Regional Channel Manager at i2sBusiness Solutions
Reseller
Top 5
Drastically reduces time spent by analysts on false positives, and AI-based detection identifies real-time anomalies
Pros and Cons
  • "The dashboard and reporting are very good... It provides very good visibility in a hybrid cloud environment, and you can build custom utilization APIs using Splunk."
  • "While there aren't any major areas where the solution has to be improved, there are certain integrations that are still not available. I would specifically like to see legacy applications integrated."

What is our primary use case?

The use cases are mainly around monitoring for our clients' security operation centers and correlation of events and analytics for incidents that have been identified.

How has it helped my organization?

It has really improved things for our clients by reducing false positives. Most of the time, analysts end up wasting their time with false incidents, and that has been drastically reduced by Splunk.

It also definitely helps speed up your security investigations.

What is most valuable?

The dashboard and reporting are very good. Our clients monitor multiple cloud environments and Splunk helps because, in general, monitoring multiple cloud environments is definitely difficult and very complex. It provides very good visibility in a hybrid cloud environment, and you can build custom utilization APIs using Splunk.

The solution is also very good in its threat-hunting capabilities and anomaly detection. It uses an AI-based detection system to identify real-time anomalies and provides complete visibility into the network.

And you can feed multiple threat sources into Splunk and the Threat Intelligence Management feature gives you information about current or potential attacks. It provides complete security support in the threat intelligence space. It helps your administrator to correlate indicators of compromise from threat intelligence databases and feeds.

Also, the Splunk Mission Control feature, which is mainly for Splunk Enterprise Security cloud users, provides a unified and simplified security operations experience for SOC analysts.

We also use the solution's Threat Topology and MITRE ATT&CK framework feature. That's something you need for cyber breaches to contain a threat. This feature comes into play when you need to mitigate an incident in your environment.

What needs improvement?

While there aren't any major areas where the solution has to be improved, there are certain integrations that are still not available. I would specifically like to see legacy applications integrated. Splunk has integrations with AWS, Azure, and other cloud providers, but when it comes to legacy applications, it is difficult to do a Splunk integration.

Buyer's Guide
Splunk Enterprise Security
May 2025
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
857,028 professionals have used our research since 2012.

For how long have I used the solution?

We have been working with Splunk Enterprise Security for one and a half years.

What do I think about the stability of the solution?

It's a very stable solution. 

What do I think about the scalability of the solution?

It is very highly scalable.

How are customer service and support?

The technical support is very good.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I used IBM Security QRadar. The main reason for switching is that Splunk has the scalability to handle bigger enterprise logs. Log management is the biggest issue in any SIEM. Splunk is able to rapidly grow its capacity.

How was the initial setup?

Our clients' implementations are mostly on-prem and in the cloud.

What's my experience with pricing, setup cost, and licensing?

Splunk is definitely not a cheap solution. It is an expensive product.

If a customer is evaluating SIEM solutions and is considering cheaper products, it depends on the customer's budget and use cases. For a large, enterprise customer with critical infrastructure that needs to be monitored 24/7, obviously, the cheaper solutions may not have the capacity to handle the huge volume of data. Splunk has the SIEM and the scalability as well as visibility features. When you want to monitor your applications and how they are performing, that is where Splunk is very strong.

What other advice do I have?

In terms of maintenance of Splunk, you need to have an IT administrator monitoring it at all times.

When it comes to a large, enterprise customer's critical infrastructure, Splunk is one of the best solutions to use in a security operations center. It has multiple advantages, such as the dashboard that provides complete visibility, and a threat detection system with very advanced features. It is very valuable for any company that wants a good protection system.

You should definitely consider Splunk as one of your options for your SOC.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Aaron Hodge - PeerSpot reviewer
Security delivery manager at a tech vendor with 1,001-5,000 employees
Real User
Top 20
Drastically reduces SOC overhead
Pros and Cons
  • "The tool drastically reduces SOC overhead. Its integration with our tool suite is great and helps us correlate events. The solution is also a lot faster than our standalone instances."
  • "The solution is expensive."

What is our primary use case?

We use the solution in our SOC to support SOAR. We use its alerting capabilities and integrate them with our SOAR platform. Additionally, we tie it in with cyber threat intelligence, cyber threat hunting, and adversary emulation tools to identify gaps in our environment and alert us to notable events.

What is most valuable?

The tool drastically reduces SOC overhead. Its integration with our tool suite is great and helps us correlate events. The solution is also a lot faster than our standalone instances. 

Splunk Enterprise Security helps address our customers' missions. We want to ensure that our environment is secure and safe and detects anomalies and threat actors as soon as possible. 

The solution helps my organization's ability to ingest and normalize data. It has also improved resilience.  

What needs improvement?

Enterprise Security is expensive. 

For how long have I used the solution?

I have been working with the product for three years. 

What do I think about the stability of the solution?

Splunk Enterprise Security is very stable. 

What do I think about the scalability of the solution?

The tool is very scalable. We can deploy agents seamlessly and get reports. 

How are customer service and support?

We have had good success with customer support. We haven't had any issues contacting them and getting problems resolved. 

How was the initial setup?

Splunk Enterprise Security's deployment is hit or miss. Recently, we got UBA. We were able to spin up an environment easily with Terraform. However, the recent upgrade caused many hiccups and slowdowns. We are working with support to resolve them. Some legacy code is choking the system and slowing us. 

Which other solutions did I evaluate?

We do market evaluation and continuous research every year to check for alternatives to our security tools. 

What other advice do I have?

It seems like the tool is improving. It incorporates AI into the platform to streamline event identification processes. 

Splunk Enterprise Security does a good job. However, we need many analysts to correlate searches and populate data models, and some overheads are needed in any SOC environment. 

We have a lot of data to process from different sources. However, we have only limited data analysts. It takes time to find malicious threats or what we seek. 

No specific metrics are tracked, but we report this to our leadership weekly, focusing on continuous improvement. Regarding reducing the mean time to resolve, especially with our SOAR integration, we can swiftly address major issues by leveraging alerts to initiate tickets. This allows us to notify the teams and address issues immediately. 

I rate the overall product a ten out of ten. I don't think there is another alternative with similar capabilities. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
reviewer2399187 - PeerSpot reviewer
Cloud Architecture Associate Director, Infrastructure at a tech vendor with 10,001+ employees
Real User
Top 20
Provides good granularity and log analysis
Pros and Cons
  • "The solution's most valuable features are the granularity and analysis of the logs."
  • "Splunk Enterprise Security incurs a significant cost because of the amount of data we send, but we are fine with the value we're getting for that price."

What is our primary use case?

We're using the solution for log analysis and our internal infrastructure. We may use it for customer offering at some point, but currently, it's completely internal.

What is most valuable?

The solution's most valuable features are the granularity and analysis of the logs. Once you learn the syntax, it's a great tool. These features are important to us because they enable us to drill down to certain users doing certain things and perform trend analysis.

For how long have I used the solution?

I have been using Splunk Enterprise Security for well over a year.

What do I think about the stability of the solution?

We’ve had no issues with the solution’s stability.

What do I think about the scalability of the solution?

We have 90,000 users and deal with massive amounts of data volume.

How are customer service and support?

The solution’s technical support is fantastic.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We were using IBM's TSM backup tool and our own internal tool. We switched to Splunk Enterprise Security because we wanted to be more of a cloud-forward company and didn't want to host everything on-premises.

What about the implementation team?

We installed the solution mostly by ourselves, but we did have a little help. We installed heavy forwarders at a relatively low cost. Since we already had a VMware environment, we just set up the VMs for the forwarding.

What was our ROI?

We have seen a return on investment with the tool in terms of seeing what users are doing.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security incurs a significant cost because of the amount of data we send, but we are fine with the value we're getting for that price.

What other advice do I have?

The tool provides much more insight into what users and our apps do. We also use the solution to monitor a lot of machine-to-machine traffic.

We have a hybrid environment. All of our internal tooling is in our internal data centers, but we also have a big cloud presence for some of our other tooling and mostly for our customers. Speaking from the internal side, Splunk Enterprise Security has been fantastic in helping us find all kinds of security events every day.

Splunk Enterprise Security has helped improve our organization's ability to ingest and normalize data. The solution has helped us have everything in one place and grab everything at once. The tool has also helped us solve problems in real time. The Ops team will approach us when they are stuck with a problem ticket. We can look instantly, see what's happening, and track it down.

The solution provides us with the relevant context to help guide our investigations. This context information makes things easier and faster for us. We get more information about exactly what's going on.

Splunk Enterprise Security has helped us save around 50% of our time.

Splunk Enterprise Security has helped reduce our mean time to resolve by 50%.

Overall, I rate the solution ten out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer2382567 - PeerSpot reviewer
SIEM Consultant at an educational organization with 51-200 employees
Consultant
Top 20
Great for analyzing malicious activities and detecting breaches with great threat intelligence management
Pros and Cons
  • "There are a lot of third-party applications that can be installed."
  • "It's costly."

What is our primary use case?

The solution is used to detect and protect against threats using a hypervisor infrastructure that works with artificial intelligence. 

What is most valuable?

There are a lot of third-party applications that can be installed. You get a lot of good visibility on your infrastructure regarding risk. It's very data-driven, and it integrates into systems well. 

We are able to monitor multiple cloud environments with Splunk. Each data source has different stuff that requires monthly payments. 

I have used its threat intelligence management function. It can be a very useful feature for customers. 

The MITRE ATT&CK framework is helpful for helping uncover the scope of incidents. It offers a good level of simplicity.

Splunk Enterprise Security is great for analyzing malicious activities and detecting breaches.

What needs improvement?

It's costly. 

The data speed between apps could be improved. It could be faster. 

For how long have I used the solution?

I've been using the solution for 2 years.

What do I think about the stability of the solution?

The stability is mostly fine. 

What do I think about the scalability of the solution?

I haven't attempted to scale the solution. I'm not 100% sure of how well it scales. 

How are customer service and support?

The technical support is very good. They also offer a lot of basic resources. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I'm also familiar with Microsoft Sentinel, and I find Splunk to be better. That said, although I have more experience with Splunk software, I find it a bit slow. Sentinel is much faster. 

How was the initial setup?

The setup is pretty straightforward. It's not overly complicated. I don't have too much experience with the setup, as I'm currently involved as a consultant and only help with support. 

What's my experience with pricing, setup cost, and licensing?

The cost is very high. It's got a fairly high price point in terms of price range. 

What other advice do I have?

I work in cybersecurity consultation. 

I'd recommend the product to others. I'd rate the solution overall 9 out of 10. 

Which deployment model are you using for this solution?

Private Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner/consultant
Risk Manager at Samapartners
Real User
Helps reduce alert volume, speeds up investigations, and can monitor multiple environments
Pros and Cons
  • "Three features stand out for me: the SDK for writing Python, the customizable and adaptable diagnostic dashboard, and the optimizer for collecting data."
  • "The threat detection system has room for improvement."

What is our primary use case?

As a software analyst, I utilize Splunk Enterprise Security for security purposes, including threat hunting on developed and customized applications for vulnerability management. I also use it to display dashboards, analyze data, and address alerts.

We implemented Splunk Enterprise Security to consolidate all our security data into a single platform. This has enhanced our visibility into our security posture and the potential threats we face.

How has it helped my organization?

Splunk Enterprise Security enables us to monitor multiple cloud environments, which is crucial for receiving real-time email alerts in the event of critical incidents. However, directing me to the source can be time-consuming compared to the verified swim methodology used by SIEMs. For my application, I have approximately ten million records. Directing me to the service code takes two minutes to instruct them to view the file using VLOOKUP. However, sending it to the capital takes about half an hour.

The ability to monitor multiple environments is excellent. We have customers who use Splunk Enterprise Security both on-premises and in the cloud. Both options have their merits, depending on the specific needs of the customer. If a customer has the required resources, the cloud is often the most suitable solution.

The robust threat detection capabilities of Splunk are essential for our project. However, it's crucial to manage user access carefully. While we need to grant access to certain users, we must not provide them with unrestricted capabilities. Splunk's granular access control feature empowers administrators to customize user permissions, ensuring that only authorized users have access to the necessary features.

Splunk's threat topology helps us identify the scope of an incident. This is crucial due to the high likelihood of unauthorized data being compromised, necessitating prompt incident detection.

Splunk Enterprise Security has facilitated the timely detection of threats, enabling us to swiftly customize it to identify a wider range of threats and potential risks. We can incorporate external scripts for enhanced threat intelligence and threat-hunting capabilities.

Before implementing Splunk Enterprise Security, we relied on a patchwork of other tools, each requiring manual implementation for data collection, rule definition, and threat identification. This approach was not optimized and occasionally resulted in delayed threat detection. Limiting our focus to device security alone proved insufficient, as it lacked the real-time threat actor intelligence and activity insights provided by Splunk Enterprise Security. Our reliance on licensed development restricted us to pre-built alerts or manually uploaded scripts for mitigation and response.

Splunk Enterprise Security has helped reduce our alert volume.

Splunk Enterprise Security has helped speed up our security investigation time.

What is most valuable?

Three features stand out for me: the SDK for writing Python, the customizable and adaptable diagnostic dashboard, and the optimizer for collecting data.

What needs improvement?

The threat detection system has room for improvement. The critical aspect for an organization is the timely detection of incidents. If the rules are not defined correctly, threats may not be detected in real-time, resulting in incidents being detected months or even years after they occur.

For how long have I used the solution?

I have been using Splunk Enterprise Security for almost seven years.

What do I think about the scalability of the solution?

I would rate the scalability of the solution eight out of ten.

I would rate the resilience an eight out of ten.

How are customer service and support?

I contacted Splunk support once for a separate product.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial deployment was straightforward for me, likely due to my extensive experience using Splunk. When implementing the solution, we begin by defining customer needs and requirements to optimize Splunk. This involves identifying the systems necessary for daily use and ensuring the protection of the integrated licenses and external apps in the Splunk environment. This protection encompasses program security, cloud-based security, and data analysis for specific apps. Additionally, we configure personal authentication for private applications.

The deployment time is dependent on the specific requirements and can range from two to ten days.

What about the implementation team?

The implementation was completed in-house.

What was our ROI?

Splunk Enterprise Security has delivered a return on investment through its effective threat detection and vulnerability response capabilities. We have successfully demonstrated this positive impact on our customers through comprehensive reports.

What other advice do I have?

I would rate Splunk Enterprise Security nine out of ten.

While there may be cheaper solutions available, they lack the optimizer, dynamic dashboard, and security APIs that Splunk offers. These capabilities are not found in other solutions.

Maintenance is minimal for updates only.

When using Splunk Enterprise Security, ensure that optimization is performed correctly to minimize response times and resource consumption.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer2239902 - PeerSpot reviewer
Cyber Security at a financial services firm with 5,001-10,000 employees
Real User
Top 20
Integrates well, provides good visibility, and helps to identify things that can lead to a larger problem
Pros and Cons
  • "Integration with the cloud is pretty important and good for us. We found the integration with a lot of tools, not all tools yet, valuable. It does make the transfer of data, log files, and other things easier for us."
  • "Its pricing is extremely high. There are other tools out in the market that are competitive. They do not necessarily have all the functionality, but they are competitive. The professional services we have used have been high as well in comparison to the market."

What is our primary use case?

At a high level, its use cases are related to security monitoring, log aggregation, and a little bit of analysis related to incidents or fraud.

How has it helped my organization?

Splunk Enterprise Security has created better visibility for us on the cybersecurity type of events and issues. We are still maturing, but where we have seen some growth is getting better data, knowing what data to look at, and how to understand that data.

It has end-to-end visibility into our cloud-native environment. This is extremely important for us because of the type of business we do. We have a lot of PII data and a lot of compliance data on which we have to maintain very tight controls, so it is extremely important that we are able to put that in the cloud and monitor and watch our environment very closely.

It has reduced our mean time to resolve, but we are still maturing. We have got a lot of maturing to do. We have got a lot of growing to do. We have also been limited on the staff to be able to get the full realization of what we can get out of it yet, so that is a place where we are continuing to grow.

It has improved our business resilience. We have been able to identify things that could have presented a larger problem for us financially or legally through various events. We have been able to leverage the data there. We have been able to maintain that data and support that data. It does the job. It meets the needs.

Splunk has not helped to predict problems in real time because we have not yet matured to that place, but we need to. Generally, it has been helpful, but we know that we have got a lot of growing up there. We still have not got everything identified and captured in the space we want to be able to do better analysis.

Its ability to provide business resilience by empowering our staff is really high. Empowerment is great, but we have a resource problem, so we have not quite realized where we could be. 

We monitor multi-cloud environments. We have three of them. It is difficult to monitor them currently with Splunk. We are living in a highly regulated stack and a very little regulated stack and the ability to get a single pane of glass for all of that is very difficult.

What is most valuable?

Integration with the cloud is pretty important and good for us. We found the integration with a lot of tools, not all tools yet, valuable. It does make the transfer of data, log files, and other things easier for us.

What needs improvement?

Its pricing is extremely high. There are other tools out in the market that are competitive. They do not necessarily have all the functionality, but they are competitive. The professional services we have used have been high as well in comparison to the market.

In terms of scalability, it is hard to forecast where you are going. There is room to improve there.

For how long have I used the solution?

I have been using this solution for about five or six years.

What do I think about the stability of the solution?

I would rate it eight out of ten in terms of stability. Where there has been ambiguity for me is that I recently had system stability issues that were beyond my control. They were part of my solution, and I was not aware that Splunk was accountable for it. It got quickly resolved, but there was a gap there that created pain for my business.

What do I think about the scalability of the solution?

We have not had any issues. We also have not had any detriment, but it is hard to forecast based on where you are going from a business perspective, at least with the models and the account teams that I have been working with. There is room to improve there. 

How are customer service and support?

It has been a rocky road. I have been through a road where I have had limited to little engagement or support. I am on the cusp of a large turnaround, meeting with my client team and dialoguing through it. Based on the history, I would probably rate their sales support a four out of ten. Going forward, I would rate their sales support an eight out of ten. They are in the right direction. I would rate their technical support a nine out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We have been using the same solution for five or six years. It was selected before I joined, so I do not know.

How was the initial setup?

I joined after it was implemented. What I am working on now is the technical depth. I am spending a lot of time with the teams there for direction strategy. Splunk has done a great job there, specifically in pulling the right resources to bear. I had executive briefings directly with executives today where we had an opportunity to talk about different components of our solutions and our stacks, and it has been very good.

What was our ROI?

We are in a growth state right now. We have seen an ROI, but anticipating any point in the future is a little difficult, so it is a mixed response. Our scale is not quite clearly defined to be able to put it to a metric or to tie it back to consumption use. There is a little bit of autonomy in there to over-adjust and still find that we can true-up in a better space. That has been good for us, but if you let that run away from you, then you start to get in trouble. 

We have not seen any cost-efficiency. We have seen our usage and needs grow, so we have seen Splunk go up in cost for us. We have not quite realized any efficiencies yet. It is also indicative of our maturity model.

What's my experience with pricing, setup cost, and licensing?

The licensing is good, but the pricing absolutely needs some work. It is very high. One thing that they put in a contract but do not emphasize enough is true-ups on usage based on the quarterly consumption. They do not follow that methodology. They let a customer use, use, and use, and then at some point, a true-up occurs, and it is a large cost. There is an opportunity to do a quarterly track type of true-ups as per the agreements out there. That would put them in a position where customers are able to plan on, forecast around, and work through volume adjustments that may occur in their environment.

The other place where Splunk could spend time is the scale-up and scale-down model. Scale-up is easy where you get more business, and it is easy to add more capacity, whether it is storage or SVUs, but when you need to scale down because of a change in a business, it does put customers in a position where they are locked in, and there is no way to maneuver around that. 

Which other solutions did I evaluate?

We do an evaluation annually. It is important for us to do a market comparison and make sure we are looking at options in our work. What makes Splunk Enterprise Security competitive is the variabilities that they bring to the table for the overall solution. It has things like APIs that you can tie into. There is also the bonus functionality of being able to do analytics there. User behavior analytics is important for us.

What other advice do I have?

I would rate Splunk Enterprise Security an eight out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer2238942 - PeerSpot reviewer
Cloud Cybersecurity Engineer at a tech services company with 10,001+ employees
Consultant
Top 20
Predicts, identifies, and solves problems in real time
Pros and Cons
  • "The most valuable feature is the incident dashboard, and the extensive use of correlation searches, which isn't available with a standard Splunk search package. This feature is important to me because it enables SOC analysts to do their job more efficiently and be able to investigate or mediate incidents at a faster pace."
  • "A lot of people are averse to using new tools so if they make it even more user-friendly than it already is, I think that could go a long way."

How has it helped my organization?

Enterprise Security has reduced our mean time to detection to results. It used to take 25 to 30 minutes and now it's down to less than ten minutes. 

Our customer has been far more satisfied with our incident response and remediation since we adopted Splunk several years ago.

Our time to value was within a few weeks to a month.

What is most valuable?

The most valuable feature is the incident dashboard, and the extensive use of correlation searches, which isn't available with a standard Splunk search package. This feature is important to me because it enables SOC analysts to do their job more efficiently and be able to investigate or mediate incidents at a faster pace.

Another benefit is the expansion of the use of ITSI, SOAR, and now Mission Control being able to holistically monitor an environment with one tool. Also with Mission Control, we have the ability to have one interface.

It's very easy to monitor a single cloud with ES solutions. I've worked with several other SIEM tools before and Splunk does it better.

Splunk's ability to predict, identify, and solve problems in real time is good. They do it better than other tools.

What needs improvement?

I am looking forward to their expansion of the use of AI. Using AI in the user interface will go a long way because one of the challenges in my organization is getting other people to use Splunk. A lot of people are averse to using new tools so if they make it even more user-friendly than it already is, I think that could go a long way.

For how long have I used the solution?

I have been using Splunk Enterprise Security for three and a half years.

What do I think about the stability of the solution?

Stability is excellent. It is the most stable SIEM solution I've worked with.

What do I think about the scalability of the solution?

Scalability is excellent. If you need to add more capacity, you can add more indexes, and more search heads as you need. The environment stays stable as you're doing it if you do it the right way. 

My environment is about nine indexes, four search heads, and about 800 GBs a day.

How are customer service and support?

Their support is excellent. Every case I ever had to put in has been handled and resolved in a manner that I would hope for many support tickets.

I would rate them a ten out of ten because they are much more responsive than a lot of other vendors I've worked with.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

There are mostly pros when comparing Splunk to its competitors because it collects data and analyzes it. It analyzes data better and in a more detailed, documented, and organized fashion than any other SIEM that I've worked with.

I have worked with Microsoft Sentinel and ArcSight.

How was the initial setup?

I was involved in the initial setup with the help of their professional services. It was complex at first because my colleagues and I did not know the application that well. There was definitely a learning curve, but once we started to understand how to design it the proper way and how to manage it the proper way, things got a lot easier.

What's my experience with pricing, setup cost, and licensing?

It's more expensive than the other tools but it's worth it. Every penny is worth it. They do analytics better. They do security investigations better. They do everything better.

What other advice do I have?

I would rate Splunk Enterprise Security a ten out of ten. I have worked with other SIEM solutions before and Splunk is the best one.

The biggest value I get out of attending a Splunk conference is getting to network with other people within my same account under my same account manager. I appreciate the ability to go to sessions about different support products that my organization doesn't use and try to help myself understand how some of these tools are used and how I could encourage my organization to use them.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer2182467 - PeerSpot reviewer
Director of Security Engineering and Operations at a legal firm with 1,001-5,000 employees
Real User
Helps us reduce the volume of alerts we receive and speed up our security investigations
Pros and Cons
  • "The varied prebuilt feature is the most valuable because it ensures that we have complete coverage over all of the key questions."
  • "It is important to make sure that everything is built off of the threat models and all the underlying items within Splunk."

What is our primary use case?

We use Splunk Enterprise Security as our primary security event manager. We collect data from various log sources into our Splunk SIEM to build context around what is happening in our environment. We then use the capabilities of Splunk Enterprise Security and other tools to enrich this data and help us manage the data, events, and detections.

How has it helped my organization?

Splunk Enterprise Security helps us focus on security. It provides us with data and a number of pre-built learnings that allow us to view the content in very useful ways. We can apply filters to the data to get more value out of it. This is the primary use case for Splunk Enterprise Security: to help us analyze and leverage the content we have.

Monitoring multiple cloud environments can be relatively easy, but it depends on the vendors. There can be challenges, such as ensuring that all of the data is ingested and aligned correctly. This is because vendors, especially in the cloud, can change their log formats at any time. Additionally, some vendors may not provide the same log feeds in the cloud as they do with on-premises solutions. As a result, it is important to be aware of these potential challenges and to take steps to mitigate them.

Splunk Enterprise Security provides reasonable visibility into multiple environments by harnessing the power of Splunk and the data it ingests to unify and provide a consistent view.

Splunk Enterprise Security's threat detection can help our organization find unknown threats and anomalous user behavior. We are early adopters of the user behavior piece, so we are still working to normalize our data. Splunk is working with developers to ensure that they can intake our data. We use Windows Log Forwarding for a lot of our host-based logs. We are leveraging this with an on-premises GPO. The gathering mechanism is a little bit different than what Splunk has seen, but it is still within the realm of acceptable. We are working through this issue.

We have a few different STIX and TAXII feeds that are being processed by the Threat Intelligence Management feature. We are members of a few different organizations that provide these feeds, and we use them as needed. The feeds also feed into some of our security products.

Actionable intelligence provided by Threat Intelligence Management is valuable, but it is important to be aware of its limitations. Threat intelligence can help organizations to correlate and build context around security events, but it is important to remember that the information provided is often brittle and can change quickly. For example, an IP address that is associated with a threat actor today may be used by a legitimate user tomorrow. Additionally, some threat intelligence feeds may be contaminated with false positives, which can lead to false alarms. It is important to carefully evaluate the quality and reliability of the threat intelligence before taking any action. Organizations should also have a process in place to verify and validate any threat intelligence before using it to make security decisions.

Splunk Enterprise Security is a valuable tool for analyzing malicious activities and detecting breaches. I am glad we added it to our security stack. Previously, we ran for a year or so without it, and while we had some capabilities, we were truly missing out on some things by not having Enterprise Security. It definitely added value for us, and I would not go back to not having it. I think it has been a solid addition to our security posture.

Splunk Enterprise Security helps us detect threats faster, but the lion's share of the work is still in the process of customizing it to our needs. Taking enterprise security and modifying it to apply to our needs is where we see the biggest bang for the buck. From that perspective, it is probably better for us.

A lot of the prebuilt capabilities in Splunk Enterprise Security are extremely beneficial because they cover all the use cases. I think another important aspect is the consistency of their approach and how methodical they are. This is very helpful because it sets a structure for how we view our data and what we can leverage from it. This page clearly drives us to what is happening and what we need to do, and it has a workflow associated with it. This also helps to reinforce the process. When we deal with security issues, this can always be a challenge. We are dealing with a fire drill, and we need to be able to react. We don't want to make mistakes, and it is easy to do so if we are trying to wing it. However, the structure of this approach helps to reinforce that. I think this is another area that is beneficial in terms of the workflow and how it approaches what it does.

Splunk Enterprise Security helps us reduce the volume of alerts we receive. However, we still have to take action on a number of items. Splunk Enterprise Security helped us to do this by ensuring that our input data is accurate and reliable. We are still evolving and maturing in our use of Splunk Enterprise Security, and we believe that it will continue to help us to reduce the volume of alerts we receive and improve our security posture.

Splunk Enterprise Security helps speed up our security investigations to a degree. The workflow is improved, and when we encounter an incident, we can take ownership of it, manage it, dive into individual facets of it, run queries, and expand on them. It makes some items easier to access or understand.

What is most valuable?

The varied prebuilt feature is the most valuable because it ensures that we have complete coverage over all of the key questions. By seeing how others analyzed the data, we can develop new dashboards and approaches. It is always helpful to see how someone else used a tool to spark ideas about how we can enrich our items based on our specific needs. This feature covers a lot of our core general questions and is helpful, but it also allows us to see what someone who is really focused on this area has done and how we can tune and tweak it to our needs.

What needs improvement?

It is important to make sure that everything is built off of the threat models and all the underlying items within Splunk. This includes making sure that the log feeds are aligned correctly so that when we look at data and alarms, everything makes sense. Sometimes, I see alarms that are caused by data sources that have snuck in. For example, if my firewall says something about AV, it might get mapped into antivirus. This can happen because firewalls are multipurpose devices, and they can end up in models that aren't really applicable. Part of the problem is the infrastructure within Enterprise Security with how they group data types. For example, authentication data, firewall data, network data, and user-based data are all gathered in different ways. This can lead to confusion, especially when multifunction devices are involved. For example, if a firewall says that antivirus is not enabled, it might still detect something as if it was antivirus-related. This can blur the incidents and the information we have. It is important to identify items that creep in or issues that need to be cleaned. This will help us identify problem areas and their root causes more effectively and quickly. We can then clean up the data model, make sure the lines are correct, and get higher-quality alarms.

For how long have I used the solution?

I have been using Splunk Enterprise Security for over a year. We have used Splunk as a security SIEM for at least three to four years.

Which solution did I use previously and why did I switch?

We previously used free Splunk apps.

What's my experience with pricing, setup cost, and licensing?

I believe that Splunk Enterprise Security is worth the price, but it is expensive. I am always trying to balance the need for security with the need to be cost-conscious.

What other advice do I have?

I give Splunk Enterprise Security an eight out of ten.

Using a SIEM is not cheap, no matter how you slice it. So, the first question I would ask is, what are we trying to do with our SIEM? In my opinion, Splunk, including ES, shines when we are willing to invest in learning and modifying our SIEM, our solution, and our environment to align it with what we do and how we do it. If we are willing to make that investment to contextualize the security and visibility, then Splunk is a tool that can help us do that. If we are looking for a turnkey solution, where we can just throw logs at something and then pull the arm of the slot machine and get things out, then Splunk is not necessarily the right tool for us. We can get there, but it will be a pricey slot machine. I think we will get the most value out of Splunk if we want to get things that are more contextual to us. We may need to enhance or build off of the Splunk dashboards that ES includes, and that will help us to create dashboards that are extremely relevant to our environment. If we are comfortable with creating Splunk queries, then we will have a lot of power at our fingertips.

To those looking into the solution, I would ask: What are they looking for? What are they willing to invest in? Do they want to understand queries? Do they want to build the knowledge around how to structure them? Are they willing to put in the effort to get the real power out of it, or are they expecting something to tell them what is going on? They need to realize that it is never going to be built for them at that point. So they are going to be getting something generic. They have to consider their specific situation, such as how many people they have on their team, etc. They should also probably take good stock of what they are trying to log and how long they have to retain it. I have been very happy with our Splunk Cloud instances. They have been very reliable. I think it has been incredibly powerful for us. I think that is also another aspect of whether they are going to have their SIEM in their environment or outside of their environment. They need to think about some of these items. Obviously, Splunk can go either way. They have to make their decisions there. We have been very happy with our Splunk Cloud instance. So that's what's been really good for us. And, also, it takes some of the administrative aspects and puts them on somebody else. That's valuable for us too.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
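The review above warns that feed indicators are brittle (an address tied to a threat actor today may belong to a legitimate user tomorrow) and that feeds can carry false positives, so indicators should be validated before they drive an alert. The following is an added example, not code from the reviewer or from Splunk, of such a validation step: it matches constructed firewall-style events against a constructed indicator list and separates fresh, high-confidence hits from stale and low-confidence ones. The feed layout, field names, thresholds and all addresses (RFC 5737 documentation ranges) are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Indicator:
    value: str           # the IoC itself (an IPv4 address here)
    source: str          # which feed supplied it (assumed names)
    confidence: int      # 0-100, as many feeds publish it
    last_seen: datetime  # most recent sighting reported by the feed

# Constructed sample feed using RFC 5737 documentation addresses, not real IoCs.
FEED = [
    Indicator("203.0.113.10", "isac-feed", 90, datetime(2024, 5, 1, tzinfo=timezone.utc)),
    Indicator("198.51.100.7", "isac-feed", 85, datetime(2024, 1, 15, tzinfo=timezone.utc)),
    Indicator("192.0.2.44", "community-feed", 30, datetime(2024, 5, 2, tzinfo=timezone.utc)),
]

# Constructed firewall-style events; only the src= field is used below.
EVENTS = [
    "2024-05-03T10:00:00Z action=allow src=203.0.113.10 dst=10.0.0.5 dport=443",
    "2024-05-03T10:00:05Z action=allow src=198.51.100.7 dst=10.0.0.9 dport=22",
    "2024-05-03T10:00:09Z action=allow src=192.0.2.44 dst=10.0.0.5 dport=443",
    "2024-05-03T10:00:12Z action=allow src=10.0.0.20 dst=10.0.0.5 dport=445",
]
NOW = datetime(2024, 5, 3, 10, 1, tzinfo=timezone.utc)  # evaluation time for the sample
SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})")

def evaluate_ip(ip, feed, now, max_age=timedelta(days=30), min_confidence=60):
    """Classify one address against the feed; returns (verdict, indicator).
    'stale': last sighting older than max_age, so the address may since have
    been reassigned. 'low_confidence': below min_confidence, queued for review."""
    hits = [i for i in feed if i.value == ip]
    if not hits:
        return "no_match", None
    best = max(hits, key=lambda i: (i.last_seen, i.confidence))
    if now - best.last_seen > max_age:
        return "stale", best
    if best.confidence < min_confidence:
        return "low_confidence", best
    return "alert", best

def triage(events, feed, now):
    """Group source addresses by verdict so only 'alert' reaches the analyst queue."""
    out = {}
    for line in events:
        m = SRC_RE.search(line)
        if m:
            verdict, _ = evaluate_ip(m.group(1), feed, now)
            out.setdefault(verdict, []).append(m.group(1))
    return out
```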
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.
Updated: May 2025