Splunk Enterprise Security Reviews

I use Splunk for visualization, reporting, monitoring, log aggregation, and other security purposes. We gather various logs into one place and analyze them based on specific business use cases to get high-level insights that inform decision-making at every level of the organization. We also use it to aggregate other IT logs — not just security. 

Our organization is working in a massive on-prem environment. We're one of Splunk's oldest clients. It's convenient to migrate everything to the cloud, and we would have more flexibility. However, we currently have our resources and everything established to use Splunk on-premises, so we aren't switching to a cloud environment.

Splunk allows us to monitor logs and track suspicious activity in real time. With the help of the SOAR platform powered by AI and ML, we can respond quickly. Our security posture is better, and we can resolve security incidents quicker. Splunk has improved our visibility by providing critical security metrics in our dashboard and strengthened our security controls. 

The number of alerts we receive is similar to what we saw using our previous solution. While it hasn't necessarily reduced our alerts, Splunk is improving our resolution time and overall security.

I like Splunk's automated threat detection and orchestration capabilities. Splunk offers a single solution for analyzing, aggregating, correlating, monitoring, reporting, visualizing, etc. You can get all of these capabilities in one place. On top of that, it provides a cloud, testing, on-premise, and hybrid solution, giving customers more flexibility for their use cases. 

Splunk's real-time monitoring is one of its best features.  The user interface gives you a single dashboard to directly view all the high-level information. The security incident monitoring and investigation page is also very helpful. You can document an investigation step by step. Many investigators can work on a single incident also based on their shifts. Everyone can add notes on the investigation page. 

The incident response features are based on real-time data. The monitoring team can immediately take over an incident and prioritize tasks based on risk scores. We can assign multiple technicians to one security incident based on their skill, improving resolution time.  The incident review dashboard provides many useful details, like the indicators of compromise and risk scores.

We can get threat intelligence from multiple platforms, including the latest known IOCs, to support our response to security incidents. We store the threat data from various sources in a centralized place, and it updates every six to 12 hours. 

The MITRE ATT&CK framework feature is helpful for understanding which phase an incident is in and what the next steps are so a technician can prevent it from progressing. It gives us a detailed overview of other tactics it might be associated with, enabling us to stay vigilant. We can correlate with other simultaneous or sequential incidents and take action to strengthen our security based on these incidents.

We've sometimes faced issues with upgrades. The incident review dashboard sometimes breaks after updates. When we add a space or something in the description or anywhere in the SQL, the drill-down value may be reset with a blank value. Before rolling out any software, they should test it thoroughly and ensure clients won't have issues with the upgraded version. It should be compatible with all or most of the apps. All major issues must be addressed before rolling out the upgrade.

I have used Splunk for eight or nine years. 

I rate Splunk nine out of 10 for stability. 

I rate Splunk eight out of 10 for scalability. Scalability is always a challenge. The larger your environment, the more issues you'll have. There aren't many problems with Splunk on the cloud, but scaling can be challenging in an on-prem environment. If you're ingesting a significant volume of data, you need a proper maintenance routine to maintain your base architecture. Sometimes, it's a bucket application. It can take a few hours to reset those things, and network issues might contribute to that. 

I rate Splunk support eight out of 10. It varies based on your data volume and number of licenses. 

Positive

I have used several solutions for different clients, including QRadar, Palantir, and Microsoft Sentinel. Splunk has more capabilities than QRadar. It's also more flexible and user-friendly. You can modify and customize the solution to show you the information you want.

The deployment depends on the environment. It may take only a couple of weeks to deploy Splunk in a small environment, but a larger environment involves a detailed process that may take months. It helps to have a larger staff. It also depends on how process-oriented an organization is. Some organizations will take much more time in the planning and design phase. 

After deployment, Splunk requires a good deal of maintenance, depending on the volume of data you're ingesting and your user base. It may require multiple resources to manage this environment. 

Splunk improves our security controls, resolution time, and threat-handling capabilities. We're saving time and resources, meaning more money for our clients. 

