Splunk Enterprise Security Reviews

For incident detection, this is the main purpose for which I can use the product. That is the only use case for my team. It may be different for my team who is actually processing the incidents and a bit different for me, as I am a manager. For me, the most important aspect is making statistics over a period, seeing who did what, and extracting all the needed information. It is quite easy and intuitive.

Incident detection is the positive impact I have seen from Splunk Enterprise Security. It probably saved the company from financial losses because of the early detection of the incidents. I cannot say about ROI because I am not involved in financial matters, so I cannot estimate any kind of cost.

There are so many products and features that it may be quite hard sometimes to find something that you are looking for. Search capabilities or maybe some kind of AI assistant helping to find what you want would be beneficial improvements.

I have been dealing with the product for about seven years.

From time to time, there are some glitches with stability. Some logs are missing, and we have an external SOC team handling this license for us. Whenever there is something wrong with Splunk Enterprise Security, they need to raise a ticket, and it can be time-consuming to wait for them to reply; this is also a disadvantage.

It is easy to scale up or down if you have the money. The solution is quite pricey not only because of the license but also when scaling it and maintaining it.

I have not raised any ticket myself, but I have heard some not very good stories about technical support from Splunk Enterprise Security. Support did not provide quick enough help.

I have not been using any other competitors.

I have no idea about installation because I took no part in it.

We have a dedicated team that is doing all the configuration of Splunk Enterprise Security for us. We are just managing what has been prepared for us.

It saved the company from financial losses because of the early detection of the incidents. I cannot say about ROI because I am not involved in financial matters, so I cannot estimate any kind of cost.

I heard the solution is quite pricey.

I have not been using any other competitors.

Users should know what they are looking for. Splunk Enterprise Security is probably customizable enough that they could achieve their goals, but they need to know what they want to get from it. On a scale of 1-10, I would rate Splunk Enterprise Security an eight overall.

We use Splunk Enterprise Security to detect different anomalies and alerts based on our infrastructure. I work in the telecom industry. We have multiple network and security devices that collect logs. We create use cases to collect logs from all these devices.

The dashboards are very good in Splunk Enterprise Security. There are pretty good options to fine-tune the alerts, to wipe out false positives, and only get the correct alerts as per our requirements. The UI is pretty good and easy to use because it is integrated with different EDR tools. This integration is very helpful for identifying different malicious activities or malware for any of the endpoints, especially the critical servers.

The architecture of Splunk Enterprise Security is really good at collecting and parsing logs. Each detail, how it correlates, and all the features are up to the mark compared to other vendors. The indexing speed is pretty good in Splunk Enterprise Security. 

I used many of its machine learning automatic detections. It's really helpful to identify any malicious activity or the behavior of malware over time. There was a malicious activity that involved privilege escalation from the MITRE ATT&CK framework. It was very helpful in detecting that escalation, and due to Splunk Enterprise Security's machine learning capability, we tracked down the malware, remediated it, and prevented it from spreading further to other endpoints.

There should be more options for adding more visual experience in terms of dashboards. 

The integration feature with other applications, such as anti-DDoS application Arbor, needs to be more powerful.

I have been using it for almost three years.

Issues are very rare, near to zero with no downtime. 

It is highly scalable.

The tech support is really good. 

Positive

I use ArcSight as well. We did not fully migrate to Splunk Enterprise Security. We are using both solutions.

Splunk Enterprise Security has good refresh rates for getting alerts. I prefer Splunk Enterprise Security more compared to other competitors such as ArcSight or IBM QRadar. The health checks are very good. The dashboards, indexing speed, correlations, and machine learning are advantages of Splunk Enterprise Security. Even though other competitors offer the same features, the efficiency of Splunk Enterprise Security is the best.  Except for the price, I don't find any disadvantages compared to other vendors.

The migration process was complex because we were moving from one SIEM tool to another. In the telecommunications industry, there are several teams that we needed to collaborate with, and meetings were essential. Within the network team alone, there are numerous sub-teams to coordinate with.

In my current environment, this complexity made the process challenging. We weren't starting from scratch; instead, we were transitioning from an existing SIM tool to a new one. If we had been implementing the first SIM tool for our company, it would have been much easier. However, migrating from one SIM to another always presents difficulties.

Our company purchased through resellers.

It's somewhat pricey compared to other vendors. However, for big infrastructure companies such as telecom, the price is fair enough. Compared to the features and efficiency it offers, the price is good. For medium-sized companies, it's too pricey.

I would rate Splunk Enterprise Security an eight out of ten.

We have customized use cases for Splunk Enterprise Security as per our environment, due to our infrastructure related to cloud, virtualization, and a few application servers, along with Active Directory management, where we look for user interface and access management. We receive alerts related to any password breaches or unauthorized user access, or if any applications stop running. 

