Information Security Architect at UMMS
Real User
Top 5 Leaderboard
May 29, 2025
Incident reviews and machine learning capabilities help identify and prevent incidents
Pros and Cons
  • "The incident review in Splunk Enterprise Security seems to be the most helpful feature."
  • "Splunk Enterprise Security is more advanced compared to other solutions, which makes it stand out as a better option."
  • "It would be nice to have more advanced UEBA in Splunk Enterprise Security. Additionally, it would be beneficial if they offered more threat intel feeds for free."
  • "One thing that I probably dislike the most about the Splunk product is their support."

What is our primary use case?

We use Splunk Enterprise Security for security monitoring.

How has it helped my organization?

Advanced correlation capabilities help to identify the patterns of malicious activities.

Machine learning capabilities in Splunk Enterprise Security have been effective for identifying and preventing incidents. Through machine learning, they correlate all the data and create notable events, which helps us identify malicious or suspicious traffic.

We have used the risk-based alerting a little bit. So far, it's been just fine. We haven't gone deep into it. Our other operations team hasn't utilized it to its full capacity, but it makes a pretty good filter overall.

The impact of automated responses provided by Splunk Enterprise Security has been very good on the efficiency of routine security operations.

What is most valuable?

The incident review in Splunk Enterprise Security seems to be the most helpful feature. 

What needs improvement?

It would be nice to have more advanced UEBA in Splunk Enterprise Security. Additionally, it would be beneficial if they offered more threat intel feeds for free. 

Furthermore, incorporating Attack Analyzer into the main product instead of having it as a separate paid purchase would be an improvement.

Buyer's Guide
Splunk Enterprise Security
February 2026
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: February 2026.
884,266 professionals have used our research since 2012.

For how long have I used the solution?

I have been using the solution for about three years.

What do I think about the stability of the solution?

I've had an issue only once with one of their products, but overall, it's been pretty good.

What do I think about the scalability of the solution?

Its scalability is pretty good.

How are customer service and support?

For Splunk Enterprise Security, it's been pretty good. For the regular Splunk Enterprise Platform, overall, it's like a C-minus. One thing that I probably dislike the most about the Splunk product is their support.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I previously used LogRhythm. Splunk Enterprise Security is more advanced compared to other solutions, which makes it stand out as a better option.

How was the initial setup?

I deployed Splunk Enterprise Security using professional services, and overall, it was good. My main responsibility was handling the coordination. The full implementation took about four months.

Approximately 90% of maintenance is done by Splunk.

What about the implementation team?

The implementation was handled by myself.

We purchased Splunk Enterprise Security through a reseller called AccessIT.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security is a bit expensive overall, but it provides good value.

What other advice do I have?

I would rate this solution an eight out of ten overall.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Hari Haran. - PeerSpot reviewer
Technical Associate at Positka
Reseller
Top 20
Feb 26, 2026
Security operations have become streamlined and threat investigations gain rapid, actionable insight
Pros and Cons
  • "Regarding scalability, Splunk Enterprise Security is way ahead compared to other products, and I would score it at the maximum."
  • "During my experience with Splunk Enterprise Security, I have faced some significant challenges, particularly with customers adapting from version 7 to version 8."

What is our primary use case?

I would like to discuss Enterprise Security, and I explain that the main use case for the product is to protect our customers and support various attacks.

Regarding threat detection, I explain that during investigations, most of our SOC-related customers use Splunk Enterprise Security to identify threats.

How has it helped my organization?

In terms of benefits, Splunk Enterprise Security provides numerous advantages to end users, notably in reducing personnel needs for SOC operations.

Regarding pricing for Splunk Enterprise Security, I find it relatively affordable globally, although it seems costly in India due to currency exchange.

What is most valuable?

In my opinion, the functions in Splunk Enterprise Security that I find most valuable include unique features and tools that the product offers.

What needs improvement?

For improvement points, I think Splunk has several enhancements on the table right now to enhance Splunk Enterprise Security with functionalities and threat detection improvements.

For how long have I used the solution?

I have been working with Splunk Enterprise Security for seven years.

