Splunk Enterprise Security Reviews

The typical use case for Splunk Enterprise Security is to meet regulations and requirements for critical infrastructure. It is used to audit changes and authentication logs. The second purpose is for security operation center management and security management.

The most valuable features of Splunk Enterprise Security are the main component, which is the correlation engine that can specify detailed conditions such as how many events there need to be, what notification I will get, and if I get it per event or one per batch. 

There is also throttling; in basic Splunk, there is no throttling at all. In Splunk Enterprise Security, there is an additional layer of control of these alerts. I appreciate the correlations and the alerts in that product.

The asset management is particularly useful. We can enable asset lookups to show in every event. We define one, and it will translate to all events, allowing asset management to be easy. 

Splunk Enterprise Security helps to reduce alert volume because the language is similar to SQL with Google-style functionality above it. We can use these terms to specify what is in the allow list. We can specify what's in lookups, what should be there, and what's not. It definitely helps to reduce the numbers of full score.

Splunk Enterprise Security helps to speed up security investigations. When the finding is created, there are many correlations. You can quickly see what asset it is, what identity is involved, and you see the historical progress of what happened. Right from the findings, you can call VirusTotal and other resources, which is definitely helping.

I assess Splunk Enterprise Security's insider threat detection capabilities for helping to find unknown threats and anomalous user behavior as great. It regularly checks new events through the correlation search and compares them with threat intelligence. The threat intelligence is refreshed regularly, downloading new threat information. Splunk has a special research team for security content and intelligence, which distributes its own threat list to Splunk Enterprise Security.

It's great for finding anonymous threats. It checks new events and also works with the latest threat intelligence. At least once a day, it develops new threat information. In Splunk, there is a special research team. They are also distributing their own threat lists. The solution is capable of very good threat detection.

In basic SPL, with the Splunk query language, we can detect brute force without threats. It scans every event, and if it finds patterns, IOCs, it can trigger notable events, which are now called findings. The new version includes an internal Git repository, so when the SOC team makes improvements to the correlation search and makes changes, it automatically keeps a history of that correlation search, what was changed, when, by whom, and you can revert if it breaks.

The value that Splunk Enterprise Security offers in resilience is vital. It helps customers distributing gas across the Slovak Republic, ensuring that critical infrastructure, such as operational pipelines, are running. If there were an outage that delayed recovery, the economic impact could be significant. 

It's good for analyzing malicious activities and detecting breaches. The interface sometimes can be very essential.  

Splunk has helped us reduce alert volume. We can use terms to specify what is whitelisted and we can search like we would on Google. 

We've been able to speed up security investigations. We a finding is created, there are many correlations. You can quickly see the asset, the identity involved, the history, et cetera. 

My use cases for Splunk Enterprise Security involve mostly standard use case detections. Essentially, whatever log sources we ingest into the platform, we define use cases for detecting anomalous behavior, with most of our use cases tied to that. 

Additionally, we utilize threat intelligence; we always use lookup tables or MISP integrations to enrich those use cases or create reports and dashboards to monitor them periodically, depending on how noisy those alerts are. 

Other use cases include compliance-based use cases for auditing purposes, as there are compliance policy breaches we want to monitor proactively on a 24/7 basis. We do that, often within a mix of MSSP environment versus in-house.

The specific features I find the most valuable in Splunk Enterprise Security include the amazing UI and good integrations, and I can say this from a practitioner standpoint. 

It is just comfortable. Splunk Enterprise Security is easy to use for an analyst, and the whole analyst experience is great; it is pretty insane. It is honestly very addicting. 

As I told my fellow colleagues, they love using Splunk Enterprise Security. Once you go to any other platform, it is similar to going through withdrawal sometimes. You have to set up use cases, update data models, and link the right use cases to the right data models for those detections to happen. 

In terms of challenges, there are none; Splunk Enterprise Security is one of the best vendors in the security analytics space.