I don't know about Splunk's pricing because I work on the technical side, but I know it is a costly platform. There are cheaper products and some open-source ones, but Splunk costs a lot because of the features it provides. Still, the pricing is a concern for many of my clients, and more would use Splunk if they lowered the cost a bit. 

I rate Splunk Enterprise Security nine out of 10. I would recommend Splunk because it covers multiple services in one place. It also has a strong developer community. You can easily get help from community support. Splunk is a versatile product that competes well with leading security tools like Microsoft Sentinel.

We use Splunk for monitoring and investigation and recently integrated it with ServiceNow. It's a SOC tool, and any malicious activities on the client's side trigger an alert here. 

Splunk has improved our operations by giving us access to more information and allowing us to deploy more use cases. We have integrated Splunk with ServiceNow, so the information from the queries running on the back end is now directly forwarded to the analysts, reducing the manual work. We are pulling data from Splunk into ServiceNow, so the security analysts have all the user details to conduct their investigations. 

It's easy to monitor multiple environments with Splunk. The cloud model is better than the previous on-premises version. The custom dashboards are helpful. We have created multiple dashboards for user activity, logins, phishing, etc. If you miss an alert, you can check the dashboards. For example, if you need to check some user activity, we have a dashboard for Azure Active Directory, and Mimecast is integrated for monitoring email-based attacks like phishing. It throws the information up on the dashboard when we get an alert.

The monitoring aspect of Splunk could be improved. We have to do some queries to get as much information as CrowdStrike or other solutions provide. If you run a big query, you will see a delay. That is the only concern we have because it will take some time if you query large data sets. 

I have used Splunk for more than three years.

I rate Splunk 10 out of 10 for stability. 

Splunk is a highly scalable product. 

I rate Splunk support 10 out of 10.

Positive

Deploying Splunk is somewhat complex, and it requires maintenance afterward. 

Splunk is expensive based on our current requirements, but it's obviously worth what we pay. 

I rate Splunk Enterprise Security nine out of 10. I see Splunk as a monitoring tool, not as a security tool. It provides alerts, and we conduct an analysis and investigation based on the information we receive. I believe having another sandbox integrated with Splunk will be helpful for the investigator.

We use Splunk Enterprise Security to detect different anomalies and alerts based on our infrastructure. I work in the telecom industry. We have multiple network and security devices that collect logs. We create use cases to collect logs from all these devices.

The dashboards are very good in Splunk Enterprise Security. There are pretty good options to fine-tune the alerts, to wipe out false positives, and only get the correct alerts as per our requirements. The UI is pretty good and easy to use because it is integrated with different EDR tools. This integration is very helpful for identifying different malicious activities or malware for any of the endpoints, especially the critical servers.

The architecture of Splunk Enterprise Security is really good at collecting and parsing logs. Each detail, how it correlates, and all the features are up to the mark compared to other vendors. The indexing speed is pretty good in Splunk Enterprise Security. 

I used many of its machine learning automatic detections. It's really helpful to identify any malicious activity or the behavior of malware over time. There was a malicious activity that involved privilege escalation from the MITRE ATT&CK framework. It was very helpful in detecting that escalation, and due to Splunk Enterprise Security's machine learning capability, we tracked down the malware, remediated it, and prevented it from spreading further to other endpoints.

There should be more options for adding more visual experience in terms of dashboards. 

The integration feature with other applications, such as anti-DDoS application Arbor, needs to be more powerful.

I have been using it for almost three years.

Issues are very rare, near to zero with no downtime. 

It is highly scalable.

The tech support is really good. 

Positive

I use ArcSight as well. We did not fully migrate to Splunk Enterprise Security. We are using both solutions.

Splunk Enterprise Security has good refresh rates for getting alerts. I prefer Splunk Enterprise Security more compared to other competitors such as ArcSight or IBM QRadar. The health checks are very good. The dashboards, indexing speed, correlations, and machine learning are advantages of Splunk Enterprise Security. Even though other competitors offer the same features, the efficiency of Splunk Enterprise Security is the best.  Except for the price, I don't find any disadvantages compared to other vendors.

