Splunk Enterprise Security Reviews

Our use cases are for creating security analytics for our SOC team.

Splunk Enterprise Security is one of the Splunk tools we use to mature our security posture. We use it to be on top of potential threats to the organization.

The benefits include the easy integration with other Splunk tools including Splunk UEBA, Splunk ITSI, and Splunk Core. The ease of integration and the organization's experience and familiarity with searching and passing logs through Splunk are the main benefits.

Apart from the legal and compliance requirements for the bank, it's important that the bank is ahead of bad actors to be able to proactively detect and prevent threats to the organization. At the end of the day, the goal is to protect the organization, the stakeholders, shareholders, the bank's reputation, and the users and customers of the bank.

The Splunk incident response dashboard is pretty useful because it helps first responders triage incidents and properly escalate when necessary.

We find Splunk very useful on the enterprise level to detect and prevent security threats.

Splunk Enterprise Security has definitely helped improve our organization's ability to ingest and normalize data. We have many log sources and over ninety thousand staff. We have endpoints, servers, Syslog Data, and BYOT data. Splunk has been instrumental in maturing the security posture of the organization.

Splunk does a pretty good job at identifying threats in real-time. 

It provides us with the relevant context to help guide our investigations. During onboarding, once the log sources are properly onboarded based on Splunk's recommendation for SIEM compliance, we found real value in being able to aggregate different types of data and load them properly so that we can then pass on and access them very easily. 

It has improved my organization's business resilience. We've been able to mature our security program and posture over the years.

The ability to see everything from a single tool is very helpful. From the context of communication with our executives, being able to show them a unified dashboard to see the security posture has been very useful. For example, our executives can see the security posture or position of all of the branches of the bank from a single dashboard. Dashboards like that give them peace of mind to have that kind of visibility to know the state of things. Splunk is very instrumental in that. 

The incident response dashboard could be more user-friendly.

In the next release, I would like to see the integration of Splunk Enterprise Security with Splunk UEBA. That's a big one. We've spoken with the engineers working on a new UEBA integration with Splunk but right now Splunk UEBA is a separate setup entirely.

I have been using Splunk Enterprise Security for three years.

Splunk Cloud has its advantages. The company might be moving in that direction because you don't worry about infrastructure. But being on-prem part of what we worry about is the underlying infrastructure of Splunk, which is directly relevant to the stability. The resources used for search and load are tied to the infrastructure behind it. It's been stable. 

We've been able to scale rapidly to meet our needs. Splunk Cloud could be advantageous because it's a platform and it will cut out the worry and the need to manage infrastructure on your own. 

I work more with Splunk UBA. My experience with my rep has been good. 

I would rate support an eight out of ten only because everything has room for improvement.

Positive

It's an on-prem deployment. I have more experience setting Splunk up in a Linux environment. It's been a good experience.

I would rate Splunk Enterprise Security a seven out of ten because there's room for improvement. Splunk always positions itself as a market leader. This would involve understanding your competition, seeing their products, and seeing how you can improve to meet their customers' needs. 

From my experience, Splunk has done a good job at that because we have customer success reps who are concerned about how Splunk is meeting our needs. Splunk can definitely do better which is why I'm giving it a seven. 

Our security relies on Splunk Enterprise Security to analyze data models for malware, threats, and MITRE ATT&CK techniques. Pre-built dashboards and multiple correlation searches help us identify anomalies. Any suspicious events flagged by the MITRE framework are categorized and assigned as tickets to our engineers for investigation and mitigation.

Splunk has streamlined our incident response by automating key processes. For instance, alerts trigger upon exceeding three failed login attempts, automatically assigning tickets for review. Similarly, unauthorized access attempts from unfamiliar regions are automatically blocked. These automated data-driven responses significantly improve our overall incident response efficiency.

The customizable dashboards offer great visualization and extra add-ons.

Splunk Enterprise Security helps us to easily monitor multiple cloud environments.

Mission Control lets us monitor and manage our security from a single panel.

Based on my short experience, I would rate Splunk Enterprise Security eight out of ten for its ability to analyze malicious activity.

Splunk Enterprise Security helps reduce our alert volume.

Splunk Enterprise Security streamlines our security investigations by providing a central platform and offering a growing library of add-ons that expand our investigative capabilities.

Splunk Enterprise Security stands out for its ability to integrate with existing security tools, provide informative dashboards, and offer IT Service Assurance functionality that goes beyond basic threat detection to include service performance monitoring.

