Our primary use case is SOC operations. However, we do have a lot of people sprinkled around that deal specifically with data analytics.
Tech Director at a government with 10,001+ employees
Increases observability, cuts security operations costs, and has amazing support
Pros and Cons
- "The consolidated overview of all the events that come in through our environment and an easy-to-access interface for all our end users are valuable."
- "I love the solution, but I would like to see more accessibility to the machine-learning capabilities that are sprinkled around Splunk."
What is our primary use case?
How has it helped my organization?
Splunk Enterprise Security definitely improved our organization. It has helped out with handling our SOC operations across the enterprise. It has increased observability exponentially as we build out the solution to support enterprise operations, and we definitely hope to see it evolve in the near future as well.
We manage multiple clouds. The Spunk solution for the cloud environment is a great asset for us, especially because we are able to get full observability of our cloud platforms in a consolidated environment. In terms of integrations, Splunk has so many integrations with our different cloud service providers, which allows us to easily get that data down to our operators.
We run a global operation, so we have to have observability across the board. Splunk allows our operators to quickly gain insights into the global operation so that they can handle the day-to-day activities that they do, which includes the security analysts' work, data analysts' work, or anything along the lines of handling troubleshooting.
It has reduced our operation time, and it has cut time by more than half.
It has improved our organization’s business resilience. It has helped with disaster recovery and continued operations in the event of disaster recovery.
It has been an extremely good asset to support day-to-day activities for operations. It is something that was required and needed for over a decade now. It is definitely a nice change of pace, and it also improves the quality of service that our operators can provide to our customers and clientele.
It has cut our costs when it comes to running security operations. I do not have the exact numbers, but it has been a significant cut, especially because we have better access to data engineering and data scientists' tool sets to cut the data cost.
What is most valuable?
The consolidated overview of all the events that come in through our environment and an easy-to-access interface for all our end users are valuable. As we get more people onboard, it is important that they are able to easily jump onto the platform and understand what they need to see in our environment. Having that quick operational capability allows us to get our observability up to speed as fast as possible.
What needs improvement?
I love the solution, but I would like to see more accessibility to the machine-learning capabilities that are sprinkled around Splunk.
Buyer's Guide
Splunk Enterprise Security
November 2024
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
823,795 professionals have used our research since 2012.
For how long have I used the solution?
We have been using Splunk Enterprise Security for about a good five years.
What do I think about the stability of the solution?
It is probably one of the most resilient tools in our environment, so I really enjoy what it provides us. It definitely provides us that 24/7 accessibility to our environment.
What do I think about the scalability of the solution?
The scalability is exactly what we needed to make sure that we have observability at the global scale. For global operations, Splunk has great scaling features to make sure that it is able to handle the large volume of data that we handle.
How are customer service and support?
Splunk's support is great and amazing. The people we work with in our corporate environment are top-tier experts. They understand our environment very well, especially because they have worked in our environment before, so Splunk has done a great job in getting that type of talent to support their customers. I would rate them a ten out of ten.
How would you rate customer service and support?
Positive
How was the initial setup?
I was not involved in its deployment. I adopted it after I took this role.
What was our ROI?
We have seen a significant return on investment when it comes to Splunk, especially because of how it has allowed our operators to quickly respond to events on a day-to-day basis. It has allowed global observability.
There has definitely been a time to value. It comes down to having operators have access to such a unified platform.
What's my experience with pricing, setup cost, and licensing?
From what I have seen so far, Splunk has multiple cost models. The one that we are using is pretty good when it comes to ingesting data into the environment. It has worked out pretty well.
Which other solutions did I evaluate?
We have evaluated other solutions, and Splunk definitely comes out as one of the top competitors due to its interoperability with a lot of data sources that are sprinkled around in our environment. This interoperability is a key piece because we have such a diverse asset environment.
What other advice do I have?
Overall, I would rate Splunk Enterprise Security a ten out of ten.
The biggest value I get from Splunk conferences is being able to interact with my peers throughout our organization. I get an idea of what they are doing to make sure that we are on the same page and that we are able to cohesively build our security operations.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Analytics innovation lead at a pharma/biotech company with 10,001+ employees
Enables us to integrate the solution with other products to automate tasks, saving us time
Pros and Cons
- "You can integrate Splunk with third-party security automation solutions and set rules for automatic response."
- "Splunk ES could have more pre-built integrations and rules. The detection is fairly accurate, but it depends on the rules you create. Splunk's out-of-the-box configuration isn't that useful."
What is our primary use case?
We primarily use Splunk Enterprise Security for security incidents and event management. The solution is deployed in one department, but it covers multiple locations worldwide.
How has it helped my organization?
With Splunk, we can monitor and manage enterprise-wide events. It provides a single console for various data sources covering the entire organization, which is critical for compliance purposes.
We can integrate Splunk Enterprise Security with other solutions to automate some security tasks, saving us some time. For example, if you detect potential malware and you want to isolate one system from the organization's network, you don't need to trigger a process. We can fully automate that. Minutes after malware is detected, the machine will be automatically quarantined from the rest of the network.
