Splunk Enterprise Security Reviews

Our use cases are mostly for security and detection, basic use cases. It's always been a security use case. We never used it for observability or ITSI. 

Our analysts use it a lot.

I like that it's a review panel, you can see all of your alerts. Another valuable feature is that it integrates with other apps like UBA and SOAR. 

I also like the guided alert creation. The guided alert creation is useful, especially for new people who don't know CPL. 

It's a premium app, it's easy to use and intuitive. 

Enterprise Security has one pane of glass for all of our alerts. We still use the Enterprise Security page where we keep track of everything. 

It's very important to us that Splunk offers end-to-end visibility into our environment. It has the ability to identify any security events or if data is reingested, we'll get an alert for that. End-to-end visibility is very important for a mature security program.  

Splunk helped to ingest and normalize data. Anytime that we put data in, we always normalize the SIEM model. ES runs off of that so it helps us to dot our I's and cross our T's. It helps us to use our data effectively.

It has tools to reduce our alert volume. We get a lot of alerts. It's more of a tuning thing than anything that the app can help with. 

It provides us with the relevant context to help guide our investigations. It's really useful in that aspect. 

It hasn't reduced our MTTR. SOAR would do that. It has helped our mean time to detect. 

It has increased our business resilience. It's a top-of-the-line SIEM security product. It's the best tool for our security analysts which helps them do their job better. That then protects our company from adversary actors. 

I have been using Splunk Enterprise Security for about five years. 

I've never had too many issues with the stability. Years ago we had indexes crash but that was more on us. We didn't understand how to properly size Splunk. If you work within the required parameters, it's stable. 

Their support is great. I've never had any issues with them.

Positive

The setup was pretty straightforward unless you add a search head cluster. Then it becomes a lot more complicated very fast. Other than that, it's not too bad. It's pretty simple and intuitive. I've done it before and it's not difficult especially if you have the docs to help you. 

I can't speak to the dollar amount but we see ROI in the way that it helps the analysts to better do their work. It helps keep track of things and having one pane of glass for all things data. 

I would rate Splunk Enterprise Security a nine out of ten. It's a top-of-the-line product. It allows analysts to do their jobs better. It's a single pane of glass. It's a fantastic tool that we couldn't do our work without. 

We use Splunk Enterprise Security for a lot of use cases. We use the predefined use cases and dashboards for AWS, notable events, endpoint detection network, and audit notable events.

The most valuable function is the notable events. When I joined the team, I asked them what they could currently see, and they said nothing. I was pretty shocked. I know that they were using Enterprise Security or at least they had purchased it. I told them that there are several dashboards within Splunk that we can leverage. There is also notable events where we can see potential incidents or potential alerts about the infrastructure and the network itself. 

The dashboards give us numbers for malware infection. So long as those dashboards are actionable, they help the SOC team a lot.

It's important to respond to incidents in a timely manner. Having end-to-end visibility across the board equips the team to make sure that whatever incident happens, it has a very minimum impact on the business. It also allows us to fix things that need to be fixed immediately. That's the asset of having end-to-end visibility across the board.

Enterprise Security really helps us normalize our data because it comes with predefined dashboards, so we only need to ingest the logs and Splunk will do the work to display what we need to see on a day-to-day basis.

When we started using Splunk, we had tons of false positives. We reduced our alerts by 90%. Most of our alerts now are actionable.

I would like to have fraud detection features. Fraud is within the same turf as with security operations. Fraud and cybersecurity work hand in hand. I would like to have detection capabilities, or at least dashboards in Enterprise Security for fraud. 

There's already a fraud offering from Splunk for fraud use cases but it's different. I need to get professional services for me to get that feature. It would be much more cost-efficient for customers if all those dashboards could be readily available within ES.

I have been using Splunk Enterprise Security since I joined my company in 2019, so it's been roughly five years.

Cisco just acquired Splunk so I expect the stability to still be the same since Cisco is established. 

