Splunk Enterprise Security Reviews

The most valuable feature of Splunk is security information and event management(SIEM). Additionally, the solution is easy to use, has useful reports, and good interface.

I have used Splunk within the past 12 months.

Splunk is stable, and this is why many customers want it.

The scalability of Splunk is good. Customers can purchase 100 GB now and if they wanted more, they can immediately add an additional 100. The customer will have to only pay for additional licenses.

I hear that customers usually have support on time from the Splunk team. Generally, they are satisfied with the response they receive from Splunk.

The total time of the implementation depends upon the customer's requirement. The factors that affect the implementation time are the type of use case, the environment of deployment, one location or multiple locations, number of devices, and applications. The requirements play a large role in the time it might take for implementation. You cannot simply explain in one week or one month.

There are two to three people required for the implementation of Splunk.

The price of this solution is expensive. However, it has great features. If you want a great solution you need to pay a price matching the features.

If this solution matches the needs of your use case then I would give it a try.

I rate Splunk a nine out of ten.

I have some experience with the solution, since I am working with customers who are interested in part time help monitoring their network and have been helping them fine-tune the rules in the solution's platform. The way the primary task works is to watch for and then respond to the threat. Should there be a need, I usually work with a team in fine-tuning the rules on this platform. We are providing the products.

I recently started working primarily on the Playbooks of the Splunk Phantom, so I've been creating some of these to help the customer automate the process of responding to the threats.

What is nice about the solution is that it makes it easy to build the queries, search for the events and then do analysis. I recently have become involved in the Playbooks, since it is painful for the client to respond to the threat, be it positive or negative. As such, I currently see the Phantom component of the solution to be of great value. Otherwise, most other features seem to be similar to Netwitness, such as the monitor log, network, and endpoint capabilities. Importantly, the solution lacks endpoint options, as these are currently deployed on Cisco, which is okay, as it works fine with that bad side of the endpoint security. This translates into them building queries, rules and then Playbooks. 

The main advantage of the solution is that it provides an easy setup platform in the new environment. When set up afresh, it is also easy to build queries. Historical queries can be used to site for a new event, which makes it easy to use, deploy and understand.

Endpoint access is the only issue I can think to mention, even though the endpoint access we have with Cisco is fine. 

I have been engaged in the production environment of Splunk for around a year and have been reading up on it for a long time.

I would rate Splunk as one of the big five platforms. I would give it a high rating based on the efficiency of the platform. 

Splunk allows one to easily scale up this platform. One can add more interfaces to that platform if he gets more data. 

I usually rely on the Splunk community for information, such as discussions of incidents and other issues which others are facing. I feel the Splunk community to be an excellent source of information for me.

Out of the three platforms I have been dealing with, I feel the initial setup of Splunk to be the easiest. I found it a bit difficult to set up a new environment with RSA Netwitness. Splunk, on the other hand, I have found to be very straightforward and an uncomplex platform. 

I have been proposing to management to take the solution to be a primary product in our dealings with it. We do not encounter many issues involving the solution. One of the problems I have with the RSA Netwitness platform is its complexity. Splunk is straightforward for us when it comes to views and it provides us the network security posture.

The ability for the solution to work with Cisco shows that the solution can work with other products. The only thing is that when the solution is compared with other vendors, one sees that there is only a single other vendor that has endpoint security like this one, Netwitness platform having its component for the endpoint. This is why an integrated endpoint would be a nice feature, even though the solution works on Cisco. 

The main advantage of the solution is that it provides an easy setup platform in the new environment. When set up afresh, it is also easy to build queries. Historical queries can be used to site for a new event, which makes it easy to use, deploy and understand. 

When it comes to a data platform, there is RSA NetWitness, which may also be a good platform. I have not done much training of my own on Splunk, but have gained much experience through learning and working with clients that I support. This is because the platform is understandable. 

I would rate Splunk as one of the big five platforms. I would give it a high rating based on the efficiency of the platform. Clearly, I cannot include Wazuh in the top five categories, as its rating is not up there with Splunk, Qradar and LogRythm.

I cannot think of anything disadvantageous about Splunk, as we are talking about a product that I like. I feel the solution has beautiful features. 

The decision to go with Splunk would depend on the business needs of the individual. I know that Splunk has both a cloud and an on-premises option. Sometimes, such as when it comes to conferences, there is no need to move some of the data to the cloud for the purpose of complying with regional requirements. There may be a need to retain some of it and a person might wish for a mixture of on-cloud and on-premises capabilities.

I rate Splunk as an eight out of ten. It is a robust platform and easy to use. 

We employed Splunk Enterprise Security for one of our projects. Integrating it into our environment involved opening network ports and making necessary connections.

We had the opportunity to assess visibility in various environments, including on-premises. On-premises visibility has proven to be both satisfactory and advantageous.

We use the threat intelligence management feature. 

We have been considering implementing certain frameworks, such as MITRE ATT&CK or threat topology features.

It contributes value by enhancing resilience, crucial for adopting a Security Information and Event Management solution. Site resilience is imperative for our organization, meeting a key security requirement.

I have been working with it for three years.

It provides good scalability capabilities.

