Resident Consultant (Security Analyst) at helpag
MSP
Top 20
Accelerates security investigations and threat detections and allows customizations
Pros and Cons
  • "I find it beneficial that Splunk Enterprise Security easily integrates with other tools. Due to its excellent API capabilities, it facilitates connections with various cybersecurity tools."
  • "I have noticed a return on investment with Splunk Enterprise Security, as it delivers substantial value for money."
  • "Improving the infrastructure behind Splunk Enterprise Security is vital—enhanced cores, CPUs, and memory should be prioritized to support better processing power. When we execute heavy, resource-intensive queries over long periods, the performance dips."

What is our primary use case?

We have customized use cases for Splunk Enterprise Security as per our environment, due to our infrastructure related to cloud, virtualization, and a few application servers, along with Active Directory management, where we look for user interface and access management. We receive alerts related to any password breaches or unauthorized user access, or if any applications stop running. 

Consequently, we created multiple customized use cases, and accordingly, we receive alerts on Splunk Enterprise Security. It integrates with other tools for threat intelligence and anomaly detection. We are enjoying a good experience so far, and our admins ensure that the use cases are well-maintained. Additionally, they perform fine-tuning as needed. 

We have some database servers integrated for alerting us about unused services. We communicate with our database admins regarding incidents related to data management issues. We suggest actions to the database admins based on these alerts for better data management.

How has it helped my organization?

Splunk Enterprise Security is highly customizable, which is an excellent feature. We are continually fine-tuning it to meet our requirements, and everything has been smooth thus far. We also have well-designed dashboards that allow us to visualize data from various use cases in comprehensive graphs, which is beneficial for management reviews, especially during inspections, to display the status of our environment.

We monitor multiple environments, and those environments are integrated with Splunk Enterprise Security, functioning effectively.

In terms of visibility, it offers insights into integrated devices such as firewalls, cloud infrastructure, and virtual machines. The extent of visibility corresponds to the number of devices we integrate with Splunk Enterprise Security. We have access management servers and Threat Intelligence integrated, enhancing visibility across various elements in our environments.

Splunk Enterprise Security provides good visibility into our environments.

Splunk Enterprise Security aids us in detecting threats faster. Over time, it has incorporated enhanced AI support that enables self-analysis and offers valuable feedback. It operates as an intelligent tool, parsing and generating relevant incidents effectively.

Splunk Enterprise Security significantly improves our organization's business resilience. Since my introduction to Splunk Enterprise Security in 2022, I have observed an increase in its intelligence levels, and I look forward to integrating more infrastructure with it. Our reliance is shifting more towards Splunk Enterprise Security for providing solid decision-making capabilities and easy integrations with multiple cybersecurity and IT infrastructure controls.

Splunk Enterprise Security has helped reduce our alert volume to a good extent. It goes beyond mere incident handling by providing feedback to IT infrastructure personnel and database administrators. The incident responses have enabled us to make several environmental corrections, reducing flaws and incidents over time. For instance, alerts related to unnecessary service account logins have prompted us to give feedback to admins, which reduces their workload. False positives are a notable aspect we address to minimize unnecessary alerts, while true positives associated with malware or MITRE framework indicators prompt effective management action.

Splunk Enterprise Security accelerates security investigations. The tool contains extensive data, and the key lies in how to extract that information, depending on the analyst's capability. Our company emphasizes obtaining Splunk Core admin and user certifications to enhance our understanding of the Splunk Enterprise Security product.

What is most valuable?

I find it beneficial that Splunk Enterprise Security easily integrates with other tools. Due to its excellent API capabilities, it facilitates connections with various cybersecurity tools. We utilize different controls, such as Anomaly and Threat Intelligence, and also integrate it with Data Diode, which assists in one-way communication for infrastructure. Splunk Enterprise Security can seamlessly receive logs from various infrastructures, including Data Diode and firewalls.

We utilize Threat Topology and MITRE ATT&CK features, as these aspects fall under the MITRE ATT&CK framework. They provide coverage for continuous user activities and password issues. The MITRE ATT&CK framework is beneficial for detection and outbound traffic, and it offers a good number of default use cases that we have implemented in our environment.

What needs improvement?

In terms of recommendations for improvement, when performance degradation occurs, we need to do a root cause analysis. The repeated tendency to inform us about memory utilization complaints encourages us to consider adjusting our query needs. Improving the infrastructure behind Splunk Enterprise Security is vital—enhanced cores, CPUs, and memory should be prioritized to support better processing power. When we execute heavy, resource-intensive queries over long periods, the performance dips. Our admin quickly intervenes to correct resource bottlenecks, allowing everything to function properly again.

Buyer's Guide
Splunk Enterprise Security
September 2025
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: September 2025.
869,785 professionals have used our research since 2012.

For how long have I used the solution?

I have been working with Splunk Enterprise Security for approximately two years now.

What do I think about the scalability of the solution?

I find it easy to scale Splunk Enterprise Security for our environment, and I would rate its scalability an eight.

How are customer service and support?

I have sought assistance from Splunk Enterprise Security support in the past, particularly during deployment, and they provide friendly and effective help.

Which solution did I use previously and why did I switch?

Having experienced using QRadar from IBM, I find Splunk Enterprise Security more intelligent and supportive.

How was the initial setup?

The deployment of Splunk Enterprise Security is straightforward, and integration with other security controls is quite easy after the initial setup.

What about the implementation team?

Initially, we required the assistance of Splunk Enterprise Security consultants for the deployment process.

What was our ROI?

I have noticed a return on investment with Splunk Enterprise Security, as it delivers substantial value for money. This is why we are keen on expanding our infrastructure under Splunk Enterprise Security rather than other SIEM options.

What other advice do I have?

We are currently using Splunk Enterprise Security for our SOC in our office, and as long as the office continues its use, we will still be using it.

I haven't faced any other difficulties apart from the CPU resource issues. I find Splunk Enterprise Security to be very customizable and user-friendly. The only consideration is that if we want to increase the volume of logs processed, we need to buy more licenses.

Maintaining Splunk Enterprise Security requires personnel, especially due to the existence of different search heads and various forwarders in our robust setup, supporting a centralized logging environment.

I find it easy to scale Splunk Enterprise Security for our environment, and I would recommend that potential users consider their capacity to invest financially based on the criticality of their infrastructure, as adoption comes with licensing costs.

I would rate Splunk Enterprise Security an eight out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Vijay Lakshmanan - PeerSpot reviewer
Associate at PricewaterhouseCoopers
Real User
Top 20
Provides centralized monitoring, customized dashboards, and speeds up security investigations
Pros and Cons
  • "The most valuable features in Splunk Enterprise Security are the cluster capabilities."
  • "The licensing price is high and has room for improvement."

What is our primary use case?

I'm part of the Splunk operations team, which means I support Splunk functionality and occasionally conduct threat management onboarding. We assist various teams with threat-related tasks. If they need help bringing log sources into Splunk, we guide them through the process. Once the logs are onboarded, we create correlations to identify threats, troubleshoot issues, and help mitigate potential risks.

How has it helped my organization?

We handle incidents through a queue configured in our event management system. This includes automated incidents for our Splunk infrastructure, like server health checks, and user-reported issues where functionalities like the fetch score aren't working. We address all incidents, whether automated or user-raised, through this system.

We've made significant improvements to our Splunk infrastructure to support our internal teams. This ongoing effort focuses on helping application teams onboard logs from various applications for their review and troubleshooting. We've streamlined the onboarding process, improved data quality, and ensured smooth data consumption for our internal users.

Splunk Enterprise Security offers multi-cloud environment monitoring capabilities that we can utilize for our users if they require it.

We can build a dashboard in Splunk to centralize the monitoring of critical information. This dashboard can display key metrics for onboarding methods and LogSources we actively track, providing a clear view of our entire monitoring environment.

While Splunk Enterprise Security offers good threat detection capabilities, our current process limits visibility into user activity. When users request correlations, we create the code and configure everything on our end, and then they test and work on it from theirs. This lack of transparency extends to threat management, as we can't directly see tickets in their separate ServiceNow system. If they encounter issues, they share details in a document for us to review and address.

It comes with a large collection of correlation searches, but we'll need to review them to find the ones that match our specific needs for monitoring malicious activity. Once we've identified the relevant searches, we can customize or recreate them within the correlation settings to best suit our environment.

Splunk Enterprise Security helps us detect threats faster.

Splunk Enterprise Security is a good monitoring tool that allows us to track specific details by creating custom queries. For instance, to monitor a particular organization's infrastructure, we would first onboard their logs and then create queries to capture relevant information. This way, any suspicious activity, attacks, or other events would be easily identified within the infrastructure. Additionally, Splunk's checkup operation minimizes the chance of missed alerts by automatically identifying detections, ensuring near-complete coverage of around 99 percent unless there are outages or limitations with global agents.

Splunk Enterprise Security helps us speed up our security investigations.

The customizable dashboard for our security operations is a good feature.

What is most valuable?

The most valuable features in Splunk Enterprise Security are the cluster capabilities.

What needs improvement?

The licensing price is high and has room for improvement.

For how long have I used the solution?

I have been using Splunk Enterprise Security for four years.

What do I think about the stability of the solution?

Splunk Enterprise Security is stable.

What do I think about the scalability of the solution?

Splunk Enterprise Security can scale according to our needs.

How are customer service and support?

The technical support has been successful in resolving the majority of our cases.

How would you rate customer service and support?

Positive

How was the initial setup?

While the deployment process itself is simple, the number of personnel needed varies depending on the infrastructure size and user base. A small deployment for 50 users can be completed by two people, while larger deployments supporting over 500 users may require up to 15 people.

What's my experience with pricing, setup cost, and licensing?

The Splunk Enterprise Security license is expensive.

What other advice do I have?

I would rate Splunk Enterprise Security eight out of ten. Splunk improves user efficiency by streamlining workflows and enabling the detection of anomalies within data.

Splunk Enterprise Security is deployed across multiple locations in our organization.

To ensure our data remains secure, Splunk servers require monthly maintenance. This maintenance includes installing security patches that address vulnerabilities and prevent unauthorized access to our information.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer2746377 - PeerSpot reviewer
Senior System Administrator at a tech services company with 5,001-10,000 employees
Real User
Top 20
Efficiently correlates large volumes of log data and makes it usable for end users
Pros and Cons
  • "Both quality and speed are lacking. Quality-wise, tickets sometimes go in circles, with unnecessary complications and escalations requiring repeated explanations."

What is our primary use case?

I lead a team that does Splunk administration. We mainly worry about the platform itself, ensuring everything works, log sources are coming in, and assisting with searches. We have a dedicated security team that represents the user side, the consumers of that data. We try to get all the log sources in for them so they can create detections, alerts, dashboards, and their own custom app integrations. We support them as much as we can in the platform, and they do their security work based on that.

What is most valuable?

The biggest thing that Splunk is known for across all its platforms is aggregation. We have thousands of log sources coming in, and Splunk Enterprise Security does a great job of correlating that information and making it very searchable and usable for the end user. This is my most enjoyable feature.

Splunk Enterprise Security is a huge value-add to us because I can confirm that our security team treats it as a normal component of their daily operations. They access Splunk Enterprise Security multiple times every single day doing their job. This proves substantial value given they need it that frequently, and considering the proportion of our contract.

What needs improvement?

Even though aggregation is one of the best features, they do poorly at integrating their own products with each other. There is Splunk Cloud, which handles searching, and there is Splunk Enterprise Security. In the backend, these are separate instances, even though the data comes from essentially the same database source. When I make changes on one platform, it may or may not affect the other side. This leaves me with uncertainty between what I'm doing in one, not knowing if it will affect the same thing on the other side. By extension, I sometimes make redundant changes already done on the other side. The discrepancy between the different search heads leaves me confused most of the time about these changes.

Their support also needs improvement.

For how long have I used the solution?

I have been using this solution for about two years now.

What do I think about the stability of the solution?

For stability, I would give it an A grade. The platform generally runs exceptionally. It occasionally experiences brief interruptions, but their operations people who manage the cloud side typically have the system back up before I receive a response to my submitted ticket. They are very aware of their system's stability on the operational side.

For performance, I would give it a B grade. Some of the performance issues could be due to our own tuning that we could improve. However, Splunk is designed to handle vast amounts of data, and in my opinion, it should operate a bit faster, especially when initiating searches or processing smaller jobs. It would be helpful if these tasks could run more quickly because, once the search actually starts, it performs well. The initial parsing phase, when running a new search, can take quite a while, and I find it frustrating to have to wait during that part.

What do I think about the scalability of the solution?

In terms of infrastructure, I cannot speak to it since it is cloud-based and operates as a black box regarding scaling. However, when it comes to handling increased data loads, Splunk Enterprise Security performs exceptionally. When we onboard new things, new log sources, or experience extra volume from heavy firewall activity, Splunk Enterprise Security processes all the data efficiently. From the time a log is generated on a system to when it reaches Splunk Enterprise Security is extremely fast. Though search time might be slightly slower than preferred, ingestion time for logs to hit the cloud is fantastic.

How are customer service and support?

Both quality and speed are lacking. Quality-wise, tickets sometimes go in circles, with unnecessary complications and escalations requiring repeated explanations.

Speed is particularly problematic. I submitted a high-priority ticket for a broken login configuration to Splunk Enterprise Security, called twice, and received no response from Friday until the following Monday. After escalating to our sales team requesting immediate response for our security team's broken access, we finally received assistance, and we were able to get back on track, but I was really unhappy with the situation. It was a critical priority issue that they were not addressing appropriately. We have paid for Splunk support, and we're not on the free tier hoping for assistance; we are a significant customer and invest a lot in this service. Given our active contract, we expect to receive better support. This area definitely needs improvement.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I previously used AlienVault, an open source solution, but was not as deeply involved with it as I am with Splunk Enterprise Security.

How was the initial setup?

The initial setup precedes my time with the company. When I started using it, it was a bit of a challenge. Splunk Enterprise Security is extensive and complex. The setup was not necessarily more difficult than regular Splunk Core since they are integrated, but the learning curve was quite steep. It took approximately six months to feel comfortable administering the full system independently.

The solution requires significant maintenance. It is very stable, but to keep things moving forward, we must do considerable work. Apps or add-ons we install require our own updates if they are not default ones offered by Splunk Enterprise Security. The baseline configuration gets upgraded automatically, which I appreciate. However, maintaining all other add-ons falls to us, which requires substantial work, especially as Splunk Enterprise Security is aggressive with their updates and minor versions. We must constantly do compatibility checks or create technical debt by staying behind versions sometimes, not knowing what features we might miss.

What's my experience with pricing, setup cost, and licensing?

The pricing is very reasonable for what it offers us. Out of our entire contract, Splunk Enterprise Security represents approximately 15% of our total Splunk expenditure. Splunk Enterprise Security is a huge value-add to us because our security team treats it very much as a normal component of their daily operations. They go into Splunk Enterprise Security multiple times every single day doing their job. That means that it proves a lot of value to where they need it that frequently. Given the proportion of our contract, there is a lot of value right there.

What other advice do I have?

Splunk Enterprise Security has approximately seven different AI capabilities. These include natural language processing for search query assistance, machine learning for alerts and data processing, and plugins such as Tensor for external AI processing. However, I remain cautious about enabling all AI features without understanding their performance impact.

I would rate Splunk Enterprise Security a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
reviewer2499192 - PeerSpot reviewer
Senior Information Systems Security Analyst at a manufacturing company with 5,001-10,000 employees
MSP
Provides impressive end-to-end visibility into our environment
Pros and Cons
  • "The end-to-end visibility into our environment that Splunk provides is impressive. We just need to use it better."
  • "I would like more assistance with use cases and help with teaching us how to use it once it's installed."

What is our primary use case?

Our primary use case is for detected malware.

What is most valuable?

The end-to-end visibility into our environment that Splunk provides is impressive. We just need to use it better.

We are a small team. For us to look at all those logs ourselves would be difficult. There is some decent insight into what's going on. It's just a matter of actually utilizing that data and taking action on it.

We would probably see more time savings if we used Splunk more.

We're an on-prem network. During the installation, we found several issues that we should look into. We just need to utilize it more.

Splunk has shown us some gaps where we need to ingest and normalize data, and we have built those gaps.

Splunk Enterprise Security provides us with context to help guide our investigation. It's a starting point to actually look at the logs and figure out what we need to look into. It's useful.

It helped to consolidate networking security and IT observability tools. We use Splunk in general a lot for operations, and then we've been able to build dashboards.

For how long have I used the solution?

I have been using Splunk Enterprise Security for two years.

What do I think about the stability of the solution?

The stability is pretty good. It's fairly stable. I haven't had any issues with it so far.

How are customer service and support?

Splunk support is difficult for us. There are gaps in the network. I work for a government entity, so getting a classified rep to come out is difficult.

I would rate their support a five out of ten due to their availability and talent.

How would you rate customer service and support?

Neutral

How was the initial setup?

It took us a while to groom all of our data correctly so that it worked well with ES. That took two weeks. As far as the finish, there's definitely room for improvement.

I would like more assistance with use cases and help with teaching us how to use it once it's installed.

What about the implementation team?

We deployed through professional services.

Which other solutions did I evaluate?

We're a young team, so we're still evaluating processes. We already had Splunk Core. It was already installed when I started working here. I was part of the installation team when they deployed Splunk Enterprise Security.

What other advice do I have?

I would rate Splunk Enterprise Security a five out of ten because I'm still figuring it out.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Sameep Agarwal - PeerSpot reviewer
Group manager at HCM Technologies
Real User
Top 20
It has a drag-and-drop interface, so you don't need to know SQL or Java to construct a query
Pros and Cons
  • "It has a drag-and-drop interface, so you don't need to know SQL or Java to construct a query on Splunk. The resolution time is about the same, but it took longer to discover the issue with ArcSight. Our previous solution took about an hour or more, but Splunk can do it within a few minutes or an hour at most."
  • "The ingestion happens quickly, so you can run up the data costs if you use the default settings. It isn't a problem for government agencies in the Saudi market, but many of the corporations in India are small or medium-sized enterprises that cannot afford that kind of ingestion system."

What is our primary use case?

We deploy Splunk for law enforcement agencies facing attacks from threat actors in China, Iran, and Pakistan. It helps plug the gaps because Splunk can easily identify malicious traffic.

In this instance, Splunk was only deployed for a specific department, not the entire ministry. However, this department has multiple cloud clusters for their operations, storage, and computing. Splunk is monitoring all of these clusters. It started as an on-premise solution, but then the department decided to go for cloud-based services that require a connector. Now, it's more of a hybrid solution.

How has it helped my organization?

We face a lot of government-backed threats from India's neighbors, so threat intelligence can provide us with the information to take preemptive steps to stop the attacks. We were able to configure our network and the gateway firewalls. So that helped us overall.

We use the threat topology and MITRE ATT&CK features to compile our quarterly reports, but the leaders of the government departments are hardly concerned with these things. They only respond to certain keywords if you highlight them. However, if you explain that something is an IOC according to the MITRE ATT&CK framework, they won't understand the jargon. They don't have the technical knowledge to comprehend MITRE ATT&CK. A private organization might have that capability. Government agencies may go for a full-fledged enterprise solution, but there are many features they don't understand or want to use.

We still need to use manual techniques to investigate threats. Once, we had to look for devices that were infected, and we manually located the threat because the attacker had used a particular telecom handle to steal the data. In that sense, we did it manually but used Splunk to find the threat actor and the credentials used in the attack. The investigations were also quicker because we had the necessary information on hand.

Resilience is essential, but it's something that can't fall entirely on a solution. Information security is the responsibility of every employee. While a cloud system doesn't go down easily, on-prem environments are more vulnerable.

What is most valuable?

Splunk has an excellent threat intel feed, so we can get the latest IOCs. The threat intel service enhances the threat detection capabilities because the solution is purely based on threat intel. They gather each threat intel from the dark web and the other areas of the internet. Once the integration is done, it's much more helpful than the traditional Splunk features, which may yield limited visibility. Splunk isn't purely a threat intelligence solution, but it may not have feeds at that frequency.

The threat detection capabilities are excellent, but it depends a lot on the configuration. If we can't configure the indicators of compromise correctly, then it becomes difficult for Splunk to evaluate a threat. For example, let's say a user is accelerating some data through the email gateway, and the gateway isn't being monitored. Splunk can't do anything about that because it requires a gateway monitoring system to be installed. Splunk is only aggregating the events coming in, and it cannot find the exact DLP agent. The DLP logs need to be forwarded to this Splunk connector.

What needs improvement?

The ingestion happens quickly, so you can run up the data costs if you use the default settings. It isn't a problem for government agencies in the Saudi market, but many of the corporations in India are small or medium-sized enterprises that cannot afford that kind of ingestion system.

Splunk needs to be tweaked in JSON so you can limit what is coming from the endpoints, especially the events. One needs to filter that out so that only certain events are ingested, like login failures, Active Directory changes, password reset requests, privilege modifications, etc. Each Windows machine generates about 310 KB of information per event, but we can tweak that down to about 50 KB.

For how long have I used the solution?

I have been using Splunk for five years.

What do I think about the stability of the solution?

Splunk is stable. We haven't had any downtime or performance issues.

How are customer service and support?

I rate Splunk support 10 out of 10. Splunk has lots of training materials online where our engineers can learn at their own pace. The courses are easy to understand and use simple language. You don't need to learn Java queries. The main reason we rejected QRadar was the fact that it is such a closed solution. If you want to learn something, you have to contact IBM support and request the materials.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have worked with ArcSight, and Palo Alto has a good SIEM solution. ArcSight's UI has some drawbacks, whereas Splunk is easier to integrate and implement. ArcSight's interface didn't impress me. I didn't like the way you have to write queries. It was a tedious solution to use, and it was not pleasing to the eyes. The charts and reporting were not visually appealing.

ArcSight was also a costly solution, but the main reason I wanted to switch to Splunk was that it was easier to integrate. It has a drag-and-drop interface, so you don't need to know SQL or Java to construct a query on Splunk. The resolution time is about the same, but it took longer to discover the issue with ArcSight. Our previous solution took about an hour or more, but Splunk can do it within a few minutes or an hour at most.

What's my experience with pricing, setup cost, and licensing?

Splunk can be an expensive solution. It all depends on how we configure the alerts and the events from the endpoints. You can save some money if you do that correctly. If not, it becomes an expensive solution.

If you don't have the money, you can go for an open-source solution like RedELK, which is based on Elasticsearch. It's cheaper, but you have a lot of support issues. There are no security upgrades. Those are not well supported. If somebody has a basic understanding of the technology and the necessary budget, I would say stick with Splunk. Its ease of use is attractive to an engineer.

What other advice do I have?

I rate Splunk Enterprise Security nine out of 10. There's always room for improvement.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    Data Analyst at Wipro Limited
    Real User
    Improves visibility of infrastructure metrics but lacks flexible dashboard filters

    What is our primary use case?

    I am currently using Splunk Enterprise Security to gather various infrastructure metrics. This includes data from SQL databases, Oracle databases, applications, and APIs. All of this data is collected and sent to a Kafka stream, using a connector to feed it into Splunk. My responsibility is to analyze this data to meet observability requirements. For example, I need to visualize the data from Oracle databases and other applications to identify issues. Depending on the metrics, I aim to pinpoint servers that may be experiencing problems, such as high CPU usage, disk issues, or memory overload. By analyzing the Splunk dashboard, I can quickly identify the problematic server.

    I am focused on creating a Splunk dashboard that allows users to easily identify issues at a glance. This will enable users or operations teams to promptly address any server problems. My work also involves using Excel queries and other tools to enhance this process.

    I am also working on anomaly detection for one of the services we have, but that is just beginning. We have just started with the anomaly detection part where machine learning can be utilized, but it is still in POC work.

    What is most valuable?

    The best feature I've seen is the ability to easily change the query based on the dashboard or based on the chart we have to create, allowing any value or metric we want to add to that particular chart while keeping the rest of the dashboard settings intact. However, it's worth noting that Splunk Enterprise Security does not accommodate data from various products as Tableau does because Splunk Enterprise Security is primarily focused on infrastructure and application metrics.

    What needs improvement?

    Last week, while I was creating a dashboard, I encountered a feature known as cascading filters. This feature allows one filter's input to depend on another filter. For example, if you select two filters, such as Asia and Europe, the country filter should update to include the countries from both continents. However, achieving this in the dashboard was not directly possible due to certain limitations of Splunk XML, particularly in the simple dashboard I'm using. While cascading filters can be implemented in the advanced Splunk Dashboard Studio, the XML option has its constraints. I found some online resources suggesting the use of advanced JavaScript or lookup files to work around these limitations. However, relying on advanced JavaScript may not be feasible for users without experience in that area, and utilizing lookup files isn't practical at this stage of the project.

    The optimization of filters, which is easily achievable in software like Tableau, is not as straightforward in Splunk XML. The client expressed a requirement for this functionality, and unfortunately, we currently need to either use lookup files, delve into advanced JavaScript or XML, or create a new dashboard using the Dashboard Studio, which is the advanced version of Splunk.

    For how long have I used the solution?

    I have been working with Splunk Enterprise Security for three months since I recently joined the Wipro organization and got enrolled in this project where they utilize Splunk Enterprise Security. 

    Splunk Enterprise Security was already implemented when I started working at my current company. I got onboarded to the project where they wanted data analysis skills, and they selected me because I had previous skills in Tableau for visualization purposes, and they needed someone who could visualize infrastructure metrics. They brought me into their project as a Splunk Enterprise Security observability analyst.

    What do I think about the stability of the solution?

    Splunk Enterprise Security is quite stable, and I have never experienced a breakdown with it. Sometimes, I only need to refresh the dashboard or refresh the URL from the browser, and everything resets. In terms of stability, everything we update in UAT or development reflects quickly, and I haven't encountered significant issues with the stability of Splunk Enterprise Security.

    What do I think about the scalability of the solution?

    I can rate Splunk Enterprise Security a seven out of ten in terms of scalability because it is purposefully designed for logs and metrics.

    How are customer service and support?

    I haven't had discussions with technical support for Splunk Enterprise Security as I've never needed to escalate issues. There is a separate team for Splunk Enterprise Security administration on the project, but I've had very little direct interaction with them.

    I referred to documents and guides that were included in the project guidelines. Additionally, for creating dashboards, I primarily used YouTube videos as reference.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    I was a data analyst in my previous organization where I utilized Tableau, so I am familiar with its benefits and can differentiate between the capabilities of both UIs. Splunk Enterprise Security is limited to metrics, traces, and logs data, whereas Tableau can handle any kind of data. This leads to a similar brainstorming process for various visualization needs. When it comes to Tableau and the healthcare industry, we encounter different kinds of data related to aspects such as insurance, patient information, and diseases. If we look at cloud products, we find that there are various offerings associated with the cloud. The dashboards created for these products are designed based on cloud data. For example, in the automotive industry, we observe a different approach. In Splunk Enterprise Security, we tend to focus on a single type of data. In contrast, Tableau, Power BI, and other tools allow us to utilize various types of data to address different types of problems more effectively.

    Splunk Enterprise Security is much more feasible as it is directly connected within the cloud servers, and whatever charts or dashboards we have to create can be easily tracked and created compared to Tableau. Some useful features from Tableau, such as cascading filters, are not available in the Splunk XML dashboards. In Splunk Enterprise Security, we use two types of dashboards: Dashboard Studio and simple XML Studio, with some limitations in the simple XML dashboard.

    What other advice do I have?

    My team has used the risk-based alerting feature of Splunk Enterprise Security. We recently discussed the alerting system concerning particular servers that can be triggered after assessing the risk, so that particular email or any generated data, charts, or everything associated, could be directly sent to the respective POCs. It will help in prioritizing security incidents for my team because there is another team utilizing this feature, allowing people to recognize which data or server is experiencing problematic issues, which helps enhance server inspection without always referencing the dashboard. Every morning, at a selected time based on the time zone, individuals can identify which server has a problem.

    I would rate Splunk Enterprise Security a six out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    Manager of Security Operations Center at Wipro Limited
    Real User
    Helps ingest data, enhances business resilience and problem-solving capabilities
    Pros and Cons
    • "The two features I appreciate most in Splunk Enterprise Security are the content management system and the inter-incident review dashboard."
    • "They could offer pre-built search queries for everyday use cases like brute force attacks, DDoS attacks, and other security threats."

    What is our primary use case?

    I have created various correlation searches to develop use cases for detecting security threats. For example, I have created use cases to identify brute force attacks, unauthorized access, denial of service attacks, and distributed denial of service attacks. To date, I have developed a total of 190 use cases for our environment using Splunk Enterprise Security.

    How has it helped my organization?

    The end-to-end visibility provided by Splunk Enterprise Security is crucial. Its user-friendly interface makes it easy to navigate and configure. The intuitive options allow for simple customization, enabling users to easily select and configure settings. This feature, combined with the excellent support from the Splunk team, makes it a valuable tool for addressing enterprise security issues and creating or modifying use cases.

    Splunk's website provides a variety of simple commands for identifying security events. These commands and pre-built security fields make it easy to detect real-time attacks, monitor environments, and identify security threats. Splunk offers a more straightforward and efficient approach than other monitoring tools.

    Splunk automatically ingests and normalizes data, eliminating the need for human intervention. When data is ingested, it is automatically converted into index-friendly formats within most source pipes.

    The MITRE ATT&CK framework is a valuable tool for security teams, and its integration with Splunk Enterprise Security offers significant benefits. By mapping specific MITRE ATT&CK tactics to Splunk use cases, analysts can quickly identify the root cause of security incidents and access relevant information for remediation. For example, if a brute force attack occurs, an analyst reviewing the incident can quickly determine the corresponding MITRE ATT&CK tactic and access detailed information about the attack, including potential solutions, mitigation strategies, and potential future actions. This seamless integration between MITRE ATT&CK and Splunk empowers security teams to respond to threats more effectively and efficiently.

    Splunk has significantly enhanced my business resilience and problem-solving capabilities. Due to the urgency of different issues, there are four types of Splunk support cases: P1, P2, P3, and P4. P1 cases are incredibly critical and require immediate attention. If a business-critical issue arises, I can open a P1 case, and the Splunk support team will respond within 15 minutes. This rapid response has enabled me to resolve critical issues promptly. For P2 cases, the support team typically connects within two to three hours. P3 cases receive a response within 24 hours. Overall, the Splunk support team consistently resolves issues efficiently.

    After deploying the use case, we immediately observed the benefits of Splunk Enterprise Security. We can instantly monitor enterprise security use cases in our environment without delay. However, as a precautionary measure, we deploy use cases and monitor them for seven days. If the use case does not generate excessive noise within this period, we deploy it to the final environment. Otherwise, we refrain from deployment. Splunk's capability allows us to deploy use cases within seconds.

    Splunk helps me consolidate all the data, such as networking and cyber security data. If there are other types, such as behaviour analysis, we can perform them with the help of Splunk. But I'm mainly in the cyber security field, so I am more concerned with Splunk for cyber security data only. For example, in my PhD, I created my thesis based on medical performance monitoring. I monitor the performance health condition of one million people with the help of Splunk. So, this is not a cybersecurity use case I'm creating there. I monitor the health condition with the help of Splunk Enterprise. If a health condition is significant, the alert immediately goes to the doctor, physician, and their relative.

    My alert volume has decreased significantly. Splunk is a machine that generates alerts based on specific use cases or service queries. Before implementing a new use case or alert, we must analyze how many alerts it will trigger. If it generates fewer than one alert per day, it's acceptable. However, I will only deploy it if it generates one daily alert. This approach allows me to reduce the alert volume effectively using Splunk Enterprise Security.

    Splunk streamlined my security investigations by consolidating logs into a single repository. The Splunk community provided invaluable assistance, enabling me to quickly find answers to my security-related questions and address concerns promptly. By leveraging the collective knowledge of the global community, I expedited my security processes and enhanced overall security measures.

    Splunk reduces the mean time to resolve because it enables L1 SOC analysts to view relevant data in the power role field directly. For example, when a brute force attack alert triggers, analysts can easily see the source IP, time of the alert, user, destination IP, and other critical fields. This immediate access to information allows for swift preventive measures, countermeasures, and efficient resolution of cybersecurity issues. Splunk's clear and intuitive interface empowers even junior analysts with only one year of experience to effectively apply their knowledge and address security challenges.

    What is most valuable?

    The two features I like most in Splunk Enterprise Security are the content management system and the inter-incident review dashboard. The incident review dashboard allows us to directly view significant events triggered by the use cases I've configured within the content management system.

    What needs improvement?

    I suggest that Splunk provide the same resources on its platform, as on other websites through Google. For instance, they could offer pre-built search queries for everyday use cases like brute force attacks, DDoS attacks, and other security threats. These queries would be generated based on my specific data, saving me the time and effort of creating them manually. This would be incredibly beneficial and align with the AI capabilities already present in Splunk Enterprise Security.

    For how long have I used the solution?

    I have been using Splunk Enterprise Security for eight years.

    What do I think about the stability of the solution?

    In the eight years I have used Splunk Enterprise Security, I have experienced no stability issues. There has been no downtime or crashing. The only problems I have encountered were temporary interruptions in some features, lasting approximately 15 minutes.

    What do I think about the scalability of the solution?

    Splunk Enterprise Security is highly scalable. For example, I currently have one terabyte of data to deploy, and tomorrow, I need to deploy ten terabytes. In that case, the system can easily accommodate the increased load without compromising performance. It is extremely fast and efficient, ensuring no issues even as the input data volume grows. The system adjusts quickly to meet the demands of expanding data requirements.

    How are customer service and support?

    I have contacted Splunk technical support three times in the past fifteen days due to various issues encountered while using Splunk. Each time I reached out, they responded promptly and assisted me in resolving the problems.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    I have used several alternatives to Splunk, such as AppDynamics, Dynatrace, and Oracle Enterprise Manager. However, I have found Splunk Enterprise and Splunk Enterprise Security the most effective tools for my needs. These platforms are easy to use, allowing for flexible parameter customization and dynamic adjustments to meet specific requirements.

    How was the initial setup?

    The initial deployment of Splunk Enterprise Security was straightforward due to my prior experience learning and using various tools. I found it to be significantly easier to implement than similar software.

    I set up my lab independently, being new to the environment at the time and eager to learn. I visited the Splunk website and discovered the free courses they offer. Using these courses, I successfully configured my lab. Splunk provides valuable assistance for setting up personal labs and offers a 60-day trial version. This version allows for direct log setup and hands-on practice of Splunk skills without cost.

    What's my experience with pricing, setup cost, and licensing?

    Splunk Enterprise Security's pricing is competitive. For instance, the cost typically increases proportionally with the daily license volume. For example, purchasing a 100 GB license per day is less expensive than buying one GB per day. A discount is offered for larger volume purchases.

    What other advice do I have?

    I would rate Splunk Enterprise Security eight out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
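As an added example that is not part of any of these reviews and not Splunk's own code, the following Python models the pipeline the first reviewer (filtering Windows events at ingestion) and this reviewer (brute force correlation searches, and checking a new rule's alert rate before promoting it) describe. The Event IDs are standard Windows Security codes; the sample events, the five-failures-in-ten-minutes threshold and the one-alert-per-day ceiling are assumptions.

```python
"""Offline model of two things the reviews describe: a forwarder whitelist that
keeps only the Windows Security events worth indexing, and a throttled brute
force correlation search whose alert rate is checked before it is promoted.
Constructed sample data; not Splunk code and not from the reviewers."""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security Event IDs for the categories the first reviewer names:
# 4625 failed logon, 4724 password reset attempt, 4672 special privileges
# assigned, 4728/4732/4756 member added to a security-enabled group.
WHITELIST = {4625, 4724, 4672, 4728, 4732, 4756}


def _ts(day, hhmm):
    """Build an ISO timestamp on a fixed (constructed) date."""
    return f"2024-05-{day:02d}T{hhmm}:00"


# Constructed sample events in a Splunk-like JSON shape (not real telemetry).
SAMPLE_EVENTS = (
    # thirty routine successful logons: the bulk a whitelist keeps out
    [{"_time": _ts(1, f"08:{m:02d}"), "EventCode": 4624, "user": "alice",
      "src_ip": "10.0.0.5", "dest": "DC01"} for m in range(30)]
    # two stray failures by a real user: stays below the threshold
    + [{"_time": _ts(1, "09:01"), "EventCode": 4625, "user": "alice",
        "src_ip": "10.0.0.5", "dest": "DC01"},
       {"_time": _ts(1, "09:03"), "EventCode": 4625, "user": "alice",
        "src_ip": "10.0.0.5", "dest": "DC01"}]
    # six failures in five minutes against a service account: brute force
    + [{"_time": _ts(1, f"23:{m:02d}"), "EventCode": 4625, "user": "svc_backup",
        "src_ip": "198.51.100.7", "dest": "DC01"} for m in range(10, 16)]
    # day two: one password reset and nothing suspicious
    + [{"_time": _ts(2, "10:00"), "EventCode": 4724, "user": "helpdesk",
        "src_ip": "10.0.0.9", "dest": "DC01"}]
)


def filter_events(events, whitelist=WHITELIST):
    """Stage 1: emulate the inputs whitelist; only listed EventCodes are indexed."""
    return [e for e in events if e["EventCode"] in whitelist]


def brute_force_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Stage 2: one alert per (src_ip, user, dest) whose failed logons (4625)
    reach `threshold` inside any sliding `window`, carrying the fields an L1
    analyst needs on the notable. Throttled: a key alerts at most once."""
    failures = defaultdict(list)
    for e in events:
        if e["EventCode"] == 4625:
            key = (e["src_ip"], e["user"], e["dest"])
            failures[key].append(datetime.fromisoformat(e["_time"]))
    alerts = []
    for (src_ip, user, dest), times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the left edge forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"src_ip": src_ip, "user": user, "dest": dest,
                               "count": end - start + 1,
                               "first_seen": times[start].isoformat(),
                               "last_seen": t.isoformat()})
                break
    return alerts


def evaluate_rule(events, days, max_per_day=1.0, **search_kw):
    """The soak test before promotion: replay the rule over `days` of history
    and report its alert rate. The one-per-day ceiling is an assumption."""
    alerts = brute_force_alerts(filter_events(events), **search_kw)
    rate = len(alerts) / days
    return {"alerts": alerts, "alerts_per_day": rate, "deploy": rate < max_per_day}


if __name__ == "__main__":
    kept = filter_events(SAMPLE_EVENTS)
    print(f"indexed {len(kept)} of {len(SAMPLE_EVENTS)} events after whitelist")
    result = evaluate_rule(SAMPLE_EVENTS, days=2)
    for alert in result["alerts"]:
        print("brute force notable:", alert)
    print(f"{result['alerts_per_day']:.2f} alerts/day -> deploy={result['deploy']}")
```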
    PeerSpot user
    SOC Analyst at Topcon Omni Systems, Inc.
    Real User
    Makes investigations much easier by providing us with the relevant context to help guide our investigations
    Pros and Cons
    • "The most valuable features include the incident review and Dashboard Studio."
    • "Having analysts put their notes directly within the investigation feature in the incident review would be beneficial."

    What is our primary use case?

    The use cases depend on how you want detections to be set up. For example, you can have specific use cases for Office 365 alerts, Carbon Black, or more extensively towards MITRE ATT&CK framework. You can enable different analysis stories and alerts based on these use cases. You can individually go ahead and enable them. 

    How has it helped my organization?

    It is really important that Splunk Enterprise Security provides end-to-end visibility into our environment because there are multiple levels of hierarchy within an organization. 

    We need easy visibility starting from L0 analysts to the SOC manager and director. So, if it is easily visible, it makes the operations easy to teach the basic analyst or also to show the upper management what we have in the current scenario or how an investigation is going on. Visibility is very important.

    Splunk Enterprise Security helped improve our organization's ability to ingest and normalize data. We have different teams approaching us to use Splunk, ingest their logs, and aggregate their logs.

    The system helped us reduce our alert volume mostly because a lot of false positives had been fine-tuned. That was my last two months of work consolidated. I had to go in, check on all the alerts, see what was using a huge spike in alerts, and make sure the false positives were reduced and the alerts had come down. 

    Splunk Enterprise Security provides us with the relevant context to help guide our investigations. It makes investigations much easier. With more information and the right applications, I break down the investigation in such a way that I can build a timeline. Once I have a timeline, I can build a story around it and make a report around it. Splunk definitely has helped a lot.

    Splunk Enterprise Security helped reduce our mean time to resolve. Using the identity investigator and asset investigator applications definitely reduces the meantime for an investigation. I can see all the authentication logs, changes made, and threat IDs by simply inputting a username or asset name. It reduces investigation time by about 60 to 75%.

    We currently use it for our security team. The next step is to pitch it to different teams and get it integrated for them as well.

    What is most valuable?

    The most valuable features include the incident review and Dashboard Studio. My job involves building dashboards, so it's easy to visualize and explain the environment using Dashboard Studio. 

    Incident review with my SOC job helps me check all the incidents and alerts coming in.

    What needs improvement?

    Having analysts put their notes directly within the investigation feature in the incident review would be beneficial for making notes. 

    We have to go to multiple tabs for each dashboard, for each incident, or each application within Splunk, so if there were a way to consolidate all the tabs, or everything, into one app for that particular organization, where an analyst could just click on that and everything is there, that would be a really good feature.  

    For how long have I used the solution?

    I've been using Splunk for about five years now. I started at my previous job right after my master's. I was working for Santander Bank, where I used Splunk extensively for three years. I was a SOC analyst there.

    Now at the current company, I've been here for about a year, so I've been using it here as well.

    What do I think about the stability of the solution?

    Cisco being Cisco, just bought Splunk. I would give it some more time to see how things go. 

    Prior to Splunk's acquisition by Cisco, Splunk was really good. 

    How are customer service and support?

    Overall, the customer service and support were very good. At times, we had difficulties reaching out with our questions, but most of the time, they were answered. Due to the time constraints, we had just 100 hours working with the consultant. So some things kind of took some time with that.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    When I joined this current company, they had Rapid7. It was horrendous and horrible. It was not easy to use. I'm kind of partial to Splunk because I started off with Splunk, so, we switched. 

    I joined last July and asked my manager about the current solutions. He was not happy with how Rapid7 was working either. We evaluated different vendors, including Microsoft Defender and Sentinel. My preference for Splunk played a role in our decision.

    What about the implementation team?

    We had a consultant for the integration process. They were very helpful. We had a consultant named Sayed who guided us through the process. They provided step-by-step instructions (kinda baby steps), walked us through analytics and restoring, and different aspects of Splunk. It was a really helpful experience.

    What was our ROI?

    It's only been about two and a half to three months. It's still fairly new to our environment. I would give it three to four more months before assessing ROI.

    Which other solutions did I evaluate?

    We evaluated Sentinel, Palo Alto, and Splunk, along with Rapid7, which was already in the environment. So, we evaluated these four options. 

    Splunk gave us the opportunity to take in or put in whatever logs we wanted and plug in whichever applications we wanted to have visibility into. 

    We didn't have that flexibility with Palo Alto and Sentinel. We didn't have the investigation ease with the others; the investigation ease within Splunk is very easy. 

    I could build an SQL query within a minute, or I could just open up different documents to have it right there. But if I go to Palo Alto, it's not there. 

    Defender was quite a good competition. Like Sentinel, it was a good competition, but Splunk stopped where the investigation time was considerably less compared to Sentinel.

    What other advice do I have?

    Overall, I would rate it a nine out of ten because we haven't integrated a lot of applications like SOAR and stuff. Once we have everything in place, it might be a ten. But right now, I would go with a nine.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Amazon Web Services (AWS)
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    Buyer's Guide
    Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.
    Updated: September 2025