What do I think about the stability of the solution?

For stability, I would rate it a 10, as Splunk Enterprise Security is generally stable, especially now with its latest version.

What do I think about the scalability of the solution?

Regarding scalability, Splunk Enterprise Security is way ahead compared to other products, and I would score it at the maximum.

How are customer service and support?

I would rate Splunk Enterprise Security's technical support as a 10, as they provide 24/7 assistance based on priorities and are accessible for queries.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

In comparison to other products, I think previous tools such as IBM QRadar were competitors, but currently, I hear about CrowdStrike getting into the picture.

How was the initial setup?

In general, I find that the initial setup for Splunk Enterprise Security is simple, especially with clear documentation from Splunk.

It depends on the client; if they have a qualified engineer with experience in Splunk Enterprise Security, they can handle the setup themselves.

What about the implementation team?

The solution is deployed both on-premises and cloud-based, depending on the customer's domain.

What other advice do I have?

My feedback regarding some processes of customizing, developing, and testing in Splunk Enterprise Security is that I am thinking from a customer perspective, focusing on the customizations they require.

I have experience with risk-based alerting in Splunk Enterprise Security, as we configure based on the priority of the instance, servers, or the endpoints.

During my experience with Splunk Enterprise Security, I have faced some significant challenges, particularly with customers adapting from version 7 to version 8.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller
Last updated: Feb 26, 2026
Ankar Aung - PeerSpot reviewer
Network Security Engineer at a consultancy with 10,001+ employees
Real User
Top 5 Leaderboard
Jan 8, 2026
Centralized dashboards have improved log visibility and support faster security investigations
Pros and Cons
  • "Splunk Enterprise Security can retain logs for compliance purposes longer than the usual three months."
  • "Splunk Enterprise Security documentation exists, but compared to Palo Alto, Palo Alto has more knowledge base articles."

What is our primary use case?

I deal with the Palo Alto FO and then Cortex XSIAM. I work with Cortex XSIAM and Cortex EDR products. We recently adopted Cortex XSIAM from Splunk Enterprise Security as our SIEM product for log management.

I have two to three years of experience with Splunk Enterprise Security, but not continuously; this is just a tool used by me, not daily. We send logs from the firewalls to XSIAM and analyze the traffic logs to determine whether deny or allow for migration. We use both Splunk and Cortex XSIAM for log analysis. I have never dealt with Splunk support.

What is most valuable?

I have experience with Palo Alto, Cisco, and Fortinet products. Splunk Enterprise Security is more dedicated to logs, not a unified product like Palo Alto. Palo Alto Cortex has the same UI across Cortex EDR and Cortex XSIAM, so all the product family is in one UI, whereas Splunk Enterprise Security is more focused on log search.

Palo Alto has better speed and better visibility. I can see all the M-points from one UI and search the logs from this UI. I use disparate security solutions that integrate or import data into Splunk Enterprise Security, including different log sources from the endpoint, firewall, router, switches, and everything that needs logging for visibility.

Splunk Enterprise Security can retain logs for compliance purposes longer than the usual three months. The dashboard capability also allows Splunk Enterprise Security to create dashboards based on logs, which makes it really helpful for visibility.

What needs improvement?

I feel more comfortable using XSIAM now compared to Splunk Enterprise Security. Splunk Enterprise Security is already a mature product, so I do not have much to point out. It could be a little more user-friendly, which would be nice.

It could also expand the product family beyond security log search. Since it has the capability of indexing things, perhaps Splunk Enterprise Security could develop their own EDR agent like Palo Alto and create a product family with a unified dashboard. This would definitely help the enterprise.

Splunk Enterprise Security documentation exists, but compared to Palo Alto, Palo Alto has more knowledge base articles. Even though the concepts are the same and multiple engineers have written articles for cross-reference, I do not see this level of documentation in Splunk Enterprise Security.

For how long have I used the solution?

I have two to three years of experience with Splunk Enterprise Security, but not continuously; this is just a tool used by me, not daily.

Which solution did I use previously and why did I switch?

