Splunk Enterprise Security Reviews

I work for a government agency and we use Splunk to monitor our Cisco equipment. I'm a senior network engineer and we are customers of Splunk. 

This is a very capable and flexible solution. It's based on Linux and even Windows installations use the Linux file structure. You can use it to gather syslog messages from anything; jet engines, fin-tech financial institutions, banking, regular enterprise, etc. You can gather the messages from network equipment, elevators, anything you can think of that generates syslog, and Splunk it. They also have a good API so you can write your own code to talk to it or interact with it. The solution has a lot of applications that people have written. It's the best solution on the market. 

It would be nice if they had a wizard to construct searches, including more complex searches that include math or statistics. 

I've been using this solution for 10 years. 

The product runs on Linux so it's very stable. It's important to have a well-run SAN environment to store the data. 

The solution can be scaled up to any size of enterprise or agency. I have heard of Splunk installations of over 100 terabytes of licensing.

We used Logrhythm previously but it was not a good fit for our environment. That is why we switched to Splunk.

The initial setup is fairly complex. There's a certain architecture that Splunk utilizes to handle its indexing and it also depends on the size of your deployment. If you have a relatively low amount of gigabytes per day, deployment is simple. And of course it scales to terabyte, so if you have a terabytes installation, there are a lot of additional services that need to be implemented such as licensing servers and clustering. We sometimes configure syslog NG servers to front end the date before it ends up at an indexer. If it's a large terabyte installation, you definitely want to use professional services.

This was implemented through a combination of in house and vendor developers.

n/a

Splunk charges on the basis of gigabytes of incoming log messages per day. Also I would recommend that funds be set aside for Splunk training and certification.

There is a large number of options for training and certification. The more training you have the more useful Splunk becomes. However, right out the gate you can do useful searches due to the search bar design.

I went to a cybersecurity boot camp through Penn University, and we went over this topic for a decent amount of time. It was more of a testing environment where they gave us different file formats that we had to go through. We would upload those files to Splunk, and it would give us good examples of what it would look like under different circumstances, such as when an organization is getting hacked, when there is a DDOS attack, and so on.

It is a good way of seeing the network traffic as a whole. With network traffic, there are a lot of things going on, especially in a big organization. It organizes the information and makes it more usable for average people. If you use Wireshark, you'll get a ton of information, and it is super easy to get lost in it. Even if you put Wireshark on for about 30 minutes, you can very easily get lost. Splunk simplifies the information, and it gives you charts and different means of seeing that information, making it easily understandable for people.

From my experience, the visual aid that it provides is most valuable. There are charts and other means to provide information.

Its user interface for everything other than the charts can be improved. Some parts of it can be simplified a bit, such as when importing documents that have the network traffic. When you're going through the information about the network traffic, you have to have the expertise, but even if a program is supposed to be for IT support, it is good to make it user-friendly because it gets easier to train people. When something goes wrong, the more difficult a program is in terms of UI, the harder it is to fix the issue.

I've been using this solution for a little while. 

In terms of stability, I really liked it. I didn't see any issues as far as stability was concerned. Whenever I needed it, it was there. It was available, and it worked. It was pretty good.

Its scalability seems pretty good. If you are working with a lot of information, it would be usable.

Its users would depend on the organization. Mostly network engineers, network analysts, and SOC analysts would be dealing with this. 

There were instructors who knew how to fix a lot of the issues. If there was an overarching issue, they would deal with it.

At the boot camp, we also used Kibana, which looked a little bit more friendly, but when we got into the details, I liked Splunk a little bit more. It was more intuitive, and it did a little bit more on its own rather than Kibana. With Kibana, it felt like I had to hold its hand all the way through the whole process. There were 20 people, and I know a number of people were leaning towards Kibana. It just came down to personal preference.

We saw some of the basics for deploying it within an environment, but it was very minimal. 

It isn't complex, but there is a little bit of a learning curve. Once you get the hang of it, it is very easy to get in and do things, but there is definitely a learning curve. I am not speaking just for myself; other 20 or more students that were in that class at the time also had a difficult time getting the hang of it, but once you get the hang of it, it is smooth sailing. You can fly through the program. Making it a little bit more simplified would help.

