I use Splunk Enterprise Security for threat hunting.
Senior Threat Intelligence Analyst/Manager at a tech services company with 1,001-5,000 employees
Provides good visibility and threat hunting, but is expensive
Pros and Cons
- "The most valuable features of Splunk Enterprise Security are the enterprise search bar and the dashboards."
- "The high cost of Splunk Enterprise Security prevented us from using its full capabilities."
What is our primary use case?
How has it helped my organization?
The end-to-end visibility provided in the dashboards is great for our needs.
Splunk Enterprise Security allows monitoring across multi-cloud, on-prem, and hybrid environments.
Splunk does a good job of ingesting and correlating data.
Splunk provides real-time monitoring.
The framework's features, such as the MITRE ATT&CK framework, are great.
Our MTTR has improved with Splunk. It has improved our investigation time.
What is most valuable?
The most valuable features of Splunk Enterprise Security are the enterprise search bar and the dashboards.
What needs improvement?
The threat intelligence management feature would benefit from a broader range of APIs for enhanced integration. This would facilitate seamless connection with various threat intelligence platforms, as some currently are missing APIs, making integration difficult.
The high cost of Splunk Enterprise Security prevented us from using its full capabilities.
Buyer's Guide
Splunk Enterprise Security
July 2025
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: July 2025.
865,295 professionals have used our research since 2012.
For how long have I used the solution?
I have been using Splunk Enterprise Security for one year.
What do I think about the stability of the solution?
Splunk Enterprise Security has been largely stable, experiencing only a few brief periods of downtime.
Which solution did I use previously and why did I switch?
We use Splunk and Sentinel for different purposes, mainly due to cost factors, not because one is better. For example, we use Splunk more for network traffic.
What's my experience with pricing, setup cost, and licensing?
The price of Splunk Enterprise Security fluctuates based on the customer, but I believe it's quite costly, especially for our clientele. Furthermore, to access the full range of features, it's exceedingly expensive to have comprehensive log data.
When evaluating SIM tools and considering the cheapest option, Splunk Enterprise Security might be worth considering, especially for larger organizations. While cost is a factor, Splunk offers significant value, and I recommend it over focusing solely on price.
What other advice do I have?
I would rate Splunk Enterprise Security seven out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Splunk architect at Schwarz IT KG
Investigation dashboard provides a lot of value, end-to-end visibility, but multi-tenancy is not there
Pros and Cons
- "The compatibility with the add-ons helps us add more data in the same compatible format and use data models to elaborate and make it faster."
- "Stability is there, but every release has some bugs."
What is our primary use case?
The main use cases are with the firewall, DNS, and Windows events. These are the three basic ones to start with. Once they're done with all the compatibility and introductions, custom use cases will follow.
How has it helped my organization?
It's currently in the implementation phase. But, it will surely improve response time and make it easier to collect and check everything in one place. Instead of going to multiple dashboards and running multiple queries, all can be integrated into one dashboard. You can just click and then go drill down into deeper levels and get more information.
Splunk Enterprise Security provides end-to-end visibility into our environment. It's very important because:
- This tool is used as SIEM implementation. End-to-end visibility is really important in such a case; if something is missed, it's an error.
- Also, we belong to the retail sector with over 700,000 employees. We have a lot of endpoints and everything is open, so end-to-end visibility is essential.
It helped our organization to ingest normalized data. With Windows, DNS, firewalls, and the open use cases we've checked, we've gotten more data in. The compatibility with the add-ons helps us add more data in the same compatible format and use data models to elaborate and make it faster.
The investigation dashboard provides a lot of value. In the same dashboard, we get all the drill downs, raw events, and information about what the particular user is doing or where the vulnerability started, all in the same dashboard.
It helps us reduce our mean time to resolve. Now, we can see all the incidents on a single dashboard and it could be assigned to the analysts at the same time on the incident review. People can start working on it right away, so it does reduce the mean time to respond.
Splunk's unified platform helps consolidate networking, security, IT, and IT observability tools. But our major focus or use case is more on the security side. We don't use observability, so we just use logs, matrices, and other security-related features.