Consequently, we created multiple customized use cases, and accordingly, we receive alerts on Splunk Enterprise Security. It integrates with other tools for threat intelligence and anomaly detection. We are enjoying a good experience so far, and our admins ensure that the use cases are well-maintained. Additionally, they perform fine-tuning as needed. 

We have some database servers integrated for alerting us about unused services. We communicate with our database admins regarding incidents related to data management issues. We suggest actions to the database admins based on these alerts for better data management.

Splunk Enterprise Security is highly customizable, which is an excellent feature. We are continually fine-tuning it to meet our requirements, and everything has been smooth thus far. We also have well-designed dashboards that allow us to visualize data from various use cases in comprehensive graphs, which is beneficial for management reviews, especially during inspections, to display the status of our environment.

We monitor multiple environments, and those environments are integrated with Splunk Enterprise Security, functioning effectively.

In terms of visibility, it offers insights into integrated devices such as firewalls, cloud infrastructure, and virtual machines. The extent of visibility corresponds to the number of devices we integrate with Splunk Enterprise Security. We have access management servers and Threat Intelligence integrated, enhancing visibility across various elements in our environments.

Splunk Enterprise Security provides good visibility into our environments.

Splunk Enterprise Security aids us in detecting threats faster. Over time, it has incorporated enhanced AI support that enables self-analysis and offers valuable feedback. It operates as an intelligent tool, parsing and generating relevant incidents effectively.

Splunk Enterprise Security significantly improves our organization's business resilience. Since my introduction to Splunk Enterprise Security in 2022, I have observed an increase in its intelligence levels, and I look forward to integrating more infrastructure with it. Our reliance is shifting more towards Splunk Enterprise Security for providing solid decision-making capabilities and easy integrations with multiple cybersecurity and IT infrastructure controls.

Splunk Enterprise Security has helped reduce our alert volume to a good extent. It goes beyond mere incident handling by providing feedback to IT infrastructure personnel and database administrators. The incident responses have enabled us to make several environmental corrections, reducing flaws and incidents over time. For instance, alerts related to unnecessary service account logins have prompted us to give feedback to admins, which reduces their workload. False positives are a notable aspect we address to minimize unnecessary alerts, while true positives associated with malware or MITRE framework indicators prompt effective management action.

Splunk Enterprise Security accelerates security investigations. The tool contains extensive data, and the key lies in how to extract that information, depending on the analyst's capability. Our company emphasizes obtaining Splunk Core admin and user certifications to enhance our understanding of the Splunk Enterprise Security product.

I find it beneficial that Splunk Enterprise Security easily integrates with other tools. Due to its excellent API capabilities, it facilitates connections with various cybersecurity tools. We utilize different controls, such as Anomaly and Threat Intelligence, and also integrate it with Data Diode, which assists in one-way communication for infrastructure. Splunk Enterprise Security can seamlessly receive logs from various infrastructures, including Data Diode and firewalls.

We utilize Threat Topology and MITRE ATT&CK features, as these aspects fall under the MITRE ATT&CK framework. They provide coverage for continuous user activities and password issues. The MITRE ATT&CK framework is beneficial for detection and outbound traffic, and it offers a good number of default use cases that we have implemented in our environment.

In terms of recommendations for improvement, when performance degradation occurs, we need to do a root cause analysis. The repeated tendency to inform us about memory utilization complaints encourages us to consider adjusting our query needs. Improving the infrastructure behind Splunk Enterprise Security is vital—enhanced cores, CPUs, and memory should be prioritized to support better processing power. When we execute heavy, resource-intensive queries over long periods, the performance dips. Our admin quickly intervenes to correct resource bottlenecks, allowing everything to function properly again.

I have been working with Splunk Enterprise Security for approximately two years now.

I find it easy to scale Splunk Enterprise Security for our environment, and I would rate its scalability an eight.

I have sought assistance from Splunk Enterprise Security support in the past, particularly during deployment, and they provide friendly and effective help.

Having experienced using QRadar from IBM, I find Splunk Enterprise Security more intelligent and supportive.

The deployment of Splunk Enterprise Security is straightforward, and integration with other security controls is quite easy after the initial setup.

Initially, we required the assistance of Splunk Enterprise Security consultants for the deployment process.

I have noticed a return on investment with Splunk Enterprise Security, as it delivers substantial value for money. This is why we are keen on expanding our infrastructure under Splunk Enterprise Security rather than other SIEM options.

We are currently using Splunk Enterprise Security for our SOC in our office, and as long as the office continues its use, we will still be using it.

I haven't faced any other difficulties apart from the CPU resource issues. I find Splunk Enterprise Security to be very customizable and user-friendly. The only consideration is that if we want to increase the volume of logs processed, we need to buy more licenses.

