Splunk engineer at MindPoint Group, LLC
MSP
Top 20
Jul 9, 2024
Great risk-based alerting, clear dashboards, and decreases false positives
Pros and Cons
  • "The risk-based alerting is excellent."
  • "The Splunk platform is not unified. We have all of these different tools and they feel a bit disjointed."

What is our primary use case?

The primary use case is for failed login attempts. I typically stick to the security use cases.

How has it helped my organization?

The risk-based alerting helped to decrease false positives. We would just get a bunch of email alerts every time a threshold was reached previously and we'd have to investigate them. We'd have to deal with alert fatigue, the standard scenario where no one believes in the alerts anymore. So risk-based alerting has helped us tune out some of the noisier issues and then tune into the alerts, endpoints, and users that are problematic.

What is most valuable?

The risk-based alerting is excellent. It was most helpful in decreasing the amount of false positives that help bubble up the most problematic users and assets for the analysts, and it's fairly easy to implement.

Splunk Enterprise Security provides end-to-end visibility into our environment. It's a ten out of ten for that capability. Everyone wants to know what's happening across their environment. The more difficult part is defining the visibility, as we can't ingest the entire company into Splunk. So, the harder part is not necessarily gaining visibility. It's rather determining what visibility looks like. Oftentimes, it comes down to determining and prioritizing using the highest value.

Splunk Enterprise Security, when set up properly, helps us find any security events across multi-cloud, on-premises, or hybrid environments. It helps with investigations and helps us find that needle in a haystack.

While it doesn't necessarily help with data normalization, some pieces determine whether the data is usable and create that usability outside of enterprise security. It does assist in the process. 

Splunk Enterprise Security provides us with relevant context to help guide our investigations. The context helps with risk-based learning, which is one of the things I rely on fairly heavily. It also helps reduce false positives and increases visibility to the most problematic endpoints and end users.

The Splunk Enterprise Security Hub has reduced our mean time to resolve; however, how much is hard to quantify. The dashboard is color-coded, and it's easy to read for the analysts. I don't often have to explain anything to them. Red is bad, green is good. The dashboards are relatively self-explanatory and it helps reveal the most difficult, problematic parts.

The solution does help with resilience - a bit. What it does is help us discover problems and reactively fix them.

What needs improvement?

I've definitely seen improvement. However, assets and identity are probably some of the most important integrations for risk-based learning. So if there was a way to make it easier - and, again, I know there's been significant improvement - that is one of the more annoying friction points when setting up risk-based alerting.

The Splunk platform is not unified. We have all of these different tools and they feel a bit disjointed.


For how long have I used the solution?

I've used the solution for maybe six years.

What do I think about the stability of the solution?

It's a complex tool. Everything needs to be done proactively. That said, it's relatively stable. There's a lot of stability built in, and I don't have any problems with it.

What do I think about the scalability of the solution?

I've worked in on-premises environments as large as 300 terabytes, and they return data very quickly. When it's done right, it can scale tremendously.

How are customer service and support?

The customer service and technical support can be hit or miss. Sometimes you get someone that is really good and knows their stuff and is really helpful. Sometimes you are trying to be patient and help them through. That's hard when you have someone breathing down your neck to get things fixed. They're nice. However, sometimes, when I have pressure on my end, I don't need someone who is nice - I need someone who knows how to fix my issue.

How was the initial setup?

I'm usually the one performing the setup work. I've been working with Splunk for a long time; it's relatively easy for me.

Enterprise Security is a beast. The best practice is to put it on its own search head. When setting it up, I'm asking for not only an additional light license for Enterprise Security. I have to ask for another server on top of it, too. It is quite a difficult task to ask when Splunk is already as expensive as it is. Then, there is technically setting it up and configuring it. It does take time to configure and normalize all the very foundational parts, such as the assets and identities, which is absolutely integral to getting security working. While I enjoyed the process, it took a lot of work.

What about the implementation team?

I am a consultant and do assist with the setup.

What was our ROI?

My work typically has to do with improving the quality of alerts or content and normalizing data. I don't usually get to the point where I'd be able to measure ROI.

What's my experience with pricing, setup cost, and licensing?

I'm not the person that deals with pricing. I have heard there is sticker shock.

What other advice do I have?

I'd give the solution an eight out of ten. There are a lot of great features. They're constantly increasing the value of Enterprise Security. However, they're leaving behind many smaller clients that don't have the knowledge or expertise and don't have professional services, which is another large expense. A lot of smaller clients just don't have the ability to set it up properly, and when that happens, they're only leveraging 30% to 40% of its capabilities. They're upset and wonder why this very expensive tool is not working for them. That said, when it works, it works great. 

Which deployment model are you using for this solution?

Hybrid Cloud

Disclosure: My company has a business relationship with this vendor other than being a customer. Consultant
PeerSpot user
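The reviewer above describes the effect of risk-based alerting (RBA): instead of an e-mail every time one rule's threshold is crossed, risk accumulates per user or asset and a notable is raised only for the entities that stand out. The following is an added example, not the reviewer's or Splunk's code, showing that aggregation logic in plain Python over constructed risk events. The rule names, scores, the threshold of 60 and the requirement that at least two distinct rules contribute are assumptions chosen for illustration; Splunk's own risk notables are built with the same two ingredients (summed risk score and distinct contributing sources), but the numbers here are not Splunk defaults.

```python
"""Risk-based alerting aggregation (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEvent:
    ts: int           # epoch seconds the detection fired
    risk_object: str  # entity the risk attaches to, e.g. "user:bob" or "host:ws-42"
    score: int        # risk contributed by this single firing
    rule: str         # name of the detection (risk rule) that fired


# Constructed sample risk events, not real telemetry. Alice trips one noisy
# rule seven times; Bob trips three different rules once each.
SAMPLE_EVENTS = [
    RiskEvent(1000, "user:alice", 10, "Excessive Failed Logins"),
    RiskEvent(1100, "user:alice", 10, "Excessive Failed Logins"),
    RiskEvent(1200, "user:alice", 10, "Excessive Failed Logins"),
    RiskEvent(1300, "user:alice", 10, "Excessive Failed Logins"),
    RiskEvent(1400, "user:alice", 10, "Excessive Failed Logins"),
    RiskEvent(1500, "user:alice", 10, "Excessive Failed Logins"),
    RiskEvent(1600, "user:alice", 10, "Excessive Failed Logins"),
    RiskEvent(2000, "user:bob", 20, "Excessive Failed Logins"),
    RiskEvent(2100, "user:bob", 30, "New Country Login"),
    RiskEvent(2200, "user:bob", 25, "EDR Alert on Host"),
    RiskEvent(3000, "host:ws-42", 15, "Rare Process Spawned"),
    RiskEvent(3100, "host:ws-42", 20, "Suspicious Outbound Connection"),
]


def per_rule_alerts(events):
    """The old model: every rule firing becomes its own alert/e-mail."""
    return len(events)


def _accumulate(events, window_start, window_end):
    """Sum score and collect distinct rules per risk object inside [start, end)."""
    totals = defaultdict(int)
    rules = defaultdict(set)
    for e in events:
        if window_start <= e.ts < window_end:
            totals[e.risk_object] += e.score
            rules[e.risk_object].add(e.rule)
    return totals, rules


def rank_entities(events, window_start, window_end):
    """Dashboard view: every entity ordered by accumulated risk, highest first."""
    totals, _ = _accumulate(events, window_start, window_end)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def aggregate_risk(events, window_start, window_end,
                   score_threshold=60, min_distinct_rules=2):
    """Raise a risk notable only when an entity's summed score crosses the
    threshold AND at least min_distinct_rules different rules contributed.
    The second condition is what silences one noisy rule firing repeatedly."""
    totals, rules = _accumulate(events, window_start, window_end)
    notables = [
        {"risk_object": obj, "risk_score": score, "rules": sorted(rules[obj])}
        for obj, score in totals.items()
        if score >= score_threshold and len(rules[obj]) >= min_distinct_rules
    ]
    notables.sort(key=lambda n: n["risk_score"], reverse=True)
    return notables


if __name__ == "__main__":
    print("per-rule alerts that would have been e-mailed:", per_rule_alerts(SAMPLE_EVENTS))
    print("entity ranking:", rank_entities(SAMPLE_EVENTS, 0, 10_000))
    print("risk notables:", aggregate_risk(SAMPLE_EVENTS, 0, 10_000))
```

With this data the old model produces twelve alerts; RBA produces a single notable for user:bob, even though user:alice has nearly the same total score, because all of Alice's risk comes from one rule. Shrinking the window so that Bob's third rule firing falls outside it drops the notable again, which is the tuning knob analysts actually turn.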
Valarie - PeerSpot reviewer
SOC Technical Lead at an educational organization with 1,001-5,000 employees
Real User
Top 20
Jun 23, 2024
Gives visibility into what's happening across the network and allows us to dig deep
Pros and Cons
  • "Being able to aggregate detection and alerts from various sources is valuable. Like everyone else, we have a wide range of tools in our shop. We are able to stop at one spot and look at all the data. All the data is able to come through, and we can then jump from source to source or index to index. We can dig deep whenever we need to and get a good high-level understanding."
  • "The first thing that comes to mind is a little bit of UI improvement. It sometimes can be a little bit buggy or it can be a little bit slow, but that varies from customer to customer."

What is our primary use case?

I am a SOC lead, and we use Splunk Enterprise Security for alerting and working on incident review and incident response.

We have a hybrid environment. We have multiple clouds, and I am not sure if I know all of them. We have Azure Labs that we run for our students. We have cloud infrastructure. We have cloud applications on which we need visibility.

How has it helped my organization?

It is incredibly important that Splunk Enterprise Security provides end-to-end visibility into our environment. Especially being someone who goes through and reviews the work that my analysts are doing, I definitely need to be able to see what is happening all across different domains of our network.

We work for a large university, and we have different tenants. We have our students, we have our employees, and then we have our faculty as well. We definitely need to see what is happening across the domains and across all of those different tenants.

It saves so much time for the analysts, and it empowers analysts to carry out and triage an investigation, wherever needed. It is incredibly hard when you are working with different sources. I am sure everyone else knows that you cannot expect your analysts to be on the same page a hundred percent of the time. They might say, "Hey, I am going to go into this tool and look at these alerts here, or I am going to look at these learnings from this tenant." We need to be looking at all of those sources and all of those domain tenants at once. Being able to see that across the board and not having to jump through hoops to get the data that we want is extremely valuable. I do not have metrics for how much time it has saved because I do not know our life before Splunk. I know that it has done a great deal in saving time, and now with SOAR, that is exactly what we are looking into. We are looking into how we can empower that even more by combining it with Splunk Enterprise Security.

Splunk Enterprise Security has helped improve our organization’s ability to ingest and normalize data. Splunk is definitely a leader. I cannot imagine leaving and going to another toolset and losing the capabilities that I have and the knowledge that I have. One of my favorite parts is that Splunk really does work. It seems to me that they work with actual users on a regular basis, so they know the pain points and they know what our issues or our primary concerns are.

In the beginning, it did not help to reduce our alert volume, but over time, it has definitely reduced that. Something that I am working on primarily with our SOC right now is increasing our alert volume because we are at such a low rate because of the work that we can do with Splunk's capabilities. We are looking into what areas in the network we are not alerting on. We have these out-of-the-box solutions, but there is more that we can build on. It is empowering our analysts to be SOC analysts, but the more advanced employees can work towards the threat detection engineering side or SOAR playbooks development side or even just on the backend of setting up and working with the configuration.

I wish I knew the metrics for the reduction in the alert column. I do not have any approximation, but our SOC is very manageable. We are a small team, and the number of alerts varies. On average, we get about 300 alerts a day on the high end and 150 alerts on the low end. If it is a very slow day, such as a vacation for everyone, and we do not have a lot of activity going on in the network on our endpoints, it is very manageable for a small team. Our SOC team has four full-time employees, and then we have intern/student workers because we partner with the university. We have three of them. Overall, there are seven, but, of course, students are only able to work a maximum of 15 or 18 hours a week or something like that, so the amount of man-hours that we have is pretty low.

Splunk Enterprise Security provides us with the relevant context to help guide our investigations. There could be a little bit more, but that also depends on the analysts and where they are in terms of maturity. I have a lot of capability to go and expand what I need to, but others do need a little bit more guidance. It is not easy on the first look for someone who has never done it before, but after being taught or learning about it themselves, it is pretty easy. It can still do a whole lot. If we are looking at an anonymous login, we are getting context from different sources. If there is an activity that is going on in the host machine, such as we have some login from Russia, which has never happened before, there is a firing of alerts from the EDR. We can see our email gateway firing alerts regarding their account. That allows us to contextualize and correlate the activity very easily.

Splunk Enterprise Security has helped improve our organization’s business resilience. We are able to take action immediately when we need to. Especially with risk-based alerting, we are able to understand what needs attention right now. We do work with young junior analysts a lot, and we are able to teach them how to identify what needs action right now or what needs to be investigated or triaged immediately. We are basically protecting our crown jewels first rather than some low-hanging fruit that we see everyday, but we cannot take a look at them because we have some important things going on in our network.

What is most valuable?

Being able to aggregate detection and alerts from various sources is valuable. Like everyone else, we have a wide range of tools in our shop. We are able to stop at one spot and look at all the data. All the data is able to come through, and we can then jump from source to source or index to index. We can dig deep whenever we need to and get a good high-level understanding.

What needs improvement?

The first thing that comes to mind is a little bit of UI improvement. It sometimes can be a little bit buggy or it can be a little bit slow, but that varies from customer to customer.

They can continue building out the Splunk community. They can give incentives for customers to collaborate and expand on what they are working on but also provide the tools to do that. There are good resources such as Splunktern. I love the Splunk education and training platform. It is amazing, but I wish there was a little bit more. Especially with the training and applications, they should give us real-world use cases and a little bit more specific scenarios. Splunk is doing a much better job than a lot of other organizations or technology platforms, but they can give more information. I know a lot of my Splunk users do not even realize the things that they can do. On the user end or analyst end, they need to be more proactive by giving more of a heads-up. For example, I found out about Splunk research today. I have been using Splunk for two years. I wish I had known about that more. They can reach out more. The incentives can be anything. Some people love stickers, and some people love shirts. They can create that community a little bit more.

For how long have I used the solution?

I have been using Splunk Enterprise Security for two years.

What do I think about the stability of the solution?

I do not have much to compare it to, but it is stable. We hardly have any issues, and if we do, they are intermittent. 

What do I think about the scalability of the solution?

The growth that we have seen in my time with our team has not been so much. However, we are adding more tools or trying to gain visibility into different areas of our network or applications that have already been there. Being able to throw some logs in and figure out that we should be monitoring this has been painless. We can just forward them all over. It takes an hour or so. We get the answers and the visibility that we need.

How are customer service and support?

I have not used it very often. I have used it once or twice, but I would say that the engineers I have worked with have been extremely knowledgeable. They have helped so much. We were working on SOAR, and we were pretty new to it as a SOC. We were able to work all of that out with a Splunk engineer on a call. They were able to answer our questions. They knew our needs and goals, and they were able to guide us to meet those. That has been very effective for us. I would rate them a ten out of ten. I have not had any bad experiences.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We have had Splunk since I have been in this company.

What was our ROI?

Specifically, I cannot say what return on investment we are getting. However, when we look at other products, we know we are not going to have the same capabilities and we are not going to have the same response times and correlation capabilities. Even working with other vendors and getting their logs into Splunk can be a nightmare, and that is enough to make us say that we do not want to buy their product.

Which other solutions did I evaluate?

Personally, I have not evaluated other solutions. We do have some friends and family connections who use other solutions. Based on their stories, we will continue using Splunk.

What other advice do I have?

I would rate Splunk Enterprise Security a nine out of ten. If it were a ten, it would do my job for me.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Abdur Rashid - PeerSpot reviewer
SOC Analyst at nust
Real User
Jun 10, 2024
Helps monitor multi-cloud environments, detect threats faster, and reduce alert volume
Pros and Cons
  • "Splunk Enterprise Security's value lies in its ability to collect and analyze security logs, providing insightful dashboards."
  • "Splunk's high cost, despite its recognition in our region, prevents many organizations from adopting Splunk Enterprise Security, suggesting there's room for improvement in their pricing strategy."

What is our primary use case?

We use Splunk Enterprise Security as our SIEM solution.

The log sources are in multiple cloud environments, but the deployment of Splunk is on-premises.

How has it helped my organization?

Monitoring our AWS and Azure cloud environments with Splunk Enterprise Security is easy.

The visibility into multiple cloud environments is good. We have complete visibility because we integrate all our logs and sources into Splunk.

Splunk Enterprise Security's insider threat detection capabilities module runs on the backend and provides complete visibility into anomalous behavior and zero-day attacks.

The threat intelligence management feature is a necessary tool in our environment. The actionable intelligence provided by the threat intelligence management feature is helpful. We can see the IoC to help with our investigation.

Splunk Enterprise Security does a good job analyzing malicious activities and detecting breaches.

Splunk Enterprise Security helps us detect threats faster.

Splunk Enterprise Security helps reduce our alert volume by whitelisting the false positives.

Splunk Enterprise Security has helped speed up our security investigations. Splunk uses user-friendly language and visibility to speed up our investigation times.

Splunk offers significant time savings for analysts compared to tools like Azure Sentinel, with analysts resolving alerts 30-40 percent faster. Additionally, Splunk's user-friendly dashboards simplify administration.

What is most valuable?

Splunk Enterprise Security's value lies in its ability to collect and analyze security logs, providing insightful dashboards.

What needs improvement?

Splunk's high cost, despite its recognition in our region, prevents many organizations from adopting Splunk Enterprise Security, suggesting there's room for improvement in their pricing strategy. 

For how long have I used the solution?

I have been using Splunk Enterprise Security for six months.

What do I think about the stability of the solution?

Splunk Enterprise Security is stable.

What do I think about the scalability of the solution?

Splunk Enterprise Security is designed for easy scaling.

Our organization is expanding our clusters day by day.

How are customer service and support?

The technical support is collaborative. We do receive a response within the appropriate time.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

While I have experience with Azure Sentinel and other SIEM tools, Splunk stands out for me. It provides a full SIEM experience with informative dashboards, clear language for easy analysis, comprehensive visibility across my systems, and a robust CIM for data organization.

How was the initial setup?

The initial deployment was technical but not overly complex. We faced difficulties with the log process going down and not getting the results in the client console. The overall deployment took around three hours to complete.

Three people were involved in the deployment. 

What about the implementation team?

The implementation was completed in-house.

What's my experience with pricing, setup cost, and licensing?

Splunk differs from other SIEM solutions by using a gigabyte-based pricing model, rather than the agent-based licenses common with its competitors.

While Splunk Enterprise Security carries a higher cost and requires budgeting, cheaper SIEM and open-source alternatives often have limitations. This makes the decision a matter of weighing the cost against the features most important to each organization's security needs.

What other advice do I have?

I would rate Splunk Enterprise Security nine out of ten.

On paper, Splunk Enterprise Security is the top solution for detecting security threats in any organization, but Splunk Enterprise Security is expensive and most organizations don't have a proper budget to implement a SIEM solution. So they look for a more reasonable cost-effective solution. This is a hurdle for implementing Splunk Enterprise Security. It was originally designed for data science and modified for security. It is a top tool for SIEM and data analytics.

Splunk Enterprise Security stands out for its threat detection capabilities, but its cost can be a barrier for many organizations. Originally designed for data science, it excels in both security and analytics, but its price tag often pushes businesses towards more budget-friendly SIEM solutions.

Splunk Enterprise Security offers good resilience for our customers.

For organizations that don't have the budget for Splunk Enterprise Security, I would recommend Azure Sentinel.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
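Two of the reviewers above credit the Common Information Model (CIM) for making logs from unrelated sources usable together (the "robust CIM for data organization" and the note that normalizing assets and identities is foundational). What that means in practice is mapping each source's raw fields onto a shared schema before any detection runs. The block below is an added example, not code from the reviewers or from Splunk, that normalizes three constructed raw events (a Windows Security logon event, a Linux sshd line and an AWS CloudTrail ConsoleLogin record) onto the CIM Authentication field names action, user, src and app, and then runs one cross-source failed-login check over the normalized records. The sourcetype names, app labels and the threshold of three are assumptions for the example; the raw lines are simplified, constructed samples.

```python
"""Normalize heterogeneous auth logs to CIM-style fields, then detect
failed logins across all sources at once (added example, constructed data)."""
import json
import re

# Constructed raw events: (sourcetype, raw text). Not real telemetry.
RAW_EVENTS = [
    ("WinEventLog:Security",
     "EventCode=4625 Logon Type: 3 Account Name: admin Source Network Address: 203.0.113.5"),
    ("WinEventLog:Security",
     "EventCode=4624 Logon Type: 10 Account Name: jsmith Source Network Address: 10.0.0.7"),
    ("linux_secure",
     "Jun 10 03:14:07 bastion sshd[2214]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2"),
    ("linux_secure",
     "Jun 10 03:14:09 bastion sshd[2214]: Accepted publickey for deploy from 10.0.0.9 port 40012 ssh2"),
    ("aws:cloudtrail",
     json.dumps({"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
                 "userIdentity": {"userName": "admin"},
                 "responseElements": {"ConsoleLogin": "Failure"}})),
]

WIN_RE = re.compile(
    r"EventCode=(?P<code>\d+).*?Account Name: (?P<user>\S+).*?Source Network Address: (?P<src>\S+)")
SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def normalize(sourcetype, raw):
    """Map one raw event onto CIM Authentication fields. Returns None for
    events that are not logon attempts, so they never reach the detection."""
    if sourcetype == "WinEventLog:Security":
        m = WIN_RE.search(raw)
        if not m or m["code"] not in ("4624", "4625"):
            return None
        return {"action": "failure" if m["code"] == "4625" else "success",
                "user": m["user"].lower(), "src": m["src"], "app": "windows"}
    if sourcetype == "linux_secure":
        m = SSH_RE.search(raw)
        if not m:
            return None
        return {"action": "failure" if m["result"] == "Failed" else "success",
                "user": m["user"].lower(), "src": m["src"], "app": "ssh"}
    if sourcetype == "aws:cloudtrail":
        rec = json.loads(raw)
        if rec.get("eventName") != "ConsoleLogin":
            return None
        outcome = rec.get("responseElements", {}).get("ConsoleLogin", "")
        return {"action": "failure" if outcome == "Failure" else "success",
                "user": rec.get("userIdentity", {}).get("userName", "unknown").lower(),
                "src": rec.get("sourceIPAddress", "unknown"), "app": "aws_console"}
    return None


def normalize_all(raw_events):
    return [n for st, raw in raw_events if (n := normalize(st, raw)) is not None]


def brute_force_sources(events, threshold=3):
    """Sources with at least `threshold` failed logins, counted across every
    app. One bad source hitting Windows, SSH and the AWS console once each
    is visible here but invisible to a per-source-type rule."""
    stats = {}
    for e in events:
        if e["action"] != "failure":
            continue
        s = stats.setdefault(e["src"], {"failures": 0, "apps": set(), "users": set()})
        s["failures"] += 1
        s["apps"].add(e["app"])
        s["users"].add(e["user"])
    return {src: {"failures": s["failures"], "apps": sorted(s["apps"]), "users": sorted(s["users"])}
            for src, s in sorted(stats.items()) if s["failures"] >= threshold}


if __name__ == "__main__":
    normalized = normalize_all(RAW_EVENTS)
    for rec in normalized:
        print(rec)
    print("brute-force sources:", brute_force_sources(normalized))
```

The point of the example is the last function: once every source speaks the same field names, the detection is written once against action/src/app and automatically covers a new log source the moment someone adds a normalize branch for it, which is the behaviour the reviewer describes when new tools are forwarded in and "we get the visibility that we need."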
Siddharth Rai - PeerSpot reviewer
Cyber Security Specialist at a tech services company with 10,001+ employees
Real User
May 12, 2024
Monitors multiple cloud environments and integrates well with other tools
Pros and Cons
  • "It follows MITRE ATT&CK and Cyber Kill Chain frameworks. There are certain notable events for which we can configure our security posture."
  • "The support and the pricing can be better."

What is our primary use case?

There are lots of use cases such as finding threats, attack factors, and logs. It helps with rogue DNS or brute force attack detection. We have logs related to why a particular account was created. There is alerting. We can get some false positives, but by fine-tuning some of the things, we can reduce false positives.

Splunk is a security monitoring tool. It helps with incident handling, data logging, and observability of metrics. Splunk can handle all these things. Splunk Enterprise security is a premium app of Splunk through which we can have all the threat intelligence and incident reviews. It helps in finding all the attacks and Advanced Persistent Threats (APTs).

We also have dashboards. We can collect logs from different sources and applications. We can also troubleshoot issues. If we are having any issues with an application, we can go to that particular index to see what is the cause. If any application is failing or giving an error, we can troubleshoot the issue. We do not have to log into the server to find the error.

How has it helped my organization?

We monitor multiple cloud environments. We have GCP, Azure, and AWS. It is easy to monitor multiple cloud environments using the Splunk Enterprise Security dashboards. Splunk releases inbuilt apps, so by using those apps and add-ons, we can integrate it with our cloud environments. For example, for Azure, they have a Microsoft Cloud Services add-on. We need to register the app in Azure, and after registering the app, we have to use the tenant ID and set it up. There are a lot of inputs, and we can use all those inputs to onboard different logs from Azure. There is also the capability for HTTP event collection.

We have a hybrid environment, and that works best for us. For a lot of things, we cannot just go fully cloud. Hybrid is the best option for us. We are happy with the visibility that Splunk Enterprise Security provides. It is also about how we configure things. If we do not do it in the right way, we will not get visibility. We have to know what kind of tools we are using and what kind of data we are pulling. We cannot pull everything. We have to know what to pull. If we pull only what is required, we would not have any problems.

Splunk Enterprise Security comes with MITRE ATT&CK and Cyber Kill Chain frameworks by default. There are 12 processes in the MITRE ATT&CK framework. We just have to onboard logs, create the data models, and assign those ATPs to monitor all the kill chains. We can monitor all attack vectors and persistent threats that we want to monitor.

Splunk Enterprise Security is good for analyzing malicious activities and detecting breaches. I would rate it a 9 out of 10 for that. It can also go to 10 for different clients based on different requirements.

Along with Splunk Enterprise Security, we also install another Splunk app that has all the threat intelligence. We then feed the data through a CSV file and create the use cases. We set up alerts for those. In the case of an event, an alert is generated and assigned to a particular SOC analyst. There can be some false positives, but with proper configuration and filtering, they can be reduced.

Splunk Enterprise Security has been very beneficial and valuable for us. Our application teams can use the indexes to troubleshoot the issues they are facing at their location.

What is most valuable?

Being able to ingest data from all the tools and all the apps being used in the environment is valuable. Being able to create alerts when, for example, the CPU usage reaches 95% is also valuable. We can set up alerts and proactively fix the issues. Splunk helps with all these things, and Splunk Enterprise Security has almost 2,000 use cases. It follows MITRE ATT&CK and Cyber Kill Chain frameworks. There are certain notable events for which we can configure our security posture. We can onboard all the logs through indexes and create dashboards to view what is going on in the environment.

What needs improvement?

Overall, it is pretty good. They are improving it every day. They recently released SC4S for onboarding syslog data. However, the support and the pricing can be better.

For how long have I used the solution?

It has been 8 years since I have been using Splunk. I am not a part of the core security team. I handle some parts of enterprise security, such as SIEM data models or the creation of some correlation searches and use cases. The majority of things, such as threat hunting or threat intelligence, are managed by our core security team.

What do I think about the stability of the solution?

We faced some issues, but we fixed them ourselves. We have around 10,000 knowledge objects running. All the knowledge objects should not be running all the time. They should be distributed over 24 hours so that the servers do not have any extra pressure at a particular time. We used to have an issue with our indexes going down. The CPU was being utilized 100%, and everything was getting stopped. We found the issue. We fixed that, and we are good now.

What do I think about the scalability of the solution?

It is pretty easy to scale. For Splunk Cloud, we log a ticket with Splunk support, and they start the process. It does not take much time. However, there is a cost involved in that. 

We have been ingesting 40 TB a day. We have three locations: The USA, the UK, and France.

How are customer service and support?

The SLA for Splunk Cloud support is not satisfactory for a customer. The turnaround time is a bit low. That should be fixed. I would rate their support a 9 out of 10.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have not used any similar solution in my current organization.

In my previous organizations, I have used solutions such as ELK, IBM QRadar, and Microsoft Sentinel. Microsoft Sentinel is good. Splunk is better than QRadar. Splunk has a lot of capabilities. It makes it easier to do many things and do them correctly. It does not require as much effort as required in IBM QRadar and Microsoft Sentinel.

Splunk is a bit costly, but if we control our usage during our searches, its cost is okay. When not controlled, it becomes a bit costly.

To those evaluating Splunk and solutions, I would advise knowing the features they would be getting. ELK is open source, but there is an underlying cost of infrastructure. The cost almost becomes the same. You have to hire people who can work on ELK and then you have the underlying infrastructure cost.

How was the initial setup?

We were on-premises, but we recently moved to Splunk Cloud. We have been using Victoria for the last eight months. When going from on-premises to Splunk Cloud, Splunk recommends engaging professional services. 

What about the implementation team?

The migration was done by Splunk. For administration and maintenance, we have about eight people, but the number of users in the environment would be in the thousands.

The maintenance of Splunk Cloud is taken care of by Splunk. Customers do not manage the clusters. With the on-prem setup, we have to patch the servers, upgrade the servers, or restart them from time to time so that the rebalancing of the buckets happens properly. In Splunk Cloud, we do not have to do these things. We only take care of the data normalization part. All other things are managed by Splunk.

What was our ROI?

It does provide a return on investment.

What's my experience with pricing, setup cost, and licensing?

It is a bit costly.

What other advice do I have?

Be clear about what you want and try to filter out as much as possible. Create role-based rules and assign them to users rather than assigning every role capability to all the users. Also, everyone should not have access to all indexes. Only certain people should have access. For example, if someone is from the AD team, he or she should have access to the particular index logging the AD logs. They should not have access to all of it. There should also be some kind of training before you give access to people so that they know which searches to use and which ones not to use. They should understand the impact of various things.

I would rate Splunk Enterprise Security a 9 out of 10 based on my experience and the work that I do with the core security team. They are pretty satisfied with it.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
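The advice above about giving the AD team access only to the index that holds AD logs, rather than every index, maps directly onto Splunk role configuration. The fragment below is an added example of what that looks like in authorize.conf; it is not the reviewer's configuration. The role and index names (role_ad_team, wineventlog, ad_audit) and the quota values are assumptions chosen for illustration. The weak stanza is shown first so the difference is visible.

```ini
# Weak: a role that can search every index. Anyone holding it can read
# HR, finance or application data they have no business seeing, and an
# unbounded "index=*" search is also the kind that pins the CPU.
[role_everyone_broad]
importRoles = user
srchIndexesAllowed = *
srchIndexesDefault = *

# Hardened: the AD team only sees the indexes holding AD logs (assumed
# names), gets a sensible default scope so "index=" need not be typed,
# and runs under quotas and a 30-day time window that bound runaway
# searches. Note that importRoles also inherits the imported role's index
# access, so the role being imported must itself be narrow.
[role_ad_team]
importRoles = user
srchIndexesAllowed = wineventlog;ad_audit
srchIndexesDefault = wineventlog
srchFilter = sourcetype=WinEventLog:Security OR sourcetype=ad:audit
srchTimeWin = 2592000
srchJobsQuota = 5
srchDiskQuota = 1000
```

Two checks a practitioner would make after deploying this: log in as a member of the role and confirm that searching an index outside the list returns nothing rather than an error that leaks the index's existence, and review what the imported base role itself allows, since a broad base role silently widens every role built on it.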
General Manager, Information Risk Management Strategy & Transformation at an energy/utilities company with 10,001+ employees
Real User
May 8, 2024
Helps with the functioning of an organization's security operation center and to detect anomalies in data
Pros and Cons
  • "The solution's most valuable feature is that it helps with our use cases to detect anomalies in our data and it is important to my company since we have a lot of data on different logs on the systems."
  • "Considering the contract thing and the whole legal area, it takes forever to get the contracts signed and to be able to agree to the terms and conditions for my company as well as for Splunk's team."

What is our primary use case?

The solution is used in my company to help the security operation center in work areas like detection, response, and investigation while maintaining cybersecurity standards.

How has it helped my organization?

My company has benefited from using Splunk Enterprise Security, which has helped us stay out of the headlines in newspapers. The tool helps detect threats early and respond to them effectively.

What is most valuable?

The solution's most valuable feature is that it helps with our use cases to detect anomalies in our data and it is important to my company since we have a lot of data on different logs on the systems. We need to be able to create insights that are indicative of malicious activities, which is one of the main purposes of having Splunk Enterprise Security in our company.

What needs improvement?

The product lacks cross-cutting capabilities. The features in Splunk Enterprise Security that were initially promised to our company are still not available. My company has been asking Splunk for some of these features to be provided in the product for years, and we have been promised that they will be introduced soon in the solution and be part of the product's next release.

I believe that the contract and the terms and conditions mentioned in it are areas where improvements are required.

For how long have I used the solution?

I have experience with Splunk Enterprise Security.

What do I think about the stability of the solution?

When it comes to the on-premises version, the stability of the product was quite reliable. When my company moved to the product's cloud version, we faced some major issues related to availability and dealing with events like data corruption.

What do I think about the scalability of the solution?

The product's scalability is okay. I do not think my company faced issues in the area of scalability.

How are customer service and support?

The product's support services were not great initially, but now they are in really good shape. Whenever my company connects with the product's support team, they listen to our questions and queries, so I feel that we are in a much better place now. I rate the technical support as eight out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

My company has experience with ArcSight. We switched to Splunk Enterprise Security because we couldn't get good answers to our questions from ArcSight, and it was just not functional.

How was the initial setup?

The solution is deployed using the cloud services offered by Splunk. Recently, my company also deployed the tool on an on-premises model. In our company, we monitor both cloud and on-premises with our cloud instance.

In the beginning phase, I would describe the deployment experience as a costly and hard process. The migration process from on-premises to cloud was hard and took our company a year to complete. There were different kinds of roadblocks on our company's and Splunk's end. My company worked directly with the migration process associated with the product.

What was our ROI?

It is difficult to say whether I have seen an ROI since it is like trying to figure out how much an insurance policy works. I think that our company will receive a return on investment from the use of the solution since it helps the organization's cybersecurity team stay out of the newspapers. My company has always been able to deal with threats quickly with the product.

What's my experience with pricing, setup cost, and licensing?

Regarding the product's pricing, I think it has always been difficult to have a conversation with Splunk. Considering the contract thing and the whole legal area, it takes forever to get the contracts signed and to be able to agree to the terms and conditions for my company as well as for Splunk's team. I like the direction Splunk stays in by thinking with the customers about how to reduce costs and only have that data searchable or available, which you need at a particular time. I like the path Splunk is going on, specifically its current trajectory. I appreciate the efforts put in by Splunk in the area of partnership, which is what my company expects.

Which other solutions did I evaluate?

My company uses Microsoft Sentinel. A multi-SIEM environment provides my company with the best of both worlds. Sentinel has some good features, like Microsoft Graph Security, that the tool uses for the whole Microsoft ecosystem. Microsoft Sentinel is a good option for my organization.

In my company, Splunk acts as a product that complements Sentinel because the former lacks some features. I think Microsoft is strong in the area of service delivery. Microsoft's EDR tools, like Microsoft Defender, use servers from Microsoft Graph Security, and my company benefits from such a type of integration, and we are able to send alerts to Splunk. In our company, if we start to ingest all the data we usually ingest in Splunk by moving to Sentinel, it will become too expensive, so we have to choose where to keep our data.

What other advice do I have?

My company has been able to reduce the mean time to resolve with Splunk Enterprise Security as it went down from a couple of days to hours.

My company has seen a significant reduction in alert volume. It was very noisy earlier, but lately, my company hardly sees any false positives.

It is super important that the solution provides end-to-end visibility of our company's environment because you can never know from where threats can materialize. The fact that users can correlate and ingest data makes sense and is crucial, considering the massive amounts of data.

Splunk Enterprise Security has helped improve our company's ability to ingest and normalize data, which is one of the tool's key benefits.

I would not say that Splunk Enterprise Security has helped solve problems in real-time scenarios, but it has helped solve problems on a near real-time basis. In my company, there is always some lag between the data that comes in and the ones being ingested and correlated. Splunk Enterprise Security aids in solving problems in a matter of minutes.

Splunk Enterprise Security provides relevant context to help guide our company's investigations, and it is very important and can be considered everything for our organization. In our company, we pull in data from assets and registries to give index-based alerts and be able to find owners quickly to notify them and respond to threats.

Splunk Enterprise Security's ability to help our company find any security events across environments is excellent. My company is really happy with Splunk Enterprise Security. The product helps our company find bad stuff when needed.

The truth is that it is very hard to deliver solutions that work at a certain scale. I think that one of the things I could say is that it is a solution that scales up at work. There are many organizations where solutions fail, and I can say that since I have been a part of the deployment of many other tools, it is hard to get many products to work. Splunk Enterprise Security works, and our company's analysts rely on it and trust it. I can only see improvements considering the strategies in terms of where the product's management team is going, and I believe that I will be able to rate the tool a nine out of ten pretty soon.

I rate the overall solution an eight out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Sagar Shubham - PeerSpot reviewer
Senior Software Engineer at Wipro Limited
Real User
Apr 16, 2024
Helps improve our incident response time, and provides great visibility, but the deployment is complex
Pros and Cons
  • "Splunk Enterprise Security's dashboards are a key asset."
  • "The presence of multiple layers creates a significant challenge for monitoring across cloud environments."

What is our primary use case?

We use Splunk Enterprise Security for threat detection on our network devices.

How has it helped my organization?

Splunk Enterprise Security excels at threat detection. We've developed multiple correlation searches leveraging security data. These searches identify threats and categorize them by urgency level, enabling our security analysts to prioritize and take swift action.

Splunk Enterprise Security has helped us improve our incident response time. We achieve this by ensuring our queries are completed in near real-time.

Access management focuses on storing and managing access controls, while identity management deals with user identities. For example, if we want to find IP addresses associated with CrowdStrike, we can use access management to look up their IP ranges. Then, we can check if any IPs match by adding them to a specific identity management lookup. Finally, by leveraging the combined identity and access management features of Splunk Enterprise Security, we can create correlations between these entities.

The security dashboard can be customized to display the information we need most quickly. It typically has seven to eight panels, each dedicated to reflecting specific data. While some initial data load time might be present, clicking on a specific panel will display its information as soon as possible. There can be delays in traditional dashboards when searching for specific data. To optimize this, we can create "base searches" within each panel. These predefined searches cover commonly used queries and fields. Alternatively, we can create a "summary index" that holds a longer span of pre-processed data. This summary index allows even large datasets to be displayed quickly when accessed through the dashboard.

Splunk enhances our team collaboration regarding security incidents. When a threat alert is received, we can click on it and choose "investigation in progress" from a dropdown menu. This selection redirects us to a dedicated investigation page for further details. For in-depth analysis, we can drill down into the logs to pinpoint the source of the issue. Additionally, the platform allows us to contact network devices to determine the root cause. Once the issue is resolved, we can close the investigation.

We monitor both AWS and GCP environments using Splunk Enterprise Security. 

Splunk provides threat intelligence capabilities that can be valuable. This, combined with the comprehensive set of dashboards available, allows us to effectively monitor for threats. We can also create custom apps within Splunk for threat detection. These apps can include custom dashboards or reports that display specific information. For example, we could create a dashboard that shows the number of users accessing unknown URLs or another that monitors a particular device for suspicious activity. An example of suspicious activity might be a device where the print command is being executed repeatedly but failing each time. This could indicate a malfunction or, potentially, a malicious attempt to exploit the system. Similarly, a sudden spike in activity, such as millions of clicks on a specific device within a short timeframe, could also be a sign of a threat. By monitoring these parameters within Splunk's threat detection features, we can identify and investigate potential security incidents.

Splunk provides valuable visibility across multiple environments. Whether we have an on-premises or cloud architecture, Splunk offers self-monitoring capabilities. Additionally, depending on our environment, we can leverage existing monitoring tools. For on-premises deployments, we can utilize the Monitoring Console alongside Splunk for comprehensive monitoring. Cloud environments often come with built-in monitoring handled by the cloud provider's support team. In such cases, Splunk can focus on applications and custom log data for deeper insights.

The threat topology provided by Splunk gives us a comprehensive overview of potential threats. By analyzing queries or notable events, we can identify and neutralize these threats.

Splunk does a good job of analyzing malicious activities.

Splunk has improved our organization's decision-making by centralizing all the information in our environment and allowing us to access multiple dashboards and reports in one place.

Splunk has helped us reduce our alert volume. By using Splunk, we can identify the root causes of failures, which in turn leads to a decrease in alerts.

Splunk accelerates our security investigations by enabling us to resolve issues and document them in Standard Operating Procedures or knowledge-base articles. This facilitates a swifter response to similar incidents in the future.

What is most valuable?

Splunk Enterprise Security's dashboards are a key asset. They offer comprehensive visibility across our entire environment, allowing us to diagnose and address security issues directly from the interface.

What needs improvement?

I would like Splunk to offer a quicker and easier way to run queries.

Splunk could improve its cost-efficiency for our organization by offering pre-built architectures tailored to specific environments. This would provide a clearer picture of required licenses and their implementation, ultimately reducing licensing costs.

The presence of multiple layers creates a significant challenge for monitoring across cloud environments.

For how long have I used the solution?

I am currently using Splunk Enterprise Security.

What do I think about the stability of the solution?

Splunk Enterprise Security is a very stable product, but there are occasional bugs that can appear.

What do I think about the scalability of the solution?

We can scale Splunk Enterprise Security up or down depending on our demands.

How are customer service and support?

The Splunk support team is helpful. For complex issues or on-demand requests, we raise cases with them. On-demand requests requiring impactful solutions are paid. However, for UK-based users, standard support is free and usually resolves issues efficiently. In some cases, the support team rushes to provide a solution without even looking at the issue.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial deployment can be complex. It involves creating multi-site clusters for each location and configuring a cluster master for each. This is because the cluster master will replicate data across multiple sites, making the environment more complex.

Four people were required for the deployment.

What other advice do I have?

I would rate Splunk Enterprise Security 6 out of 10 because of the complexities that occur at times.

I highly recommend Splunk Enterprise Security for organizations seeking comprehensive security monitoring. Splunk offers a centralized platform to collect and analyze vast amounts of security data. This empowers us to gain full visibility across our entire IT environment, including applications, user activity, and potential security threats. Splunk provides insightful dashboards, reports, and real-time alerts to help proactively identify and address security issues.

While cost is a consideration, prioritizing features over functionalities for SIEM solutions can be risky. It's best to identify your business needs first and then choose an SIEM that offers the most relevant benefits to address those needs.

Splunk Enterprise Security is deployed across multiple locations and departments within our organization.

Splunk Enterprise Security required maintenance.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Google
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Sathish Suluguri - PeerSpot reviewer
Splunk SOAR/Phantom at PricewaterhouseCoopers
Real User
Apr 2, 2024
User-friendly, feature-rich, and best support
Pros and Cons
  • "It is user-friendly. It is more effective than other solutions. The support and help for troubleshooting and the documentation from Splunk make it very effective."
  • "The only improvement I am expecting is the cost of the licensing. Clients are going to other solutions just because of the cost."

What is our primary use case?

There are many use cases. Most of the use cases are related to security, data integration, and data sources. 

How has it helped my organization?

Splunk Enterprise Security helps with real-time detection. When we integrate any data source, if any external IPs or external devices are accessing that data source, we get notified. We get alerts based on the use cases we develop.

Splunk Enterprise Security has improved the incident response time a lot. Splunk is doing log ingestion, and it is also used to search the database for issues. It is ingesting and identifying. All that is happening in a single solution.

Splunk Enterprise Security is very easy to use. We can monitor anything. We can monitor and integrate any type of applications and servers. It is very easy and effective. I work with different security tools, but none of the security tools has these many features.

Splunk's documentation is clear. Irrespective of the environment we are working in, we have clear documentation.

One of our clients is using the Threat Intelligence Management feature. The actionable intelligence provided by the Threat Intelligence Management feature is very good.

I have been working with different vendors. Splunk Enterprise Security is a very effective and user-friendly tool. Whether it is Sentinel, LogRhythm, or QRadar, each one of them has its own limitations, but Splunk has all the features.

Its benefits can be realized very quickly. It does not take lots of days or months.

Splunk Enterprise Security has helped to reduce our alert volume. There is a 60% to 70% reduction.

Splunk Enterprise Security has helped speed up our security investigations.

What is most valuable?

It is user-friendly. It is more effective than other solutions. The support and help for troubleshooting and the documentation from Splunk make it very effective.

It has multiple features. It has data integration, search, reporting, and alerting.

It does not need any advanced programming. It only requires basic programming.

What needs improvement?

In terms of features, it does not need any improvement. Everything is good so far. The only improvement I am expecting is the cost of the licensing. Clients are going to other solutions just because of the cost.

For how long have I used the solution?

I have been working with Splunk for more than 7 years. I have worked with Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, and on-prem Splunk.

What do I think about the stability of the solution?

It is very stable. We never had any issues or bugs.

What do I think about the scalability of the solution?

Its scalability is good.

How are customer service and support?

The support from the Splunk side is very good. They provide the best support.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have used Sentinel and QRadar. I switched because of the advanced features, support, and good documentation. It is very effective. It is the best solution. The only problem is the cost.

How was the initial setup?

I have worked with cloud deployments and on-prem deployments. Its initial setup depends on the environment. It is sometimes complex, and sometimes, it is very easy. We also get good support from them.

Our implementation strategy has 3 phases. We first go for development, and then we go for Pre-Prod. After that, we move to Prod.

What about the implementation team?

Currently, I am the only one handling the deployment, but when it comes to operations, we need at least two to three people.

It requires maintenance. Generally, 2 people are required, but for my clients, I am the only one who is taking care of the maintenance.

What was our ROI?

We have seen an ROI.

What's my experience with pricing, setup cost, and licensing?

It is expensive. I work for multiple clients. I am working for more than 5 clients, but most of the clients are switching from Splunk to Sentinel because of the cost. Even though Sentinel is very limited, clients are moving to Sentinel.

What other advice do I have?

I would recommend Splunk Enterprise Security to anyone who is looking for a similar solution. This is the only solution with all these features.

I would rate Splunk Enterprise Security a 9 out of 10. It is stable, user-friendly, and feature-rich. It is very helpful. Even though it is expensive, the stability, support, and technical documentation make it very effective.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
SAURABHYADAV4 - PeerSpot reviewer
Consultant at HCL Technologies
Real User
Mar 19, 2024
The solution speeds up our response by enabling us to automate some of the investigation steps
Pros and Cons
  • "Splunk's interface is user-friendly, and it has apps and add-ons for most applications. We can easily normalize the data to make it readable and understand the logs. We easily get all the field extractions and enrichment done by using the apps and add-ons. This helps us understand the application logs because the raw data is useless unless we extract some useful information from it. These add-ons make it so much easier."
  • "It would be nice if Splunk reduced the cost of training. Their training sessions are way too costly."

What is our primary use case?

I work in security and use Splunk for endpoint and application security, use case development reports, etc. I haven't used Splunk much for threat intelligence. We have a threat intel feed configured, and we create use cases based on those and the recommendations by the threat intel team. If something isn't covered, we create a use case for it. For example, if an application has an authentication interface enabled, we check all their authentication mechanisms and all the login policies. 

How has it helped my organization?

Splunk speeds up our incident response by enabling us to automate some of the investigation steps, such as finding information about the user or the source of the incident on machines. We can then move directly into the remediation phase and assign those tickets to the remediation team. It also triggers automatic email alerts to the recipient user. If our security analyst wants to see the alert logs or anything, they can easily drill down to identify any information required.

It allows us to configure use cases involving our machine-learning toolkit, and we have an adaptive threshold in ITSI. Using these tools, we can eliminate false positives and do some whitelisting to weed out users who are performing benign activities. Removing the false positives reduces the incident response time.

We can start to see results immediately once we have achieved a steady state. For instance, we can easily show how much our mean resolution time for incidents has fallen and provide metrics in a way that is easy for our clients to understand. 

What is most valuable?

Splunk's interface is user-friendly, and it has apps and add-ons for most applications. We can easily normalize the data to make it readable and understand the logs. We easily get all the field extractions and enrichment done by using the apps and add-ons. This helps us understand the application logs because the raw data is useless unless we extract some useful information from it. These add-ons make it so much easier.

Dashboards are useful when we present things to management. They want the numbers and the results. The leaders aren't interested in what we are working on. We need some visualization for our presentations. Splunk has beautiful and useful visualization and dashboard alerts. We can easily create visualizations using the available options and create different types of charts, reports, and graphs that are easy for management to understand. We can also provide our leaders direct access to the dashboards, so they don't need to reach out to our team to get this data or we can automatically send them the reports via email. 

Splunk has several useful features, like asset and identity management. If we integrate our asset and identity management properly in this log, it's effortless to identify the user, device, or asset. We can get all the details if we integrate those things into the lookup engine.

What needs improvement?

It would be nice if Splunk reduced the cost of training. Their training sessions are way too costly.

For how long have I used the solution?

We have used Splunk for around seven years.

What do I think about the stability of the solution?

Splunk is highly stable if you meet all the prerequisites and have enough physical memory for your local storage. 

What do I think about the scalability of the solution?

If you use the cloud version you can scale as much as your licensing allows. It's easy to scale, upgrade, or add instances according to your needs. 

How are customer service and support?

I rate Splunk support 8 out of 10. They're good, but I think there is room to improve because Splunk is the market leader, and they should strive to provide the best possible support. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I previously used QRadar and ArcSight. Splunk is one of the top products. Compared to Sentinel or QRadar, Splunk is the market leader in features and security. You can integrate application, physical, or cloud security and onboard those logs into Splunk, then tailor it to your requirements. 

How was the initial setup?

I've worked on multiple deployment models for Splunk, including hybrid, cloud, and on-prem. The deployment is straightforward. We do a POC and then scale it based on our requirements. 

What was our ROI?

I feel like Splunk is worth our investment. 

What's my experience with pricing, setup cost, and licensing?

The cloud version of Splunk is somewhat expensive, but it does provide some flexibility because you do not need engineers to manage the system. Everything is hosted in the cloud because it is a SaaS service. It depends on the usage. It is costly, but every good thing comes at a price.

What other advice do I have?

I rate Splunk Enterprise Security 9 out of 10. 

Disclosure: My company has a business relationship with this vendor other than being a customer. partner
PeerSpot user
Kiran Kumar. - PeerSpot reviewer
Lead Administrator at Wipro Limited
Real User
Oct 2, 2023
We can create dashboards, speed up our security investigations, and reduce alerts
Pros and Cons
  • "Splunk has a wide range of features that customers use to find and analyze all kinds of logs."
  • "The price has room for improvement."

What is our primary use case?

We provide comprehensive infrastructure support and ingest mine data in three ways. The first is Agent-based where the information is sent from client machines to an agent. The second is TCP port forwarding where data is sent to Splunk through an open port. The third is the HEC token. We then use the Splunk DB Connect app to ingest data as per the client's requirements.

How has it helped my organization?

We are currently onboarding data from AWS to GCP. We are moving data from on-cloud to our production and deployment level environment. Additionally, the data is being added to the services on those machines. To forward the logs to Splunk, we have created a default index, which is a way of storing data in a particular way. We have created the index based on the requirements of the data storage.

Currently, we are ingesting all kinds of government security PI data. Similarly, we can ingest any kind of confidential data into Splunk using masking. This allows us to filter the data and mask sensitive information. For example, if a user account number has ten digits, we can mask out the first six digits so that only the last four digits are visible. We ingest this kind of confidential data into Splunk, and we also ingest PI data and Splunk governance data.

We are using the threat intelligence management feature. We have a separate security team, called a soft team, which is responsible for finding vulnerabilities, threats, and malware alerts in our Splunk environment. We use the threat intelligence management feature to identify any suspicious activity that may be coming from outside users. The soft team continuously monitors these alerts and creates proxy alerts to identify any potential threats.

Splunk's insider threat detection capabilities help us to easily identify threats by using Splunk queries. We have predefined Splunk Insight and are also using the one in the app, which is configured on top of Splunk machines. This allows us to quickly identify how many unknown IPs are syncing into other machines, and we can use this information to identify threats.

We use threat pathology and MITRE ATT&CK. I am currently supporting a financial institution with its infrastructure, which is split into two teams: one for complete infrastructure support, including hosting and operations, and the other for security-related matters. My team is continuously investigating new security threats, so we will take care of the onboarding process. As part of the infrastructure support team, I am responsible for handling all onboarding tasks. If I encounter any security concerns, I will escalate them to the SOC team.

We have a lot of operations using the Mission Control feature in Splunk.

Splunk helps us analyze malicious activities and detect breaches. We are using a Splunk SaaS application in a multi-class environment. To maintain high availability with zero downtime, we have maintained close to 70 indexes and 50 searches. Splunk provides us with alerts from the entire infrastructure, which helps us maintain our service. We use Splunk Mission Control to iron out any issues. For any special needs, we can go to Mission Control to verify and mitigate alerts.

Splunk Enterprise Security has helped us reduce our alert volume. Splunk currently ingests five terabytes of data, and we can set parameters to exclude rotational works and backlogs to reduce the number of alerts.

Splunk Enterprise Security has helped speed up our security investigations.

What is most valuable?

Splunk has a wide range of features that customers use to find and analyze all kinds of logs. For example, they can use SQL queries to identify vulnerabilities. Additionally, they can create dashboards to visualize and filter their data, and to create real-time alerts when thresholds are exceeded. Splunk Vision is a popular tool for data modeling and visualization and is used worldwide.

What needs improvement?

The price has room for improvement.

For how long have I used the solution?

I have been using Splunk Enterprise Security for five years.

What do I think about the stability of the solution?

We are maintaining a multi-cloud environment across multiple regions, and for the last two years, Splunk Enterprise Security has maintained a 99.999 percent uptime.

How are customer service and support?

We open cases on behalf of our customers with Splunk. If the technical support resolution is not up to par, we request a meeting call to work with the support team and resolve the issue for our client.

Which solution did I use previously and why did I switch?

We also use the Red Hat OpenShift enterprise Kubernetes container platform. OpenShift is a more popular container tool with excellent support, but all of our OpenShift deployments are on-premises, along with production clusters around the world.

How was the initial setup?

For the deployments, we scan the data to ensure that the Splunk machines can support it. If we identify anything on the machine, we ask the customer to remediate the issue by upgrading the version of Splunk. Most of our customers are using version 8.3.3.

What other advice do I have?

I would rate Splunk Enterprise Security nine out of ten.

Organizations that value their security should not choose the cheapest SIEM solution. They should expect to invest in a SIEM solution that can meet their specific needs, even if it means spending more money.

Monthly patching maintenance is required. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Google

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.

IT Director at Administrative Office U.S. Courts
Real User
Aug 24, 2023
Reasonably priced, helps with compliance, and saves a lot of time
Pros and Cons
  • "The most useful feature for me is the ability to create different kinds of alerts and set a different kind of denominator that will capture the real event. That is helpful for a power user like me."
  • "It will be helpful for customers if they can create some real-world cases, and we can find a case study to align with. I know that Splunk has tremendous potential. We only include a tiny piece of it. There is a lot of stuff that we need to learn. If Splunk can provide more real-time examples, that will be helpful for customers."

What is our primary use case?

We gather all the security logs from all the endpoints, network appliances, and the security filter. We have set up automatic alerts that are sent to system administrators, so we have pretty much real-time alerts about anything that happens. 

How has it helped my organization?

Splunk Enterprise Security has definitely improved my organization. First of all, it helps with compliance. Our organization has something called scorecard requirements. It is an annual self-check checklist. Having alerts set up is one of the requirements, and secondly, we have a local administrator who gets the alerts. That makes our job a lot easier. So, we pretty much know what is going on in a real-time setting.

We are the judicial branch of the government, so we are pretty much into our private cloud. We do have a setup to monitor our private cloud but not outside our organization. If we can monitor one cloud, multiple clouds will not be hard at all. It is easy.

Splunk has absolutely reduced our mean time to resolve. Knowing on time and having firsthand information is very helpful for any organization. We are able to capture what is going on, and the visibility of it is absolutely tremendous. I cannot provide the metrics, but it has saved a lot of time.

Splunk has absolutely improved our organization’s business resilience. We have been using Splunk for the last six or seven years, and I cannot imagine a life without Splunk. 

In terms of Splunk’s ability to predict, identify, and solve problems in real-time, this is something that we will look into. We have not yet looked into machine learning, AI, and all of Splunk. Currently, we are more in the reaction mode, but we are trying to get more in the protection mode or have more proactive measures. We have not got to that point yet, but we will definitely be there.

What is most valuable?

I am not into the administrator type of setup. I am more like an advanced user. The most useful feature for me is the ability to create different kinds of alerts and set a different kind of denominator that will capture the real event. That is helpful for a power user like me.

What needs improvement?

Splunk conferences are very helpful for networking and talking to folks who have a similar situation. It would be helpful for customers if they could create some real-world cases, and we can find a case study to align with. I know that Splunk has tremendous potential. We only include a tiny piece of it. There is a lot of stuff that we need to learn. If Splunk can provide more real-time examples, that will be helpful for customers.

For how long have I used the solution?

It has been six or seven years. 

What do I think about the scalability of the solution?

Splunk has a reputation for being scalable. You can start small, and if your demand increases, you can scale your platform. Splunk does a good job. It allows customers to have scalability so that they can expand their capacity. I would rate it a ten out of ten in terms of scalability.

How are customer service and support?

In our company, we have a Splunk consultant who is very good at providing a solution. So far, I have not had any problem that is unresolved. I would rate their support a ten out of ten. In this industry, there is good support, and there is bad support. Splunk's support is more like Cisco's support. It is pretty good.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We used something else, but I do not remember the name. Splunk is what we have been using for a long time. It is more advanced in terms of IT security. There is more scalability and the capability to do a lot of different things on multiple platforms. This is where it is more advanced than other products.

How was the initial setup?

I was not in the deployment team, but I was involved in the early stage of evaluating all different kinds of products.

What was our ROI?

There are a lot of things for which you can measure a return on investment, but security is something on which it is hard to put a dollar value and measure how much return you have got. However, in terms of helping the administrator or helping the company to put security in place, Splunk does a great job. I cannot imagine a life without Splunk.

What's my experience with pricing, setup cost, and licensing?

The pricing is a little bit on the higher side, but looking at what Splunk provides us, it is reasonable.

Which other solutions did I evaluate?

We evaluated what was on the market, and fortunately, we picked Splunk. Looking back, it was the right decision.

What other advice do I have?

Splunk is moving in the right direction and providing better and more mature products. This is my fifth conference, and I see the progress. I see Splunk bringing in all new products. They are pretty much in line with the security trends. They have improved a whole lot to meet customers' needs.

I would rate Splunk Enterprise Security a ten out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.
Updated: June 2026