The technical support is among the best in the market. While we didn't have extensive interactions with the support team, we are satisfied with it. It offers support services locally in my country. I would rate it ten out of ten.

Positive

The initial setup was straightforward.

The integration and initial setup of Splunk were managed with the assistance of local support.

Overall, I would rate it eight out of ten.

We are currently using it with SIEM, and SOAR which is Security Orchestration, Automation, and Response.

Splunk is primarily used for security, incident response, and security analytics.

Using Splunk, give us the visualization we need, we can easily observe things such as user behavior analytics, irregular traffic, frequency, and any spikes in unusual activity inside the network.

The additional vendors we've brought on board, particularly the Elastic, have been quite beneficial.

It's a solid platform.

Other than the pricing modules, I have no issues with the product itself.

The configuration had a bit of a learning curve.

I would like to learn more about the Cloud solution, but I'm aware that it's lacking some core applications.

If they could bring on more vendors, you would be able to monitor a larger number of applications. We could have visualization with other applications we have with the infrastructure in our organization.

I did a POC, but we have recently procured it. We did a rudimentary setup to get an understanding of how it works. We are into our sixth month of using it now.

Splunk is a very stable solution.

This solution is quite scalable.

In our organization, we have 10 users, who use this solution but we have plans to increase our usage.

The technical support has been quite helpful.

The previous solution was limited in its functionality. 

We were looking at the additional controls that enterprise security may have, as well as visualization, to gain greater visibility.

Splunk offered us more visibility.

The initial setup was complex.

We had some assistance with the actual deployment, but while I was doing the POC, I was working with a vendor. There were things I had to do myself, such as the configuration, which was a bit challenging for me, it was a big learning curve.

For the installation, we received some assistance from the vendor.

It's too early to know if there will be a return on investment.

The pricing modules could be improved.

The licensing fees are paid on a yearly basis.

There is a standard license with provisions for more. As we are still exploring the functionality, there may be other departments that want to use it.

Those who are interested in implementing this solution should be prepared to dig deep into their pockets.

I would rate Splunk a nine out of ten.

Our primary use case was really as a client organization, like the government and the IT industries, we are in the telecoms sector. We analyze security reports. We use Splunk to order them and put them in a system and we use the various kinds of integration with Oracle Cloud which is helpful.

Every tool has a drawback. Some aspects of this solution are secure but getting clean data from the cloud takes time. Looking towards the future, I'm looking for a tool that is the most secure in the cloud environment. 

It's very flexible. If you look from the cloud implementation it is there. Reports are made quickly. Unlike other tools, it caters to all kinds of technical information on the front very easily. There's no need to put in any technical information. You can pull up the reports very easily, take action, and notify stakeholders.

I would like to see them develop integration with the help of a rack rest API. Which is an API that helps to secure communication with oracle cloud and pull down records from there.

This integration is currently missing in current version of splunk. I'm looking forward to see this feature getting implemented  in next version of Splunk and so that organizations can get benefit of this  feature in future.

Stability is very good. 

Scalability is good. It's scalable enough. You can play around with this tool. Scalability is one of the main criteria we look for when considering solutions. 

The setup depends on the organization. It is very simple here. You can easily install all of the businesses in the company network. Previously, it was suggested that this solution is not flexible enough. It does not give us permission to implement on-premise so we implement them on the cloud. 

We also looked at HP ArcSight and two other solutions. 

I would rate this solution a nine out of ten. I rated it a nine because every tool will have its drawbacks but ultimately it's a very good tool in comparison to HP ArcSight. If we can add on a scalability feature it would significantly improve the solution. 

I would advise someone considering this solution to use it at least for a year to get a hands-on and technical understanding because it's a good product. Then decide whether or not to move forward with Splunk - but I would advise to stick with Splunk. 

We use it for logging, essentially for auditing and troubleshooting errors in production and finding out what happened.

I have used the product personally for five years and at my current company for a year and a half.

I haven't had any problems with it so far.

There are a lot of plugins to integrate this. The client site login is pretty extensible and probably cost-effective. Plus, it is easy to configure.

I would like some additional AI capabilities to provide additional information about things going wrong and things going well.

It is very stable. We have not had any problems. 

We had to upgrade when it was on-premise, but then we went to cloud version, which is very good.

It is pretty scalability, even though we have a lot of logs. It runs well.

I assume that the pricing is reasonable, because if it was too costly, there are other alternatives. However, with some of the other solutions, you have to spend time on them and manage them yourself. It might also take you three times to get it right. So, Splunk may be more costly upfront, but in the long run, it saves on time and man-hours.

I would consider ELK Kibana a competitor for this solution. If you have time, and you want to do it yourself, you can save a little money going with Kibana. However, Splunk is pretty good and I would recommend an enterprise to switch to Splunk.

There is a lot that we monitor with it. We monitor outbound URLs. We monitor unusual traffic, unusual user logins, and excessive user logins. We monitor whether or not users are logging in from VPN or not, what IPs they are accessing, or whether a user is signing in from multiple IP addresses minus the VPN. 