What is most valuable?
You can integrate Splunk with third-party security automation solutions and set rules for automatic response. Splunk can monitor multiple cloud environments, but it's a little tricky if you're working with several vendors. Every cloud environment is slightly different, and some are better integrated.
The visibility into multi-cloud environments is decent. It depends on the number of sources you have, and Splunk is pretty flexible from that perspective. You can add any type of data source. The challenge is the engineering effort some of these data sources require, but others are effortless to manage.
We haven't used the insider threat capabilities yet, but it's an area that we want to explore. We have other tools for this. We use different products for threat intelligence.
What needs improvement?
Splunk Enterprise Security could have more pre-built integrations and rules. The detection is fairly accurate, but it depends on the rules you create. Splunk's out-of-the-box configuration isn't that useful.
If you spend time with your team creating rules specific to your environment, you can get a lot of value from Splunk. At the same time, that requires some additional effort and costs. Splunk has a few built-in integrations that are ready to go. In other cases, we need to build custom solutions, which is more difficult and costly.
For how long have I used the solution?
I have used Splunk Enterprise Security for about three years.
What do I think about the stability of the solution?
It is stable overall.
What do I think about the scalability of the solution?
Splunk Enterprise Security scales up pretty well.
How are customer service and support?
I rate Splunk support seven out of 10. There is a little room for improvement. We always start with junior support engineers who lack the experience to deal with complex issues, which are the only problems we ever contact support about. Our staff members can handle most minor issues.
We typically need to escalate, and we've had an excellent experience with the higher-level engineers. Those qualified engineers are scarce, so I can imagine a situation where two big Splunk customers have significant problems simultaneously, but there aren't enough available technicians. Splunk has the right people but maybe not enough of them. The process could also be improved.
How would you rate customer service and support?
Neutral
How was the initial setup?
Deploying Splunk was relatively complex. After deployment, it requires some maintenance and management. A team of about 10-15 people is responsible for the solution.
What about the implementation team?
We deployed Splunk with an in-house team of five to 10 people and some professional support from the vendor.
What was our ROI?
We've seen an ROI by automating Splunk Enterprise Security, but automation requires another product and license.
What's my experience with pricing, setup cost, and licensing?
Splunk Enterprise Security is quite expensive compared to some products on the market.
Which other solutions did I evaluate?
The company evaluated a few tools before deciding on Splunk. I used ArcSight at a previous job. Splunk is more flexible than ArcSight, and it has various modules you can purchase to expand the functionality. You don't need to invest in a different solution because you can purchase add-ons for your existing infrastructure.
It's modular, so you can tailor Splunk to your organization's size, structure, and specific needs. The customer can do it. You don't need to request it from a service provider.
What other advice do I have?
I rate Splunk Enterprise Security eight out of 10. My advice would be that before deploying Splunk, research some of the company's materials and make sure it meets your cybersecurity requirements.
You may need to purchase other tools, and the solution might not do everything you want it to do out-of-the-box. Depending on your environment, you'll probably need to invest some time and money into the solution to get the results you want.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Splunk Enterprise Security
November 2024
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
823,795 professionals have used our research since 2012.
Security Engineer at a recreational facilities/services company with 10,001+ employees
Very versatile for many use cases
Pros and Cons
- "The feature that I have found most valuable with Splunk is the ability to sift through a bunch of data very quickly."
- "Their technical support sucks."
What is our primary use case?
We are using Splunk in the standard information security use case. We're also using it for various application use cases around identity management, windows active directory, and those types of use cases.
How has it helped my organization?
Splunk has provided a venue for us to determine student engagement during COVID, for which we didn't really have any other way except by looking at data that we captured off of our student systems and our authentication servers to see who's logging in, and who's logging out, and for how long they've been logged in.
What is most valuable?
The feature that I have found most valuable with Splunk is the ability to sift through a bunch of data very quickly.
We have about a 500 gig license with Splunk, so it's not like petabytes of data, but even 500 gigs is kind of hard to sift through sometimes.
What needs improvement?
Splunk has been improving consistently over the last couple of revs. I still think there are some administrative features that they could improve on and make them less kludgy, but from a user perspective, it has gotten very clean and very sexy looking over the last few builds. So the users seem to like it.
By less kludgy, I mean that in the version I'm running, I still have to go into the command line and modify files and then go into the GUI and validate that they got modified. So it's not all in the GUI, but it has been moving slowly to the GUI over the last several versions. It would be nice if they could move all of the administrative features into a GUI platform so that when you're in the Splunk distributed environment management platform, you then don't have to go into the command line to add new applications or new packages that you then want to be able to push out to your forwarders. Their forwarder management is still kind of split that way.
I don't really have any feature requests in Splunk's space. They seem to be doing a good job of keeping it contemporary from that perspective.
