Cyber Security Manager at a tech vendor with 10,001+ employees
Provides strong threat visibility and MITRE coverage but lacks AI features and cost flexibility
Pros and Cons
- "Splunk Enterprise Security would provide better capabilities and out-of-box detections."
- "We haven't saved any money with Splunk Enterprise Security. Instead, we have spent in excess of the budget on this with unexpected costs."
What is our primary use case?
We use Splunk Enterprise Security for our security monitoring and incident management. This is our global application that we are using for security monitoring and compliance.
How has it helped my organization?
We've seen some good improvements from a business perspective, particularly regarding security monitoring. However, when I consider our current challenges and future roadmap, I don't believe Splunk Enterprise Security has the capabilities we need. We previously faced challenges with QRadar, which prompted us to migrate to Splunk Enterprise Security. While Splunk Enterprise Security has addressed the past issues we encountered, it fails to meet our future requirements. Currently, it effectively addresses existing threats, but it doesn’t tackle advanced threats, which is a significant challenge we foresee with Splunk. There is still a lot of room for improvement.
What is most valuable?
With the Classic flavor we have in our company, the feature that I find good in Splunk Enterprise Security is from the MITRE coverage point of view, and then the level of information that it provides. The integration with its own SOAR platform is also one of the pros.
What needs improvement?
From the product point of view and deployment point of view, Splunk Enterprise Security is satisfactory. It is not simple; it is at a medium level when it comes to deployment and management of the tool altogether. This includes not only the enterprise platform but also other components such as deployment servers or the Splunk agents we use for collecting logs. When comparing it with different vendors in the industry, from the deployment and maintenance point of view, it is not up to the level of other vendors.
When discussing the drawbacks, it's important to note that the flavor I’m currently using is called "Classic." Unfortunately, this platform does not offer any of the new features that Splunk introduces. As a result, we are the last ones to find out about new capabilities, and we’re also slow to implement them. Splunk tends to release new features with different flavors of their platform, and being on the Classic flavor means we are least likely to receive the latest updates. This is a significant concern I have regarding Splunk.
When comparing Splunk Enterprise Security with next-gen SIEMs, we look for AI and ML models being incorporated in such a way that it automatically should be able to detect behavioral-based detections. It should be able to detect behaviors from logs and show us the entire attack surface and blast radius of any particular incident, which is primarily missing.
The capability of AI, Artificial Intelligence, is missing, which would help to automatically detect and read data comprehensively. Splunk lacks the new native solutions for agent deployment, which is essential for a large enterprise.
Currently, there is Machine Learning in Splunk Enterprise Security, but that is resource exhaustive and complex, bringing an impact onto our overall stack performance. Technical expertise in Machine Learning is required, and continuous monitoring is needed to ensure Machine Learning learns about our data to provide results, which is resource exhaustive, time-consuming, and costly.
Artificial Intelligence is missing in the Splunk Enterprise Security platform, which would help us read the data automatically, learn from it, and provide attack surface area from a 360-degree perspective. The fixed pricing model requires upfront purchase based on assumptions and roadmap, requiring payment for the next two to three years regardless of usage.
For how long have I used the solution?
I have been using Splunk Enterprise Security for around three years.
What do I think about the stability of the solution?
On a stability scale, I would rate it an eight out of ten.
What do I think about the scalability of the solution?
Regarding scalability, I would rate it a seven out of ten. I don't have the pay-as-you-go model.
We have 150 users using this solution.
How are customer service and support?
Whenever we raise any support case in Splunk, even after providing the required information, if a person is working on it and it gets transferred or handed over to a different representative in a different shift, they keep asking the same questions and requesting more details. Even when we ask for a call, even for P1 or P2 incidents, they keep going around asking for details. When we request P1 or P2 support, it would be wise to get into a call, get all the details, and have a troubleshooting call to address the issue on a priority basis. The technical support representatives keep transferring the tickets during shift handover, and different representatives ask the same questions multiple times, wasting our precious time. The issue doesn't get resolved until I escalate it to their higher management.
Which solution did I use previously and why did I switch?
We were using QRadar previously. We had legacy systems, and from the volume and log source point of view, from the costing perspective and detection point of view, we thought Splunk Enterprise Security was far better than QRadar. Splunk Enterprise Security would provide better capabilities and out-of-box detections. These were some of the things that we saw, and Splunk Enterprise Security was also one of the leaders in SIEM technology. However, once we started using Splunk Enterprise Security, we discovered it was not the right tool.
How was the initial setup?
The initial setup was of medium complexity. It took approximately 8 to 12 months to migrate from QRadar to Splunk Enterprise Security.
The cloud platform we are using is maintained by the Splunk team itself. However, when it comes to our on-premises deployment, the maintenance is very high, cumbersome, and costly from both resource and time perspectives.
What was our ROI?
We haven't saved any money with Splunk Enterprise Security. Instead, we have spent in excess of the budget on this with unexpected costs. That's one of the pain points I see with Splunk Enterprise Security. There haven't been any savings.
What's my experience with pricing, setup cost, and licensing?
Splunk Enterprise Security comes with high fixed costs. That's one of the disadvantages. When comparing with different vendors, they offer pay-as-you-use models, which is more user-friendly, but Splunk Enterprise Security comes with fixed pricing.
Which other solutions did I evaluate?
We use different security tools as well.
What other advice do I have?
For any user who wants to have a cost-efficient and next-gen SIEM solution, I wouldn't recommend Splunk Enterprise Security. However, if a user is not concerned about cost and is looking for an on-premises solution, then I would suggest Splunk Enterprise Security. For anyone who wants to go for a cloud and cost-effective solution with next-gen capability, I wouldn't recommend this.
I would rate it a seven out of ten.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Sep 30, 2025
Assistant VP, Data Loss Prevention at State Street
Creating custom detections has accelerated threat response and improved team independence
What is our primary use case?
My main use case for Splunk Enterprise Security is web uploads.
What is most valuable?
The ability to create SPLs in Splunk Enterprise Security is my favorite feature. These features benefit my organization primarily through threat detection, which is what I use it for, so that's a huge benefit. Splunk Enterprise Security has absolutely helped improve my organization's business resilience.
What needs improvement?
Splunk Enterprise Security could be improved by incorporating AI features, as it doesn't have the AI capability that Pyramid does, where users can ask questions without having to write code.
For how long have I used the solution?
It has been more than three years.
What do I think about the stability of the solution?
I haven't experienced any downtime or performance issues with Splunk Enterprise Security. Zscaler may experience issues because Splunk grabs data from them, but other than that, I haven't had anything crash.
What do I think about the scalability of the solution?
Splunk Enterprise Security adapts to our growing needs on a yearly basis, as we're constantly growing our program and it has helped in that way. We have expanded usage from just engineering, as now our whole DLP team uses it, allowing us to not rely on other people for it. It was a smooth process when we were expanding usage.
What other advice do I have?
The most significant challenges I've faced when using Splunk include getting the code right. I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security to be good, as changes are easy to make. On average, my security ops team takes about three days to remediate security incidents with Splunk Enterprise Security, depending on what the incident is.
My advice to other organizations considering Splunk Enterprise Security is that it depends on their needs and costs, but I think it can cover everything from a small business to a large business, so I would definitely recommend it.
On a scale of 1-10, I rate Splunk Enterprise Security an 8.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cyber Security Engineer at a government with 1,001-5,000 employees
Case management improves incident response but the user interface remains a daily challenge
Pros and Cons
- "I evaluate customer service and technical support as great."
- "Splunk Enterprise Security is probably one of the first products that actually could handle all the ingest and do all the correlation without crumbling under its own weight."
- "To improve Splunk Enterprise Security, I would suggest allowing third-party SOAR solutions to work with it."
- "The user interface feels clunky to navigate and interact with in Splunk Enterprise Security compared to other case management solutions where it feels easier to use at a high level."
What is our primary use case?
My main use case for Splunk Enterprise Security is incident response.
What is most valuable?
The feature I appreciate the most in Splunk Enterprise Security is the case management, although I have more critiques for the case management than favorite features. Having case management in Splunk Enterprise Security is something I appreciate since we needed a way to centrally manage all of our incidents.
Having case management in Splunk Enterprise Security has really benefited our organization.
What needs improvement?
To improve Splunk Enterprise Security, I would suggest allowing third-party SOAR solutions to work with it. The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection include the user interface, which isn't terribly intuitive, and it has been a process to get people to adopt it and use it as much as they should.
The user interface feels clunky to navigate and interact with in Splunk Enterprise Security compared to other case management solutions where it feels easier to use at a high level. In Splunk Enterprise Security, the way you click through everything, attach stuff, and interact with other analysts feels cumbersome, with a lot of digging required to get into things; not everything is just one click away—things are usually three clicks away.
The process of extending the usage of Splunk Enterprise Security is still bumpy; the user experience is really the challenge there, as many of our analysts complain about its difficulty for day-to-day use.
For how long have I used the solution?
I have been using Splunk Enterprise Security for about three years.
What do I think about the stability of the solution?
I have not experienced any downtime, crashes, or performance issues with Splunk Enterprise Security. Although we occasionally receive emails from Splunk about performance issues, they are typically resolved quickly, and the system appears to be running smoothly.
What do I think about the scalability of the solution?
Splunk Enterprise Security scales effectively with the growing needs of my organization and there are no issues.
How are customer service and support?
I evaluate customer service and technical support as great; our support team is fantastic, and we have regular cadence with our support teams and our representatives.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Before adopting Splunk Enterprise Security, we were using several different SIM products to address similar needs, but I disliked them all; none of them really worked and they all crumbled under the ingest load.
One product required us to completely sever logs since it couldn't compute; it was pretty bad. Splunk Enterprise Security is probably one of the first products that actually could handle all the ingest and do all the correlation without crumbling under its own weight.
How was the initial setup?
I would describe my experience with deploying Splunk Enterprise Security as easy, mainly because we use the cloud version; since it's Splunk Cloud, we didn't have to do much to deploy it, and we don't do a deployment in the cloud—it's managed.
What about the implementation team?
I have a team that customizes, develops, tests, deploys, and refines detections in Splunk Enterprise Security; I don't do that personally, so I cannot talk extensively to that process, however, we go through a process to do that and I haven't heard many complaints about it.
What was our ROI?
I have seen a return on investment with Splunk Enterprise Security. Incident response, along with triaging and increased efficiency, has been a notable example of return on investment.
What's my experience with pricing, setup cost, and licensing?
It would always be great if Splunk Enterprise Security was cheaper; we definitely hit limits frequently with our ingest. I'm planning to explore the SVC model soon to see what that looks like. We're able to get what we need with what we have and can afford, so I'm satisfied.
Which other solutions did I evaluate?
We do not purchase this product on AWS Marketplace; instead, we get it directly from Splunk, or we go through a VAR.
What other advice do I have?
My advice to other organizations considering Splunk Enterprise Security is to make sure you understand all the functionality of it, not just what they show you, but also the integration points; understand the automation side of it and get a good holistic understanding before making a decision.
On a scale of one to ten, I rate this solution a seven out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Principal Threat Detection Engineer at a transportation company with 10,001+ employees
Video Review
Has accelerated detection workflows and enabled timely alert triage across multiple data anchors
Pros and Cons
- "I would assess the stability and reliability of Splunk Enterprise Security as very reliable and very stable."
- "Splunk Enterprise Security can be improved by addressing the content management interface, which is very outdated, slow, and clunky; sometimes we think things are saved and they haven't."
What is our primary use case?
As a threat detection engineer, my main use case for Splunk Enterprise Security is to create content to find anomalous activity in our environment. Splunk Enterprise Security, via the content management interface, allows us to create correlation searches, take advantage of summary indexes where we can correlate multiple findings per host, per user, whatever anchor point you want to use, and get those alerts to our analysts in a timely manner, where they can be triaged based on alert severity and criticality.
What is most valuable?
The notable feature of Splunk Enterprise Security, which in version 8 is going to be called "findings," is the ability to send notables, and all the actions that can be chained with the notable when you actually have a hit or a finding.
The ability to quickly automate detections based on alerts or intelligence that we operationalize in the environment benefits my company, as we get that alert sent to the appropriate parties and put in front of the analysts quickly, allowing for triage and the ability to group the alerts together instead of just always looking at a single finding.
What needs improvement?
Splunk Enterprise Security can be improved by addressing the content management interface, which is very outdated, slow, and clunky; sometimes we think things are saved and they haven't. Being able to edit saved content and saved searches in batch, such as when you have a log source and a field changes, is a pain point right now since you have to go in and basically update all of them unless you do some kind of Eval on the ingestion side; that's probably the biggest pain point with it right now.
What do I think about the stability of the solution?
I would assess the stability and reliability of Splunk Enterprise Security as very reliable and very stable.
What do I think about the scalability of the solution?
Splunk Enterprise Security scales very well with the growing needs of our company, although there are definitely some things that are behind the times, such as some of the limitations out of the box on KV Stores, lookups, and some of the commands, the MV line of commands and some of the limitations there. Hopefully, with the advent of all the cool AI and ML capabilities coming down in the 8 series, many of those limitations will be eliminated.
How are customer service and support?
Regarding customer service and technical support, I don't generally submit support tickets, however, I have on a few occasions. It's usually our Splunk engineering team.
We have bimonthly meetings with our account representatives, and we have some sort of on-call technical staff that are assigned to our company and our contract, and they've all been excellent; wonderful people to work with.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Prior to adopting Splunk Enterprise Security, I used another solution that does similar things, and over the course of my career, I've used a couple of different solutions, peer solutions with Splunk, but Splunk Enterprise Security is the best.
It really comes down to the versatility and how powerful it is; I have never worked with another platform where I can do as much for as many teams, not even just security, which is my primary focus, and the value that you can get out of it, I've never seen a platform that versatile.
What was our ROI?
From my point of view, the biggest return on investment when using Splunk Enterprise Security is keeping our company safe.
What other advice do I have?
The advice I would give to other companies that are considering Splunk Enterprise Security is that if you've never used Splunk, it can be a little daunting at first, learning a new language, Splunk SPL. That said, it's worth it.
The cycle time that's going to be taken in training and upskilling, once your staff is familiar with that, and you don't even have to do a lot of training, just a couple of the basic classes from Splunk University to get proficient, it's going to open a lot of doors.
On a scale of one to ten, I rate Splunk Enterprise Security a nine out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
SAP Roles and Authorization Consultant at a tech vendor with 10,001+ employees
Supports faster incident response and improved threat detection through flexible customization options
Pros and Cons
- "The features of Splunk Enterprise Security that I appreciate the most are its flexibility and scalability."
- "The features of Splunk Enterprise Security that I appreciate the most are its flexibility and scalability, as it integrates disparate security solutions, offers many out-of-the-box apps through Splunkbase, enables straightforward customization, and supports efficient detection and alerting processes that improve overall business resilience."
- "Splunk Enterprise Security can be improved by having more focus on the data health monitoring aspect, which will definitely be helpful."
What is our primary use case?
My main use cases for Splunk Enterprise Security are mostly for SOC, detection engineering, and incident response.
How has it helped my organization?
Splunk features benefit my organization as we can use it for any custom needs. That's the biggest benefit of getting it. It doesn't matter what team has what kind of requirements. There's a possibility through Splunk's back-end that we can customize it and make it work.
What is most valuable?
The features of Splunk Enterprise Security that I appreciate the most are its flexibility and scalability.
I use disparate security solutions that integrate or import data into Splunk Enterprise Security. This integration supports my security operations, as one of the biggest advantages is that Splunk Enterprise Security comes with many apps and applications out of the box through Splunkbase, and there's essentially a connector available for any log source imaginable.
I find the process of customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security pretty straightforward overall. There's a lot of out-of-box content that can be leveraged and many features available to ensure all configurations are working as expected.
My organization uses risk-based alerting in Splunk Enterprise Security. It supports our SOC by significantly reducing the alert count and allowing analysts to focus on what matters most.
My SecOp team's remediation time for security incidents with Splunk Enterprise Security is definitely faster than other solutions.
I am utilizing new threat detection features in Splunk Enterprise Security, specifically the Assets and Identity Framework and risk-based alerting. These features have improved efficiency and helped reduce false positive counts.
Splunk Enterprise Security has helped improve my organization's business resilience. The flexible pricing models allow us to pick and choose, and I can easily see how different business units are consuming Splunk Enterprise Security, thereby distributing the cost within the organization.
I have recently expanded my usage, and the process was smooth.
What needs improvement?
Splunk Enterprise Security can be improved by having more focus on the data health monitoring aspect, which will definitely be helpful. A good out-of-box application that can help monitor if the data feeds are feeding in properly or if there is any drop will really help make life easier.
For how long have I used the solution?
I have been using Splunk Enterprise Security for six years now.
What do I think about the stability of the solution?
I would assess the stability and reliability of Splunk Enterprise Security in terms of downtime, crashes, and performance issues, as there are no issues with the availability of the platform since it's cloud-based.
What do I think about the scalability of the solution?
Splunk Enterprise Security scales with the growing needs of my organization as it's highly scalable. As the organization grows, Splunk Enterprise Security can also grow.
How are customer service and support?
I would evaluate customer service and technical support as good.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I was mostly using Splunk Enterprise Security.
How was the initial setup?
I would describe my experience with deploying Splunk Enterprise Security as time-consuming. It definitely needs some planning and time to ensure that everything is set up and configured properly.
What was our ROI?
I have seen return on investment with Splunk Enterprise Security.
What's my experience with pricing, setup cost, and licensing?
I'm not on the licensing side.
What other advice do I have?
The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection are that it takes some time to get the hang of the platform, and it has a slight learning curve associated with it. Other than that, I have no complaints.
The advice I would give to other organizations considering Splunk Enterprise Security is to try it out and see if it fits their requirements. It's highly flexible, highly customizable, and can scale according to needs.
On our rating scale, I give Splunk Enterprise Security an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
SOC Analyst at Softcell Technologies Limited
AI-driven threat detection has transformed investigations and reduces false positives for analysts
Pros and Cons
- "The AI-driven detections have improved the accuracy of my investigations significantly, reduced my mean time to detection by about 30 percent and my mean time to resolution by about 40 percent, and contributed to faster, more efficient threat detection compared to other SIEM tools I have used."
- "I rate the technical support of Splunk Enterprise Security as a three. I find it not good because whenever I raise a ticket, they take a very long time."
What is our primary use case?
Splunk Enterprise Security is mainly used for detection and monitoring: log analysis, threat detection, and incident investigation. It is primarily used for failed login detection where multiple failed login attempts occur from the same source IP. Brute force attacks are another common use case. Splunk Enterprise Security use cases can be extended through visualization on data dashboards, setting up incident triage, and Windows event log analysis in SOC environments. I use it from a SIEM perspective in my organization.
What is most valuable?
The best features of Splunk Enterprise Security are that it is the leading platform in cybersecurity right now in SOC environments. Business resilience is very useful for real-time monitoring and investigation, which improves our business resilience.
The AI-driven detections have improved the accuracy of my investigations significantly. I have worked with two other SIEM tools: Wazuh and Azure Microsoft Sentinel. Compared to both, Splunk AI is very good. When we mark an alert as a false alert, Splunk Enterprise Security automatically detects it as a false positive. Whenever another similar alert comes through, it automatically takes action, so we will not get that alert on our dashboard again. It automatically handles false positive alerts, preventing clutter on our dashboard.
It has reduced my mean time to detection (MTTD) by about 30 percent and my mean time to resolution (MTTR) by about 40 percent. Our SLA has reduced from fifteen minutes to ten minutes, which is very helpful because we are raising alerts within ten minutes.
Risk-based alerting provides significant value. When we raise an alert, we provide the incident classification as either true positive or false positive in Splunk and also in the ticketing tool. If an alert is a false positive, Splunk's AI takes care of this and tells us whether we want this alert to show to the SOC team or not. The decision depends on AI analysis.
The assessment of the threat topology and the MITRE ATT&CK framework in Splunk shows that Splunk already maps MITRE ATT&CK with incidents. Whenever an alert comes, the AI configures it to that framework. For investigation purposes, I check the process tree to see how the alert originates and where the malware is going to end. This is very good for threat investigation.
Splunk Enterprise Security has become at least forty to fifty percent faster at detecting threats compared to Azure Sentinel. It is very fast for detecting alerts.
It has contributed to the reduction of analyst burnout and fatigue because it reduces our alerts. If we raise an alert on Splunk, it takes care of them through AI. False positive alerts will not show up, preventing mess for our team. Our threat hunting team and forensic team handle the true positive alerts, while false positives are automatically taken care of by AI.
When comparing Splunk with other vendors, I find that Splunk use cases have more power to detect alerts. Azure Microsoft Sentinel has inbuilt over two hundred use cases analytics for their team only, and we cannot create more customized use cases. In Splunk, we can create additional customized use cases, plus there is AI for detection. If we miss some use cases for any logs or events, AI takes care of it and creates its own use case, showing alerts for us. The dashboard is also very user-friendly compared to both.
What needs improvement?
Areas that have room for improvement in Splunk Enterprise Security include user access. When we give access to a new user, it becomes difficult for them to log in and understand the interface. It would be beneficial if there is a demo for L1 users. I also see improvement needed in integration. Currently, we have to manually integrate devices, but I would like AI to take care of it, similar to how SentinelOne operates. This would make the process smoother.
For how long have I used the solution?
My experience using the solution has been two years.
What do I think about the stability of the solution?
Stability-wise, Splunk Enterprise Security is very good. I have not experienced any significant performance issue or downtime.
What do I think about the scalability of the solution?
I rate the scalability of Splunk Enterprise Security as an eight. It depends on how stable and scalable you manage Splunk Enterprise Security for your organization.
How are customer service and support?
I rate the technical support of Splunk Enterprise Security as a three. I find it not good because whenever I raise a ticket, they take a very long time. Even if I call the toll-free number, tickets are pending.
Which solution did I use previously and why did I switch?
I have worked with two other SIEM tools: Wazuh and Azure Microsoft Sentinel. The AI-driven detections have improved the accuracy of my investigations significantly compared to these solutions.
How was the initial setup?
It is very easy to deploy Splunk Enterprise Security compared to both other SIEM tools. Splunk connector is very easy to set up.
The time it takes to install depends on whether we are installing on a Windows or Linux machine and on the size of the organization. For a moderate-sized company, it usually takes around five days to install the connectors on all endpoints.
What about the implementation team?
When it comes to upgrading Splunk Enterprise Security to version 8.0, I have a team that handles the upgrade, and upgrading the version is basically easy.
What was our ROI?
Combining SIEM, SOAR, and UEBA into a single interface has improved my operational efficiency significantly. Before we integrated SOAR, it usually took us fifteen minutes to raise SLA alerts. For analysis, L1 would take ten to twelve minutes to decide whether to raise an alert. With SOAR, we have predefined playbooks, so if an inbound connection comes from a malicious IP, it is automatically blocked on the firewall. We now handle most alerts through SOAR, which allows us to focus on the more significant incidents such as malicious attacks, effectively reducing our response time.
What's my experience with pricing, setup cost, and licensing?
Regarding the pricing of Splunk Enterprise Security, I would say it is very expensive for our organization compared to the other two. Wazuh is open source, and for SentinelOne we are a partner with Microsoft, but Splunk has a high setup cost, which is based on the EPS count and storage.
What other advice do I have?
Overall rating: 9 out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer (MSSP).
Last updated: May 24, 2026
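The reviewer above describes a SOAR playbook that blocks an inbound connection on the firewall when the source is a malicious IP. The following is an added example, not code from the review or from Splunk SOAR, showing the decision logic such a playbook needs before it touches a firewall: match the source against a threat-intel list, refuse to auto-block allowlisted or internal ranges (escalating those to an analyst instead), and skip indicators that are already blocked. The indicator set, the allowlisted ranges, the alert records and the FirewallStub class are all constructed for this example.

```python
import ipaddress

# Constructed threat-intel indicator set. In a SOAR deployment this would come
# from a threat-intelligence lookup; it is hard-coded so the example runs offline.
MALICIOUS_IPS = {"203.0.113.45", "198.51.100.7", "203.0.113.10"}

# Ranges the playbook must never block automatically: RFC 1918 internal space
# plus an assumed partner range (203.0.113.0/28) exempted by change control.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/28")]


class FirewallStub:
    """Stand-in for a firewall block action; records what it was asked to block."""

    def __init__(self):
        self.blocked = set()

    def block_ip(self, ip):
        self.blocked.add(ip)
        return True


def triage_inbound_alert(alert, firewall):
    """Decide what the playbook does with one alert: block, skip, or escalate.

    Returns a decision record so the SOAR run log explains every outcome."""
    ip_str = alert.get("src_ip", "")
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return {"src_ip": ip_str, "action": "escalate", "reason": "unparseable src_ip"}
    if alert.get("direction") != "inbound":
        return {"src_ip": ip_str, "action": "skip",
                "reason": "playbook is scoped to inbound connections"}
    if ip_str not in MALICIOUS_IPS:
        return {"src_ip": ip_str, "action": "skip",
                "reason": "no threat-intel match; leave for L1 review"}
    if any(ip in net for net in NEVER_BLOCK):
        # A hit inside an allowlisted or internal range is never auto-blocked:
        # it is either a false positive or a compromised trusted host, and
        # either way a human has to decide.
        return {"src_ip": ip_str, "action": "escalate",
                "reason": "indicator inside a never-block range"}
    if ip_str in firewall.blocked:
        return {"src_ip": ip_str, "action": "skip", "reason": "already blocked"}
    firewall.block_ip(ip_str)
    return {"src_ip": ip_str, "action": "block",
            "reason": "threat-intel match on inbound connection"}


# Constructed alerts, in arrival order, covering the interesting paths.
ALERTS = [
    {"src_ip": "203.0.113.45", "direction": "inbound", "dest_port": 443},
    {"src_ip": "203.0.113.45", "direction": "inbound", "dest_port": 22},    # repeat
    {"src_ip": "203.0.113.10", "direction": "inbound", "dest_port": 443},   # on TI, allowlisted
    {"src_ip": "192.0.2.9", "direction": "inbound", "dest_port": 80},       # not on TI
    {"src_ip": "198.51.100.7", "direction": "outbound", "dest_port": 53},   # wrong direction
]


def run_playbook(alerts, firewall=None):
    """Run the playbook over a batch of alerts; return decisions and blocked IPs."""
    fw = firewall or FirewallStub()
    decisions = [triage_inbound_alert(a, fw) for a in alerts]
    return decisions, sorted(fw.blocked)


if __name__ == "__main__":
    for d in run_playbook(ALERTS)[0]:
        print(f"{d['src_ip']:>14}  {d['action']:<8}  {d['reason']}")
```

The ordering of the checks is the point: direction and threat-intel match are evaluated before the never-block test, so an allowlisted hit is escalated rather than silently skipped, and the duplicate check prevents the playbook from re-issuing a block for every new connection from the same source.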
Information Security Analyst at a hospitality company with 5,001-10,000 employees
Video Review
Enables our team to automate threat detection and prioritize incidents through risk-based alerting
Pros and Cons
- "I appreciate the Identity and Assets framework the most, as well as the threat analysis framework."
- "To improve Splunk Enterprise Security, I suggest incorporating more AI features for faster remediation and enhanced responses, allowing users to build more correlation searches quickly."
What is our primary use case?
My main use cases for Splunk Enterprise Security include finding excessive login failures, compromised accounts, compromised emails using phishing tactics with Proofpoint, network anomalies, User Behavior Analysis, and detecting rogue assets.
What is most valuable?
I appreciate the Identity and Assets framework the most, as well as the threat analysis framework. Those are my two favorites in Splunk Enterprise Security, along with correlation searches and the entire incident response workflow.
The Risk-Based Alerting in Splunk Enterprise Security is a great addition to our team, as it correlates data from different sources and adds scores to users or systems, allowing us to make decisions based on risk scores assigned to assets or identities.
Splunk Enterprise Security dashboards communicate our security posture and risk score to executives, including major contributing risk factors, key performance indicators (KPIs), and key risk indicators, which help us make informed decisions about future focus areas.
Splunk Enterprise Security helps our team save time by performing correlation searches automatically, eliminating the need for manual searches. We also utilize SOAR for taking automated remediation responses.
What needs improvement?
To improve Splunk Enterprise Security, I suggest incorporating more AI features for faster remediation and enhanced responses, allowing users to build more correlation searches quickly. Regarding improvements in Enterprise Security, I believe the incorporation of AI would enable Splunk users to spend less time on building correlation searches while still gaining productive ideas.
For how long have I used the solution?
I have over eight-plus years of experience working in the IT sector, with six-plus years of experience collectively working on security and Splunk-related tasks.
What do I think about the stability of the solution?
I would assess the stability and reliability of Splunk Enterprise Security at 90%.
What do I think about the scalability of the solution?
The scalability of Splunk Enterprise Security is impressive, as you can scale it to any size and make various types of data readable, although event types and tagging are necessary for optimal performance.
How are customer service and support?
Customer service and technical support for Splunk Enterprise Security are great; they respond quickly and handle our cases efficiently whenever we require assistance.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I used Splunk Enterprise Security at my previous company and have not used any different products since then, although I have some knowledge of platforms such as Elastic Search and QRadar.
How was the initial setup?
The challenges with deployment are the fine-tuning and some of the correlations, such as where the data is not normalized. That is why the CIM module has been great so far.
What was our ROI?
The biggest return on investment with Splunk Enterprise Security lies in the time and effort it saves due to its built-in features, datasets, and pre-built dashboards, providing us with visibility across different data sources.
What other advice do I have?
My advice for other companies considering Splunk Enterprise Security is that if they're looking to enhance their security visibility or establish a security operation center, this tool is an excellent starting point, and they can scale and automate processes using SOAR effectively.
On a scale of one to ten, I rate this solution an eight.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
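The risk-based alerting this reviewer describes, where risk from several detections accumulates against a user or system and a notable fires on the aggregate rather than on each rule individually, as an added example in Python. This is not code from the review or from Splunk Enterprise Security; the sample risk events, the 24-hour window and the thresholds (a cumulative score of 100 or three distinct MITRE tactics) are assumptions chosen for the example, and the field names only mimic the shape of ES risk events.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed risk events: one row per risk rule firing, attributed to a user
# or system. Scores, messages and tactics are made up for this example.
RISK_EVENTS = [
    {"_time": "2024-05-01T09:00:00", "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 20, "risk_message": "Excessive login failures",
     "mitre_tactic": "credential-access"},
    {"_time": "2024-05-01T09:05:00", "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 30, "risk_message": "Phishing email reported via Proofpoint",
     "mitre_tactic": "initial-access"},
    {"_time": "2024-05-01T09:20:00", "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 60, "risk_message": "Rogue asset registered by user",
     "mitre_tactic": "persistence"},
    {"_time": "2024-05-01T10:00:00", "risk_object": "srv-db01", "risk_object_type": "system",
     "risk_score": 40, "risk_message": "Network anomaly: outbound port scan",
     "mitre_tactic": "discovery"},
    {"_time": "2024-05-01T14:00:00", "risk_object": "asmith", "risk_object_type": "user",
     "risk_score": 20, "risk_message": "Excessive login failures",
     "mitre_tactic": "credential-access"},
    # Stale event from a week earlier: falls outside the window and must not count.
    {"_time": "2024-04-25T14:00:00", "risk_object": "asmith", "risk_object_type": "user",
     "risk_score": 90, "risk_message": "Excessive login failures",
     "mitre_tactic": "credential-access"},
]


def aggregate_risk(events, now, window=timedelta(hours=24),
                   score_threshold=100, tactic_threshold=3):
    """Sum risk per (risk_object_type, risk_object) over the trailing window and
    return one notable per entity that crosses either threshold.

    The two thresholds capture two different signals: a single high-scoring
    rule, or many low-scoring rules spread across distinct attack stages."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    start = now - window
    per_entity = defaultdict(lambda: {"score": 0, "tactics": set(), "reasons": []})
    for ev in events:
        ts = datetime.fromisoformat(ev["_time"])
        if ts < start or ts > now:
            continue
        bucket = per_entity[(ev["risk_object_type"], ev["risk_object"])]
        bucket["score"] += ev["risk_score"]
        bucket["tactics"].add(ev["mitre_tactic"])
        bucket["reasons"].append(ev["risk_message"])

    notables = []
    for (obj_type, obj), b in sorted(per_entity.items()):
        if b["score"] >= score_threshold or len(b["tactics"]) >= tactic_threshold:
            notables.append({
                "risk_object_type": obj_type,
                "risk_object": obj,
                "risk_score": b["score"],
                "tactics": sorted(b["tactics"]),
                "reasons": b["reasons"],
            })
    return notables


if __name__ == "__main__":
    for n in aggregate_risk(RISK_EVENTS, "2024-05-01T15:00:00"):
        print(f"{n['risk_object_type']}:{n['risk_object']} score={n['risk_score']} "
              f"tactics={n['tactics']}")
        for r in n["reasons"]:
            print("   -", r)
```

With the constructed data only jdoe produces a notable: three individually low-priority detections add up to 110 and span three tactics. The database server and asmith each stay below both thresholds, which is the noise reduction the reviewers attribute to risk-based alerting; each of those rules would have raised its own alert under per-rule correlation searches.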
Security Engineer at a financial services firm with 10,001+ employees
Risk-based alerting has improved threat visibility and reduced false positives for our analysts
Pros and Cons
- "The features of Splunk Enterprise Security that I prefer the most are risk-based alerting, the new Mission Control, and the integrations that are coming into place between Mission Control and Splunk SOAR."
- "Splunk Enterprise Security could be improved by having better role-based access controls."
What is our primary use case?
My main use cases for Splunk Enterprise Security are detections and incident response.
How has it helped my organization?
An example of how these features have benefited my organization is that risk-based alerting has transformed our ability to reduce the number of detections that we have, streamline our observability into risks and threats in our environment, and really focus our analysts on actual real problems, helping to remove the noise and false positives to a large degree. It frees us up to do actual work.
What is most valuable?
The features of Splunk Enterprise Security that I prefer the most are risk-based alerting, the new Mission Control, and the integrations that are coming into place between Mission Control and Splunk SOAR.
What needs improvement?
Splunk Enterprise Security could be improved by having better role-based access controls. We need to be able to better control who can do what, which people can be allowed to take certain actions, run certain playbooks, or view specific items, and separate things between teams.
For how long have I used the solution?
I have been using Splunk Enterprise Security for about 8 years.
How are customer service and support?
I evaluate customer service and technical support as fantastic. Technical support is some of the best that I've worked with.
I work with a lot of different vendors, and Splunk support is very responsive and capable. They have very knowledgeable people who can deep dive into the details and understand the inner workings of the platform without having to engage developers or back-end people all the time; they can just deal with it because they know what they're doing.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have also used Google Chronicle and the Google SecOps platform. The factors that led me to consider a change included the lack of maturity in the other product and the maturity of Splunk. Google SecOps doesn't have anywhere near the capabilities of the Splunk ecosystem.
The search capabilities in Splunk Enterprise Security, and Splunk in general, are far superior to the search capabilities in Google's products. Their automation platform was extraordinarily immature. It doesn't have many of the basic capabilities that you would expect in an enterprise-class platform, and Splunk does have that. The Splunk capabilities were just vastly superior.
How was the initial setup?
I would describe my experience with deploying Splunk Enterprise Security as fairly straightforward. We have detection engineers who know what they're doing, and so learning the detection platform in Splunk Enterprise Security was quick for them to pick up. Even those who were not familiar with Splunk Enterprise Security to begin with were able to pick that up quickly.
What was our ROI?
I have seen a return on investment with Splunk Enterprise Security.
What other advice do I have?
I would rate it an eight out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros
sharing their opinions.
Updated: May 2026