I remember Splunk being relatively affordable. Kibana was more reasonable, but you get more with Splunk. If I was suggesting something, I would probably suggest Splunk because it is better to pay a little bit more and get a lot more.

I would advise making sure that your staff is very aware of how the program works. After one or two classes, I got the hang of it, and it felt like I knew everything that was there to know about it, but when we went into the next class, I realized that there is a lot more. So, if you are going to use the program, I would advise making sure that everyone is trained and everyone really understands it. You should take your time to go into the nitty-gritty. You can very easily think that you know everything, but when you make mistakes in Splunk, at least from my experience, it can get messy quickly. So, you want to make sure that everyone has a very good understanding of what they're doing so that you can keep everything organized and accurate.

I would rate it an eight out of 10. When we're getting into the nuts and bolts and looking at the data, it is an eight, but when we are just navigating through the website, it is a seven. Only its UI needs improvement. It isn't bad, but there is room for improvement. They should make it a little bit more user-friendly.

We use Splunk Enterprise Security for security log investigation. It is a SIEM platform. Many cybersecurity and technical alerts generated by Splunk turn out to be false positives. We then analyze these alerts to determine if they indicate a genuine security threat.

We will be ingesting logs from various sources, including firewalls, databases, Windows devices, and Linux devices. These logs will be used to investigate security incidents and troubleshoot system issues. Our use cases will be brief and focused, allowing us to leverage pre-defined queries in Splunk for efficient analysis. These queries will trigger alerts based on specific security or operational criteria within the predefined use cases. We will then investigate the triggered alerts by further analyzing the corresponding logs.

Splunk Enterprise has improved our incident response time. For instance, if an end user attempts to log in to a system with an invalid password from a device using an unusual port number, we will receive an immediate alert. This could be indicative of a brute-force attack aimed at stealing credentials, making it a suspicious activity. This is just one example of how Splunk Enterprise enhances our security posture.

Splunk's threat detection capabilities are strong, and Splunk is a leading platform for SoC monitoring. To maximize effectiveness, we need to develop strong query-building skills. Additionally, we have the flexibility to fine-tune existing queries or remove them altogether once an issue is resolved.

The customizable dashboards of Splunk are good for visualization. It gives a better understanding, and the graph is highly customizable.

I would rate Splunk Enterprise Security a nine out of ten for analyzing malicious activities.

Splunk Enterprise Security helped the organization control suspicious and malicious activities.

Splunk Enterprise Security has helped speed up our security investigations.

Splunk Enterprise Security's customization capabilities enable integration with other tools like EDRs, providing real-time event insights.

I like the Splunk dashboard and search engine.

Although the technical support is adequate, there is still room for improvement.

I have been using Splunk Enterprise Security for 2 years.

I would rate the stability of Splunk Enterprise Security 9 out of 10.

I would rate the scalability of Splunk Enterprise Security 9 out of 10.

The technical support is adequate.

Positive

I would rate Splunk Enterprise Security nine out of ten.

While I understand the desire for a cost-effective SIEM solution, prioritizing security over budget is crucial. In cybersecurity, even a seemingly minor breach can have significant consequences. Therefore, choosing the best SIEM for your needs, even if it has a higher upfront cost, can ultimately save money and protect your organization.

We have Splunk Enterprise Security deployed in four locations in one country.

Splunk takes care of the maintenance of the solution.

I recommend Splunk Enterprise Security to others.

Splunk Enterprise Security is used for security monitoring. It helps manage the governance of the security monitoring from the start of an incident to the resolution.

Splunk Enterprise Security offers excellent visibility across multiple environments. It's a flexible platform with virtually no limitations.

The actionable intelligence provided by the threat intelligence management feature is good.

Splunk Enterprise Security does a good job analyzing malicious activities and detecting breaches.

Splunk Enterprise Security helps us detect threats much faster than before.