Splunk's mission is to move everyone to the cloud and charge us a bunch more money. Their goal is to cloud source everything, and quite honestly, the price of cloud sourcing the product, even at smaller 500 gigs a day (which isn't a lot of data by Splunk standards) in the cloud for that is ludicrous. The cost for me to buy equipment every three years and own licensing and run it local to my prem, is significantly less from a three or five year license. I'm going to spend X amount of money on hardware every X years, and I'm going to have to pay licensing costs on software of X over that same period versus that amount that I'd amortize over five years is what I would be paying every year in the cloud.
That is the point with the product. It seems like they are so focused on forcing everyone into the cloud that they seem to be not understanding that there are people that don't have those really deep pockets. It's one thing for a Fortune 50 company to spend a million dollars a year in the cloud. It's another thing when you're a nonprofit educational institute to spend that kind of money in the cloud. Even though we do get some discounts in most of the cloud space providers, it is still not on par with the big public businesses.
For how long have I used the solution?
I have been using Splunk for probably 10 years.
What do I think about the stability of the solution?
At least in our environment, it is super stable. When you think about how much time you spend working with other applications, just Windows Server requires more feeding than Splunk does, you see that Splunk is a very low maintenance care and feeding product.
We have probably 150 users in the environment and their roles vary from being application management folks to application engineering folks to the executive suite, so lots of different use cases. The executive suite tend to prefer more curated content and the application owners have a mix of curated content and dynamic search functions they can perform. Then the engineering tier basically gets some curated content and some free reign to do whatever they want for the most part. I'm the guy that supports this instance. So there's one person.
I support not only Splunk, but I am also the campus security engineer and I'm also the dude that runs or is responsible for all of our campus monitoring infrastructure. So that tells you how little maintenance is required.
We are adding new use cases on a fairly regular basis and we are adding more licensing to our indexing license. I don't see Splunk going away. There's nothing else that I think provides the ability to do this much data analytics from just the numbers of equipment that you need to run it. Also, the number of people that you need to actually make sure that it's functioning well. In higher ed., everybody always says we should do open source. And I respond that what I do in Splunk with 20 systems, I would need three racks of equipment to do on an open source platform. I have basically 70 - 75% of the racks now and I'd need three times that or more to run this as an open source product. And it wouldn't be as cute and it wouldn't be as beautiful or as flexible.
What do I think about the scalability of the solution?
I know other folks in the higher ed. space that are running petabyte size instances with Splunk. So I would have to say it scales very well just from talking to the folks in my market silo.
How are customer service and support?
Their technical support sucks.
My engagement with their technical support was for a product which they basically took over from an open source product and they just seemed to not be able to figure out why it's not doing what it's supposed to do. The number of times I've had to engage with Splunk for solutions has been for a couple of use cases. And in every one of those use cases, support was very painful. It took a very long time and it seemed like they were more interested in burning their queue volume than actually satisfying me as a customer.
I work in higher ed. Here in higher ed., it costs us a lot of money to run it. The support from the company that you spend a lot of money with is pretty poor. I get most of my support through the Splunk sales folks because they seem to know more and they're more incentivized to keep me as a customer. When I call in to open a ticket with Splunk support, they really don't know, and this is going to sound terrible, they don't really care whether I have a 50 Meg license or a 50 petabyte license. If it's not on their workflow, their pre-programmed triage, they can't do it.
Which solution did I use previously and why did I switch?
Splunk came into being at Case Western when we were looking for a better log product than Check Point was providing at that point in time. My entire investment in Splunk, in hardware and software and integration cost, was cheaper than what Check Point was going to provide, or what the Check Point solution path was for just looking at firewall data. We knew we needed to be able to do more analytics than what we were currently getting out of our firewall products and Splunk was brought in to do that. It can do this and a whole lot more.
How was the initial setup?
Splunk is a complex critter to put in and it's a more complex critter to keep running. We have 10 search heads and four indexers and universal and a heavy forwarding cluster. We have clustered indexers and clustered search heads. This is definitely not a drag and drop product.
We engaged a third party Splunk integrator to help us do our Splunk deployment and they did our initial deployment. We used a different integrator to do some of our upgrades, which we probably won't use again. Our implementation strategy was we really just wanted to look at the classic security use case when we put this in 10 years ago. Then after that came in, and everybody was happy with what it was doing, we added some other use cases and universal forwarding and so on and so forth.
What about the implementation team?
We used an integrator.
The integrator we used to do our initial deployment was excellent. The integrator we used to do our last round of upgrades was less than excellent.
When I hire an integrator to do an upgrade in an environment, I expect them to come back and say "all of your application layer apps are upgradeable, but your OS's need to be upgraded. Do you want me to do that? Or should you do that?" I now have different versions of OS's under Splunk running in my Linux world and it would've been nice to upgrade the system OS and then upgrade Splunk, even if it was more disruptive. I guess I have to read the statement of work more closely in the future.
What was our ROI?
The TCO and ROI are really great if you're in the private, non-public sector and you're in a more standard business sector. The return on investment in total cost of ownership on Splunk is from somebody who doesn't fit into that neat silo. Do we calculate that stuff? So our return on investment is by being able to solve problems that we never knew we could solve. My answer to it is the flexibility to be able to figure out student engagement when COVID hit. This was the only platform we could do it on.
