Splunk Enterprise Security Reviews

There are lots of use cases such as finding threats, attack factors, and logs. It helps with rogue DNS or brute force attack detection. We have logs related to why a particular account was created. There is alerting. We can get some false positives, but by fine-tuning some of the things, we can reduce false positives.

Splunk is a security monitoring tool. It helps with incident handling, data logging, and observability of metrics. Splunk can handle all these things. Splunk Enterprise security is a premium app of Splunk through which we can have all the threat intelligence and incident reviews. It helps in finding all the attacks and Advanced Persistent Threats (APTs).

We also have dashboards. We can collect logs from different sources and applications. We can also troubleshoot issues. If we are having any issues with an application, we can go to that particular index to see what is the cause. If any application is failing or giving an error, we can troubleshoot the issue. We do not have to log into the server to find the error.

We monitor multiple cloud environments. We have GCP, Azure, and AWS. It is easy to monitor multiple cloud environments using the Splunk Enterprise Security dashboards. Splunk releases inbuilt apps, so by using those apps and add-ons, we can integrate it with our cloud environments. For example, for Azure, they have a Microsoft Cloud Services add-on. We need to register the app in Azure, and after registering the app, we have to use the tenant ID and set it up. There are a lot of inputs, and we can use all those inputs to onboard different logs from Azure. There is also the capability for HTTP event collection.

We have a hybrid environment, and that works best for us. For a lot of things, we cannot just go fully cloud. Hybrid is the best option for us. We are happy with the visibility that Splunk Enterprise Security provides. It is also about how we configure things. If we do not do it in the right way, we will not get visibility. We have to know what kind of tools we are using and what kind of data we are pulling. We cannot pull everything. We have to know what to pull. If we pull only what is required, we would not have any problems.

Splunk Enterprise Security comes with MITRE ATT&CK and Cyber Kill Chain frameworks by default. There are 12 processes in the MITRE ATT&CK framework. We just have to onboard logs, create the data models, and assign those ATPs to monitor all the kill chains. We can monitor all attack vectors and persistent threats that we want to monitor.

Splunk Enterprise Security is good for analyzing malicious activities and detecting breaches. I would rate it a 9 out of 10 for that. It can also go to 10 for different clients based on different requirements.

Along with Splunk Enterprise Security, we also install another Splunk app that has all the threat intelligence. We then feed the data through a CSV file and create the use cases. We set up alerts for those. In the case of an event, an alert is generated and assigned to a particular SOC analyst. There can be some false positives, but with proper configuration and filtering, they can be reduced.

Splunk Enterprise Security has been very beneficial and valuable for us. Our application teams can use the indexes to troubleshoot the issues they are facing at their location.

Being able to ingest data from all the tools and all the apps being used in the environment is valuable. Being able to create alerts when, for example, the CPU usage reaches 95% is also valuable. We can set up alerts and proactively fix the issues. Splunk helps with all these things, and Splunk Enterprise Security has almost 2,000 use cases. It follows MITRE ATT&CK and Cyber Kill Chain frameworks. There are certain notable events for which we can configure our security posture. We can onboard all the logs through indexes and create dashboards to view what is going on in the environment.

Overall, it is pretty good. They are improving it every day. They recently released SC4S for onboarding syslog data. However, the support and the pricing can be better.

It has been 8 years since I have been using Splunk. I am not a part of the core security team. I handle some parts of enterprise security, such as SIEM data models or the creation of some correlation searches and use cases. The majority of things, such as threat hunting or threat intelligence, are managed by our core security team.

We faced some issues, but we fixed them ourselves. We have around 10,000 knowledge objects running. All the knowledge objects should not be running all the time. They should be distributed over 24 hours so that the servers do not have any extra pressure at a particular time. We used to have an issue with our indexes going down. The CPU was being utilized 100%, and everything was getting stopped. We found the issue. We fixed that, and we are good now.

It is pretty easy to scale. For Splunk Cloud, we log a ticket with Splunk support, and they start the process. It does not take much time. However, there is a cost involved in that. 

We have been ingesting 40 TB a day. We have three locations: The USA, the UK, and France.

The SLA for Splunk Cloud support is not satisfactory for a customer. The turnaround time is a bit low. That should be fixed. I would rate their support a 9 out of 10.

Positive

I have not used any similar solution in my current organization.

In my previous organizations, I have used solutions such as Elk, IBM QRadar, and Microsoft Sentinel. Microsoft Sentinel is good. Splunk is better than QRadar. Splunk has a lot of capabilities. It makes it easier to do many things and do them correctly. It does not require as much effort as required in IBM QRadar and Microsoft Sentinel.

Splunk is a bit costly, but if we control our usage during our searches, its cost is okay. When not controlled, it becomes a bit costly.

To those evaluating Splunk and solutions, I would advise knowing the features they would be getting. Elk is open source, but there is an underlying cost of infrastructure. The cost almost becomes the same. You have to hire people who can work on Elk and then you have the underlying infrastructure cost.

We were on-premises, but we recently moved to Splunk Cloud. We have been using Victoria for the last eight months. When going from on-premises to Splunk Cloud, Splunk recommends engaging professional services. 

The migration was done by Splunk. For administration and maintenance, we have about eight people, but the number of users in the environment would be in the thousands.

The maintenance of Splunk Cloud is taken care of by Splunk. Customers do not manage the clusters. With the on-prem setup, we have to patch the servers, upgrade the servers, or restart them from time to time so that the rebalancing of the buckets happens properly. In Splunk Cloud, we do not have to do these things. We only take care of the data normalization part. All other things are managed by Splunk.

It does provide a return on investment.

It is a bit costly.