What is most valuable?
Incident review is pretty valuable. You can have everything in one place, review it, and assign things to analysts, and they can work on it.
We also have different teams segmented; it is not one team. So, we brought that using the teams method in Enterprise Security, which I think most people are not using. This way, different users have different dashboards or lists of incidents.
What needs improvement?
One thing is multi-tenancy, which is currently not there. The concept of Enterprise Security assumes only one team using Splunk, but in many companies, including ours, that's not the case. We have multiple security teams operating under one umbrella, with different people using it for different smaller companies. If multi-tenancy could be incorporated, it would surely help us.
For how long have I used the solution?
We started with it last year. We integrated it last year, and the SOC team is now handling it. They're making it SIM compatible, introducing the first few use cases, and working with the data.
So, we bought the license nearly a year ago, and started implementing it about six months ago.
What do I think about the stability of the solution?
Stability is there, but every release has some bugs. For example, in this release, indexes were down, searches were down, and the monitoring console wasn't working. So, it's a bit tough.
What do I think about the scalability of the solution?
It's still being implemented, and a lot of work needs to be done. But, considering the pricing and everything, I would give it a seven out of ten. It does have a lot of use cases, but a lot of work has to be done beforehand. Our data wasn't totally SIEM compliant because we used prebuilt solutions and changed the data format.
How are customer service and support?
We use Splunk Operator on Kubernetes, so it's not on-prem or Splunk Cloud. Customer support is not good at all.
For example, we upgraded the system on Saturday and raised an incident. With Operator, you can only raise a P3 incident, so we needed to escalate it and get the developers involved. Support cannot handle such cases. We always have to get the developers involved to get the issues fixed. This happened very recently. But it is very common; the support for Kubernetes is zero.
Which solution did I use previously and why did I switch?
The company didn't have a SIEM solution. It was more of SOAR, so we used FortiSIEM for that. We still use it.
How was the initial setup?
Setup is not that difficult. You just have to install the search head cluster and a normal app. Data normalization is the main thing required for Enterprise Security. SIEM compatibility is the most important thing. If it's not there, then it won't work.
The deployment of the solution is pretty simple, if your data is SIEM compliant. If not, then you need to make it SIEM compliant. Otherwise, you cannot use the solution.
What about the implementation team?
We have a Splunk partner that helps us with integration and other stuff.
What's my experience with pricing, setup cost, and licensing?
Pricing is a bit costly. It always is.
Which other solutions did I evaluate?
We considered a couple of other brands. We ran a couple of POCs with other enterprise tools.
Since we've been using Splunk for nearly four years, it was easier to incorporate Enterprise Security. We did try other SIEM solutions like Fortinet, but since Splunk was already there in place and had all of our normalized data, it made more sense to use Enterprise Security.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Principal Security Engineer at a tech consulting company with 10,001+ employees
Provides end-to-end visibility, improved resilience, and saves time
Pros and Cons
- "The most valuable feature of Splunk Enterprise Security is the threat intelligence integration because essentially having to go out and correlate all the data on our own becomes convoluted."
- "For us, the area that Splunk Enterprise Security can improve is performance optimization."
What is our primary use case?
We use Splunk Enterprise Security to ensure the security of our endpoints, including corporate workstations, tracking proxy logs, and all of the other benefits that Splunk Enterprise Security brings, including observability and visibility into the environment.
We run Splunk Enterprise Security on a single search head, and it talks to about nine separate clusters. It's a hybrid environment of on-prem and AWS. Ideally, we will migrate that to a search head cluster for Enterprise Security for high availability. Then, in the upgrade process, we generally have about two hours of downtime when we upgrade Enterprise Security. Ideally, moving to the cluster environment will allow us to mitigate that entirely. So, we did some assessments earlier in the year. We've gotta do some finalized testing, but we're hoping that will eliminate almost the entire two hours of downtime for our customers when upgrading. Then, it's two hours from start to finish to get the search head back up, and that does not include backfill time or anything like that. It could be a good full workday. So getting that workday back is going to be very important for us, and that's where I think we're gonna end up evolving for the Enterprise Security environment.