Splunk Enterprise Security has implemented improvements that may help reduce false positives, as it has some amazing features that go underutilized, such as the machine learning toolkit. The gap in skill set within the SOC environment is the reason for this underutilization.

Splunk has some amazing features we are not utilizing. For example, ML. I have not specifically utilized AI-driven security initiatives or machine learning within Splunk Enterprise Security; even the ML toolkit is not related to advanced AI components. It operates more an advanced SQL query based on existing data trends without offering out-of-the-box advanced ML capabilities to provide significant value.

The dashboards for some default use cases are provided. Similarly, default dashboards and reports are provided. You can pivot off of these and drill down on your investigations. The Splunk query language is definitely very easy to understand and use on a regular basis. The learning curve is also very low. So, from a practitioner standpoint, you're not going to face so much struggle in learning the Splunk query language. In fact, for other solutions, you might need AI capabilities to translate natural language. 

Additionally, Splunk Enterprise Security claims to reduce data storage to a certain extent. I'm not sure if that's the case, however, I have heard that that was the case.

Lookup tables are very useful in Splunk. 

We are an MSSP, and some of our customers have Splunk Enterprise Security, and we run it for them.

Splunk Enterprise Security is very good for helping us find any security event across multi-cloud environments.

Splunk's unified platform works very nicely to help consolidate networking, security, and IT observability tools.

It helps speed up security investigations. There is a 25% to 30% improvement. There is also a 25% reduction in the mean time to resolve, but we are also using a SOAR tool, which reduces that by 70% to 80%. 

After the acquisition by Cisco, we are focusing on our partnership with them as a Gold Partner and Tier One reseller. Following the acquisition, we also shifted our focus to Splunk. I am a system integrator implementing Splunk for customers in their environments.

Splunk has a vast integration with multiple vendors, which makes it easy for our customers to integrate various cloud environments. 

Splunk provides complete visibility when integrated with all installed appliances and applications.

The threat intelligence management feature is a good add-on for startups, especially given its affordability.

Splunk allows organizations to ingest and normalize data effectively.

Splunk simplifies real-time problem identification and resolution by seamlessly integrating existing customer and vendor systems. Its customizable dashboards can be tailored to map and reflect specific environmental needs precisely.

The threat topology and MITRE ATT&CK framework features can help discover the full scope of a security incident, provided they are fully integrated into the customer's environment.

Splunk's comprehensive log visibility enables efficient investigation of malicious activities and breaches. By generating a dashboard that collects logs from firewalls, emails, proxy endpoints, and threat intelligence, Splunk can provide access to critical information within seconds, significantly reducing investigation time compared to other vendors or solutions. This streamlined process, facilitated by Splunk's ability to gather and analyze diverse log data, ensures swift identification and resolution of security incidents.

It helps our customers improve their organization's business resilience.

The unified platform helps consolidate networking infrastructure and security. This single-platform approach offers the advantage of combining multiple technologies and features, streamlining operations and enhancing efficiency.

Implementing Splunk with SOAR capabilities, along with machine learning and AI for alert filtering, can significantly reduce alert volume without constantly interrupting administrators. This streamlined approach ensures that only alerts requiring approval are sent to administrators, optimizing their workflow and efficiency.

The analysts using Splunk, even the free edition, are very satisfied with the information it provides for their investigations.

Splunk has helped customers accelerate their security investigations by integrating AI and machine learning into its platform. This integration automates many basic tasks and saves valuable time.

Splunk helps reduce our customer's mean time to resolve. 

We primarily used Splunk Enterprise Security for data and cloud ingestion. We also leveraged it for enterprise security use case engineering, which encompassed malware analysis, threat management, detection, and the integration of threat and vulnerability intelligence, culminating in comprehensive reporting and dashboards. This was the principal use case for our SIEM platform. In recent years, we have also employed Splunk for user behaviour analytics to bolster insider threat protection.

We implemented Splunk Enterprise Security to improve security monitoring, threat detection, and incident response.