Splunk Enterprise Security offers a vast amount of information to learn and comprehend, resulting in a challenging initial learning curve.

Extracting logs from Splunk for analysis in other applications is crucial for me. This would allow me to identify correlations between data sets and make informed decisions about next steps. Unfortunately, the current Splunk workflow seems to hinder data verification.

The licensing cost could be more competitive, as some of our competitors offer lower prices.

I have been using Splunk Enterprise Security for one year.

We have encountered issues when updating features where Splunk Enterprise Security doesn't work properly. I would rate the stability of Splunk Enterprise Security seven out of ten.

The technical support team is always supportive but their response time and knowledge can be improved.

Positive

The initial deployment was straightforward.

The license for Splunk Enterprise Security is expensive.

I would rate Splunk Enterprise Security eight out of ten.

We have Splunk Enterprise Security deployed across multiple locations.

The resilience Splunk offers is good.

I recommend Splunk Enterprise Security to others.

We use Splunk Enterprise Security for security correlation and event management.

Splunk Enterprise Security is deployed as a hybrid model where the core component is on the cloud and is integrated with an on-premises solution.

Splunk Enterprise Security offers strong visibility through readily available use cases and supports integrations with most standard log sources. Its search capabilities are also commendable. Compared to other tools, Splunk Enterprise Security delivers superior visibility.

While we haven't integrated UEBA yet, it's in our plans. As a proactive monitoring solution, UEBA offers several benefits. It can identify Indicators of Compromise based on historical threat intelligence and generate alerts for suspicious activities. This allows us to potentially detect compromised accounts or ongoing attacks before they cause significant damage.

Splunk offers its threat intelligence service, which helps prevent IP replication and malicious threats. This information can be integrated or configured for our specific use cases, delivering more relevant and high-value insights.

Threat topology and MITRE ATT&CK are frameworks used to understand and analyze attack patterns and techniques, which can then be used to formulate and refine IOCs.

Splunk Enterprise Security's effectiveness in analyzing malicious activities or detecting breaches depends heavily on its configuration and correlation settings. Therefore, it's impossible to definitively label any tool as inherently good or bad. Ultimately, its success hinges on the organization's implementation. This includes onboarding the tool with the appropriate block sources for security detection, employing a sound risk assessment methodology, and aligning the tool's capabilities with both business and security use cases. When configured correctly, Splunk Enterprise Security can undoubtedly contribute to improvements in MTTD and MTDL.

Splunk Enterprise Security helps us detect threats faster. It allows us to define use cases, integrate with multiple threat feeds, and even connect to vulnerability solutions. In essence, by configuring all relevant log sources and defining appropriate use cases, we can achieve the primary objective of any SIEM solution: reducing mean time to protection.

Splunk Enterprise Security has reduced our investigative time by 25 percent by consolidating all logs into a central console. This eliminates the need to log into individual tools for log retrieval.

Splunk Enterprise Security helps reduce the number of false positive alerts.

In terms of monitoring capabilities, Splunk Enterprise Security performs adequately. However, its user interface requires training for efficient use. Compared to competitors like IBM QRadar, McAfee Nitro, and RSA Security Analytics, Splunk has a steeper learning curve, making it feel less user-friendly.

I have been using Splunk Enterprise Security for almost four months.

We use a licensed third-party Splunk partner for support, and I haven't heard of any issues so far.

Compared to IBM QRadar, Splunk Enterprise Security offers faster alert resolution. Its superior indexing and searching capabilities deliver quicker query results. While QRadar boasts a more user-friendly interface, Splunk provides numerous pre-built use cases that effectively reduce false positives and feature comprehensive application dashboards.

For instance, I encountered a use case unavailable in QRadar which appears to utilize the Cyber Kill Chain framework. MITRE ATT&CK enjoys wider adoption, and Splunk leverages this framework whereas QRadar persists with the Cyber Kill Chain. Additionally, Splunk integrates with a third-party app exchange, offering functionalities like vulnerability dashboards, threat intelligence, correlation dashboards, and EPS dashboards. This extensive library of applications caters to diverse business use cases. Users can install these applications as needed, making Splunk a highly customizable and feature-rich solution. Although undeniably expensive, its capabilities justify the cost.

While Splunk is a powerful enterprise tool, I'm new to it myself. I've heard Splunk is often preferred over other options, but the cost can be prohibitive for smaller organizations.