Be clear about what you want and try to filter out as much as possible. Create role-based rules and assign them to users rather than assigning every role capability to all the users. Also, everyone should not have access to all indexes. Only certain people should have access. For example, if someone is from the AD team, he or she should have access to the particular index logging the AD logs. They should not have access to all of it. There should also be some kind of training before you give access to people so that they know which searches to use and which ones not to use. They should understand the impact of various things.

I would rate Splunk Enterprise Security a 9 out of 10 based on my experience and the work that I do with the core security team. They are pretty satisfied with it.

I mostly use the solution in my company for incident response, ticket management, and integration with other endpoint products.

The benefits my company has seen from the use of Splunk Enterprise Security revolve around the speed of detection it offers.

The most valuable feature of the solution is the correlation searches. The one-stop shop shows me all my insights, and alerts, and can send alerts to my analysts.

I would say it is fairly important for my organization that Splunk Enterprise Security provides end-to-end visibility in our environment. At the same time, my company has other products that cover the observability piece. From a security perspective, we use data outside of our security data to piece together the whole picture. I think our company's perspective is that no matter how we get the whole picture, we will do it, even if it is from outside Splunk Enterprise Security. I think Splunk Enterprise Security plays a major role in this.

In terms of Splunk Enterprise Security for helping our company find any security event across multi-cloud, on-premises, or hybrid environments, I would say that it is great once you get past the learning curve. The learning curve is higher than normal.

I think Splunk Enterprise Security has helped improve our organization's ability to ingest and normalize data in a great manner. Splunk is a great product and provides these features, but not so much when it comes to identifying and solving problems in real-time because there are always data delays. There is always onboarding, mapping, creation of correlation search, and then enabling Splunk ESCU part. It works in a general sense and not on a real-time basis.

In terms of whether Splunk Enterprise Security has helped reduce alert volume, I would say that it is the only active SIEM tool my company is currently utilizing. Reducing alert volumes involves tuning up certain areas of the engineering team. If I look at the product alone, I would say it can help reduce alert volume. If I consider the learning curve, I would say that you have to learn how to tune it the right way with the help of professional services or experts. You need to utilize your resources, which I think is the best way to do it.

Splunk Enterprise Security provides our company with relevant context to help guide our investigations since the correlation searches with the enriched data do help gain insights on all of our investigations. At the current point, we are still trying to get past the tool's learning curve so that all of our analysts and everyone on the security team can utilize the tool the best way they can. The more they learn, the better it gets, so currently, we are doing our best.

Splunk Enterprise Security helped reduce the meantime needed to resolve our issues because we have all our data in a centralized location and mapped to a data model. As long as we know what detection and data we are looking at, we can go to our data model and figure out where the issue lies.

Splunk Enterprise Security's ability to help improve our organization's business resilience revolves more around observability. Our company recently migrated to Splunk Cloud, and I think we have more hands-on experience with the ingestion side than ever before. I think it is a lot easier for us since we moved to Splunk Cloud as we don't have to focus on maintaining the infrastructure so much, and we can focus more on the data. I think this is outside of Splunk Enterprise Security's scope and falls under Splunk Cloud's capacity.

Speaking about Splunk's unified platform helping consolidate networking, security, and IT observability tools, I would say that my company is not there yet.

In the next release, I want Splunk to offer more openness to integrations with other products that may be more of a preference for my incident response teams.

I have been using Splunk Enterprise Security for five years. I am an end-user.

In terms of stability, if configured correctly, it works great.

With Splunk Cloud, I think using the tool's scalability feature is easy since one can just call the product's support team.

The solution's technical support is great since they have been very responsive and very attentive while answering all my questions. If the support team can't answer my questions, they escalate it to their engineering team. 

I have had nothing but good things to say about Splunk's technical team. There have been times when I had to rephrase my questions or when there were communication issues, but the time to respond, escalation, and the attempts in trying to find help and answers from the support team's end have always been great. 

I think the only thing lacking is that there are some answers that I couldn't find about the tool without reaching out to support, and it had to be escalated to the engineering team. If this process is the only way I can find answers, I think it is a little bit limiting for an engineer who supports a real-time incident response team. I rate the technical support a nine and a half out of ten.

Positive

I have personally not used any other product before Splunk Enterprise Security.

The product's deployment phase was pretty easy to manage since our company has a migration team and support staff. We also had a really good project manager from Splunk to help us, who walked us through every step, and it was a great experience.

The solution is deployed on Splunk Cloud, which runs on AWS.

My company works with Splunk directly to help us with the implementation, and our experience with the product has been great.

I have not seen an ROI.

The pricing model is great. You can choose between workloads or volume. I am not part of the conversation about pricing in my organization. I just know what I know about the tool from learning about Splunk.

I rate the tool a ten out of ten.

We use Splunk Enterprise Security as our SIEM solution.

The log sources are in multiple cloud environments, but the deployment of Splunk is on-premises.

Monitoring our AWS and Azure cloud environments with Splunk Enterprise Security is easy.

The visibility into multiple cloud environments is good. We have complete visibility because we integrate all our logs and sources into Splunk.

Splunk Enterprise Security's insider threat detection capabilities module runs on the backend and provides complete visibility into anomalous behavior and zero-day attacks.

The threat intelligence management feature is a necessary tool in our environment. The actionable intelligence provided by the threat intelligence management feature is helpful. We can see the IoC to help with our investigation.

Splunk Enterprise Security does a good job analyzing malicious activities and detecting breaches.

Splunk Enterprise Security helps us detect threats faster.

Splunk Enterprise Security helps reduce our alert volume by whitelisting the false positives.

Splunk Enterprise Security has helped speed up our security investigations. Splunk uses user-friendly language and visibility to speed up our investigation times.

Splunk offers significant time savings for analysts compared to tools like Azure Sentinel, with analysts resolving alerts 30-40 percent faster. Additionally, Splunk's user-friendly dashboards simplify administration.  

Splunk Enterprise Security's value lies in its ability to collect and analyze security logs, providing insightful dashboards.