What's my experience with pricing, setup cost, and licensing?
I can comment on price in this way - in education in Ohio, we're part of the Ohio supercomputer consortium, and they act as a collective bargaining agent. So we get our licensing as a piece of the State of Ohio's Splunk license. So my pricing is very much not list or even reduced list because of the volume that the state buys.
We generally spend about $20,000 a year in third party integrator costs to get us past some of the rough edges that we get with Splunk support.
Which other solutions did I evaluate?
We briefly looked at the open source product and we obviously looked at a Check Point product. When we looked at Splunk it seemed like they had a smaller cost to procure it, and a much smaller cost to maintain it than all of those other solutions. So it was kind of why we went with Splunk. This is very non-intuitive since everybody says they love Splunk but it costs too much.
What other advice do I have?
My advice to anyone considering Splunk is to understand exactly how much data you want to look at and you want to bring in on a daily basis. Then create a rational strategy to bring the data in, in reasonably sized chunks, that fulfill a use case at a time.
On a scale of one to ten, I would rate Splunk a really good nine.
I'd rate it a really good nine because it's really versatile. You can do a lot of things with it. It allows you to do a lot of analytics in the platform without needing a bunch of other third partyware to help you figure it out.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Security Engineer at a financial services firm with 5,001-10,000 employees
Helps us fully understand the origin of threats and where we need to go next to go in our investigative process but lacks SOAR and AI integrations
Pros and Cons
- "The most valuable feature is the ability to look at threats and link them to the MITRE ATT&CK framework."
- "We don't have SOAR products from Splunk. I believe that's an important piece."
What is our primary use case?
I work on the engineering side, so we build for the SOC. The use cases revolve around how the SOC can better leverage the toolset and how we can improve the tool for the SOC to better identify threats within the environment.
How has it helped my organization?
I have used it in previous jobs and found it very useful there. It's important for our organization to have end-to-end visibility.
We don't have SOAR products from Splunk. I believe that's an important piece if it is offered with this platform to fully have the enterprise end-to-end visibility. While Splunk's offering is great, and we should consider leveraging it, we do have another platform in place. We need to carefully evaluate how Splunk's offerings integrate into the environment to provide that end-to-end visibility.
From the threat landscape view within Splunk Enterprise Security, it is valuable. The fields that are available provide a high-level overview of what is in front of us and drill down further to see the threat landscape that is in your environment. You can further investigate these threats in the Attack Analyzer. So, even with our current setup, we can achieve a degree of end-to-end visibility and threat analysis within the platform.
Splunk Enterprise Security helped improve our organization's ability to ingest and normalize data.
Before this, we used a different SIEM solution, but there was no visualization to it. Splunk gives us the ability to correlate data from different sources, see it in real-time, pull it all together from different landscapes of data sources, pull it all together, and look at the timelines of events about what's going on. It helps to narrow down quickly.
The recent feature updates with AI integrations are even more promising. I believe these will further enhance the SOC's ability to quickly identify threats and, hopefully, mitigate them before they propagate throughout our environment.
What is most valuable?
The most valuable feature is the ability to look at threats and link them to the MITRE ATT&CK framework. This helps our staff identify threats within our environment and appropriately landscape them.
Splunk Enterprise Security provides us with relevant context to help guide our investigations.
At a high level, we can see threat details and then drill down further. It maps to important frameworks, like MITRE ATT&CK, to help us fully understand the origin of threats and where we need to go next to go in our investigative process.
It integrates with other platforms like Attack Analyzer and SOAR, and soon, AI integrations. These will further help us reduce the threat landscape.
What needs improvement?
We don't have SOAR and AI integrations yet.
For how long have I used the solution?
I've been using Splunk Enterprise Security for about a year, but we recently just onboarded Splunk to the organization, so we're still working on permissions that we used at a previous job.
We're still working on permissions within the organization.
What do I think about the stability of the solution?
It's a stable product. I've used other SIEMs. It is much easier to navigate. It is more user-friendly. It is understanding SPL (Search Processing Language), coming in, not knowing it at all.
It is much easier to go to the Splunk documentation, read the Splunk documentation, and understand, "Okay, this is what I'm looking for!"
At my previous company, they rolled out Splunk and said, "Okay, we're ingesting all the logs in Splunk. Now go and just do it."
There was no training involved, so I had to go and learn it on my own. And because while the logs were in the environment, I had to just go and go get the logs out of Splunk; I couldn't go to a server anymore or get logs the old-fashioned way.
I had to learn Splunk quite quickly. It was easy to navigate the documentation, read the documentation, go to the community site, and navigate the community site; getting that information was quite easy.
So it was a good experience, a much better experience in dealing with some other vendors. I've dealt with things like QRadar, and I had a difficult time even figuring out what their query language was and understanding how to translate that into actually getting a search to pull back data.
What do I think about the scalability of the solution?
I've worked in some environments where it's been used extensively with enormous amounts of data.
In my current environment, we're still figuring out how much data to ingest and how it will be managed. We can adjust whatever we want, but it is an enormous amount of it because we are a "Big Data World" now.