Maintaining Splunk Enterprise Security requires personnel, especially due to the existence of different search heads and various forwarders in our robust setup, supporting a centralized logging environment.

I find it easy to scale Splunk Enterprise Security for our environment, and I would recommend that potential users consider their capacity to invest financially based on the criticality of their infrastructure, as adoption comes with licensing costs.

I would rate Splunk Enterprise Security an eight out of ten.

The main use cases are with the firewall, DNS, and Windows events. These are the three basic ones to start with. Once they're done with all the compatibility and introductions, custom use cases will follow.

It's currently in the implementation phase. But, it will surely improve response time and make it easier to collect and check everything in one place. Instead of going to multiple dashboards and running multiple queries, all can be integrated into one dashboard. You can just click and then go drill down into deeper levels and get more information.

Splunk Enterprise Security provides end-to-end visibility into our environment. It's very important because: 

1. This tool is used as SIEM implementation. End-to-end visibility is really important in such a case; if something is missed, it's an error. 
2. Also, we belong to the retail sector with over 700,000 employees. We have a lot of endpoints and everything is open, so end-to-end visibility is essential.

It helped our organization to ingest normalized data. With Windows, DNS, firewalls, and the open use cases we've checked, we've gotten more data in. The compatibility with the add-ons helps us add more data in the same compatible format and use data models to elaborate and make it faster.

The investigation dashboard provides a lot of value. In the same dashboard, we get all the drill downs, raw events, and information about what the particular user is doing or where the vulnerability started, all in the same dashboard.

It helps us reduce our mean time to resolve. Now, we can see all the incidents on a single dashboard and it could be assigned to the analysts at the same time on the incident review. People can start working on it right away, so it does reduce the mean time to respond.

Splunk's unified platform helps consolidate networking, security, IT, and IT observability tools. But our major focus or use case is more on the security side. We don't use observability, so we just use logs, matrices, and other security-related features.

Incident review is pretty valuable. You can have everything in one place, review it, and assign things to analysts, and they can work on it. 

We also have different teams segmented; it is not one team. So, we brought that using the teams method in Enterprise Security, which I think most people are not using. This way, different users have different dashboards or lists of incidents.

One thing is multi-tenancy, which is not currently not there. The concept of Enterprise Security assumes only one team using Splunk, but in many companies, including ours, that's not the case. We have multiple security teams operating under one umbrella, with different people using it for different smaller companies. If multi-tenancy could be incorporated, it would surely help us. 

We started with it last year. We integrated it last year, and the SOC team is now handling it. They're making it SIM compatible, introducing the first few use cases, and working with the data. 

So, we bought the license nearly a year ago, and started implementing it about six months ago.

Stability is there, but every release has some bugs. For example, in this release, indexes were down, searches were down, and the monitoring console wasn't working. So, it's a bit tough.

It's still being implemented, and a lot of work needs to be done. But, considering the pricing and everything, I would give it a seven out of ten. It does have a lot of use cases, but a lot of work has to be done beforehand. Our data wasn't totally SIEM compliant because we used prebuilt solutions and changed the data format.

We use Splunk Operator on Kubernetes, so it's not on-prem or Splunk Cloud. Customer support is not good at all.

For example, we upgraded the system on Saturday and raised an incident. With Operator, you can only raise a P3 incident, so we needed to escalate it and get the developers involved. Support cannot handle such cases. We always have to get the developers involved to get the issues fixed. This happened very recently. But it is very common; the support for Kubernetes is zero.  

The company didn't have a SIEM solution. It was more of SOAR, so we used FortiSIEM for that. We still use it. 

Setup is not that difficult. You just have to install the search head cluster and a normal app. Data normalization is the main thing required for Enterprise Security. SIEM compatibility is the most important thing. If it's not there, then it won't work.

The deployment of the solution is pretty simple, if your data is SIEM compliant. If not, then you need to make it SIEM compliant. Otherwise, you cannot use the solution.

We have a Splunk partner that helps us with integration and other stuff.

Pricing is a bit costly. It always is.

We considered a couple of other brands. We ran a couple of POCs with other enterprise tools.

Since we've been using Splunk for nearly four years, it was easier to incorporate Enterprise Security. We did try other SIEM solutions like Fortinet, but since Splunk was already there in place and had all of our normalized data, it made more sense to use Enterprise Security.

There are tons of use cases for Splunk, but our main one is insider threat.

It's easy to deploy Splunk, and mostly, we don't have to reach out to the customer after it's done. It's a simple tutorial with a couple of pages, and they can configure it themselves. The simplicity of deployment has been the greatest asset

Splunk has improved our customer's ability to ingest enterprise data. We don't have to have hands-on every customer's environment. We can farm that out to the local SAs. They find the install, and it's a simple firewall update. We're getting data.  