How has it helped my organization?
One benefit we have seen using Splunk Enterprise Security is keeping it all integrated, so no jumping between tools during investigations is the biggest benefit from the analyst's perspective. When we're setting up an investigation, it allows them to use one tool versus having to compartmentalize all the tools together, link it together, document it, and ultimately end up in one spot. Using Enterprise Security as it allows for integrated tracking for the investigations.
It's very important that Splunk Enterprise Security provides end-to-end visibility into our environment because not seeing something is a potential risk to the business. Having that visibility also assures the business, all the way up to the C Suite level, that there is coverage. And if not, we at least have that identified as an uncovered portion.
As long as we can point the data into Splunk Enterprise Security, it is easy to identify security events across cloud, on-premise, and hybrid environments. Getting it into Splunk is typically the challenge because it needs to be in a usable format. So once I've got it properly shaped and tagged, the rest trickles down. Generally, there are a lot of good TAs for getting data into Splunk around the cloud providers. So we don't have to customize it as much. It's just about getting it implemented, going through the checklist, and doing our due diligence to make sure we have the coverage we need. We will see events as long as they're flowing into Splunk. Once it gets into the data models in Enterprise Security, it will show up.
As far as ingesting data, Splunk Enterprise Security specifically hasn't helped. We shape and normalize our data to meet Enterprise Security's needs. So, we did that as a preemptive during our initial assessment. What does it come in as? What do we want it to look like? How can Enterprise Security more optimally use it? Will it hit the data models? Will it show up? Things like that. So, a lot of that is already there before Enterprise Security, but then using the data is where Enterprise Security shines. It makes the data more usable across all data sources. We don't have to know what to look for in each data type. We could go to the data model and view it.
We've increased our alert volume a little bit, not in a bad way, but getting new detections. The risk-based alerting has decreased. So what is happening elsewhere in the environment correlates with that event, and those risks are bubbling up to the top, whereas somebody getting locked out isn't as important as an account takeover. It's hard to portray that image with one event, but a series of events on the timeline makes it a little easier.
Splunk Enterprise Security lets us know who owns what hardware, who should access it, and who shouldn't, more specifically, during an investigation or escalation path. So we know there's a problem. Who do we talk to next to start that process and up the chain? We have a lot of that in there as well, which helps.
Splunk Enterprise Security has generally helped reduce our mean time to resolve. How much is hard to say because it depends on the investigation's scope and scale. It does help the analysts get a clearer picture of what's happening everywhere in the environment.
Enterprise Security will automatically correlate those events for us. When an analyst gets assigned to that investigation, it becomes looking at the picture and putting the puzzle together versus having to go through a threat hunt or find those indicators and then identify the account lockouts and takeovers. It's already in one pane of glass, and then that gets us to the mean time to resolution quicker.
It has decreased our mean time to detection, especially for the high critical alerts. When we leverage that risk-based alerting, we can say, alright, multiple events have now happened to propagate this into a larger event instead of trying to correlate that as an individual or a team of analysts. Ad hoc is going to always be slower than automatic. Doing it in the back end means my analysts get there and get the job done quicker.
Splunk Enterprise Security has helped with our organization's resilience. We generally use observability metrics to determine the state of the hardware and the status of the environment at the time, so that has been a good point. It's definitely made us more resilient to figure out what happened post-incident and on what time scale and then go back and try to either remediate or mitigate that wherever possible. The historical context is just as valuable as their live real-time learning context.
What is most valuable?
The most valuable feature of Splunk Enterprise Security is the threat intelligence integration because essentially having to go out and correlate all the data on our own becomes convoluted. We don't have the resources, so having that included in the product makes it easier for us.
What needs improvement?
For us, the area that Splunk Enterprise Security can improve is performance optimization. Enterprise Security is so critical that right now, we're working on getting it to a clustered state to have high availability. The challenge there is hardware procurement and utilization. It's very resource-intensive. A type of performance optimization would generally be a huge improvement.