The migration process was complex because we were moving from one SIEM tool to another. In the telecommunications industry, there are several teams that we needed to collaborate with, and meetings were essential. Within the network team alone, there are numerous sub-teams to coordinate with.

In my current environment, this complexity made the process challenging. We weren't starting from scratch; instead, we were transitioning from an existing SIM tool to a new one. If we had been implementing the first SIM tool for our company, it would have been much easier. However, migrating from one SIM to another always presents difficulties.

Our company purchased through resellers.

It's somewhat pricey compared to other vendors. However, for big infrastructure companies such as telecom, the price is fair enough. Compared to the features and efficiency it offers, the price is good. For medium-sized companies, it's too pricey.

I would rate Splunk Enterprise Security an eight out of ten.

There are tons of use cases for Splunk, but our main one is insider threat.

It's easy to deploy Splunk, and mostly, we don't have to reach out to the customer after it's done. It's a simple tutorial with a couple of pages, and they can configure it themselves. The simplicity of deployment has been the greatest asset

Splunk has improved our customer's ability to ingest enterprise data. We don't have to have hands-on every customer's environment. We can farm that out to the local SAs. They find the install, and it's a simple firewall update. We're getting data.  

It provides an all-in-one resource. Before, we had one product for firewalls and one for our gateways. Pairing up with Cisco helped because a lot of our information is based on our network, firewall, or router. Having Splunk intertwined with them will ensure that it's one resource and one solution.

'The solution has helped to fine-tune false positives. Sometimes, out-of-the-box solutions aren't customizable, but Splunk is. It can clone, alter, and make it your own.

Before Splunk, we didn't have a tiered solution where there was some low-hanging fruit that was easily handled by the tier ones and higher-end stuff. It went from level two to level three bordering on level four CCNA. That's what I was looking for, a maturity model. We've developed into a progression from tier one to tier two, etc. At the high end, we have forensics for long-term solutions or advanced persistent threats.

A lot of things can be handled at the tier one level, and there are 12 to 24 hours before it floats to tier two. Resources are underutilized, and not everyone's working. You're not handing a tier-one ticket to a tier-four guy who's just like, "Dude, it's this." The tier-one guy is getting a tier-four ticket. It streamlines the resolution process.

I like the ease of setting up dashboards on Splunk. They're easy to create, manage, alter, and share. You can fine-tune them any way you see fit. One of Splunk's unique features is that you can customize it for your needs, especially if you've got homegrown solutions. It accepts whatever kind of logs and can be normalized at any point. With a one-off solution, you can work with the developer who created it, and they give you the features or key information you want to keep.

Many people are talking about deploying upgrades from the deployment server. It's necessary, particularly from the perspective of insider threat. You can see if something's breached. If you notice an anomaly at 2 a.m., we've got your rules firing, letting you know immediately. It's near real-time notification of any issues.

We have used Splunk for two years.

Splunk's stability is inherent to its scalability. It's malleable and adjustable. It's like pottery that you make to fit your needs.

It's easy to divert resources where they're needed. Often, we have several projects that have reached the end of their life, and we shift the resources. The fact that you can set up a new index or set of indexes and push some feeds into specific structured indexes makes it a lot easier instead of having everything in one giant database and trying to find what you're looking for.

With the streamlining, it's a lot easier for the end customers. They've noticed a quicker turnaround for low-level stuff, and the high-level requests get directed to the right people. We used to have a turnaround window of about a month. Now it's down to a week for most tickets. In the past, they sometimes put a ticket in, and it might be a week before someone even looks at it. Now, we have a system in place where they get a response within 24 hours.

We were using ArcSight but switched because our customer said they wanted to go to Splunk. ArcSight didn't have the reach, and the complexity of deploying it inhibited a lot of customers from using it.