There are cheaper SIEMs available, but they require much more manual configuration, typically by developers with scripting knowledge. Splunk does not require this manual configuration, and its parsing, indexing, and visibility are superior.

Based on the limited time I have been using the solution and the feedback I have received from other users, I would rate Splunk Enterprise Security a six out of ten.

Without a SIEM solution, we rely on individual point solution consoles. For example, logging into a firewall reveals only local logs. Imagine the firewall detects suspicious IPs generating unusual traffic. Confirming this as a true or false positive is difficult solely based on firewall rules. Conversely, a SIEM offers multiple options for correlation. Say the firewall denies traffic, and threat intelligence identifies the source IP as malicious. Additionally, web server logs might show suspicious activity or bad actors attempting an attack. With multiple logs and threat indicators, the chance of false positives drops significantly. Correlation enables confirmation of genuine traffic versus malicious activity. Without a SIEM, pinpointing true attacks from false positives becomes challenging.

We use the product mostly just to pull out the reports, medical investigations, et cetera. As a security analyst, we can look at and pull data. You can make a central hub for a lot of different sources, including servers and endpoints. It makes it easy to check logs for every device connected.

If you are a data analyst, security analyst, or anyone who basically requires a set of data in your database job, and you have to have normalized data represented or, just to check for any patterns, this is quite helpful. With Splunk, you can pull in the data, you can transform it, and represent the data via graphs or pull the data and export it into Excel and perform further investigations. The use cases are quite deep. 

With this product, you can go for an in-depth search or just perform a surface-level search. There are different modes in which you can perform searches, and that basically defines the speed of how fast you can get the data. If you are going for a more detailed version offered, it'll take a bit of time. However, they'll give you more and more data. There's also a fast mode in it. 

The data which you can pull, you can basically visualize it, you can normalize the data, evaluate it, and convert the data into tables. It's much easier to pull the data, organize it, and normalize it as you are performing the searches. That's quite helpful.

I prefer working with cloud infrastructure like this as you can increase the storage capacity or the license at any time and search for a number of different endpoints. If you want to ingest more and more data, having something like Splunk available on the cloud is preferable. 

I take advantage of the incident response part of the solution. If anything happens at the endpoint, if anything happens at the user system, servers, or something like that, my role is to look into the logs, go through other investigations, perform a time scan, and create a timeline of all the events. This helps do that job.

I'm also aware they have a Mission Control. I have actually attended a few surveys on that, however, I haven't really implemented it due to the fact that we are in the middle of a few of the projects, and things are at higher priority as of now. So we haven't really focused on that.

Using Splunk, we can check out what server versions we have. If we just cross-check with the database, we can see if we have any availability and then we can pull in the files. If you have a database, you can perform a query to check for any particular problems in the entire environment. For the threat notifications, it's quite helpful.

Indirectly, it's helped us reduce our alert volume. If you have a list of files, you can run it through the environment and, based on that, create rules and exceptions. This indirectly helps reduce alert amounts. You can go through false positives and sort them out as well and create a rule against them. 

It's helped speed up security investigations. Being a central hub of logs, we can jump into a different log or source and jump into any investigation. You don't have to jump from one tool to another. This automatically reduces the investigation time. 

There are lots of free learning materials on their website. 

Overall, things are quite easy. It's a simple solution. 

I haven't explored beyond the security aspect as a data analyst. I haven't noticed any shortcomings so far. 

I've been using the solution for more than a year now. 

There are different modules, and I haven't activated all yet, however, the stability is okay. I would rate it seven out of ten. If we run into issues, there are materials they provide and online support. You can even call them. 

The solution is deployed to one location. It's deployed across the entire environment. 

The level of scalability depends on the license you have. You can expand or reduce it based on the environment. It does cost more money to scale, however.

I would rate scalability seven out of ten. 

Support is quite responsive. They also offer 24/7 support services. 

Positive

I previously used Palo Alto XDR. 

I also used an email solution whose name I can't recall. You could check emails flowing into or out of your environment.

I wasn't involved in the deployment; the solution was set up when I arrived. 

That said, I did go through some setup videos, and the process does not look difficult. They provide the steps for every aspect. There's also always support you can reach out to if you have questions. 

There may be some maintenance required in terms of upgrading. When you upgrade the version, you may need to upgrade your sensors on the endpoints. However, Splunk is quite compatible with other devices, so it's not difficult. In our company, the administrators handle maintenance. 