For how long have I used the solution?
I have been using Splunk Enterprise Security for six years.
What do I think about the stability of the solution?
Splunk Enterprise Security seems stable to me. I haven't seen many issues, so I'm looking to try and test the latest version.
What do I think about the scalability of the solution?
Scalability is a mixed bag. So, when we first started Enterprise Security, they told us not to cluster it. Now they're recommending we cluster it. We haven't gone down that road yet. I am looking forward to it. But if they say it can scale, they have customers that have done it. We gotta go through the growing pains of implementing it, rolling it out, and making sure it's ready to go. I think it's possible, but I have no formal experience yet. I am looking forward to it.
Which solution did I use previously and why did I switch?
We started in Splunk, used it historically, and saw the product's value. It becomes the other data that would not be allowed for business reasons. How can we leverage that to provide value for the business? I know a lot about searchability this year, such as trace logs and metrics. These are generally good, but some trace stacks can be a lot of ingestion against our license. If we could put that in somewhere, that would not be as cost-effective, ideally. The trade-off is performance. Splunk is very performant. It does its job well. It's just a little pricey for the non-business critical logs.
How was the initial setup?
The deployment is generally good. We must stand up the search heads, get them ready, tie them into the index clusters, and then deploy. Generally, we don't expose anything to the customers until it's production-ready. So deploying it was just getting it out there and built, doing some finalized testing to make sure it's ready to be used by the end customer.
What about the implementation team?
We implemented Splunk Enterprise Security ourselves. Through Splunk, we've engaged some professional services to ensure that our plan of attack is moving in the right direction. Professional services have also provided a lot of guidance.
What was our ROI?
We have seen a return on investment with Splunk Enterprise Security. Getting that holistic view. Splunk gives us a better picture of what's going on in our environment. Without it, we would have to go hunt for it. It's like Google searching for logs. It's easy, and everybody uses Google. So it's time-tested in the market. It's just about how much data we can get in, how we're storing it, retention, pulling it back, and what goes with that associated.
What's my experience with pricing, setup cost, and licensing?
While Splunk offers generous developer licenses and obtaining annual licenses is straightforward, the cost is a major consideration. As open-source competitors become more sophisticated, Splunk will need to address this pricing issue in the future.
Which other solutions did I evaluate?
We have not used other SIEM tools in the past, but we are evaluating other tools. We don't want to migrate away from Splunk. We want to replicate it at a larger scale for non-security-based data, such as application and developer data. Anything they want to throw in and search is fine. But at Splunk's current cost, it is generally very expensive to do non-business-critical logs in that environment.
What other advice do I have?
I would rate Splunk Enterprise Security eight out of ten. Things that could be better would be further integrations into other security tools. I know a series of threat intelligence feeds can be integrated, and I'm sure they are slated. It's just a matter of getting the resources to integrate them. Splunk Enterprise Security is a solid product. I run it in my home lab as well. It's generally one of the better Splunk apps.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Splunk developer at Maveric Systems Limited
Helps us monitor multiple cloud environments, offers strong capabilities for detecting insider threats, and reduces our alert volume
Pros and Cons
- "Splunk Enterprise Security is a valuable tool that allows us to monitor data from the APS daily."
- "When files are absent, troubleshooting becomes difficult, and performance issues inevitably arise."
What is our primary use case?
Splunk Enterprise Security serves as our primary tool for endpoint detection.
How has it helped my organization?
Our organization manages security across multiple cloud environments. Splunk Enterprise Security is a valuable tool in this process, offering a comprehensive dashboard that centralizes monitoring for all our cloud deployments. This unified view allows us to efficiently track security posture and identify potential threats from a single location.
Splunk Enterprise Security offers strong capabilities for detecting insider threats. This security platform excels at analyzing data from a variety of sources, allowing it to identify unusual user behavior patterns.
It does a good job of analyzing malicious activity and helps us detect threats faster.