My organization was already using Splunk Enterprise Security when I was brought in, so I cannot say how it has improved the organization, but I can see that if they did not have Splunk Enterprise Security, there would be a significantly more workload. They would definitely need more manpower. Splunk Enterprise Security definitely helps with a lot of the prebuilt dashboards and other things that come with it out of the box.

Splunk Enterprise Security has reduced our mean time to resolve by 50% to 75%.

Being able to track impossible travel logins and things of that nature is valuable. We can track user logins from various IPs, various countries, and at various times to see if everything adds up. We can check to see if it makes sense that someone logged in from China and in the US within an hour.

There is machine learning with Splunk Enterprise Security, and based on the keynotes at the Splunk conference, there is going to be some AI involved as well. My biggest struggle with Splunk, in general, is memorizing all the commands. If I want to know which users have logged in between certain hours, I cannot write that query out. It would be helpful to have AI so that I can explain in simple terms what I want and then the search gives that back to me. I am waiting for that. That is going to be my bread and butter because my big thing is that I just cannot remember all those commands.

If you have a dashboard that is too large with too many searches, it tends to get bogged down. If you create various different dashboards, you can bypass the issue of not having enough resources to load all the things you need to load.

I was brought onto the team recently. They have been using it for about two years, so I am just catching up in learning as I go. All in all, my experience with Splunk and AWS is about ten months to a year.

It is very scalable.

I have not had to interact with Splunk support. Most of the issues that I ran into can be solved by reaching out to a team member.

I have not used any other similar solution previously. Prior to working with Splunk, it was just basic IT administration work involving monitoring with different tools, such as Trellix FireEye. I am not sure how to compare them with Splunk.

My organization had Splunk Enterprise Security before I got in.

I have not seen an ROI because I am not at level two, but I am sure my bosses have seen an ROI.

We have definitely seen a time to value in terms of being able to take what Splunk Enterprise gives us and view it. It gives us more information in an easier way versus us doing everything ourselves. That alone saves time. If we save one second a day over a year, we are going to save minutes, so these little bits of time add up.

The price can always be lower, but it is fair at the moment.

The cost efficiencies depend on the licensing and how much data we are bringing in. We have a fairly large footprint, so it is cost-effective.

Being at the Splunk conference and seeing all the ways in which Splunk can be used versus the way that I use Splunk is mind-blowing. It is a Pandora's box of tools. One of the things I saw today was manufacturing and the types of data that manufacturers can receive from Splunk within the technologies that they have. It is mind-blowing. Splunk is awesome.

Overall, I would rate Splunk Enterprise Security a nine out of ten.

As there is no SIEM solution here at present, we are building it up through the assistance of a vendor. In the past I worked in the Splunk Cloud, which was seven-point something. With QRadar I worked on version 7.3. 

We use Splunk Cloud as a SIEM solution and to monitor traffic and the network for detection purposes. We can create use cases so that if the solution picks up on anything entering our organization, the malicious IP can be blocked. 

In respect of ones which are suspicious, based on the logs we pull from the data source, we can build the use cases accordingly and have our analysts work on these. 

In the several years I have worked with the solution, I have felt there to be a need for practice of queries and understanding. As with other areas needing practice, the more one learns and practices, the easier things become. 

While this is not terribly difficult, it is so when compared with QRadar. This holds true when we don't know the queries at all. Other than this, it is a great tool. 

The solution should also have more advanced capabilities in comparison with QRadar, which offers Watson. The product should have add-ons. 

The solution is stable and reliable. 

The solution is easy to scale, to add on and to integrate with other solutions. I am familiar with app integrations. Many solutions can be integrated with Splunk Cloud, such as CrowdStrike or Symantec. 

The solution's response time is not that fast. The experience of some of my peers is that the vendors have actively offered help. By contrast, when I tried Splunk Cloud's technical support I did not receive a response. 

We have not yet undertaken deployment. For the moment, we are on the EPS and discussing the proposed structure with the vendors. Our team is conducting talks with the vendors of QRadar. 

We are exploring multiple avenues in search of a one-SIEM solution. 

I am not in a position to comment on the pricing. 

By comparison, I feel QRadar to be better than Splunk Cloud, since it comes with Watson. 

Another advantage is that QRadar works like a threat intelligence tool. It, also, does not require queries, which Splunk Cloud does. It is important that we have an understanding of the queries for the purpose of pulling the logs which we seek. I feel QRadar to be better than Splunk Cloud, as it does not require us to work on the queries. 

I have worked on Splunk Cloud in the past, as well as on QRadar. As there is no SIEM solution in my current organization, we have plans to build it up. This is an ongoing process. I have suggested QRadar to my team and others are considering Sentinel. 

The solution is deployed on-cloud. 

I would recommend the solution to others since there are a couple of companies with many clients that are looking for Splunk Cloud, with which they are familiar. We must consider client demands when it comes to attracting projects. 

Even in India, most of the companies employ Splunk Cloud as the most prevalently used SIEM solution. Then comes QRadar, which is easier. So too, Splunk is less cost-effective than QRadar, although it is more in demand. There are a couple of companies with call centers that request Splunk Cloud. 

I rate Splunk Cloud as a seven out of ten.