Splunk Enterprise Security Reviews

I have used the solution in my company since I was an admin for Splunk. Most of the people involved in the use cases associated with the product are those in the SOC team.

The tool has helped us to identify and analyze the possible threats. The product helps identify threats and do further investigations.

In terms of the benefits I have seen from using Splunk Enterprise Security, I would say that we are still working on implementing Splunk tools.

The most valuable feature of the solution is correlation searches, which allow you to easily find threats and other such areas.

It is really important that Splunk Enterprise Security provides end-to-end visibility into our company's environment, as it can help save time and make the response faster.

Splunk Enterprise Security has helped improve our organization's ability to ingest and normalize data with the use of data models and Splunk CIM.

The tool has helped reduce our company's alert volume as the identification process is fast.

Splunk Enterprise Security provides our company with relevant context to help guide our investigations. Any incident can be resolved in a minimal amount of time than expected, and we can get more information about such incidents. It can be resolved mostly on the same day and even in a few hours.

Splunk Enterprise Security helped reduce mean-time resolve. It has also helped improve our organization's business resilience. Considering the tool's ability to predict, identify, and solve problems in real-time, I would say that it keeps our company safe.

Splunk's unified platform helps consolidate networking, security, and IT observability tools. I cannot provide too many details because I am not working directly on the analytics part.

I think in the near future, we want to have Splunk Enterprise Security complemented with Splunk SOAR because we have been checking the administrations. It is pretty cool, considering the things that you can do with Splunk Enterprise Security and Splunk SOAR together.

Resource usage can probably be described as an area with shortcomings in the product where improvements are required.

Our company just saw the latest version of the tool here in the Gulf. I am not sure, though, about it because what Splunk showed us was really impressive.

I have been using Splunk Enterprise Security for five years. My company is a customer.

It is a stable solution. At my company, there are two Splunk admins. Splunk is so stable that though there are two Splunk admins in the company, nobody complains that something is not working. Stability-wise, I rate the solution a nine out of ten.

Scalability-wise, the tool is awesome since you can add or reduce your resources in an easy way.

The solution's technical support offered to users could be much more. At times, I get answers related to Splunk from the support team, which I feel are available on Google. I rate the technical support a seven or eight out of ten. I feel that sometimes the tool's support team uses Google to provide me with answers.

I did not previously use a different solution.

It was harder to get it working and configured correctly in the past. Things have changed a lot since the first version of the tool was released. I honestly feel comfortable anytime the tool releases something new to be deployed or if there is a new upgrade.

The solution is deployed on an on-premises model. I use the cloud services offered by Azure and AWS.

I have not seen a return on investment.

Splunk Enterprise Security is not a cheap product, but I think it is worth every dollar that you pay.

Considering that the initial configuration is difficult, I rate the solution an eight out of ten.

I use the solution in my company, and most of the use cases are security-specific. My company uses it to transfer from our detection engineering team to our incident response team. For observability, our company is looking for security events within the tool, and we are logging all the critical security infrastructure and security-relevant logs to a platform for security operations.

The tool has helped to streamline our company's mean time spent in understanding security-relevant events and mitigating those risks.

Some of the tool's best features are RBA and UBA. I also like the tool's single point-of-view dashboard for incident response. The case management area is one of its good features.

The tool has reduced the mean time needed to resolve. The reason is that the dashboard offers a single point of view, especially in areas where people aren't spread out. Our company is getting all the relevant data in there, and we are able to identify the problem instead of having to go to multiple tools or different interfaces.

It is very important for our organization that Splunk Enterprise Security provides end-to-end visibility into our environment. It is our company's way of understanding what is going on in our environment, and then it is our way of handling security events, relevant events, mitigating risk, understanding risk, quantifying risk, producing metrics, and everything else.

Splunk Enterprise Security provides our company with the relevant context to help guide our investigations. The tool has allowed us to gain better visibility and accuracy into security events.

The tool has helped our company improve the resiliency of our security operations. This is based on the fact that we don't have full adoption of the tool for all users in our organization, especially not Splunk Enterprise Security.

My company uses the tool for security operations, and we have built our security operations around Splunk based on what it can do and its performance.

I think Splunk is already improving its products. Some of the features that Splunk has been bringing out, like Splunk Attack Analyzer, while covering some of the other areas, like regulatory compliance and asset security, are good. It is just a matter of the customers being able to see the new features introduced by Splunk and get a demo to see if it makes sense for their work.