Splunk's high cost, despite its recognition in our region, prevents many organizations from adopting Splunk Enterprise Security, suggesting there's room for improvement in their pricing strategy. 

I have been using Splunk Enterprise Security for six months.

Splunk Enterprise Security is stable.

Splunk Enterprise Security is designed for easy scaling.

Our organization is expanding our clusters day by day.

The technical support is collaborative. We do receive a response within the appropriate time.

Positive

While I have experience with Azure Sentinel and other SIEM tools, Splunk stands out for me. It provides a full SIEM experience with informative dashboards, clear language for easy analysis, comprehensive visibility across my systems, and a robust CIM for data organization.

The initial deployment was technical but not overly complex. We faced difficulties with the log process going down and not getting the results in the client console. The overall deployment took around three hours to complete.

Three people were involved in the deployment. 

The implementation was completed in-house.

Splunk differs from other SIEM solutions by using a gigabyte-based pricing model, rather than the agent-based licenses common with its competitors.

While Splunk Enterprise Security carries a higher cost and requires budgeting, cheaper SIEM, and open-source alternatives often have limitations. This makes the decision a matter of weighing the cost against the features most important to each organization's security needs.

I would rate Splunk Enterprise Security nine out of ten.

On paper, Splunk Enterprise Security is the top solution for detecting security threats in any organization, but Splunk Enterprise Security is expensive and most organizations don't have a proper budget to implement a SIEM solution. So they look for a more reasonable cost-effective solution. This is a hurdle for implementing Splunk Enterprise Security. It was originally designed for data science and modified for security. It is a top tool for SIEM and data analytics.

Splunk Enterprise Security stands out for its threat detection capabilities, but its cost can be a barrier for many organizations. Originally designed for data science, it excels in both security and analytics, but its price tag often pushes businesses towards more budget-friendly SIEM solutions.

Splunk Enterprise Security offers good resilience for our customers.

For organizations that don't have the budget for Splunk Enterprise Security, I would recommend Azure Sentinel.

We use Splunk Enterprise Security as the main SIEM system for our operation center. We use it for monitoring detection, and alert management.

We implemented Splunk Enterprise Security to help detect attacks on our network.

Splunk Enterprise Security is highly flexible, allowing us to create whatever we desire. This exemplifies its inherent power. The visibility it offers is notably robust. We can craft it to our needs and even utilize various frameworks within Splunk, prepackaged for security purposes. We possess distinct applications hosting diverse dashboards, catering to numerous security products, including those from different vendors.

The effectiveness of Splunk Enterprise Security insider threat detection capabilities, aimed at identifying unfamiliar threats, relies on whether we establish alerts based on the rules we formulate. If we construct rules incorporating user behavior criteria, the system functions optimally. It appears that there is an Extended User and Entity Behavior Analytics add-on available, which requires a separate license in addition to the enterprise security license. This add-on utilizes machine learning and encompasses multiple developed use cases. While it has limitations, it effectively serves the specific use cases it is designed for.

The threat intelligence framework within Splunk is also highly potent. We can ingest, link, and integrate external data feeds. Concerning IOCs, there are numerous pre-configured alerts within the system that rely on a feed of undesirable IPs. If one of these IPs triggers any of the alerts, such as those generated by our firewall's traffic logs, and the IP matches the bad IPs in the threat intelligence feed, the system correlates this information. If the flagged IP is detected within our network or appears in our firewall logs, an automatic alert is generated. We simply need to ingest the external feed. Subsequently, if the system identifies the IP anywhere, we will receive corresponding alerts.

I appreciate the new MITRE ATT&CK feature. I believe it's a valuable addition and reasonably priced. It seems the feature has been largely developed through marketing efforts, utilizing the capabilities of Splunk to display the MITRE ATT&CK map and the associated rules. This is important since MITRE ATT&CK encompasses over a hundred techniques. It presents the information to us based on the MITRE ATT&CK framework to illustrate ongoing activities. However, achieving a comprehensive understanding of each technique within the MITRE ATT&CK framework requires significant effort and adjustments.

Splunk Enterprise Security has enhanced our organization by offering increased visibility. If any adverse incidents occur, we are promptly informed. Even without configuring the custom rules, Splunk provides effective out-of-the-box rules that help prevent attacks. Consequently, it effectively halts these attacks. In fact, we have been able to detect and thwart potential attacks in their initial stages. This exemplifies the benefits it provides us.

Splunk Enterprise Security has helped to speed up our security investigations. We are now able to complete our investigations within three or four days. 

The most valuable features include agility and Splunk Enterprise Security's ability to quickly search for alerted items, as well as the capacity to create custom alerts using the SQL language employed by Splunk. This makes it a highly potent and versatile solution tailored to both user and company needs.

Splunk could enhance its services by providing more comprehensive professional assistance aimed at optimizing our investment. This aspect seems lacking as our expenses increase with higher data connectivity, seemingly without much consideration, as this translates to increased revenue for them. The challenge lies in the fact that we don't always require all the amassed data. Oftentimes, clients are uncertain about their actual data needs. Therefore, if Splunk integrated a service dedicated to system optimization and pricing, focusing on essential monitoring data while eliminating less crucial elements, it could potentially lead to cost savings for the customers. This strategic move would demonstrate their commitment to customers beyond just financial gain. It would highlight their genuine intention to provide support, streamline operations, and maximize the potential of this technology for individuals and their respective companies.

Splunk provides automation for large-scale environments where numerous servers are present. Consequently, efficient management of these servers becomes imperative. Currently, our management server operates using a top-down approach. This involves establishing connections from the main management server to every individual leaf and subsequently, to each lower-level server.

