Splunk Enterprise Security Reviews

Splunk Enterprise Security provides more visibility into endpoints in our environment.

We only monitor AWS, but we also have SaaS services that are in our own clouds. So far, it is easy to monitor our cloud environment with this solution. As long as we ingest our data correctly and tune it, it will read it. It is very easy to use.

It provides end-to-end visibility into our cloud-native environment. This is critical for us because we are always one step away from a security incident, which could impact the company and cost a lot of money. That is our main point of focus.

It provides a risk score for each object, device, or user. We can then take action if they are at a higher risk.

The pricing can be better.

We have been evaluating Splunk Enterprise Security for the last eight months.

I cannot say anything about stability, but I am assuming it would be the same as Splunk. It is an app. It is going to work.

The technical support is above average, but they do not go into the details, so we have a contract with a third party to help us.

There might be more Splunk support tiers, but we are working with SP6. They will get their hands directly onto our Splunk environment, whereas Splunk support does not do that. Maybe there is a different tier that does that, but we do not have that. It is more of an email dialogue. They are not going to VPN into our environment. SP6 is more hands-on. I would rate SP6 a nine out of ten.

We did not use a similar solution. We have Carbon Black for endpoints, but this is going to be a lot bigger than that.

We are still evaluating it. We have not deployed it yet, but I was involved with the deployment of Splunk. 

It was very easy to set it up for evaluation. It is just an installer file. It is an add-on app for Splunk, and if you know how to install Splunk and add-ons, it is easy.

I am fine with the licensing, but in terms of the cost, it is expensive for the data that we have. We have an open discussion with our account rep about this.

We are not evaluating any solutions because we already have Splunk, and we do not want to leave Splunk. I like it, so it is just a matter of making the commitment.

The value that I get from attending Splunk Conferences is going to sessions and learning about what other people are doing and use cases that I have not really thought of. Also, I am able to talk directly to people about questions I have regarding our Splunk instances, and I can get some answers right away. It is very good to know what people are doing because sometimes we do something one way, but we do not know if we are doing it the right way. Here, we can get validation, or realize that we are doing it wrong and make the necessary changes. That is very valuable.

I would rate Splunk Enterprise Security a ten out of ten. Most customers at the conference have already implemented it, except for our company. It is a critical foundation app that allows you to explore other apps that Splunk is grading, and it works.

We use Splunk to monitor our private cloud, data center, and other applications.

I don't like Splunk very much and find that it does not have many useful features.

Splunk works based on parsing log files.

I don't like the pipeline-organized programming interface.

I find the graphical options really limited and you don't have enough control over how to display the data that you want to see.

I find that the performance really varies. Sometimes, the platform doesn't respond in time. It takes a really long time to produce any results. For example, if you want to display a graph and put information out, it can become unresponsive. Perhaps you have a website and you want to show the data, there's a template for that, or it has a configuration to display your graphics, and sometimes it just doesn't show any data. This is because the system is unresponsive. There may be too much data that it has to look through. Sometimes, it responds with the fact that there is too much data to parse, and then it just doesn't give you anything. The basic problem is that every time you do a refresh, it tries to redo all of the queries for the full dataset.

Fixing Splunk would require a redesign. The basic way the present the graphs is pipeline-based parsing of log files, and it's more of a problem than it is helpful. Sometimes, you have to perform a lot of tricks to get the data in a format that you can parse.

You cannot really use global variables and you can't easily define a constant to use later. These things make it not as easy to use.

I have been using Splunk for approximately one year.

I use Splunk at least a couple of times a week.

I'm not sure about scalability but to my thinking, it's not very scalable. I know that it's probably expensive because it relies a lot on importing log files from all of the systems. One of the issues with respect to scalability is that there's never enough storage. Also, the more storage you have, the more systems you need to manage all the log files.

Splunk is open for all of the users in the company. We might have 1,000 IT personnel that could access it, although I'm not sure how many people actually use it. I estimate that there are perhaps 200 active users.

I have not been in contact with technical support from Splunk.

In this company, we did not previously use a different monitoring solution.

I was not involved in the initial setup.

We have a DevOps team that is implementing Splunk and they are responsible for it. For example, they take care of the licensing of the product.

We have a team at the company that completed the setup and deployment.

The other product that I've seen is Elastic, and I think that it would be a better choice than Splunk. This is something that I'm basing on performance, as well as the other features.