Deploying Splunk was easy. We worked on developing the in-house solutions and passed them off to the customers, providing a network location to download what they needed and the instruction guides. After that, it was simple to unzip and configure the inputs and outputs. We were up and running.

We've probably tripled the amount of insight into our infrastructure and environment.

They looked at Elasticsearch and the ELK Stack—trying to do things with Kubernetes and Kafka. That can be used with Splunk. In terms of cost, complexity, and ease of deployment, Splunk is often on top. It gets the data out there as quickly as possible. The fact that Splunk is as vast as it is means it isn't hard to find a resource that's touched it and can use it.

I rate Splunk Enterprise Security eight out of 10. It's missing some features that other solutions have, such as the ability to upgrade the endpoint and perform endpoint universal forwarders from a deployment server instead of using a third-party solution, such as Puppet or Ansible.

Our primary use case is for detected malware. 

The end-to-end visibility into our environment that Splunk provides is impressive. We just need to use it better.

We are a small team. For us to look at all those logs ourselves would be difficult. There is some decent insight into what's going on. It's just a matter of actually utilizing that data and taking action on it. 

We would probably see more time savings if we used Splunk more. 

We're an on-prem network. During the installation, we found several issues that we should look into. We just need to utilize more.

Splunk has shown us some gaps where we need to ingest and normalize data, and we have built those gaps.

Splunk Enterprise Security provides us with context to help guide our investigation. It's a starting point to actually look at the logs and figure out what we need to look into. It's useful. 

It helped to consolidate networking security and IT observability tools. We use Splunk in general a lot for operations, and then we've been able to build dashboards.

I have been using Splunk Enterprise Security for two years. 

The stability is pretty good. It's fairly stable. I haven't had any issues with it so far.

Splunk support is difficult for us. There are gaps in the network. I work for a government entity so getting a classified rep to come out is difficult. 

I would rate their support a five out of ten due to their availability and talent. 

Neutral

It took what took us a while to groom all of our data correctly so that it worked well with ES. That took two weeks. As far as the finish, there's definitely room for improvement.

I would like more assistance with use cases and help with teaching us how to use it once it's installed. 

We deployed through professional services. 

We're a young team so we're still evaluating processes. We already had Splunk Core. It was already installed when I started working here. I was part of the installation team when they deployed Splunk Enterprise Security.

I would rate Splunk Enterprise Security a five out of ten because I'm still figuring it out.

We use the solution to find systems acting strange or having strange services and security attacks.

Splunk Enterprise Security helps us sift through tons of data to find relevant information we're looking for as far as activity goes.

The solution's most valuable feature is the aggregation of all the logs in one place, using enterprise securities built-in or ESCU use cases to find them.

The end-to-end visibility Splunk Enterprise Security provides in our environment is very important because we might not see everything or miss something without it.

Once you have it set up correctly, Splunk Enterprise Security works great for helping us find any security event across multi-cloud, on-premises, or hybrid environments.

Splunk Enterprise Security has helped improve our organization’s ability to ingest and normalize data. The ability to identify and solve problems in real-time is pretty robust.

Splunk Enterprise Security has helped reduce our alert volume with RBA and has helped reduce our mean time to resolve. With correlation searches in risk-based alerting, you don't have to sift through information; it is presented to you.

The solution's case management system could be further improved to make it easier for analysts to manage cases. The only limiting factor is the amount of data you're sifting through and the overall size of the number of correlations you're looking for.

I have been using Splunk Enterprise Security for seven to eight years.

I rate the solution’s stability an eight out of ten.

I rate the solution ten out of ten for scalability.

The solution's technical support is awesome, and I love it.

Positive

I've deployed the solution a few times. The deployment is very labor-intensive and takes a lot of work.

Splunk Enterprise Security is an expensive solution.

I would recommend the solution to other users.

Overall, I rate the solution a nine out of ten.