However, this architecture lacks inherent security measures. In the current setup, Splunk employs multiple collectors to gather data. Subsequently, this data is relayed upward, filtered, and then once again transmitted to the main management server. Notably, data traffic consistently flows from external sources toward the central management hub. This design enhances security, as even if a hacker were to compromise or gain control of the management server, their influence would be limited. The data originates externally and travels inwards, preventing unauthorized access to the entire system. 

In contrast, the proposed approach for managing extensive infrastructures situates the management hub at the core. This central position allows us to establish connections from the hub to the various peripheral components, even if they are located on a secure network. However, this configuration carries significant risks. A security breach at the central hub could potentially grant an attacker elevated permissions. This would enable them to compromise the entire network by gaining access to all Splunk nodes within the company. This architecture is vulnerable and has room for improvement.

I have been using Splunk Enterprise Security for four years.

I would rate Splunk Enterprise Security's stability a seven out of ten. This is because the system lacks built-in protection against certain issues. It alerts us when there are problems in the system, which we then need to address. However, these issues are not always easily fixable, setting it apart from other systems. For instance, sometimes the system slows down while we're working. This can occur when a new alert is implemented, leading to high resource usage and system instability. We are then required to identify and rectify the specific cause of this problem. This might involve disabling or adjusting the alert to ensure it doesn't negatively impact the system's performance.

Splunk Enterprise Security's ability to scale is good. I rate the scalability an eight out of ten.

The technical support is good.

Positive

Previously, I used QRadar, McAfee, and ArcSight. However, Splunk Enterprise Security is a more modern solution. While ArcSight from HP is powerful, it is an older system with limited flexibility and complex architecture. Many companies implemented SIEM systems before Splunk became available. It seems that most large companies might still be using ArcSight, but other competitors have entered the market since then.

McAfee attempted to develop a similar system, but it lacked scalability and was better suited for small businesses rather than larger enterprises. QRadar, on the other hand, remains robust, but it lacks Splunk's flexibility. One of Splunk's notable advantages is its ability to generate alerts and then allow users to enter searches and queries to investigate network activities and log data. This process, known as threat hunting, enables users to conduct specific searches, such as identifying individuals who accessed a particular system and the internet between four and five o'clock on a Friday. Splunk promptly provides the desired results, typically within a few minutes, making it a strong choice for this purpose. Additionally, Splunk Enterprise Security features a highly effective filtering mechanism.

I participated in the planning and implementation of Splunk Enterprise Security, as well as the creation of all rulesets and alerts. I am also configuring it to align with our technical framework.

Individuals who market Splunk Enterprise Security often claim that it can be deployed within half a day, which is quite amusing. While it is conceivable to perform the installation in that timeframe, the real complexity arises when we must establish connections with numerous systems. This involves accessing each system external to our main setup, configuring it, and directing the system to send its logs to Splunk. On the Splunk side, we encounter the need to create parsing mechanisms that allow proper data reading. This entails installing applications capable of correctly parsing the data, and addressing issues where parsing is inadequate. We then proceed to work with the data. Although Splunk provides some pre-configured rules, we also need to develop our own rules to identify specific events and potential attacks. The process of rule creation demands a substantial investment in writing rule sets. Additionally, integrating a threat intelligence framework becomes essential. We aspire to leverage the micro-framework we have established. Splunk Enterprise Security undeniably possesses considerable capabilities. Nevertheless, it necessitates continuous effort to unlock its full potential and achieve ongoing enhancements.

The solution's complete implementation may require up to one year. Throughout most of the deployment, we had a team of two members, occasionally expanding to three.

For the implementation, we used two integrators and Splunk Professional Services.

Considering the fact that Splunk Enterprise Security aids in thwarting attackers from gaining access to our environment, I would correlate this with a return on investment.

Splunk Enterprise Security's pricing is high. Larger companies may afford it, but I believe that in the current market situation, where everyone is facing challenges, financial resources are tight. Even stock market tech companies are embracing cost-saving measures. Expenses are now more constrained compared to a few years ago when companies had greater spending capacity. Companies are reluctant to make hefty payments. While Splunk is cheaper than Microsoft Sentinel, QRadar is priced at half the cost of Splunk.

Splunk Enterprise Security's licensing is typically determined by the data throughput we handle. Additionally, they offer an alternative pricing model which involves payment based on CPU usage. This newer model was introduced as a response to Elastic Security. However, Splunk enforces licensing in either scenario. 

I rate Splunk Enterprise Security a nine out of ten.

We do not monitor the cloud environments with Splunk. While we have several cloud environments, we avoid using Splunk for this purpose due to its high cost. To utilize Splunk, it would be necessary to place the Splunk engine in the cloud and gather all the logs from various cloud sources, resulting in substantial expenses due to the large volume of logs. As a result, our primary usage of Splunk is on-premise. Instead, we employ different systems to monitor the cloud, generating alerts through various security mechanisms. These alerts are then processed in Splunk, reducing both data traffic and costs.

Splunk Enterprise Security's capabilities to analyze malicious activities and detect breaches are similar to those of other systems. Its effectiveness depends on the rules we develop within it. To truly maximize its value and tailor it to the organization's needs, a significant amount of additional work and utilization of professional services are required.

The reduction of the alert volume presents a challenge due to the X number of personnel in the security alert center. They can effectively handle only Y alerts per day without experiencing fatigue. When the volume surpasses this limit, they tend to merely open and close alerts without thorough investigation. It's as if they've become weary of the process. Therefore, we must determine the optimal number of alerts per day and adjust the rules accordingly. The primary objective is to achieve a statistically reasonable number of alerts per day. This number should be somewhat higher than the current rate, but not three times greater, as exceeding this threshold would render their efforts ineffective. Conversely, if the number of alerts is too high, the personnel's capacity to take action is undermined, resulting in a lack of meaningful outcomes. Striking a balanced middle ground is imperative. This approach enables us to effectively identify and address crucial matters while ensuring our personnel can thoroughly investigate each alert.