The switch to Cortex came from management, likely because the Palo Alto product family is already in our environment. We have been using Palo Alto GlobalProtect and other security products, so bringing XSIAM into the environment makes sense.

What other advice do I have?

I do not see a real difference between XSIAM and Splunk Enterprise Security; they both have a search query functionality. Splunk Enterprise Security has Splunk query language, so it is just a different language and different way of searching logs. Eventually, we get the same logs including source, destination, port, and traffic allow and deny information.

I used to be a customer with Splunk Enterprise Security. I have hands-on experience but not extensive experience with Splunk Enterprise Security products in the past. I am more focused on networking than the security team. I do not have an answer about how long on average it takes SecOps teams to remediate security incidents using Splunk Enterprise Security.

I would rate this review an 8.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Jan 8, 2026
Vice President Research And Development at OSINT Ambition
Real User
Top 20
Jul 30, 2025
Helps us manage logs easily and detect threats effectively
Pros and Cons
  • "Splunk Enterprise Security performs 80% of our work on its own; we just have to do the remaining 20%, which gives us the freedom to explore and detect threats more effectively."
  • "Its deployment is difficult. I remember when I first started learning, I faced several challenges, especially when deploying VMware in a virtual environment."

What is our primary use case?

I work in a SOC team where I study threat hunting and threat determination. Most of my work is based on looking for malware traffic or suspicious traffic in Splunk Enterprise Security. I belong to the SOC team.

What is most valuable?

The best feature about Splunk Enterprise Security is its clean interface and the detail it provides. It helps us manage logs with a very clean interface, which is not available in other software. 

They also provide extensive learning resources on their official site that help us while performing tasks. Its documentation and community are very strong, making it a perfect SOC tool. If we come across any problem, we can search the community or consult the documentation for solutions. 

It is very clean and detailed, helping us detect threats easily. Splunk Enterprise Security performs 80% of our work on its own; we just have to do the remaining 20%, which gives us the freedom to explore and detect threats more effectively.

What needs improvement?

The machine learning capabilities of Splunk Enterprise Security are good, but they can be improved. In a changing threat landscape, its machine learning capability can be improved in behavior-based analysis because signature-based analysis does not work very well currently.

It can improve in detecting new types of attacks or IOCs through behavior-based learning capabilities. For example, if there is malware traffic incoming, it should detect it using network logs more precisely, as most malware traffic uses the same kind of port or attack.

There should be a community program or hackathon-type events where people can develop more advanced and sophisticated machine learning models for Splunk Enterprise Security to enhance its functionality. 

Adding a chatbot similar to GitHub Copilot in Splunk Enterprise Security would be beneficial. It would help write different kinds of sophisticated queries and assist in solving problems we encounter, similar to what we have in VS Code.

There is good scope for developing Splunk Enterprise Security for low-level systems such as Raspberry Pi. However, for server deployment, a robust server is essential. Development should focus on making Splunk Enterprise Security capable of running on devices such as Raspberry Pi.

For how long have I used the solution?

I used Splunk Enterprise for a long time in previous organizations. I have also used the Community version for my personal projects, which is available for free. I have experience with both Splunk Enterprise Security and the normal Splunk Community version. I still use Splunk Enterprise Security quite frequently when working with SOC and related processes.

What do I think about the scalability of the solution?

Splunk Enterprise Security is highly scalable, which is why approximately 95% of the industry uses it without experiencing scalability problems. It performs exceptionally well when discussing scalability.

How are customer service and support?

I do not remember contacting technical or customer support. Whenever I faced any problem, I usually consulted the documentation or community, and 99% of my problems were solved that way.

Which solution did I use previously and why did I switch?

I have used Wazuh, Elasticsearch, Kibana, and some basic Linux SOC management tools such as Zeek and Wireshark as alternatives to Splunk Enterprise Security. However, I find Splunk Enterprise Security to be much more advanced than those tools, as they lack automation and machine learning capabilities, requiring customization from the user. Splunk Enterprise Security is more refined and offers a better experience.

How was the initial setup?

