Valarie - PeerSpot reviewer
SOC Technical Lead at an educational organization with 1,001-5,000 employees
Real User
Top 5
Jun 23, 2024
Gives visibility into what's happening across the network and allows us to dig deep
Pros and Cons
  • "Being able to aggregate detection and alerts from various sources is valuable. Like everyone else, we have a wide range of tools in our shop. We are able to stop at one spot and look at all the data. All the data is able to come through, and we can then jump from source to source or index to index. We can dig deep whenever we need to and get a good high-level understanding."
  • "The first thing that comes to mind is a little bit of UI improvement. It sometimes can be a little bit buggy or it can be a little bit slow, but that varies from customer to customer."

What is our primary use case?

I am a SOC lead, and we use Splunk Enterprise Security for alerting and working on incident review and incident response.

We have a hybrid environment. We have multiple clouds, and I am not sure if I know all of them. We have Azure Labs that we run for our students. We have cloud infrastructure. We have cloud applications on which we need visibility.

How has it helped my organization?

It is incredibly important that Splunk Enterprise Security provides end-to-end visibility into our environment. Especially being someone who goes through and reviews the work that my analysts are doing, I definitely need to be able to see what is happening all across different domains of our network.

We work for a large university, and we have different tenants. We have our students, we have our employees, and then we have our faculty as well. We definitely need to see what is happening across the domains and across all of those different tenants.

It saves so much time for the analysts, and it empowers analysts to carry out and triage an investigation, wherever needed. It is incredibly hard when you are working with different sources. I am sure everyone else knows that you cannot expect your analysts to be on the same page a hundred percent at the time. They might say, "Hey, I am going to go into this tool and look at these alerts here, or I am going to look at these learnings from this tenant." We need to be looking at all of those sources and all of those domain tenants at once. Being able to see that across the board and not having to jump through hoops to get the data that we want is extremely valuable. I do not have metrics for how much time it has saved because I do not know our life before Splunk. I know that it has done a great deal in saving time, and now with SOAR, that is exactly what we are looking into. We are looking into how we can empower that even more by combining it with Splunk Enterprise Security.

Splunk Enterprise Security has helped improve our organization’s ability to ingest and normalize data. Splunk is definitely a leader. I cannot imagine leaving and going to another toolset and losing the capabilities that I have and the knowledge that I have. One of my favorite parts is that Splunk really does work. It seems to me that they work with actual users on a regular basis, so they know the pain points and they know what our issues or our primary concerns are.

In the beginning, it did not help to reduce our alert volume, but over time, it has definitely reduced that. Something that I am working on primarily with our SOC right now is increasing our alert volume because we are at such a low rate because of the work that we can do with Splunk's capabilities. We are looking into what areas in the network we are not alerting on. We have these out-of-the-box solutions, but there is more that we can build on. It is empowering our analysts to be SOC analysts, but the more advanced employees can work towards the threat detection engineering side or SOAR playbooks development side or even just on the backend of setting up and working with the configuration.

I wish I knew the metrics for the reduction in the alert column. I do not have any approximation, but our SOC is very manageable. We are a small team, and the number of alerts varies. On average, we get about 300 alerts a day on the high end and 150 alerts on the low end. If it is a very slow day, such as a vacation for everyone, and we do not have a lot of activity going on in the network on our endpoints, it is very manageable for a small team. Our SOC team has four full-time employees, and then we have intern/student workers because we partner with the university. We have three of them. Overall, there are seven, but, of course, students are only able to work a maximum of 15 or 18 hours a week or something like that, so the amount of man-hours that we have is pretty low.

Splunk Enterprise Security provides us with the relevant context to help guide our investigations. There could be a little bit more, but that also depends on the analysts and where they are in terms of maturity. I have a lot of capability to go and expand what I need to, but others do need a little bit more guidance. It is not easy on the first look for someone who has never done it before, but after being taught or learning about it themselves, it is pretty easy. It can still do a whole lot. If we are looking at an anonymous login, we are getting context from different sources. If there is an activity that is going on in the host machine, such as we have some login from Russia, which has never happened before, there is a firing of alerts from the EDR. We can see our email gateway firing alerts regarding their account. That allows us to contextualize and correlate the activity very easily.

Splunk Enterprise Security has helped improve our organization’s business resilience. We are able to take action immediately when we need to. Especially with risk-based alerting, we are able to understand what needs attention right now. We do work with young junior analysts a lot, and we are able to teach them how to identify what needs action right now or what needs to be investigated or triaged immediately. We are basically protecting our crown jewels first rather than some low-hanging fruit that we see everyday, but we cannot take a look at them because we have some important things going on in our network.

What is most valuable?

Being able to aggregate detection and alerts from various sources is valuable. Like everyone else, we have a wide range of tools in our shop. We are able to stop at one spot and look at all the data. All the data is able to come through, and we can then jump from source to source or index to index. We can dig deep whenever we need to and get a good high-level understanding.

What needs improvement?

The first thing that comes to mind is a little bit of UI improvement. It sometimes can be a little bit buggy or it can be a little bit slow, but that varies from customer to customer.

They can continue building out the Splunk community. They can give incentives for customers to collaborate and expand on what they are working on but also provide the tools to do that. There are good resources such as Splunktern. I love the Splunk education and training platform. It is amazing, but I wish there was a little bit more. Especially with the training and applications, they should give us real-world use cases and a little bit more specific scenarios. Splunk is doing a much better job than a lot of other organizations or technology platforms, but they can give more information. I know a lot of my Splunk users do not even realize the things that they can do. On the user end or analyst end, they need to be more proactive by giving more of a heads-up. For example, I found out about Splunk research today. I have been using Splunk for two years. I wish I had known about that more. They can reach out more. The incentives can be anything. Some people love stickers, and some people love shirts. They can create that community a little bit more.

For how long have I used the solution?

I have been using Splunk Enterprise Security for two years.

What do I think about the stability of the solution?

I do not have much to compare it to, but it is stable. We hardly have any issues, and if we do, they are intermittent. 

What do I think about the scalability of the solution?

The growth that we have seen in my time with our team has not been so much. However, we are adding more tools or trying to gain visibility into different areas of our network or applications that have already been there. Being able to throw some logs in and figure out that we should be monitoring this has been painless. We can just forward them all over. It takes an hour or so. We get the answers and the visibility that we need.

How are customer service and support?

I have not used it very often. I have used it once or twice, but I would say that the engineers I have worked with have been extremely knowledgeable. They have helped so much. We were working on SOAR, and we were pretty new to it as a SOC. We were able to work all of that out with a Splunk engineer on a call. They were able to answer our questions. They knew our needs and goals, and they were able to guide us to meet those. That has been very effective for us. I would rate them a ten out of ten. I have not had any bad experiences.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We have had Splunk since I have been in this company.

What was our ROI?

Specifically, I cannot say what return on investment we are getting. However, when we look at other products, we know we are not going to have the same capabilities and we are not going to have the same response times and correlation capabilities. Even working with other vendors and getting their logs into Splunk can be a nightmare, and that is enough to make us say that we do not want to buy their product.

Which other solutions did I evaluate?

Personally, I have not evaluated other solutions. We do have some friends and family connections who use other solutions. Based on their stories, we will continue using Splunk.

What other advice do I have?

I would rate Splunk Enterprise Security a nine out of ten. If it were a ten, it would do my job for me.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Girish R B - PeerSpot reviewer
Security Engineer at a tech vendor with 10,001+ employees
Real User
Top 20
Jun 2, 2024
Has been instrumental in improving our incident response time, especially for user authentication issues
Pros and Cons
  • "Splunk stands out for its extensive application integrations."
  • "The user interface is not user-friendly for non-technical users."

What is our primary use case?

Splunk Enterprise Security offers a wide range of capabilities that benefit our organization. This includes user behavior analytics, which helps us identify suspicious activity. Additionally, Splunk Enterprise Security allows us to create custom alerts for various internal security needs.

How has it helped my organization?

Splunk has been instrumental in improving our incident response time, especially for user authentication issues. It excels at detecting anomalous behavior, such as brute force attacks or multiple login attempts from a single source. This allows us to quickly identify and address potential security threats, making Splunk a vital tool for our cybersecurity incident response efforts.

The asset and identity management feature strengthens our overall security posture. This system relies on the creation of security roles by administrators. These roles then determine access permissions based on the principle of Role-Based Access Control. In this way, access is carefully controlled and assigned based on specific job duties. It's important to note that administrators retain a high level of access and make final decisions regarding access permissions.

Splunk offers a variety of dashboards, including real-time dashboards that update continuously. These dashboards complement Splunk's real-time alerts by providing a visual overview of our system's health. They can be built to leverage different Splunk resources, like indexes, search clusters, and host clusters. This allows us to monitor key metrics and identify potential issues in real-time, helping us maintain a healthy and efficient system.

Our SOC and Analytics teams use Splunk to monitor multiple cloud environments.

The visibility into multiple environments is good.

The insider threat detection is valuable for our organization because it helps us identify unknown threats. While we leverage existing threat intelligence for known threats through signatures and endpoint protection tools, these methods have limitations. Since they rely on predefined information, they can't be readily integrated with Splunk to monitor for and generate alerts based on these known threats. Splunk's strength lies in its ability to detect anomalies and suspicious user behavior, which can be crucial for uncovering insider threats that might bypass traditional signature-based defenses.

Splunk Enterprise Security excels at analyzing malicious activity. Our team has created several use cases to identify such activity. These use cases focus on data patterns that might indicate malicious intent, such as a sudden increase in login attempts or logins occurring outside of regular business hours. Additionally, we can identify brute force attacks attempting to crack passwords through repeated login attempts. This allows us to effectively monitor for and respond to potential security threats.

It has improved our detection ability and has helped reduce our alert volume to a manageable level.

Splunk has helped speed up our security investigation.

What is most valuable?

Splunk stands out for its extensive application integrations. It boasts a user-friendly interface with intuitive features that are easy to understand and navigate for technical users. This accessibility is a major reason why I find Splunk so appealing.

What needs improvement?

The user interface is not user-friendly for non-technical users. 

For how long have I used the solution?

I have been using Splunk Enterprise Security for three and a half years.

What do I think about the stability of the solution?

Splunk Enterprise Security is extremely stable.

What do I think about the scalability of the solution?

Splunk Enterprise Security is easily scalable.

How are customer service and support?

We have only had minimal contact with Splunk technical support.

How would you rate customer service and support?

Neutral

How was the initial setup?

The initial deployment is straightforward.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security is affordable.

While affordability is important, I recommend Splunk Enterprise Security over the cheapest option on the market. This is because Splunk offers a robust feature set that justifies its cost.

What other advice do I have?

I would rate Splunk Enterprise Security nine out of ten.

We have Splunk Enterprise Security deployed across multiple locations.

Splunk Enterprise Security requires minimal maintenance.

I recommend Splunk Enterprise Security as a scalable and reliable solution for both on-premises and cloud environments. 

Which deployment model are you using for this solution?

Private Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Splunk Engineer at a healthcare company with 10,001+ employees
Real User
Top 10
Apr 2, 2024
We can take predictive action to identify and block threats so that nothing harmful gets into the system
Pros and Cons
  • "Splunk helps us be more proactive. We can take predictive action to identify and block threats so that nothing harmful gets into the system."
  • "Splunk could have more built-in use case presets that customers can build on and customize."

What is our primary use case?

We use Splunk daily to find the root cause of attacks and analyze users attempting to access our system. We create incidents and address 5 to 7 simultaneously. Once we analyze and record the activity, we can delete the incident. Our admin team will verify whether it originated externally or internally. 

We use Splunk to respond to security incidents and for data analytics. We conduct custom correlations for the customer and write reports on any attacks. We set alerts for user behavior to discover threats, like if someone is constantly attempting to access our internal domain. The admin will identify that threat and block it. 

How has it helped my organization?

Splunk helps us be more proactive. We can take predictive action to identify and block threats so that nothing harmful gets into the system. With Splunk, we can monitor the entire environment from one place. It's a single point of control for all infrastructure, whether in the cloud or on-premise. Splunk has sped up our security investigations. 

What is most valuable?

I like Splunk's Notable Events. We have created several dashboards for our customers, where you can see the activity and number of alerts. The database receives data about the mask and domain IPs of any user trying to gain access. We ingest logs from multiple antivirus products and firewalls and analyze them to prevent attacks and threat activities.

What needs improvement?

Splunk could have more built-in use case presets that customers can build on and customize. 

For how long have I used the solution?

I have used Splunk for 9 years. 

What do I think about the stability of the solution?

Splunk is a stable product.

How are customer service and support?

I rate Splunk technical support 8 out of 10. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We previously used Dynatrace but switched to Splunk because it has more features. 

How was the initial setup?

Splunk is easy to deploy if you have some basic knowledge. You need experience. It doesn't require any maintenance after deployment. 

What's my experience with pricing, setup cost, and licensing?

Splunk is a good value for the features it provides. The license is costly, but it's better than the other tools. 

What other advice do I have?

I rate Splunk Enterprise Security 8 out of 10. I would recommend Splunk to others. It's one of the most powerful tools available. It's a valuable tool for monitoring infrastructure. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
reviewer2339811 - PeerSpot reviewer
Manager at a consultancy with 1-10 employees
Real User
Top 20
Feb 9, 2024
Provides constant monitoring and good visibility, but is not user-friendly
Pros and Cons
  • "Compared to IBM QRadar, Splunk Enterprise Security offers faster alert resolution."
  • "Splunk has a steeper learning curve, making it feel less user-friendly."

What is our primary use case?

We use Splunk Enterprise Security for security correlation and event management.

Splunk Enterprise Security is deployed as a hybrid model where the core component is on the cloud and is integrated with an on-premises solution.

How has it helped my organization?

Splunk Enterprise Security offers strong visibility through readily available use cases and supports integrations with most standard log sources. Its search capabilities are also commendable. Compared to other tools, Splunk Enterprise Security delivers superior visibility.

While we haven't integrated UEBA yet, it's in our plans. As a proactive monitoring solution, UEBA offers several benefits. It can identify Indicators of Compromise based on historical threat intelligence and generate alerts for suspicious activities. This allows us to potentially detect compromised accounts or ongoing attacks before they cause significant damage.

Splunk offers its threat intelligence service, which helps prevent IP replication and malicious threats. This information can be integrated or configured for our specific use cases, delivering more relevant and high-value insights.

Threat topology and MITRE ATT&CK are frameworks used to understand and analyze attack patterns and techniques, which can then be used to formulate and refine IOCs.

Splunk Enterprise Security's effectiveness in analyzing malicious activities or detecting breaches depends heavily on its configuration and correlation settings. Therefore, it's impossible to definitively label any tool as inherently good or bad. Ultimately, its success hinges on the organization's implementation. This includes onboarding the tool with the appropriate block sources for security detection, employing a sound risk assessment methodology, and aligning the tool's capabilities with both business and security use cases. When configured correctly, Splunk Enterprise Security can undoubtedly contribute to improvements in MTTD and MTDL.

Splunk Enterprise Security helps us detect threats faster. It allows us to define use cases, integrate with multiple threat feeds, and even connect to vulnerability solutions. In essence, by configuring all relevant log sources and defining appropriate use cases, we can achieve the primary objective of any SIEM solution: reducing mean time to protection.

Splunk Enterprise Security has reduced our investigative time by 25 percent by consolidating all logs into a central console. This eliminates the need to log into individual tools for log retrieval.

Splunk Enterprise Security helps reduce the number of false positive alerts.

What needs improvement?

In terms of monitoring capabilities, Splunk Enterprise Security performs adequately. However, its user interface requires training for efficient use. Compared to competitors like IBM QRadar, McAfee Nitro, and RSA Security Analytics, Splunk has a steeper learning curve, making it feel less user-friendly.

For how long have I used the solution?

I have been using Splunk Enterprise Security for almost four months.

How are customer service and support?

We use a licensed third-party Splunk partner for support, and I haven't heard of any issues so far.

Which solution did I use previously and why did I switch?

Compared to IBM QRadar, Splunk Enterprise Security offers faster alert resolution. Its superior indexing and searching capabilities deliver quicker query results. While QRadar boasts a more user-friendly interface, Splunk provides numerous pre-built use cases that effectively reduce false positives and feature comprehensive application dashboards.

For instance, I encountered a use case unavailable in QRadar which appears to utilize the Cyber Kill Chain framework. MITRE ATT&CK enjoys wider adoption, and Splunk leverages this framework whereas QRadar persists with the Cyber Kill Chain. Additionally, Splunk integrates with a third-party app exchange, offering functionalities like vulnerability dashboards, threat intelligence, correlation dashboards, and EPS dashboards. This extensive library of applications caters to diverse business use cases. Users can install these applications as needed, making Splunk a highly customizable and feature-rich solution. Although undeniably expensive, its capabilities justify the cost.

What's my experience with pricing, setup cost, and licensing?

While Splunk is a powerful enterprise tool, I'm new to it myself. I've heard Splunk is often preferred over other options, but the cost can be prohibitive for smaller organizations.

There are cheaper SIEMs available, but they require much more manual configuration, typically by developers with scripting knowledge. Splunk does not require this manual configuration, and its parsing, indexing, and visibility are superior.

What other advice do I have?

Based on the limited time I have been using the solution and the feedback I have received from other users, I would rate Splunk Enterprise Security a six out of ten.

Without a SIEM solution, we rely on individual point solution consoles. For example, logging into a firewall reveals only local logs. Imagine the firewall detects suspicious IPs generating unusual traffic. Confirming this as a true or false positive is difficult solely based on firewall rules. Conversely, a SIEM offers multiple options for correlation. Say the firewall denies traffic, and threat intelligence identifies the source IP as malicious. Additionally, web server logs might show suspicious activity or bad actors attempting an attack. With multiple logs and threat indicators, the chance of false positives drops significantly. Correlation enables confirmation of genuine traffic versus malicious activity. Without a SIEM, pinpointing true attacks from false positives becomes challenging.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2747775 - PeerSpot reviewer
IT Security Operations Manager at a retailer with 1,001-5,000 employees
Real User
Top 20
Aug 5, 2025
Early incident detection has saved the company from financial losses
Pros and Cons
  • "Incident detection is the positive impact I have seen from Splunk Enterprise Security; it probably saved the company from financial losses because of the early detection of the incidents."

What is our primary use case?

For incident detection, this is the main purpose for which I can use the product. That is the only use case for my team. It may be different for my team who is actually processing the incidents and a bit different for me, as I am a manager. For me, the most important aspect is making statistics over a period, seeing who did what, and extracting all the needed information. It is quite easy and intuitive.

What is most valuable?

Incident detection is the positive impact I have seen from Splunk Enterprise Security. It probably saved the company from financial losses because of the early detection of the incidents. I cannot say about ROI because I am not involved in financial matters, so I cannot estimate any kind of cost.

What needs improvement?

There are so many products and features that it may be quite hard sometimes to find something that you are looking for. Search capabilities or maybe some kind of AI assistant helping to find what you want would be beneficial improvements.

For how long have I used the solution?

I have been dealing with the product for about seven years.

What do I think about the stability of the solution?

From time to time, there are some glitches with stability. Some logs are missing, and we have an external SOC team handling this license for us. Whenever there is something wrong with Splunk Enterprise Security, they need to raise a ticket, and it can be time-consuming to wait for them to reply; this is also a disadvantage.

What do I think about the scalability of the solution?

It is easy to scale up or down if you have the money. The solution is quite pricey not only because of the license but also when scaling it and maintaining it.

How are customer service and support?

I have not raised any ticket myself, but I have heard some not very good stories about technical support from Splunk Enterprise Security. Support did not provide quick enough help.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have not been using any other competitors.

How was the initial setup?

I have no idea about installation because I took no part in it.

What about the implementation team?

We have a dedicated team that is doing all the configuration of Splunk Enterprise Security for us. We are just managing what has been prepared for us.

What was our ROI?

It saved the company from financial losses because of the early detection of the incidents. I cannot say about ROI because I am not involved in financial matters, so I cannot estimate any kind of cost.

What's my experience with pricing, setup cost, and licensing?

I heard the solution is quite pricey.

Which other solutions did I evaluate?

I have not been using any other competitors.

What other advice do I have?

Users should know what they are looking for. Splunk Enterprise Security is probably customizable enough that they could achieve their goals, but they need to know what they want to get from it. On a scale of 1-10, I would rate Splunk Enterprise Security an eight overall.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Aug 5, 2025
PeerSpot user
Senior Observability and System Consultant at a tech services company with 11-50 employees
Real User
Top 20
Jun 19, 2025
Splunk Enterprise Security is a powerful and scalable SIEM solution that excels at real-time threat detection and analytics, but can be complex and costly to deploy and manage.
Pros and Cons
  • "Splunk Enterprise Security is a very useful application to collect all the logs and also to find out the problems. You can easily create whatever you want by using its features, and it also has the capability to collect from all kinds of different platforms. Splunk Enterprise Security provides me with all the alerts."
  • "I didn't face any major issues with Splunk Enterprise Security. There were only one or two issues related to the user account, but nothing major."

What is our primary use case?

My main use case for Splunk Enterprise Security is centered around threat detection and incident response. I’ve configured correlation rules and alerts within the SIEM to proactively detect suspicious activities. The environment includes multiple servers and security devices from which I collect log data using forwarders. These logs are ingested into Splunk, parsed, and analyzed to identify anomalies, security issues, and performance concerns. This setup helps streamline investigations and reduce response time to potential threats.

How has it helped my organization?

Splunk Enterprise Security has significantly improved our organization by centralizing log management, enhancing visibility into security events, and enabling faster detection and response to threats. The customizable dashboards, real-time alerts, and powerful correlation capabilities have streamlined our incident response process and reduced investigation time. It has also helped us meet compliance requirements more efficiently by automating reporting and audit trails.

What is most valuable?

Splunk Enterprise Security’s most valuable features include its powerful log aggregation from diverse platforms, flexible search and correlation capabilities, and customizable alerting system. It allows me to collect logs from virtually any source—servers, firewalls, cloud services—and create custom rules to generate meaningful alerts. The flexibility of Splunk’s Search Processing Language (SPL) makes it easy to build tailored dashboards, identify threats, and quickly pinpoint the root cause of issues, significantly improving operational efficiency and threat detection accuracy.

What needs improvement?

While Splunk Enterprise Security works well overall, improvements could be made in user management—particularly around simplifying role-based access controls and troubleshooting user account issues. Additionally, future releases could benefit from:

Improved UI/UX: A more intuitive interface for new users and simplified dashboard customization.

Built-in Use Case Library: More out-of-the-box security use cases and alert templates to reduce setup time.

Cost Optimization Tools: Better native tools to monitor and manage licensing usage and storage costs.

Enhanced Cloud Integration: Streamlined and more secure integration with major cloud providers for hybrid environments.

These enhancements would make the platform even more user-friendly and efficient.

For how long have I used the solution?

I have been working with Splunk Enterprise Security for about two years.

Which solution did I use previously and why did I switch?

I previously used Dynatrace and open-source tools like SigNoz. While Dynatrace excels in application performance monitoring, it requires an additional license fee for server-side log collection, making it less ideal for centralized log management and SIEM use cases. SigNoz, being open-source, offers basic log management but lacks the depth, scalability, and advanced threat detection features of Splunk Enterprise Security. I switched to Splunk Enterprise Security because it provides a comprehensive, all-in-one solution for security monitoring, log aggregation, and real-time alerting, which better fits enterprise-level security needs.

How was the initial setup?

The initial setup of Splunk Enterprise Security was straightforward. I followed publicly available documentation, which was clear and easy to understand. The installation and configuration process went smoothly without any major issues. From initial setup to full deployment—including log collection, rule configuration, and dashboard setup—everything was completed in about two days, demonstrating how well-documented and accessible the deployment process is for users with a solid technical background.

    What other advice do I have?

    I would rate Splunk Enterprise Security an eight out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Last updated: Jun 19, 2025
    Daniel Hammons - PeerSpot reviewer
    Senior Director of Detection and Response at a consultancy with 10,001+ employees
    Real User
    Top 20
    Jun 23, 2024
    Integrates easily with other solutions and speeds up investigation and response
    Pros and Cons
    • "The incident review pane is the best part of it because that is where the SOC lives. It is the heartbeat of what the SOC needs to do. You are able to start the investigative process. As you are sitting in the incident review pane, you see the alert, and from that one alert, which is called a notable alert, you can drill in and see all the different specific details that are tied to that."
    • "Being able to have a one-stop shop where you have the alert, but then you can generate the case right there from Splunk Enterprise Security instead of having to pivot to another tool such as Mission Control. You do not have to keep bouncing between them, so if you could do it all in one place, that would be great. The new release is supposed to start getting in that direction."

    What is our primary use case?

    There are a lot of use cases for Splunk Enterprise Security. The main one is when you are trying to detect an authentication attack. There are lots of people trying to get access to a system, so they are constantly trying to authenticate. Splunk Enterprise Security can quickly detect that through its correlation engine. If there is a specific attack with an anomalous number of users trying to log into a system, it generates an alert. Our SOC is then able to analyze that alert and determine whether it is a false positive or a true event. If it is a true event, they can work towards containing that attack. If anything is a success, they can quickly provide that information to our incident response team.

    How has it helped my organization?

    The benefits that we have seen from using Splunk Enterprise Security have been faster response time and faster enrichment of information so that the analyst can act and respond in a more timely and efficient manner, which then provides more information to leadership, such as myself. We are then able to respond. We know how to present risks and how efficiently our SOC is doing to our senior leaders. There is a 30% to 40% improvement because, with the system we had before, the capability of figuring out what was going on to analyze the event was cumbersome. Splunk Enterprise Security has driven and given analysts the ability to analyze a lot more efficiently.

    Splunk Enterprise Security provides end-to-end visibility into our environment. It is very critical for us.

    Splunk Enterprise Security helps us find any security event across multi-cloud, on-premises, or hybrid environments. It helps in all of this. We have multi-cloud environments. We have all four main cloud environments. We also have our on-prem environments. We have also set up a hybrid environment. It has improved our ability to detect and find needles in the haystack that we were not able to see before. There are lots of things they have been able to detect. People were installing things and misusing AUP violations that we were not able to see before.

    Splunk Enterprise Security helped reduce our alert volume with the implementation of risk-based learning. When you are doing risk-based learning, you can definitely reduce the volume, but initially, when you move from one SIEM to Splunk Enterprise Security, you do not really reduce volume. You are generating more. Because you are getting better visibility, you are generating more information for the analysts to look at, and then over time, as Splunk Enterprise Security and the team learn the environment, you are able to tune down and then use the risk-based alerting to help reduce a lot of false positives.

    Splunk Enterprise Security provides us with the relevant context to help guide our investigation. There are limitations, which is where Splunk SOAR helps with the enrichment of the information, but it definitely provides good context. In the notable alerts, it provides a lot of key information that you need, and then there is the ability to drill in to see what the actual events were, so it really helps.

    Splunk Enterprise Security is efficient at predicting, identifying, and solving problems in real time. With the correlation rules, the ability to have adaptive responses, and the ability to tie in even machine learning into that, we are able to do real-time analysis and quickly gather and detect.

    Splunk's unified platform helps consolidate networking and security tools, but sadly, our organization does not use IT observability tools. We are purely from a security perspective.

    What is most valuable?

    It has so many features. The incident review pane is the best part of it because that is where the SOC lives. It is the heartbeat of what the SOC needs to do. You are able to start the investigative process. As you are sitting in the incident review pane, you see the alert, and from that one alert, which is called a notable alert, you can drill in and see all the different specific details that are tied to that. You then have adaptive response action that can be taken automatically on that, or you can even drill in to look at what events drove that alert to be created. You can then start doing more hunting and querying that way. There is so much information contained in the notable alert itself in that panel. It helps to drive the direction of where the engineer should go.

    What needs improvement?

    I am looking forward to seeing what is coming out in the new release that was announced, but case management is an important thing. Being able to have a one-stop shop where you have the alert, but then you can generate the case right there from Splunk Enterprise Security instead of having to pivot to another tool such as Mission Control. You do not have to keep bouncing between them, so if you could do it all in one place, that would be great. The new release is supposed to start getting in that direction.

    For how long have I used the solution?

    I have one environment that has been using Splunk Enterprise Security for two years in the Splunk Cloud. I am currently in the process of migrating my on-premise corporate environment to Splunk.

    What do I think about the stability of the solution?

    At this point, Splunk Enterprise Security is very stable.

    What do I think about the scalability of the solution?

    It is very scalable. Particularly, when you do search and clustering, you are able to scale rapidly to be able to meet the demands of what is needed for your SOC. The data model setup helps to quickly drive and get rules created without having to need a new data source or a new rule. You just send that new data source to one of the data models, and you already have the rules there, and it automatically starts generating alerts based on those existing rules.

    How are customer service and support?

    I would rate their support a seven out of ten. Sometimes, you get some solid people, but other times, it takes a bit of effort to get across what the actual issue or situation is. This is a challenge for any help desk organization, particularly when you have lots of customers calling in and all of them with unique situations.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    We were using another tool previously. There were many reasons for switching. One big reason was the ease of integration of data into the tool. With the previous tool, to integrate a normal log source, such as an identity access tool, into the SIEM, we had to pay for PS engagement in order to even get the information in. Splunk has native integration with all these different apps. It is natively tied to all the different IDAM and ID tools out there. It is very easy for the team to implement it themselves. They do not have to go and get extra help to do it. They can install the app, get the keys and authentication set up between the two new tools, and then it just works.

    How was the initial setup?

    Our deployment experience was just fine. I deployed Splunk at other companies before, so it was not new to me to do it with this company. The pricing and everything else went smoothly. The Splunk team was super helpful. They were very engaging. They helped to build it. We were able to get access to Splunk engineers who worked for Splunk, and they helped define the sizing. They went through and evaluated what our current solution was and helped us build out what we needed in order to meet and exceed that capability. Splunk has been super helpful.

    For one environment, I am using the public cloud, and then for my other environment, I am using an on-premise setup. We have the AWS cloud.

    What about the implementation team?

    We did use professional services to help with this. At my previous company, I would not have used professional services because I had a team of Splunk architects who knew what they were doing and knew how to do it. In this company, we were moving from a different technology to Splunk. My teams were not as familiar with Splunk, so I needed the extra help. We had the help of Splunk professional services and third-party professional services. We used Verizon.

    What was our ROI?

    The environment that we had set up has been running for two years. I had planned that initially for a certain amount of growth, but within the first year, we had already doubled the size of the data. It was able to handle the information so much more efficiently that a lot of the groups that were not integrated into the SIEM before started saying that they needed their data monitored as well, so we started growing quite quickly. It has helped us exponentially.

    Which other solutions did I evaluate?

    I evaluated several SIEM solutions before choosing Splunk. With Splunk, we had the ease of integration of data because getting the data in as quickly as possible and making use of it is important. Another area is that in certain tools, you have to generate one rule per data source, whereas Splunk has the data modeling capability where you have all the data sources going into the data model, and then you create one rule per data model instead of per data source. It helps reduce the workload for the system, so there was that aspect of more performance than any other solution.

    What other advice do I have?

    I would rate Splunk Enterprise Security a nine out of ten. It is a market leader from a SIEM perspective. It has bells and whistles, but it does not let you get lost in those bells and whistles. It helps drive the analyst into what is the most important thing that they need to focus on, and that is protecting the company. They are able to be more efficient. They are able to help do what the mission of the company is, and that has enabled the company to not worry about the security part. Without a risk, they are able to do their business and help their customers.

    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
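Added illustration, not code from the reviewer or from Splunk: a small Python sketch of the two ideas this review describes, normalizing log lines from different sources into one common authentication model and then running a single failed-login rule over that model rather than one rule per source. The log lines, field names and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines from two different log sources (not real data).
# Source 1 looks like Linux sshd; source 2 is a comma-separated application audit log.
SAMPLE_LOGS = [
    "sshd[1001]: Failed password for alice from 203.0.113.7 port 5001 ssh2",
    "sshd[1002]: Failed password for bob from 203.0.113.7 port 5002 ssh2",
    "sshd[1003]: Accepted password for carol from 198.51.100.9 port 5003 ssh2",
    "app-audit,login,FAIL,dave,203.0.113.7",
    "app-audit,login,FAIL,erin,203.0.113.7",
    "app-audit,login,OK,frank,198.51.100.9",
]

SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<action>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


def normalize(line):
    """Map one raw line onto a common authentication model (src, user, action).

    Returns None for lines no parser understands, so gaps in coverage are
    visible to whoever onboards new sources instead of being silently dropped.
    """
    m = SSHD_RE.search(line)
    if m:
        action = "failure" if m.group("action") == "Failed" else "success"
        return {"src": m.group("src"), "user": m.group("user"), "action": action}
    if line.startswith("app-audit,login,"):
        _, _, result, user, src = line.split(",")
        return {"src": src, "user": user, "action": "failure" if result == "FAIL" else "success"}
    return None


def failed_login_rule(events, threshold=3, min_distinct_users=2):
    """One rule over the model: a source with many failures spread across several users.

    Requiring several distinct users separates a password-spray pattern from a
    single user mistyping a password, which keeps false positives down.
    """
    counts = defaultdict(int)
    users = defaultdict(set)
    for e in events:
        if e["action"] == "failure":
            counts[e["src"]] += 1
            users[e["src"]].add(e["user"])
    return [
        {"src": src, "failed_count": n, "users": sorted(users[src])}
        for src, n in counts.items()
        if n >= threshold and len(users[src]) >= min_distinct_users
    ]


def run(lines):
    """Normalize every line, then apply the rule once. Returns (notables, unparsed_count)."""
    parsed = [normalize(l) for l in lines]
    events = [e for e in parsed if e is not None]
    return failed_login_rule(events), parsed.count(None)


if __name__ == "__main__":
    notables, unparsed = run(SAMPLE_LOGS)
    print(f"{len(notables)} notable(s), {unparsed} unparsed line(s): {notables}")
```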
    Vijay Lakshmanan - PeerSpot reviewer
    Associate at a consultancy with 10,001+ employees
    Real User
    Top 20
    Jun 6, 2024
    Provides centralized monitoring, customized dashboards, and speeds up security investigations
    Pros and Cons
    • "The most valuable features in Splunk Enterprise Security are the cluster capabilities."
    • "The licensing price is high and has room for improvement."

    What is our primary use case?

    I'm part of the Splunk operations team, which means I support Splunk functionality and occasionally conduct threat management onboarding. We assist various teams with threat-related tasks. If they need help bringing log sources into Splunk, we guide them through the process. Once the logs are onboarded, we create correlations to identify threats, troubleshoot issues, and help mitigate potential risks.

    How has it helped my organization?

    We handle incidents through a queue configured in our event management system. This includes automated incidents for our Splunk infrastructure, like server health checks, and user-reported issues where functionalities like the fetch score aren't working. We address all incidents, whether automated or user-raised, through this system.

    We've made significant improvements to our Splunk infrastructure to support our internal teams. This ongoing effort focuses on helping application teams onboard logs from various applications for their review and troubleshooting. We've streamlined the onboarding process, improved data quality, and ensured smooth data consumption for our internal users.

    Splunk Enterprise Security offers multi-cloud environment monitoring capabilities that we can utilize for our users if they require it.

    We can build a dashboard in Splunk to centralize the monitoring of critical information. This dashboard can display key metrics for onboarding methods and log sources we actively track, providing a clear view of our entire monitoring environment.

    While Splunk Enterprise Security offers good threat detection capabilities, our current process limits visibility into user activity. When users request correlations, we create the code and configure everything on our end, and then they test and work on it from theirs. This lack of transparency extends to threat management, as we can't directly see tickets in their separate ServiceNow system. If they encounter issues, they share details in a document for us to review and address.

    It comes with a large collection of correlation searches, but we'll need to review them to find the ones that match our specific needs for monitoring malicious activity. Once we've identified the relevant searches, we can customize or recreate them within the correlation settings to best suit our environment.

    Splunk Enterprise Security helps us detect threats faster.

    Splunk Enterprise Security is a good monitoring tool that allows us to track specific details by creating custom queries. For instance, to monitor a particular organization's infrastructure, we would first onboard their logs and then create queries to capture relevant information. This way, any suspicious activity, attacks, or other events would be easily identified within the infrastructure. Additionally, Splunk's checkup operation minimizes the chance of missed alerts by automatically identifying detections, ensuring near-complete coverage of around 99 percent unless there are outages or limitations with global agents.

    Splunk Enterprise Security helps us speed up our security investigations.

    The customizable dashboard for our security operations is a good feature.

    What is most valuable?

    The most valuable features in Splunk Enterprise Security are the cluster capabilities.

    What needs improvement?

    The licensing price is high and has room for improvement.

    For how long have I used the solution?

    I have been using Splunk Enterprise Security for four years.

    What do I think about the stability of the solution?

    Splunk Enterprise Security is stable.

    What do I think about the scalability of the solution?

    Splunk Enterprise Security can scale according to our needs.

    How are customer service and support?

    The technical support has been successful in resolving the majority of our cases.

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    While the deployment process itself is simple, the number of personnel needed varies depending on the infrastructure size and user base. A small deployment for 50 users can be completed by two people, while larger deployments supporting over 500 users may require up to 15 people.

    What's my experience with pricing, setup cost, and licensing?

    The Splunk Enterprise Security license is expensive.

    What other advice do I have?

    I would rate Splunk Enterprise Security eight out of ten. Splunk improves user efficiency by streamlining workflows and enabling the detection of anomalies within data.

    Splunk Enterprise Security is deployed across multiple locations in our organization.

    To ensure our data remains secure, Splunk servers require monthly maintenance. This maintenance includes installing security patches that address vulnerabilities and prevent unauthorized access to our information.

    Which deployment model are you using for this solution?

    Private Cloud
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Buyer's Guide
    Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.
    Updated: December 2025