I would rate support a nine out of ten because there's always room for improvement. 

Positive

I would rate Splunk Enterprise Security an eight out of ten. To make it a perfect ten, I would like to see them implement the fraud detection features. 

We are using it for our SOC. We integrated it with our SOC.

We have had a couple of benefits. We are using it as a SIEM. We do log extraction and analyze them. We also use reporting and dashboards. We are using it for security assessment. It is very helpful for us to be able to see what it has been like. Based on the incidents, we can take measures to cover any gaps.

Our security posture has definitely improved since we started using Splunk Enterprise Security. We are scaling it in stages. We are not yet using it at an optimum level. We are using 50% to 60% of it. Based on the analysis that we are doing, our security posture has definitely improved.

The end-to-end visibility that it provides is very important for any organization. It is the right tool to get end-to-end visibility. We get 360-degree visibility.

Like most organizations, we are moving to the cloud. We have a hybrid environment. We have a SaaS, PaaS, and on-prem environment. It is a very good tool for identifying security incidents. There are statistics, and we can go back and forth to see exactly what happened.

Splunk Enterprise Security has improved our organization’s ability to ingest and normalize data.

It is a real-time tool. What I like about it is how they are able to bring all the logs into a single dashboard. We can quickly get what we are looking for. We have queries. That is amazing.

Splunk Enterprise Security provides us with the relevant context to help guide our investigations. We are not using it completely, but based on our usage, it is up to our expectations.

Splunk Enterprise Security has helped reduce our mean time to resolve. Previously, if an incident used to take us an hour, it now takes us a few minutes.

The dashboard is amazing. Out-of-the-box dashboard is very good. It is very user-friendly. It is out of the box. With a few clicks, the dashboard is there.

Its performance can be better. Sometimes, it takes longer when we do queries.

Their support can also be better.

We have been using Splunk Enterprise Security for the last seven or eight years.

It is very stable. I would rate it a ten out of ten for stability.

Scalability is there. I would rate it a ten out of ten for scalability.

As we are increasing our cloud and on-prem infrastructure, logs are increasing. We have to come up with policies on our side for log retention and other things, but we are able to collect logs from multiple sources.

I would rate their support a seven out of ten. Its implementation was a big challenge, and sometimes, the ticket went from one person to another person.

Neutral

We were using Alert Logic. It is good, but there are performance issues with the dashboard and other things. At times, it takes ages, whereas Splunk Enterprise Security is real-time.

Its deployment is not easy. It is difficult. It is a one-time job, and once it is done, you get the benefits. 

We had to engage a third party or a channel partner. It was the right choice.

Application-wise, we have seen a lot of improvement in our application delivery. On the security side, we are still learning.

It is pretty straightforward and based on the sizing. If I compare it with other competitors, it makes sense.

We looked at LogRhythm, but Splunk is more mature.

I would rate Splunk Enterprise Security a nine out of ten. It is not a ten because of the support.

We use Splunk Enterprise Security to monitor our network environment for abnormal activities and threats.

We easily monitor multiple cloud environments with Splunk Enterprise Security.

Insider threat detection helps our security posture.

I use the threat intelligence management feature whenever I do a threat analysis.

When Splunk detects breaches and malicious activities it notifies our IT team so they can analyze the notifications and respond accordingly.

Splunk has helped our organization by allowing us to gain valuable insight through the analysis of large datasets.

The customizable dashboards are user-friendly and visually appealing.

It has helped reduce our alert volume.

It has helped speed up our security investigations.

The most valuable feature of Splunk Enterprise Security is website activity monitoring.

While Splunk Enterprise Security offers valuable features, its cost is high and could be more competitive.

I have been using Splunk Enterprise Security for around five months.

Splunk Enterprise Security is stable.

We frequently connect with the support team to review our options. They resolve our issues quickly.

Neutral

We also use IBM QRadar but Splunk Enterprise Security is more functional and user-friendly.

Splunk Enterprise Security is expensive.