Although Splunk is not the only tool we use, it is essential that it provides end-to-end visibility into threats in our environment.

Splunk is effective for helping find security events across multiple cloud, on-premises, or hybrid environments.

Splunk helps improve our organization's ability to ingest and normalize data.

Splunk helps us identify threats in real-time.

We integrated 50 percent of the MITRE ATT&CK framework's techniques to enhance our incident detection capabilities.

Splunk Enterprise Security effectively analyzes various security events and has helped improve my organization's ability to ingest and normalize data.

Splunk helped us detect threats faster. 

Splunk Enterprise Security reduced the investigation time by consolidating datasets for quick access.

Splunk Enterprise Security enhances business resilience and assists with threat detection by centralizing security data.

I have a positive impression of Splunk's ability to predict, identify, and solve problems.

Splunk Enterprise Security helps reduce our mean time to resolve.

We use it for real-time monitoring and alerts for all instances and servers on our sub-prod instances. It helps in monitoring, getting alerts for specific errors, and identifying various logs. We also use it for log analysis, which is very beneficial.

My use case is more related to production issues. Threat detection is taken care of by another team.

It is our go-to tool for monitoring multiple cloud environments. The difficult part initially is to understand how the logging is happening for particular applications or instances. Once you have an understanding of what you want to see and how they are getting generated, you can just write queries, and you can create exhaustive dashboards for anybody to look at and understand how things are.

Splunk Enterprise Security is good for analyzing malicious activities and detecting breaches. Its threat detection capabilities are good. We can look at the exact activity and task. We can look at a trace and understand what is happening. It gives a very granular understanding. I see emails from the security team mentioning what they have identified, so it seems to be helpful for threat detection.

Based on the org mail that we received, they were able to block almost 95% of threats in real time. That is a pretty good number.

Splunk Enterprise Security helps to reduce alert volume because you can understand patterns, such as where your requests are going and how everything is happening. There has been a 40% to 50% reduction.

Splunk Enterprise Security has helped speed up our security investigations by 40% to 50%. It has helped the security team to get a head start and understand where the issue is originating and where the problem is. We are operating in a very dynamic environment, so any time lost costs the company money.

The use cases depend on how you want detections to be set up. For example, you can have specific use cases for Office 365 alerts, Carbon Black, or more extensively towards MITRE ATT&CK framework. You can enable different analysis stories and alerts based on these use cases. You can individually go ahead and enable them. 

It is really important that Splunk Enterprise Security provides end-to-end visibility into our environment because there are multiple levels of hierarchy within an organization. 

We need easy visibility starting from L0 analysts to the SOC manager and director. So, if it is easily visible, it makes the operations easy to teach the basic analyst or also to show the upper management what we have in the current scenario or how an investigation is going on. Visibility is very important.

Splunk Enterprise Security helped improve our organization's ability to ingest and normalize data. We have different teams approaching us to use Splunk, ingest their logs, and aggregate their logs.

The system helped us reduce our alert volume mostly because a lot of false positives had been fine-tuned. That was my last two months of work consolidated. I had to go in, check on all the alerts, see what was using a huge spike in alerts, and make sure the false positives were reduced and the alerts had come down. 

Splunk Enterprise Security provides us with the relevant context to help guide our investigations. It makes investigations much easier. With more information and the right applications, I break down the investigation in such a way that I can build a timeline. Once I have a timeline, I can build a story around it and make a report around it. Splunk definitely has helped a lot.

Splunk Enterprise Security helped reduce our mean time to resolve. Using the identity investigator and asset investigator applications definitely reduces the meantime for an investigation. I can see all the authentication logs, changes made, and threat IDs by simply inputting a username or asset name. It reduces investigation time by about 60 to 75%.

We currently use it for our security team. The next step is to pitch it to different teams and get it integrated for them as well.

I have created various correlation searches to develop use cases for detecting security threats. For example, I have created use cases to identify brute force attacks, unauthorized access, denial of service attacks, and distributed denial of service attacks. To date, I have developed a total of 190 use cases for our environment using Splunk Enterprise Security.

