Splunk Enterprise Security Reviews

I use the solution in my company to deal with certain migrations from a legacy SIEM solution to a new product like Splunk Enterprise Security or from on-prem to cloud migrations. Another use case involves implementing a new SIEM solution like Splunk Enterprise Security from scratch.

The most valuable features are its ability to transact in the cloud and its ability to onboard data easily with minimal connectors. Some of the new players in the market need to build new connectors to bring data into the SIEM solution. With Splunk Enterprise Security, you get built-in connectors, as it is a major platform.

The product's price may be an area of concern where improvements are required.

The metrics that I or my company's clients see in terms of the improvements from the use of Splunk stem from the fact that some of the metrics that the tool provides for senior leadership, specifically in the area of visibility when it comes to organizational split, considering that there are multiple lines of business. It would be a good feature in the tool if it could provide dashboarding for different lines of business in the product's next release.

One of the key areas where Splunk Enterprise Security can do better is if it integrates with AI solutions.

I have been using Splunk Enterprise Security for five years.

Our company's clients who use the solution like the fact that they can rely on Splunk Enterprise Security as a product, especially since it is not a new entrant in the market. Though the tool has moved from on-prem to the cloud, I feel that the fundamentals of Splunk Enterprise Security are strong. The support structure available for Splunk is good.

Scalability is of paramount importance to a lot of clients. Some of the clients value the scalability feature of the product, and they are also willing to pay more to use such features. There are some pharmaceutical clients my company deals with who like the scalability feature but do not like the increase in the price attached to the scalability part.

To be very fair, I have not been directly exposed to Splunk's support team since I deal with our company's clients. I have not heard any major complaint from our company's client regarding Splunk's support team, so I assume that it is pretty good.

Deployment of the product is easier than migration. It is always better to write on a clean board than write on a board where someone has already written something. If you migrate from one solution to another, you also have to migrate some of the use cases, and you need to fine-tune them. If you are deploying a product from scratch, it is easier. My company also recently dealt with one of the clients, and we had to onboard 28 log sources in ten weeks with no issues. We also had to deal with heavy forwarders, syslog, universal forwarders, and everything under the sun, which was a big mix, making it a difficult environment. There were no issues during the onboarding process. In general, I am happy with the product.

ROI depends on a lot of calculations, so my company does not consider it. Most of the complaints from our clients are related to the cost of the product. Our company's clients are happy with the features and reliability of the product. Cost is one of the major factors that companies are migrating from Splunk Enterprise Security to some other solution. I don't know if it is relevant or not, but I feel that the acquisition of Splunk by Cisco has spooked a few of the clients since they are unsure if they will receive any support if they don't have a Cisco-based infrastructure and instead have some other company like HP supporting their infrastructure.

Splunk is really expensive compared to all the other tools on the market, including Microsoft Sentinel. Some of the clients prefer to go for a data lake kind of solution because of Splunk Enterprise Security's prices. Some of the clients have also mentioned that the pricing of Splunk Enterprise Security is not visible for them and it is based on storage because of which they are not able to control various aspects associated with the pricing part.

In cases where I see the replacement of existing SIEM solutions from my company's customers' end, I have dealt with scenarios where Microsoft Sentinel replaces Splunk Enterprise Security. I have also dealt with implementations associated with Splunk Enterprise Security from scratch. I have managed migrations of Splunk Enterprise Security from on-prem to the cloud.

The primary reason customers are moving to a cloud-based solution is that products like QRadar and LogRhythm did not initially offer cloud versions. The other reasons why customers are moving to cloud-based solutions are the difficulty of configuring their use cases and the problem of finding the right resources to support them. With Splunk and Microsoft Sentinel, resources will be much more available to users in the market, but for LogRhythm, the market is going down. Training opportunities, the building of accelerators, available information in the outside world, and a lot of reasons have prompted customers to move to cloud-based products.

I would say that it is easy to configure the use cases, and also to correlate use cases, which in turn helps reduce alert volume. More importantly the product can provide good visibility in the area of dashboarding, metrics and security events.

Splunk Enterprise Security helps me find any security event across multi-cloud, on-premises, or hybrid environments.

Visibility across multiple environments or varied environments is absolutely important to our company's clients, and it is one of the key areas because most clients do not want to go and see multiple tools like CrowdStrike for endpoint protection. Our company's clients want to be able to see one dashboard with all the feeds coming in, along with all the alerts correlated to it.