I have used it in environments where we had data lakes upon data lakes. Scalability from Splunk's point of view wasn't an issue. It was able to scale quite easily.
The issue lies more on the business side like:
- How to maintain that growth?
- How do you account for that growth?
I don't think the issue is really from the Splunk standpoint. It's on the business side: How do you make sure you account for that growth in your models?
How are customer service and support?
I had a good experience with support.
How would you rate customer service and support?
Positive
What other advice do I have?
Based on my limited experience, I'd rate it a seven out of ten. However, I have high expectations due to the integrations I see possible, such as SOAR and the upcoming AI integrations. The roadmap for it is out of this world.
I'm excited to see what Splunk has to offer with the Cisco offerings and the interconnectivity with Cisco.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Jul 9, 2024
Flag as inappropriateInformation Security Engineer at a educational organization with 1,001-5,000 employees
Helps with quick analysis and helped improve our organization’s ability to ingest data
Pros and Cons
- "Splunk Enterprise Security quickly gives us a view of an endpoint or a user or identity. If I want to look for an identity or an asset, I just quickly go into Splunk Enterprise Security. I know where to go and get a quick analysis for a respective object."
- "At Splunk .conf24, I saw a demo for Splunk Enterprise Security 8. All the things that they have done in Splunk Enterprise Security 8 are what it can be better at."
What is our primary use case?
We use Splunk Enterprise Security for our security analysts for them to be able to view incidents. They are not 100% dependent on Splunk Enterprise Security as their incident source. They do have other tools that they use and other things like whois data, threat intel, and lookups for our domain. They are able to quickly look at the activities done for the assets that we have.
How has it helped my organization?
I am not from the management or the leadership, but I do feel that it has been helpful for us Splunk engineers who are responsible for looking at all the data and logs. Splunk Enterprise Security quickly gives us a view of an endpoint or a user or identity. If I want to look for an identity or an asset, I just quickly go into Splunk Enterprise Security. I know where to go and get a quick analysis for a respective object. The analysts have their dashboards, and they have their action items. They use it differently. They follow all the common procedures.
We are on-prem. We are not on the cloud. As of now, Splunk Enterprise Security does not provide us with end-to-end visibility, which is one of the drawbacks of why we need to use other tools. It is not that Splunk Enterprise Security cannot do it. It is just the way it is configured right now. We are working with Splunk engineers. We have a lot of professional service hours that we spend with them bringing all parties into the picture and doing working sessions.
Right now, Splunk Enterprise Security is in the middle in terms of helping us find any security event across our environment. Based on the way the configuration is done in our environment, it would not be right to say that the incident would be reported accurately from Splunk Enterprise Security. That is because not a lot of data is being put into Splunk Enterprise Security to make something a notable event and report about it. If we configure it better and have more data models normalized, and then we use it, it will be more helpful. It has been a long-term goal, but we will reach there soon.
Splunk Enterprise Security has helped improve our organization’s ability to ingest data.
Splunk's unified platform has not helped consolidate networking, security, and IT observability tools. I am an engineer, and I am more into administration and creating user interfaces on Splunk Enterprise itself, not Splunk Enterprise Security. We have done some work on Splunk Enterprise Security and then left it with analysts. It is up to the analysts now. Splunk Enterprise Security is not 100% configured. Some basic data models have been set up. They are generating notables, and we are generating alerts out of it, but it is not 100% there. They do have to use other tools such as their networking tools to get a full picture for incident reporting.
What is most valuable?
One of the most popular features that I personally like is that in the case of an event, I should be able to run a desired action for that on a threshold, but that is not how we are using it right now, unfortunately. We have a pretty manual process. We have an operating procedure, and we follow that. I would like to see it automated. I do not want analysts to decide whether the action needs to be done or not. It should be done provided the policy says so. If the policy says it needs to be done, it should be an automatic process rather than a manual process.
What needs improvement?
At Splunk .conf24, I saw a demo for Splunk Enterprise Security 8. All the things that they have done in Splunk Enterprise Security 8 are what it can be better at. They have put Mission Control as a part of the notable or finding itself. The investigation shows the findings, and the findings allow us to do everything that we are doing in Mission Control right there on that same screen. That is what we want now. They said it is going to be released in two to three months. We are hoping that we will be able to use it. I was hoping that I would be able to see version 8 when I am here at Splunk .conf24, and when I go back, I would be able to help them implement it, but it is still 7.3.
For how long have I used the solution?
I have been using Splunk Enterprise Security for two years.
What do I think about the stability of the solution?
It is pretty stable.
What do I think about the scalability of the solution?
It is pretty scalable. We have a huge deployment. It is good.
We are a huge agency. It is in the public sector. We have 15 terabytes of data.
How are customer service and support?
They are good. We have a huge team of Splunk engineers within our company. Some of them are contractors, and some of them are employees. They are pretty responsive.
Based on my interaction, I would rate them an eight out of ten. Some engineers do not understand what is there to solve, and they start pushing their perspective on the customer, which is not how it should be because it is not their environment.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We did not use any similar solution previously.