The end-to-end visibility provided by Splunk Enterprise Security is crucial. Its user-friendly interface makes it easy to navigate and configure. The intuitive options allow for simple customization, enabling users to easily select and configure settings. This feature, combined with the excellent support from the Splunk team, makes it a valuable tool for addressing enterprise security issues and creating or modifying use cases.

Splunk's website provides a variety of simple commands for identifying security events. These commands and pre-built security fields make it easy to detect real-time attacks, monitor environments, and identify security threats. Splunk offers a more straightforward and efficient approach than other monitoring tools.

Splunk automatically ingests and normalizes data, eliminating the need for human intervention. When data is ingested, it is automatically converted into index-friendly formats within most source pipes.

The MITRE ATT&CK framework is a valuable tool for security teams, and its integration with Splunk Enterprise Security offers significant benefits. By mapping specific MITRE ATT&CK tactics to Splunk use cases, analysts can quickly identify the root cause of security incidents and access relevant information for remediation. For example, if a brute force attack occurs, an analyst reviewing the incident can quickly determine the corresponding MITRE ATT&CK tactic and access detailed information about the attack, including potential solutions, mitigation strategies, and potential future actions. This seamless integration between MITRE ATT&CK and Splunk empowers security teams to respond to threats more effectively and efficiently.

Splunk has significantly enhanced my business resilience and problem-solving capabilities. Due to the urgency of different issues, there are four types of Splunk support cases: P1, P2, P3, and P4. P1 cases are incredibly critical and require immediate attention. If a business-critical issue arises, I can open a P1 case, and the Splunk support team will respond within 15 minutes. This rapid response has enabled me to resolve critical issues promptly. For P2 cases, the support team typically connects within two to three hours. P3 cases receive a response within 24 hours. Overall, the Splunk support team consistently resolves issues efficiently.

After deploying the use case, we immediately observed the benefits of Splunk Enterprise Security. We can instantly monitor enterprise security use cases in our environment without delay. However, as a precautionary measure, we deploy use cases and monitor them for seven days. If the use case does not generate excessive noise within this period, we deploy it to the final environment. Otherwise, we refrain from deployment. Splunk's capability allows us to deploy use cases within seconds.

Splunk helps me consolidate all the data, such as networking and cyber security data. If there are other types, such as behaviour analysis, we can perform them with the help of Splunk. But I'm mainly in the cyber security field, so I am more concerned with Splunk for cyber security data only. For example, in my PhD, I created my thesis based on medical performance monitoring. I monitor the performance health condition of one million people with the help of Splunk. So, this is not a cybersecurity use case I'm creating there. I monitor the health condition with the help of a Splunk Enterprise. If a health condition is significant, the alert immediately goes to the doctor, physician, and their relative.

My alert volume has decreased significantly. Splunk is a machine that generates alerts based on specific use cases or service queries. Before implementing a new use case or alert, we must analyze how many alerts it will trigger. If it generates fewer than one alert per day, it's acceptable. However, I will only deploy it if it generates one daily alert. This approach allows me to reduce the alert volume effectively using Splunk Enterprise Security.

Splunk streamlined my security investigations by consolidating logs into a single repository. The Splunk community provided invaluable assistance, enabling me to quickly find answers to my security-related questions and address concerns promptly. By leveraging the collective knowledge of the global community, I expedited my security processes and enhanced overall security measures.

Splunk reduces the mean time to resolve because it enables L1 SOC analysts to view relevant data in the power role field directly. For example, when a brute force attack alert triggers, analysts can easily see the source IP, time of the alert, user, destination IP, and other critical fields. This immediate access to information allows for swift preventive measures, countermeasures, and efficient resolution of cybersecurity issues. Splunk's clear and intuitive interface empowers even junior analysts with only one year of experience to effectively apply their knowledge and address security challenges.