I would rate Splunk Enterprise Security eight out of ten.

For someone who wants to use the cheapest solution, I would tell them that this is the best solution and worth the cost.

I recommend Splunk Enterprise Security to others.

I use Splunk Enterprise Security for monitoring, threat hunting, and quick response. By implementing Splunk Enterprise Security I aimed to address security challenges and threats for both myself and my clients.

Splunk Enterprise Security has significantly improved our organization by centralizing data and enabling efficient correlation across multiple vectors. The benefits were realized quickly after deployment, with noticeable improvements within the first three to six months.

Splunk Enterprise Security has sped up my security investigations, approximately by 30-40%.

The most valuable features of Splunk Enterprise Security are its high-performance data collection, flexible query language, and its versatility across the organization. The unique query language, once mastered, provides flexibility, and the tool extends beyond just security, benefiting network and development teams. This versatility and speed in searching and trend identification enable quick defense for my clients. For me, it is about fast detection, rapid response, and easy access to crucial data.

Splunk Enterprise Security could improve in automation, flexibility, and providing more content out of the box. The effort required for tuning and management is higher compared to some other solutions. Focusing on automation and reducing the engineering effort would enhance its effectiveness. I would like a store platform similar to what Sentinel offers to be included in the next release of Splunk Enterprise Security. Additionally, the pricing structure needs improvement.

I have been using Splunk Enterprise Security since 2016.

The stability of the solution is quite good.

The scalability of Splunk Enterprise Security is good. The solution is stable and performance-driven, making it well-suited for scalability.

The community support for Splunk is excellent, with an engaged user community. However, for the standard technical support, unless you opt for the premium, I would rate the support as three on a scale of one to ten. It is not as helpful as desired.

Negative

Before Splunk Enterprise Security, I used various solutions, including LogRhythm. I chose Splunk because it proved to be more stable and reliable, especially compared to the issues I experienced with LogRhythm. With Splunk Enterprise Security, it takes my analysts approximately 30-40% less time to resolve alerts compared to our previous solution.

Monitoring multiple cloud environments using Splunk Enterprise Security dashboards is moderately easy, around a six out of ten. Setting it up requires a fair amount of engineering effort, especially for non-Splunk Cloud environments like Azure and GCP. Once configured, monitoring becomes straightforward, allowing easy creation of use cases and efficient log monitoring for improved cloud security.

The initial deployment of Splunk Enterprise Security was complex, involving significant engineering effort and tuning. It took anywhere from three to twelve months, which is considered a relatively long time. In comparison, deploying Microsoft solutions typically takes around six weeks on average, which is a significant difference in deployment efficiency.

The implementation strategy for Splunk Enterprise Security involved workshops, high-level design approval, and phased deployment covering physical deployment, log collection, testing, and tuning. Typically, three people from my team (project manager, lead engineer, and lead analyst) and around half a person from the customer's side are involved. Maintenance is substantial, requiring a team of 13 engineers for 60 customers, ensuring not everything breaks simultaneously.

I find Splunk Enterprise Security to be overly expensive, and their pricing model lacks flexibility. There is no consumption-based pricing, and dealing with Splunk can be challenging. They seem rigid, less accommodating, and often don't listen to customer needs. A more flexible and customer-friendly pricing approach, aligning with industry trends, would be appreciated.

Before choosing Splunk, I evaluated other options, including QRadar. However, if I were to evaluate them today, my choice might be different.

If you are willing to invest in engineering effort, Splunk Enterprise Security provides excellent visibility into multiple environments, including cloud, on-premises, and hybrid setups. While some solutions may require less effort, Splunk is capable and versatile, making it a strong choice for comprehensive visibility across diverse IT environments.

Assessing threat detection capabilities in Splunk Enterprise Security is like evaluating how easy it is to drive a car. It provides powerful tools, but mastering the query language for utilizing these features requires effort. Once you know how to use them, it becomes an effective tool for detecting unknown threats and monitoring user behavior.