I haven't witnessed an ROI in terms of how I'm using the tool. 

It's mostly for EDR. You can cover servers as well; however, that requires additional licenses. Pricing is based on usage. As an EDR specialist, I interact with the tools and perform investigations. I don't deal with licensing directly.

This is quite new to me. I've only recently started working with Splunk. I used to work in EDR. It took me two to three months to understand the internal architecture of the organization, and based on that, I can use Splunk for all kinds of searches. So, how long it takes to realize the benefits of Splunk depends on the person and the complexity of the environment. 

I did not evaluate other options. I adopted this tool when I joined my current organization. 

We're a Splunk customer. 

To those considering just going with the cheapest solution, it depends on your level of comfort with support. If you have a cheaper tool, the support would be addressed. With Splunk, that's the difference - their support response. If you have a tool with a good license, you will be able to get immediate help if there's any vulnerability.

I'd rate the solution eight out of ten. 

I'd advise others to take time to learn the solution and develop skills. It's all about DSL queries. If you are off on queries, it won't give you any results. You need to be accurate with your SQL commands.

We use the solution for tracking successful and unsuccessful logins. We track privileged account activities and also a variety of other things, like developing use cases for data exfiltration or integration with ETRs and other security tools for data analysis. 

We wanted to solve the issue of unauthorized access, brute force attacks, and exfiltration. It's helped with MITRE ATT&CK frameworks. 

The organization has been able to quickly triage issues and investigate if something is a true threat or not. Most times, it helps our security posture. The level of confidence we have is high. With Splunk, you can query accounts when you see some strange activity. 

It gives me notifications of notable events. 

The default dashboard is very good. We can see our security posture from there.

On-prem and cloud data analysis are good. You can aggregate it if you need to in order to get good data.

Splunk has proven to be great when tracking down anomalous behavior. The logs are excellent. It is the platform in the industry.  You can integrate anything. The amount of information and usability you get out of Splunk is very good.

We do use the Threat Intelligence Manager. It can be integrated with third parties. The actionable intelligence we get is useful. There is sequencing where you can gauge some actionable steps. 

I use the MITRE ATT&CK framework when I am developing a new use case. It helps us discover the overall scope of an incident. Using Splunk is essential in developing that. 

It's good for analyzing malicious activities and detecting breaches. I'd rate it highly in its capabilities. However, if you don't have the knowledge, it may be difficult. You might get a lot of false positives.

It's helped us detect threats very fast, in almost real time. 

We have reduced our alert volume. I'm not sure of the exact number, however, instead of having 100 to 200 false positives, we might get 20 to 30. 

It has helped us speed up our security investigation, although I don't handle it directly. I simply do triage, and it definitely helps there. 

There are a lot of false positives which can cause a lot of fatigue. 

Sometimes, there is latency in the logs. 

When you deploy Splunk, you need a high level of knowledge. You really need to know what you are doing. It requires a lot of things.

They need to come up with straight steps to get things done, to have a step-by-step process to achieve this or that. 

I've been using the solution since 2020.

The stability is okay.

Splunk would tell you, especially on the different licenses they have, your storage, and your level of ingesting, it can vary. 

Splunk needs to be more clear between storage and performance. 

We worked with a client where almost immediately their storage was already in red. They didn't understand their storage needs as that wasn't clear. 

The solution cuts across countries. I'm not sure how many end-users we have.

The scalability is okay. It scales well even though you have to consider your licensing and storage.

Technical support is good. 

Positive

I have used ELK previously. 

I have been involved in the deployment of Splunk in the past.

The initial setup is not so straightforward for those new to it. I'm accredited and have four years of implementation. You really need that level of knowledge. It's straightforward to make a feed, make it compliant, and do field mapping, however, there are many things you need to do before deployment. 

We had six to eight people deploying Splunk. They were all mostly Splunk professionals, who understood the product and devised a plan and timeline for implementation. We integrated the relevant stakeholders into the process. We were connecting to the Splunk Cloud. 

There is a little bit of maintenance required to maintain the infrastructure. 

We used all in-house resources to implement Splunk.

I have witnessed an ROI while using Splunk. There were some incidents previously in which the company lost millions of dollars. Bringing in Splunk has curbed that. 

The pricing is on the high side. It's not a solution for SMEs.

I'm not sure if any other options were evaluated by the company. 