Depending on the goals an organization aims to achieve, if their sole focus is on finding the most economical solution and they do not prioritize comprehensiveness, then QRadar would suffice. However, if they seek instant access to answers, I would recommend Splunk Enterprise Security.

Splunk Enterprise Security is deployed across our entire network.

Maintenance is necessary for the system, and updates are needed periodically. Whenever we acquire a new system, we must connect it to Splunk.

Resilience constitutes a crucial component of Splunk Enterprise Security, contributing significantly to the safeguarding of our system.

I recommend Splunk Enterprise Security for organizations that have the budget, time, and skill to properly utilize the solution. I do recommend paying for Splunk Professional Services.

We use Splunk Enterprise Security for various security use cases, including writing correlation searches. This has significantly improved both our use cases and correlation searches. We can leverage existing resources, making modifications as needed, rather than starting from scratch each time. Splunk Enterprise Security provides diverse use cases across different environments, including AWS, Azure, and multi-cloud setups, while also integrating with Microsoft Sentinel. Additionally, we can integrate Splunk's service orchestration product for further automation. Overall, this allows us to automate tasks that security analysts previously performed manually, such as reviewing incident dashboards. We can fine-tune alerts based on analyst feedback. Splunk's research team ensures that use cases are updated with the latest security content, enabling us to understand and implement necessary steps while customizing them to fit our company's needs. This is what makes Splunk Enterprise Security so popular; it streamlines processes compared to legacy security products that often rely on manual scripts. Clients, including government agencies and banks, are transitioning to Splunk Enterprise Security due to its reduced training requirements and comprehensive features. Everything is consolidated, simplifying training and certification. Additionally, integrating Splunk's service orchestration product further automates tasks and improves response times. The substantial investment in Splunk indicates its staying power; no other product on the market currently offers comparable capabilities. Cisco's acquisition of Splunk reinforces its potential for success, combining APM, data logging, and security portfolios. In one financial project involving 600,000 users, we were able to monitor all incoming traffic, identify security activities, and distinguish between legitimate and malicious traffic, including phishing attacks and potential identity-based threats. Splunk enables tracking individual identities, crucial for detecting attacks where perpetrators hide behind compromised identities, often leading to data breaches and other security incidents.

We implemented Splunk Enterprise Security to assist with AWS security, which includes GuardDuty, CloudTrail, CloudWatch, and Inspector. These AWS components generate compliance and security alerts, which we correlate and use to create dashboard reports and identify security events for various use cases. We then enable the out-of-the-box use cases and send notable events to the dashboard. The implementation is currently in its early stages.

Splunk Enterprise Security operates based on incoming data, making monitoring multiple cloud environments relatively simple due to data availability and integration capabilities. Data from cCloudRail, CloudWatch, Azure, and other diverse environments can be incorporated. While occasional patching might be necessary, most integrations are readily available, offering extensive coverage without customization. Specific customizations might still be required, but most functionalities are pre-built, leveraging code developed by Splunk. This efficient approach involves analyzing data from vendors like Palo Alto and applying add-ons to apply code and automate parsing.

Our visibility into various environments depends on how much data we incorporate; therefore, the more we scan, the better our visibility.

Splunk Enterprise Security's insider threat detection capabilities act as a secondary approval and vetting process, helping our organization ensure there are no unauthorized users.

The MITRE ATT&CK framework allows us to identify criticality levels, helping us respond to incidents. We might integrate incident response with a REST API, where a notable event triggers the creation of a ServiceNow ticket. Information flows from ServiceNow back to Splunk, which then feeds other systems, enabling bidirectional incident management. These processes are largely out-of-the-box, as Splunk integrates well with ServiceNow, except for any customizations. We understand the data integration requirements and leverage Splunk's extensive integration capabilities.

Splunk Enterprise Security does a good job of analyzing malicious activities and detecting breaches. The amount of information the research and threat detection teams receive from Splunk enables faster threat detection of up to 60 percent, eliminating the need to consult numerous sources. This efficiency is a key benefit of Splunk, as its significant investment in security allows for expedited processes.

I have seen the older legacy product where they have this manual process to identify issues, run scripts, try to identify the output, and then go through ten systems to collect data. This could take days. Now, with Splunk, we have everything correlated with multiple use cases, and we have a correlation search between multiple systems, along with application data. Splunk Enterprise Security can stitch all this information together and show it in a single pane of glass, which makes decision-making faster and allows us to focus on the relevant issues instead of wasting time on non-relevant ones. They have done this well.

Splunk Enterprise Security significantly reduced our alert volume. The initial challenge was dealing with a legacy IBM system that generated a massive amount of unfiltered noise, making it difficult to identify relevant events to send to the incident dashboard. This process was time-consuming and inefficient, and the value of the system wasn't apparent. To address this, we fine-tuned both the SOAR system and Splunk by applying filters and conditions to focus on relevant data. Ultimately, Splunk reduced the alert noise from 1,000 events in two hours down to ten, which were then grouped into a single notable event. Despite potentially having hundreds of background events, Splunk condensed this information into a single, actionable item, allowing us to focus on investigating the most relevant issues.

Splunk Enterprise Security accelerates our security investigations by reducing noise, allowing us to focus on relevant use cases. Everything is categorized as high, medium, or low priority, and people immediately start investigating high-priority issues connected to PagerDuty. Sometimes, this leads to on-call situations, sometimes immediate action. Service orchestration and playbook scenarios enable automated responses, like instantly blocking unauthorized access to a system. The possibilities for security use cases with playbooks and service orchestration are vast, and I'm excited to explore them further in the coming days.

The dashboards and reporting capabilities help to aid our security analysis.