It provides an all-in-one resource. Before, we had one product for firewalls and one for our gateways. Pairing up with Cisco helped because a lot of our information is based on our network, firewall, or router. Having Splunk intertwined with them will ensure that it's one resource and one solution.

'The solution has helped to fine-tune false positives. Sometimes, out-of-the-box solutions aren't customizable, but Splunk is. It can clone, alter, and make it your own.

Before Splunk, we didn't have a tiered solution where there was some low-hanging fruit that was easily handled by the tier ones and higher-end stuff. It went from level two to level three bordering on level four CCNA. That's what I was looking for, a maturity model. We've developed into a progression from tier one to tier two, etc. At the high end, we have forensics for long-term solutions or advanced persistent threats.

A lot of things can be handled at the tier one level, and there are 12 to 24 hours before it floats to tier two. Resources are underutilized, and not everyone's working. You're not handing a tier-one ticket to a tier-four guy who's just like, "Dude, it's this." The tier-one guy is getting a tier-four ticket. It streamlines the resolution process.

I like the ease of setting up dashboards on Splunk. They're easy to create, manage, alter, and share. You can fine-tune them any way you see fit. One of Splunk's unique features is that you can customize it for your needs, especially if you've got homegrown solutions. It accepts whatever kind of logs and can be normalized at any point. With a one-off solution, you can work with the developer who created it, and they give you the features or key information you want to keep.

Many people are talking about deploying upgrades from the deployment server. It's necessary, particularly from the perspective of insider threat. You can see if something's breached. If you notice an anomaly at 2 a.m., we've got your rules firing, letting you know immediately. It's near real-time notification of any issues.

We have used Splunk for two years.

Splunk's stability is inherent to its scalability. It's malleable and adjustable. It's like pottery that you make to fit your needs.

It's easy to divert resources where they're needed. Often, we have several projects that have reached the end of their life, and we shift the resources. The fact that you can set up a new index or set of indexes and push some feeds into specific structured indexes makes it a lot easier instead of having everything in one giant database and trying to find what you're looking for.

With the streamlining, it's a lot easier for the end customers. They've noticed a quicker turnaround for low-level stuff, and the high-level requests get directed to the right people. We used to have a turnaround window of about a month. Now it's down to a week for most tickets. In the past, they sometimes put a ticket in, and it might be a week before someone even looks at it. Now, we have a system in place where they get a response within 24 hours.

We were using ArcSight but switched because our customer said they wanted to go to Splunk. ArcSight didn't have the reach, and the complexity of deploying it inhibited a lot of customers from using it.

Deploying Splunk was easy. We worked on developing the in-house solutions and passed them off to the customers, providing a network location to download what they needed and the instruction guides. After that, it was simple to unzip and configure the inputs and outputs. We were up and running.

We've probably tripled the amount of insight into our infrastructure and environment.

They looked at Elasticsearch and the ELK Stack—trying to do things with Kubernetes and Kafka. That can be used with Splunk. In terms of cost, complexity, and ease of deployment, Splunk is often on top. It gets the data out there as quickly as possible. The fact that Splunk is as vast as it is means it isn't hard to find a resource that's touched it and can use it.

I rate Splunk Enterprise Security eight out of 10. It's missing some features that other solutions have, such as the ability to upgrade the endpoint and perform endpoint universal forwarders from a deployment server instead of using a third-party solution, such as Puppet or Ansible.

Our primary use case is for detected malware. 

The end-to-end visibility into our environment that Splunk provides is impressive. We just need to use it better.

We are a small team. For us to look at all those logs ourselves would be difficult. There is some decent insight into what's going on. It's just a matter of actually utilizing that data and taking action on it. 

We would probably see more time savings if we used Splunk more. 

We're an on-prem network. During the installation, we found several issues that we should look into. We just need to utilize more.

Splunk has shown us some gaps where we need to ingest and normalize data, and we have built those gaps.

Splunk Enterprise Security provides us with context to help guide our investigation. It's a starting point to actually look at the logs and figure out what we need to look into. It's useful. 

It helped to consolidate networking security and IT observability tools. We use Splunk in general a lot for operations, and then we've been able to build dashboards.

I have been using Splunk Enterprise Security for two years. 

The stability is pretty good. It's fairly stable. I haven't had any issues with it so far.

Splunk support is difficult for us. There are gaps in the network. I work for a government entity so getting a classified rep to come out is difficult. 

I would rate their support a five out of ten due to their availability and talent. 

Neutral

It took what took us a while to groom all of our data correctly so that it worked well with ES. That took two weeks. As far as the finish, there's definitely room for improvement.