Depending on the client and their configuration, Splunk Enterprise Security can help reduce their alert volume by under 50 percent.

Splunk Enterprise Security helps our clients expedite security investigations. It achieves this by streamlining the process of finding evidence and incident logs within Splunk's data module.

Splunk Enterprise Security offers two valuable features: the Common Information Model and arrangement modules. The CIM helps standardize data for efficient searches, while arrangement modules automate incident log processing by enriching them with contextual client information.

While Splunk offers SOAR as a separate product, integrating it into the next version of Splunk Enterprise Security as a unified solution would be beneficial.

I have been using Splunk Enterprise Security for 2 years.

Splunk Enterprise Security is stable.

Splunk Enterprise Security is scalable.

The technical support experience is moderate. It can take a long time to resolve issues, and I often need to explain the problem to multiple support representatives. Ideally, I would have a single point of contact assigned to my ticket throughout the entire process.

Neutral

The initial setup of Splunk Enterprise Security involves moderate complexity. Deployment time can vary significantly, ranging from one hour to one month, depending on the environment's complexity.

Splunk Enterprise Security is expensive.

I would rate Splunk Enterprise Security 7 out of 10.

I suggest integrating SOAR with Splunk Enterprise Security.

As a software analyst, I utilize Splunk Enterprise Security for security purposes, including threat hunting on developed and customized applications for vulnerability management. I also use it to display dashboards, analyze data, and address alerts.

We implemented Splunk Enterprise Security to consolidate all our security data into a single platform. This has enhanced our visibility into our security posture and the potential threats we face.

Splunk Enterprise Security enables us to monitor multiple cloud environments, which is crucial for receiving real-time email alerts in the event of critical incidents. However, directing me to the source can be time-consuming compared to the verified swim methodology used by SIEMs. For my application, I have approximately ten million records. Directing me to the service code takes two minutes to instruct them to view the file using VLOOKUP. However, sending it to the capital takes about half an hour.

The ability to monitor multiple environments is excellent. We have customers who use Splunk Enterprise Security both on-premises and in the cloud. Both options have their merits, depending on the specific needs of the customer. If a customer has the required resources, the cloud is often the most suitable solution.

The robust threat detection capabilities of Splunk are essential for our project. However, it's crucial to manage user access carefully. While we need to grant access to certain users, we must not provide them with unrestricted capabilities. Splunk's granular access control feature empowers administrators to customize user permissions, ensuring that only authorized users have access to the necessary features.

Splunk's threat topology helps us identify the scope of an incident. This is crucial due to the high likelihood of unauthorized data being compromised, necessitating prompt incident detection.

Splunk Enterprise Security has facilitated the timely detection of threats, enabling us to swiftly customize it to identify a wider range of threats and potential risks. We can incorporate external scripts for enhanced threat intelligence and threat-hunting capabilities.

Before implementing Splunk Enterprise Security, we relied on a patchwork of other tools, each requiring manual implementation for data collection, rule definition, and threat identification. This approach was not optimized and occasionally resulted in delayed threat detection. Limiting our focus to device security alone proved insufficient, as it lacked the real-time threat actor intelligence and activity insights provided by Splunk Enterprise Security. Our reliance on licensed development restricted us to pre-built alerts or manually uploaded scripts for mitigation and response.

Splunk Enterprise Security has helped reduce our alert volume.

Splunk Enterprise Security has helped speed up our security investigation time.

Three features stand out for me: the SDK for writing Python, the customizable and adaptable diagnostic dashboard, and the optimizer for collecting data.

The threat detection system has room for improvement. The critical aspect for an organization is the timely detection of incidents. If the rules are not defined correctly, threats may not be detected in real-time, resulting in incidents being detected months or even years after they occur.

I have been using Splunk Enterprise Security for almost seven years.

I would rate the scalability of the solution eight out of ten.

I would rate the resilience an eight out of ten.

I contacted Splunk support once for a separate product.