Splunk Enterprise Security helps reduce our alert volume and helps speed up our security investigations.
In our financial institution client environment, the insider threat detection capabilities allow us to closely monitor credit and debit card transactions for any signs of compromise. By leveraging Splunk's capabilities, we can proactively identify and address potential security threats that might impact our client's financial data.
We have improved our incident response time with Splunk.
Splunk Enterprise offers a variety of apps that cater to different needs. These apps provide features like directory management, add-on and data model control, report dashboards, and alerts. Notably, some of these functionalities are available in the free version. Additionally, there are separate apps for security purposes. Our EMEA region has its own set of apps, allowing them to upgrade, maintain, and manage separate dashboards specific to their requirements.
Dashboards can be customized to allow users to easily monitor specific data relevant to their needs. This might include data segmented by country, region, or even customer credit card information. By customizing the view, users can quickly identify trends and gain insights into areas of particular interest. Additionally, dashboards can be configured to automatically display default information or alerts upon opening, further streamlining the monitoring process and ensuring users can find the specific data they need right away.
What is most valuable?
Splunk Enterprise Security is a valuable tool that allows us to monitor data from the APS daily. This monitoring focuses on the success or failure of APS calls. Successful calls are identified by a status code of 200, while unsuccessful calls are indicated by a status code of 400 or any other code. By monitoring these codes, we can proactively identify situations where the intended data retrieval fails due to backend server issues. This distinction is important because it helps us differentiate between failures caused by backend server problems and those resulting from issues with the monitoring team's ability to send requests. This clear separation allows a dedicated team to investigate these specific backend server failures and implement resolutions.
What needs improvement?
Data profiling, data onboarding, and data maintenance are all crucial steps in ensuring the quality and usability of our information. However, encountering missing files disrupts this process. When files are absent, troubleshooting becomes difficult, and performance issues inevitably arise.
For how long have I used the solution?
I have been using Splunk Enterprise Security for many years.
What do I think about the stability of the solution?
Splunk Enterprise Security is stable.
How was the initial setup?
The initial deployment is straightforward.
What other advice do I have?
I would rate Splunk Enterprise Security eight out of ten.
Splunk Enterprise Security is a powerful security solution that offers flexibility. This flexibility empowers our team to adapt and respond to evolving threats. With Splunk Enterprise Security, we have the tools and adaptability to effectively address whatever security challenges we encounter.
I recommend Splunk Enterprise Security as the most suitable solution for monitoring and protecting our data.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Monitors the network and provides easy visibility into problems
Pros and Cons
- "The solution's most valuable feature is the dashboard, which allows us to see everything on the same page and provides easy visibility into problems."
- "Sometimes, the data does not match what we're looking for, or the tool contains incorrect data."
What is our primary use case?
We use Splunk Enterprise Security to monitor the network. We use the solution wherever there's a problem with the cell phone tower.
How has it helped my organization?
When we see a problem, Splunk Enterprise Security provides many details you can use to diagnose and determine what needs fixing.
What is most valuable?
The solution's most valuable feature is the dashboard, which allows us to see everything on the same page and provides easy visibility into problems.
Splunk Enterprise Security has helped us find security events in our on-premises environment.
It has helped improve our organization's ability to ingest and normalize data. Splunk does a good job of identifying and solving problems in real-time.
We have reduced our alert volume by 80%.
The solution provides relevant context to help guide our investigations. Splunk provides pretty detailed information. Based on that information, we can assign it to different teams.
It has helped speed up our security investigations by 40%.
Splunk Enterprise Security has helped reduce our mean time to resolve. In most cases, we're able to solve issues in less than 45 minutes.
What needs improvement?
Sometimes, the data does not match what we're looking for, or the tool contains incorrect data.
For how long have I used the solution?
I have been using the solution for two months.
What do I think about the stability of the solution?
Splunk Enterprise Security is a very stable solution.
What do I think about the scalability of the solution?
The solution provides good scalability.
How are customer service and support?
The technical support team responds quickly every time we contact them.