How was the initial setup?
The deployment of Splunk Enterprise Security was very simple.
What about the implementation team?
We have professional service hours. We worked with Splunk engineers, and we had live working sessions. We were doing it like that. We did it for over a period of time, but that did not give us the full power of Splunk Enterprise Security. For that, we need to be able to configure our own data models and normalize the data. That is not happening 100%.
What's my experience with pricing, setup cost, and licensing?
It is quite expensive.
Which other solutions did I evaluate?
We did not evaluate any similar solutions.
What other advice do I have?
At this time, I cannot assess Splunk Enterprise Security in terms of the ability to identify and solve problems in real time, but we do use regular Splunk to pinpoint a lot of problems. It helps us a lot. We are able to pinpoint a lot of things, whether they are vulnerabilities or pointing to some logs in the firewall or authentication logs. All the analysts use it very frequently to write searches.
Splunk Enterprise Security has not helped improve our organization’s business resilience because we are not 100% dependent on it.
Splunk Enterprise Security can provide us with the relevant context to help guide our investigations. However, the input is not 100% perfect, so the output is not 100% perfect.
I would rate Splunk Enterprise Security a ten out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Jun 23, 2024
Flag as inappropriateSecurity Engineer at Softtek
Has been instrumental in improving our incident response time, especially for user authentication issues
Pros and Cons
- "Splunk stands out for its extensive application integrations."
- "The user interface is not user-friendly for non-technical users."
What is our primary use case?
Splunk Enterprise Security offers a wide range of capabilities that benefit our organization. This includes user behavior analytics, which helps us identify suspicious activity. Additionally, Splunk Enterprise Security allows us to create custom alerts for various internal security needs.
How has it helped my organization?
Splunk has been instrumental in improving our incident response time, especially for user authentication issues. It excels at detecting anomalous behavior, such as brute force attacks or multiple login attempts from a single source. This allows us to quickly identify and address potential security threats, making Splunk a vital tool for our cybersecurity incident response efforts.
The asset and identity management feature strengthens our overall security posture. This system relies on the creation of security roles by administrators. These roles then determine access permissions based on the principle of Role-Based Access Control. In this way, access is carefully controlled and assigned based on specific job duties. It's important to note that administrators retain a high level of access and make final decisions regarding access permissions.
Splunk offers a variety of dashboards, including real-time dashboards that update continuously. These dashboards complement Splunk's real-time alerts by providing a visual overview of our system's health. They can be built to leverage different Splunk resources, like indexes, search clusters, and host clusters. This allows us to monitor key metrics and identify potential issues in real-time, helping us maintain a healthy and efficient system.
Our SoC and Analytics teams use Splunk to monitor multiple cloud environments.
The visibility into multiple environments is good.
The insider threat detection is valuable for our organization because it helps us identify unknown threats. While we leverage existing threat intelligence for known threats through signatures and endpoint protection tools, these methods have limitations. Since they rely on predefined information, they can't be readily integrated with Splunk to monitor for and generate alerts based on these known threats. Splunk's strength lies in its ability to detect anomalies and suspicious user behavior, which can be crucial for uncovering insider threats that might bypass traditional signature-based defenses.
Splunk Enterprise Security excels at analyzing malicious activity. Our team has created several use cases to identify such activity. These use cases focus on data patterns that might indicate malicious intent, such as a sudden increase in login attempts or logins occurring outside of regular business hours. Additionally, we can identify brute force attacks attempting to crack passwords through repeated login attempts. This allows us to effectively monitor for and respond to potential security threats.
It has improved our detection ability and has helped reduce our alert volume to a manageable level.
Splunk has helped speed up our security investigation.
What is most valuable?
Splunk stands out for its extensive application integrations. It boasts a user-friendly interface with intuitive features that are easy to understand and navigate for technical users. This accessibility is a major reason why I find Splunk so appealing.
What needs improvement?
The user interface is not user-friendly for non-technical users.
For how long have I used the solution?
I have been using Splunk Enterprise Security for three and a half years.
What do I think about the stability of the solution?
Splunk Enterprise Security is extremely stable.
What do I think about the scalability of the solution?
Splunk Enterprise Security is easily scalable.
How are customer service and support?
We have only had minimal contact with Splunk technical support.
How would you rate customer service and support?
Neutral
How was the initial setup?
The initial deployment is straightforward.
What's my experience with pricing, setup cost, and licensing?
Splunk Enterprise Security is affordable.
While affordability is important, I recommend Splunk Enterprise Security over the cheapest option on the market. This is because Splunk offers a robust feature set that justifies its cost.
What other advice do I have?
I would rate Splunk Enterprise Security nine out of ten.
We have Splunk Enterprise Security deployed across multiple locations.
Splunk Enterprise Security requires minimal maintenance.
I recommend Splunk Enterprise Security as a scalable and reliable solution for both on-premises and cloud environments.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Jun 2, 2024
Flag as inappropriateCyber Security Specialist at a tech services company with 10,001+ employees
Monitors multiple cloud environments and integrates well with other tools
Pros and Cons
- "It follows MITRE ATT&CK and Cyber Kill Chain frameworks. There are certain notable events for which we can configure our security posture."