My understanding is that as a company, we are migrating to Azure. When this happens, Splunk will be decommissioned.

Overall, I don't think that this is a very good product and I don't recommend it.

I would rate this solution a five out of ten.

The primary use case is computer network defense.

It is very important that Splunk ES provides end-to-end visibility in our environment. Part of the solution is bringing the user closer to the resolution.

The integration with other risk-based solutions, such as the risk matrix applications included with Splunk, is helpful. It helps us identify the risks without having to delve into other resources.

Splunk helped improve our company's ability to ingest and normalize data. That's the primary use of Splunk Enterprise or Core. For ingestion, we've been using Splunk Enterprise for about six or seven years before we had ES. So, that was the primary reason we got it.

In terms of the risk-based part, Splunk improved our ability to ingest and normalize data. Initially, we used Splunk Enterprise Core for aggregation and correlation. We didn't have the risk-based reporting.

I'm very impressed with Splunk's ability to identify and solve problems in real time. And I look forward to the new version improving the product.

We've been able to discover things we didn't see before. So, there's more that we discover now.

Splunk ES provides us with the relevant context to help guide our investigation. It goes back to the time to resolution. We have to do much less investigation because it's already built-in alerting. 

Risk-based reporting and anomaly detection are valuable features.

The biggest advantage is the reduced time to resolution. Before, it took us up to days to resolve issues, and with Splunk, we've been able to move that down to hours or even minutes in some cases.

I was just at the conference, and they spoke about and demoed a new version of Splunk. It looked like some pain points are resolved in the new solution, such as not having to go to so many different panels. Like to streamline or improve the UI. 

In terms of training. I find that some things about Splunk aren't well-explained. I see features and then go to the website but don't find good explanations. However, I can always call support and get help.

We purchased ES four years ago.

If properly built, I'm very impressed with the stability of Splunk ES. We initially stood it up on a single server, and to make it more robust, we had to break out of that single server concept to make it more resilient. 

The scalability is very good. That comes from our experience of having to scale out, and Splunk's documentation on scaling up is very good.

Every time we've used Splunk support, it's been very good. We don't have any in-house Splunk engineers, but headquarters has some they can send to assist us, so I can call on them. It's a very good support chain.

If there is some room for improvement, it is in terms of training. I find that some things about Splunk aren't well-explained. I see features and then go to the website but don't find good explanations. However, I can always call support and get help.

Positive

My company is very impressed with Splunk. We've used several SIEMs before, and Splunk has been the most efficient one.

There was one called Intelotactic, and another was called Secureworks. I believe both of those are gone now.

Initially, with Splunk, we had a steep learning curve. It went from a fairly low ingestion point to figuring out how much data we needed to get to a certain level. Even when we got to a level we were happy with; we found that we were ingesting a lot of noise in the data. We had to figure out ways to reduce that noise.

We bought the maintenance along with Splunk ES and used Splunk engineers to assist us in the setup. It was a very good process. It worked out very well for us.

The knowledge of the individual sent to us was impressive.

Deployment model: Ours is all on-prem currently, but we are headed towards a cloud solution.

I would rate it a nine out of ten. 

We use the solution to build correlation searches around insider threats and exultation of data. We also use it for DLP (data loss prevention) and to get more visibility on what's happening in our environment that could increase risk.

The solution's data aggregation has allowed our organization to unify a lot of inputs from various tools in one space and to be able to search from there.

The solution's most valuable feature is risk-based alerting, focusing on building out user risks for individuals throughout the enterprise.

It is important to our organization's security that Splunk Enterprise Security provides end-to-end visibility into our environment.

Splunk Enterprise Security's ability to find any security event across multi-cloud, on-premises, or hybrid environments is good. It's more about how you configure it and how well your company is equipped to provide and allocate resources to make the best use of the tool.

It has helped reduce our mean time to resolve.

The tool should include more real-world use case examples built out either through videos or in the community. These should not just be examples of how it can be implemented but of how previous solutions have been transitioned to new solutions and how they provide a different and better approach.

I have been using Splunk Enterprise Security for one to three years.

Splunk Enterprise Security is a very stable solution.

The solution’s scalability is based on the cost.

Splunk Enterprise Security is just a tool you can use, and then it's really up to the customer how they leverage it best.

Overall, I rate the solution a six out of ten.

We use it in our company to log everything. We use tools like XSOAR to take appropriate actions to mitigate threats.

