My main use cases for Splunk Enterprise Security are event correlation and risk-based alerting.
Director, Enterprise Insider Threat at a legal firm with 1,001-5,000 employees
Unified event correlation and intelligence dashboards to strengthen business resilience
Pros and Cons
- "I would assess the stability and reliability of Splunk Enterprise Security as good, as I have not had any issues with it."
- "The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection include not having enough time to be in it, the resources and people to also be in there, and trying to configure it and teach people how to use it. A lack of resources prevents us from giving it the attention it needs."
What is our primary use case?
What is most valuable?
The features I appreciate most about Splunk Enterprise Security are the different domains they have and the intelligence that comes along with each of those dashboards, being that single pane of glass for analysts to go in and look at. Splunk Enterprise Security has helped improve my organization's business resilience.
We use Cribl to pull data in and get it optimized before it hits Splunk Enterprise Security as far as collection. I have not done much customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security yet; we started off with just getting data in, and now we are at the point where we are starting to look at detections.
In Splunk Enterprise Security, I do not use risk-based alerting as much as we should. That goes back to the whole time issue, as we need to teach people what to do with it and how to tune them, and we do not have enough time in the day.
What needs improvement?
As for improvements to Splunk Enterprise Security, we will see how ES 8.2 looks. It is hard to say. We just found out about a bunch of changes, so it is difficult to make specific recommendations at this point.
The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection include not having enough time to be in it, the resources and people to also be in there, and trying to configure it and teach people how to use it. A lack of resources prevents us from giving it the attention it needs.
For how long have I used the solution?
I have been using Splunk Enterprise Security for two years.
Buyer's Guide
Splunk Enterprise Security
January 2026
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: January 2026.
881,036 professionals have used our research since 2012.
What do I think about the stability of the solution?
I would assess the stability and reliability of Splunk Enterprise Security as good, as I have not had any issues with it. I have experienced downtime, crashes, or performance issues with Splunk Enterprise Security only once or twice when we have had to restart our Splunk instance, and it has taken three minutes and come right back, so nothing major.
What do I think about the scalability of the solution?
Splunk Enterprise Security has not hit the point yet where we need to scale; we are still at the initial ingestion phase. We are in the process of expanding usage for Splunk Enterprise Security; we have not actually done it yet, as we are still planning and trying to get other teams involved while meeting their use cases, so we are probably a month away from that.
How are customer service and support?
I would evaluate customer service and technical support for Splunk Enterprise Security as far better than anything else, giving it an eight out of ten, thanks to the response times they meet. When going to our account representatives, if we need something, they are always responsive and we get whatever we need.
How would you rate customer service and support?
Positive
How was the initial setup?
The deployment was easy since we're cloud-based. We didn't really have to do anything.
What was our ROI?
I have seen ROI with Splunk Enterprise Security. Just getting data in and being able to use the data and making sure it is compliant and mapping it to data models is far more efficient than any other SIM I have had experience with.
What's my experience with pricing, setup cost, and licensing?
My experience with pricing, setup costs, and licensing for Splunk Enterprise Security is straightforward and self-explanatory. We are ingest-based, so we are not compute-based, making it pretty simple to get everything in without worrying about pricing.
Which other solutions did I evaluate?
Factors that led me to consider the change include shifting to a cloud-based solution at an affordable price and moving to something that is going to help reduce time spent on alerts and maintaining the system, with maintaining the system being probably the biggest reason since shifting to the cloud.
What other advice do I have?
For the future of Splunk Enterprise Security, I would want the Edge Processor to be able to send to multiple destinations rather than just Splunk, though that is more about Observability.
The advice I would give to other organizations considering Splunk Enterprise Security is that everybody wants to drive a Ferrari, so get the Ferrari of SIMs.
I rate Splunk Enterprise Security ten out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 13, 2025
Information System Security Officer at a tech vendor with 10,001+ employees
Video Review
Risk-based alerting and custom dashboards transform communications and detect threats
Pros and Cons
- "The stability and reliability of Splunk Enterprise Security is outstanding. It's a software and product that anybody can really pick up and use."
- "Combating insider threats and advanced persistent threats is an amazing feature of Splunk Enterprise Security, and it gives us the visibility that we need for those detections that other software doesn't have."
- "I'm not as familiar as I should be to answer how Splunk Enterprise Security can be improved, however, one of the improvement points that Enterprise Security could offer is on-prem training."
- "One of the improvement points that Enterprise Security could offer is on-prem training, the availability to have a Splunk representative come out to different sites and actually sit down with the organizations and help them understand."
What is our primary use case?
Many of my use cases for Splunk Enterprise Security involve integrating with our networks and systems to troubleshoot and streamline our capabilities.
What is most valuable?
One of the features of Splunk Enterprise Security that I really enjoy is the ability to have the scalability of the product and the moldability that's really customized to meet our specific needs.
The flexibility of Splunk Enterprise Security is beneficial, and that feature, while a broad statement, is crucial in itself, as it allows us to design our own environments with the flexibility and malleability needed to function effectively.
Splunk Enterprise Security's Risk-Based Alerting or RBA has been really amazing. We're still new at it, however, it's definitely nice to be able to have those results at your fingertips instead of having to search what you need to.
Using Splunk Enterprise Security's dashboards to communicate security posture to executives is probably one of the nicest things that Splunk offers. Not everyone is as skilled with the inner workings of the system as we are in my industry, so being able to put a visualization on there is critical.
The ability of Splunk Enterprise Security to ingest data has been amazing for our threat detection. Combating insider threats and advanced persistent threats is an amazing feature of Splunk Enterprise Security, and it gives us the visibility that we need for those detections that other software doesn't have.
The stability and reliability of Splunk Enterprise Security is outstanding. It's a software and product that anybody can really pick up and use.
What needs improvement?
I'm not as familiar as I should be to answer how Splunk Enterprise Security can be improved, however, one of the improvement points that Enterprise Security could offer is on-prem training, the availability to have a Splunk representative come out to different sites and actually sit down with the organizations and help them understand.
For how long have I used the solution?
I've been using Splunk Enterprise Security for about a year to a year and a half now.
How are customer service and support?
I handle most things in-house, however, I evaluate Splunk Enterprise Security's technical support and service as outstanding based on the few times we've had to contact them.
How would you rate customer service and support?
Positive
How was the initial setup?
My experience with deploying Splunk Enterprise Security is that the deployment process is pretty straightforward, especially once you have the certifications and you understand how the process works. I'd say it goes back to the training opportunities; some people are unfamiliar with it, so a little bit of support would be appreciated sometimes.
What was our ROI?
Splunk Enterprise Security has definitely reduced the amount of time that it takes us to detect and respond. I would say the percentage lowered by using Splunk Enterprise Security is around 25 to 30%.
What's my experience with pricing, setup cost, and licensing?
I understand how the pricing, the setup costs, and the licensing of Splunk Enterprise Security work, however, I personally don't have knowledge of the numerical values.
What other advice do I have?
I'd give Splunk Enterprise Security a rating of ten out of ten.
My advice to other companies considering Splunk Enterprise Security is to just do it. Don't look at any of the competitors; Splunk, hands down, is the product that I would recommend to other companies.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 11, 2025
Solutions Director at a computer software company with 51-200 employees
Risk-based alerting has improved detection efficiency and supports faster remediation
Pros and Cons
- "On average, my security ops team is fairly quick to remediate security incidents with Splunk Enterprise Security, depending on the use case, minutes versus hours, compared to my previous solution, which was ArcSight."
- "Splunk Enterprise Security could be cheaper."
What is our primary use case?
My main use cases for Splunk Enterprise Security are security, general security, and SIM.
What is most valuable?
The feature I appreciate the most in Splunk Enterprise Security is RBA. These features in Splunk Enterprise Security help my organization contextualize security alerts and put them in a framework that makes sense for our customers.
My organization uses risk-based alerting in Splunk Enterprise Security. Risk-based alerting in Splunk Enterprise Security supports my SOC by giving me a holistic view of what's happening and prioritizing alerts based on various risk factors that are important to me.
The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection are zero-day events. I use disparate security solutions that integrate or import data into Splunk Enterprise Security. This integration supports my security operations by giving me a holistic view of what's happening in my environment. I find the process of customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security easier than other platforms.
On average, my security ops team is fairly quick to remediate security incidents with Splunk Enterprise Security, depending on the use case, minutes versus hours, compared to my previous solution, which was ArcSight.
Splunk Enterprise Security has helped improve my organization's business resilience.
My impressions of Splunk Enterprise Security's ability to predict, identify, and solve problems are good. I would say to other organizations considering Splunk Enterprise Security to solve your data challenges first and focus on data quality, and then everything else will work with your infrastructure.
What needs improvement?
Splunk Enterprise Security could be cheaper. More artificial intelligence implementation for features should be included in the next release of Splunk Enterprise Security.
For how long have I used the solution?
I have been using Splunk Enterprise Security for nine years.
What do I think about the stability of the solution?
Splunk Enterprise Security is very reliable. I have not experienced any downtime, crashes, or glitches with Splunk Enterprise Security.
What do I think about the scalability of the solution?
Splunk Enterprise Security scales efficiently with the growing needs of my organization. I have expanded usage, and the process was very smooth.
How are customer service and support?
I would evaluate customer service and technical support as pretty good. There is a good community.
On a scale of one to ten, I would rate customer service an eight.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Prior to adopting Splunk Enterprise Security, I was using ArcSight to address similar needs.
How was the initial setup?
I would describe my experience with deploying Splunk Enterprise Security as easy. I deploy it all the time, so it's easy for me.
What was our ROI?
I have seen a return on investment with Splunk Enterprise Security.
What's my experience with pricing, setup cost, and licensing?
I don't deal with pricing, setup cost, and licensing mainly; however, everyone says it's pricey.
Which other solutions did I evaluate?
I was using ArcSight, and the factor to change was that it could not accept all the data.
What other advice do I have?
On a scale of one to ten, I would rate Splunk Enterprise Security an eight.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Sep 13, 2025
ISSM at a government with 10,001+ employees
Video Review
Prioritizes critical threats and improves collaboration across teams for faster incident response
Pros and Cons
- "Splunk Enterprise Security helps my SOC team prioritize and investigate high-fidelity alerts more effectively by enabling us to quickly gather information, collaborate, and provide various teams with access to the same information, allowing them to follow the workflow to complete the task."
- "Splunk Enterprise Security can improve in terms of probably being able to talk to additional sources."
What is our primary use case?
My main use cases for Splunk Enterprise Security are insider threat, application security, incident response, and risk forecasting.
What is most valuable?
I appreciate the ability of Splunk Enterprise Security to tap into various network equipment and services on the network to pull it all into one place. That's my favorite feature.
The feature I've mentioned helps us in responding to incidents and disasters and different technical situations by being able to pull data from various sources and analyze it and take action.
Splunk Enterprise Security's Risk-Based Alerting, or RBA, has enabled us to prioritize and focus on the most critical threats and issues, while blocking out some of the noise and various information that can come from all these different sources.
Splunk Enterprise Security helps my SOC team prioritize and investigate high-fidelity alerts more effectively by enabling us to quickly gather information, collaborate, and provide various teams with access to the same information, allowing them to follow the workflow to complete the task.
Splunk Enterprise Security's ability to ingest and normalize data from diverse sources has enhanced our threat detection capabilities by making us aware of what's going on in the world, relating to our use cases and our threat tolerance, as we constantly pull in that information and brief everyone who has a stake.
What needs improvement?
Splunk Enterprise Security can improve in terms of being able to add to additional sources. They're adding many different ones, but as more cloud and data lakes emerge, being able to touch all those different new technologies that emerge together would be beneficial.
What do I think about the stability of the solution?
I assess the stability and reliability of Splunk Enterprise Security as very reliable and stable so far. We haven't had any glitches with testing out the first pilot use of it.
What was our ROI?
From my point of view, the biggest return on investment when using Splunk Enterprise Security is definitely being able to respond to incidents faster, adapt to future attacks by analyzing that information and doing risk-based management decisions, and also preparing for the future by looking at new technologies that can help us.
What's my experience with pricing, setup cost, and licensing?
I'm not too involved with the pricing, the setup costs, and the licensing of the platform. It is pretty straightforward.
What other advice do I have?
We just started turning on UEBA in our company, but we haven't really started utilizing it yet. There is a roadmap to try to do some of that stuff from the program side, and we just have to get access to it once the enterprise is ready to implement it and hand it over to the program office.
Even though we just started using UEBA, it's very useful, and it helps us set a bar for what normal activity is, and then it sets alerts and gives us awareness for anything that's out of the norm in terms of normal user behavior and the data that's being accessed.
My advice to other companies considering Splunk Enterprise Security is that you should definitely look into it, get your folks a proof of concept and try it out, send folks to training, and let them learn about it, and see how it can help you be better at securing your environment.
I rate Splunk Enterprise Security nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 13, 2025
Dir Security Ops at a government with 10,001+ employees
Has improved incident detection and reduced SOC response times with a unified dashboard
Pros and Cons
- "The feature I appreciate the most about Splunk Enterprise Security is the dashboard."
- "The correlation of events is the most significant challenge I face when using Splunk Enterprise Security for advanced threat detection."
What is our primary use case?
My main use cases for Splunk Enterprise Security are threat alerts.
What is most valuable?
The feature I appreciate the most about Splunk Enterprise Security is the dashboard. It has supported my SOC by making their job easier regarding notifications. It also reduces the time they have to spend using other tools to help them out, cutting down on their workload.
When it comes to incidents, we are able to detect, monitor, and handle incidents that come in. We can take those incidents and correlate them to other tools that we use. It serves as our single pane of focus.
Our security ops team's remediation time with Splunk Enterprise Security is measured in minutes. One notable improvement has been the maturation of our SOC, which now features a single pane of glass for incident viewing.
What needs improvement?
The correlation of events is the most significant challenge I face when using Splunk Enterprise Security for advanced threat detection. I am still looking at version 8 to see how it can be improved or how we can utilize it better.
For how long have I used the solution?
I have been using Splunk Enterprise Security for three years.
What do I think about the stability of the solution?
I assess the stability and reliability of Splunk Enterprise Security as having some issues because we have problems with our SC4S. We are working through it. There are some things that we need to troubleshoot, but we are addressing those.
What do I think about the scalability of the solution?
It is easy to scale Splunk Enterprise Security, and the plan is to expand it, however, we are in the planning stages right now. My experience with scaling has been smooth.
How are customer service and support?
I evaluate customer service and technical support as good, with no issues.
On a scale of one to ten, I would rate customer service and technical support an eight.
How would you rate customer service and support?
Positive
How was the initial setup?
My experience with pricing, setup costs, and licensing is that they are expensive and growing, but that is really above my level. Our C suite handles more of the pricing aspects.
What about the implementation team?
I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security not overly complicated because we use Splunk resources to help us with this. It is not as challenging as we would think it would be.
What was our ROI?
I have seen a return on investment with Splunk Enterprise Security.
Which other solutions did I evaluate?
I use other security solutions that integrate or import data into Splunk Enterprise Security such as CrowdStrike, Proofpoint, and a threat intel platform called ThreatConnect.
What other advice do I have?
My advice to other organizations considering Splunk Enterprise Security is to weigh their options, but I would definitely recommend it.
On a scale of one to ten, I rate Splunk Enterprise Security an eight.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 13, 2025
Network Security Engineer at a consultancy with 10,001+ employees
Centralized dashboards have improved log visibility and support faster security investigations
Pros and Cons
- "Splunk Enterprise Security can retain logs for compliance purposes longer than the usual three months."
- "Splunk Enterprise Security documentation exists, but compared to Palo Alto, Palo Alto has more knowledge base articles."
What is our primary use case?
I deal with the Palo Alto FO and then Cortex XSIAM. I work with Cortex XSIAM and Cortex EDR products. We recently adopted Cortex XSIAM from Splunk Enterprise Security as our SIEM product for log management.
I have two to three years of experience with Splunk Enterprise Security, but not continuously; this is just a tool used by me, not daily. We send logs from the firewalls to XSIAM and analyze the traffic logs to determine whether deny or allow for migration. We use both Splunk and Cortex XSIAM for log analysis. I have never dealt with Splunk support.
What is most valuable?
I have experience with Palo Alto, Cisco, and Fortinet products. Splunk Enterprise Security is more dedicated to logs, not a unified product like Palo Alto. Palo Alto Cortex has the same UI across Cortex EDR and Cortex XSIAM, so all the product family is in one UI, whereas Splunk Enterprise Security is more focused on log search.
Palo Alto has better speed and better visibility. I can see all the M-points from one UI and search the logs from this UI. I use disparate security solutions that integrate or import data into Splunk Enterprise Security, including different log sources from the endpoint, firewall, router, switches, and everything that needs logging for visibility.
Splunk Enterprise Security can retain logs for compliance purposes longer than the usual three months. The dashboard capability also allows Splunk Enterprise Security to create dashboards based on logs, which makes it really helpful for visibility.
What needs improvement?
I feel more comfortable using XSIAM now compared to Splunk Enterprise Security. Splunk Enterprise Security is already a mature product, so I do not have much to point out. It could be a little more user-friendly, which would be nice.
It could also expand the product family beyond security log search. Since it has the capability of indexing things, perhaps Splunk Enterprise Security could develop their own EDR agent like Palo Alto and create a product family with a unified dashboard. This would definitely help the enterprise.
Splunk Enterprise Security documentation exists, but compared to Palo Alto, Palo Alto has more knowledge base articles. Even though the concepts are the same and multiple engineers have written articles for cross-reference, I do not see this level of documentation in Splunk Enterprise Security.
For how long have I used the solution?
I have two to three years of experience with Splunk Enterprise Security, but not continuously; this is just a tool used by me, not daily.
Which solution did I use previously and why did I switch?
The switch to Cortex came from management, likely because the Palo Alto product family is already in our environment. We have been using Palo Alto GlobalProtect and other security products, so bringing XSIAM into the environment makes sense.
What other advice do I have?
I do not see a real difference between XSIAM and Splunk Enterprise Security; they both have a search query functionality. Splunk Enterprise Security has Splunk query language, so it is just a different language and different way of searching logs. Eventually, we get the same logs including source, destination, port, and traffic allow and deny information.
I used to be a customer with Splunk Enterprise Security. I have hands-on experience but not extensive experience with Splunk Enterprise Security products in the past. I am more focused on networking than the security team. I do not have an answer about how long on average it takes SecOps teams to remediate security incidents using Splunk Enterprise Security.
I would rate this review an 8.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Jan 8, 2026
Systems Development Engineer at a tech vendor with 10,001+ employees
Supports real-time detection and response through flexible data ingestion and adaptable workflows
Pros and Cons
- "What Splunk does, and really is why it is a choice platform, is that it speaks all of those languages, no matter what IT discipline you are in."
- "The biggest thing with Splunk is making sure that the documentation is maintained."
What is our primary use case?
Splunk Enterprise Security use cases drive the workflow from threat detection all the way through to incident response, giving an approach mirrored with technology. Depending on use cases, whether having a tool drive some approach or conducting discovery, or looking to facilitate an operational security operations role at your company, it is very much driven heavily on the scheduler, setting things up and then looking and deep diving when necessary. Splunk Enterprise Security does well by giving a good framework.
Risk-based alerting is enabled in Splunk Enterprise Security. However, because of custom applications, a lot of times it works but doesn't work. Some discovery on our own is required, conducting our own campaigns to do that.
The time it takes the SecOps team to remediate any security incidents with Splunk Enterprise Security depends on the situation. Splunk skips over the whole trying to figure out how to use the tool. That is the biggest thing. Using Elastic SIEM and using other SIEMs, there is a learning curve, whereas with Splunk Enterprise Security, even if there is no one on the team who has mastery in Splunk, there is enough support and enough tooling and things that people have done before to really deep dive right in immediately.
Splunk Enterprise Security helps tell a story and helps focus at the customer level. As a managed service provider, I can only speak from the security side of it.
As a managed service provider, consolidating networking, security, and IT observability tools with Splunk Enterprise Security can be difficult, especially when providing those tools yourself. What Splunk does, and really is why it is a choice platform, is that it speaks all of those languages, no matter what IT discipline you are in. You are able to surface and view data in a quantitative manner and also get insights into what you are looking for. That is a very strong aspect of a tool where it does consolidate.
What is most valuable?
Splunk Enterprise Security has helped mainly when it comes down to the data science part. If you have a strong data science background, it is easy to detect anomalies. Some of the toolkits that are deployed with Splunk Enterprise Security and ML Toolkit allow you to do a lot more upfront than you typically would be able to do.
Splunk Enterprise Security has helped to improve the ability to ingest and normalize data.
The impressions of Splunk Enterprise Security's ability to identify and solve problems in close to real-time are that the different ingest methods that it provides are critical to finding out and looking at the breadth of data that comes in through machine data. In some parts, some people call them logs, some people call them metrics, some people call it telemetry. Having an aggregator at the ingest level like Splunk is amazing because it does not matter what you want to send, you can send it. It does not need to be in a particular format. A lot of the data brought in is not log data, it is programmatic from APIs and customer activity and things that need to be looked at as a whole picture. So when it comes to security, to be able to look at that in real-time requires compute and less structure because you need to be able to see there are payloads coming in that are typically not in this correct format, and the tool should not miss that because fields are not necessary. Splunk's ability to do schema on search is immensely powerful and that does aid in the ability to get results faster.
Threat topology and the MITRE ATT&CK framework features for helping discover the overall scope of an incident in Splunk Enterprise Security are pretty good. In this particular discipline when it comes to security, applying knowledge and then having a tool support that knowledge and drive forward, the integration paths of those particular types of things are very helpful. The more data that you bring in across your topology, if you will — network, user activity, user behavior activity, authentication, and application errors — you get this full landscape that you can see. With that, if a type of MITRE ATT&CK comes along and you understand what it is, you can see where the attack entry point was, the activity that was performed, and then start the incident response.
What needs improvement?
The biggest thing with Splunk is making sure that the documentation is maintained. There is a gap where if you search for an issue, a lot of times it is in the community. There should be a path that moves community answers into documentation or into an FAQ that allows people to not use the community answers to drive results. For instance, when you can use Splunk this way and this solves your problem, but if there is a better solution, that should be presented as an FAQ. Just working with Splunk for an immense amount of years, it is usually necessary to try to figure something out. The docs tell you where you can figure it out, as in a configuration file, but it does not really help you get to the end result. More complete documentation would be beneficial.
What do I think about the stability of the solution?
There has never been any instability with Splunk Enterprise Security. Some core dumps appear from time to time, but it really depends on your architecture. If you are really good at architecting Splunk, you should not ever run into that. Splunk is solid, and that is almost a ten.
What do I think about the scalability of the solution?
Splunk Enterprise Security's scalability is huge. If you were to take one thing from Splunk that is probably really amazing, it is the scalability. With a handful of users now, coming from a shop where there were 5,000-plus users in Splunk and it was pretty stable, the scalability is immense. It is one of the things that separates it from other tooling, and if not, it is the most scalable solution out there.
How are customer service and support?
Technical support or customer support at Splunk has been contacted.
The quality and speed of the support at Splunk are interesting. As an expert in the field, the work is really far beyond what customer support can probably handle. They are pretty good when it comes to that, especially if you have a Sev 1 ticket. The support team overall at Splunk, the people that have been interacted with, are fine, but typically if there is a problem, someone like a specialist needs to be spoken to. This one is hard to answer because of being such a niche customer.
If Splunk support were to be put on a scale from 1 to 10, it would receive a seven. This has been discussed with them and it is fair feedback. The reason for giving seven is simply because the first contact is not necessarily able to answer most of the problems that have to be submitted.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Alternatives to Splunk have been used. In the past, ArcSight has been used, of course managed service provider tools that you typically get with the big cloud providers, and then Elastic.
How was the initial setup?
Splunk Enterprise Security is just an app that sits on top of Splunk. There really is not much to it. It is pretty straightforward and about as easy as production enterprise software that has ever been seen. It is super easy.
What about the implementation team?
Implementation was automation, probably a couple of minutes and a button click.
Which other solutions did I evaluate?
There is not anything that is close to Splunk Enterprise Security as of right now. Splunk has taken this weird leap ahead of everybody else. It is also the most expensive tool out there. It is kind of like buying a luxury SUV or a used entry-level SUV. There is a difference for a reason. That is not saying that any of the other tools mentioned are that. It is just that Splunk is ahead, so there is really not a fair comparison.
What other advice do I have?
Splunk Enterprise Security has not been upgraded to 8.0. Splunk Enterprise Security does require maintenance between patching and upgrades. Professional services are available and have been done on behalf of another customer, but it is done mainly personally. The overall review rating for Splunk Enterprise Security is an eight.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Last updated: Nov 30, 2025
Works at a marketing services firm with 1,001-5,000 employees
Extensive customization facilitates threat detection but integration with cloud and Git needs improvement
Pros and Cons
- "The product is generally stable and forgiving."
- "The GUI, now called Mission Control, which serves as issue management or ticket management, falls below what would be considered industry standards."
- "The AWS add-on is particularly problematic, with most inputs requiring manual writing due to lack of out-of-box functionality."
What is our primary use case?
My use cases for Splunk Enterprise Security are extensive in production. I utilize it for all available functions including observability, asset management, vulnerability management, threat detection, network security, identity management, and various other capabilities.
How has it helped my organization?
The solution does require a lot of customization for an organization.
What is most valuable?
It is highly customizable, which is a significant advantage. It requires substantial customization and tailoring to particular organization requirements, meaning that out of the box, most features would need configuration.
What needs improvement?
The risk and notables component, particularly the two-tier system of picking something from risk into the notable, is one of the most problematic features.
The GUI, now called Mission Control, which serves as issue management or ticket management, falls below what would be considered industry standards.
AI assistance for security analysts to analyze notables and risks needs improvement. Although it exists, the demonstration is not yet sufficient for the required level. We need this as soon as possible to help security analysts.
Splunk Enterprise Security is not cloud environment-friendly, especially when dealing with large cloud infrastructures. With significant AWS presence and multiple clouds, collecting asset data is challenging. The AWS add-on is particularly problematic, with most inputs requiring manual writing due to lack of out-of-box functionality.
Regarding the platform and Enterprise Security specifically, the lack of Git-friendly or Git-native integration is problematic. The recently introduced content management system is inadequate, attempting to implement an outdated concept of storing rule versions in an index while teams work with Git natively.
The storage of queries in savedsearches.conf prevents efficient work with query text. It should be structured as separate SPL files that can utilize intellectual add-ons for Visual Studio Code and work natively with GitHub. Content management is limited to applications within the Enterprise Security suite, excluding custom applications not starting with SA or DA.
For how long have I used the solution?
I have been using Splunk Enterprise Security for more than five years.
What do I think about the stability of the solution?
The product is generally stable and forgiving.
What do I think about the scalability of the solution?
When considering Enterprise Security in particular, it demonstrates good scalability.
How are customer service and support?
I contacted their technical support recently. The support provided is decent, though they often reference their knowledge base. For publicly available solutions, this can be redundant as these solutions can be found through internet searches. Support becomes valuable when dealing with issues requiring access to their closed knowledge base for faster responses.
While support provides solutions, implementation can be complex. In a recent case, the provided solution was so complex to implement that I decided not to proceed. The support staff themselves are highly knowledgeable, polite, and responsive, with some being exceptional. The support team deserves a perfect score.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have experience with similar solutions such as AlienVault and ArcSight, each with its advantages and disadvantages. The recommendation depends on the working environment. For cloud-native and GitHub-native organizations, the Enterprise Security solution should align with those principles.
How was the initial setup?
I was solely responsible for the implementation.
It was one of the most difficult deployments I've ever handled. After we set up a cluster with consultants, we made it usable after a year and a half.
Splunk Enterprise Security requires continuous maintenance, consuming approximately 50% of the time. The numerous data sources and constantly changing formats and source types demand ongoing work on data quality, detection rules, assets, and identities.
People are delegated for platform administration, though they currently need additional time to reach optimal performance levels.
What about the implementation team?
We did work with consultants during the deployment.
What's my experience with pricing, setup cost, and licensing?
The pricing is currently managed by procurement. Even with substantial company discounts, it remains extremely expensive. This creates internal challenges when teams independently choose open-source or less expensive solutions for log dumping. Duplicating application logs becomes costly as teams may already use DataDog, ELK stack, Elasticsearch, or S3.
With data ingestion of two terabytes or more daily, Splunk Enterprise Security costs become significant. Cloud-native solutions, particularly in AWS, make it more practical to use native security detection mechanisms such as Security Hub, GuardDuty, and Inspector, using Splunk Enterprise Security as a data aggregator.
Many users prefer pre-processing data before ingestion using the Databricks platform for large data sources such as CloudTrail logs. The on-premises pricing model based on data ingestion affects Splunk Enterprise Security's market position.
What other advice do I have?
This product requires significant investment in learning as it is not easily understood. Organizations purchasing the solution should expect 6-12 months with a dedicated team before meaningful insights can be delivered.
On a scale from one to ten, Splunk Enterprise Security rates as a seven.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Jul 29, 2025
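The reviewer's point about savedsearches.conf is that the search text lives inside a .conf stanza rather than in separate SPL files that a team can diff and review in Git. The following script is an added example, not code from the reviewer or from Splunk: it parses a constructed savedsearches.conf (the key names search, cron_schedule, disabled and action.correlationsearch.* are real savedsearches.conf keys; the stanza names and the SPL are made up for this example) into one .spl file per saved search, and regenerates the .conf from the parsed stanzas so the SPL files can be the source of truth in a repository while the .conf is treated as a build artifact.

```python
"""
Added example, not code from the reviewer or from Splunk: split a
savedsearches.conf into one .spl file per saved search so the SPL can be
versioned and reviewed in Git, and regenerate the .conf from the stanzas.
"""
import re
from pathlib import Path

# Constructed sample in Splunk's .conf format: [stanza] headers, key = value
# pairs, '#' comments and trailing-backslash line continuations. The key names
# are real savedsearches.conf keys; stanza names and SPL are made up.
SAMPLE_CONF = """\
# constructed sample, not from a real deployment
[Example - Scheduled Task Creation - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.label = Example Scheduled Task Creation
cron_schedule = */15 * * * *
disabled = 0
search = | tstats count from datamodel=Endpoint.Processes \\
  where Processes.process_name="schtasks.exe" \\
  by Processes.dest Processes.user Processes.process

[Lab - Failed Logins by Source]
cron_schedule = 0 * * * *
disabled = 1
search = index=auth action=failure | stats count by src
"""


def parse_conf(text):
    """Parse .conf text into {stanza_name: {key: value}}.

    A line ending in a backslash continues on the next line; the newline is
    kept inside the value so multi-line SPL survives a round trip.
    """
    logical_lines, buf = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1].rstrip() + "\n"
            continue
        logical_lines.append(buf + raw)
        buf = ""
    if buf:
        logical_lines.append(buf)

    stanzas, current = {}, None
    for line in logical_lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1]
            stanzas[current] = {}
            continue
        if current is None or "=" not in stripped:
            continue  # line outside any stanza, or not a key = value pair
        key, _, value = stripped.partition("=")  # split on the first '=' only
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def spl_filename(stanza):
    """Turn a stanza name into a safe, Git-friendly file name."""
    return re.sub(r"[^A-Za-z0-9]+", "_", stanza).strip("_").lower() + ".spl"


def extract_spl(stanzas, only_enabled=False):
    """Return {filename: spl} for every stanza that carries a search."""
    files = {}
    for name, kv in stanzas.items():
        spl = kv.get("search")
        if not spl or (only_enabled and kv.get("disabled", "0") == "1"):
            continue
        files[spl_filename(name)] = spl
    return files


def render_conf(stanzas):
    """Rebuild .conf text; multi-line values get backslash continuations."""
    lines = []
    for name, kv in stanzas.items():
        lines.append(f"[{name}]")
        for key, value in kv.items():
            lines.append(f"{key} = " + " \\\n".join(value.split("\n")))
        lines.append("")
    return "\n".join(lines)


def write_spl_files(files, outdir):
    """Write each search to <outdir>/<name>.spl and return the paths written."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for fname, spl in files.items():
        path = out / fname
        path.write_text(spl + "\n", encoding="utf-8")
        paths.append(path)
    return paths


if __name__ == "__main__":
    parsed = parse_conf(SAMPLE_CONF)
    for p in write_spl_files(extract_spl(parsed), "spl_out"):
        print("wrote", p)
    assert parse_conf(render_conf(parsed)) == parsed  # lossless round trip
```

Because the conversion is lossless in both directions, a team can keep the .spl files and a small metadata file in Git, run the renderer in CI to produce savedsearches.conf, and review detection changes as ordinary pull requests instead of editing stanzas by hand.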