I use the Splunk Mission Control feature, which is highly important to my security operations. It is particularly valuable for multi-tenant and multi-site mission control scenarios. The Splunk Mission Control feature is effective for centralizing threat intelligence and ticketing system data when dealing with a single entity or group. However, its usefulness diminishes when managing multiple customers with diverse policies and groups.

The features in Splunk for discovering the overall scope of an incident, including the topography aspect, are considered industry standards. However, the topography feature is not particularly useful in my case, so I don't extensively use it.

Splunk Enterprise Security is effective for analyzing malicious activities and detecting breaches, especially if you invest the effort. However, newer solutions are considered better and more flexible. While Splunk was an industry leader five years ago, today, platforms like Microsoft Sentinel may outshine it in terms of ease of use, especially for users unfamiliar with Splunk.

Splunk Enterprise Security has helped me detect threats faster compared to other solutions. It stands out in terms of speed and effectiveness.

My advice to others is that if you are looking for the cheapest solution, Splunk may not be the right choice. Consider alternatives like LogPoint or Arctic Wolf, but be cautious as they might not offer the quality and capabilities needed for effective security. Sometimes it is better to invest in a more robust solution than settling for a cheap option that might not meet your requirements. Overall, I would rate the solution as a six out of ten, mostly because of its pricing.

The use cases are mainly around monitoring for our clients' security operation centers and correlation of events and analytics for incidents that have been identified.

It has really improved things for our clients by reducing false positives. Most of the time, analysts end up wasting their time with false incidents, and that has been drastically reduced by Splunk.

It also definitely helps speed up your security investigations.

The dashboard and reporting are very good. Our clients monitor multiple cloud environments and Splunk helps because, in general, monitoring multiple cloud environments is definitely difficult and very complex. It provides very good visibility in a hybrid cloud environment, and you can build custom utilization APIs using Splunk.

The solution is also very good in its threat-hunting capabilities and anomaly detection. It uses an AI-based detection system to identify real-time anomalies and provides complete visibility into the network.

And you can feed multiple threat sources into Splunk and the Threat Intelligence Management feature gives you information about current or potential attacks. It provides complete security support in the threat intelligence space. It helps your administrator to correlate indicators of compromise from threat intelligence databases and feeds.

Also, the Splunk Mission Control feature, which is mainly for Splunk Enterprise Security cloud users, provides a unified and simplified security operations experience for SOC analysts.

We also use the solution's Threat Topology and MITRE ATT&CK framework feature. That's something you need for cyber breaches to contain a threat. This feature comes into play when you need to mitigate an incident in your environment.

While there aren't any major areas where the solution has to be improved, there are certain integrations that are still not available. I would specifically like to see legacy applications integrated. Splunk has integrations with AWS, Azure, and other cloud providers, but when it comes to legacy applications, it is difficult to do a Splunk integration.

We have been working with Splunk Enterprise Security for one and a half years.

It's a very stable solution. 

It is very highly scalable.

The technical support is very good.

Positive

I used IBM Security QRadar. The main reason for switching is that Splunk has the scalability to handle bigger enterprise logs. Log management is the biggest issue in any SIEM. Splunk is able to rapidly grow its capacity.

Our clients' implementations are mostly on-prem and in the cloud.

Splunk is definitely not a cheap solution. It is an expensive product.

If a customer is evaluating SIEM solutions and is considering cheaper products, it depends on the customer's budget and use cases. For a large, enterprise customer with critical infrastructure that needs to be monitored 24/7, obviously, the cheaper solutions may not have the capacity to handle the huge volume of data. Splunk has the SIEM and the scalability as well as visibility features. When you want to monitor your applications and how they are performing, that is where Splunk is very strong.

In terms of maintenance of Splunk, you need to have an IT administrator monitoring it at all times.

When it comes to a large, enterprise customer's critical infrastructure, Splunk is one of the best solutions to use in a security operations center. It has multiple advantages, such as the dashboard that provides complete visibility, and a threat detection system with very advanced features. It is very valuable for any company that wants a good protection system.

