ISSM at a government with 10,001+ employees
Prioritizes critical threats and improves collaboration across teams for faster incident response
Pros and Cons
- "Splunk Enterprise Security helps my SOC team prioritize and investigate high-fidelity alerts more effectively by enabling us to quickly gather information, collaborate, and provide various teams with access to the same information, allowing them to follow the workflow to complete the task."
- "Splunk Enterprise Security can improve in terms of probably being able to talk to additional sources."
What is our primary use case?
My main use cases for Splunk Enterprise Security are insider threat, application security, incident response, and risk forecasting.
What is most valuable?
I appreciate the ability of Splunk Enterprise Security to tap into various network equipment and services on the network to pull it all into one place. That's my favorite feature.
The feature I've mentioned helps us in responding to incidents and disasters and different technical situations by being able to pull data from various sources and analyze it and take action.
Splunk Enterprise Security's Risk-Based Alerting, or RBA, has enabled us to prioritize and focus on the most critical threats and issues, while blocking out some of the noise and various information that can come from all these different sources.
Splunk Enterprise Security helps my SOC team prioritize and investigate high-fidelity alerts more effectively by enabling us to quickly gather information, collaborate, and provide various teams with access to the same information, allowing them to follow the workflow to complete the task.
Splunk Enterprise Security's ability to ingest and normalize data from diverse sources has enhanced our threat detection capabilities by making us aware of what's going on in the world, relating to our use cases and our threat tolerance, as we constantly pull in that information and brief everyone who has a stake.
What needs improvement?
Splunk Enterprise Security can improve in terms of being able to add to additional sources. They're adding many different ones, but as more cloud and data lakes emerge, being able to touch all those different new technologies that emerge together would be beneficial.
What do I think about the stability of the solution?
I assess the stability and reliability of Splunk Enterprise Security as very reliable and stable so far. We haven't had any glitches with testing out the first pilot use of it.
Buyer's Guide
Splunk Enterprise Security
August 2025

Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: August 2025.
867,676 professionals have used our research since 2012.
What was our ROI?
From my point of view, the biggest return on investment when using Splunk Enterprise Security is definitely being able to respond to incidents faster, adapt to future attacks by analyzing that information and doing risk-based management decisions, and also preparing for the future by looking at new technologies that can help us.
What's my experience with pricing, setup cost, and licensing?
I'm not too involved with the pricing, the setup costs, and the licensing of the platform. It is pretty straightforward.
What other advice do I have?
We just started turning on UEBA in our company, but we haven't really started utilizing it yet. There is a roadmap to try to do some of that stuff from the program side, and we just have to get access to it once the enterprise is ready to implement it and hand it over to the program office.
Even though we just started using UEBA, it's very useful, and it helps us set a bar for what normal activity is, and then it sets alerts and gives us awareness for anything that's out of the norm in terms of normal user behavior and the data that's being accessed.
My advice to other companies considering Splunk Enterprise Security is that you should definitely look into it, get your folks a proof of concept and try it out, send folks to training, and let them learn about it, and see how it can help you be better at securing your environment.
I rate Splunk Enterprise Security nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 13, 2025
Dir Security Ops at a government with 10,001+ employees
Has improved incident detection and reduced SOC response times with a unified dashboard
Pros and Cons
- "The feature I appreciate the most about Splunk Enterprise Security is the dashboard."
- "The correlation of events is the most significant challenge I face when using Splunk Enterprise Security for advanced threat detection."
What is our primary use case?
My main use cases for Splunk Enterprise Security are threat alerts.
What is most valuable?
The feature I appreciate the most about Splunk Enterprise Security is the dashboard. It has supported my SOC by making their job easier regarding notifications. It also reduces the time they have to spend using other tools to help them out, cutting down on their workload.
When it comes to incidents, we are able to detect, monitor, and handle incidents that come in. We can take those incidents and correlate them to other tools that we use. It serves as our single pane of focus.
Our security ops team's remediation time with Splunk Enterprise Security is measured in minutes. One notable improvement has been the maturation of our SOC, which now features a single pane of glass for incident viewing.
What needs improvement?
The correlation of events is the most significant challenge I face when using Splunk Enterprise Security for advanced threat detection. I am still looking at version 8 to see how it can be improved or how we can utilize it better.
For how long have I used the solution?
I have been using Splunk Enterprise Security for three years.
What do I think about the stability of the solution?
I assess the stability and reliability of Splunk Enterprise Security as having some issues because we have problems with our SC4S. We are working through it. There are some things that we need to troubleshoot, but we are addressing those.
What do I think about the scalability of the solution?
It is easy to scale Splunk Enterprise Security, and the plan is to expand it; however, we are in the planning stages right now. My experience with scaling has been smooth.
How are customer service and support?
I evaluate customer service and technical support as good, with no issues.
On a scale of one to ten, I would rate customer service and technical support an eight.
How would you rate customer service and support?
Positive
How was the initial setup?
My experience with pricing, setup costs, and licensing is that they are expensive and growing, but that is really above my level. Our C suite handles more of the pricing aspects.
What about the implementation team?
I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security not overly complicated because we use Splunk resources to help us with this. It is not as challenging as we would think it would be.
What was our ROI?
I have seen a return on investment with Splunk Enterprise Security.
Which other solutions did I evaluate?
I use other security solutions that integrate or import data into Splunk Enterprise Security such as CrowdStrike, Proofpoint, and a threat intel platform called ThreatConnect.
What other advice do I have?
My advice to other organizations considering Splunk Enterprise Security is to weigh their options, but I would definitely recommend it.
On a scale of one to ten, I rate Splunk Enterprise Security an eight.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 13, 2025
Principal Threat Detection Engineer at a transportation company with 10,001+ employees
Has accelerated detection workflows and enabled timely alert triage across multiple data anchors
Pros and Cons
- "I would assess the stability and reliability of Splunk Enterprise Security as very reliable and very stable."
- "Splunk Enterprise Security can be improved by addressing the content management interface, which is very outdated, slow, and clunky; sometimes we think things are saved and they haven't."
What is our primary use case?
As a threat detection engineer, my main use case for Splunk Enterprise Security is to create content to find anomalous activity in our environment. Splunk Enterprise Security, via the content management interface, allows us to create correlation searches, take advantage of summary indexes where we can correlate multiple findings per host, per user, whatever anchor point you want to use, and get those alerts to our analysts in a timely manner, where they can be triaged based on alert severity and criticality.
What is most valuable?
The notable feature of Splunk Enterprise Security, which in version 8 is going to be called "findings," is the ability to send notables, and all the actions that can be chained with the notable when you actually have a hit or a finding.
The ability to quickly automate detections based on alerts or intelligence that we operationalize in the environment benefits my company, as we get that alert sent to the appropriate parties and put in front of the analysts quickly, allowing for triage and the ability to group the alerts together instead of just always looking at a single finding.
What needs improvement?
Splunk Enterprise Security can be improved by addressing the content management interface, which is very outdated, slow, and clunky; sometimes we think things are saved and they haven't. Being able to edit saved content and saved searches in batch, such as when you have a log source and a field changes, is a pain point right now since you have to go in and basically update all of them unless you do some kind of Eval on the ingestion side; that's probably the biggest pain point with it right now.
What do I think about the stability of the solution?
I would assess the stability and reliability of Splunk Enterprise Security as very reliable and very stable.
What do I think about the scalability of the solution?
Splunk Enterprise Security scales very well with the growing needs of our company, although there are definitely some things that are behind the times, such as some of the limitations out of the box on KV Stores, lookups, and some of the commands, the MV line of commands and some of the limitations there. Hopefully, with the advent of all the cool AI and ML capabilities coming down in the 8 series, many of those limitations will be eliminated.
How are customer service and support?
Regarding customer service and technical support, I don't generally submit support tickets; however, I have on a few occasions. It's usually our Splunk engineering team.
We have bimonthly meetings with our account representatives, and we have some sort of on-call technical staff that are assigned to our company and our contract, and they've all been excellent; wonderful people to work with.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Prior to adopting Splunk Enterprise Security, I used another solution that does similar things, and over the course of my career, I've used a couple of different solutions, peer solutions with Splunk, but Splunk Enterprise Security is the best.
It really comes down to the versatility and how powerful it is; I have never worked with another platform where I can do as much for as many teams, not even just security, which is my primary focus, and the value that you can get out of it, I've never seen a platform that versatile.
What was our ROI?
From my point of view, the biggest return on investment when using Splunk Enterprise Security is keeping our company safe.
What other advice do I have?
The advice I would give to other companies that are considering Splunk Enterprise Security is that if you've never used Splunk, it can be a little daunting at first, learning a new language, Splunk SPL. That said, it's worth it.
The cycle time that's going to be taken in training and upskilling, once your staff is familiar with that, and you don't even have to do a lot of training, just a couple of the basic classes from Splunk University to get proficient, it's going to open a lot of doors.
On a scale of one to ten, I rate Splunk Enterprise Security a nine.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 13, 2025
Works at a marketing services firm with 1,001-5,000 employees
Extensive customization facilitates threat detection but integration with cloud and Git needs improvement
Pros and Cons
- "The product is generally stable and forgiving."
- "The GUI, now called Mission Control, which serves as issue management or ticket management, falls below what would be considered industry standards."
- "The AWS add-on is particularly problematic, with most inputs requiring manual writing due to lack of out-of-box functionality."
What is our primary use case?
My use cases for Splunk Enterprise Security are extensive in production. I utilize it for all available functions including observability, asset management, vulnerability management, threat detection, network security, identity management, and various other capabilities.
How has it helped my organization?
The solution does require a lot of customization for an organization.
What is most valuable?
It is highly customizable, which is a significant advantage. It requires substantial customization and tailoring to particular organization requirements, meaning that out of the box, most features would need configuration.
What needs improvement?
The risk and notables component, particularly the two-tier system of picking something from risk into the notable, is one of the most problematic features.
The GUI, now called Mission Control, which serves as issue management or ticket management, falls below what would be considered industry standards.
AI assistance for security analysts to analyze notables and risks needs improvement. Although it exists, the demonstration is not yet sufficient for the required level. We need this as soon as possible to help security analysts.
Splunk Enterprise Security is not cloud environment-friendly, especially when dealing with large cloud infrastructures. With significant AWS presence and multiple clouds, collecting asset data is challenging. The AWS add-on is particularly problematic, with most inputs requiring manual writing due to lack of out-of-box functionality.
Regarding the platform and Enterprise Security specifically, the lack of Git-friendly or Git-native integration is problematic. The recently introduced content management system is inadequate, attempting to implement an outdated concept of storing rule versions in an index while teams work with Git natively.
The storage of queries in savedsearches.conf prevents efficient work with query text. It should be structured as separate SPL files that can utilize intellectual add-ons for Visual Studio Code and work natively with GitHub. Content management is limited to applications within the Enterprise Security suite, excluding custom applications not starting with SA or DA.
For how long have I used the solution?
I have been using Splunk Enterprise Security for more than five years.
What do I think about the stability of the solution?
The product is generally stable and forgiving.
What do I think about the scalability of the solution?
When considering Enterprise Security in particular, it demonstrates good scalability.
How are customer service and support?
I contacted their technical support recently. The support provided is decent, though they often reference their knowledge base. For publicly available solutions, this can be redundant as these solutions can be found through internet searches. Support becomes valuable when dealing with issues requiring access to their closed knowledge base for faster responses.
While support provides solutions, implementation can be complex. In a recent case, the provided solution was so complex to implement that I decided not to proceed. The support staff themselves are highly knowledgeable, polite, and responsive, with some being exceptional. The support team deserves a perfect score.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I have experience with similar solutions such as AlienVault and ArcSight, each with its advantages and disadvantages. The recommendation depends on the working environment. For cloud-native and GitHub-native organizations, the Enterprise Security solution should align with those principles.
How was the initial setup?
I was solely responsible for the implementation.
It was one of the most difficult deployments I've ever handled. After we set up a cluster with consultants, we made it usable after a year and a half.
Splunk Enterprise Security requires continuous maintenance, consuming approximately 50% of the time. The numerous data sources and constantly changing formats and source types demand ongoing work on data quality, detection rules, assets, and identities.
People are delegated for platform administration, though they currently need additional time to reach optimal performance levels.
What about the implementation team?
We did work with consultants during the deployment.
What's my experience with pricing, setup cost, and licensing?
The pricing is currently managed by procurement. Even with substantial company discounts, it remains extremely expensive. This creates internal challenges when teams independently choose open-source or less expensive solutions for log dumping. Duplicating application logs becomes costly as teams may already use DataDog, ELK stack, Elasticsearch, or S3.
With data ingestion of two terabytes or more daily, Splunk Enterprise Security costs become significant. Cloud-native solutions, particularly in AWS, make it more practical to use native security detection mechanisms such as Security Hub, GuardDuty, and Inspector, using Splunk Enterprise Security as a data aggregator.
Many users prefer pre-processing data before ingestion using the Databricks platform for large data sources such as cloud trail logs. The on-premises pricing model based on data ingestion affects Splunk Enterprise Security's market position.
What other advice do I have?
This product requires significant investment in learning as it is not easily understood. Organizations purchasing the solution should expect 6-12 months with a dedicated team before meaningful insights can be delivered.
On a scale from one to ten, Splunk Enterprise Security rates as a seven.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Jul 29, 2025
IT manager at Hexion Inc.
Effectively monitors cybersecurity risks and improves IT landscape visibility
Pros and Cons
- "From a visibility perspective, the solution has significantly improved our organization by providing a single platform to visualize our entire IT landscape."
- "The best features I've experienced over the past six years with Splunk Enterprise Security are the ability to create use cases and the flexibility to customize searches and use cases based on our specific requirements."
- "Regarding room for improvement, I expect Splunk to provide information about new features on a regular basis, such as notifications about enhancements that may improve security posture."
What is our primary use case?
We use Splunk Enterprise Security for security monitoring purposes, and we have many security use cases configured to detect cybersecurity-related risks. We have 100+ use cases related to brute force attacks, ransomware, credential access attacks, et cetera.
We use it for the extra security layer since we want to be very proactive and monitor our infrastructure fully end-to-end.
How has it helped my organization?
We now have a single platform where we can visualize our entire landscape. It's improved our security posture. We can see all the logs getting ingested, and if there are any anomalies, we're able to visualize that as well. The alerts help us be very proactive. We used to miss a few things happening in our organization. Now we get alerts on time.
What is most valuable?
The best features I've experienced over the past six years with Splunk Enterprise Security are the ability to create use cases and the flexibility to customize searches and use cases based on our specific requirements.
It's user-friendly. You don't need to be an expert to create a use case. Even a basic understanding will allow you to do the work. There are lots of knowledge articles as well.
From a visibility perspective, the solution has significantly improved our organization by providing a single platform to visualize our entire IT landscape. This has also enhanced our security posture by enabling us to view all logs.
We do connect with a Splunk representative on a monthly basis. They can proactively provide us with solutions.
What needs improvement?
Regarding room for improvement, I expect Splunk to provide information about new features on a regular basis, such as notifications about enhancements that may improve security posture. I want these notifications to come to us quite regularly, as we always want to improve our security posture.
I'm interested in the notifications and alerts aspect, particularly since Splunk Enterprise Security's Mission Control feature was very proactive when it was rolled out.
For how long have I used the solution?
I have been using Splunk Enterprise Security for the last six years.
What do I think about the stability of the solution?
I would rate the stability at eight out of ten; we never had any gap in monitoring. That said, there were instances of backend issues that did not impact our monitoring.
What do I think about the scalability of the solution?
It is a scalable solution for our business, and I would rate it nine out of ten, as we have recently scaled it to monitor operational use cases.
How are customer service and support?
I would rate the technical support as nine out of ten. They are always on top of resolving issues, providing technical account manager details for further assistance.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We had tried IBM QRadar and Azure Sentinel previously.
How was the initial setup?
If I need to set up Splunk from scratch, I don't have to do a lot of planning. It's pretty straightforward.
It took about a month to deploy Splunk Enterprise Security, as we took many days to plan how to set up the architecture.
There is some maintenance required once it is set up.
What about the implementation team?
The IT team exclusively uses Splunk Enterprise Security for assistance. The team is always there to assist.
What's my experience with pricing, setup cost, and licensing?
I don't deal with pricing. I have a fair understanding based on the market research; from what I've witnessed, the pricing is competitive.
What other advice do I have?
I rate Splunk Enterprise Security higher due to its user-friendliness. That is something on top of my list.
Splunk Enterprise Security is on top in terms of how users or administrators can manage it. Everything else looks pretty fine regarding the support we get from Splunk Enterprise Security.
I would rate Splunk Enterprise Security overall as eight out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Aug 4, 2025
Solutions Director at a computer software company with 51-200 employees
Risk-based alerting has improved detection efficiency and supports faster remediation
Pros and Cons
- "On average, my security ops team remediates security incidents fairly quickly with Splunk Enterprise Security, depending on the use case, minutes versus hours, compared to my previous solution, which was ArcSight."
- "Splunk Enterprise Security could be cheaper."
What is our primary use case?
My main use cases for Splunk Enterprise Security are security, general security, and SIEM.
What is most valuable?
The feature I appreciate the most in Splunk Enterprise Security is RBA. These features in Splunk Enterprise Security help my organization contextualize security alerts and put them in a framework that makes sense for our customers.
My organization uses risk-based alerting in Splunk Enterprise Security. Risk-based alerting in Splunk Enterprise Security supports my SOC by giving me a holistic view of what's happening and prioritizing alerts based on various risk factors that are important to me.
The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection are zero-day events. I use disparate security solutions that integrate or import data into Splunk Enterprise Security. This integration supports my security operations by giving me a holistic view of what's happening in my environment. I find the process of customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security easier than other platforms.
On average, my security ops team remediates security incidents fairly quickly with Splunk Enterprise Security, depending on the use case, minutes versus hours, compared to my previous solution, which was ArcSight.
Splunk Enterprise Security has helped improve my organization's business resilience.
My impressions of Splunk Enterprise Security's ability to predict, identify, and solve problems are good. I would say to other organizations considering Splunk Enterprise Security to solve your data challenges first and focus on data quality, and then everything else will work with your infrastructure.
What needs improvement?
Splunk Enterprise Security could be cheaper. More artificial intelligence implementation for features should be included in the next release of Splunk Enterprise Security.
For how long have I used the solution?
I have been using Splunk Enterprise Security for nine years.
What do I think about the stability of the solution?
Splunk Enterprise Security is very reliable. I have not experienced any downtime, crashes, or glitches with Splunk Enterprise Security.
What do I think about the scalability of the solution?
Splunk Enterprise Security scales efficiently with the growing needs of my organization. I have expanded usage, and the process was very smooth.
How are customer service and support?
I would evaluate customer service and technical support as pretty good. There is a good community.
On a scale of one to ten, I would rate customer service an eight.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Prior to adopting Splunk Enterprise Security, I was using ArcSight to address similar needs.
How was the initial setup?
I would describe my experience with deploying Splunk Enterprise Security as easy. I deploy it all the time, so it's easy for me.
What was our ROI?
I have seen a return on investment with Splunk Enterprise Security.
What's my experience with pricing, setup cost, and licensing?
I don't deal with pricing, setup cost, and licensing mainly; however, everyone says it's pricey.
Which other solutions did I evaluate?
I was using ArcSight, and the factor to change was that it could not accept all the data.
What other advice do I have?
On a scale of one to ten, I would rate Splunk Enterprise Security an eight.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Sep 13, 2025
Cyber Security Specialist at a financial services firm with 201-500 employees
Has supported advanced security investigations and improved incident response through enriched data and valuable tools
Pros and Cons
- "The features I find most valuable in Splunk Enterprise Security are Incident Review, Security Essentials, Asset and Identity Management, and Machine Learning Toolkit."
- "Splunk Enterprise Security can be improved with more AI in the commands and more help in the commands, as not all people know how to write code in SPL, and we need more help in this area."
- "My security ops team takes 60 or 70% longer to remediate security incidents with Splunk Enterprise Security compared to our previous solution."
What is our primary use case?
My main use cases for Splunk Enterprise Security include cybersecurity threat, incident response, and security events.
What is most valuable?
The features I find most valuable in Splunk Enterprise Security are Incident Review, Security Essentials, Asset and Identity Management, and Machine Learning Toolkit.
We are enriching data from Asset and Identity Management, and we have more data for our incident response and investigation with Splunk Enterprise Security when we need more data to investigate.
I use disparate security solutions that integrate or import data into Splunk Enterprise Security. The integration currently supports my security operations as it's now on a POC; however, it's not in production right now.
I have expanded usage, and that process was very smooth. I assess the stability and reliability of Splunk Enterprise Security as very good.
What needs improvement?
Splunk Enterprise Security can be improved with more AI in the commands and more help in the commands, as not all people know how to write code in SPL, and we need more help in this area.
Additional features such as AI command help and more flexibility in the search should be included in the next release to make it simpler.
The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection involve correlating data from multiple assets and networks simultaneously, as our network is very complex and we have not yet properly collected all the data from our various data centers within my environment.
For how long have I used the solution?
I have been using Splunk Enterprise Security for five years.
What do I think about the stability of the solution?
I have not experienced any downtime, crashes, or performance issues; it is very redundant.
What do I think about the scalability of the solution?
Splunk Enterprise Security scales very well with the growing needs of my organization.
How are customer service and support?
I evaluate customer service and technical support as very good.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Prior to adopting Splunk Enterprise Security, I was not using another solution to address similar needs.
How was the initial setup?
I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security very simple and straightforward.
What was our ROI?
I have yet to see an ROI.
What's my experience with pricing, setup cost, and licensing?
I'm not familiar with the pricing.
What other advice do I have?
My organization does not use risk-based alerting yet. My security ops team takes 60 or 70% longer to remediate security incidents with Splunk Enterprise Security compared to our previous solution.
The advice I would give to other organizations considering Splunk Enterprise Security is to design, design, design, and design. Expanding on what that means, you need to be very organized with what you want and what you want to achieve from the product because the deployment is very crucial; once you install it, it's very hard to change the topology and to add more tenants or search heads, which is very complex. The vendor can contact me with any questions or comments about my review.
On a scale of one to ten, I would rate Splunk Enterprise Security overall an eight.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 11, 2025
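The review above mentions two things a practitioner will recognise: enriching events from Asset and Identity Management so investigators have more context, and the difficulty of correlating activity across many assets and networks. The SPL below is an added example written for this page; it is not the reviewer's search and not Splunk's own content. It assumes the CIM Authentication data model is accelerated and that the ES asset lookups are named asset_lookup_by_str and asset_lookup_by_cidr, keyed on an asset column and carrying priority, bunit and category columns (standard names in an ES install, but verify them in yours). The thresholds are illustrative.

```spl
| tstats summariesonly=true count as failures
    from datamodel=Authentication.Authentication
    where Authentication.action="failure"
    by Authentication.src, Authentication.user, Authentication.dest
| rename Authentication.* as *
| lookup asset_lookup_by_str asset as dest OUTPUTNEW priority as dest_priority, bunit as dest_bunit, category as dest_category  ```assumed ES lookup name; exact host/IP match```
| lookup asset_lookup_by_cidr asset as dest OUTPUTNEW priority as dest_priority, bunit as dest_bunit, category as dest_category  ```assumed ES lookup name; CIDR ranges fill whatever the exact match missed```
| fillnull value="unknown" dest_priority dest_bunit dest_category
| eval priority_weight=case(dest_priority=="critical",4, dest_priority=="high",3, dest_priority=="medium",2, dest_priority=="low",1, true(),0)
| stats sum(failures) as failures, dc(dest) as distinct_targets, dc(dest_bunit) as distinct_bunits, max(priority_weight) as max_priority_weight, values(dest_category) as dest_categories by src, user
| where failures>=20 AND distinct_bunits>=2  ```illustrative thresholds: one source failing against hosts in two or more business units```
| eval risk_score=failures*(1+max_priority_weight)
| sort - risk_score
```

Two points worth knowing before scheduling this as a correlation search. First, tstats over an accelerated data model does not trigger the automatic asset lookups that ES applies to raw events, which is why the lookups are explicit; the second lookup uses OUTPUTNEW so a CIDR match never overwrites an exact match. Second, summariesonly=true silently ignores any index that is not yet accelerated, so in an environment where some data centers are still being onboarded the search will look cleaner than the estate actually is; compare against summariesonly=false over a short window before trusting the counts. The computed risk_score can be written to the risk index through the Risk Analysis adaptive response action if the organisation later adopts risk-based alerting.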
Senior Cyber Architect at a tech vendor with 10,001+ employees
Improves threat detection through integrations and provides valuable support for meeting compliance objectives
Pros and Cons
- "I appreciate the integrations with the SOAR architectures and the expandability that can be used throughout the entire ecosystem of Splunk Enterprise Security."
- "The system can be intimidating, and sometimes the concepts conveyed in the documentation require adjustment."
What is our primary use case?
My main use case for Splunk Enterprise Security is getting observability and insights in order to meet compliance objectives.
What is most valuable?
I appreciate the integrations with the SOAR architectures and the expandability that can be used throughout the entire ecosystem of Splunk Enterprise Security. They've improved my threat detection capabilities.
What needs improvement?
The system can be intimidating, and sometimes the concepts conveyed in the documentation require adjustment. The product is mature and continuing to mature. There could be a better opportunity to let larger groups outside of the community know about the ease of deploying the product.
I'm finding that newer generations, including my own, don't respond well to TL;DRs that often come from third parties and are often incorrect. If there were more of a quick answer, perhaps with Splunk AI, they could start implementing that on the documentation page to let people who have trust in it get a quicker answer.
For how long have I used the solution?
Professionally, I have been using Splunk Enterprise Security for the last one to two years. Personally, I've used it several times as a hobby product and competitively in cyber games.
What do I think about the stability of the solution?
The product is mature.
How are customer service and support?
I don't directly deal with technical support.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Prior to adopting Splunk Enterprise Security, I was using another solution to address similar needs, however, I can't go into details.
How was the initial setup?
I would describe my experience with deploying Splunk Enterprise Security as one that needs some more hand-holding. Some aspects of the language and understanding can be challenging for individuals unfamiliar with Splunk. There are opportunities to improve that dissemination.
With training, I find deployment relatively easy. There's some self-service that has to be done as a user in terms of learning and understanding the product. Once you understand those workflows, it presents as a relatively easy and intuitive product to expand and grow into.
What was our ROI?
I have seen a return on investment with Splunk Enterprise Security. It's a useful system, and I would highly advocate it with any Splunk deployment.
What's my experience with pricing, setup cost, and licensing?
I'm not involved on the licensing side.
What other advice do I have?
The features that have been demoed and debuted in Splunk Enterprise Security are of particular interest, and I'm interested to see where that journey continues. I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security relatively easy with training.
My advice to other organizations considering Splunk Enterprise Security is to try it. I would suggest getting a demo from Splunk as that's the worthwhile approach. It's better to see all the powers that this tool can bring in terms of those capacities rather than trying to figure it out on your own journey.
I would rate Splunk Enterprise Security an eight out of ten. The only reason for this rating is, from an outside-in perspective, as someone who hasn't spent time either deploying it themselves or learning more of the nuances of how clustered designs work, it can be an intimidating experience and requires a lot of hand-holding. This creates a barrier to adoption.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Sep 11, 2025
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros
sharing their opinions.
Updated: August 2025
Product Categories: Security Information and Event Management (SIEM), Log Management, IT Operations Analytics
Popular Comparisons
CrowdStrike Falcon
Microsoft Sentinel
IBM Security QRadar
Elastic Security
Splunk AppDynamics
Grafana Loki
Elastic Observability
Graylog Enterprise
Security Onion
Cortex XSIAM
Palantir Foundry
Quick Links
Learn More: Questions
- Which would you recommend to your boss, IBM QRadar or Splunk?
- What are some of the best features and use-cases of Splunk?
- What SOC product do you recommend?
- Splunk as an Enterprise Class monitoring solution -- thoughts?
- What is the biggest difference between Dynatrace and Splunk?
- IBM QRadar is rated above competitors (McAfee, Splunk, LogRhythm) in Gartner's 2020 Magic Quadrant. Agree/Disagree?
- What are the advantages of ELK over Splunk?
- How does Splunk compare with Azure Monitor?
- New risk scoring framework in the Splunk App for Enterprise Security -- thoughts?
- Splunk vs. Elastic Stack