The product provides relevant context to guide our company in the investigation. When you have more context, L1 or L2 support finds it easier to investigate. I don't know if Splunk already has an AI-based plugin tool or not. If AI is present in the product, it would help L1 and L2 support resolving tickets in a much faster manner, and it is also an area where context helps.

I have seen a reduction in the mean time to resolve from the use of Splunk Enterprise Security by around 30 to 40 percent if it is able to deal with contextualization. L1 and L2 support teams look at a particular incident, and if they end up spending more time adding the context or going through multiple tickets, it adds up the time needed to resolve an issue.

The product helps speed up security investigations by around 30 to 40 percent. Collecting the context is the key step for resolving or investigating purposes.

It is not fair to state why a certain rating is being given to a product since a person rates a solution on certain aspects, and it could be in terms of the migration part. If I speak in terms of the performance and support parts of the solution, I would rate the product a nine. If I consider the cost of implementing and maintaining the product, I would rate other products much better than Splunk Enterprise Security. As a company, we have implemented Splunk Enterprise Security multiple times, and we see the business associated with the product growing higher. My company also provides training to people in relation to Splunk Enterprise Security. My company hopes to do more business with Splunk Enterprise Security. My company has 3,00,000 employees.

I rate the overall tool an eight out of ten.

Splunk Enterprise Security provides us with both log monitoring and alerting capabilities from a centralized interface.

Splunk Enterprise Security's detection capability is good. Real-time alerts are crucial for threat detection. When unknown traffic is identified, incidents are automatically created and alerts are sent to the monitoring team for prompt action.

Our mobile device ordering website experienced a fraud attempt. We identified a surge in traffic originating from the same IP address through Splunk Enterprise Security. This allowed us to swiftly block the suspicious activity, potentially saving millions of dollars.

Integrating Splunk Enterprise Security with other tools is easy.

It is easy for us to monitor our multiple cloud environments using Splunk.

Splunk offers good visibility across our multiple environments. We can monitor roughly 80 percent of our environment through Splunk.

Splunk is our primary tool for analyzing real-time logs to detect malicious activity. These logs are then used to create security incidents and trigger alerts for further action.

We can see the benefits of Splunk Enterprise Security quickly after deployment.

Splunk Enterprise Security reduces our alert volume because it is precise and customizable.

Splunk Enterprise Security helps us speed up our security investigations by sending alerts and providing a deep dive into the logs.

Splunk's visualizations make it easy for users to understand the data. Additionally, Splunk can ingest all our data, creating a centralized and informative platform. This combination is a powerful asset for data analysis.

Splunk Enterprise Security's pricing structure could be more accessible for smaller organizations. Licensing costs can be a barrier for those with limited budgets.

I have been using Splunk Enterprise Security for 5 years.

I would rate the stability a 9 out of 10. With a stable environment, we may encounter issues 2 percent of the time.

I would rate the scalability an 8 out of 10. 

Splunk now offers SmartStore, which automatically scales storage capacity without sacrificing performance.

The support team is supportive and quick to respond.

Splunk offers Platinum, Gold, and Silver support. With the Platinum package, they respond within two hours.

Positive

We transitioned from AppDynamics to Splunk Enterprise Security, which provides a valuable single pane of glass for managing and viewing security metrics.

The initial deployment is easy. The deployment for Splunk Enterprise Security is quick.

By automating our monitoring and alerting with Splunk Enterprise Security, we've achieved a significant return on investment. This has freed up over 190 days of manual monitoring effort by our team, resulting in overall cost savings of around 30 million dollars.

The licensing costs are high for Splunk Enterprise Security.

I would rate Splunk Enterprise Security 8 out of 10.

I highly recommend Splunk Enterprise Security to anyone looking for a comprehensive security solution. It's a single tool that can monitor and manage our entire security posture, including business metrics, IT infrastructure, and security alerts. Splunk also simplifies incident creation and log management, providing a central location for all your security data.

Splunk Enterprise Security is used by 30,000 people across multiple locations in our organization.

The widespread adoption of Splunk Enterprise Security requires regular maintenance to ensure optimal performance.

Organizations with low logging volumes can benefit from using the open-source ELK Stack.