Currently, we are just Splunk customers. 

We do not monitor various clouds; we only monitor one. However, they have a good solution in that we don't need to worry about maintenance if we do. 

We've never used the Mission Control feature.

If someone is looking for the cheapest SIEM solution, there are a lot of open-source options out there. However, Splunk definitely is an option. If a company is bigger, it would benefit from Splunk. They will be paying some money for it, however, it's worth it.

Resilience is important. To some extent, Splunk addresses this as we haven't had any issues. It's important to have resiliency. If your solution is not resilient, you risk security issues. 

I'd rate the solution eight out of ten. 

I would advise others to spell out what you really need and make it measurable so that you will understand if Splunk is right for you. If you are going to use Splunk, it's important to do your due diligence. 

Our SOC uses the solution to monitor our corporate and franchise environments.

Risk-based alerting is the most valuable feature. It really allows me to drive down the alert count and the alert fatigue for my analysts to make the alerts they see more valuable and actionable. The way that alerts are handled is better in Splunk. SPL is easier in Splunk. The UI of Splunk makes it easier for our analysts to move around and see what they need to see.

There are a lot of areas that are currently being improved that I want to be improved. Features related to content management must be improved. The product is adding more drill-downs.

When the tool was originally set up, things were not configured properly due to the rapid deadlines for installing everything. Now, we have to go back and recover a lot of things that aren't properly configured.

I have been using the solution for approximately four years.

I haven't seen any issues with stability. Most of the stability issues I've seen have actually been on the on-prem hardware.

We have no issues at all with scalability. The tool has high scalability and usability. The size of our environment is relatively large since it is an enterprise solution. We have around 5000 users and a franchise base.

I have never had an issue with Splunk’s support team. Every time I ask a question, I usually receive really quick responses. We are in the middle of a migration, and the engineers helping us migrate to Splunk Cloud have been fantastic every step of the way. They provide really rapid and complete answers when we ask questions.

Positive

I use LogRhythm a lot. I worked for an MSSP, so I have seen several products. So far, Splunk has been my favorite.

We have definitely seen an ROI on the solution. Any security tool has a fantastic ROI. A lot of companies don't like to budget for security until there's an incident or something goes terribly, terribly wrong. Just having that SIEM and having eyes on potential security issues is an ROI.

We are behind a few versions. So I hope that as we upgrade, I get more ideas for what I'd like to improve. We're still in the process of moving to the cloud.

The product has improved our organization's business resilience. The right tools are available to our analysts within the product, and we use them daily. It has drastically driven down our time to remediate, which is huge for us. It's huge for any company. We don't want four hours to find out that something has gone terribly, terribly wrong. Finding such issues before they turn into full-blown security incidents has been our biggest impact.

Splunk Enterprise Security empowers our staff. It is so user-friendly. It allows our analysts at every level to learn the tool and learn more about security through the tool. I progressed from level one. Now, I'm a content developer for enterprise security. The usability of Splunk is the best on the market. The solution has helped reduce our mean time to resolve.

As we add new features and applications into Splunk, time to value is pretty quick on most things. As long as we have someone that's willing to go through the effort to configure, the time to value is rapid. Adding applications to Splunk is a seamless experience. The UI of Splunk makes life so much easier. Some of my experience is based on technical debt in the organizations I worked with. I would probably rate the tool a ten if we didn't have so much technical debt.

By attending Splunk conferences, I get to learn about all the new tools and how to implement them. I use it for RBA and Machine Learning Toolkit. I develop content for our company. I am here to learn how to implement RBA and Machine Learning Toolkit better to reduce alert fatigue for my analysts.

Overall, I rate the product an eight out of ten.

I am the branch chief. I use Splunk Enterprise Security depending on how swamped the team is. I use it for anything from basic searches to DDoS attacks, which is a big thing right now. So, DDoS attacks and phishing emails are a lot of what I am using it for.

We had FireEye before and then we went to CrowdStrike. Splunk has definitely helped to have everything into the tool. It is a lot easier to complete the tickets. It saves, on average, a couple of hours a day. We just go to Splunk and then provide data and work with different people on the tickets, so it saves hours each day. We have been able to allocate these hours to other projects or things that are more of a priority. We are able to do different projects that were on the back burner. We can put those hours towards other things.

Splunk has improved our organization’s business resilience. We are able to give leadership updates through dashboards versus the actual metadata. It is easier for them to understand and provide leadership.