I would like more assistance with use cases and help with teaching us how to use it once it's installed. 

We deployed through professional services. 

We're a young team so we're still evaluating processes. We already had Splunk Core. It was already installed when I started working here. I was part of the installation team when they deployed Splunk Enterprise Security.

I would rate Splunk Enterprise Security a five out of ten because I'm still figuring it out.

We use the solution to find systems acting strange or having strange services and security attacks.

Splunk Enterprise Security helps us sift through tons of data to find relevant information we're looking for as far as activity goes.

The solution's most valuable feature is the aggregation of all the logs in one place, using enterprise securities built-in or ESCU use cases to find them.

The end-to-end visibility Splunk Enterprise Security provides in our environment is very important because we might not see everything or miss something without it.

Once you have it set up correctly, Splunk Enterprise Security works great for helping us find any security event across multi-cloud, on-premises, or hybrid environments.

Splunk Enterprise Security has helped improve our organization’s ability to ingest and normalize data. The ability to identify and solve problems in real-time is pretty robust.

Splunk Enterprise Security has helped reduce our alert volume with RBA and has helped reduce our mean time to resolve. With correlation searches in risk-based alerting, you don't have to sift through information; it is presented to you.

The solution's case management system could be further improved to make it easier for analysts to manage cases. The only limiting factor is the amount of data you're sifting through and the overall size of the number of correlations you're looking for.

I have been using Splunk Enterprise Security for seven to eight years.

I rate the solution’s stability an eight out of ten.

I rate the solution ten out of ten for scalability.

The solution's technical support is awesome, and I love it.

Positive

I've deployed the solution a few times. The deployment is very labor-intensive and takes a lot of work.

Splunk Enterprise Security is an expensive solution.

I would recommend the solution to other users.

Overall, I rate the solution a nine out of ten.

Our SOC is using Splunk Enterprise Security as a SIEM. There are multiple use cases because it is the main tool for SOC analysts. We have plenty of use cases. It is being used for IT security monitoring. We also have some custom use cases for securing applications, and then we have some of our internal customers developing their own use cases, but the main purpose is for the SOC. 

We also have additional work that is much more tricky. It is related to using AI to detect insider threats.

We are incredibly increasing our coverage as per the NIST framework that we are using for our operations. We are always extending. That really took off after implementing Splunk. It was a big moment. I have been there from the very beginning when we started implementing Splunk. Like everything new, there was a little bit of difficulty, but after we implemented it, there was an incredible increase in our SOC efficiency.

Splunk Enterprise Security helped reduce our mean time to resolve based on my knowledge, but I do not know how much because I left the department one year ago. On the security monitoring side, we have very good MTTR globally due to Splunk and the processes that we have implemented. We have other kinds of tools. Compared to the other tools that we have, our MTTR is far better with Splunk. Compared to last year, it was reduced by half. It was already good, but it got reduced a lot again.

It is lovely to have everything we need in one tool. Everything is quite centralized.

AI is everywhere, and I feel we need to discover AI for cybersecurity. For the last five years, I myself have been setting up a product and evaluating AI, but I did not do it directly in Splunk because there was some fear about the performance on the platform. That is why we chose to build our own platform based on S3 and AWS to execute and run all the algorithms and send the data back into Splunk. We now have a good base with innovation. We have a better base to directly include machine learning use cases in Enterprise Security, but they need to provide more capability and autonomy to the customers because there is so much to do. When you are lucky enough to have a team of data scientists, they want to have free hands, so a balance has to be found between giving a lot of autonomy and putting enough control so that they do not do something stupid on the platform, which can impact the performance of the standard use cases as well. There is a compromise there. However, AI is growing so fast that you absolutely need to give autonomy to the team to manage and utilize AI. This means providing easy access to a new library to build machine learning. They need to give us some flexibility, and it seems that with the new toolkit, it would be okay. Data scientists love to have freedom.

Splunk Enterprise Security provides us with the relevant context to help guide our investigations, but it would be interesting to add even more context, for instance, in order to raise the level of risk. That is something that can be implemented. For instance, when it comes to data loss prevention, it is known that somebody who is about to leave the company is much more likely to take data. If you have this information soon enough, because the person will tell HR in advance, you can increase the level of risk for data loss for that user, but you do not always get to know that in advance. In such cases, some indicators in the behavior of the users who are leaving could be connected to AI. For instance, if you are using natural language programming, you can grab emails with words like farewell. There are plenty of keywords that you can catch that would give you an indication that the person is about to live. When you have internal and external partners, they can leave at any time. You do not always get the information in advance, but there are always farewell parties or goodbye emails. You can use this kind of information to raise their risk on the specific alert. It is efficient in the sense that you decrease your false positive rate. To me, AI is something that can help them accelerate and improve on what they are already doing.