The resilience Splunk Enterprise Security offers is good.

As a Splunk engineer, I collect data from various sources, including Universal Forwarder, Heavy Forwarder, DB Connect, and Syslog to monitor application logs. This data is used to create dashboards that visualize application health and identify potential security incidents. Additionally, I configure alerts to notify teams via Slack or email when CPU or memory usage reaches critical thresholds, allowing for prompt resolution. Furthermore, I use Splunk to create KPIs and NDDs for various aspects of the organization, including a custom ITSI service for Microsoft 365. This service monitors child entities like Teams, Outlook, and Edge within a parent application, tracking metrics like team member logins and meetings, CPU usage, and memory usage. All this information is consolidated into a three-page ITSI report.

Splunk Enterprise Security helps us detect malicious activity, such as failed login attempts by unauthorized users. These attempts, whether brute-force attacks or phishing attempts, trigger alerts with detailed information about the incident mapped to the MITRE ATT&CK framework. This allows our security team to investigate and take appropriate action quickly.

We managed Splunk's large clustered environments, I oversaw data collection from roughly 750 applications via universal deployment clients. This experience, coupled with my nearly six years of Splunk expertise, made monitoring application logs and creating Splunk knowledge bases straightforward tasks. While processing task cut-off tickets from the application team could be time-consuming, the actual monitoring itself was easy to manage.

The end-to-end visibility provided by Splunk is important because our company uses applications like K-Connect and Splunk to monitor user activity across different sectors. Having previously worked in both healthcare and finance, I'm familiar with how this process works. We access user information including personal data to track their activity from start to finish within our systems. Splunk allows us to mark specific user data points for further analysis, ensuring we have a full view of user or patient activity within each organization we serve.

Splunk helps me find security events across multi-cloud and on-prem platforms. I would identify missing data by checking the last hour's timeframe (span=1h). If on-prem or cloud data was missing, I'd investigate which logs weren't being ingested, whether an indexer was down, or if a forwarder wasn't sending data. Additionally, I'd check if the application or event log volume was overwhelming the universal forwarder, requiring a queue to process the data effectively.

Splunk improves our ability to handle data from applications. This data is often unstructured or unavailable in a usable format. To make it usable, we used to normalize the logs manually through back-end commands and edit various Splunk consoles and platforms. This process transformed the data into a structured, human-readable event format, allowing us to extract the information we needed.

We can identify potential malicious activity through Splunk by analyzing database logs with SQL queries. For instance, a high number of failed login attempts within a short timeframe could indicate unauthorized access attempts. Additionally, with multi-factor authentication systems like Duo, a user logging in from two geographically distant countries within a short period might be suspicious. To address this, I've developed SQL queries that check for logins within a one-hour timeframe across different countries. These queries trigger alerts on a dashboard, allowing IT to investigate the user's IP address and determine if the login is legitimate.

Splunk has significantly improved our business resilience by providing a single pane of view for all our data. This visualization allows us to monitor for anomalies, including unusual application activity, unauthorized executables, and suspicious shell scripts running on both Linux and Windows servers. By triggering alerts for these events, Splunk empowers our organization to proactively identify and address potential threats, ultimately improving overall stability.

Splunk allows us to easily check the data for malicious activity. It also helps reduce the alert volume by allowing us to set thresholds for alerts. For example, we only receive an alert when the CPU usage exceeds 90 percent or the number of failed logs is more than 15.

Splunk helps us investigate by providing relevant context from system logs. We can search the Splunk logs for specific applications and timeframes, and then examine all the data fields for suspicious activity, failed login attempts, or any other anomalies.

It helps security teams investigate threats faster by providing a central platform to collect and analyze data from various security applications. This focus on enterprise security allows teams to identify and respond to threats across the organization, leveraging frameworks like MITRE ATT&CK to match attacker techniques and tactics.

Splunk's strength lies in its single-page view. This interface allows us to explore all our data, build dashboards with alerts, and visualize real-time information through various charts like column, bar, and pie formats, providing a full user experience.

Due to its high licensing cost, Splunk is out of reach for many organizations. Making their licensing more affordable would open up Splunk's solution to a wider range of users.

I have been using Splunk Enterprise Security for six years.

Splunk Enterprise Security is a stable solution.

Splunk Enterprise Security has excellent scalability.

The technical support is good.

