Monitors the network and provides easy visibility into problems
Pros and Cons
- "The solution's most valuable feature is the dashboard, which allows us to see everything on the same page and provides easy visibility into problems."
- "Sometimes, the data does not match what we're looking for, or the tool contains incorrect data."
What is our primary use case?
We use Splunk Enterprise Security to monitor the network. We use the solution wherever there's a problem with the cell phone tower.
How has it helped my organization?
When we see a problem, Splunk Enterprise Security provides many details you can use to diagnose and determine what needs fixing.
What is most valuable?
The solution's most valuable feature is the dashboard, which allows us to see everything on the same page and provides easy visibility into problems.
Splunk Enterprise Security has helped us find security events in our on-premises environment.
It has helped improve our organization's ability to ingest and normalize data. Splunk does a good job of identifying and solving problems in real-time.
We have reduced our alert volume by 80%.
The solution provides relevant context to help guide our investigations. Splunk provides pretty detailed information. Based on that information, we can assign it to different teams.
It has helped speed up our security investigations by 40%.
Splunk Enterprise Security has helped reduce our mean time to resolve. In most cases, we're able to solve issues in less than 45 minutes.
What needs improvement?
Sometimes, the data does not match what we're looking for, or the tool contains incorrect data.
Buyer's Guide
Splunk Enterprise Security
September 2025

Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: September 2025.
869,832 professionals have used our research since 2012.
For how long have I used the solution?
I have been using the solution for two months.
What do I think about the stability of the solution?
Splunk Enterprise Security is a very stable solution.
What do I think about the scalability of the solution?
The solution provides good scalability.
How are customer service and support?
The technical support team responds quickly every time we contact them.
What was our ROI?
We have seen a return on investment with the solution because it has reduced the time it takes to fix our problems.
What other advice do I have?
Overall, I rate the solution a nine out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

CSO at a manufacturing company with 1,001-5,000 employees
Has enhanced our organization by offering increased visibility and provides quick search results
Pros and Cons
- "The most valuable features include agility and Splunk Enterprise Security's ability to quickly search for alerted items, as well as the capacity to create custom alerts using the SQL language employed by Splunk."
- "Splunk could enhance its services by providing more comprehensive professional assistance aimed at optimizing our investment."
What is our primary use case?
We use Splunk Enterprise Security as the main SIEM system for our operation center. We use it for monitoring, detection, and alert management.
We implemented Splunk Enterprise Security to help detect attacks on our network.
How has it helped my organization?
Splunk Enterprise Security is highly flexible, allowing us to create whatever we desire. This exemplifies its inherent power. The visibility it offers is notably robust. We can craft it to our needs and even utilize various frameworks within Splunk, prepackaged for security purposes. We possess distinct applications hosting diverse dashboards, catering to numerous security products, including those from different vendors.
The effectiveness of Splunk Enterprise Security insider threat detection capabilities, aimed at identifying unfamiliar threats, relies on whether we establish alerts based on the rules we formulate. If we construct rules incorporating user behavior criteria, the system functions optimally. It appears that there is an Extended User and Entity Behavior Analytics add-on available, which requires a separate license in addition to the enterprise security license. This add-on utilizes machine learning and encompasses multiple developed use cases. While it has limitations, it effectively serves the specific use cases it is designed for.
The threat intelligence framework within Splunk is also highly potent. We can ingest, link, and integrate external data feeds. Concerning IOCs, there are numerous pre-configured alerts within the system that rely on a feed of undesirable IPs. If one of these IPs triggers any of the alerts, such as those generated by our firewall's traffic logs, and the IP matches the bad IPs in the threat intelligence feed, the system correlates this information. If the flagged IP is detected within our network or appears in our firewall logs, an automatic alert is generated. We simply need to ingest the external feed. Subsequently, if the system identifies the IP anywhere, we will receive corresponding alerts.
I appreciate the new MITRE ATT&CK feature. I believe it's a valuable addition and reasonably priced. It seems the feature has been largely developed through marketing efforts, utilizing the capabilities of Splunk to display the MITRE ATT&CK map and the associated rules. This is important since MITRE ATT&CK encompasses over a hundred techniques. It presents the information to us based on the MITRE ATT&CK framework to illustrate ongoing activities. However, achieving a comprehensive understanding of each technique within the MITRE ATT&CK framework requires significant effort and adjustments.
Splunk Enterprise Security has enhanced our organization by offering increased visibility. If any adverse incidents occur, we are promptly informed. Even without configuring the custom rules, Splunk provides effective out-of-the-box rules that help prevent attacks. Consequently, it effectively halts these attacks. In fact, we have been able to detect and thwart potential attacks in their initial stages. This exemplifies the benefits it provides us.
Splunk Enterprise Security has helped to speed up our security investigations. We are now able to complete our investigations within three or four days.
