We use Splunk Enterprise Security as our SIEM solution.
The log sources are in multiple cloud environments, but the deployment of Splunk is on-premises.
Monitoring our AWS and Azure cloud environments with Splunk Enterprise Security is easy.
The visibility into multiple cloud environments is good. We have complete visibility because we integrate all our logs and sources into Splunk.
Splunk Enterprise Security's insider threat detection capabilities module runs on the backend and provides complete visibility into anomalous behavior and zero-day attacks.
The threat intelligence management feature is a necessary tool in our environment. The actionable intelligence provided by the threat intelligence management feature is helpful. We can see the IoCs to help with our investigation.
Splunk Enterprise Security does a good job analyzing malicious activities and detecting breaches.
Splunk Enterprise Security helps us detect threats faster.
Splunk Enterprise Security helps reduce our alert volume by whitelisting the false positives.
Splunk Enterprise Security has helped speed up our security investigations. Splunk uses user-friendly language and visibility to speed up our investigation times.
Splunk offers significant time savings for analysts compared to tools like Azure Sentinel, with analysts resolving alerts 30-40 percent faster. Additionally, Splunk's user-friendly dashboards simplify administration.
Splunk Enterprise Security's value lies in its ability to collect and analyze security logs, providing insightful dashboards.
Splunk's high cost, despite its recognition in our region, prevents many organizations from adopting Splunk Enterprise Security, suggesting there's room for improvement in their pricing strategy.
I have been using Splunk Enterprise Security for six months.
Splunk Enterprise Security is stable.
Splunk Enterprise Security is designed for easy scaling.
Our organization is expanding our clusters day by day.
The technical support is collaborative. We do receive a response within the appropriate time.
Positive
While I have experience with Azure Sentinel and other SIEM tools, Splunk stands out for me. It provides a full SIEM experience with informative dashboards, clear language for easy analysis, comprehensive visibility across my systems, and a robust CIM for data organization.
The initial deployment was technical but not overly complex. We faced difficulties with the log process going down and not getting the results in the client console. The overall deployment took around three hours to complete.
Three people were involved in the deployment.
The implementation was completed in-house.
Splunk differs from other SIEM solutions by using a gigabyte-based pricing model, rather than the agent-based licenses common with its competitors.
While Splunk Enterprise Security carries a higher cost and requires budgeting, cheaper SIEM and open-source alternatives often have limitations. This makes the decision a matter of weighing the cost against the features most important to each organization's security needs.
I would rate Splunk Enterprise Security nine out of ten.
On paper, Splunk Enterprise Security is the top solution for detecting security threats in any organization, but Splunk Enterprise Security is expensive and most organizations don't have a proper budget to implement a SIEM solution. So they look for a more reasonable, cost-effective solution. This is a hurdle for implementing Splunk Enterprise Security. It was originally designed for data science and modified for security. It is a top tool for SIEM and data analytics.
Splunk Enterprise Security stands out for its threat detection capabilities, but its cost can be a barrier for many organizations. Originally designed for data science, it excels in both security and analytics, but its price tag often pushes businesses towards more budget-friendly SIEM solutions.
Splunk Enterprise Security offers good resilience for our customers.
For organizations that don't have the budget for Splunk Enterprise Security, I would recommend Azure Sentinel.
We use Splunk Enterprise Security to secure our client's network and provide clear visibility.
Our client lacked an SIEM solution to comply with regulations, so we recommended Splunk Enterprise Security, and they agreed to implement it.
Splunk Enterprise Security provides complete visibility into the environment. We can add any data to the indexer, and it will begin to be displayed. All we need to do is create use cases tailored to the client's needs.
Splunk's threat intelligence management capabilities are strong, thanks to its user-friendly interface and ability to correlate data from various sources. While it competes favorably with other SIEM tools, its effectiveness ultimately depends on how it's configured.
The actionable intelligence from Splunk's threat intelligence management feature helps us understand what's happening in our environment, enabling further investigation.
We updated the IOCs within the MITRE ATT&CK framework indexing for Splunk. This allows us to compare all received alerts against the MITRE ATT&CK categories. By using the MITRE ATT&CK framework, I can identify the potential type of threat, its mitigation strategies, and the overall attack behavior. Furthermore, I can use the framework to investigate the affected hosts, their origin, and the attack vector.
Splunk Enterprise Security does a good job analyzing malicious activities and detecting breaches.
Splunk Enterprise Security has improved our detection time.
Splunk Enterprise Security has improved our clients' security posture by providing them with better visibility into vulnerabilities, along with proper mitigation strategies and clear explanations. The benefits are apparent within the first month.
Splunk Enterprise Security helped us reduce our alert volume. Initially, the high number of alerts was overwhelming because we were in a new environment, but the volume gradually leveled off and decreased by 50 percent.
Splunk Enterprise Security has accelerated our security investigations by 30 percent. It integrates seamlessly with our EDR solution, providing a single pane of glass view for all security logs.
Splunk Enterprise Security offers valuable features like seamless integration and a SQL-standard Structured Query Language for easy searching. Additionally, implementing devices is straightforward, similar to a plug-and-play process.
Splunk's insider threat detection capabilities have limitations. While it offers customization, pre-configured rules for common threats are scarce. This means we need to create our own rules, which can be effective if we have the expertise and understand our specific needs. However, behavior analytics seem less useful and have room for improvement.
Splunk's implementation process for managing multiple indexes can be complex, especially when dealing with a large number of components.
Splunk could benefit from a feature that allows users to indicate they are working on an alert or incident. This would prevent other users from wasting time investigating the same issue. Ideally, this wouldn't involve a formal assignment, but rather a temporary indication that someone is currently looking into it.
I have been using Splunk Enterprise Security for 9 months.
Splunk Enterprise Security is reliable and the stability is a ten out of ten.
Splunk Enterprise Security offers good resilience. Even for unsupported tools, simple integrations can be customized. Splunk is constantly improving.
I would rate the scalability of Splunk Enterprise Security ten out of ten.
The technical support team is excellent. They proactively identify and inform clients about any vulnerabilities or security gaps in their environment.
Positive
The initial deployment of Splunk Enterprise Security was fairly straightforward. While the documentation is comprehensive, fully deploying the solution can be time-consuming. The timeframe can vary depending on your environment's complexity. For instance, a company with 1500 to 2000 employees and a large number of systems and servers might require a month for complete deployment.
I collect the client's requirements and then open a support ticket with Splunk. The ticket will address configuration assistance and, if the deployment is in the cloud, will inquire about the client's storage needs. After I submit the ticket, Splunk will communicate directly with the client.
The deployment involves several teams, and I lead the oversight of both the deployment itself and the analytics function, ensuring a seamless process.
While some clients find the cost of Splunk Enterprise Security to be on the higher end, its pricing is comparable to other SIEM solutions. Ultimately, the value it delivers justifies the investment.
Don't simply choose the cheapest SIEM solution. Consider your organization's specific needs and environment. Even if you prioritize affordability right now, I can offer more powerful tools. However, the best solution isn't just about price. It depends entirely on your environment. Therefore, you need to establish a budget based on your specific requirements. Ultimately, the ideal SIEM solution aligns with your organization's needs.
I would rate Splunk Enterprise Security 8 out of 10.
Splunk Enterprise Security requires maintenance for new onboarding, log management, and archiving. A maximum of two people are required for the maintenance.
Splunk Enterprise Security is a robust security solution that's easy to manage after initial configuration.
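The review above describes comparing received alerts against MITRE ATT&CK categories to read off the tactic, the mitigation and the affected hosts. The following is an added example, not configuration from the review or from Splunk, of how that enrichment is typically wired up in a Splunk app: a `transforms.conf` lookup over a hand-built CSV and a scheduled report in `savedsearches.conf` that joins ES notable events to it. The CSV contents, the `technique_id` field on the notables and the stanza names are assumptions; `index=notable` and `urgency` are standard ES fields.

```ini
# --- transforms.conf (added example; assumes a hand-built CSV lookup) ---
# mitre_attack_map.csv is a constructed lookup file in the app's lookups/
# directory with one row per technique, for example:
#   technique_id,technique_name,tactic,mitigation
#   T1110,Brute Force,Credential Access,M1036 Account Use Policies
#   T1078,Valid Accounts,Defense Evasion,M1032 Multi-factor Authentication
#   T1059,Command and Scripting Interpreter,Execution,M1038 Execution Prevention
[mitre_attack_map]
filename = mitre_attack_map.csv
case_sensitive_match = false

# --- savedsearches.conf (added example) ---
# Daily report that joins every ES notable event of the last 24 hours to the
# lookup. It assumes each correlation search tags its notables with a
# technique_id field (an assumption; set it with eval inside the correlation
# search). Notables without a mapping are kept and labelled "unmapped" so that
# gaps in the lookup are visible rather than silently dropped.
[Report - Notables by ATT&CK Tactic]
enableSched = 1
cron_schedule = 0 6 * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = @h
search = index=notable technique_id=* \
  | lookup mitre_attack_map technique_id OUTPUT technique_name tactic mitigation \
  | fillnull value="unmapped" technique_name tactic mitigation \
  | stats count AS notables dc(src) AS sources dc(dest) AS affected_hosts \
      values(mitigation) AS mitigations by tactic technique_id technique_name urgency \
  | sort - notables
```

The report gives one row per tactic, technique and urgency with the count of notables, the number of distinct sources and destination hosts, and the mitigations recorded for that technique, which is the view the review uses to decide what kind of threat it is facing and where to start investigating. Keeping the CSV under version control and refreshing it when ATT&CK is updated keeps the mapping consistent across analysts.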
We use Splunk Enterprise Security for threat detection on our network devices.
Splunk Enterprise Security excels at threat detection. We've developed multiple correlation searches leveraging security data. These searches identify threats and categorize them by urgency level, enabling our security analysts to prioritize and take swift action.
Splunk Enterprise Security has helped us improve our incident response time. We achieve this by ensuring our queries are completed in near real-time.
Access management focuses on storing and managing access controls, while identity management deals with user identities. For example, if we want to find IP addresses associated with CrowdStrike, we can use access management to look up their IP ranges. Then, we can check if any IPs match by adding them to a specific identity management lookup. Finally, by leveraging the combined identity and access management features of Splunk Enterprise Security, we can create correlations between these entities.
The security dashboard can be customized to display the information we need most quickly. It typically has seven to eight panels, each dedicated to reflecting specific data. While some initial data load time might be present, clicking on a specific panel will display its information as soon as possible. There can be delays in traditional dashboards when searching for specific data. To optimize this, we can create "base searches" within each panel. These predefined searches cover commonly used queries and fields. Alternatively, we can create a "summary index" that holds a longer span of pre-processed data. This summary index allows even large datasets to be displayed quickly when accessed through the dashboard.
Splunk enhances our team collaboration regarding security incidents. When a threat alert is received, we can click on it and choose "investigation in progress" from a dropdown menu. This selection redirects us to a dedicated investigation page for further details. For in-depth analysis, we can drill down into the logs to pinpoint the source of the issue. Additionally, the platform allows us to contact network devices to determine the root cause. Once the issue is resolved, we can close the investigation.
We monitor both AWS and GCP environments using Splunk Enterprise Security.
Splunk provides threat intelligence capabilities that can be valuable. This, combined with the comprehensive set of dashboards available, allows us to effectively monitor for threats. We can also create custom apps within Splunk for threat detection. These apps can include custom dashboards or reports that display specific information. For example, we could create a dashboard that shows the number of users accessing unknown URLs or another that monitors a particular device for suspicious activity. An example of suspicious activity might be a device where the print command is being executed repeatedly but failing each time. This could indicate a malfunction or, potentially, a malicious attempt to exploit the system. Similarly, a sudden spike in activity, such as millions of clicks on a specific device within a short timeframe, could also be a sign of a threat. By monitoring these parameters within Splunk's threat detection features, we can identify and investigate potential security incidents.
Splunk provides valuable visibility across multiple environments. Whether we have an on-premises or cloud architecture, Splunk offers self-monitoring capabilities. Additionally, depending on our environment, we can leverage existing monitoring tools. For on-premises deployments, we can utilize the Monitoring Console alongside Splunk for comprehensive monitoring. Cloud environments often come with built-in monitoring handled by the cloud provider's support team. In such cases, Splunk can focus on applications and custom log data for deeper insights.
The threat topology provided by Splunk gives us a comprehensive overview of potential threats. By analyzing queries or notable events, we can identify and neutralize these threats.
Splunk does a good job of analyzing malicious activities.
Splunk has improved our organization's decision-making by centralizing all the information in our environment and allowing us to access multiple dashboards and reports in one place.
Splunk has helped us reduce our alert volume. By using Splunk, we can identify the root causes of failures, which in turn leads to a decrease in alerts.
Splunk accelerates our security investigations by enabling us to resolve issues and document them in Standard Operating Procedures or knowledge-base articles. This facilitates a swifter response to similar incidents in the future.
Splunk Enterprise Security's dashboards are a key asset. They offer comprehensive visibility across our entire environment, allowing us to diagnose and address security issues directly from the interface.
I would like Splunk to offer a quicker and easier way to run queries.
Splunk could improve its cost-efficiency for our organization by offering pre-built architectures tailored to specific environments. This would provide a clearer picture of required licenses and their implementation, ultimately reducing licensing costs.
The presence of multiple layers creates a significant challenge for monitoring across cloud environments.
I am currently using Splunk Enterprise Security.
Splunk Enterprise Security is a very stable product, but there are occasional bugs that can appear.
We can scale Splunk Enterprise Security up or down depending on our demands.
The Splunk support team is helpful. For complex issues or on-demand requests, we raise cases with them. On-demand requests requiring impactful solutions are paid. However, for UK-based users, standard support is free and usually resolves issues efficiently. In some cases, the support team rushes to provide a solution without even looking at the issue.
Positive
The initial deployment can be complex. It involves creating multi-site clusters for each location and configuring a cluster master for each. This is because the cluster master will replicate data across multiple sites, making the environment more complex.
Four people were required for the deployment.
I would rate Splunk Enterprise Security 6 out of 10 because of the complexities that occur at times.
I highly recommend Splunk Enterprise Security for organizations seeking comprehensive security monitoring. Splunk offers a centralized platform to collect and analyze vast amounts of security data. This empowers us to gain full visibility across our entire IT environment, including applications, user activity, and potential security threats. Splunk provides insightful dashboards, reports, and real-time alerts to help proactively identify and address security issues.
While cost is a consideration, prioritizing features over functionalities for SIEM solutions can be risky. It's best to identify your business needs first and then choose an SIEM that offers the most relevant benefits to address those needs.
Splunk Enterprise Security is deployed across multiple locations and departments within our organization.
Splunk Enterprise Security required maintenance.
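The review above mentions three techniques together: correlation searches that rank threats by urgency, a summary index that holds pre-aggregated data so dashboards stay fast, and detections for a device that keeps issuing failing print commands or shows a sudden spike in clicks. The following `savedsearches.conf` stanzas are an added example written for this page, not the reviewer's configuration or Splunk's own content, showing how those pieces fit together. Index names, sourcetypes, field names (`status`, `printer`, `clicks`) and thresholds are constructed assumptions; the `action.summary_index`, `action.correlationsearch` and `action.notable` settings are the ones ES uses for summary indexing and correlation searches.

```ini
# --- savedsearches.conf (added example) ---
# Stage 1: scheduled search that aggregates raw print-server events every five
# minutes and writes the small result set to the summary index. The sourcetype
# and the status/printer fields are constructed for this example. Dashboard
# panels that read index=summary instead of the raw index return quickly
# because the heavy aggregation already ran on schedule.
[Summary - Print failures per host (5m)]
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
search = index=endpoint sourcetype=print_server \
  | stats count(eval(status=="failed")) AS failed_prints count AS total_prints \
      dc(printer) AS printers by host user
action.summary_index = 1
action.summary_index._name = summary
action.summary_index.report = print_failures_5m

# Stage 2: ES correlation search over the summary index. It reads the
# pre-aggregated rows rather than raw events, so it is cheap enough to run
# every fifteen minutes. It opens a notable event; ES derives the urgency from
# the severity set here and the priority of the asset in the asset lookup.
# Suppression keeps one noisy host from producing a notable every run.
[Correlation - Repeated print failures on one host]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -60m@m
dispatch.latest_time = @m
search = index=summary report=print_failures_5m \
  | stats sum(failed_prints) AS failed_prints sum(total_prints) AS total_prints \
      dc(user) AS users by host \
  | eval failure_ratio=round(failed_prints/total_prints,2) \
  | where failed_prints >= 20 AND failure_ratio >= 0.9
action.correlationsearch.enabled = 1
action.correlationsearch.label = Repeated print failures on one host
action.notable = 1
action.notable.param.security_domain = endpoint
action.notable.param.severity = medium
action.notable.param.rule_title = $failed_prints$ failed print jobs on $host$ in the last hour
action.notable.param.rule_description = A host keeps issuing print jobs that fail; check for a faulty driver, a stuck spooler, or a process abusing the print service.
alert.suppress = 1
alert.suppress.fields = host
alert.suppress.period = 4h

# Stage 3: click-rate spike per host, measured against that host's own recent
# baseline (streamstats over the previous 60 one-minute buckets) rather than a
# single global number, so a busy kiosk and a quiet workstation each get their
# own threshold. The absolute floor of 1000 clicks/min and the 3-sigma factor
# are illustrative values to tune per environment.
[Correlation - Click rate spike on one host]
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -65m@m
dispatch.latest_time = @m
search = index=web sourcetype=clickstream \
  | bin _time span=1m \
  | stats count AS clicks by _time host \
  | streamstats window=60 current=f avg(clicks) AS baseline stdev(clicks) AS sd by host \
  | where clicks > 1000 AND clicks > baseline + 3*coalesce(sd,0) \
  | stats max(clicks) AS peak_clicks max(baseline) AS baseline by host
action.correlationsearch.enabled = 1
action.correlationsearch.label = Click rate spike on one host
action.notable = 1
action.notable.param.security_domain = network
action.notable.param.severity = high
action.notable.param.rule_title = Click spike of $peak_clicks$ per minute on $host$
alert.suppress = 1
alert.suppress.fields = host
alert.suppress.period = 1h
```

The split between stage 1 and stage 2 is the point the review makes about summary indexes: the expensive pass over raw events happens once on a schedule, and both the correlation search and any dashboard panel work from the compact summary rows. Severity is set per search, and ES combines it with the asset priority of `host` to produce the urgency that analysts sort by in Incident Review.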
We use Splunk Enterprise Security to enhance our overall security posture by proactively managing our threat profile across the enterprise. This enables us to see valuable insights and effectively monitor all OEM devices.
It is easy to monitor multiple cloud environments using Splunk Enterprise Security. This helps with DLP and security across our SAM solutions.
Although I favor the cloud's convenience for credential management, Splunk Enterprise Security's visibility remains consistent across multiple environments.
Splunk's insider threat detection reveals daily threat events and highlights anomalous behavior on the dashboard.
The threat intelligence management feature continuously monitors activities across cloud, on-premises, and hybrid environments, and informs stakeholders of any suspicious activity.
Splunk Enterprise Security has endpoint security protection to analyze malicious activities and detect breaches through the analysis of new log content.
Splunk Enterprise Security helps us detect threats two to three hours faster.
Splunk Enterprise Security has helped improve our incident review times, security posture, network protection, and endpoint protection. We saw the benefits within the first month of use.
A decrease in false positives has enhanced our risk analysis, security posture, and the speed of our alert investigations, resulting in daily time savings of four hours.
Splunk Enterprise Security has saved us two hours per day of investigation time.
The ability to manage large amounts of generated data and to protect all devices from unauthorized use are the most valuable features.
The threat detection library needs to increase the frequency at which the playbooks are updated.
I have been using Splunk Enterprise Security for two years.
Splunk Enterprise Security is stable.
Splunk Enterprise Security is scalable.
The technical support is good.
Positive
The initial deployment was straightforward. We wanted to cover all of our endpoints. Two people were required for the deployment.
The implementation was completed in-house.
I would rate Splunk Enterprise Security an eight out of ten.
Splunk Enterprise Security is a leader in the market and provides great visibility into an organization's security posture.
We have 100 people that are using Splunk Enterprise Security.
The continuous visibility and SOC requirements of the resilience Splunk offers are a benefit to any SIEM. Resilience is important for organizations that run a hybrid environment.
We use Splunk to monitor our private cloud, data center, and other applications.
I don't like Splunk very much and find that it does not have many useful features.
Splunk works based on parsing log files.
I don't like the pipeline-organized programming interface.
I find the graphical options really limited and you don't have enough control over how to display the data that you want to see.
I find that the performance really varies. Sometimes, the platform doesn't respond in time. It takes a really long time to produce any results. For example, if you want to display a graph and put information out, it can become unresponsive. Perhaps you have a website and you want to show the data, there's a template for that, or it has a configuration to display your graphics, and sometimes it just doesn't show any data. This is because the system is unresponsive. There may be too much data that it has to look through. Sometimes, it responds with the fact that there is too much data to parse, and then it just doesn't give you anything. The basic problem is that every time you do a refresh, it tries to redo all of the queries for the full dataset.
Fixing Splunk would require a redesign. The basic way they present the graphs is pipeline-based parsing of log files, and it's more of a problem than it is helpful. Sometimes, you have to perform a lot of tricks to get the data in a format that you can parse.
You cannot really use global variables and you can't easily define a constant to use later. These things make it not as easy to use.
I have been using Splunk for approximately one year.
I use Splunk at least a couple of times a week.
I'm not sure about scalability but to my thinking, it's not very scalable. I know that it's probably expensive because it relies a lot on importing log files from all of the systems. One of the issues with respect to scalability is that there's never enough storage. Also, the more storage you have, the more systems you need to manage all the log files.
Splunk is open for all of the users in the company. We might have 1,000 IT personnel that could access it, although I'm not sure how many people actually use it. I estimate that there are perhaps 200 active users.
I have not been in contact with technical support from Splunk.
In this company, we did not previously use a different monitoring solution.
I was not involved in the initial setup.
We have a DevOps team that is implementing Splunk and they are responsible for it. For example, they take care of the licensing of the product.
We have a team at the company that completed the setup and deployment.
The other product that I've seen is Elastic, and I think that it would be a better choice than Splunk. This is something that I'm basing on performance, as well as the other features.
My understanding is that as a company, we are migrating to Azure. When this happens, Splunk will be decommissioned.
Overall, I don't think that this is a very good product and I don't recommend it.
I would rate this solution a five out of ten.
We use Splunk Enterprise Security to track threats and errors and receive alerts and notifications.
We implemented Splunk Enterprise Security to improve our troubleshooting, mean time to detect and resolve issues, and our alerting system.
Monitoring multiple cloud environments with Splunk Enterprise Security is not difficult as long as we have data ingestion in place.
Operationally, having end-to-end visibility into our environment is critical. We need to know what is happening in our environment, and Splunk Enterprise Security can provide this.
Splunk Enterprise Security is good for analyzing malicious activities and detecting breaches.
Splunk Enterprise Security helps us detect threats faster. We are not dependent on a person to review the data. We have alerts, dashboards, and pattern definitions.
Splunk Enterprise Security has helped improve our mean time to detect issues.
Since implementing Splunk Enterprise Security, we have seen reduced incidents and the time it takes to resolve them. We saw these benefits within a month of deployment.
Splunk Enterprise Security helps reduce our alert volume, eliminating the need for manual triage of numerous alerts.
Splunk Enterprise Security has helped improve our mean time to resolve issues. We went from three hours down to 20 minutes.
Splunk Enterprise Security has helped us consolidate many of our tools.
The search engine and indexes are fast and optimized, and the report generation dashboard is user-friendly.
I want Splunk Enterprise Security to release more AI and machine learning features in the future.
We use Dynatrace for our monitoring and Splunk for log management. I want to centralize everything within Splunk.
I have been using Splunk Enterprise Security for almost four years.
Splunk Enterprise Security is a stable platform available for many years.
We have a good relationship with the technical support team; they are responsive.
Positive
We previously used Elastic, but Splunk Enterprise Security is a superior product. It offers extensive usability and a vast customer base. The active customer forums are incredibly helpful, allowing me to quickly find the information I need.
The initial deployment was complex due to the presence of both vendor-based and in-house applications. The implementation relied almost exclusively on a Jenkins CI/CD pipeline.
We realized a total return on our investment in Splunk Enterprise Security within the first two years of implementation.
The price of Splunk Enterprise Security is reasonable, falling somewhere in the middle range.
I would rate Splunk Enterprise Security eight out of ten.
Splunk Enterprise Security is easy to maintain and doesn't require much time due to its full automation.
Splunk is a good solution if you haven't automated your log management, as manual log reviews are no longer efficient or practical.
Our primary use case is for detected malware.
The end-to-end visibility into our environment that Splunk provides is impressive. We just need to use it better.
We are a small team. For us to look at all those logs ourselves would be difficult. There is some decent insight into what's going on. It's just a matter of actually utilizing that data and taking action on it.
We would probably see more time savings if we used Splunk more.
We're an on-prem network. During the installation, we found several issues that we should look into. We just need to utilize it more.
Splunk has shown us some gaps where we need to ingest and normalize data, and we have built those gaps.
Splunk Enterprise Security provides us with context to help guide our investigation. It's a starting point to actually look at the logs and figure out what we need to look into. It's useful.
It helped to consolidate networking security and IT observability tools. We use Splunk in general a lot for operations, and then we've been able to build dashboards.
I have been using Splunk Enterprise Security for two years.
The stability is pretty good. It's fairly stable. I haven't had any issues with it so far.
Splunk support is difficult for us. There are gaps in the network. I work for a government entity so getting a classified rep to come out is difficult.
I would rate their support a five out of ten due to their availability and talent.
Neutral
It took us a while to groom all of our data correctly so that it worked well with ES. That took two weeks. As far as the finish, there's definitely room for improvement.
I would like more assistance with use cases and help with teaching us how to use it once it's installed.
We deployed through professional services.
We're a young team so we're still evaluating processes. We already had Splunk Core. It was already installed when I started working here. I was part of the installation team when they deployed Splunk Enterprise Security.
I would rate Splunk Enterprise Security a five out of ten because I'm still figuring it out.
We use the solution for detection, basic building searches, and creating many dashboards for investigation purposes. We have also been using it recently to create some RBA detection rules.
The solution's newly developed dashboard is pretty amazing. The full platform is quite useful, and there are a lot of tools that we can use to leverage and modify for our own purposes. Clients don't necessarily know about it, but the tool is powerful because it saves so much time.
The solution has so many features that it's easy to get lost. Many of my clients want to get better at Splunk, but they're afraid of using the tool because they feel it's too complex for them. They also need to go through a certification to use the tool.
I have been using Splunk Enterprise Security for five to six years.
The solution's stability is a lot better on the cloud than on-premises.
The solution’s technical support is good. Sometimes, the technical support team's response time depends on the severity of the alerts. Sometimes, we don't get the right person on the call.
Positive
I use solutions like ArcSight, Exabeam, and Sentinel for different clients.
The solution’s initial setup is easy and not that difficult.
Our clients have seen a return on investment with the solution.
Splunk Enterprise Security is an expensive solution.
It is extremely important to our organization that the solution provides end-to-end visibility into our environment. Usually, a lot of companies don't have full visibility on their endpoints or servers.
Splunk Enterprise Security is a really good tool for helping us find any security event across multi-cloud, on-premises, or hybrid environments, like finding a needle in the haystack.
The solution has improved our organization’s ability to ingest and normalize data. Splunk Enterprise Security has also helped us identify and solve problems in real-time.
When processed correctly, the solution provides us with the relevant context to help guide our investigations.
If everything works correctly, Splunk Enterprise Security helps speed up our security investigations by 50%.
The solution has helped reduce our mean time to resolve by 20%.
When something breaks with the solution, troubleshooting and figuring out the problem is hard. The solution runs better on the cloud, with fewer problems and errors, than on-premises. We may not have the right hardware on-premises.
Splunk Enterprise Security is a great app that has been really innovative in the past. I would recommend the solution to other users. There's a cost to it, like anything that is of quality. However, if you want the best, Splunk is at the top right now. The solution is deployed on AWS and Microsoft Azure clouds.
Overall, I rate Splunk Enterprise Security a nine out of ten.