Its deployment is difficult. I remember when I first started learning, I faced several challenges, especially when deploying VMware in a virtual environment. It was quite a difficult task. However, when deploying on a server, I would consider it to be at a medium level of difficulty. On the other hand, if you're deploying for a learning lab or something similar, it’s pretty much on the hard side.

For personal home labs, it is a one-person job, meaning a seasoned professional can handle it. For enterprise-level deployment, a person managing operations and a person handling server management is sufficient. After the initial deployment, one person is enough for a mid to low-level company, while a higher-order company requires a team to operate Splunk Enterprise Security.

Splunk Enterprise Security requires very little maintenance on my end, as it has improved significantly. If there are no frequent changes in the server, there is not much maintenance required. I have not invested much time in updates or maintenance, so once deployed, you just need a good professional to use it; maintenance is not much of a concern.

What's my experience with pricing, setup cost, and licensing?

The pricing of Splunk Enterprise Security is fair for what it provides. If someone wants everything for free, it is not a reasonable expectation. Everything comes at a price, and I find it to be affordable, which is why every industry uses it. Its pricing is fair, and the community version works well for learning purposes.

What other advice do I have?

I would rate Splunk Enterprise Security an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Jul 30, 2025
Sage Martinez - PeerSpot reviewer
IT Security Analyst I at a comms service provider with 1,001-5,000 employees
Real User
Top 10
Sep 11, 2025
Has improved investigation speed with effective search features and real-time analysis
Pros and Cons
  • "Everything I'm seeing now in Splunk Enterprise Security is effective, especially the AI and the Attack Analyzer, which I found particularly impressive."
  • "I would say we haven't seen any return on investment with Splunk Enterprise Security because we are still maturing and trying to get everything situated, and we're experiencing roadblocks with other teams not wanting to give us what we need."

What is our primary use case?

My main use cases for Splunk Enterprise Security are responding to alerts, looking for logs, and for investigations.

What is most valuable?

The features I appreciate the most about Splunk Enterprise Security are the basic search capabilities, seeing what I input into the search and what results I receive, such as the charts and their visibility. These features benefit my organization by helping with our investigations; when we receive something, we're able to quickly find its source and nature. Everything I'm seeing now in Splunk Enterprise Security is effective, especially the AI and the Attack Analyzer, which I found particularly impressive.

What needs improvement?

The most significant challenge I face when using Splunk Enterprise Security for advanced threat detection is not with Splunk itself, but with our own asset management and knowing what our assets are, particularly regarding visibility.

For how long have I used the solution?

I have been using Splunk Enterprise Security for about a year.

What do I think about the stability of the solution?

I have experienced maybe one downtime, crash, or performance issue.

I would describe the stability and reliability of Splunk Enterprise Security as good, with only a couple of issues that were within our own team.

What do I think about the scalability of the solution?

Splunk Enterprise Security has been good so far in scaling with the growing needs of my organization; we haven't been growing too much to where it's a problem, but it's been performing well.

What was our ROI?

I would say we haven't seen any return on investment with Splunk Enterprise Security because we are still maturing and trying to get everything situated, and we're experiencing roadblocks with other teams not wanting to give us what we need.

Which other solutions did I evaluate?


What other advice do I have?

Splunk Enterprise Security handles problems in real-time. 

When rating Splunk Enterprise Security overall, I'd give it a nine out of ten. I appreciate that it has a good UI that looks good and works well. I would recommend Splunk Enterprise Security.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Sep 11, 2025
Associate I at Positka
Real User
Top 20
Feb 17, 2026
Advanced analytics has improved resilience and real-time threat mapping across diverse data
Pros and Cons
  • "Splunk Enterprise Security has helped greatly improve the organization's business resilience."
  • "I think the pricing aspect of Splunk Enterprise Security is quite high compared to other products, which I hear from most of my customers."

What is our primary use case?

My use cases for Splunk Enterprise Security involve both security as well as data analytics.

How has it helped my organization?

Splunk Enterprise Security has helped greatly improve the organization's business resilience.

What is most valuable?

The features of Splunk Enterprise Security that I appreciate the most include the recent AI feature and the MITRE mapping feature.