You should definitely consider Splunk as one of your options for your SOC.

We have an engineering team working on the back end to receive data, they do data modeling, and create dashboards. That's been pretty useful.

Splunk Enterprise Security helped our organization a lot. In the past, we relied on every single product that had its own kind of audit trail information. We needed to go and look for it, for example, in the Windows environment. We have to use the event viewer a lot to look for certain things, like system applications and security logs. In Linux, we have to use the log file, and under certain applications in the Linux environment, we have to look at the logs for that as well.

That's just part of the operating system. It is not the infrastructure, like network devices. When we centralize logs, we put everything in one location. 

Our advanced users can do the SPL query anything they want. Executives or higher-up management users need to look for certain things, like how many systems are missing patches for this month or who logged in today from where, what they did, and how often they re-authenticated to the systems. 

We have a lot of data from businesses, data from our devices, and more. When we put it all in the ES, it gives us the ability to look at certain functions. It provides more insight into our data, where it's traveling from, between endpoints, and what they're doing with it. 

We also look into performance. We use other monitoring tools as well, and that data is also piped into Splunk. We have a centralized platform that we can navigate to look for everything we need rather than having to go to each individual system, like Cisco Syslog or we have to go to the Forcepoint console to look for it. It is a centralized platform that gives us more insights into our data or what's happening in general. 

It is very important that Splunk Enterprise Security provides end-to-end visibility into our environment because, at any given point in time, we want to know what's happening to the data. Data privacy is the primary concern. We want to make sure that authorized users get access to what they are authorized to so that data would not leak out or travel from a different path. Again, we get a lot of data in there. We understand more about our data to improve the business in certain aspects.

We know that during certain times of the day, a lot of people access a server or website.

Then it'll give us more insight about where we need more network bandwidth or where we need to upgrade network devices. We understand more about our data, like how many people access the data lake house. And that's just for performance. 

On the security side, we would know who's accessing it from where. Are they authorized to do so, or is there any weird access pattern in locations that they're not supposed to be in?

So again, we get the data, we centralize it, and we can do data mining. We can pull out anything from there rather than looking all over the place, like, "I want to find out if he's working today if someone's using his account, or from which devices he accessed data from two different places."

From Splunk Enterprise, we can either do it manually or have our engineers create an audit dashboard. Or, if you are an advanced user, you can do SPL queries that will give you anything you need.

The alert volume depends on the users. If they do what they're supposed to, then there's nothing to talk about. If not, it's more or less on how you manage the data, educate your users, and control your system. Based on that, Splunk might play zero, fifty percent, or seventy-five percent role.

In a way, it has helped improve our organization's business resilience. It's a way for us to predict the pattern of data access and other things going on.

Knowing a way to do that, if we have enough resources to do it, is fine because we have so much data, but no one's really monitoring it. If we get alerts in the middle of the night and we don't have anyone to handle it, it's not going to help.

It's another aspect that we worry the most about, where our data is floating. 

Now that we've centralized our log information into Splunk, we want it to be secured well because now users can predict a pattern of data access from where, and from whom. 

We put all of our logs and data into Splunk, like network switches, firewalls, and web-based protection. In general, every component within the infrastructure sends data to Splunk. 

Then, we have an engineering team transforming, manipulating, and analyzing the data to create a front-end dashboard in a meaningful way.   

With the new announcement of version eight, it's going to give us a single point-and-click. On the front page there, that will give us a whole lot of information that we need to look into on the right panel without navigating down or going to more details, clicking here and there.

We've been using it for quite a few years now.

The solution of choice depends on the engineers and teams. If they manage Linux, they're comfortable with certain tools to read the logs. In a Windows environment, it depends on the engineers. They favor any certain tool; they would do it, but it would be to cut down costs and consolidate all the software strings.  

Splunk was not that big years ago. But then we started seeing that they put more investment into it and made the tool more useful.