We have integrated Splunk Enterprise Security with various services to streamline our security operations. This integration allows us to leverage diverse data sources for creating lookups, data models, knowledge objects, and regular expressions. By automating the development of use cases and regular expressions, we can apply them to data more efficiently, enabling faster implementation and analysis. This approach enhances our ability to detect and respond to security threats effectively.

Splunk Enterprise Security has enhanced our organization's security posture by providing comprehensive security compliance dashboard reports.

I appreciate how Splunk Enterprise Security connects users to the research team and threat documentation, providing access to current events impacting other clients, security vulnerabilities, and relevant use cases. The platform's daily updates offer valuable insights for enhancing our security posture.

Splunk Enterprise Security allows us to create custom dashboards by changing fonts and modifying widgets. Those familiar with XML coding can further personalize dashboards to align with frameworks such as MITRE. Alternatively, we have the option to use the pre-built dashboards.

I've noticed that onboarding data from various multi-cloud sources and diverse products, such as security network devices, can be challenging. Although Splunk has simplified data onboarding with features like data managers, they need to improve their out-of-the-box parsing capabilities. While they've made significant progress, covering about 70 percent of common products, there's still a 30 percent gap where manual configuration is required. This forces us to spend time understanding and writing custom parsing rules instead of focusing on data analysis. With Splunk's recent acquisition by Cisco, I'm hopeful they will prioritize enhancing this functionality and increasing their coverage to 90 percent or more.

I want to see Splunk Enterprise Security dashboards incorporate more features, such as out-of-the-box AI and user behaviour analytics, which are accessible within a single dashboard.

The technical support response time has room for improvement.

I have been using Splunk Enterprise Security for three years.

Splunk Enterprise Security has stability issues, especially with large data volumes, increased data intake, complex dashboards, custom models, and processing that significantly impact performance. Many customers experience this; even with demos using small datasets, performance degrades with millions of data points. This necessitates capacity planning, dedicated teams, and enforced best practices. These practices include restricting complex searches, blocking problematic users, and providing training to prevent performance degradation. Constant vigilance and proactive measures are crucial to maintaining a stable Splunk Enterprise Security environment. I would rate the stability of Splunk Enterprise Security five out of ten.

I would rate Splunk Enterprise Security's scalability six out of ten. We need to add more shared CPU memory and increase the capacity, and scaling requires a lot of planning and effort.

Splunk's support quality has declined in the past five years. Response times are now slower, and resolving an issue can take weeks. Submitting a ticket and connecting with the appropriate support agent often requires numerous emails and calls.

Neutral

To improve security coverage and user experience, we replaced our outdated legacy solution with Splunk Enterprise Security.

Our Splunk Enterprise Security cloud deployment utilizes a DevOps approach with a fully automated CI/CD pipeline. This automation has significantly improved our deployment speed, reducing the process from a week to a few minutes. Changes are made in the development environment and then automatically pushed to production after a click-through approval process. This streamlined workflow eliminates the previous manual process and associated delays, resulting in a faster and more efficient deployment cycle.

Splunk Enterprise Security's pricing is based on data volume, which generally suits large enterprises.

I would rate Splunk Enterprise Security eight out of ten.

Splunk is widely used across larger organizations. While large organizations often have extensive teams dedicated to Splunk projects and upgrades, smaller organizations can also use Splunk, taking advantage of more affordable pricing options like the free tier for limited data. Cost isn't a significant concern for larger organizations, who prioritize Splunk's security features and are willing to invest in its capabilities.

Splunk Enterprise Security is deployed across all departments, processing millions of data points. Over 500 people manage this data: building dashboards and reports, working with Enterprise Security, discussing use cases, and creating custom data models. This represents a massive effort for any large organization where every department utilizes Splunk.

Government departments are transitioning to Splunk, with daily onboarding increasing the current user base of 5,000.

Because the deployment is cloud-based, the Splunk DevOps team handles maintenance.

Splunk offers a resilient SIEM solution with comprehensive capabilities for research and a wide range of use cases. It is constantly updated, ensuring it remains a valuable and comprehensive SIEM package.

I recommend Splunk Enterprise Security. It is an excellent tool widely used by many organizations, making it a valuable choice for security information and event management.

Splunk Enterprise Security offers a wide range of capabilities that benefit our organization. This includes user behavior analytics, which helps us identify suspicious activity. Additionally, Splunk Enterprise Security allows us to create custom alerts for various internal security needs.

Splunk has been instrumental in improving our incident response time, especially for user authentication issues. It excels at detecting anomalous behavior, such as brute force attacks or multiple login attempts from a single source. This allows us to quickly identify and address potential security threats, making Splunk a vital tool for our cybersecurity incident response efforts.

The asset and identity management feature strengthens our overall security posture. This system relies on the creation of security roles by administrators. These roles then determine access permissions based on the principle of Role-Based Access Control. In this way, access is carefully controlled and assigned based on specific job duties. It's important to note that administrators retain a high level of access and make final decisions regarding access permissions.

Splunk offers a variety of dashboards, including real-time dashboards that update continuously. These dashboards complement Splunk's real-time alerts by providing a visual overview of our system's health. They can be built to leverage different Splunk resources, like indexes, search clusters, and host clusters. This allows us to monitor key metrics and identify potential issues in real-time, helping us maintain a healthy and efficient system.

Our SoC and Analytics teams use Splunk to monitor multiple cloud environments.

The visibility into multiple environments is good.

The insider threat detection is valuable for our organization because it helps us identify unknown threats. While we leverage existing threat intelligence for known threats through signatures and endpoint protection tools, these methods have limitations. Since they rely on predefined information, they can't be readily integrated with Splunk to monitor for and generate alerts based on these known threats. Splunk's strength lies in its ability to detect anomalies and suspicious user behavior, which can be crucial for uncovering insider threats that might bypass traditional signature-based defenses.