Splunk Enterprise Security is very costly. Pricing is probably its weakest spot.

I have been using Splunk Enterprise Security for five years.

It is difficult for me to answer this because I am no longer in charge now, but it has been stable from my point of view. 

Its scalability is good provided you have the right license agreements.

It depends on the situation. The problem at our end that is causing an issue with Splunk support is that we have a customized environment. All the problems that we submit are specific, and they can be a bit difficult to solve. Sometimes, their support is efficient, and at other times, we have to wait a bit too much. I would rate their support a seven out of ten.

Neutral

I arrived at the time of transition. We were probably using RSA. We switched to Splunk Enterprise Security because we needed to jump to another scale. At that time, there was a complete change in the organization. We went from the old-school cyber to Cyber 2.0. We had a lot more visionary managers who came from other companies where they were using Splunk. We had good guidance.

It was a bit difficult. The team that was developing the use cases did not have access to the real data because it was not ready yet. Developing a SOC use case without the data is something difficult. That is why it was difficult at the start, but it was not because of the tool. It was more of a matter of project management. After we moved on from the difficult stage, we were able to set up this use case factory where some of the users were themselves in a bit of self-service mode. This was a very good opportunity to enlarge our capability to cover all the applications in the best way.

For Splunk, we use AWS. We have a private cloud. We have difficulty using cloud-managed services.

Pricing is probably its weakest spot. As compared to some competitors, Splunk is really expensive. The problem is that Splunk is like Rolls-Royce. It, for sure, is the best one. Gartner says it, and the customers say it, but sometimes, you do not need a Rolls-Royce to get to the supermarket.

The problem is that the licenses that we have are based on the volume of data that we ingest in a day. The data that we ingest is only growing. We have initiatives right now for better management of data. It makes sense in terms of storage and sustainability. The pricing model, especially for Europe, is difficult. I am just out of the negotiation for the renewal of the license. We bought it for three more years. This is good news for Splunk and us as well, but it was difficult to discuss with the sales and explain that we do not want to increase the cost because it is already too high, and if it could decrease, it would make sense. It is very difficult to have this understanding from the salesperson. It was difficult for my Splunk account partner, but we succeeded in the negotiation. It was a win-win situation.

They need to be fair and adjust the price as per the usage. If the price goes too high, we would just have a no-go from the top level of the company, which would be a pity. It can happen. It has happened in the past. At some point, we had a big contract with Microsoft for Office, and we are now with Google. It was a shock for the partners and people inside the company, but we did it. We now have Google and we are happy with it. We still have a bit of Microsoft. It is important to keep the balance.

We are looking at the data usage with Splunk's team. We are looking at whether the data onboarded and dashboards that were developed are really being used to avoid wastage. If any data is not necessary in Splunk, we just stop onboarding it. We have other data to onboard anyway. My idea is to be much more efficient in the way we are managing the data and not to go the way we did it in the past.

I did not evaluate other solutions but the company surely did.

Splunk's unified platform has not helped consolidate networking, security, and IT observability tools, but it is not due to the tool. It is due to our company's structure. I have been part of the two teams. Previously, I was a part of the cybersecurity team, so I was mainly using Splunk Enterprise Security. Now I am leading the monitoring team, so I am much more on the SOC side of it. My team provides service to the cybersecurity team that is using Splunk Enterprise Security. In the end, we would like to have one solution, which would be Splunk. I would like to have IT monitoring and observability with ITSI in the future. This centralization would bring efficiency. One log being used for cybersecurity purposes can also be used for other purposes. Everything centralized would give us the most efficient way to access the data and limit duplication. It would be helpful for efficiency, cost control, and data governance.

It is absolutely crucial for us to have end-to-end visibility. For our cybersecurity needs, we should be able to reach anything. We even have this concept of Watch the Watcher, so visibility is absolutely key. We have the opportunity to audit the activities of even cyber analysts, so visibility at every stage is absolutely key. For example, all the SIEMs could be under attack, which would be a nightmare. Imagine it being an insider threat where the attacker knows what exactly we are monitoring. With AI, these kinds of risks are even higher. That is why we are all in for AI for Cyber and Cyber for AI. We need absolute visibility, but we also need protection.

Splunk Enterprise Security has not helped us reduce our alert volume. We are not at that level of maturity at this point. It is still growing.

I would rate Splunk Enterprise Security a nine out of ten. It is a good product. It needs some progress with AI, but based on what I have seen in the presentation for version 8, it seems promising.

We deploy Splunk for law enforcement agencies facing attacks from threat actors in China, Iran, and Pakistan. It helps plug the gaps because Splunk can easily identify malicious traffic.