Positive

The deployment is complicated  because our organization works with on-prem servers. All the data needs to be duplicated and all the searches and indexes need to happen properly.

The Splunk licensing is high.

While more affordable, alternative SIEM solutions lack the flexibility and in-depth visualization capabilities offered by Splunk.

I would rate Splunk Enterprise Security nine out of ten.

While Splunk Enterprise Security offers a user-friendly interface, its true power lies in its ability to create highly customized dashboards that streamline investigations and reporting.

My role is to design and implement and manage a strong environment. I need to ensure the available insights can be extracted efficiently and I use the solution for that. I also configure the Splunk custom dashboard and optimize searches to meet specific business needs. We also do a lot of troubleshooting and upgrading.

The security part is useful as it helps secure the entire environment. I designed the security aspect of it for a lot of applications in my company. It's the security thread within the application that we build. I'm able to use Splunk to secure the applications. 

We use the solution to monitor multiple cloud environments. We can monitor even on Amazon products. It's a good source for monitoring all types of applications. 

I can manage and correlate different kinds of searches within my environment. It's good for performance monitoring as well. I can do auditing and reporting through Enterprise Security.

The solution gives us visibility into multiple types of environments. There's a good level of cost optimization as well. It's good for end detection and prevention. I can identify anomalies and get a data view of fraudulent activities. You can uncover the source type and the IP address from where things originate.

Splunk gives us the capability to handle insider threat detection. I'm able to create my own dashboard that will visualize the information. It does depend on how you handle the configuration and permissions. 

We do use the MITRE ATT&CK framework. It helps us discover the scope of the incidents. It helps us to target incidents immediately. We're able to quickly resolve it and stop it. We get data visibility to see what's coming in, which helps us act fast. 

We can work with data from any source as long as you configure it correctly.

The solution has helped us to reduce our alert volume. You can tune your alert thresholds. You can also create rules to define your alerts. It gives you the capacity to optimize queries as well. 

They didn't use to be able to integrate with Cisco. However, this has changed now. 

Some minor features could be added. However, I need to do more research. 

The user experience could be improved. It could be more intuitive.

There should be a way to do bulk visualization reporting. 

I've been using Splunk for 7 years. 

We haven't had any downtime. The only issues come up is if there is an extension of limits. If you extend beyond your license, you may get downtime. 

The solution is scalable. It's easy to manage. 

We have contacted technical support for troubleshooting. No solution or machine is perfect. We had an issue where a new hire misconfigured some servers and they were able to offer us support. They are helpful, however, they do need to be faster in response. They do provide a to of documentation that can be helpful. 

Neutral

I'm also familiar with CloudWorks. However, Enterprise Security has more features and can provide more insights. 

I'm familiar with Dynatrace.

Splunk was already in place when I arrived. I simply tried to implement different strategies in multiple environments. 

Splunk is pay-as-you-go. The pricing depends on your use case. You only really pay for the amount of data you are dealing with. 

I'm a Splunk customer. 

People shouldn't necessarily look for the cheapest pricing. You need to look at what will optimize costs and the time it takes to secure the data. The most important thing, before cost, is being able to successfully secure your data. You should choose your solution based on your use case as well. 

I'd rate the solution 8 out of 10. 

There are many use cases. Most of the use cases are related to security, data integration, and data sources. 

Splunk Enterprise Security helps with real-time detection. When we integrate any data source, if any external IPs or external devices are accessing that data source, we get notified. We get alerts based on the use cases we develop.

Splunk Enterprise Security has improved the incident response time a lot. Splunk is doing log ingestion, and it is also used to search the database for issues. It is ingesting and identifying. All that is happening in a single solution.

Splunk Enterprise Security is very easy to use. We can monitor anything. We can monitor and integrate any type of applications and servers. It is very easy and effective. I work with different security tools, but none of the security tools has these many features.

Splunk's documentation is clear. Irrespective of the environment we are working in, we have clear documentation.

One of our clients is using the Threat Intelligence Management feature. The actionable intelligence provided by the Threat Intelligence Management feature is very good.

I have been working with different vendors. Splunk Enterprise Security is a very effective and user-friendly tool. Whether it is Sentinel, LogRhythm, or QRadar, each one of them has its own limitations, but Splunk has all the features.

Its benefits can be realized very quickly. It does not take lots of days or months.