Splunk Enterprise Security excels at analyzing malicious activity. Our team has created several use cases to identify such activity. These use cases focus on data patterns that might indicate malicious intent, such as a sudden increase in login attempts or logins occurring outside of regular business hours. Additionally, we can identify brute force attacks attempting to crack passwords through repeated login attempts. This allows us to effectively monitor for and respond to potential security threats.

It has improved our detection ability and has helped reduce our alert volume to a manageable level.

Splunk has helped speed up our security investigation.

Splunk stands out for its extensive application integrations. It boasts a user-friendly interface with intuitive features that are easy to understand and navigate for technical users. This accessibility is a major reason why I find Splunk so appealing.

The user interface is not user-friendly for non-technical users. 

I have been using Splunk Enterprise Security for three and a half years.

Splunk Enterprise Security is extremely stable.

Splunk Enterprise Security is easily scalable.

We have only had minimal contact with Splunk technical support.

Neutral

The initial deployment is straightforward.

Splunk Enterprise Security is affordable.

While affordability is important, I recommend Splunk Enterprise Security over the cheapest option on the market. This is because Splunk offers a robust feature set that justifies its cost.

I would rate Splunk Enterprise Security nine out of ten.

We have Splunk Enterprise Security deployed across multiple locations.

Splunk Enterprise Security requires minimal maintenance.

I recommend Splunk Enterprise Security as a scalable and reliable solution for both on-premises and cloud environments. 

The solution is used in my company to help the security operation center in work areas like detection, response, and investigation while maintaining cybersecurity standards.

My company has benefited from using Splunk Enterprise Security, which has helped us stay out of the headlines in newspapers. The tool helps detect threats early and respond to them effectively.

The solution's most valuable feature is that it helps with our use cases to detect anomalies in our data and it is important to my company since we have a lot of data on different logs on the systems. We need to be able to create insights that are indicative of malicious activities, which is one of the main purposes of having Splunk Enterprise Security in our company.

The product lacks cross-cutting capabilities. The features in Splunk Enterprise Security that were initially promised to our company are still not available. My company has been asking Splunk for some of these features to be provided in the product for years, and we have been promised that they will be introduced soon in the solution and be part of the product's next release.

I believe that the contract and the terms and conditions mentioned in it are areas where improvements are required.

I have experience with Splunk Enterprise Security.

When it comes to the on-premises version, the stability of the product was quite reliable. When my company moved to the product's cloud version, we faced some major issues related to availability and dealing with events like data corruption.

The product's scalability is okay. I do not think my company faced issues in the area of scalability.

The product's support services were not great initially, but now they are in really good shape. Whenever my company connects with the product's support team, they listen to our questions and queries, so I feel that we are in a much better place now. I rate the technical support as eight out of ten.

Positive

My company has experience with ArcSight. We switched to Splunk Enterprise Security because we couldn't get good answers to our questions from ArcSight, and it was just not functional.

The solution is deployed using the cloud services offered by Splunk. Recently, my company also deployed the tool on an on-premises model. In our company, we monitor both, cloud and on-premises, with our cloud instance.

In the beginning phase, I would describe the deployment experience as a costly and hard process. The migration process from on-premises to cloud was hard and took our company a year to complete. There were different kinds of roadblocks on our company's and Splunk's end. My company worked directly with the migration process associated with the product.

It is difficult to say whether I have seen an ROI since it is like trying to figure out how much an insurance policy works. I think that our company will receive a return on investment from the use of the solution since it helps the organization's cybersecurity team stay out of the newspapers. My company has always been able to deal with threats quickly with the product.

Regarding the product's pricing, I think it has always been difficult to have a conversation with Splunk. Considering the contract thing and the whole legal area, it takes forever to get the contracts signed and to be able to agree to the terms and conditions for my company as well as for Splunk's team. I like the direction Splunk stays in by thinking with the customers about how to reduce costs and only have that data searchable or available, which you need at a particular time. I like the path Splunk is going on, specifically its current trajectory. I appreciate the efforts put in by Splunk in the area partnership, which is what my company expects.

My company uses Microsoft Sentinel. A multi-SIEM environment provides my company with the best of both worlds. Sentinel has some good features, like Microsoft Graph Security, that the tool uses for the whole Microsoft ecosystem. Microsoft Sentinel is a good option for my organization.

In my company, Splunk acts as a product that complements Sentinel because the former lacks some features. I think Microsoft is strong in the area of service delivery. Microsoft's EDR tools, like Microsoft Defender, use Servers from Microsoft Graph Security, and my company benefits from such a type of integration, and we are able to send alerts to Splunk. In our company, if we start to ingest all the data we usually ingest in Splunk by moving to Sentinel, it will become too expensive, so we have to choose where to keep our data.

My company has been able to reduce the mean time to resolve with Splunk Enterprise Security as it went down from a couple of days to hours.

My company has seen a significant reduction in alert volume. It was very noisy earlier, but lately, my company hardly sees any false positives.

It is super important that the solution provides end-to-end visibility of our company's environment because you can never know from where threats can materialize. The fact that users can correlate and ingest data makes sense and is crucial, considering the massive amounts of data.

Splunk Enterprise Security has helped improve our company's ability to ingest and normalize data, which is one of the tool's key benefits.

I would not say that Splunk Enterprise Security has helped solve problems in real-time scenarios, but it has helped solve problems on a near real-time basis. In my company, there is always some lag between the data that comes in and the ones being ingested and correlated. Splunk Enterprise Security aids in solving problems in a matter of minutes.

Splunk Enterprise Security provides relevant context to help guide our company's investigations, and it is very important and can be considered everything for our organization. In our company, we pull in data from assets and registries to give index-based alerts and be able to find owners quickly to notify them and respond to threats.

Splunk Enterprise Security's ability to help our company find any security events across environments is excellent. My company is really happy with Splunk Enterprise Security. The product helps our company find bad stuff when needed.

