This number should be somewhat higher than the current rate, but not three times greater, as exceeding this threshold would render their efforts ineffective. Conversely, if the number of alerts is too high, the personnel's capacity to take action is undermined, resulting in a lack of meaningful outcomes. Striking a balanced middle ground is imperative. This approach enables us to effectively identify and address crucial matters while ensuring our personnel can thoroughly investigate each alert.

Depending on the goals an organization aims to achieve, if their sole focus is on finding the most economical solution and they do not prioritize comprehensiveness, then QRadar would suffice. However, if they seek instant access to answers, I would recommend Splunk Enterprise Security.

Splunk Enterprise Security is deployed across our entire network.

Maintenance is necessary for the system, and updates are needed periodically. Whenever we acquire a new system, we must connect it to Splunk.

Resilience constitutes a crucial component of Splunk Enterprise Security, contributing significantly to the safeguarding of our system.

I recommend Splunk Enterprise Security for organizations that have the budget, time, and skill to properly utilize the solution. I do recommend paying for Splunk Professional Services.

Being in an air-gapped environment, we pretty much look for insider threats and other notables related to improper configurations and against security best practices.

We are 100% on-prem and in an air-gapped environment, so there is no Internet connection.

There have been some improvements, especially related to centering. We added user behavioral analytics, so it imports everything. Any threat generated inside of that goes into Enterprise Security. I wish anomalies would go in there, but I can understand why they don't, as it generates so many anomalies. However, it would be nice if I could select certain anomalies that would be helpful with notables. This way, I can track down security events before they become threats.

I believe Splunk Enterprise Security has reduced our mean time to resolve, but we do not have any definitive timing metrics.

Splunk has helped improve our organization’s business resilience because it is a central location where correlation searches populate. We can easily track down and figure out where issues lie, which minimizes the time of my SOC team. It probably saves them a couple of hours considering it is colocating everything in one location. It would be nice if there were better ways to search for the data. We can take a look at the raw logs, but we should be able to find the actual event that caused the problem and see all the logs associated with it in a standard log format as opposed to just a text file with all the events added in.

We are a small environment, so we do not get a lot of alerts. We work on the issues as we get them and I am sure it saves a couple of hours.

In terms of its ability to predict, identify, and solve problems in real-time, it works really well when you are connected to the Internet. The predictive analysis is more cloud-based. Trying to find ways to do it on-prem in an air-gapped environment with no Internet connection can be a pain. There are some ways to do risk-based analysis, but we are still hamstrung because we do not have the Internet connection and the larger data sets that they have.

Internal tracking is helpful because we do not like to deal with multiple ticketing systems, and I am not a fan of ServiceNow. We are able to keep everything internal and utilize Enterprise Security. Internal ticketing is helpful because we can bring in all the data and have it all available. That way, we can go back and take a look at it if we find another situation. We do not have to utilize other ticketing systems for cybersecurity.

Its interface and usability can always be improved. We are running on the last version, so I have not checked out how the newest one looks. Currently, we have to track down and remember where things are located. We have new guys on the team, and sometimes they have to click around and figure out where things are.

We have been using Splunk Enterprise Security for about five years.

The solution is not going anywhere. As long as they continue to support and develop it, and not make it a cloud solution, we will continue to purchase it.

We have a total of 500 devices, and we ingest around 150 gigs a day.

The scalability is pretty easy. They recently enabled it to be able to go into a search head cluster. Previously, the only way to install this was on its own dedicated search and it could not be connected to a cluster. Over the last four or five years, they have been pushing harder and harder for clustering everything up for shared resources. Enterprise Security is one of the few apps where you were not allowed to do that. Having scalability with the search head cluster is nice, and it is one thing I am looking at implementing in the future.

Splunk's support is pretty good. I contacted Splunk's support a couple of times. In total, they are helpful, and we are able to get the support where we need it, but unfortunately, it is self-inflicted because we are air-gapped. It takes me anywhere between 45 minutes to an hour and a half to get the logs required. I need to get them sanitized, approved, and transferred over so that I can get them to Splunk. I would rate them a nine out of ten because a couple of times, I found the answer before they did.

They have the best documentation in all of the tech sector, and it is not behind a paywall where you cannot find information. There is certain information in Splunk Knowledge Base under the support page that I believe should be searchable through Google.

Positive

The return on investment is very good because, with ELA, we purchased the products at a reasonable price. We did not have to pay significantly more for licensing than we could possibly use. We were able to combine and get it at a much lower cost point.

In terms of the time to value, it took us a couple of months to get used to the interface and get people trained. Unfortunately, we had some turnover during that time, so we had to constantly retrain or train new people. The newer versions of Enterprise Security that came along made things a little bit easier. Luckily, we had some free training provided to us because we have an enterprise license agreement.

Luckily, we come under a large federal agency, and before the pandemic, they signed a large enterprise license agreement. It worked out great and to our advantage because we are a small organization. We got a 300 gig license, and we just did not have the buying power to be able to get products cheaply. Because we all partnered together under the agency umbrella, we were able to get Splunk Enterprise Security, UBA, and ITSI for cheap. This was good considering the fact that some of these premium apps require a minimum number of users, and we do not have the number of people needed to even justify buying it.

I would rate Splunk Enterprise Security a seven out of ten. There is definitely some room for improvement. I have not installed the newer version. Once I get into it, I will see what new capabilities there are, but there is a decent lift that is needed for the setup. Professional services help with that, but the customer generally does not like paying for that more than once.

Because of the ELA, I am able to come to Splunk conferences for free instead of having to pay my own dime. That helps tremendously, especially considering the fact that education is included. I believe that is because of the enterprise license agreement with the government contract. That helps out a lot. I have been coming to conferences since 2017. There are a lot of good people and a great community.