reviewer2778402 - PeerSpot reviewer
Systems Development Engineer at a tech vendor with 10,001+ employees
Real User
Nov 30, 2025
Supports real-time detection and response through flexible data ingestion and adaptable workflows
Pros and Cons
  • "What Splunk does, and really is why it is a choice platform, is that it speaks all of those languages, no matter what IT discipline you are in."
  • "The biggest thing with Splunk is making sure that the documentation is maintained."

What is our primary use case?

Splunk Enterprise Security use cases drive the workflow from threat detection all the way through to incident response, giving an approach mirrored with technology. Depending on use cases, whether having a tool drive some approach or conducting discovery, or looking to facilitate an operational security operations role at your company, it is very much driven heavily on the scheduler, setting things up and then looking and deep diving when necessary. Splunk Enterprise Security does well by giving a good framework.

Risk-based alerting is enabled in Splunk Enterprise Security. However, because of custom applications, a lot of times it works but doesn't work. Some discovery on our own is required, conducting our own campaigns to do that.

The time it takes the SecOps team to remediate any security incidents with Splunk Enterprise Security depends on the situation. Splunk skips over the whole trying to figure out how to use the tool. That is the biggest thing. Using Elastic SIEM and using other SIEMs, there is a learning curve, whereas with Splunk Enterprise Security, even if there is no one on the team who has mastery in Splunk, there is enough support and enough tooling and things that people have done before to really deep dive right in immediately.

Splunk Enterprise Security helps tell a story and helps focus at the customer level. As a managed service provider, I can only speak from the security side of it.

As a managed service provider, consolidating networking, security, and IT observability tools with Splunk Enterprise Security can be difficult, especially when providing those tools yourself. What Splunk does, and really is why it is a choice platform, is that it speaks all of those languages, no matter what IT discipline you are in. You are able to surface and view data in a quantitative manner and also get insights into what you are looking for. That is a very strong aspect of a tool where it does consolidate.

What is most valuable?

Splunk Enterprise Security has helped mainly when it comes down to the data science part. If you have a strong data science background, it is easy to detect anomalies. Some of the toolkits that are deployed with Splunk Enterprise Security and ML Toolkit allow you to do a lot more upfront than you typically would be able to do.

Splunk Enterprise Security has helped to improve the ability to ingest and normalize data.

The impressions of Splunk Enterprise Security's ability to identify and solve problems in close to real-time are that the different ingest methods that it provides are critical to finding out and looking at the breadth of data that comes in through machine data. In some parts, some people call them logs, some people call them metrics, some people call it telemetry. Having an aggregator at the ingest level like Splunk is amazing because it does not matter what you want to send, you can send it. It does not need to be in a particular format. A lot of the data brought in is not log data, it is programmatic from APIs and customer activity and things that need to be looked at as a whole picture. So when it comes to security, to be able to look at that in real-time requires compute and less structure because you need to be able to see there are payloads coming in that are typically not in this correct format, and the tool should not miss that because fields are not necessary. Splunk's ability to do schema on search is immensely powerful and that does aid in the ability to get results faster.

Threat topology and the MITRE ATT&CK framework features for helping discover the overall scope of an incident in Splunk Enterprise Security are pretty good. In this particular discipline when it comes to security, applying knowledge and then having a tool support that knowledge and drive forward, the integration paths of those particular types of things are very helpful. The more data that you bring in across your topology, if you will — network, user activity, user behavior activity, authentication, and application errors — you get this full landscape that you can see. With that, if a type of MITRE ATT&CK comes along and you understand what it is, you can see where the attack entry point was, the activity that was performed, and then start the incident response.

What needs improvement?

The biggest thing with Splunk is making sure that the documentation is maintained. There is a gap where if you search for an issue, a lot of times it is in the community. There should be a path that moves community answers into documentation or into an FAQ that allows people to not use the community answers to drive results. For instance, when you can use Splunk this way and this solves your problem, but if there is a better solution, that should be presented as an FAQ. Just working with Splunk for an immense amount of years, it is usually necessary to try to figure something out. The docs tell you where you can figure it out, as in a configuration file, but it does not really help you get to the end result. More complete documentation would be beneficial.

What do I think about the stability of the solution?

There has never been any instability with Splunk Enterprise Security. Some core dumps appear from time to time, but it really depends on your architecture. If you are really good at architecting Splunk, you should not ever run into that. Splunk is solid, and that is almost a ten.

What do I think about the scalability of the solution?

Splunk Enterprise Security's scalability is huge. If you were to take one thing from Splunk that is probably really amazing, it is the scalability. With a handful of users now, coming from a shop where there were 5,000-plus users in Splunk and it was pretty stable, the scalability is immense. It is one of the things that separates it from other tooling, and if not, it is the most scalable solution out there.

How are customer service and support?

Technical support or customer support at Splunk has been contacted.

The quality and speed of the support at Splunk are interesting. As an expert in the field, the work is really far beyond what customer support can probably handle. They are pretty good when it comes to that, especially if you have a Sev 1 ticket. The support team overall at Splunk, the people that have been interacted with, are fine, but typically if there is a problem, someone like a specialist needs to be spoken to. This one is hard to answer because of being such a niche customer.

If Splunk support were to be put on a scale from 1 to 10, it would receive a seven. This has been discussed with them and it is fair feedback. The reason for giving seven is simply because the first contact is not necessarily able to answer most of the problems that have to be submitted.

Which solution did I use previously and why did I switch?

Alternatives to Splunk have been used. In the past, ArcSight has been used, of course managed service provider tools that you typically get with the big cloud providers, and then Elastic.

How was the initial setup?

Splunk Enterprise Security is just an app that sits on top of Splunk. There really is not much to it. It is pretty straightforward and about as easy as production enterprise software that has ever been seen. It is super easy.

What about the implementation team?

Implementation was automation, probably a couple of minutes and a button click.

Which other solutions did I evaluate?

There is not anything that is close to Splunk Enterprise Security as of right now. Splunk has taken this weird leap ahead of everybody else. It is also the most expensive tool out there. It is kind of like buying a luxury SUV or a used entry-level SUV. There is a difference for a reason. That is not saying that any of the other tools mentioned are that. It is just that Splunk is ahead, so there is really not a fair comparison.

What other advice do I have?

Splunk Enterprise Security has not been upgraded to 8.0. Splunk Enterprise Security does require maintenance between patching and upgrades. Professional services are available and have been done on behalf of another customer, but it is done mainly personally. The overall review rating for Splunk Enterprise Security is an eight.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Last updated: Nov 30, 2025
reviewer2745975 - PeerSpot reviewer
Works at a marketing services firm with 1,001-5,000 employees
Real User
Top 20
Jul 29, 2025
Extensive customization facilitates threat detection but integration with cloud and Git needs improvement
Pros and Cons
  • "The product is generally stable and forgiving."
  • "The GUI, now called Mission Control, which serves as issue management or ticket management, falls below what would be considered industry standards."
  • "The AWS add-on is particularly problematic, with most inputs requiring manual writing due to lack of out-of-box functionality."

What is our primary use case?

My use cases for Splunk Enterprise Security are extensive in production. I utilize it for all available functions including observability, asset management, vulnerability management, threat detection, network security, identity management, and various other capabilities.

How has it helped my organization?

The solution does require a lot of customization for an organization. 

What is most valuable?

It is highly customizable, which is a significant advantage. It requires substantial customization and tailoring to particular organization requirements, meaning that out of the box, most features would need configuration.

What needs improvement?

The risk and notables component, particularly the two-tier system of picking something from risk into the notable, is one of the most problematic features. 

The GUI, now called Mission Control, which serves as issue management or ticket management, falls below what would be considered industry standards.

AI assistance for security analysts to analyze notables and risks needs improvement. Although it exists, the demonstration is not yet sufficient for the required level. We need this as soon as possible to help security analysts. 

Splunk Enterprise Security is not cloud environment-friendly, especially when dealing with large cloud infrastructures. With significant AWS presence and multiple clouds, collecting asset data is challenging. The AWS add-on is particularly problematic, with most inputs requiring manual writing due to lack of out-of-box functionality.

Regarding the platform and Enterprise Security specifically, the lack of Git-friendly or Git-native integration is problematic. The recently introduced content management system is inadequate, attempting to implement an outdated concept of storing rule versions in an index while teams work with Git natively.

The storage of queries in savedsearches.conf prevents efficient work with query text. It should be structured as separate SPL files that can utilize intellectual add-ons for Visual Studio Code and work natively with GitHub. Content management is limited to applications within the Enterprise Security suite, excluding custom applications not starting with SA or DA.

For how long have I used the solution?

I have been using Splunk Enterprise Security for more than five years.

What do I think about the stability of the solution?

The product is generally stable and forgiving.

What do I think about the scalability of the solution?

When considering Enterprise Security in particular, it demonstrates good scalability.

How are customer service and support?

I contacted their technical support recently. The support provided is decent, though they often reference their knowledge base. For publicly available solutions, this can be redundant as these solutions can be found through internet searches. Support becomes valuable when dealing with issues requiring access to their closed knowledge base for faster responses.

While support provides solutions, implementation can be complex. In a recent case, the provided solution was so complex to implement that I decided not to proceed. The support staff themselves are highly knowledgeable, polite, and responsive, with some being exceptional. The support team deserves a perfect score.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have experience with similar solutions such as AlienVault and ArcSight, each with its advantages and disadvantages. The recommendation depends on the working environment. For cloud-native and GitHub-native organizations, the Enterprise Security solution should align with those principles.

How was the initial setup?

I was solely responsible for the implementation.

It was one of the most difficult deployments I've ever handled. After we set up a cluster with consultants, we made it usable after a year and a half. 

Splunk Enterprise Security requires continuous maintenance, consuming approximately 50% of the time. The numerous data sources and constantly changing formats and source types demand ongoing work on data quality, detection rules, assets, and identities.

People are delegated for platform administration, though they currently need additional time to reach optimal performance levels.

What about the implementation team?

We did work with consultants during the deployment. 

What's my experience with pricing, setup cost, and licensing?

The pricing is currently managed by procurement. Even with substantial company discounts, it remains extremely expensive. This creates internal challenges when teams independently choose open-source or less expensive solutions for log dumping. Duplicating application logs becomes costly as teams may already use DataDog, ELK stack, Elasticsearch, or S3.

With data ingestion of two terabytes or more daily, Splunk Enterprise Security costs become significant. Cloud-native solutions, particularly in AWS, make it more practical to use native security detection mechanisms such as Security Hub, GuardDuty, and Inspector, using Splunk Enterprise Security as a data aggregator.

Many users prefer pre-processing data before ingestion using the Databricks platform for large data sources such as cloud trail logs. The on-premises pricing model based on data ingestion affects Splunk Enterprise Security's market position.

What other advice do I have?

This product requires significant investment in learning as it is not easily understood. Organizations purchasing the solution should expect 6-12 months with a dedicated team before meaningful insights can be delivered.

On a scale from one to ten, Splunk Enterprise Security rates as a seven.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Jul 29, 2025
Manager cybersecurity at Hexion Inc.
Real User
Top 5
Aug 4, 2025
Effectively monitors cybersecurity risks and improves IT landscape visibility
Pros and Cons
  • "From a visibility perspective, the solution has significantly improved our organization by providing a single platform to visualize our entire IT landscape."
  • "The best features I've experienced over the past six years with Splunk Enterprise Security are the ability to create use cases and the flexibility to customize searches and use cases based on our specific requirements."
  • "Regarding room for improvement, I expect Splunk to provide information about new features on a regular basis, such as notifications about enhancements that may improve security posture."

What is our primary use case?

We use Splunk Enterprise Security for security monitoring purposes, and we have many security use cases configured to detect cybersecurity-related risks. We have 100+ use cases related to brute force attacks, ransomware, credential access attacks, et cetera.

We use it for the extra security layer since we want to be very proactive and monitor our infrastructure fully end-to-end.

How has it helped my organization?

We now have a single platform where we can visualize our entire landscape. It's improved our security posture. We can see all the logs getting ingested, and if there are any anomalies, we're able to visualize that as well. The alerts help us be very proactive. We used to miss a few things happening in our organization. Now we get alerts on time. 

What is most valuable?

The best features I've experienced over the past six years with Splunk Enterprise Security are the ability to create use cases and the flexibility to customize searches and use cases based on our specific requirements. 

It's user-friendly. You don't need to be an expert to create a use case. Even a basic understanding will allow you to do the work. There are lots of knowledge articles as well. 

From a visibility perspective, the solution has significantly improved our organization by providing a single platform to visualize our entire IT landscape. This has also enhanced our security posture by enabling us to view all logs.

We do connect with a Splunk representative on a monthly basis. They can proactively provide us with solutions. 

What needs improvement?

Regarding room for improvement, I expect Splunk to provide information about new features on a regular basis, such as notifications about enhancements that may improve security posture. I want these notifications to come to us quite regularly, as we always want to improve our security posture. 

I'm interested in the notifications and alerts aspect, particularly since Splunk Enterprise Security's Mission Control feature was very proactive when it was rolled out.

For how long have I used the solution?

I have been using Splunk Enterprise Security for the last six years.

What do I think about the stability of the solution?

I would rate the stability at eight out of ten; we never had any gap in monitoring. That said, there were instances of backend issues that did not impact our monitoring.

What do I think about the scalability of the solution?

It is a scalable solution for our business, and I would rate it nine out of ten, as we have recently scaled it to monitor operational use cases.

How are customer service and support?

I would rate the technical support as nine out of ten. They are always on top of resolving issues, providing technical account manager details for further assistance. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We had tried IBM QRadar and Azure Sentinel previously.

How was the initial setup?

If I need to set up Splunk from scratch, I don't have to do a lot of planning. It's pretty straightforward. 

It took about a month to deploy Splunk Enterprise Security, as we took many days to plan how to set up the architecture.

There is some maintenance required once it is set up.

What about the implementation team?

The IT team exclusively uses Splunk Enterprise Security for assistance. The team is always there to assist.

What's my experience with pricing, setup cost, and licensing?

I don't deal with pricing. I have a fair understanding based on the market research; from what I've witnessed, the pricing is competitive.

What other advice do I have?

I rate Splunk Enterprise Security higher due to its user-friendliness. That is something on top of my list. 

Splunk Enterprise Security is on top in terms of how users or administrators can manage it. Everything else looks pretty fine regarding the support we get from Splunk Enterprise Security. 

I would rate Splunk Enterprise Security overall as eight out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Aug 4, 2025
Ravi Nandasana - PeerSpot reviewer
Splunk Architect/DevOps Engineer at Data Elicit Solutions Pvt. Ltd.
Real User
Top 20
Jun 28, 2025
Saves a lot of time with powerful alerting and notification mechanism
Pros and Cons
  • "I would definitely recommend Splunk Enterprise Security because if you are really concerned about security and want to follow compliance rules, this product is really helpful."
  • "We can only increase the environment. For instance, with an ES server, we cannot make a cluster of ES. If you have two servers and want to make a cluster of these two servers for ES, that is not possible."

What is our primary use case?

Our purpose for using Splunk Enterprise Security is SIEM.

How has it helped my organization?

Machine learning has been incredibly beneficial in our efforts to detect various threats. For example, we pull all security logs and utilize the MLTK framework, which helps us identify potential risks effectively. So, overall, it's been quite helpful.

We use the risk-based alerting feature. For instance, when it detects a failed login attempt, it assigns a risk score to it. This allows us to utilize the risk-based alerting features effectively to prioritize incidents based on their severity.

Risk-based alerting generates notifications based on the level of risk associated with a transaction. This approach effectively assists in monitoring transactions, such as payments. It allows us to track the progress of a transaction, from initiation to completion, and identify any errors that may occur during the process. If there are numerous errors, we can assess the risk and determine whether the transaction might be a false positive.

Splunk Enterprise Security has been very helpful in this regard. However, I've noticed that improvement is still needed. We need to analyze the data more thoroughly. While this can be quite complex, finding a simpler solution would be beneficial.

What is most valuable?

The best features of Splunk Enterprise Security are the correlation rules and automation over the correlation rules. We can trigger alerts and notifications. The alerting and notification mechanism is really powerful and good. 

What needs improvement?

It needs more AI integration. The threat intelligence framework requires some AI functionality, which would be helpful.

For how long have I used the solution?

We have been using Splunk Enterprise Security for a couple of years, and I have been on the ES team for the last year. I have also used it in my previous company.

What do I think about the stability of the solution?

The stability of Splunk Enterprise Security rates at eight out of ten.

What do I think about the scalability of the solution?

It is scalable. We can only increase the environment. For instance, with an ES server, we cannot make a cluster of ES. If you have two servers and want to make a cluster of these two servers for ES, that is not possible. There is only one server, and if you want to increase scalability, you must increase the RAM and memory for that same server. The scalability is an eight out of ten.

We simply request Splunk support to increase our storage or make other adjustments as needed. We don't have access to AWS; all of that is managed by Splunk. We just need to reach out to them and say, "Please increase our storage by one terabyte," and they can handle that for us.

How are customer service and support?

Technical support for Splunk Enterprise Security is very good. We have daily calls. They are very helpful, rating at nine out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We tried LogScale in the past, but it has very limited functionalities and not a proper UI. It offers approximately 10% of Splunk Enterprise Security's capabilities. We haven't found any solution comparable to Splunk Enterprise Security.

How was the initial setup?

We utilize a combination of both cloud and on-premises setup. Specifically, we use Splunk Cloud for search indexes and other things. On the on-premises side, we have our heavy forwarders, standard forwarders, and user-defined forwarders. So, we effectively integrate both approaches.

The deployment for Splunk Cloud is very easy. They have predefined templates and setups on the AWS end. They utilize many AWS features. If you terminate any indexer, it will spawn up again. This type of automation exists with Splunk Cloud, making it really efficient.

It doesn't require any maintenance, but when we are doing batch upgrades, we need downtime, which is acceptable. It's four to five hours of downtime.

What about the implementation team?

Currently we have a team of seven people for Splunk Enterprise Security, with additional staff using Splunk Cloud and related services.

What was our ROI?

Splunk Enterprise Security helps to save a lot of time, which is our main purpose. Whenever something is wrong in our environment, we immediately get an alert. It saves time and costs. Compared to traditional methods, Splunk Enterprise Security saves approximately 40% to 50% of time.

What's my experience with pricing, setup cost, and licensing?

For small customers, Splunk Enterprise Security is quite expensive. For my team with a substantial budget, the cost is acceptable.

What other advice do I have?

I would definitely recommend Splunk Enterprise Security because if you are really concerned about security and want to follow compliance rules, this product is really helpful.

Splunk Enterprise Security helps save significant time and money, which most customers are looking for. It is easy to configure and manage. If you have certification or basic knowledge of Splunk Enterprise Security, it provides excellent job opportunities. The solution provides numerous helpful dashboards where you can directly check threats and other metrics. 

Overall, I would rate it an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer. partner
reviewer2755827 - PeerSpot reviewer
Cyber Security Specialist at a financial services firm with 201-500 employees
Real User
Top 20
Sep 11, 2025
Has supported advanced security investigations and improved incident response through enriched data and valuable tools
Pros and Cons
  • "The features I find most valuable in Splunk Enterprise Security are Incident Review, Security Essentials, Asset and Identity Management, and Machine Learning Toolkit."
  • "Splunk Enterprise Security can be improved with more AI in the commands and more help in the commands, as not all people know how to write code in SPL, and we need more help in this area."
  • "My security ops team takes 60 or 70% longer to remediate security incidents with Splunk Enterprise Security compared to our previous solution."

What is our primary use case?

My main use cases for Splunk Enterprise Security include cybersecurity threat, incident response, and security events.

What is most valuable?

The features I find most valuable in Splunk Enterprise Security are Incident Review, Security Essentials, Asset and Identity Management, and Machine Learning Toolkit. 

We are enriching data from Asset and Identity Management, and we have more data for our incident response and investigation with Splunk Enterprise Security when we need more data to investigate.

I use disparate security solutions that integrate or import data into Splunk Enterprise Security. The integration currently supports my security operations as it's now on a POC, however, it's not in production right now. 

I have expanded usage, and that process was very smooth. I assess the stability and reliability of Splunk Enterprise Security as very good.

What needs improvement?

Splunk Enterprise Security can be improved with more AI in the commands and more help in the commands, as not all people know how to write code in SPL, and we need more help in this area. 

Additional features such as AI command help and more flexibility in the search should be included in the next release to make it simpler.

The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection involve correlating data from multiple assets and networks simultaneously, as our network is very complex and we have not yet properly collected all the data from our various data centers within my environment.

For how long have I used the solution?

I have been using Splunk Enterprise Security for five years.

What do I think about the stability of the solution?

I have not experienced any downtime, crashes, or performance issues; it is very redundant.

What do I think about the scalability of the solution?

Splunk Enterprise Security scales very well with the growing needs of my organization.

How are customer service and support?

I evaluate customer service and technical support as very good.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Prior to adopting Splunk Enterprise Security, I was not using another solution to address similar needs.

How was the initial setup?

I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security very simple and straightforward.

What was our ROI?

I have yet to see an ROI.

What's my experience with pricing, setup cost, and licensing?

I'm not familiar with the pricing.

What other advice do I have?

My organization does not use risk-based alerting yet. My security ops team takes 60 or 70% longer to remediate security incidents with Splunk Enterprise Security compared to our previous solution.

The advice I would give to other organizations considering Splunk Enterprise Security is to design, design, design, and design. Expanding on what that means, you need to be very organized with what you want and what you want to achieve from the product because the deployment is very crucial; once you install it, it's very hard to change the topology and to add more tenants or search heads, which is very complex. The vendor can contact me with any questions or comments about my review. 

On a scale of one to ten, I would rate Splunk Enterprise Security overall an eight.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 11, 2025
reviewer2755854 - PeerSpot reviewer
Senior Cyber Architect at a tech vendor with 10,001+ employees
Real User
Top 20
Sep 11, 2025
Improves threat detection through integrations and provides valuable support for meeting compliance objectives
Pros and Cons
  • "I appreciate the integrations with the SOAR architectures and the expandability that can be used throughout the entire ecosystem of Splunk Enterprise Security."
  • "The system can be intimidating, and sometimes the concepts conveyed in the documentation require adjustment."

What is our primary use case?

My main use case for Splunk Enterprise Security is getting observability and insights in order to meet compliance objectives.

What is most valuable?

I appreciate the integrations with the SOAR architectures and the expandability that can be used throughout the entire ecosystem of Splunk Enterprise Security. They've improved my threat detection capabilities.

What needs improvement?

The system can be intimidating, and sometimes the concepts conveyed in the documentation require adjustment. The product is mature and continuing to mature. There could be a better opportunity to let larger groups outside of the community know about the ease of deploying the product.

I'm finding that newer generations, including my own, don't respond well to TL;DRs that often come from third parties and are often incorrect. If there was more of a quick answer, perhaps with Splunk AI, they could start implementing that on the documentation page to let people who have trust in that get a quicker answer.

For how long have I used the solution?

Professionally, I have been using Splunk Enterprise Security for the last one to two years. Personally, I've used it several times as a hobby product and competitively in cyber games.

What do I think about the stability of the solution?

The product is mature. 

How are customer service and support?

I don't directly deal with technical support.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Prior to adopting Splunk Enterprise Security, I was using another solution to address similar needs, however, I can't go into details.

How was the initial setup?

I would describe my experience with deploying Splunk Enterprise Security as one that needs some more hand-holding. Some aspects of the language and understanding can be challenging for individuals unfamiliar with Splunk. There are opportunities to improve that dissemination.

With training, I find deployment relatively easy. There's some self-service that has to be done as a user in terms of learning and understanding the product. Once you understand those workflows, it presents as a relatively easy and intuitive product to expand and grow into.

What was our ROI?

I have seen a return on investment with Splunk Enterprise Security. It's a useful system, and I would highly advocate it with any Splunk deployment.

What's my experience with pricing, setup cost, and licensing?

I'm not involved on the licensing side. 

What other advice do I have?

The features that have been demoed and debuted in Splunk Enterprise Security are of particular interest, and I'm interested to see where that journey continues. I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security relatively easy with training.

My advice to other organizations considering Splunk Enterprise Security is to try it. I would suggest getting a demo from Splunk as that's the worthwhile approach. It's better to see all the powers that this tool can bring in terms of those capacities rather than trying to figure it out on your own journey.

I would rate Splunk Enterprise Security an eight out of ten. The only reason for this rating is, from an outside-in perspective, as someone who hasn't spent time either deploying it themselves or learning more of the nuances of how clustered designs work, it can be an intimidating experience and requires a lot of hand-holding. This creates a barrier to adoption.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Sep 11, 2025
ROBERT-CHRISTIAN - PeerSpot reviewer
CTO at a tech vendor with 10,001+ employees
Real User
Top 5
Dec 22, 2024
Has many predefined correlation rules and is brilliant for investigation and log analysis
Pros and Cons
  • "They have approximately 50,000 predefined correlation rules, which is quite a lot, and I find that good."
  • "Overall, Splunk is among the top three SIEM tools due to its capabilities and agility in bridging business analytics with security needs."
  • "It is very complicated to write your own correlation rules without the help of Splunk support."
  • "Most importantly, Splunk can be outrageously expensive. That is the problem with both Splunk and Sentinel. Their pricing literally explodes based on the amount of data you feed in."

What is our primary use case?

We are an MSSP, and some of our customers have Splunk Enterprise Security, and we run it for them.

How has it helped my organization?

Splunk Enterprise Security is very good for helping us find any security event across multi-cloud environments.

Splunk's unified platform works very nicely to help consolidate networking, security, and IT observability tools.

It helps speed up security investigations. There is a 25% to 30% improvement. There is also a 25% reduction in the mean time to resolve, but we are also using a SOAR tool, which reduces that by 70% to 80%. 

What is most valuable?

They have approximately 50,000 predefined correlation rules, which is quite a lot, and I find that good.

What needs improvement?

It is very complicated to write your own correlation rules without the help of Splunk support.

What Splunk could do better is to create an API to the standard SIEM tools, such as Microsoft Sentinel. The idea would be to make it less painful. In ELK Stack, Kibana is the query language with which you can search log files. I believe Splunk has also a query language in which they search their log files, but once you have identified the log file that you want to use for further security correlation, you want to very quickly transport that into your SIEM tool, such as Microsoft Sentinel. That is something that Splunk could make a little bit less painful because it is a lot of effort to find that log file and forward it. An API with Microsoft Sentinel or a similar SIEM tool would be a good idea.

For how long have I used the solution?

I have used the solution for about five years.

What do I think about the stability of the solution?

It is very stable. Sometimes it can be sluggish, especially in completely virtualized environments, but overall, it is good.

What do I think about the scalability of the solution?

I would rate it a nine out of ten for scalability. They struggle a bit with pure virtual environments, but in terms of how much they can handle, it is pretty good.

How are customer service and support?

Based on what customers tell me, it has been good. If you want to write your own correlation rules, it is very difficult to do, and you need Splunk's support to write new correlation rules for the SIEM tool.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

In our organization, we use our own tools such as Kyndryl Bridge and Elastic. We use Kyndryl Bridge which essentially has a similar function. It is based on Elastic. It indexes log files and flags log files. It helps you to very quickly search log files similar to the Splunk algorithm.

Our clients use Splunk Enterprise Security. If somebody already has Splunk as a business intelligence tool, then very often, it makes sense to expand the Splunk subscription they have to include Enterprise Security as well. We base our decisions on customer requirements, not on anything else. If a customer comes to us looking for a SIEM solution, we advise them based on their infrastructure and objectives. If we deliver the service for them and they want us to do that, we mostly go with Microsoft Sentinel when they already do not have Splunk. Otherwise, we go with Splunk Enterprise Security. We have about 30 customers in Germany who have Splunk, and we run it for them.

Monitoring multiple clouds with Splunk Enterprise Security is no more difficult than it is with Sentinel. I find Sentinel a bit easier. Splunk, of course, is very useful if you have AWS. Generically, because Splunk is not a cloud provider itself, it fits with anything. However, integration can be challenging at times, especially in virtualized environments. Splunk struggles a bit with speed in virtualized environments. Most importantly, Splunk can be outrageously expensive. That is the problem with both Splunk and Sentinel. Their pricing literally explodes based on the amount of data you feed in.

I like Elastic SIEM. It is a tool that allows you to determine the price. It is based on the computing power you require and not on the amount of data you put in, so it is a lot more flexible than Splunk or Sentinel. If there is a cost concern, Elastic SIEM is a good idea. Elastic is also pretty good at creating on-premises data lakes to control the amount of information you put into the same tool. That is something that neither Splunk nor Sentinel offers. 

In our operations, we use a separate threat intelligence vendor. To the SIEM tool, we added a SOAR tool for security orchestration, automation, and response, which is very critical these days. We get threat intelligence from a third-party provider because neither Splunk nor Microsoft gives the coverage that our customers need. Splunk does not have a SOAR capability, so we add that on top. We could add that on top of any tool, so it is not specific to Splunk, but Splunk helps because going through the log files is very fast. It does help when you do the incident analysis. Elastic also provides that, and Sentinel has that to some degree, but Splunk is still the Google for log files.

MITRE ATT&CK framework is integrated pretty much into any SIEM tool. It is not unique to Splunk. It is there in QRadar and other solutions. MITRE ATT&CK framework is helpful when designing incident response plans or playbooks. It is nice that they have it, but that is nothing unique to Splunk.

How was the initial setup?

It is mostly a cloud solution.

What's my experience with pricing, setup cost, and licensing?

The pricing is based on the volume of data fed into it, which can lead to substantial costs. This pricing model is complex and unpredictable, making cost management difficult.

Many parts of the IT world price based on IP addresses, nodes, or the number of devices. Splunk, of course, prices its services based on the volume of data submitted into the Splunk system. From a security perspective, it is very hard for clients to figure out how many security events per second their SIEM tool needs to work with. With Splunk, it is not just the events per second. They also need to know how much data per event per second the Splunk SIEM tool needs to work with. That is almost impossible to indicate.

Microsoft Sentinel is just as weird as Splunk. They also base the price on the amount of data you feed, whereas Elastic has a very interesting approach. It is not the amount of data you feed in; it is the amount of processing power you want to use. If you have a very large amount of data and want to correlate that very quickly, you need a lot more processing power. They base the pricing on processing power rather than on the amount of data. That is not a bad approach because that is scalable up and down depending on the needs of the organization, so the pricing from Splunk is a bit weird. That is what most people that I speak to are unhappy about because the cost can literally explode. I saw clients spend two million dollars a year just feeding data into the Splunk solution. You might have spent two million in feeding data into the SIEM tool a year, but the next year, it could be half of that. You find yourself frequently in an unpredictable situation of how much cost you are going to generate with your SIEM tool, so Splunk or Cisco needs to come up with a better and more scalable way of pricing their SIEM tool.

What other advice do I have?

Overall, Splunk is among the top three SIEM tools due to its capabilities and agility in bridging business analytics with security needs. They very much deserve where they stand on the Gartner Magic Quadrant. I like it a lot better than ArcSight, which was owned by HP at one point or another. In comparison to that, Splunk is much more agile and quick. It comes from a business analytics perspective. It is a lot easier to build the bridge between the business and security based on that platform. As far as stability and scalability are concerned, it is a brilliant solution.

I would rate Splunk Enterprise Security a nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer. MSP
reviewer2756172 - PeerSpot reviewer
Incident Response Engineer at an international affairs institute with 1,001-5,000 employees
Real User
Top 20
Sep 13, 2025
Improves threat detection and streamlines investigations with integrated threat intelligence
Pros and Cons
  • "I have not experienced any downtime, crashes, or performance issues with Splunk Enterprise Security."
  • "Some additional features that should be included in the next release of Splunk Enterprise Security are an integrated Attack Range, not as a separate solution, providing a way to test the rules in the production environment."

What is our primary use case?

My main use cases for Splunk Enterprise Security include insider threat hunting, supporting operations, and Threat Intel integration for security; I have a lot of use cases.

How has it helped my organization?

The features of Splunk Enterprise Security benefit my organization by providing a faster response and making it easier for the analyst to investigate.

What is most valuable?

The features I appreciate the most about Splunk Enterprise Security are the Enterprise Security features, the threat intelligence of Enterprise Security, the onboarded ones, and the versioning of the rules introduced on Enterprise Security; these are the top ones.

My organization uses risk-based alerting in Splunk Enterprise Security. Splunk Enterprise Security has supported my SOC a lot, however, we have some challenges due to the architecture of our network, so there is some custom work to be done by Splunk engineers to help us maximize the benefits.

I am using new threat detection features in Splunk Enterprise Security, including the onboard ones and Mandiant. These new features have highly improved our threat detection capabilities.

Splunk Enterprise Security has helped improve my organization's business resilience.

I'm not dealing with pricing, setup costs, or licensing for Splunk Enterprise Security; I'm focused on the technical part. What works with Splunk Enterprise Security is that it does work in general; I haven't faced any challenges; it's great.

What needs improvement?

Improving Splunk Enterprise Security is a challenging task; I have already reported several technical issues to the relevant teams and received solutions from them.

One favor I ask for them is just to keep maintaining the on-prem version of Enterprise Security and not move everything to the cloud since we operate mostly in an air-gapped environment, so we only use some of the features of it.

Some additional features that should be included in the next release of Splunk Enterprise Security are an integrated Attack Range, not as a separate solution, and providing a way to test the rules in the production environment.

For how long have I used the solution?

I've been using the solution for 11 years.

What do I think about the stability of the solution?

I have not experienced any downtime, crashes, or performance issues with Splunk Enterprise Security.

What do I think about the scalability of the solution?

Splunk Enterprise Security scales pretty well with the growing needs of my organization; we don't have issues. I have expanded the usage of Splunk Enterprise Security a lot. The process of expanding usage has been smooth; I have no problems so far, and it scales very easily.

How are customer service and support?

I would evaluate customer service and technical support for Splunk Enterprise Security as fast.

How would you rate customer service and support?

Positive

How was the initial setup?

I would describe my experience with deploying Splunk Enterprise Security as straightforward.

What was our ROI?

I have seen a return on investment with Splunk Enterprise Security, definitely, however, I don't have the specific metrics to back that up.

What other advice do I have?

The most significant challenge I face when using Splunk Enterprise Security for advanced threat detection is alert fatigue. Although there are ways to mitigate it, it remains a persistent issue, as evidenced by complaints from analysts. While alert fatigue is alleviated to some extent, it still persists.

My advice to other organizations considering Splunk Enterprise Security is to at least give it a try; I know there are other solutions in the market, some of which may even be better than Enterprise Security, however, you have everything on a single pane of glass, so I think it's definitely something that enterprises should test.

On a scale of one to ten, I rate Splunk Enterprise Security an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 13, 2025
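Three reviews on this page touch risk-based alerting (one organization has it enabled, one has not rolled it out yet) and the alert fatigue that persists even with it. As an added example that is not code from Splunk or from any reviewer, the Python below sketches the aggregation that risk-based alerting performs: each detection writes a risk event against an entity, and a notable is raised only when an entity's accumulated risk inside a sliding window crosses a score threshold or spans enough distinct ATT&CK tactics. The rule names, scores, thresholds and the event stream are all constructed and hypothetical.

```python
"""Risk-based alerting (RBA) sketch: many low-fidelity detections, one notable.

Added illustration only; it is not Splunk's implementation. Rule names, risk
scores, thresholds and the event stream below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical detection rules with the risk each contributes and its ATT&CK tactic.
RULES = {
    "brute_force_logon":      {"score": 20, "tactic": "Credential Access"},
    "new_admin_group_member": {"score": 30, "tactic": "Privilege Escalation"},
    "rare_process_parent":    {"score": 25, "tactic": "Execution"},
    "large_dns_txt_volume":   {"score": 40, "tactic": "Command and Control"},
    "failed_vpn_logon":       {"score": 5,  "tactic": "Credential Access"},
}

# Constructed risk events, as a risk index would hold them (one row per rule match).
RISK_EVENTS = [
    # alice: four different detections inside two hours -> should become one notable
    {"time": "2025-09-10T08:00:00", "entity": "alice", "rule": "brute_force_logon"},
    {"time": "2025-09-10T08:20:00", "entity": "alice", "rule": "new_admin_group_member"},
    {"time": "2025-09-10T09:05:00", "entity": "alice", "rule": "rare_process_parent"},
    {"time": "2025-09-10T09:50:00", "entity": "alice", "rule": "large_dns_txt_volume"},
    # carol: two real detections, but three days apart -> never in the same window
    {"time": "2025-09-08T10:00:00", "entity": "carol", "rule": "brute_force_logon"},
    {"time": "2025-09-11T10:00:00", "entity": "carol", "rule": "new_admin_group_member"},
] + [
    # bob: twelve noisy VPN failures over a day, all one tactic -> stays below threshold
    {"time": f"2025-09-10T{h:02d}:00:00", "entity": "bob", "rule": "failed_vpn_logon"}
    for h in range(12)
]


def _enrich(events):
    """Attach score and tactic from RULES and sort the rows by time."""
    rows = []
    for e in events:
        rule = RULES[e["rule"]]
        rows.append({
            "time": datetime.fromisoformat(e["time"]),
            "entity": e["entity"],
            "rule": e["rule"],
            "score": rule["score"],
            "tactic": rule["tactic"],
        })
    rows.sort(key=lambda r: r["time"])
    return rows


def aggregate_risk(events, window_hours=24, score_threshold=100, tactic_threshold=3):
    """Return {entity: notable} for entities whose risk inside a sliding window
    reaches score_threshold, or that show tactic_threshold distinct tactics.

    The window slides over each entity's events in time order; the notable keeps
    the highest-scoring qualifying window so analysts see every contributing rule.
    """
    window = timedelta(hours=window_hours)
    by_entity = defaultdict(list)
    for row in _enrich(events):
        by_entity[row["entity"]].append(row)

    notables = {}
    for entity, rows in by_entity.items():
        best = None
        start = 0
        for end, row in enumerate(rows):
            # Drop events that fell out of the window ending at this event.
            while row["time"] - rows[start]["time"] > window:
                start += 1
            in_window = rows[start:end + 1]
            total = sum(r["score"] for r in in_window)
            tactics = {r["tactic"] for r in in_window}
            if total < score_threshold and len(tactics) < tactic_threshold:
                continue
            if best is None or total > best["score"]:
                best = {
                    "entity": entity,
                    "score": total,
                    "tactics": sorted(tactics),
                    "rules": [r["rule"] for r in in_window],
                    "first_seen": in_window[0]["time"].isoformat(),
                    "last_seen": row["time"].isoformat(),
                }
        if best is not None:
            notables[entity] = best
    return notables


def alert_reduction(events, **kwargs):
    """(raw risk events, notables produced): the ratio an RBA rollout is judged on."""
    return len(events), len(aggregate_risk(events, **kwargs))


if __name__ == "__main__":
    for n in aggregate_risk(RISK_EVENTS).values():
        print(f"{n['entity']}: risk {n['score']} across {len(n['rules'])} events, "
              f"tactics {n['tactics']}")
    print("events -> notables:", alert_reduction(RISK_EVENTS))
```

Running it collapses the 18 constructed risk events into a single notable for alice, while bob's twelve VPN failures stay below the score threshold and carol's two genuine detections never share a window. Lowering score_threshold or widening window_hours makes bob's noise surface as a notable too, which is the tuning trade-off behind the alert fatigue the last review describes.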