Splunk’s ability to predict, identify, and solve problems in real-time is very good. It is proven. Every couple of weeks, it catches some of the things that our SOC team did not catch and provides alerts, so its real-time capabilities are very good.

Our team has overall benefited from Splunk. We had FireEye before, which was not that good. We are able to benefit from Splunk not only in terms of instant response. We also have other teams doing vulnerability management using the Prisma systems. It is important that Splunk provides end-to-end visibility into our native environment. We use it for Prisma and instant response. Without Splunk, we would not be able to do some of the things that we need to do unless we went to individual tools, and we do not have the resources for that.

Exporting is a good feature. It helps me out when I have to do reports. I do a lot of exporting and crunching of the numbers. Dashboards are okay for showing to the leadership, but for doing statistics and updating tickets, the export feature is very beneficial for me.

They offer training. That is a big part of it. If you do not understand the tool, they are able to provide everything that you need, which helps the business. When you have learned a tool, you are able to speed up the process meantime, so you are not wasting a lot of man-hours trying to figure things out. 

I do not have any areas that can be improved. It works as intended for us, and we are getting everything that we need out of it. If anything, its initial setup can be improved a bit. 

In terms of additional features, I am still learning SOAR and everything else, so I do not have any feature requirements at this time, but as we do these SOAR operations, there might be some additional features that we will need.

I have been using Splunk Enterprise Security since 2016.

It is very good as long as you have the scope of how many servers, processors, and other things you need. There was a learning curve of making sure our servers were beefy enough to handle the data. We had four terabytes of data coming in every day. We were maxing out our systems a little bit, so we beefed that up, and we have had no issues since. 

Its scalability is easy. On-prem was very easy, and on the cloud, you have to learn and adapt a little bit, but scalability is perfect. 

I only reached out to our Splunk contacts, but my team reached out to Splunk's support team. I have not had any issues where they told me that they did not get the support they needed. They might take time to figure out what the issue is, but overall, I would rate their support a ten out of ten. 

Positive

We used FireEye, which was our primary one, and then we had CrowdStrike. Splunk has definitely been wonderful for us. The biggest reason for switching was integration. It is very easy to get all the tools fed into Splunk. They also had a cloud version, which was another reason. We are doing a hybrid setup, so cost savings was also a big factor.

I was involved in its deployment. I am the system owner of it. I am in charge of it, so I oversaw the project deployment. There is a learning curve with the hybrid setup with the cloud and on-prem, but overall, I am pretty satisfied with it.

We have an on-prem and a cloud environment depending on the platforms we are using in the system, so we have both environments. The challenging part was getting everything set up and fed into Splunk, but once it is set up, there is no difference in using it on-prem or on the cloud. We do not notice any real difference in it. 

The initial setup could be improved a little bit. It depends on your local team, firewalls, and other things like that, so there was a learning curve for the teams to learn how to set it up. That part could be improved, but once you go through it, it is not an issue. 

We had the Splunk team, and they did wherever they needed to get everything deployed. Our experience with them was good. We have worked with Splunk for years now. Their support has been very beneficial. If I have a question, they jump right on and let me know. They walk me through it and give me updates, so I am pretty happy with Splunk.

We have seen an ROI in terms of the mean time to resolution and man-hours. We are able to allocate those hours to other things. We have not got there yet in terms of the upfront costs, but we will get there over time.

When it comes to the time to value, we are getting there. We have not got there yet, but over time, we will get to the time to value.

Its price is fair. Like with anything else, if you go into the cloud, different providers cost more, and you are able to throttle back or throttle up. The cost is comparable with anything else.

We evaluated other options. We had to evaluate the pros and cons in terms of the cost and the capabilities of each tool. A lot of that went into the proof of concept. We did our due diligence and determined that Splunk was the best fit for us.

I would rate Splunk Enterprise Security a ten out of ten. It gives us everything we need, and its capabilities keep on improving, so it is getting better. 