AI helps in analyzing a certain detection within Splunk Enterprise Security and assists with some tasks that I might require internet or other tabs to work on, while MITRE ATT&CK helps me to map the attacks and provides coverage for my attacks.

What needs improvement?

I would appreciate improvements in the licensing aspect, especially with the SVC-based license, as there is no proper view on top of it regarding how much CPU and usage is being done on the SVC-based license, along with updates to the SOAR version.

The experience with alerts, specifically risk-based alerts, is good, but it might need some improvement as there might be some deviation or false positives, so I think implementing AI over there might increase the feasibility or view around it.

I think the pricing aspect of Splunk Enterprise Security is quite high compared to other products, which I hear from most of my customers.

For how long have I used the solution?

I have been working with Splunk Enterprise Security for approximately 3.5 years.

What do I think about the stability of the solution?

I would assess the stability and reliability of Splunk Enterprise Security as very good, with not much downtime or crashes, as it depends on the hardware used and the kind of setup done, which is primarily based on misconfiguration or not predicting something.

I have not faced any significant challenges when using Splunk Enterprise Security; there is not much that I cannot solve.

What do I think about the scalability of the solution?

Splunk Enterprise Security scales very well with the growing needs of my organization and my clients' organizations.

Expanding usage with Splunk Enterprise Security consumes time and effort, but the end result is actually good.

How are customer service and support?

I would evaluate customer service and technical support as good but not very good.

On a scale of one to ten, I would rate them somewhere around seven to eight.

How would you rate customer service and support?

Positive

How was the initial setup?

I would describe my experience with deploying Splunk Enterprise Security as good, pretty easy, straightforward, and with plenty of documentation.

I have not faced any challenges during the deployment aspect; even if I did, I figured it out using Splunk Community and Splunk documentation.

What was our ROI?

It does bring measurable benefits in terms of return on investment for clients; specifically, for banking or finance customers who wish to contain their data within their environments, they would definitely go for Splunk Enterprise Security compared to CrowdStrike, but less mature organizations might prefer other products.

Which other solutions did I evaluate?

The key differences, both pros and cons of Splunk Enterprise Security in comparison to CrowdStrike, are that I am a Splunk enthusiast and I love Splunk Enterprise Security, but CrowdStrike is good in search and detections due to its status as a threat intel partner, which offers good detections, while customization done in Splunk Enterprise Security might take too much time on CrowdStrike and there are fewer integration options with CrowdStrike.

I don't have much idea on disadvantages of Splunk Enterprise Security apart from the pricing.

What other advice do I have?

I am currently working with Splunk products.

I work with Splunk Enterprise and Splunk Enterprise Security.

The process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security is pretty easy for me as an expert, but I'm not sure for a new user; being a Splunk architect, I feel it's a little easy and the customization is very helpful.

We have it integrated with various disparate solutions including RSA, CrowdStrike, AWS, Google, Microsoft, Docker, firewalls, switches, and multiple other technologies.

This integration supports my security operations by fetching logs about user activity and audit logs and actions taken by the user; for normal products, this allows me to analyze, detect, and correlate two or three different datasets to build up a use case from which I can deduce some information, and with the queries I have using SPL queries, I can get some data analytics or alerts or reports based on which I can take action.

I use risk-based alerting in Splunk Enterprise Security.

My experience with risk-based alerting, while not mainly focused on the SOC part of Splunk Enterprise Security, provides support to my engineering efforts.

I am not currently using any new threat detection features in Splunk Enterprise Security; I have no idea about that part of it.

My impressions of Splunk Enterprise Security's capability to predict, identify, and solve problems in real-time depend on what kind of data is being received and the use cases being written; it is not straightforward, but because Splunk Enterprise Security is an analytics platform without AI on top of it, it feels that some data sources are less predictable, yet for jobs that are repetitive or similar, Splunk Enterprise Security works well.

I would rate this product a 9 out of 10.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Feb 17, 2026
IT Admin at EuroSerwis
Real User
Top 20
Sep 30, 2025
Faced challenges with cost and support but have gained insights into traffic monitoring and threat detection
Pros and Cons
  • "What I appreciate about Splunk Enterprise Security is creating the newest SPL for network traffic and using the risk-based alerting feature that helps my organization by allowing me to learn more information about Splunk every day because it is a big platform."
  • "I encounter issues such as downtime, bugs, glitches, and unbox errors."