Splunk Enterprise Security has aided our organization in the way it provides great visibility and helps with what our company's users do with it.

I like how easy it is to integrate the logging of all of the various nodes. The product also offers nice connectors. Other features include the product's ability to allow users to customize their dashboards, signatures, metrics, and other elements, making it a very valuable and reliable tool for my organization.

I don't know if there is a need for any improvements in the product since it is one of my peers and not me who is directly responsible for Splunk Enterprise Security in our company, so I will have to ask him if there are any requirements associated with the product.

The price may be an area of concern where improvements are required. Splunk Enterprise Security doesn't indulge in whitewashing, but Cisco does it too much.

I have been using Splunk Enterprise Security for two years.

I have not seen any outages in the product in the past two years that it has been running in our company, so I think it is good when it comes to the stability part. I have had an experience with the vendor during which there were two products, one from the vendor and the other from Splunk Enterprise Security, and we saw that one of them was not able to capture all the logs appropriately, after which our company had to figure out whether it was Splunk API or the vendor's tool.

I have never used the product's customer support. My peer has contacted the product's technical support team, and it has worked very well for him.

My company used to use one of the spin-offs from IBM. My organization has used IBM QRadar.

Though I am not sure about the deployment model, I feel that since it may not be on Azure, the product must be deployed with the help of AWS.

I have experienced an ROI revolving around the product's dashboards, metrics, and other such related stuff, but I don't know how to quantify them. My peer would be the best person to speak about the product's ROI.

My peer would be aware of the product's pricing part.

There was a pre-vendor selection approach my company followed, but I don't remember the names of the products involved.

It is pretty important how the solution provides end-to-end visibility in our company's environment because it provides opportunities for shadow IT and for people to do things that they should be doing. If one is appropriately logging in, the product gives us a view and helps our company discover things that we didn't know about.

In terms of Splunk Enterprise Security's ability to help our company find any security events across multi-cloud, on-prem, or hybrid environments, I will have to say that since we are still using it, it has to be effective. If it wasn't effective in the aforementioned area, my peer would have found something else in the product. I don't have enough personal insight into Splunk Enterprise Security's ability to help our company find any security events across multi-cloud, on-prem, or hybrid environments.

Splunk Enterprise Security has helped to reduce my company's alert volume. Our organization does get alerts, and we are trained for them. I will have to ask my peer to give me the exact number associated with the alerts my company receives.

The solution provides the relevant context that helps guide our company's investigations. The context information has impacted our company's investigation process as it definitely speeds it up because we have only a single source from which we can get that, and it helps us understand what may have taken place in a particular incident that we are looking at in our organization. In our company, if we look at any of the other services, we can see whether a particular or specific user touched just a single system or ten different systems.

The solution has helped reduce my company's mean time to resolve, but I don't have numbers to explain it.

The reason why I rate the tool a nine is because of the flexibility it provides to go back to the dashboards. The flexibility to be able to customize standard dashboards and other standard things that I want to be able to grab and have them pop out and then be able to create some sort of an action against those kinds of things that I want, of which the first is the standard reporting part, which is very valuable.

To those planning to use the solution, I would suggest that they need to get Splunk to work hard on the pricing part. People also need to encourage Splunk to stay true to its roots because I have seen what has happened to some of the other tools in the market. Splunk has been acquired by Cisco. You want Splunk because of its capabilities, not because of what Cisco wants to give you.

If I consider my company's needs, I rate the overall product a nine out of ten.

The use cases are mainly around monitoring for our clients' security operation centers and correlation of events and analytics for incidents that have been identified.

It has really improved things for our clients by reducing false positives. Most of the time, analysts end up wasting their time with false incidents, and that has been drastically reduced by Splunk.

It also definitely helps speed up your security investigations.

The dashboard and reporting are very good. Our clients monitor multiple cloud environments and Splunk helps because, in general, monitoring multiple cloud environments is definitely difficult and very complex. It provides very good visibility in a hybrid cloud environment, and you can build custom utilization APIs using Splunk.

The solution is also very good in its threat-hunting capabilities and anomaly detection. It uses an AI-based detection system to identify real-time anomalies and provides complete visibility into the network.

And you can feed multiple threat sources into Splunk and the Threat Intelligence Management feature gives you information about current or potential attacks. It provides complete security support in the threat intelligence space. It helps your administrator to correlate indicators of compromise from threat intelligence databases and feeds.