The truth is that it is very hard to deliver solutions that work at a certain scale. I think that one of the things I could say is that it is a solution that scales up at work. There are many organizations where solutions fail, and I can say that since I have been a part of the deployment of many other tools, it is hard to get many products to work. Splunk Enterprise Security works, and our company's analysts rely on it and trust it. I can only see improvements considering the strategies in terms of where the product's management team is going, and I believe that I will be able to rate the tool a nine out of ten pretty soon.

I rate the overall solution an eight out of ten.

We use Splunk Enterprise Security for threat detection on our network devices.

Splunk Enterprise Security excels at threat detection. We've developed multiple correlation searches leveraging security data. These searches identify threats and categorize them by urgency level, enabling our security analysts to prioritize and take swift action.

Splunk Enterprise Security has helped us improve our incident response time. We achieve this by ensuring our queries are completed in near real-time.

Access management focuses on storing and managing access controls, while identity management deals with user identities. For example, if we want to find IP addresses associated with CrowdStrike, we can use access management to look up their IP ranges. Then, we can check if any IPs match by adding them to a specific identity management lookup. Finally, by leveraging the combined identity and access management features of Splunk Enterprise Security, we can create correlations between these entities.

The security dashboard can be customized to display the information we need most quickly. It typically has seven to eight panels, each dedicated to reflecting specific data. While some initial data load time might be present, clicking on a specific panel will display its information as soon as possible. There can be delays in traditional dashboards when searching for specific data. To optimize this, we can create "base searches" within each panel. These predefined searches cover commonly used queries and fields. Alternatively, we can create a "summary index" that holds a longer span of pre-processed data. This summary index allows even large datasets to be displayed quickly when accessed through the dashboard.

Splunk enhances our team collaboration regarding security incidents. When a threat alert is received, we can click on it and choose "investigation in progress" from a dropdown menu. This selection redirects us to a dedicated investigation page for further details. For in-depth analysis, we can drill down into the logs to pinpoint the source of the issue. Additionally, the platform allows us to contact network devices to determine the root cause. Once the issue is resolved, we can close the investigation.

We monitor both AWS and GCP environments using Splunk Enterprise Security. 

Splunk provides threat intelligence capabilities that can be valuable. This, combined with the comprehensive set of dashboards available, allows us to effectively monitor for threats. We can also create custom apps within Splunk for threat detection. These apps can include custom dashboards or reports that display specific information. For example, we could create a dashboard that shows the number of users accessing unknown URLs or another that monitors a particular device for suspicious activity. An example of suspicious activity might be a device where the print command is being executed repeatedly but failing each time. This could indicate a malfunction or, potentially, a malicious attempt to exploit the system. Similarly, a sudden spike in activity, such as millions of clicks on a specific device within a short timeframe, could also be a sign of a threat. By monitoring these parameters within Splunk's threat detection features, we can identify and investigate potential security incidents.

Splunk provides valuable visibility across multiple environments. Whether we have an on-premises or cloud architecture, Splunk offers self-monitoring capabilities. Additionally, depending on our environment, we can leverage existing monitoring tools. For on-premises deployments, we can utilize the Martin Console alongside Splunk for comprehensive monitoring. Cloud environments often come with built-in monitoring handled by the cloud provider's support team. In such cases, Splunk can focus on applications and custom log data for deeper insights.

The threat topology provided by Splunk gives us a comprehensive overview of potential threats. By analyzing queries or notable events, we can identify and neutralize these threats.

Splunk does a good job of analyzing malicious activities.

Splunk has improved our organization's decision-making by centralizing all the information in our environment and allowing us to access multiple dashboards and reports in one place.

Splunk has helped us reduce our alert volume. By using Splunk, we can identify the root causes of failures, which in turn leads to a decrease in alerts.

Splunk accelerates our security investigations by enabling us to resolve issues and document them in Standard Operating Procedures or knowledge-base articles. This facilitates a swifter response to similar incidents in the future.

Splunk Enterprise Security's dashboards are a key asset. They offer comprehensive visibility across our entire environment, allowing us to diagnose and address security issues directly from the interface.

I would like Splunk to offer a quicker and easier way to run queries.

Splunk could improve its cost-efficiency for our organization by offering pre-built architectures tailored to specific environments. This would provide a clearer picture of required licenses and their implementation, ultimately reducing licensing costs.

The presence of multiple layers creates a significant challenge for monitoring across cloud environments.

I am currently using Splunk Enterprise Security.

Splunk Enterprise Security is a very stable product, but there are occasional bugs that can appear.

We can scale Splunk Enterprise Security up or down depending on our demands.

The Splunk support team is helpful. For complex issues or on-demand requests, we raise cases with them. On-demand requests requiring impactful solutions are paid. However, for UK-based users, standard support is free and usually resolves issues efficiently. In some cases, the support team rushes to provide a solution without even looking at the issue.

Positive

The initial deployment can be complex. It involves creating multi-site clusters for each location and configuring a cluster master for each. This is because the cluster master will replicate data across multiple sites, making the environment more complex.

Four people were required for the deployment.

I would rate Splunk Enterprise Security 6 out of 10 because of the complexities that occur at times.

I highly recommend Splunk Enterprise Security for organizations seeking comprehensive security monitoring. Splunk offers a centralized platform to collect and analyze vast amounts of security data. This empowers us to gain full visibility across our entire IT environment, including applications, user activity, and potential security threats. Splunk provides insightful dashboards, reports, and real-time alerts to help proactively identify and address security issues.

While cost is a consideration, prioritizing features over functionalities for SIEM solutions can be risky. It's best to identify your business needs first and then choose an SIEM that offers the most relevant benefits to address those needs.

Splunk Enterprise Security is deployed across multiple locations and departments within our organization.

Splunk Enterprise Security required maintenance.