I already have Splunk Enterprise Security set up. My company is interested in seeing Splunk Attack Analyzer, and that is why we are dealing with Splunk's point of contact right now.

The area of concern revolves around the fact that Splunk is an expensive product. Splunk's expensive nature is an aspect where improvements are needed.

I have been using Splunk Enterprise Security for six to seven years.

It is a very stable solution. I never really had a hiccup with the tool. Even for migrations or anything, our company has never had to use Splunk's partners, and it has been a seamless process.

The tool's scalability has been good, but it depends on the organization and how Splunk is being adopted there.

The solution's technical support can be hit or miss, but it is mostly positive. I can't give you all the scenarios, but the one thing that I do like about Splunk is that if there ever is a hiccup, a simple phone call from our end can ensure that Splunk's technical team takes care of our problems. I rate the technical support a ten out of ten.

I have used many products in the past, but they were not in my present organization. It has been a long time since I used some products, as it was done back during my engineering days. I used to use HPE ArcSight. I have been through McAfee products, such as McAfee Nitro, back in the day. I have been an active Splunk business owner for almost a decade now.

The product's initial setup phase has been perfect since our company uses the cloud services offered by Splunk.

The solution is deployed on the cloud services offered by Splunk.

The reseller that my company gets in touch with to help with the implementation part is called GuidePoint Security. My company's experience with GuidePoint Security has been good.

I think that based on my experience in the organizations that I have been in with Splunk, the tool definitely fetches a return on investment because it allows us to streamline security-relevant events that we need to take care of quickly. Overall, the tool saves us from any impact on our finances and business.

Most of Splunk's customers are trying to find ways to keep the pricing from the ingest licensing model of Splunk down. What that comes down to is that we have to manage the platform. For our company, being a security enterprise and using it for security-relevant data allows us to streamline and control the ingest licensing model because we don't put in a lot of stuff in the tool. We have other things that we output to different data lakes. Splunk has always been on the expensive side.

The ease of deploying the tool, its great customer service, and the development you can do within the tool is very seamless, so I would recommend the product to my peers since it is a great solution.

I rate Splunk Enterprise Security a ten out of ten.

We use the solution for monitoring and detection and for threat hunting.

On the threat-hunting side, we can easily hunt down what we're looking for because Splunk's language parses the data coming in and allows us to utilize it to filter down through the data we need.

I very much enjoy Splunk's robust search nature, which enables me to find the data I want within the data I have. It's helpful for doing an investigation, whether that's an incident response or threat hunting.

It is important to our organization that Splunk Enterprise Security provides end-to-end visibility into our environment. That way, we can see where the data is throughout the entire process, depending on where we are in the incident.

Splunk Enterprise Security has helped improve our organization’s ability to ingest and normalize data.

Splunk Enterprise Security has, by far, the best search capabilities. It ties that into alerts and notables, allowing you to refine what you want to see in your data.

There's been a big push for SBC compute over the ingestion model, which will hamper us. We're trying to increase our search counts with things like risk-based alerting, and I think that change will hinder our process.

I have been using Splunk Enterprise Security for eight years.

Splunk Enterprise Security is a stable solution.

Splunk Enterprise Security is a scalable solution.

I think we recently switched to the SVC pricing compared to the ingest pricing. I don't know if that was the right move for us.

Overall, I rate the solution an eight out of ten.

Our use cases are mostly for security and detection, basic use cases. It's always been a security use case. We never used it for observability or ITSI. 

Our analysts use it a lot.

I like that it's a review panel, you can see all of your alerts. Another valuable feature is that it integrates with other apps like UBA and SOAR. 

I also like the guided alert creation. The guided alert creation is useful, especially for new people who don't know CPL. 

It's a premium app, it's easy to use and intuitive. 

Enterprise Security has one pane of glass for all of our alerts. We still use the Enterprise Security page where we keep track of everything. 

It's very important to us that Splunk offers end-to-end visibility into our environment. It has the ability to identify any security events or if data is reingested, we'll get an alert for that. End-to-end visibility is very important for a mature security program.  

Splunk helped to ingest and normalize data. Anytime that we put data in, we always normalize the SIEM model. ES runs off of that so it helps us to dot our I's and cross our T's. It helps us to use our data effectively.

It has tools to reduce our alert volume. We get a lot of alerts. It's more of a tuning thing than anything that the app can help with. 