In this instance, Splunk was only deployed for a specific department, not the entire ministry. However, this department has multiple cloud clusters for their operations, storage, and computing. Splunk is monitoring all of these clusters. It started as an on-premise solution, but then the department decided to go for cloud-based services that require a connector. Now, it's more of a hybrid solution.

 We face a lot of government-backed threats from India's neighbors, so threat intelligence can provide us with the information to take preemptive steps to stop the attacks. We were able to configure our network and the gateway firewalls. So that helped us overall.

We use the threat topology and MITRE ATT&CK features to compile our quarterly reports, but the leaders of the government departments are hardly concerned with these things.  They only respond to certain keywords if you highlight them. However, if you explain that something is an IOC according to the MITRE ATT&CK framework, they won't understand the jargon. They don't have the technical knowledge to comprehend MITRE ATT&CK. A private organization might have that capability. Government agencies may go for a full-fledged enterprise solution, but there are many features they don't understand or want to use. 

We still need to use manual techniques to investigate threats. Once, we had to look for devices that were infected, and we manually located the threat because the attacker had used a particular telecom handle to steal the data. In that sense, we did it manually but used Splunk to find the threat actor and the credentials used in the attack. The investigations were also quicker because we had the necessary information on hand. 

Resilience is essential, but it's something that can't fall entirely on a solution. Information security is the responsibility of every employee. While a cloud system doesn't go down easily, on-prem environments are more vulnerable.

Splunk has an excellent threat intel feed, so we can get the latest IOCs. The threat intel service enhances the threat detection capabilities because the solution is purely based on threat intel. They gather each threat intel from the dark web and the other areas of the internet. Once the integration is done, it's much more helpful than the traditional Splunk features, which may yield limited visibility. Splunk isn't purely a threat intelligence solution, but it may not have feeds at that frequency.

The threat detection capabilities are excellent, but it depends a lot on the configuration. If we can't configure the indicators of compromise correctly, then it becomes difficult for Splunk to evaluate a threat. For example, let's say a user is accelerating some data through the email gateway, and the gateway isn't being monitored. Splunk can't do anything about that because it requires a gateway monitoring system to be installed. Splunk is only aggregating the events coming in, and it cannot find the exact DLP agent. The DLP logs need to be forwarded to this Splunk connector.

The ingestion happens quickly, so you can run up the data costs if you use the default settings. It isn't a problem for government agencies in the Saudi market, but many of the corporations in India are small or medium-sized enterprises that cannot afford that kind of ingestion system.  

Splunk needs to be tweaked in JSON so you can limit what is coming from the endpoints, especially the events. One needs to filter that out so that only certain events are ingested, like login failures, Active Directory changes, password reset requests, privilege modifications, etc. Each Windows machine generates about 310 KB of information per event, but we can tweak that down to about 50 KB.

I have been using Splunk for five years. 

Splunk is stable. We haven't had any downtime or performance issues. 

I rate Splunk support 10 out of 10. Splunk has lots of training materials online where our engineers can learn at their own pace. The courses are easy to understand and use simple language. You don't need to learn Java queries. The main reason we rejected QRadar was the fact that it is such a closed solution. If you want to learn something, you have to contact IBM support and request the materials. 

Positive

I have worked with ArcSight, and Palo Alto has a good SIEM solution. ArcSight's UI has some drawbacks, whereas Splunk is easier to integrate and implement. ArcSight's interface didn't impress me. I didn't like the way you have to write queries. It was a tedious solution to use, and it was not pleasing to the eyes. The charts and reporting were not visually appealing. 

ArcSight was also a costly solution, but the main reason I wanted to switch to Splunk was that it was easier to integrate. It has a drag-and-drop interface, so you don't need to know SQL or Java to construct a query on Splunk. The resolution time is about the same, but it took longer to discover the issue with ArcSight. Our previous solution took about an hour or more, but Splunk can do it within a few minutes or an hour at most. 

Splunk can be an expensive solution. It all depends on how we configure the alerts and the events from the endpoints. You can save some money if you do that correctly. If not, it becomes an expensive solution.

If you don't have the money, you can go for an open-source solution like RedELK, which is based on Elasticsearch. It's cheaper, but you have a lot of support issues. There are no security upgrades. Those are not well supported. If somebody has a basic understanding of the technology and the necessary budget, I would say stick with Splunk. Its ease of use is attractive to an engineer.

I rate Splunk Enterprise Security nine out of 10. There's always room for improvement. 

We have an engineering team working on the back end to receive data, they do data modeling, and create dashboards. That's been pretty useful.