What is our primary use case?

My use case for the project is thin.

What is most valuable?

What I appreciate about Splunk Enterprise Security is creating the newest SPL for network traffic. I use the risk-based alerting feature. The risk-based alerting helps my organization by allowing me to learn more information about Splunk every day because it is a big platform.

What needs improvement?

I think that Splunk Enterprise Security is a very good platform, but the price is very high. I don't know how to explain what else can be improved in Splunk Enterprise Security aside from pricing. Support is important for improvements. My thoughts on better support include better knowledge base and better response time; it encompasses both aspects.

For how long have I used the solution?

I moved to Splunk Enterprise Security and learned it for two to three years, but in the last year, I worked with my friends on one project.

What do I think about the stability of the solution?

I rate the stability as a five. I encounter issues such as downtime, bugs, glitches, and unbox errors.

What do I think about the scalability of the solution?

Only two users use Splunk Enterprise Security.

How are customer service and support?

Support is important for improvements. My thoughts on better support include better knowledge base and better response time; it encompasses both aspects. I rate support as a five.

How would you rate customer service and support?

Positive

How was the initial setup?

I think it was easy to install, but this platform has many components I must learn. It took me months to deploy.

What other advice do I have?

I am reviewing Splunk Enterprise Security today, and I am working on one simple product and creating simple SPL. My thoughts on customizing, developing, testing, deploying, and refining detections are focused on detection. The testing is just the last component. My thoughts on the testing feature in Splunk Enterprise Security involve the network traffic to Cisco traffic, Uniper, or low car infrastructure. I am using new threat detection features in Splunk Enterprise Security and would work on big projects in the future. I do not use disparate security solutions that integrate or import data into Splunk Enterprise Security. I am wanting to learn more because I create simple SPL, and my friends are not Splunk Enterprise Security expert admins. I would recommend Splunk Enterprise Security to other users because it is a platform for monitoring all traffic, network infrastructure, hardware, software, and everything.

I rate the solution overall as a five out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 30, 2025
Security Engineer at a consultancy with 11-50 employees
Real User
Top 20
Sep 10, 2025
Search features have improved our threat detection and streamlined data analysis
Pros and Cons
  • "The feature I appreciate the most about Splunk Enterprise Security is Search Processing Language, which has benefited my organization by making searching data a lot easier than other tools I've used."
  • "Sometimes talking through email isn't the most effective method, as they go through troubleshooting steps we've already taken, which requires additional back-and-forth communication."

What is our primary use case?

My main use cases for Splunk Enterprise Security are detections and security.

What is most valuable?

The feature I appreciate the most about Splunk Enterprise Security is Search Processing Language. These features have benefited my organization by making searching data a lot easier than other tools I've used.

What needs improvement?

Improvement for Splunk Enterprise Security is hard to address because I'm not on version 8 yet. The main thing was integrating all the different pages we have into one, which they have accomplished in version 8.1.2. I'm looking forward to using it.

For how long have I used the solution?

I have been using Splunk Enterprise Security for two years.

What do I think about the stability of the solution?

I would assess the stability and reliability of Splunk Enterprise Security as having no issues so far.

What do I think about the scalability of the solution?

Splunk Enterprise Security appears to scale with the growing needs of my organization. We haven't expanded usage at all yet.

How are customer service and support?

I would evaluate customer service and technical support as seven or eight out of ten. They're normally great. Sometimes talking through email isn't the most effective method, as they go through troubleshooting steps we've already taken, which requires additional back-and-forth communication.

How would you rate customer service and support?

Positive

What was our ROI?

I would imagine we have seen return on investment with Splunk Enterprise Security.

What other advice do I have?

My advice to other organizations considering Splunk Enterprise Security is that it is definitely worth implementing, but it must be done properly. Make sure you have all preparations complete before getting the implementation package. I rate Splunk Enterprise Security eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Sep 10, 2025