- "The support and the pricing can be better"
What is our primary use case?
There are lots of use cases such as finding threats, attack factors, and logs. It helps with rogue DNS or brute force attack detection. We have logs related to why a particular account was created. There is alerting. We can get some false positives, but by fine-tuning some of the things, we can reduce false positives.
Splunk is a security monitoring tool. It helps with incident handling, data logging, and observability of metrics. Splunk can handle all these things. Splunk Enterprise security is a premium app of Splunk through which we can have all the threat intelligence and incident reviews. It helps in finding all the attacks and Advanced Persistent Threats (APTs).
We also have dashboards. We can collect logs from different sources and applications. We can also troubleshoot issues. If we are having any issues with an application, we can go to that particular index to see what is the cause. If any application is failing or giving an error, we can troubleshoot the issue. We do not have to log into the server to find the error.
How has it helped my organization?
We monitor multiple cloud environments. We have GCP, Azure, and AWS. It is easy to monitor multiple cloud environments using the Splunk Enterprise Security dashboards. Splunk releases inbuilt apps, so by using those apps and add-ons, we can integrate it with our cloud environments. For example, for Azure, they have a Microsoft Cloud Services add-on. We need to register the app in Azure, and after registering the app, we have to use the tenant ID and set it up. There are a lot of inputs, and we can use all those inputs to onboard different logs from Azure. There is also the capability for HTTP event collection.
We have a hybrid environment, and that works best for us. For a lot of things, we cannot just go fully cloud. Hybrid is the best option for us. We are happy with the visibility that Splunk Enterprise Security provides. It is also about how we configure things. If we do not do it in the right way, we will not get visibility. We have to know what kind of tools we are using and what kind of data we are pulling. We cannot pull everything. We have to know what to pull. If we pull only what is required, we would not have any problems.
Splunk Enterprise Security comes with MITRE ATT&CK and Cyber Kill Chain frameworks by default. There are 12 processes in the MITRE ATT&CK framework. We just have to onboard logs, create the data models, and assign those ATPs to monitor all the kill chains. We can monitor all attack vectors and persistent threats that we want to monitor.
Splunk Enterprise Security is good for analyzing malicious activities and detecting breaches. I would rate it a 9 out of 10 for that. It can also go to 10 for different clients based on different requirements.
Along with Splunk Enterprise Security, we also install another Splunk app that has all the threat intelligence. We then feed the data through a CSV file and create the use cases. We set up alerts for those. In the case of an event, an alert is generated and assigned to a particular SOC analyst. There can be some false positives, but with proper configuration and filtering, they can be reduced.
Splunk Enterprise Security has been very beneficial and valuable for us. Our application teams can use the indexes to troubleshoot the issues they are facing at their location.
What is most valuable?
Being able to ingest data from all the tools and all the apps being used in the environment is valuable. Being able to create alerts when, for example, the CPU usage reaches 95% is also valuable. We can set up alerts and proactively fix the issues. Splunk helps with all these things, and Splunk Enterprise Security has almost 2,000 use cases. It follows MITRE ATT&CK and Cyber Kill Chain frameworks. There are certain notable events for which we can configure our security posture. We can onboard all the logs through indexes and create dashboards to view what is going on in the environment.
What needs improvement?
Overall, it is pretty good. They are improving it every day. They recently released SC4S for onboarding syslog data. However, the support and the pricing can be better.
For how long have I used the solution?
It has been 8 years since I have been using Splunk. I am not a part of the core security team. I handle some parts of enterprise security, such as SIEM data models or the creation of some correlation searches and use cases. The majority of things, such as threat hunting or threat intelligence, are managed by our core security team.
What do I think about the stability of the solution?
We faced some issues, but we fixed them ourselves. We have around 10,000 knowledge objects running. All the knowledge objects should not be running all the time. They should be distributed over 24 hours so that the servers do not have any extra pressure at a particular time. We used to have an issue with our indexes going down. The CPU was being utilized 100%, and everything was getting stopped. We found the issue. We fixed that, and we are good now.
What do I think about the scalability of the solution?
It is pretty easy to scale. For Splunk Cloud, we log a ticket with Splunk support, and they start the process. It does not take much time. However, there is a cost involved in that.
We have been ingesting 40 TB a day. We have three locations: The USA, the UK, and France.
How are customer service and support?
The SLA for Splunk Cloud support is not satisfactory for a customer. The turnaround time is a bit low. That should be fixed. I would rate their support a 9 out of 10.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have not used any similar solution in my current organization.
In my previous organizations, I have used solutions such as Elk, IBM QRadar, and Microsoft Sentinel. Microsoft Sentinel is good. Splunk is better than QRadar. Splunk has a lot of capabilities. It makes it easier to do many things and do them correctly. It does not require as much effort as required in IBM QRadar and Microsoft Sentinel.
Splunk is a bit costly, but if we control our usage during our searches, its cost is okay. When not controlled, it becomes a bit costly.