Also, the Splunk Mission Control feature, which is mainly for Splunk Enterprise Security cloud users, provides a unified and simplified security operations experience for SOC analysts.

We also use the solution's Threat Topology and MITRE ATT&CK framework feature. That's something you need for cyber breaches to contain a threat. This feature comes into play when you need to mitigate an incident in your environment.

While there aren't any major areas where the solution has to be improved, there are certain integrations that are still not available. I would specifically like to see legacy applications integrated. Splunk has integrations with AWS, Azure, and other cloud providers, but when it comes to legacy applications, it is difficult to do a Splunk integration.

We have been working with Splunk Enterprise Security for one and a half years.

It's a very stable solution. 

It is very highly scalable.

The technical support is very good.

Positive

I used IBM Security QRadar. The main reason for switching is that Splunk has the scalability to handle bigger enterprise logs. Log management is the biggest issue in any SIEM. Splunk is able to rapidly grow its capacity.

Our clients' implementations are mostly on-prem and in the cloud.

Splunk is definitely not a cheap solution. It is an expensive product.

If a customer is evaluating SIEM solutions and is considering cheaper products, it depends on the customer's budget and use cases. For a large, enterprise customer with critical infrastructure that needs to be monitored 24/7, obviously, the cheaper solutions may not have the capacity to handle the huge volume of data. Splunk has the SIEM and the scalability as well as visibility features. When you want to monitor your applications and how they are performing, that is where Splunk is very strong.

In terms of maintenance of Splunk, you need to have an IT administrator monitoring it at all times.

When it comes to a large, enterprise customer's critical infrastructure, Splunk is one of the best solutions to use in a security operations center. It has multiple advantages, such as the dashboard that provides complete visibility, and a threat detection system with very advanced features. It is very valuable for any company that wants a good protection system.

You should definitely consider Splunk as one of your options for your SOC.

We primarily use the solution for monitoring, intrusion detection, and prevention. It is mostly a lot of security and network and server monitoring.

It automated the way we look at intrusion detection and prevention. It automatically picks up intrusion attempts within our environment.

The monitoring and the security functionality are the most valuable aspects of the solution.

It is easy to set up.

It is very scalable. 

You can basically make it do whatever you want, from log management and monitoring security, intrusion detection, prevention, and linking to your antivirus to report to it. Having kind of a single point where everything feeds in and create dashboards however you like is useful and works with how many ever systems you want in that dashboard.

I've not come across any areas that need improvement.

I'd like to see more integration with more antivirus systems.

We've used the solution for roughly, one year and a half years.

The solution is highly scalable.

We have four people that use the solution and they were split between infrastructure and security.

We don't have a plan to increase usage as we're almost at capacity with our servers, for our purposes. I don't think we're going to scale it as we're using everything we can from anything we need. However, it's intensely used for security purposes.

Technical support is perfect.

Positive

The initial setup was straightforward. It was done by Splunk entirely. After that, the configuration took a bit of time, however, we bought professional service days from them to help us build the configuration.

The full deployment took about five months due to the fact that we have quite a lot of servers.

I'd rate the experience a five out of five in terms of ease of execution. 

The amount of people you require for deployment and maintenance depends on the complexity of the environment. It can be run and managed by a single person if the environment is not highly complex. If you're talking about probably less than 200 servers, and a couple of network endpoints, one person can manage it easily after it's been configured. Otherwise, I wouldn't be able to say. In more complex environments where you've got several geographical locations, several data centers in geographical locations, and so on, you'd probably need more than one.

Splunk handled the implementation. It was a joint effort between them bringing the knowledge and us doing the actual work.

It's a great investment, especially if you want to strengthen your security stance.

It's yearly a yearly license on a three-year contract. On a three-year contract, you get a discount basically - rather than putting it on a rolling yearly contract.

On pricing, if I base it on the functionality of the system out of the box, I would rate it five out of five.

They have several prepackaged modules you can purchase. For example, for the security type, they have Security Enterprise, with the default products getting security essentials. With Infrastructure, the same. We've got an ITOps enterprise, which again, is payable on top of the standard license. 

It's pretty much how much you can actually build in-house. The difference between AT&T, LogRhythm, and Splunk, while AT&T and LogRhythm are pretty out of the box (it's click and configure), Splunk is highly configurable. 