Splunk Enterprise Security has helped to reduce our alert volume. There is a 60% to 70% reduction.

Splunk Enterprise Security has helped speed up our security investigations.

It is user-friendly. It is more effective than other solutions. The support and help for troubleshooting and the documentation from Splunk make it very effective.

It has multiple features. It has data integration, search, reporting, and alerting.

It does not need any advanced programming. It only requires basic programming.

In terms of features, it does not need any improvement. Everything is good so far. The only improvement I am expecting is the cost of the licensing. Clients are going to other solutions just because of the cost.

I have been working with Splunk for more than 7 years. I have worked with Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, and on-prem Splunk.

It is very stable. We never had any issues or bugs.

Its scalability is good.

The support from the Splunk side is very good. They provide the best support.

Positive

I have used Sentinel and QRadar. I switched because of the advanced features, support, and good documentation. It is very effective. It is the best solution. The only problem is the cost.

I have worked with cloud deployments and on-prem deployments. Its initial setup depends on the environment. It is sometimes complex, and sometimes, it is very easy. We also get good support from them.

Our implementation strategy has 3 phases. We first go for development, and then we go for Pre-Prod. After that, we move to Prod.

Currently, I am the only one handling the deployment, but when it comes to operations, we need at least two to three people.

It requires maintenance. Generally, 2 people are required, but for my clients, I am the only one who is taking care of the maintenance.

We have seen an ROI.

It is expensive. I work for multiple clients. I am working for more than 5 clients, but most of the clients are switching from Splunk to Sentinel because of the cost. Even though Sentinel is very limited, clients are moving to Sentinel.

I would recommend Splunk Enterprise Security to anyone who is looking for a similar solution. This is the only solution with all these features.

I would rate Splunk Enterprise Security a 9 out of 10. It is stable, user-friendly, and feature-rich. It is very helpful. Even though it is expensive, the stability, support, and technical documentation make it very effective.

I work in security and use Splunk for endpoint and application security, use case development reports, etc. I haven't used Splunk much for threat intelligence. We have a threat intel feed configured, and we create use cases based on those and the recommendations by the threat intel team. If something isn't covered, we create a use case for it. For example, if an application has an authentication interface enabled, we check all their authentication mechanisms and all the login policies. 

Splunk speeds up our incident response by enabling us to automate some of the investigation steps, such as finding information about the user or the source of the incident on machines. We can then move directly into the remediation phase and assign those tickets to the remediation team. It also triggers automatic email alerts to the recipient user. If our security analyst wants to see the alert logs or anything, they can easily drill down to identify any information required.

It allows us to configure use cases involving our machine-learning toolkit, and we have an adaptive threshold in ITSI. Using these tools, we can eliminate false positives and do some whitelisting to weed out users who are performing benign activities. Removing the false positives reduces the incident response time.

We can start to see results immediately once we have achieved a steady state. For instance, we can easily show how much our mean resolution time for incidents has fallen and provide metrics in a way that is easy for our clients to understand. 

Splunk's interface is user-friendly, and it has apps and add-ons for most applications. We can easily normalize the data to make it readable and understand the logs. We easily get all the field extractions and enrichment done by using the apps and add-ons. This helps us understand the application logs because the raw data is useless unless we extract some useful information from it. These add-ons make it so much easier.

Dashboards are useful when we present things to management. They want the numbers and the results. The leaders aren't interested in what we are working on. We need some visualization for our presentations. Splunk has beautiful and useful visualization and dashboard alerts. We can easily create visualizations using the available options and create different types of charts, reports, and graphs that are easy for management to understand. We can also provide our leaders direct access to the dashboards, so they don't need to reach out to our team to get this data or we can automatically send them the reports via email. 

Splunk has several useful features, like asset and identity management. If we integrate our asset and identity management properly in this log, it's effortless to identify the user, device, or asset. We can get all the details if we integrate those things into the lookup engine.

It would be nice if Splunk reduced the cost of training. Their training sessions are way too costly.

We have used Splunk for around seven years.

Splunk is highly stable if you meet all the prerequisites and have enough physical memory for your local storage. 

If you use the cloud version you can scale as much as your licensing allows. It's easy to scale, upgrade, or add instances according to your needs. 

I rate Splunk support 8 out of 10. They're good, but I think there is room to improve because Splunk is the market leader, and they should strive to provide the best possible support. 