What was our ROI?
We have seen a return on investment with the solution because it has reduced the time it takes to fix our problems.
What other advice do I have?
Overall, I rate the solution a nine out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
IT Specialist at a government with 10,001+ employees
Fair price, integrates well, and allows us to have everything in one tool
Pros and Cons
- "Exporting is a good feature. It helps me out when I have to do reports. I do a lot of exporting and crunching of the numbers. Dashboards are okay for showing to the leadership, but for doing statistics and updating tickets, the export feature is very beneficial for me."
- "It works as intended for us, and we are getting everything that we need out of it. If anything, its initial setup can be improved a bit."
What is our primary use case?
I am the branch chief. I use Splunk Enterprise Security depending on how swamped the team is. I use it for anything from basic searches to DDoS attacks, which is a big thing right now. So, DDoS attacks and phishing emails are a lot of what I am using it for.
How has it helped my organization?
We had FireEye before and then we went to CrowdStrike. Splunk has definitely helped to have everything into the tool. It is a lot easier to complete the tickets. It saves, on average, a couple of hours a day. We just go to Splunk and then provide data and work with different people on the tickets, so it saves hours each day. We have been able to allocate these hours to other projects or things that are more of a priority. We are able to do different projects that were on the back burner. We can put those hours towards other things.
Splunk has improved our organization’s business resilience. We are able to give leadership updates through dashboards versus the actual metadata. It is easier for them to understand and provide leadership.
Splunk’s ability to predict, identify, and solve problems in real-time is very good. It is proven. Every couple of weeks, it catches some of the things that our SOC team did not catch and provides alerts, so its real-time capabilities are very good.
Our team has overall benefited from Splunk. We had FireEye before, which was not that good. We are able to benefit from Splunk not only in terms of instant response. We also have other teams doing vulnerability management using the Prisma systems. It is important that Splunk provides end-to-end visibility into our native environment. We use it for Prisma and instant response. Without Splunk, we would not be able to do some of the things that we need to do unless we went to individual tools, and we do not have the resources for that.
What is most valuable?
Exporting is a good feature. It helps me out when I have to do reports. I do a lot of exporting and crunching of the numbers. Dashboards are okay for showing to the leadership, but for doing statistics and updating tickets, the export feature is very beneficial for me.
They offer training. That is a big part of it. If you do not understand the tool, they are able to provide everything that you need, which helps the business. When you have learned a tool, you are able to speed up the process meantime, so you are not wasting a lot of man-hours trying to figure things out.
What needs improvement?
I do not have any areas that can be improved. It works as intended for us, and we are getting everything that we need out of it. If anything, its initial setup can be improved a bit.
In terms of additional features, I am still learning SOAR and everything else, so I do not have any feature requirements at this time, but as we do these SOAR operations, there might be some additional features that we will need.
For how long have I used the solution?
I have been using Splunk Enterprise Security since 2016.
What do I think about the stability of the solution?
It is very good as long as you have the scope of how many servers, processors, and other things you need. There was a learning curve of making sure our servers were beefy enough to handle the data. We had four terabytes of data coming in every day. We were maxing out our systems a little bit, so we beefed that up, and we have had no issues since.
What do I think about the scalability of the solution?
Its scalability is easy. On-prem was very easy, and on the cloud, you have to learn and adapt a little bit, but scalability is perfect.
How are customer service and support?
I only reached out to our Splunk contacts, but my team reached out to Splunk's support team. I have not had any issues where they told me that they did not get the support they needed. They might take time to figure out what the issue is, but overall, I would rate their support a ten out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We used FireEye, which was our primary one, and then we had CrowdStrike. Splunk has definitely been wonderful for us. The biggest reason for switching was integration. It is very easy to get all the tools fed into Splunk. They also had a cloud version, which was another reason. We are doing a hybrid setup, so cost savings was also a big factor.
How was the initial setup?
I was involved in its deployment. I am the system owner of it. I am in charge of it, so I oversaw the project deployment. There is a learning curve with the hybrid setup with the cloud and on-prem, but overall, I am pretty satisfied with it.