You can make it do whatever you want to, as long as you know how to edit the configuration files. What ITOps and Security Enterprise do, instead of you having to build all that from the ground up, so the dashboards, the logic behind it, the configuration files, and so on, become prepackaged and pre-installed.

We did test AT&T and LogRhythm as well. We chose this solution as a balance between cost and functionality.

AT&T was a great security tool, however, it lacked a lot of the infrastructure things that Splunk does, in terms of server monitoring and network monitoring. LogRhythm did have a dose, however, at a very prohibitive price. It was almost twice the cost of Splunk.

We've got a version of Splunk Cloud. I'm not sure of which version.

I'd advise users to get more professional service days. You get five professional service days with the product, when you buy the license, usually. Definitely get at least ten more.

You need to have some strategy before. You definitely need a strategy. Before you do your PS days, definitely have a look at your strategy and make sure you've arranged your questions rather diligently. Based on how you think you're going to use the system, where you are where you want to be, just box them into separate parts - security, infrastructure, and monitoring. It's going to make life a lot easier when you talk to consultants as the consultants are very, very knowledgeable. However, you need to ask the right questions.

I'd rate the solution ten out of ten.

Our primary use cases are for detection and remediation.

The benefits we've seen from Splunk is that we can promote it to our customers. The second benefit is that it works. It does what it's purported to do, and the support is more than adequate. 

The most valuable feature is that it brings all of the components necessary to identify, analyze, and respond together.

It's pretty important that Splunk provides end-to-end visibility into your environment. As in any product that one purchases to fulfill a function, we want to recognize where it came in, who it affected, and what the challenges are that need to be met in order to resolve something, both immediately and also to make sure that it doesn't replicate in the future. Splunk does a good job of being able to do the former half. Dealing with issues requires tier-three support and above and it takes time. You can work through it with the help of your vendor team.

I would rate them an eight out of ten. It's not so much the problem of the application itself, although there are always improvements that can be done. There are a lot of moving parts that need to be added in and if you don't have the information that you need, especially within identity and inventory, then that can be an added challenge when you have to start making imprints based on what you do know.

Splunk Enterprise Security provides us with the relevant context to help guide our investigations. There are a number of different standards that can be presented, which is beneficial. Some customers like to have the information that they receive in one format. The driving factor is that when you work with federal customers, some of them want it in one format. The response will be in one format as opposed to another. 

Splunk has helped to improve my company's business resilience. It's an active component in ensuring that we are vigilant against intrusion and detecting it.

Splunk is such a large product. Allowing it to be more easily used by people who have not had a lot of training on it would be an improvement. That's something that they're accomplishing with their current version, although I haven't had an opportunity to learn much about it. With AI capabilities coming on board, a lot of that will alleviate the minutiae that people need to know in order to resolve problems as they come up.

Splunk's ability to predict, identify, and solve problems in real-time is a work in progress.

I have been using Splunk Enterprise Security for the past four years.

Aside from the fact that it can be a resource hog, I'm satisfied with the stability. I don't have too many problems except for a few occasions when we have a threat intelligence file blow up a drive because there's not enough room. It might be because a complete configuration has not been implemented. 

I like the fact that it can be tweaked, but a lot of the various configurations for how long data is held or how long particular components of investigation are held. 

I encourage users to use the vendor management team and cultivate a relationship with them. I have worked with companies who had support that I would rate 11 out of 10. I would rate Splunk an eight out of ten because as any large growing company, they have challenges with keeping the talent necessary, who are not only educated to evaluate a problem and pass it on or solve it themselves.

Positive

The largest challenge with the setup is that it has so many different components. The environment that we're in is a multi-tenant. Enterprise Security with all of its components is huge. If you're using something like a deployment server you can't break it up. It makes it rather unwieldy. I'm sure that there are workarounds that have not been implemented in-house.

Splunk provides more than the people who pay for it realize. I had a few exercises in presenting ROI and benefit-cost analysis and I have been able to demonstrate where it has performed superior to other options.

I was deeply distressed when they went away from their perpetual license.

We evaluated Splunk's typical competitors. We went with Splunk because Splunk has the underlying capability of not only ingesting anything and storing it using their bloom filters and whatnot in order so that you can do sparse and large searches relatively quickly. It also has a wonderful presentation layer, which can basically plug into many other systems. I find Splunk to be a veritable Swiss Grey knife of capabilities.

I would rate Splunk Enterprise Security an eight out of ten because there's always room for improvement and because it can be difficult to learn.