We use Splunk Enterprise Security for various security use cases, including writing correlation searches. This has significantly improved both our use cases and correlation searches. We can leverage existing resources, making modifications as needed, rather than starting from scratch each time. Splunk Enterprise Security provides diverse use cases across different environments, including AWS, Azure, and multi-cloud setups, while also integrating with Microsoft Sentinel. Additionally, we can integrate Splunk's service orchestration product for further automation. Overall, this allows us to automate tasks that security analysts previously performed manually, such as reviewing incident dashboards. We can fine-tune alerts based on analyst feedback. Splunk's research team ensures that use cases are updated with the latest security content, enabling us to understand and implement necessary steps while customizing them to fit our company's needs. This is what makes Splunk Enterprise Security so popular; it streamlines processes compared to legacy security products that often rely on manual scripts. Clients, including government agencies and banks, are transitioning to Splunk Enterprise Security due to its reduced training requirements and comprehensive features. Everything is consolidated, simplifying training and certification. Additionally, integrating Splunk's service orchestration product further automates tasks and improves response times. The substantial investment in Splunk indicates its staying power; no other product on the market currently offers comparable capabilities. Cisco's acquisition of Splunk reinforces its potential for success, combining APM, data logging, and security portfolios. In one financial project involving 600,000 users, we were able to monitor all incoming traffic, identify security activities, and distinguish between legitimate and malicious traffic, including phishing attacks and potential identity-based threats. Splunk enables tracking individual identities, crucial for detecting attacks where perpetrators hide behind compromised identities, often leading to data breaches and other security incidents.

We implemented Splunk Enterprise Security to assist with AWS security, which includes GuardDuty, CloudTrail, CloudWatch, and Inspector. These AWS components generate compliance and security alerts, which we correlate and use to create dashboard reports and identify security events for various use cases. We then enable the out-of-the-box use cases and send notable events to the dashboard. The implementation is currently in its early stages.

Splunk Enterprise Security operates based on incoming data, making monitoring multiple cloud environments relatively simple due to data availability and integration capabilities. Data from cCloudRail, CloudWatch, Azure, and other diverse environments can be incorporated. While occasional patching might be necessary, most integrations are readily available, offering extensive coverage without customization. Specific customizations might still be required, but most functionalities are pre-built, leveraging code developed by Splunk. This efficient approach involves analyzing data from vendors like Palo Alto and applying add-ons to apply code and automate parsing.

Our visibility into various environments depends on how much data we incorporate; therefore, the more we scan, the better our visibility.

Splunk Enterprise Security's insider threat detection capabilities act as a secondary approval and vetting process, helping our organization ensure there are no unauthorized users.

The MITRE ATT&CK framework allows us to identify criticality levels, helping us respond to incidents. We might integrate incident response with a REST API, where a notable event triggers the creation of a ServiceNow ticket. Information flows from ServiceNow back to Splunk, which then feeds other systems, enabling bidirectional incident management. These processes are largely out-of-the-box, as Splunk integrates well with ServiceNow, except for any customizations. We understand the data integration requirements and leverage Splunk's extensive integration capabilities.

Splunk Enterprise Security does a good job of analyzing malicious activities and detecting breaches. The amount of information the research and threat detection teams receive from Splunk enables faster threat detection of up to 60 percent, eliminating the need to consult numerous sources. This efficiency is a key benefit of Splunk, as its significant investment in security allows for expedited processes.

I have seen the older legacy product where they have this manual process to identify issues, run scripts, try to identify the output, and then go through ten systems to collect data. This could take days. Now, with Splunk, we have everything correlated with multiple use cases, and we have a correlation search between multiple systems, along with application data. Splunk Enterprise Security can stitch all this information together and show it in a single pane of glass, which makes decision-making faster and allows us to focus on the relevant issues instead of wasting time on non-relevant ones. They have done this well.

Splunk Enterprise Security significantly reduced our alert volume. The initial challenge was dealing with a legacy IBM system that generated a massive amount of unfiltered noise, making it difficult to identify relevant events to send to the incident dashboard. This process was time-consuming and inefficient, and the value of the system wasn't apparent. To address this, we fine-tuned both the SOAR system and Splunk by applying filters and conditions to focus on relevant data. Ultimately, Splunk reduced the alert noise from 1,000 events in two hours down to ten, which were then grouped into a single notable event. Despite potentially having hundreds of background events, Splunk condensed this information into a single, actionable item, allowing us to focus on investigating the most relevant issues.

Splunk Enterprise Security accelerates our security investigations by reducing noise, allowing us to focus on relevant use cases. Everything is categorized as high, medium, or low priority, and people immediately start investigating high-priority issues connected to PagerDuty. Sometimes, this leads to on-call situations, sometimes immediate action. Service orchestration and playbook scenarios enable automated responses, like instantly blocking unauthorized access to a system. The possibilities for security use cases with playbooks and service orchestration are vast, and I'm excited to explore them further in the coming days.