We're not using the cloud version yet. This is just the enterprise product on-premises.

Splunk can improve the pricing. People like certain features, and sales use the features that they provide, the automated features, to hook customers into paying for the big-price license.

Everyone does it, like Microsoft and Cisco. Initially, you try out the free version, but once you get it in your shop and turn it into production, you start relying on it and don't want to get out. You start paying a lot more for it.

Splunk is on the right path. It's good, but it does not provide everything that we need. There's a lot more to it. I look at it as ideal for detecting in real-time, but we're always behind and just look at the log information. 

If you have a network device, a Splunk Enterprise instance, and you have to send data to it. You're relying on network connections. 

If you're using a cloud service or anything where Splunk is not on-premises, there's high latency. If that network connection is down, that's it. You don't know what's going on. So even if you have it on-prem, you're still relying on it after the fact. 

When you look at Splunk, you're looking at things that have already happened. It's nothing that's actively going out there and doing something for you. 

If you had to give it a number, from one to ten, since they've gone this far, I'd give it a five or six. Because locking or monitoring is just a part of business, and how you're going to receive those alerts and act on them is another part of it, when I look at the overall infrastructure and infrastructure management.

I have used the solution in my company since I was an admin for Splunk. Most of the people involved in the use cases associated with the product are those in the SOC team.

The tool has helped us to identify and analyze the possible threats. The product helps identify threats and do further investigations.

In terms of the benefits I have seen from using Splunk Enterprise Security, I would say that we are still working on implementing Splunk tools.

The most valuable feature of the solution is correlation searches, which allow you to easily find threats and other such areas.

It is really important that Splunk Enterprise Security provides end-to-end visibility into our company's environment, as it can help save time and make the response faster.

Splunk Enterprise Security has helped improve our organization's ability to ingest and normalize data with the use of data models and Splunk CIM.

The tool has helped reduce our company's alert volume as the identification process is fast.

Splunk Enterprise Security provides our company with relevant context to help guide our investigations. Any incident can be resolved in a minimal amount of time than expected, and we can get more information about such incidents. It can be resolved mostly on the same day and even in a few hours.

Splunk Enterprise Security helped reduce mean-time resolve. It has also helped improve our organization's business resilience. Considering the tool's ability to predict, identify, and solve problems in real-time, I would say that it keeps our company safe.

Splunk's unified platform helps consolidate networking, security, and IT observability tools. I cannot provide too many details because I am not working directly on the analytics part.

I think in the near future, we want to have Splunk Enterprise Security complemented with Splunk SOAR because we have been checking the administrations. It is pretty cool, considering the things that you can do with Splunk Enterprise Security and Splunk SOAR together.

Resource usage can probably be described as an area with shortcomings in the product where improvements are required.

Our company just saw the latest version of the tool here in the Gulf. I am not sure, though, about it because what Splunk showed us was really impressive.

I have been using Splunk Enterprise Security for five years. My company is a customer.

It is a stable solution. At my company, there are two Splunk admins. Splunk is so stable that though there are two Splunk admins in the company, nobody complains that something is not working. Stability-wise, I rate the solution a nine out of ten.

Scalability-wise, the tool is awesome since you can add or reduce your resources in an easy way.

The solution's technical support offered to users could be much more. At times, I get answers related to Splunk from the support team, which I feel are available on Google. I rate the technical support a seven or eight out of ten. I feel that sometimes the tool's support team uses Google to provide me with answers.

Neutral

I did not previously use a different solution.

It was harder to get it working and configured correctly in the past. Things have changed a lot since the first version of the tool was released. I honestly feel comfortable anytime the tool releases something new to be deployed or if there is a new upgrade.

The solution is deployed on an on-premises model. I use the cloud services offered by Azure and AWS.

I have not seen a return on investment.

Splunk Enterprise Security is not a cheap product, but I think it is worth every dollar that you pay.

Considering that the initial configuration is difficult, I rate the solution an eight out of ten.