It provides us with the relevant context to help guide our investigations. It's really useful in that aspect. 

It hasn't reduced our MTTR. SOAR would do that. It has helped our mean time to detect. 

It has increased our business resilience. It's a top-of-the-line SIEM security product. It's the best tool for our security analysts which helps them do their job better. That then protects our company from adversary actors. 

I have been using Splunk Enterprise Security for about five years. 

I've never had too many issues with the stability. Years ago we had indexes crash but that was more on us. We didn't understand how to properly size Splunk. If you work within the required parameters, it's stable. 

Their support is great. I've never had any issues with them.

Positive

The setup was pretty straightforward unless you add a search head cluster. Then it becomes a lot more complicated very fast. Other than that, it's not too bad. It's pretty simple and intuitive. I've done it before and it's not difficult especially if you have the docs to help you. 

I can't speak to the dollar amount but we see ROI in the way that it helps the analysts to better do their work. It helps keep track of things and having one pane of glass for all things data. 

I would rate Splunk Enterprise Security a nine out of ten. It's a top-of-the-line product. It allows analysts to do their jobs better. It's a single pane of glass. It's a fantastic tool that we couldn't do our work without. 

We use Splunk Enterprise Security for a lot of use cases. We use the predefined use cases and dashboards for AWS, notable events, endpoint detection network, and audit notable events.

The most valuable function is the notable events. When I joined the team, I asked them what they could currently see, and they said nothing. I was pretty shocked. I know that they were using Enterprise Security or at least they had purchased it. I told them that there are several dashboards within Splunk that we can leverage. There is also notable events where we can see potential incidents or potential alerts about the infrastructure and the network itself. 

The dashboards give us numbers for malware infection. So long as those dashboards are actionable, they help the SOC team a lot.

It's important to respond to incidents in a timely manner. Having end-to-end visibility across the board equips the team to make sure that whatever incident happens, it has a very minimum impact on the business. It also allows us to fix things that need to be fixed immediately. That's the asset of having end-to-end visibility across the board.

Enterprise Security really helps us normalize our data because it comes with predefined dashboards, so we only need to ingest the logs and Splunk will do the work to display what we need to see on a day-to-day basis.

When we started using Splunk, we had tons of false positives. We reduced our alerts by 90%. Most of our alerts now are actionable.

I would like to have fraud detection features. Fraud is within the same turf as with security operations. Fraud and cybersecurity work hand in hand. I would like to have detection capabilities, or at least dashboards in Enterprise Security for fraud. 

There's already a fraud offering from Splunk for fraud use cases but it's different. I need to get professional services for me to get that feature. It would be much more cost-efficient for customers if all those dashboards could be readily available within ES.

I have been using Splunk Enterprise Security since I joined my company in 2019, so it's been roughly five years.

Cisco just acquired Splunk so I expect the stability to still be the same since Cisco is established. 

I would rate support a nine out of ten because there's always room for improvement. 

Positive

I would rate Splunk Enterprise Security an eight out of ten. To make it a perfect ten, I would like to see them implement the fraud detection features. 

Our security relies on Splunk Enterprise Security to analyze data models for malware, threats, and MITRE ATT&CK techniques. Pre-built dashboards and multiple correlation searches help us identify anomalies. Any suspicious events flagged by the MITRE framework are categorized and assigned as tickets to our engineers for investigation and mitigation.

Splunk has streamlined our incident response by automating key processes. For instance, alerts trigger upon exceeding three failed login attempts, automatically assigning tickets for review. Similarly, unauthorized access attempts from unfamiliar regions are automatically blocked. These automated data-driven responses significantly improve our overall incident response efficiency.

The customizable dashboards offer great visualization and extra add-ons.

Splunk Enterprise Security helps us to easily monitor multiple cloud environments.

Mission Control lets us monitor and manage our security from a single panel.

Based on my short experience, I would rate Splunk Enterprise Security eight out of ten for its ability to analyze malicious activity.

Splunk Enterprise Security helps reduce our alert volume.

Splunk Enterprise Security streamlines our security investigations by providing a central platform and offering a growing library of add-ons that expand our investigative capabilities.

Splunk Enterprise Security stands out for its ability to integrate with existing security tools, provide informative dashboards, and offer IT Service Assurance functionality that goes beyond basic threat detection to include service performance monitoring.

Splunk Enterprise Security offers a vast amount of information to learn and comprehend, resulting in a challenging initial learning curve.