Positive

I previously used QRadar and ArcSight. Splunk is one of the top products. Compared to Sentinel or QRadar, Splunk is the market leader in features and security. You can integrate application, physical, or cloud security and onboard those logs into Splunk, then tailor it to your requirements. 

I've worked on multiple deployment models for Splunk, including hybrid, cloud, and on-prem. The deployment is straightforward. We do a POC and then scale it based on our requirements. 

I feel like Splunk is worth our investment. 

The cloud version of Splunk is somewhat expensive, but it does provide some flexibility because you do not need engineers to manage the system. Everything is hosted in the cloud because it is a SaaS service. It depends on the usage. It is costly, but everything good thing comes at a price.

I rate Splunk Enterprise Security 9 out of 10. 

We use Splunk Enterprise Security to enhance our overall security posture by proactively managing our threat profile across the enterprise. This enables us to see valuable insights and effectively monitor all OEM devices.

It is easy to monitor multiple cloud environments using Splunk Enterprise Security. This helps with DLP and security across our SAM solutions.

Although I favor the cloud's convenience for credential management, Splunk Enterprise Security's visibility remains consistent across multiple environments.

Splunk's insider threat detection reveals daily threat events and highlights anomalous behavior on the dashboard.

The threat intelligence management feature continuously monitors activities across cloud, on-premises, and hybrid environments, and informs stakeholders of any suspicious activity.

Splunk Enterprise Security has endpoint security protection to analyze malicious activities and detect breaches through the analysis of new log content.

Splunk Enterprise Security helps us detect threats two to three hours faster.

Splunk Enterprise Security has helped improve our incident review times, security posture, network protection, and endpoint protection. We saw the benefits within the first month of use.

A decrease in false positives has enhanced our risk analysis, security posture, and the speed of our alert investigations, resulting in daily time savings of four hours. 

Splunk Enterprise Security has saved us two hours per day of investigation time.

The ability to manage large amounts of generated data and to protect all devices from unauthorized use are the most valuable features.

The threat detection library needs to increase the frequency at which the playbooks are updated. 

I have been using Splunk Enterprise Security for two years.

Splunk Enterprise Security is stable.

Splunk Enterprise Security is scalable.

The technical support is good.

Positive

The initial deployment was straightforward. We wanted to cover all of our endpoints. Two people were required for the deployment.

The implementation was completed in-house.

I would rate Splunk Enterprise Security an eight out of ten.

Splunk Enterprise Security is a leader in the market and provides great visibility into an organization's security posture.

We have 100 people that are using Splunk Enterprise Security.

The continuous visibility and SOC requirements of the resilience Splunk offers are a benefit to any SIEM. Resilience is important for organizations that run a hybrid environment.

Splunk Enterprise Security use cases drive the workflow from threat detection all the way through to incident response, giving an approach mirrored with technology. Depending on use cases, whether having a tool drive some approach or conducting discovery, or looking to facilitate an operational security operations role at your company, it is very much driven heavily on the scheduler, setting things up and then looking and deep diving when necessary. Splunk Enterprise Security does well by giving a good framework.

Risk-based alerting is enabled in Splunk Enterprise Security. However, because of custom applications, a lot of times it works but doesn't work. Some discovery on our own is required, conducting our own campaigns to do that.

The time it takes the SecOps team to remediate any security incidents with Splunk Enterprise Security depends on the situation. Splunk skips over the whole trying to figure out how to use the tool. That is the biggest thing. Using Elastic SIEM and using other SIEMs, there is a learning curve, whereas with Splunk Enterprise Security, even if there is no one on the team who has mastery in Splunk, there is enough support and enough tooling and things that people have done before to really deep dive right in immediately.

Splunk Enterprise Security helps tell a story and helps focus at the customer level. As a managed service provider, I can only speak from the security side of it.

As a managed service provider, consolidating networking, security, and IT observability tools with Splunk Enterprise Security can be difficult, especially when providing those tools yourself. What Splunk does, and really is why it is a choice platform, is that it speaks all of those languages, no matter what IT discipline you are in. You are able to surface and view data in a quantitative manner and also get insights into what you are looking for. That is a very strong aspect of a tool where it does consolidate.