To those evaluating Splunk and solutions, I would advise knowing the features they would be getting. Elk is open source, but there is an underlying cost of infrastructure. The cost almost becomes the same. You have to hire people who can work on Elk and then you have the underlying infrastructure cost.
How was the initial setup?
We were on-premises, but we recently moved to Splunk Cloud. We have been using Victoria for the last eight months. When going from on-premises to Splunk Cloud, Splunk recommends engaging professional services.
What about the implementation team?
The migration was done by Splunk. For administration and maintenance, we have about eight people, but the number of users in the environment would be in the thousands.
The maintenance of Splunk Cloud is taken care of by Splunk. Customers do not manage the clusters. With the on-prem setup, we have to patch the servers, upgrade the servers, or restart them from time to time so that the rebalancing of the buckets happens properly. In Splunk Cloud, we do not have to do these things. We only take care of the data normalization part. All other things are managed by Splunk.
What was our ROI?
It does provide a return on investment.
What's my experience with pricing, setup cost, and licensing?
It is a bit costly.
What other advice do I have?
Be clear about what you want and try to filter out as much as possible. Create role-based rules and assign them to users rather than assigning every role capability to all the users. Also, everyone should not have access to all indexes. Only certain people should have access. For example, if someone is from the AD team, he or she should have access to the particular index logging the AD logs. They should not have access to all of it. There should also be some kind of training before you give access to people so that they know which searches to use and which ones not to use. They should understand the impact of various things.
I would rate Splunk Enterprise Security a 9 out of 10 based on my experience and the work that I do with the core security team. They are pretty satisfied with it.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Last updated: May 12, 2024
Flag as inappropriateDefense protection study manager at Ministère de la Défense
The search feature is fast and comprehensive
Pros and Cons
- "I like the search feature and the indexing. It's very fast and comprehensive."
- "Splunk is very expensive. The license is based on the volume of the logs ingested. I was responsible for managing the contract with our service integrator. I don't know the precise details of the competing solution, but I have heard that Splunk is more expensive than others. I don't know what the going rate is on the market, but I think there are at least two competitors that are less expensive. We have experienced a few issues with our service providers in terms of log filtering and ingestion, so we continue to pay a bit more per day for our logs."
What is our primary use case?
We use Splunk for log analytics, blocking dangerous files, etc. It helps to shape our security policies. Splunk is managed by our service provider, but we regularly get security insights from them.
What is most valuable?
I like the search feature and the indexing. It's very fast and comprehensive. It's easily tuned by your service provider, so I can quickly find the results I'm seeking. So it's very practical. We are working with the search feature and using multiple indexes that combine devices from different environments, so it's easy to collect information across environments.
We can relatively quickly detect some malicious activities based on attack patterns and implement use cases configured by our service provider with help from Splunk. It improves the speed of threat mitigation because you can gather information about the attack patterns from a few days of online activity to block threats and take the necessary actions.
For how long have I used the solution?
We implemented Splunk at the end of 2020, so it's been around three years.
What do I think about the scalability of the solution?
Splunk Enterprise Security is scalable.
How are customer service and support?
We have not been in direct contact with Splunk except for a workshop where I met a few of them. My impression was that they were skilled, experienced experts. They seemed helpful, so I had a good impression.
How was the initial setup?
The service provider deployed Splunk, so I wasn't involved. I had heard that they experienced some difficulties setting it up, but I don't think it was harder to install than other solutions.
What's my experience with pricing, setup cost, and licensing?
Splunk is very expensive. The license is based on the volume of the logs ingested. I was responsible for managing the contract with our service integrator. I don't know the precise details of the competing solution, but I have heard that Splunk is more expensive than others. I don't know what the going rate is on the market, but I think there are at least two competitors that are less expensive. We have experienced a few issues with our service providers in terms of log filtering and ingestion, so we continue to pay a bit more per day for our logs.
What other advice do I have?
I rate Splunk Enterprise Security eight out of 10.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros
sharing their opinions.
Updated: November 2024
Product Categories
Security Information and Event Management (SIEM) Log Management IT Operations AnalyticsPopular Comparisons
CrowdStrike Falcon
Microsoft Sentinel
IBM Security QRadar
Elastic Security
LogRhythm SIEM
Sumo Logic Security
Rapid7 InsightIDR
Fortinet FortiSIEM
AlienVault OSSIM
Cortex XSIAM
Securonix Next-Gen SIEM
USM Anywhere
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- What are some of the best features and use-cases of Splunk?
- What SOC product do you recommend?
- Splunk as an Enterprise Class monitoring solution -- thoughts?
- What is the biggest difference between Dynatrace and Splunk?
- IBM QRadar is rated above competitors (McAfee, Splunk, LogRhythm) in Gartner's 2020 Magic Quandrant. Agree/Disagree?
- What are the advantages of ELK over Splunk?
- How does Splunk compare with Azure Monitor?
- New risk scoring framework in the Splunk App for Enterprise Security -- thoughts?
- Splunk vs. Elastic Stack
- What is a better choice, Splunk or Azure Sentinel?