Our SOC is using Splunk Enterprise Security as a SIEM. There are multiple use cases because it is the main tool for SOC analysts. We have plenty of use cases. It is being used for IT security monitoring. We also have some custom use cases for securing applications, and then we have some of our internal customers developing their own use cases, but the main purpose is for the SOC. 

We also have additional work that is much more tricky. It is related to using AI to detect insider threats.

We are incredibly increasing our coverage as per the NIST framework that we are using for our operations. We are always extending. That really took off after implementing Splunk. It was a big moment. I have been there from the very beginning when we started implementing Splunk. Like everything new, there was a little bit of difficulty, but after we implemented it, there was an incredible increase in our SOC efficiency.

Splunk Enterprise Security helped reduce our mean time to resolve based on my knowledge, but I do not know how much because I left the department one year ago. On the security monitoring side, we have very good MTTR globally due to Splunk and the processes that we have implemented. We have other kinds of tools. Compared to the other tools that we have, our MTTR is far better with Splunk. Compared to last year, it was reduced by half. It was already good, but it got reduced a lot again.

It is lovely to have everything we need in one tool. Everything is quite centralized.

AI is everywhere, and I feel we need to discover AI for cybersecurity. For the last five years, I myself have been setting up a product and evaluating AI, but I did not do it directly in Splunk because there was some fear about the performance on the platform. That is why we chose to build our own platform based on S3 and AWS to execute and run all the algorithms and send the data back into Splunk. We now have a good base with innovation. We have a better base to directly include machine learning use cases in Enterprise Security, but they need to provide more capability and autonomy to the customers because there is so much to do. When you are lucky enough to have a team of data scientists, they want to have free hands, so a balance has to be found between giving a lot of autonomy and putting enough control so that they do not do something stupid on the platform, which can impact the performance of the standard use cases as well. There is a compromise there. However, AI is growing so fast that you absolutely need to give autonomy to the team to manage and utilize AI. This means providing easy access to a new library to build machine learning. They need to give us some flexibility, and it seems that with the new toolkit, it would be okay. Data scientists love to have freedom.

Splunk Enterprise Security provides us with the relevant context to help guide our investigations, but it would be interesting to add even more context, for instance, in order to raise the level of risk. That is something that can be implemented. For instance, when it comes to data loss prevention, it is known that somebody who is about to leave the company is much more likely to take data. If you have this information soon enough, because the person will tell HR in advance, you can increase the level of risk for data loss for that user, but you do not always get to know that in advance. In such cases, some indicators in the behavior of the users who are leaving could be connected to AI. For instance, if you are using natural language programming, you can grab emails with words like farewell. There are plenty of keywords that you can catch that would give you an indication that the person is about to live. When you have internal and external partners, they can leave at any time. You do not always get the information in advance, but there are always farewell parties or goodbye emails. You can use this kind of information to raise their risk on the specific alert. It is efficient in the sense that you decrease your false positive rate. To me, AI is something that can help them accelerate and improve on what they are already doing.

Splunk Enterprise Security is very costly. Pricing is probably its weakest spot.

I have been using Splunk Enterprise Security for five years.

It is difficult for me to answer this because I am no longer in charge now, but it has been stable from my point of view. 

Its scalability is good provided you have the right license agreements.

It depends on the situation. The problem at our end that is causing an issue with Splunk support is that we have a customized environment. All the problems that we submit are specific, and they can be a bit difficult to solve. Sometimes, their support is efficient, and at other times, we have to wait a bit too much. I would rate their support a seven out of ten.

Neutral

I arrived at the time of transition. We were probably using RSA. We switched to Splunk Enterprise Security because we needed to jump to another scale. At that time, there was a complete change in the organization. We went from the old-school cyber to Cyber 2.0. We had a lot more visionary managers who came from other companies where they were using Splunk. We had good guidance.

It was a bit difficult. The team that was developing the use cases did not have access to the real data because it was not ready yet. Developing a SOC use case without the data is something difficult. That is why it was difficult at the start, but it was not because of the tool. It was more of a matter of project management. After we moved on from the difficult stage, we were able to set up this use case factory where some of the users were themselves in a bit of self-service mode. This was a very good opportunity to enlarge our capability to cover all the applications in the best way.

