Geoffrey Njogu - PeerSpot reviewer
Security & Privacy Engineer at a tech services company with 51-200 employees
Real User
Top 20
May 22, 2026
Unified monitoring has improved alert fatigue management and streamlined reporting workflows
Pros and Cons
  • "From using Splunk Enterprise Security, I have already seen benefits such as tracking alert fatigue in my team, especially with the SOC Operations dashboard and the Executive Dashboard."
  • "There is room for improvement for Splunk Enterprise Security. I moved away from Security Onion before switching to Splunk because Splunk was promising with Splunk AI, but now I am questioning if I made the right decision given that everybody is moving towards the AI aspect, especially since Splunk told me I cannot use Splunk AI on my platform and Security Onion already has the Gen-Sec SOC."

What is our primary use case?

Splunk Enterprise Security serves as my primary tool for security monitoring and log aggregation, allowing me to write correlation searches. I also use it for anti-money laundering purposes and have developed several use cases around that functionality.

What is most valuable?

The entire platform of Splunk Enterprise Security provides significant value, though breaking it down into individual features is challenging. The out-of-the-box log ingestion and integration with other platforms stands out as one of the most valuable aspects because I can pass data from different sources, making it very easy for me to work with.

From using Splunk Enterprise Security, I have already seen benefits such as tracking alert fatigue in my team, especially with the SOC Operations dashboard and the Executive Dashboard. I can track how many alerts we are closing, how fast we are closing them, and understand what my team is doing and what is taking too much of their time. That visibility is valuable. One of the best things about Splunk is the ability to create my own dashboards very quickly, which makes reporting straightforward for me.

What needs improvement?

There is room for improvement for Splunk Enterprise Security. I moved away from Security Onion before switching to Splunk because Splunk was promising with Splunk AI, but now I am questioning if I made the right decision given that everybody is moving towards the AI aspect, especially since Splunk told me I cannot use Splunk AI on my platform and Security Onion already has the Gen-Sec SOC.

Honestly, we are not fully using the functionality of risk-based alerting in Splunk.

For how long have I used the solution?

I have been working with Splunk Enterprise Security since around October 2022, so it has been almost two years.

What do I think about the stability of the solution?

So far, the product is very stable, and the support team is very accessible. If I have an issue, I can raise a ticket, and they either send an article or jump on a call, so they are very responsive.

What do I think about the scalability of the solution?

As of now, we are yet to fully track scalability because the team has not matured enough to use Splunk alone. We have alerts from our WAF, alerts from the EDR, and alerts from the firewall itself. Splunk serves more as a correlation platform with all the other alerts from the other defensive mechanisms sent to us via Slack, but we primarily want to use it for correlation.

How are customer service and support?

I would definitely give my experience with technical support a rating of ten out of ten. I had an incident once, and the escalation started with a Tier 2 person and went all the way to staff engineers in a very short time, which was impressive.

Which solution did I use previously and why did I switch?

Comparing Splunk Enterprise Security with the open-source SIEMs I have used, I would rate it an eight. The reason is that creating the searches had a very long learning curve for my team to understand how to create and improve correlation searches. Compared to tools such as Elastic Security or Security Onion, creating detection rules is more straightforward in those tools, and their community resources are convenient for troubleshooting. However, Splunk is very strong in terms of integration and fetching data from multiple platforms, which is a significant advantage for Splunk, making it easy to ingest logs from different sources.

How was the initial setup?

I took part in the deployment of Splunk Enterprise Security in my organization, and I am also the main administrator. I administer Splunk as well.

I had some issues here and there with most of the applications during the implementation of Splunk Enterprise Security, but I also worked with a consultant, and we eventually resolved them. The documentation was very helpful and quite thorough. Since it was my first time interacting with Splunk, getting around and understanding all the configuration files took some time, but I was comfortable running it by myself after the first three months.

What about the implementation team?

We went through a vendor for our Splunk Enterprise Security purchase.

What was our ROI?

I have seen a return on investment with Splunk Enterprise Security. It was tough to handle the reporting aspect and control alert fatigue from the team, but now with the visibility that I have, it is becoming very easy. We have also decommissioned some tools, such as Wazuh, because the Universal Forwarder can do almost everything Wazuh can do, and we have streamlined our focus to one area instead of looking into multiple dashboards.

What's my experience with pricing, setup cost, and licensing?

I find Splunk's pricing reasonable, but the fact that they do not disclose actual pricing makes it very hard to know whether we are overpriced, so it is difficult to know if they added a very large margin.

What other advice do I have?

Unfortunately, because of the pricing aspect, I could not get the SOAR feature, so I cannot speak to that functionality.

I do not have a specific number as of now, but what I can say is Splunk has given me visibility and a way to track results. If I log in to my dashboard, I can see that since we started, the findings and false positives, the notables that create our false positives, have been reducing over time, so it gives me that visibility.

No other problems were found, and I have been satisfied. I would rate this review an eight overall.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: May 22, 2026
reviewer2745975 - PeerSpot reviewer
Works at a marketing services firm with 1,001-5,000 employees
Real User
Top 20
Jul 29, 2025
Extensive customization facilitates threat detection but integration with cloud and Git needs improvement
Pros and Cons
  • "The product is generally stable and forgiving."
  • "The GUI, now called Mission Control, which serves as issue management or ticket management, falls below what would be considered industry standards."
  • "The AWS add-on is particularly problematic, with most inputs requiring manual writing due to lack of out-of-box functionality."

What is our primary use case?

My use cases for Splunk Enterprise Security are extensive in production. I utilize it for all available functions including observability, asset management, vulnerability management, threat detection, network security, identity management, and various other capabilities.

How has it helped my organization?

The solution does require a lot of customization for an organization. 

What is most valuable?

It is highly customizable, which is a significant advantage. It requires substantial customization and tailoring to particular organization requirements, meaning that out of the box, most features would need configuration.

What needs improvement?

The risk and notables component, particularly the two-tier system of picking something from risk into the notable, is one of the most problematic features. 

The GUI, now called Mission Control, which serves as issue management or ticket management, falls below what would be considered industry standards.

AI assistance for security analysts to analyze notables and risks needs improvement. Although it exists, the demonstration is not yet sufficient for the required level. We need this as soon as possible to help security analysts. 

Splunk Enterprise Security is not cloud environment-friendly, especially when dealing with large cloud infrastructures. With significant AWS presence and multiple clouds, collecting asset data is challenging. The AWS add-on is particularly problematic, with most inputs requiring manual writing due to lack of out-of-box functionality.

Regarding the platform and Enterprise Security specifically, the lack of Git-friendly or Git-native integration is problematic. The recently introduced content management system is inadequate, attempting to implement an outdated concept of storing rule versions in an index while teams work with Git natively.

The storage of queries in savedsearches.conf prevents efficient work with query text. It should be structured as separate SPL files that can utilize intellectual add-ons for Visual Studio Code and work natively with GitHub. Content management is limited to applications within the Enterprise Security suite, excluding custom applications not starting with SA or DA.

For how long have I used the solution?

I have been using Splunk Enterprise Security for more than five years.

What do I think about the stability of the solution?

The product is generally stable and forgiving.

What do I think about the scalability of the solution?

When considering Enterprise Security in particular, it demonstrates good scalability.

How are customer service and support?

I contacted their technical support recently. The support provided is decent, though they often reference their knowledge base. For publicly available solutions, this can be redundant as these solutions can be found through internet searches. Support becomes valuable when dealing with issues requiring access to their closed knowledge base for faster responses.

While support provides solutions, implementation can be complex. In a recent case, the provided solution was so complex to implement that I decided not to proceed. The support staff themselves are highly knowledgeable, polite, and responsive, with some being exceptional. The support team deserves a perfect score.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have experience with similar solutions such as AlienVault and ArcSight, each with its advantages and disadvantages. The recommendation depends on the working environment. For cloud-native and GitHub-native organizations, the Enterprise Security solution should align with those principles.

How was the initial setup?

I was solely responsible for the implementation.

It was one of the most difficult deployments I've ever handled. After we set up a cluster with consultants, we made it usable after a year and a half. 

Splunk Enterprise Security requires continuous maintenance, consuming approximately 50% of the time. The numerous data sources and constantly changing formats and source types demand ongoing work on data quality, detection rules, assets, and identities.

People are delegated for platform administration, though they currently need additional time to reach optimal performance levels.

What about the implementation team?

We did work with consultants during the deployment. 

What's my experience with pricing, setup cost, and licensing?

The pricing is currently managed by procurement. Even with substantial company discounts, it remains extremely expensive. This creates internal challenges when teams independently choose open-source or less expensive solutions for log dumping. Duplicating application logs becomes costly as teams may already use DataDog, ELK stack, Elasticsearch, or S3.

With data ingestion of two terabytes or more daily, Splunk Enterprise Security costs become significant. Cloud-native solutions, particularly in AWS, make it more practical to use native security detection mechanisms such as Security Hub, GuardDuty, and Inspector, using Splunk Enterprise Security as a data aggregator.

Many users prefer pre-processing data before ingestion using the Databricks platform for large data sources such as cloud trail logs. The on-premises pricing model based on data ingestion affects Splunk Enterprise Security's market position.

What other advice do I have?

This product requires significant investment in learning as it is not easily understood. Organizations purchasing the solution should expect 6-12 months with a dedicated team before meaningful insights can be delivered.

On a scale from one to ten, Splunk Enterprise Security rates as a seven.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
reviewer2704098 - PeerSpot reviewer
Security & Risk Analyst at a computer software company with 1,001-5,000 employees
Real User
Top 20
May 10, 2025
Exceptional user interface and integrations enhance analytical capabilities
Pros and Cons
  • "The community marketplace is useful; often, you do not need to rely on Splunk Enterprise Security support due to the wealth of online documentation available—Splunk docs are truly beneficial."
  • "Splunk Enterprise Security is amazing."
  • "One area Splunk Enterprise Security fails to improve is the pricing aspect; while the initial pricing seems fine, the licensing cost can skyrocket over time, creating trauma for organizations."
  • "The default threat intel feeds create many false positives and noise, which is counterproductive."

What is our primary use case?

My use cases for Splunk Enterprise Security involve mostly standard use case detections. Essentially, whatever log sources we ingest into the platform, we define use cases for detecting anomalous behavior, with most of our use cases tied to that. 

Additionally, we utilize threat intelligence; we always use lookup tables or MISP integrations to enrich those use cases or create reports and dashboards to monitor them periodically, depending on how noisy those alerts are. 

Other use cases include compliance-based use cases for auditing purposes, as there are compliance policy breaches we want to monitor proactively on a 24/7 basis. We do that, often within a mix of MSSP environment versus in-house.

What is most valuable?

The specific features I find the most valuable in Splunk Enterprise Security include the amazing UI and good integrations, and I can say this from a practitioner standpoint. 

It is just comfortable. Splunk Enterprise Security is easy to use for an analyst, and the whole analyst experience is great; it is pretty insane. It is honestly very addicting. 

As I told my fellow colleagues, they love using Splunk Enterprise Security. Once you go to any other platform, it is similar to going through withdrawal sometimes. You have to set up use cases, update data models, and link the right use cases to the right data models for those detections to happen. 

In terms of challenges, there are none; Splunk Enterprise Security is one of the best vendors in the security analytics space.

Splunk Enterprise Security has implemented improvements that may help reduce false positives, as it has some amazing features that go underutilized, such as the machine learning toolkit. The gap in skill set within the SOC environment is the reason for this underutilization.

Splunk has some amazing features we are not utilizing, for example, ML. I have not specifically utilized AI-driven security initiatives or machine learning within Splunk Enterprise Security; even the ML toolkit is not related to advanced AI components. It operates more like an advanced SQL query based on existing data trends without offering out-of-the-box advanced ML capabilities to provide significant value.

The dashboards for some default use cases are provided. Similarly, default dashboards and reports are provided. You can pivot off of these and drill down on your investigations. The Splunk query language is definitely very easy to understand and use on a regular basis. The learning curve is also very low. So, from a practitioner standpoint, you're not going to face so much struggle in learning the Splunk query language. In fact, for other solutions, you might need AI capabilities to translate natural language. 

Additionally, Splunk Enterprise Security claims to reduce data storage to a certain extent. I'm not sure if that's the case, however, I have heard that that was the case.

Lookup tables are very useful in Splunk. 

What needs improvement?

The effectiveness of threat detection and response in Splunk Enterprise Security depends on how the team leverages it. Splunk Enterprise Security is not something that automatically picks things; you have to set up use cases, update data models, and link the right use cases to the right data models for those detections to happen. This is SIEM-tool agnostic. If you do not have the right use cases, nothing will be detected at the end of the day.

One challenge under that note is if your company goes through some kind of digital transformation or major solutions being replaced, and all these logs are being ingested into Splunk Enterprise Security, the data models do not get updated proactively. Splunk Enterprise Security does not have a mechanism to identify that certain data models have stopped sending logs. How do we update our data models accordingly? This issue reflects back to our use case detections.

In discussing areas for improvement in Splunk Enterprise Security, I assert that their default threat intel is inadequate. When ingesting threat intel from other sources, it would be beneficial to have capabilities that enrich the information within Splunk Enterprise Security with less dependence on a threat intel platform. The default threat intel feeds create many false positives and noise, which is counterproductive.

The UEBA aspect of Splunk Enterprise Security should also see enhancement, as it lacks that functionality.

Splunk search can sometimes take a long time; it can even time out. You have to make sure your query is very specific. It would be useful if Splunk used AI to help you write queries. I'm not sure if AI is used this way just yet.

For how long have I used the solution?

My experience with Splunk Enterprise Security is from within the last 18 months.

What do I think about the stability of the solution?

Regarding stability with Splunk Enterprise Security, I do not recall facing performance issues at the moment. 

What do I think about the scalability of the solution?

The solution can scale. When your environment scales, the search operations can lag significantly.

One entity I worked with was a managed service company that managed companies of all sizes, up to 30,000 or 40,000 employees. We work with large firms. 

How are customer service and support?

The technical support of Splunk Enterprise Security is quite good, and I would rate it a four out of five (eight out of ten) easily. They are responsive and effectively resolve issues. 

The community marketplace is also useful; often, you do not need to rely on Splunk Enterprise Security support due to the wealth of online documentation available—Splunk docs are truly beneficial.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I enjoy my work with Splunk Enterprise Security, and while I can say the same for Elastic, I have found other vendors such as QRadar, Exabeam, LogRhythm, and Sumologic not to be as impressive. I prefer ElasticSearch since it allows for quicker searches, making threat hunting and proactive activities easier, whereas Splunk Enterprise Security searches can take considerable time.

AlienVault's open-source solutions seemed inadequate compared to this, and QRadar was even worse. Thankfully, they are no longer relevant.

How was the initial setup?

I was somewhat involved in the initial setup of Splunk Enterprise Security. That said, it was not complex enough for a clear comparison with larger environments. 

Deploying indexers and forwarders is straightforward, though human errors can potentially occur in the process. It is challenging for me to compare the implementation of other similar tools versus Splunk Enterprise Security, however, the clarity on implementation could be enhanced. 

Maintaining Splunk Enterprise Security on-premise is not difficult at all, especially compared to other platforms I have not maintained as extensively. Many resources are available in the market to help with Splunk Enterprise Security, so finding people skilled in it is relatively easy due to the market's maturity.

What's my experience with pricing, setup cost, and licensing?

One area Splunk Enterprise Security fails to improve is the pricing aspect; while the initial pricing seems fine, the licensing cost can skyrocket over time, creating trauma for organizations.

It's really hard to justify the pricing. The only way it makes sense is if you reduce the number of nodes being ingested over time. If you can optimize that as you scale, it can stay affordable. 

What other advice do I have?

Now that Splunk Enterprise Security has been acquired by Cisco, I am uncertain whether it will retain its current traction or be dissolved in the coming years. 

I would rate Splunk Enterprise Security as a product an easy eight out of ten.

However, it is an easy eight as of now. Post-Cisco acquisition, the future remains uncertain. Would I recommend Splunk Enterprise Security to someone else? Absolutely. Splunk Enterprise Security is amazing. Despite all the issues, it simplifies the lives of everyone who uses it, and there is not a steep learning curve. 

Compared to other tools I discussed earlier, Splunk Enterprise Security is significantly better. Personally, I would choose Elastic and Splunk Enterprise Security over any other options.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Manager cybersecurity at Hexion Inc.
Real User
Top 5
Aug 4, 2025
Effectively monitors cybersecurity risks and improves IT landscape visibility
Pros and Cons
  • "From a visibility perspective, the solution has significantly improved our organization by providing a single platform to visualize our entire IT landscape."
  • "The best features I've experienced over the past six years with Splunk Enterprise Security are the ability to create use cases and the flexibility to customize searches and use cases based on our specific requirements."
  • "Regarding room for improvement, I expect Splunk to provide information about new features on a regular basis, such as notifications about enhancements that may improve security posture."

What is our primary use case?

We use Splunk Enterprise Security for security monitoring purposes, and we have many security use cases configured to detect cybersecurity-related risks. We have 100+ use cases related to brute force attacks, ransomware, credential access attacks, et cetera.

We use it for the extra security layer since we want to be very proactive and monitor our infrastructure fully end-to-end.

How has it helped my organization?

We now have a single platform where we can visualize our entire landscape. It's improved our security posture. We can see all the logs getting ingested, and if there are any anomalies, we're able to visualize that as well. The alerts help us be very proactive. We used to miss a few things happening in our organization. Now we get alerts on time. 

What is most valuable?

The best features I've experienced over the past six years with Splunk Enterprise Security are the ability to create use cases and the flexibility to customize searches and use cases based on our specific requirements. 

It's user-friendly. You don't need to be an expert to create a use case. Even a basic understanding will allow you to do the work. There are lots of knowledge articles as well. 

From a visibility perspective, the solution has significantly improved our organization by providing a single platform to visualize our entire IT landscape. This has also enhanced our security posture by enabling us to view all logs.

We do connect with a Splunk representative on a monthly basis. They can proactively provide us with solutions. 

What needs improvement?

Regarding room for improvement, I expect Splunk to provide information about new features on a regular basis, such as notifications about enhancements that may improve security posture. I want these notifications to come to us quite regularly, as we always want to improve our security posture. 

I'm interested in the notifications and alerts aspect, particularly since Splunk Enterprise Security's Mission Control feature was very proactive when it was rolled out.

For how long have I used the solution?

I have been using Splunk Enterprise Security for the last six years.

What do I think about the stability of the solution?

I would rate the stability at eight out of ten; we never had any gap in monitoring. That said, there were instances of backend issues that did not impact our monitoring.

What do I think about the scalability of the solution?

It is a scalable solution for our business, and I would rate it nine out of ten, as we have recently scaled it to monitor operational use cases.

How are customer service and support?

I would rate the technical support as nine out of ten. They are always on top of resolving issues, providing technical account manager details for further assistance. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We had tried IBM QRadar and Azure Sentinel previously.

How was the initial setup?

If I need to set up Splunk from scratch, I don't have to do a lot of planning. It's pretty straightforward. 

It took about a month to deploy Splunk Enterprise Security, as we took many days to plan how to set up the architecture.

There is some maintenance required once it is set up.

What about the implementation team?

The IT team exclusively uses Splunk Enterprise Security for assistance. The team is always there to assist.

What's my experience with pricing, setup cost, and licensing?

I don't deal with pricing. I have a fair understanding based on the market research; from what I've witnessed, the pricing is competitive.

What other advice do I have?

I rate Splunk Enterprise Security higher due to its user-friendliness. That is something on top of my list. 

Splunk Enterprise Security is on top in terms of how users or administrators can manage it. Everything else looks pretty fine regarding the support we get from Splunk Enterprise Security. 

I would rate Splunk Enterprise Security overall as eight out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Mohan Janarthanan - PeerSpot reviewer
Associate Vice President at Novac Technology Solutions
Real User
Top 5 Leaderboard
Jun 3, 2026
Unified analytics and AI-driven risk-based alerting have transformed our security operations

What is our primary use case?

My use cases include continuous security monitoring on our log management, forensic activity, and threat detection piece and analytics of Splunk Enterprise Security. We are using Cisco and Splunk all-in-one console, where I can get the indexes, forwarders, and logs to consolidate my data center security and cloud portions. All logs will move to Splunk Enterprise Security.

What is most valuable?

They are good at the detection piece and the analytics piece. I do not want to create a customized rule. The rules which they have on the analytics piece cover part of my use cases. For example, if I want to create a manual use case in my other product, Splunk Enterprise Security, QRadar, or FortiSIEM, I have to create a manual use case. Here, I do not want to create anything. The analytics plays a major role. They have 2,000 analytics use cases where I can deploy based on my use case and environment.

The only advantage I can communicate is that I get threat detection, triaging, investigation, and response in a single platform. I do not want to go to multiple platforms. If I am using a SIEM product in one solution and a SOAR product in a different solution, I do not want to go to multiple management consoles. I want a unified console that I can use. That is the Splunk all-in-one console.

SecOps only the product does. Most of my unified governance will be taken care of by SentinelOne Enterprise Security. It has artificial intelligence, it has a SOAR, it has a SIEM. They have agentic artificial intelligence which we can integrate into the SecOps platform.

Triaging is part of the risk-based solution. Risk-based alerting will reduce the alert volumes by around 30% to 40%. They committed something, but at least I could see the risk-based alerting. From 30%, alert volumes are off now. Basically, it is reducing my manual L1 work.

Normally on traditional SIEM, they will pull all the logs and send all the 100% volumes. All alerts will go to my SIEM console and manually we have to find the alerting. We have to create a use case and offense and see that. But they have an artificial intelligence piece. The NLP-based thing will give risk-based alerting which will reduce more than 50%, but I could see only 30%. They committed something. Probably it is only a matter of time. We can also leverage their threat intel platform. That is one of the major use cases and a decision factor while we are going with that product.

What needs improvement?

I have recently adopted the product. Six months ago I did the testing. Three months ago I started implementing the product.

I have faced issues only while I was doing my UAT environment, not the production piece. While I was testing, I could see something.

I have recently implemented the product. I do not want to give a wrong commitment or wrong information. As of now, I have not come across any negative feedback or lack of services. I am not able to see anything. Because I have been using it for the last three months, if you call me after two months, I can probably explain better.

For how long have I used the solution?

I have been using the solution for three months only.

What do I think about the stability of the solution?

There has been no downtime so far, but I am using it for the last 90 days only. I have not faced any issues.

How are customer service and support?

The customer service has been excellent.

Which solution did I use previously and why did I switch?

We have not done Cloud Security Posture Management.

It is a great solution for risk-based alerting. It is reducing my 30% workload currently.

What was our ROI?

For me, time is the most important factor. If you are saving time, definitely you are saving money also.

What other advice do I have?

Splunk Enterprise Security is what I am currently using. We discussed Distributed Services only, but not other products from F5. Regarding Zscaler Internet Access, I am not using that product. Regarding Unified Vulnerability Management, I told you no and I am not using that product. I am using Splunk Enterprise Security, which is a SIEM solution. SentinelOne is another product I have integrated. I integrated firewall logs, app gateway logs, and EDR logs. Threat detection capability is a unified threat detection, which is a basic one we are having. That is part of my SOAR platform. The artificial intelligence-powered security option gives a more fine-tuned alert mechanism where I can get the threat detections. I can do alerting and triaging. My whole incident response is based on that. Definitely it is a leading product. I would say analytics is the most valuable currently. I am comparing it with my Microsoft Sentinel. The proof of concept validations and concepts do take time while you are doing them. I have tested FortiCNAP, but I am not using it. I have tested the product but did not buy it. I am using FortiGate, which is a next-generation firewall. I am also using FortiRecon, FortiManager, FortiAnalyzer, and FortiSIM, and I am using FortiGate firewall on cloud. I am using eight to nine products from Fortinet. My review rating for this product is 9 out of 10.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Jun 3, 2026
reviewer2755827 - PeerSpot reviewer
Cyber Security Specialist at a financial services firm with 201-500 employees
Real User
Top 10
Sep 11, 2025
Has supported advanced security investigations and improved incident response through enriched data and valuable tools
Pros and Cons
  • "The features I find most valuable in Splunk Enterprise Security are Incident Review, Security Essentials, Asset and Identity Management, and Machine Learning Toolkit."
  • "Splunk Enterprise Security can be improved with more AI in the commands and more help in the commands, as not all people know how to write code in SPL, and we need more help in this area."
  • "My security ops team takes 60 or 70% longer to remediate security incidents with Splunk Enterprise Security compared to our previous solution."

What is our primary use case?

My main use cases for Splunk Enterprise Security include cybersecurity threat, incident response, and security events.

What is most valuable?

The features I find most valuable in Splunk Enterprise Security are Incident Review, Security Essentials, Asset and Identity Management, and Machine Learning Toolkit. 

We are enriching data from Asset and Identity Management, and we have more data for our incident response and investigation with Splunk Enterprise Security when we need more data to investigate.

I use disparate security solutions that integrate or import data into Splunk Enterprise Security. The integration currently supports my security operations as it's now on a POC, however, it's not in production right now. 

I have expanded usage, and that process was very smooth. I assess the stability and reliability of Splunk Enterprise Security as very good.

What needs improvement?

Splunk Enterprise Security can be improved with more AI in the commands and more help in the commands, as not all people know how to write code in SPL, and we need more help in this area. 

That additional features such as AI command help and more flexibility in the search should be included in the next release to make it more simple.

The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection involve correlating data from multiple assets and networks simultaneously, as our network is very complex and we have not yet properly collected all the data from our various data centers within my environment.

For how long have I used the solution?

I have been using Splunk Enterprise Security for five years.

What do I think about the stability of the solution?

I have not experienced any downtime, crashes, or performance issues; it is very redundant.

What do I think about the scalability of the solution?

Splunk Enterprise Security scales very well with the growing needs of my organization.

How are customer service and support?

I evaluate customer service and technical support as very good.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Prior to adopting Splunk Enterprise Security, I was not using another solution to address similar needs.

How was the initial setup?

I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security very simple and straightforward.

What was our ROI?

I have yet to see an ROI.

What's my experience with pricing, setup cost, and licensing?

I'm not familiar with the pricing.

What other advice do I have?

My organization does not use risk-based alerting yet. My security ops team takes 60 or 70% longer to remediate security incidents with Splunk Enterprise Security compared to our previous solution.

The advice I would give to other organizations considering Splunk Enterprise Security is to design, design, design, and design. Expanding on what that means, you need to be very organized with what you want and what you want to achieve from the product because the deployment is very crucial; once you install it, it's very hard to change the topology and to add more tenants or search heads, which is very complex. The vendor can contact me with any questions or comments about my review. 

On a scale of one to ten, I would rate Splunk Enterprise Security overall an eight.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Mujahid Ali - PeerSpot reviewer
Soc Analyst at Softcell Technologies
Real User
Top 5
May 14, 2026
Advanced monitoring has transformed threat detection and investigation in daily security operations
Pros and Cons
  • "Splunk Enterprise Security is a fast and popular SIEM tool used in SOC environments, offering centralized log management, real-time monitoring, faster incident investigation, powerful search capabilities, AI-driven detections, and a comprehensive visualization dashboard for easy data analysis."
  • "Splunk Enterprise Security can be improved with better AI integration, improved alert tuning, faster search performance, enhanced automation, and better visualization to understand the data."

What is our primary use case?

Splunk Enterprise Security is mainly used for detecting and monitoring, log analysis, threat detection, and incident investigations. It can also be used for failed login detection, where multiple failed login attempts from the same source IP can trigger an alert called a brute force attack. Splunk Enterprise Security's use cases extend to visualizing data on dashboards, threat hunting, incident triage, and Windows event log analysis in SOC environments.

What is most valuable?

Splunk Enterprise Security is a fast and popular SIEM tool used in SOC environments. It offers centralized log management, real-time monitoring, faster incident investigation, and powerful search capabilities. Splunk Enterprise Security's AI-driven detections can automatically identify suspicious patterns, abnormal logins, and malware behavior. It also provides a comprehensive visualization dashboard, allowing users to easily analyze data in various formats including pie charts and holograms.

What needs improvement?

Splunk Enterprise Security can be improved with better AI integration, improved alert tuning, faster search performance, enhanced automation, and better visualization to understand the data. There are complexities in writing SPL queries, which can be difficult for beginners. The SPL language itself can be hard to understand, making it challenging compared to other tools. Further improvements could be made regarding the platform's cloud optimization and AI capabilities.

For how long have I used the solution?

I have used this tool for the last two years.

How was the initial setup?

During deployment, I was involved in areas such as security operation, threat monitoring, log management, and cloud monitoring. Charges for Splunk Enterprise Security depend on data ingestion volume and the number of users in the environment. Small deployments are charged in thousands of USD per year, while enterprise deployments can reach lakhs or crores in Indian rupees annually.

What's my experience with pricing, setup cost, and licensing?

The cost of Splunk Enterprise Security deployment depends on several factors such as data ingestion volume, EPS count, and the number of users. Costs can be significant, ranging from thousands of USD per year for small deployments to several lakhs or crores in Indian rupees for enterprise-level deployments.

What other advice do I have?

To start with Splunk Enterprise Security, I recommend beginning with basic log ingestion, SPL query writing, dashboard setup, and alert configuration. Practicing regularly with labs and real logs can improve SIEM and threat detection skills. For better feature understanding, one should familiarize themselves with the MITRE ATT&CK framework and the use of threat topology. I would rate this product highly based on my overall experience.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: May 14, 2026
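The failed-login rule the review above describes (several failures from one source IP raising a brute-force alert), written out as an added example that is not the reviewer's or Splunk's code: a sliding-window count of failures per source IP over constructed SSH-style log lines. The log format, the threshold of five failures in 60 seconds, and the alert-once-per-IP behaviour are assumptions.

```python
"""Sliding-window brute-force detector over constructed log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed, constructed format: "<ISO ts> sshd: Failed password for <user> from <ip>"
FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd: Failed password for "
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def detect_brute_force(lines, threshold=5, window_seconds=60):
    """Return one alert per source IP whose failed logins reach `threshold`
    inside any `window_seconds` sliding window (lines must be time-ordered)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> usernames that were tried
    alerted = set()               # alert once per ip so one attacker is one alert
    alerts = []
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if not m:
            continue              # successes and unrelated lines are not counted
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        q = recent[ip]
        q.append(ts)
        users[ip].add(m["user"])
        # Drop failures older than the window: a slow trickle never reaches the threshold.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"ip": ip, "count": len(q),
                           "users": sorted(users[ip]), "at": m["ts"]})
    return alerts


# Constructed sample: one noisy IP (5 failures in 11 s) and one IP trickling a
# failure every two minutes, which stays below the threshold at a 60 s window.
SAMPLE_LOG = [
    "2025-09-11T10:00:01 sshd: Failed password for root from 203.0.113.7",
    "2025-09-11T10:00:03 sshd: Failed password for admin from 203.0.113.7",
    "2025-09-11T10:00:05 sshd: Failed password for root from 203.0.113.7",
    "2025-09-11T10:00:09 sshd: Failed password for oracle from 203.0.113.7",
    "2025-09-11T10:00:12 sshd: Failed password for root from 203.0.113.7",
    "2025-09-11T10:00:14 sshd: Accepted password for alice from 198.51.100.9",
    "2025-09-11T10:01:00 sshd: Failed password for alice from 198.51.100.9",
    "2025-09-11T10:03:00 sshd: Failed password for alice from 198.51.100.9",
    "2025-09-11T10:05:00 sshd: Failed password for alice from 198.51.100.9",
    "2025-09-11T10:07:00 sshd: Failed password for alice from 198.51.100.9",
    "2025-09-11T10:09:00 sshd: Failed password for alice from 198.51.100.9",
]

if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

Widening the window (for example to ten minutes with a threshold of three) makes the trickling IP alert as well, which is the tuning trade-off behind the alert-fatigue complaints elsewhere on this page.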
reviewer2755854 - PeerSpot reviewer
Senior Cyber Architect at a tech vendor with 10,001+ employees
Real User
Top 10
Sep 11, 2025
Improves threat detection through integrations and provides valuable support for meeting compliance objectives
Pros and Cons
  • "I appreciate the integrations with the SOAR architectures and the expandability that can be used throughout the entire ecosystem of Splunk Enterprise Security."
  • "The system can be intimidating, and sometimes the concepts conveyed in the documentation require adjustment."

What is our primary use case?

My main use case for Splunk Enterprise Security is getting observability and insights in order to meet compliance objectives.

What is most valuable?

I appreciate the integrations with the SOAR architectures and the expandability that can be used throughout the entire ecosystem of Splunk Enterprise Security. They've improved my threat detection capabilities.

What needs improvement?

The system can be intimidating, and sometimes the concepts conveyed in the documentation require adjustment. The product is mature and continuing to mature. There could be a better opportunity to let larger groups outside of the community know about the ease of deploying the product.

I'm finding that newer generations, including my own, don't respond well to TL;DRs that often come from third parties and are often incorrect. If there were more of a quick answer, perhaps with Splunk AI, they could start implementing that on the documentation page to let people who have trust in that get a quicker answer.

For how long have I used the solution?

Professionally, I have been using Splunk Enterprise Security in the last one to two years. Personally, I've used it several times as a hobby product and competitively in cyber games.

What do I think about the stability of the solution?

The product is mature. 

How are customer service and support?

I don't directly deal with technical support.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Prior to adopting Splunk Enterprise Security, I was using another solution to address similar needs, however, I can't go into details.

How was the initial setup?

I would describe my experience with deploying Splunk Enterprise Security as one that needs some more hand-holding. Some aspects of the language and understanding can be challenging for individuals unfamiliar with Splunk. There are opportunities to improve that dissemination.

With training, I find deployment relatively easy. There's some self-service that has to be done as a user in terms of learning and understanding the product. Once you understand those workflows, it presents as a relatively easy and intuitive product to expand and grow into.

What was our ROI?

I have seen a return on investment with Splunk Enterprise Security. It's a useful system, and I would highly advocate it with any Splunk deployment.

What's my experience with pricing, setup cost, and licensing?

I'm not involved on the licensing side. 

What other advice do I have?

The features that have been demoed and debuted in Splunk Enterprise Security are of particular interest, and I'm interested to see where that journey continues. I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security relatively easy with training.

My advice to other organizations considering Splunk Enterprise Security is to try it. I would suggest getting a demo from Splunk as that's the worthwhile approach. It's better to see all the powers that this tool can bring in terms of those capacities rather than trying to figure it out on your own journey.

I would rate Splunk Enterprise Security an eight out of ten. The only reason for this rating is, from an outside-in perspective, as someone who hasn't spent time either deploying it themselves or learning more of the nuances of how clustered designs work, it can be an intimidating experience and requires a lot of hand-holding. This creates a barrier to adoption.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.
Updated: May 2026