Extracting logs from Splunk for analysis in other applications is crucial for me. This would allow me to identify correlations between data sets and make informed decisions about next steps. Unfortunately, the current Splunk workflow seems to hinder data verification.

The licensing cost could be more competitive, as some of our competitors offer lower prices.

I have been using Splunk Enterprise Security for one year.

We have encountered issues when updating features where Splunk Enterprise Security doesn't work properly. I would rate the stability of Splunk Enterprise Security seven out of ten.

The technical support team is always supportive but their response time and knowledge can be improved.

Positive

The initial deployment was straightforward.

The license for Splunk Enterprise Security is expensive.

I would rate Splunk Enterprise Security eight out of ten.

We have Splunk Enterprise Security deployed across multiple locations.

The resilience Splunk offers is good.

I recommend Splunk Enterprise Security to others.

Splunk Enterprise Security is used for security monitoring. It helps manage the governance of the security monitoring from the start of an incident to the resolution.

Splunk Enterprise Security offers excellent visibility across multiple environments. It's a flexible platform with virtually no limitations.

The actionable intelligence provided by the threat intelligence management feature is good.

Splunk Enterprise Security does a good job analyzing malicious activities and detecting breaches.

Splunk Enterprise Security helps us detect threats much faster than before.

Depending on the client and their configuration, Splunk Enterprise Security can help reduce their alert volume by under 50 percent.

Splunk Enterprise Security helps our clients expedite security investigations. It achieves this by streamlining the process of finding evidence and incident logs within Splunk's data module.

Splunk Enterprise Security offers two valuable features: the Common Information Model and arrangement modules. The CIM helps standardize data for efficient searches, while arrangement modules automate incident log processing by enriching them with contextual client information.

While Splunk offers SOAR as a separate product, integrating it into the next version of Splunk Enterprise Security as a unified solution would be beneficial.

I have been using Splunk Enterprise Security for 2 years.

Splunk Enterprise Security is stable.

Splunk Enterprise Security is scalable.

The technical support experience is moderate. It can take a long time to resolve issues, and I often need to explain the problem to multiple support representatives. Ideally, I would have a single point of contact assigned to my ticket throughout the entire process.

Neutral

The initial setup of Splunk Enterprise Security involves moderate complexity. Deployment time can vary significantly, ranging from one hour to one month, depending on the environment's complexity.

Splunk Enterprise Security is expensive.

I would rate Splunk Enterprise Security 7 out of 10.

I suggest integrating SOAR with Splunk Enterprise Security.

Through Splunk Enterprise Security, we have implemented extensive login integration. This allows us to monitor and restrict access for sensitive accounts, such as superuser and master accounts when password rotations occur. If a login attempt is made for such an account, Splunk triggers a real-time workflow that automatically generates a P1 ticket for the Help Desk and IAM Operations teams to investigate and take necessary action.

Beyond real-time monitoring, we have established additional security measures. We utilize locks within JBOS to control manual account check-ins and user server activity, such as password verifications. Splunk ingests logs from any configured PAM solutions, enabling auditors and our technical team to readily access and analyze all privileged activities. We can also generate reports for session management, session logs, and audit logs.

Splunk Enterprise Security can enhance our organization's detection capabilities. While SIEM solutions are essential for most companies, choosing the right one is crucial. Splunk Enterprise Security is a popular option, and its benefits extend beyond technical teams. It can empower audit teams and provide visibility into user activities, including data sharing and out-of-the-box reports. Splunk's strength lies in its flexibility. It can integrate with other tools to fill any gaps in its capabilities. However, relying solely on one tool like Splunk isn't ideal. PAM tools often have built-in auditing and reporting features, but they may not offer the same level of customization or enterprise-wide visibility. This is where Splunk comes in. It provides a complementary solution, offering multiple ways to generate reports and gain insights.

We recently focused on enhancing Splunk Enterprise Security's identity correlation capabilities. This involved integrating it with several chosen applications. One key integration involved moving from Puppet to Ansible for managing privileged access management and performing virtualization tasks. Ansible allows for agentless management, meaning we don't need to install agents on every server. For broader asset management, we leverage CI/CD tools for efficient deployment across all servers. These tools significantly reduce the manual effort required.