For Splunk, we use AWS. We have a private cloud. We have difficulty using cloud-managed services.

Pricing is probably its weakest spot. As compared to some competitors, Splunk is really expensive. The problem is that Splunk is like Rolls-Royce. It, for sure, is the best one. Gartner says it, and the customers say it, but sometimes, you do not need a Rolls-Royce to get to the supermarket.

The problem is that the licenses that we have are based on the volume of data that we ingest in a day. The data that we ingest is only growing. We have initiatives right now for better management of data. It makes sense in terms of storage and sustainability. The pricing model, especially for Europe, is difficult. I am just out of the negotiation for the renewal of the license. We bought it for three more years. This is good news for Splunk and us as well, but it was difficult to discuss with the sales and explain that we do not want to increase the cost because it is already too high, and if it could decrease, it would make sense. It is very difficult to have this understanding from the salesperson. It was difficult for my Splunk account partner, but we succeeded in the negotiation. It was a win-win situation.

They need to be fair and adjust the price as per the usage. If the price goes too high, we would just have a no-go from the top level of the company, which would be a pity. It can happen. It has happened in the past. At some point, we had a big contract with Microsoft for Office, and we are now with Google. It was a shock for the partners and people inside the company, but we did it. We now have Google and we are happy with it. We still have a bit of Microsoft. It is important to keep the balance.

We are looking at the data usage with Splunk's team. We are looking at whether the data onboarded and dashboards that were developed are really being used to avoid wastage. If any data is not necessary in Splunk, we just stop onboarding it. We have other data to onboard anyway. My idea is to be much more efficient in the way we are managing the data and not to go the way we did it in the past.

I did not evaluate other solutions but the company surely did.

Splunk's unified platform has not helped consolidate networking, security, and IT observability tools, but it is not due to the tool. It is due to our company's structure. I have been part of the two teams. Previously, I was a part of the cybersecurity team, so I was mainly using Splunk Enterprise Security. Now I am leading the monitoring team, so I am much more on the SOC side of it. My team provides service to the cybersecurity team that is using Splunk Enterprise Security. In the end, we would like to have one solution, which would be Splunk. I would like to have IT monitoring and observability with ITSI in the future. This centralization would bring efficiency. One log being used for cybersecurity purposes can also be used for other purposes. Everything centralized would give us the most efficient way to access the data and limit duplication. It would be helpful for efficiency, cost control, and data governance.

It is absolutely crucial for us to have end-to-end visibility. For our cybersecurity needs, we should be able to reach anything. We even have this concept of Watch the Watcher, so visibility is absolutely key. We have the opportunity to audit the activities of even cyber analysts, so visibility at every stage is absolutely key. For example, all the SIEMs could be under attack, which would be a nightmare. Imagine it being an insider threat where the attacker knows what exactly we are monitoring. With AI, these kinds of risks are even higher. That is why we are all in for AI for Cyber and Cyber for AI. We need absolute visibility, but we also need protection.

Splunk Enterprise Security has not helped us reduce our alert volume. We are not at that level of maturity at this point. It is still growing.

I would rate Splunk Enterprise Security a nine out of ten. It is a good product. It needs some progress with AI, but based on what I have seen in the presentation for version 8, it seems promising.

We use Splunk Enterprise Security for our security analysts for them to be able to view incidents. They are not 100% dependent on Splunk Enterprise Security as their incident source. They do have other tools that they use and other things like whois data, threat intel, and lookups for our domain. They are able to quickly look at the activities done for the assets that we have.

I am not from the management or the leadership, but I do feel that it has been helpful for us Splunk engineers who are responsible for looking at all the data and logs. Splunk Enterprise Security quickly gives us a view of an endpoint or a user or identity. If I want to look for an identity or an asset, I just quickly go into Splunk Enterprise Security. I know where to go and get a quick analysis for a respective object. The analysts have their dashboards, and they have their action items. They use it differently. They follow all the common procedures.