Positive

The initial deployment was straightforward for me, likely due to my extensive experience using Splunk. When implementing the solution, we begin by defining customer needs and requirements to optimize Splunk. This involves identifying the systems necessary for daily use and ensuring the protection of the integrated licenses and external apps in the Splunk environment. This protection encompasses program security, cloud-based security, and data analysis for specific apps. Additionally, we configure personal authentication for private applications.

The deployment time is dependent on the specific requirements and can range from two to ten days.

The implementation was completed in-house.

Splunk Enterprise Security has delivered a return on investment through its effective threat detection and vulnerability response capabilities. We have successfully demonstrated this positive impact on our customers through comprehensive reports.

I would rate Splunk Enterprise Security nine out of ten.

While there may be cheaper solutions available, they lack the optimizer, dynamic dashboard, and security APIs that Splunk offers. These capabilities are not found in other solutions.

Maintenance is minimal for updates only.

When using Splunk Enterprise Security, ensure that optimization is performed correctly to minimize response times and resource consumption.

We mainly use the solution as a reseller. We give our users the latest version of the product. 

The solution is the market leader.

Our customers are always looking to partner with market leaders as you can't go wrong with them.

Customers can monitor cloud environments. 

The threat detection capabilities are quite fast and efficient based on my customer's feedback. 

We've used the MITRE ATT&CK feature and it's good. It's pretty standard and comparable to IBM. Most products offer this as well. 

It's good for analyzing malicious activities. It's good as an overall platform. It's good at detecting threats. It's a basic feature that is quite effective.

Splunk can help to reduce alert volume if you configure it properly.

They are a market leader in a lot of areas in terms of features and functions. 

It helped us speed up security investigations. I'm not sure of the exact percentage it helped us speed up by, however.

It has a lot of basic and standard features. 

It is a full-fledged solution that provides everything a company needs.

When it comes to malicious activities, however, it's rather overpriced. There are cheaper ways to detect.

There are quite a lot of security platforms on the market that do the same thing in a similar way at a cheaper rate. 

The pricing could be a lot lower. I'm from Asia, and they need to provide Asian pricing. They should price better for the region they are in. Once companies see the price, it puts them off. 

The integration could be a bit better. They charge for certain integrations. 

I've used the solution for about a year or more. 

It is a stable product.

The solution is used across multiple departments, not locations. That said, it would support multiple locations. 

We've had no issues with scalability. We usually have a solution that lasts three to five years and have had no issues scaling in that time.

I do not directly deal with technical support. 

We previously used many solutions, such as IBM. The implementation times are about the same. There are some ways that IBM is faster and other ways Splunk is faster. However, Splunk offers a more modern look.

The initial setup is very easy. It's quite straightforward. The process is similar to IBM. The deployment takes less than one day. It is done by a different team. I don't handle the initial implementation process.

The maintenance needed is very minimal. We have at least ten people that can handle deployment and maintenance. 

The solution is quite expensive compared to the competition. It's considered a premiere security option. 

We also looked at Dynatrace before choosing Splunk. 

I'm a registered partner of Splunk. 

We are using the latest version of the solution. 

We haven't used the threat intelligence management feature. We usually use another product.

The mission control feature hasn't been used. I'm not familiar with it.

For those looking for a cheaper product, I'd suggest, if they had a limited budget, to go cheaper. Likely a cheaper option that can do the same work as Splunk. At the end of the day, whether you choose a Toyota or a Rolls Royce, you get from A to B the same. The price is the differentiation. 

I'd rate the solution eight out of ten. It's a good product overall. 

I used Splunk ES when I worked for a retail company. I worked mainly in the security operations center. I have also worked in healthcare and federal spaces.

Splunk ES provided the organization with overall visibility.

Incident Review and correlation search are valuable features. These features help us create correlations and have good actions afterward. The product provides visibility and enables us to correlate data and generate alerts.

The product could be cheaper.

I have been using the solution since 2014.

The tool is very stable. Once we set it up properly, it's reliable.

The solution's scalability is good. When we started, we had two servers and two indexers. By the time I left, it was up to 11 or more. It's not very hard to add additional components.