Splunk Enterprise Security has helped mainly when it comes down to the data science part. If you have a strong data science background, it is easy to detect anomalies. Some of the toolkits that are deployed with Splunk Enterprise Security and ML Toolkit allow you to do a lot more upfront than you typically would be able to do.

Splunk Enterprise Security has helped to improve the ability to ingest and normalize data.

The impressions of Splunk Enterprise Security's ability to identify and solve problems in close to real-time are that the different ingest methods that it provides are critical to finding out and looking at the breadth of data that comes in through machine data. In some parts, some people call them logs, some people call them metrics, some people call it telemetry. Having an aggregator at the ingest level like Splunk is amazing because it does not matter what you want to send, you can send it. It does not need to be in a particular format. A lot of the data brought in is not log data, it is programmatic from APIs and customer activity and things that need to be looked at as a whole picture. So when it comes to security, to be able to look at that in real-time requires compute and less structure because you need to be able to see there are payloads coming in that are typically not in this correct format, and the tool should not miss that because fields are not necessary. Splunk's ability to do schema on search is immensely powerful and that does aid in the ability to get results faster.

Threat topology and the MITRE ATT&CK framework features for helping discover the overall scope of an incident in Splunk Enterprise Security are pretty good. In this particular discipline when it comes to security, applying knowledge and then having a tool support that knowledge and drive forward, the integration paths of those particular types of things are very helpful. The more data that you bring in across your topology, if you will — network, user activity, user behavior activity, authentication, and application errors — you get this full landscape that you can see. With that, if a type of MITRE ATT&CK comes along and you understand what it is, you can see where the attack entry point was, the activity that was performed, and then start the incident response.

The biggest thing with Splunk is making sure that the documentation is maintained. There is a gap where if you search for an issue, a lot of times it is in the community. There should be a path that moves community answers into documentation or into an FAQ that allows people to not use the community answers to drive results. For instance, when you can use Splunk this way and this solves your problem, but if there is a better solution, that should be presented as an FAQ. Just working with Splunk for an immense amount of years, it is usually necessary to try to figure something out. The docs tell you where you can figure it out, as in a configuration file, but it does not really help you get to the end result. More complete documentation would be beneficial.

There has never been any instability with Splunk Enterprise Security. Some core dumps appear from time to time, but it really depends on your architecture. If you are really good at architecting Splunk, you should not ever run into that. Splunk is solid, and that is almost a ten.

Splunk Enterprise Security's scalability is huge. If you were to take one thing from Splunk that is probably really amazing, it is the scalability. With a handful of users now, coming from a shop where there were 5,000-plus users in Splunk and it was pretty stable, the scalability is immense. It is one of the things that separates it from other tooling, and if not, it is the most scalable solution out there.

Technical support or customer support at Splunk has been contacted.

The quality and speed of the support at Splunk are interesting. As an expert in the field, the work is really far beyond what customer support can probably handle. They are pretty good when it comes to that, especially if you have a Sev 1 ticket. The support team overall at Splunk, the people that have been interacted with, are fine, but typically if there is a problem, someone like a specialist needs to be spoken to. This one is hard to answer because of being such a niche customer.

If Splunk support were to be put on a scale from 1 to 10, it would receive a seven. This has been discussed with them and it is fair feedback. The reason for giving seven is simply because the first contact is not necessarily able to answer most of the problems that have to be submitted.

Positive

Alternatives to Splunk have been used. In the past, ArcSight has been used, of course managed service provider tools that you typically get with the big cloud providers, and then Elastic.

Splunk Enterprise Security is just an app that sits on top of Splunk. There really is not much to it. It is pretty straightforward and about as easy as production enterprise software that has ever been seen. It is super easy.

Implementation was automation, probably a couple of minutes and a button click.

There is not anything that is close to Splunk Enterprise Security as of right now. Splunk has taken this weird leap ahead of everybody else. It is also the most expensive tool out there. It is kind of like buying a luxury SUV or a used entry-level SUV. There is a difference for a reason. That is not saying that any of the other tools mentioned are that. It is just that Splunk is ahead, so there is really not a fair comparison.

Splunk Enterprise Security has not been upgraded to 8.0. Splunk Enterprise Security does require maintenance between patching and upgrades. Professional services are available and have been done on behalf of another customer, but it is done mainly personally. The overall review rating for Splunk Enterprise Security is an eight.