We are on-prem. We are not on the cloud. As of now, Splunk Enterprise Security does not provide us with end-to-end visibility, which is one of the drawbacks of why we need to use other tools. It is not that Splunk Enterprise Security cannot do it. It is just the way it is configured right now. We are working with Splunk engineers. We have a lot of professional service hours that we spend with them bringing all parties into the picture and doing working sessions.

Right now, Splunk Enterprise Security is in the middle in terms of helping us find any security event across our environment. Based on the way the configuration is done in our environment, it would not be right to say that the incident would be reported accurately from Splunk Enterprise Security. That is because not a lot of data is being put into Splunk Enterprise Security to make something a notable event and report about it. If we configure it better and have more data models normalized, and then we use it, it will be more helpful. It has been a long-term goal, but we will reach there soon.

Splunk Enterprise Security has helped improve our organization’s ability to ingest data.

Splunk's unified platform has not helped consolidate networking, security, and IT observability tools. I am an engineer, and I am more into administration and creating user interfaces on Splunk Enterprise itself, not Splunk Enterprise Security. We have done some work on Splunk Enterprise Security and then left it with analysts. It is up to the analysts now. Splunk Enterprise Security is not 100% configured. Some basic data models have been set up. They are generating notables, and we are generating alerts out of it, but it is not 100% there. They do have to use other tools such as their networking tools to get a full picture for incident reporting.

One of the most popular features that I personally like is that in the case of an event, I should be able to run a desired action for that on a threshold, but that is not how we are using it right now, unfortunately. We have a pretty manual process. We have an operating procedure, and we follow that. I would like to see it automated. I do not want analysts to decide whether the action needs to be done or not. It should be done provided the policy says so. If the policy says it needs to be done, it should be an automatic process rather than a manual process.

At Splunk .conf24, I saw a demo for Splunk Enterprise Security 8. All the things that they have done in Splunk Enterprise Security 8 are what it can be better at. They have put Mission Control as a part of the notable or finding itself. The investigation shows the findings, and the findings allow us to do everything that we are doing in Mission Control right there on that same screen. That is what we want now. They said it is going to be released in two to three months. We are hoping that we will be able to use it. I was hoping that I would be able to see version 8 when I am here at Splunk .conf24, and when I go back, I would be able to help them implement it, but it is still 7.3.

I have been using Splunk Enterprise Security for two years.

It is pretty stable.

It is pretty scalable. We have a huge deployment. It is good.

We are a huge agency. It is in the public sector. We have 15 terabytes of data.

They are good. We have a huge team of Splunk engineers within our company. Some of them are contractors, and some of them are employees. They are pretty responsive.

Based on my interaction, I would rate them an eight out of ten. Some engineers do not understand what is there to solve, and they start pushing their perspective on the customer, which is not how it should be because it is not their environment.

Positive

We did not use any similar solution previously.

The deployment of Splunk Enterprise Security was very simple.

We have professional service hours. We worked with Splunk engineers, and we had live working sessions. We were doing it like that. We did it for over a period of time, but that did not give us the full power of Splunk Enterprise Security. For that, we need to be able to configure our own data models and normalize the data. That is not happening 100%.

It is quite expensive.

We did not evaluate any similar solutions.

At this time, I cannot assess Splunk Enterprise Security in terms of the ability to identify and solve problems in real time, but we do use regular Splunk to pinpoint a lot of problems. It helps us a lot. We are able to pinpoint a lot of things, whether they are vulnerabilities or pointing to some logs in the firewall or authentication logs. All the analysts use it very frequently to write searches.

Splunk Enterprise Security has not helped improve our organization’s business resilience because we are not 100% dependent on it. 

Splunk Enterprise Security can provide us with the relevant context to help guide our investigations. However, the input is not 100% perfect, so the output is not 100% perfect.

I would rate Splunk Enterprise Security a ten out of ten.