Splunk Enterprise Security offers good visibility into multiple environments. However, certain applications in the financial sector, particularly for high-risk activities, still face regulatory or compliance restrictions that prevent them from migrating to the cloud. Despite these limitations, we see forward-thinking institutions like JPMorgan Chase taking the initiative to move lower-risk applications to the cloud. This trend extends beyond finance, with other sectors like healthcare already embracing cloud adoption.

In my assessment, Splunk Enterprise Security earns an eight out of ten for its ability to detect malicious activities and breaches, but only a seven out of ten for taking action.

Once we have an enterprise version set up, Splunk handles the initial identification steps of potential threats, saving us manual effort. I'd even rate Splunk a perfect ten for this initial phase. However, subsequent action items still require manual intervention – a bottleneck we can minimize with additional tools like endpoint security threat analytics that integrate with Splunk. This would enable complete threat modeling, including asset identification and mitigation directly within Splunk. Unfortunately, our company hasn't invested heavily in threat modeling, with a limited team compared to the larger IAM and risk groups. Thankfully, the industry is recognizing the importance of threat modeling, leading to increased hiring in this area.

Splunk Enterprise Security has significantly reduced our alert volume. This has freed up a substantial portion of the IM operations team, who were previously tasked with continuously monitoring for threats and anomalies across various applications, not just spam. By leveraging these threat detection tools, we anticipate being able to reduce IM operations staff by at least 50 percent.

Splunk Enterprise Security facilitates the acceleration of our security investigations, reducing the required time from one week to one day.

One of the features I appreciate most is privileged account threat detection. It identifies suspicious activity associated with fraudulent accounts detected on the endpoints of target systems.

Furthermore, the platform offers threat analysis and reporting that leverages Splunk data. This allows for the detection of irregular user access from machines directly. This functionality is crucial in large PAM environments with thousands of users, as it identifies inactive accounts.

For scenarios where users might not access the PAM portal to change passwords, different policies are implemented. Splunk plays a key role in detecting irregular user activity. By establishing a three-month threshold, we can identify cases where users haven't used their accounts despite not being on leave or vacation. Such instances warrant investigation to determine the continued need for privileged access.

We can automatically suspend or terminate suspicious sessions. We have also customized reporting within Splunk.

There are limitations with Splunk not detecting all user activity, especially on mainframes and network devices. This is because Splunk relies on agents, which cannot access certain workstations. In these cases, we have to rely on application data. For example, with mainframes, manual reports are generated and sent to Splunk, limiting visibility to what's manually reported. This lack of automation for specific platforms needs improvement from Splunk. Additionally, API access is limited for other applications that rely on API calls and requests. This requires heavy customization on Splunk's end. These are the main challenges we've encountered.

Monitoring multiple cloud platforms, like Azure, GCP, and AWS, with Splunk Enterprise Security presents some challenges. While Splunk provides different connectors for each provider, consolidating data from two domains across distinct cloud environments can be complex. However, leveraging pre-built templates and Splunk's data collation capabilities can help overcome these hurdles. Despite initial difficulties, I believe Splunk can effectively address this task, earning it an eight out of ten rating for its multi-cloud monitoring capabilities.

While Splunk Enterprise Security offers insider threat detection capabilities, its effectiveness could be enhanced by integrating with additional tools, such as endpoint security solutions. This integrated approach is particularly crucial for financial institutions, which often require dedicated endpoint security teams. While using multiple tools is valuable, further improvements within Splunk itself are also necessary. Considering both external integration and internal development, I would rate its current insider threat detection capabilities as three out of ten.

Threat detection is where Splunk falls behind. While it offers tools, other use cases require additional work. PAM is an enterprise tool that centralizes information about users, servers, and everything else. It needs real-time monitoring, which I haven't seen in any of the companies I've worked for. They only rely on Splunk for alerting, but real-time monitoring should be handled by the endpoint security team's tools. This means there's no detection or analysis at the machine or endpoint level. Additionally, threat analysis reporting is also absent.

I currently use Splunk Enterprise Security.

Splunk Enterprise Security's scalability and ability to handle large data volumes is great. Splunk can manage a lot of users and applications. I would rate the scalability a nine out of ten.

The technical support is a bit expensive but they respond quickly.

Positive

Splunk Enterprise Security is expensive but the solution is equipped with a lot of features.

My rating for Splunk Enterprise Security depends on the type of logs being analyzed and the company's specific environment and setup. If a company is actively comparing Splunk to competitors and their environment aligns well with Splunk's strengths, then a score of nine out of ten is justified.