The dashboards and reporting capabilities help to aid our security analysis.

We have integrated Splunk Enterprise Security with various services to streamline our security operations. This integration allows us to leverage diverse data sources for creating lookups, data models, knowledge objects, and regular expressions. By automating the development of use cases and regular expressions, we can apply them to data more efficiently, enabling faster implementation and analysis. This approach enhances our ability to detect and respond to security threats effectively.

Splunk Enterprise Security has enhanced our organization's security posture by providing comprehensive security compliance dashboard reports.

I appreciate how Splunk Enterprise Security connects users to the research team and threat documentation, providing access to current events impacting other clients, security vulnerabilities, and relevant use cases. The platform's daily updates offer valuable insights for enhancing our security posture.

Splunk Enterprise Security allows us to create custom dashboards by changing fonts and modifying widgets. Those familiar with XML coding can further personalize dashboards to align with frameworks such as MITRE. Alternatively, we have the option to use the pre-built dashboards.

I've noticed that onboarding data from various multi-cloud sources and diverse products, such as security network devices, can be challenging. Although Splunk has simplified data onboarding with features like data managers, they need to improve their out-of-the-box parsing capabilities. While they've made significant progress, covering about 70 percent of common products, there's still a 30 percent gap where manual configuration is required. This forces us to spend time understanding and writing custom parsing rules instead of focusing on data analysis. With Splunk's recent acquisition by Cisco, I'm hopeful they will prioritize enhancing this functionality and increasing their coverage to 90 percent or more.

I want to see Splunk Enterprise Security dashboards incorporate more features, such as out-of-the-box AI and user behaviour analytics, which are accessible within a single dashboard.

The technical support response time has room for improvement.

I have been using Splunk Enterprise Security for three years.

Splunk Enterprise Security has stability issues, especially with large data volumes, increased data intake, complex dashboards, custom models, and processing that significantly impact performance. Many customers experience this; even with demos using small datasets, performance degrades with millions of data points. This necessitates capacity planning, dedicated teams, and enforced best practices. These practices include restricting complex searches, blocking problematic users, and providing training to prevent performance degradation. Constant vigilance and proactive measures are crucial to maintaining a stable Splunk Enterprise Security environment. I would rate the stability of Splunk Enterprise Security five out of ten.

I would rate Splunk Enterprise Security's scalability six out of ten. We need to add more shared CPU memory and increase the capacity, and scaling requires a lot of planning and effort.

Splunk's support quality has declined in the past five years. Response times are now slower, and resolving an issue can take weeks. Submitting a ticket and connecting with the appropriate support agent often requires numerous emails and calls.

Neutral

To improve security coverage and user experience, we replaced our outdated legacy solution with Splunk Enterprise Security.

Our Splunk Enterprise Security cloud deployment utilizes a DevOps approach with a fully automated CI/CD pipeline. This automation has significantly improved our deployment speed, reducing the process from a week to a few minutes. Changes are made in the development environment and then automatically pushed to production after a click-through approval process. This streamlined workflow eliminates the previous manual process and associated delays, resulting in a faster and more efficient deployment cycle.

Splunk Enterprise Security's pricing is based on data volume, which generally suits large enterprises.

I would rate Splunk Enterprise Security eight out of ten.

Splunk is widely used across larger organizations. While large organizations often have extensive teams dedicated to Splunk projects and upgrades, smaller organizations can also use Splunk, taking advantage of more affordable pricing options like the free tier for limited data. Cost isn't a significant concern for larger organizations, who prioritize Splunk's security features and are willing to invest in its capabilities.

Splunk Enterprise Security is deployed across all departments, processing millions of data points. Over 500 people manage this data: building dashboards and reports, working with Enterprise Security, discussing use cases, and creating custom data models. This represents a massive effort for any large organization where every department utilizes Splunk.

Government departments are transitioning to Splunk, with daily onboarding increasing the current user base of 5,000.

Because the deployment is cloud-based, the Splunk DevOps team handles maintenance.

Splunk offers a resilient SIEM solution with comprehensive capabilities for research and a wide range of use cases. It is constantly updated, ensuring it remains a valuable and comprehensive SIEM package.

I recommend Splunk Enterprise Security. It is an excellent tool widely used by many organizations, making it a valuable choice for security information and event management.