We have an on-prem and a cloud environment depending on the platforms we are using in the system, so we have both environments. The challenging part was getting everything set up and fed into Splunk, but once it is set up, there is no difference in using it on-prem or on the cloud. We do not notice any real difference in it.
The initial setup could be improved a little bit. It depends on your local team, firewalls, and other things like that, so there was a learning curve for the teams to learn how to set it up. That part could be improved, but once you go through it, it is not an issue.
What about the implementation team?
We had the Splunk team, and they did whatever they needed to get everything deployed. Our experience with them was good. We have worked with Splunk for years now. Their support has been very beneficial. If I have a question, they jump right on and let me know. They walk me through it and give me updates, so I am pretty happy with Splunk.
What was our ROI?
We have seen an ROI in terms of the mean time to resolution and man-hours. We are able to allocate those hours to other things. We have not got there yet in terms of the upfront costs, but we will get there over time.
When it comes to the time to value, we are getting there. We have not got there yet, but over time, we will get to the time to value.
What's my experience with pricing, setup cost, and licensing?
Its price is fair. Like with anything else, if you go into the cloud, different providers cost more, and you are able to throttle back or throttle up. The cost is comparable with anything else.
Which other solutions did I evaluate?
We evaluated other options. We had to evaluate the pros and cons in terms of the cost and the capabilities of each tool. A lot of that went into the proof of concept. We did our due diligence and determined that Splunk was the best fit for us.
What other advice do I have?
I would rate Splunk Enterprise Security a ten out of ten. It gives us everything we need, and its capabilities keep on improving, so it is getting better.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cyber Security Analyst
Creates dashboards for analysis and provides notifications for security incidents
What is our primary use case?
Most times I use Splunk Enterprise Security for log analysis, and I also use it to create alerts for any security incidents. There are some alerts I set up on my endpoint, and once the alert is triggered, I get a notification. I also use it for visualization. I create my own dashboard to send to my managers for analysis, for reports, and all of that.
What is most valuable?
The ability to easily aggregate data and make meaningful reports is what makes Splunk Enterprise Security excellent. If I want to search for the number of failed passwords, I can go to my index, write my query, and create a report quickly. When my manager wants me to create a report concerning a particular incident, I go to my dashboard, type my query, create my dashboard from there, and everything works out smoothly.
What needs improvement?
They should put out more educational resources for users to learn how to use Splunk Enterprise Security. If they could have a manual or guide similar to Linux, where users can search and see various commands for different searches, it would help users navigate their way around the product more easily so it wouldn't be so complex.
For how long have I used the solution?
I have been using Splunk Enterprise Security for over two years now.
What do I think about the stability of the solution?
There was one instance when I was trying to use the Forwarder and it wasn't working properly. Apart from that, Splunk Enterprise Security has been perfect for me.
What do I think about the scalability of the solution?
When trying to connect to other endpoints using the Splunk Enterprise Security Forwarder, I encountered connectivity issues. This occurred while setting up for a company, and the connection wasn't working properly.
Which solution did I use previously and why did I switch?
I have used Wazuh.
What's my experience with pricing, setup cost, and licensing?
The pricing could be reduced to make it more accessible.
What other advice do I have?
I would rate Splunk Enterprise Security an eight out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Jul 9, 2025
Splunk engineer at MindPoint Group, LLC
Great risk-based alerting, clear dashboards, and decreases false positives
Pros and Cons
- "The risk-based alerting is excellent."
- "The Splunk platform is not unified. We have all of these different tools and they feel a bit disjointed."
What is our primary use case?
The primary use case is for failed login attempts. I typically stick to the security use cases.
How has it helped my organization?
The risk-based alerting helped to decrease false positives. We would just get a bunch of email alerts every time a threshold was reached previously and we'd have to investigate them. We'd have to deal with alert fatigue, the standard scenario where no one believes in the alerts anymore. So risk-based alerting has helped us tune out some of the noisier issues and then tune into the alerts, endpoints, and users that are problematic.