Splunk Enterprise Security helped our organization a lot. In the past, we relied on every single product that had its own kind of audit trail information. We needed to go and look for it, for example, in the Windows environment. We have to use the event viewer a lot to look for certain things, like system applications and security logs. In Linux, we have to use the log file, and under certain applications in the Linux environment, we have to look at the logs for that as well.

That's just part of the operating system. It is not the infrastructure, like network devices. When we centralize logs, we put everything in one location. 

Our advanced users can do the SPL query anything they want. Executives or higher-up management users need to look for certain things, like how many systems are missing patches for this month or who logged in today from where, what they did, and how often they re-authenticated to the systems. 

We have a lot of data from businesses, data from our devices, and more. When we put it all in the ES, it gives us the ability to look at certain functions. It provides more insight into our data, where it's traveling from, between endpoints, and what they're doing with it. 

We also look into performance. We use other monitoring tools as well, and that data is also piped into Splunk. We have a centralized platform that we can navigate to look for everything we need rather than having to go to each individual system, like Cisco Syslog or we have to go to the Forcepoint console to look for it. It is a centralized platform that gives us more insights into our data or what's happening in general. 

It is very important that Splunk Enterprise Security provides end-to-end visibility into our environment because, at any given point in time, we want to know what's happening to the data. Data privacy is the primary concern. We want to make sure that authorized users get access to what they are authorized to so that data would not leak out or travel from a different path. Again, we get a lot of data in there. We understand more about our data to improve the business in certain aspects.

We know that during certain times of the day, a lot of people access a server or website.

Then it'll give us more insight about where we need more network bandwidth or where we need to upgrade network devices. We understand more about our data, like how many people access the data lake house. And that's just for performance. 

On the security side, we would know who's accessing it from where. Are they authorized to do so, or is there any weird access pattern in locations that they're not supposed to be in?

So again, we get the data, we centralize it, and we can do data mining. We can pull out anything from there rather than looking all over the place, like, "I want to find out if he's working today if someone's using his account, or from which devices he accessed data from two different places."

From Splunk Enterprise, we can either do it manually or have our engineers create an audit dashboard. Or, if you are an advanced user, you can do SPL queries that will give you anything you need.

The alert volume depends on the users. If they do what they're supposed to, then there's nothing to talk about. If not, it's more or less on how you manage the data, educate your users, and control your system. Based on that, Splunk might play zero, fifty percent, or seventy-five percent role.

In a way, it has helped improve our organization's business resilience. It's a way for us to predict the pattern of data access and other things going on.

Knowing a way to do that, if we have enough resources to do it, is fine because we have so much data, but no one's really monitoring it. If we get alerts in the middle of the night and we don't have anyone to handle it, it's not going to help.

It's another aspect that we worry the most about, where our data is floating. 

Now that we've centralized our log information into Splunk, we want it to be secured well because now users can predict a pattern of data access from where, and from whom. 

We put all of our logs and data into Splunk, like network switches, firewalls, and web-based protection. In general, every component within the infrastructure sends data to Splunk. 

Then, we have an engineering team transforming, manipulating, and analyzing the data to create a front-end dashboard in a meaningful way.   

With the new announcement of version eight, it's going to give us a single point-and-click. On the front page there, that will give us a whole lot of information that we need to look into on the right panel without navigating down or going to more details, clicking here and there.

We've been using it for quite a few years now.

The solution of choice depends on the engineers and teams. If they manage Linux, they're comfortable with certain tools to read the logs. In a Windows environment, it depends on the engineers. They favor any certain tool; they would do it, but it would be to cut down costs and consolidate all the software strings.  

Splunk was not that big years ago. But then we started seeing that they put more investment into it and made the tool more useful.

We're not using the cloud version yet. This is just the enterprise product on-premises.

Splunk can improve the pricing. People like certain features, and sales use the features that they provide, the automated features, to hook customers into paying for the big-price license.

Everyone does it, like Microsoft and Cisco. Initially, you try out the free version, but once you get it in your shop and turn it into production, you start relying on it and don't want to get out. You start paying a lot more for it.

Splunk is on the right path. It's good, but it does not provide everything that we need. There's a lot more to it. I look at it as ideal for detecting in real-time, but we're always behind and just look at the log information. 

If you have a network device, a Splunk Enterprise instance, and you have to send data to it. You're relying on network connections. 

If you're using a cloud service or anything where Splunk is not on-premises, there's high latency. If that network connection is down, that's it. You don't know what's going on. So even if you have it on-prem, you're still relying on it after the fact. 

When you look at Splunk, you're looking at things that have already happened. It's nothing that's actively going out there and doing something for you. 

If you had to give it a number, from one to ten, since they've gone this far, I'd give it a five or six. Because locking or monitoring is just a part of business, and how you're going to receive those alerts and act on them is another part of it, when I look at the overall infrastructure and infrastructure management.