The support team is usually very receptive and answers quickly.

Positive

The initial setup was easy because I had done it many times before.

I used the solution until December last year. It was not very hard to monitor multiple cloud environments using the product because getting data into Splunk is not very hard. It also provides add-ons that we can use to pull data from other places.

Splunk was the brain of the whole process in our organization's security operations center. Without Splunk, we wouldn't have had any way of seeing what was going on. The tool helped reduce our mean time to resolve. We got alerts faster and responded to them faster.

The biggest value of the conference is the community. The conferences help me interact with people, get insights and up-to-date information, and also get opportunities to present my work. There's always room for change.

Overall, I rate the tool a nine out of ten.

Splunk helps us to be proactive and it integrates with many devices. It offers visibility from many different levels, areas, zones, and devices rather than from a single system. We can use this intelligence to create correlations, system solutions, etc. Splunk reduces the risk factors and helps us in many ways beyond just collecting logs. Though Splunk is costly, it has many features like threat intelligence which is very useful. It helps us be proactive about reducing risks.

Splunk incorporates a lot of elements that help to reduce security risks. For it to reach certain compliance, we need to have some security insight. Splunk is a very good SIEM, it’s a top solution, but the best feature is its cost of visibility. We have all the most important features to detect vulnerabilities or risks.

Customers cannot manage or maintain the servers on the cloud since they are all deployed. Since there are platforms, they can become a little bit hectic. One of my other observations is that the applications that are available on the store are not updated as much as those available on on-prem.

Moreover, I have had issues with the Splunk store. I believe that the developers in the Splunk store are external and I can see that the level of maturity of these developers ranges between low and medium. I have never seen the maturity go up higher. The applications are not maintained regularly and it can cause issues in the visibility dashboard. I would suggest to Splunk's tech team to keep the store private, so that Splunk creates its own applications without the interference of external developers.

I have concerns about the architecture as well since I can see it is not very well defined. However, this is not the case with on-prem. We were able to manage and do whatever we wanted on the server level without opening a case or anything else. Moreover, the applications are updated every six months.

Splunk is a stable solution.

Splunk is a scalable solution. I am also impressed with the integrity of the solution. It is very good at collecting logs.

To resolve issues in the Splunk platform, you need to wait in a queue and then open a ticket with the support team. I find it a bit time-consuming since it takes time to call tech support and get what you need.

I have used Wazuh. From my point of view, Wazuh is a simple and basic SIEM solution compared to Splunk in terms of features. I don’t see Wazuh as a competitor to Splunk. Wazuh relies greatly on human tactics. It is best suited for cloud environments and maybe smaller ones. I have issues with Wazuh’s stability as well because I have found scenarios where it was working for one instance and not for another. These issues might be because it is open-source.

Wazuh is not actively working on their platform. I opine that they need to integrate many components and have many aspects automated so that the solution does not depend on its users. I have found issues with the language of Wazuh as well. It requires a lot of resources and time to learn the language. These issues make me think that Splunk is better than Wazuh.

The initial setup process for Splunk was simple. The language used in Splunk is very easy to pick up and you can rely on any person using it to be able to learn it quickly. The language and picking up logs are easier with Splunk.

I implemented Splunk through a POC.

Splunk is costly but it’s worth it due to the high-end features.

I have worked with Wazuh and ManageEngine Endpoint Central.

I would rate Splunk Cloud a 6.5 out of 10, but plugged on time, I would give it 8.8 out of 10. The maintenance of Splunk is a bit difficult due to the time-consuming tech support.

I would recommend Splunk. I cannot compare Splunk with any other SIEM solution because I have worked with many different solutions and logarithms, like the ManageEngine Endpoint Central, and Wazuh. I have used Splunk for two years and I can see Splunk as really the best SIEM solution that can be used for work. I totally recommend it even though I gave some negative feedback, it's because I am coming from a product perspective. We have to also take into consideration the security perspective. I am not talking about only visibility in which they should take a lot of care, but the way the solution is handling and even manipulating the data. This is the most valuable thing.