What is most valuable?
The risk-based alerting is excellent. It was most helpful in decreasing the amount of false positives that help bubble up the most problematic users and assets for the analysts, and it's fairly easy to implement.
Splunk Enterprise Security provides end-to-end visibility into our environment. It's a ten out of ten for that capability. Everyone wants to know what's happening across their environment. The more difficult part is defining the visibility, as we can't ingest the entire company into Splunk. So, the harder part is not necessarily gaining visibility. It's rather determining what visibility looks like. Oftentimes, it comes down to determining and prioritizing using the highest value.
Splunk Enterprise Security, when set up properly, helps us find any security events across multi-cloud, on-premises, or hybrid environments. It helps with investigations and helps us find that needle in a haystack.
While it doesn't necessarily help with data normalization, some pieces determine whether the data is usable and create that usability outside of enterprise security. It does assist in the process.
Splunk Enterprise Security provides us with relevant context to help guide our investigations. The context helps with risk-based learning, which is one of the things I rely on fairly heavily. It also helps reduce false positives and increases visibility to the most problematic endpoints and end users.
The Splunk Enterprise Security Hub has reduced our mean time to resolve; however, how much is hard to quantify. The dashboard is color-coded, and it's easy to read for the analysts. I don't often have to explain anything to them. Red is bad, green is good. The dashboards are relatively self-explanatory and it helps reveal the most difficult, problematic parts.
The solution does help with resilience - a bit. What it does is help us discover problems and reactively fix them.
What needs improvement?
I've definitely seen improvement. However, assets and identity are probably some of the most important integrations for risk-based learning. So if there was a way to make it easier - and, again, I know there's been significant improvement - that is one of the more annoying friction points when setting up risk-based alerting.
The Splunk platform is not unified. We have all of these different tools and they feel a bit disjointed.
For how long have I used the solution?
I've used the solution for maybe six years.
What do I think about the stability of the solution?
It's a complex tool. Everything needs to be done proactively. That said, it's relatively stable. There's a lot of stability built in, and I don't have any problems with it.
What do I think about the scalability of the solution?
I've worked in on-premises environments as large as 300 terabytes, and they return data very quickly. When it's done right, it can scale tremendously.
How are customer service and support?
The customer service and technical support can be hit or miss. Sometimes you get someone that is really good and knows their stuff and is really helpful. Sometimes you are trying to be patient and help them through. That's hard when you have someone breathing down your neck to get things fixed. They're nice. However, sometimes, when I have pressure on my end, I don't need someone who is nice - I need someone who knows how to fix my issue.
How would you rate customer service and support?
Positive
How was the initial setup?
I'm usually the one performing the setup work. I've been working with Splunk for a long time; it's relatively easy for me.
Enterprise Security is a beast. The best practice is to put it on its own search head. When setting it up, I'm asking for not only an additional light license for Enterprise Security. I have to ask for another server on top of it, too. It is quite a difficult task to ask when Splunk is already as expensive as it is. Then, there is technically setting it up and configuring it. It does take time to configure and normalize all the very foundational parts, such as the assets on identities, which is absolutely integral to getting security working. While I enjoyed the process, it took a lot of work.
What about the implementation team?
I am a consultant and do assist with the setup.
What was our ROI?
My work typically has to do with improving the quality of alerts or content and normalizing data. I don't usually get to the point where I'd be able to measure ROI.
What's my experience with pricing, setup cost, and licensing?
I'm not the person that deals with pricing. I have heard there is sticker shock.
What other advice do I have?
I'd give the solution an eight out of ten. There are a lot of great features. They're constantly increasing the value of Enterprise Security. However, they're leaving behind many smaller clients that don't have the knowledge or expertise and don't have professional services, which is another large expense. A lot of smaller clients just don't have the ability to set it up properly, and when that happens, they're only leveraging 30% to 40% of its capabilities. They're upset and wonder why this very expensive tool is not working for them. That said, when it works, it works great.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer. Consultant