What is most valuable?
The most valuable features include agility and Splunk Enterprise Security's ability to quickly search for alerted items, as well as the capacity to create custom alerts using the SQL language employed by Splunk. This makes it a highly potent and versatile solution tailored to both user and company needs.
What needs improvement?
Splunk could enhance its services by providing more comprehensive professional assistance aimed at optimizing our investment. This aspect seems lacking as our expenses increase with higher data connectivity, seemingly without much consideration, as this translates to increased revenue for them. The challenge lies in the fact that we don't always require all the amassed data. Oftentimes, clients are uncertain about their actual data needs. Therefore, if Splunk integrated a service dedicated to system optimization and pricing, focusing on essential monitoring data while eliminating less crucial elements, it could potentially lead to cost savings for the customers. This strategic move would demonstrate their commitment to customers beyond just financial gain. It would highlight their genuine intention to provide support, streamline operations, and maximize the potential of this technology for individuals and their respective companies.
Splunk provides automation for large-scale environments where numerous servers are present. Consequently, efficient management of these servers becomes imperative. Currently, our management server operates using a top-down approach. This involves establishing connections from the main management server to every individual leaf and subsequently, to each lower-level server.
However, this architecture lacks inherent security measures. In the current setup, Splunk employs multiple collectors to gather data. Subsequently, this data is relayed upward, filtered, and then once again transmitted to the main management server. Notably, data traffic consistently flows from external sources toward the central management hub. This design enhances security, as even if a hacker were to compromise or gain control of the management server, their influence would be limited. The data originates externally and travels inwards, preventing unauthorized access to the entire system.
In contrast, the proposed approach for managing extensive infrastructures situates the management hub at the core. This central position allows us to establish connections from the hub to the various peripheral components, even if they are located on a secure network. However, this configuration carries significant risks. A security breach at the central hub could potentially grant an attacker elevated permissions. This would enable them to compromise the entire network by gaining access to all Splunk nodes within the company. This architecture is vulnerable and has room for improvement.
For how long have I used the solution?
I have been using Splunk Enterprise Security for four years.
What do I think about the stability of the solution?
I would rate Splunk Enterprise Security's stability a seven out of ten. This is because the system lacks built-in protection against certain issues. It alerts us when there are problems in the system, which we then need to address. However, these issues are not always easily fixable, setting it apart from other systems. For instance, sometimes the system slows down while we're working. This can occur when a new alert is implemented, leading to high resource usage and system instability. We are then required to identify and rectify the specific cause of this problem. This might involve disabling or adjusting the alert to ensure it doesn't negatively impact the system's performance.
What do I think about the scalability of the solution?
Splunk Enterprise Security's ability to scale is good. I rate the scalability an eight out of ten.
How are customer service and support?
The technical support is good.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Previously, I used QRadar, McAfee, and ArcSight. However, Splunk Enterprise Security is a more modern solution. While ArcSight from HP is powerful, it is an older system with limited flexibility and complex architecture. Many companies implemented SIEM systems before Splunk became available. It seems that most large companies might still be using ArcSight, but other competitors have entered the market since then.
McAfee attempted to develop a similar system, but it lacked scalability and was better suited for small businesses rather than larger enterprises. QRadar, on the other hand, remains robust, but it lacks Splunk's flexibility. One of Splunk's notable advantages is its ability to generate alerts and then allow users to enter searches and queries to investigate network activities and log data. This process, known as threat hunting, enables users to conduct specific searches, such as identifying individuals who accessed a particular system and the internet between four and five o'clock on a Friday. Splunk promptly provides the desired results, typically within a few minutes, making it a strong choice for this purpose. Additionally, Splunk Enterprise Security features a highly effective filtering mechanism.
How was the initial setup?
I participated in the planning and implementation of Splunk Enterprise Security, as well as the creation of all rulesets and alerts. I am also configuring it to align with our technical framework.
Individuals who market Splunk Enterprise Security often claim that it can be deployed within half a day, which is quite amusing. While it is conceivable to perform the installation in that timeframe, the real complexity arises when we must establish connections with numerous systems. This involves accessing each system external to our main setup, configuring it, and directing the system to send its logs to Splunk. On the Splunk side, we encounter the need to create parsing mechanisms that allow proper data reading. This entails installing applications capable of correctly parsing the data, and addressing issues where parsing is inadequate. We then proceed to work with the data. Although Splunk provides some pre-configured rules, we also need to develop our own rules to identify specific events and potential attacks. The process of rule creation demands a substantial investment in writing rule sets. Additionally, integrating a threat intelligence framework becomes essential. We aspire to leverage the micro-framework we have established. Splunk Enterprise Security undeniably possesses considerable capabilities. Nevertheless, it necessitates continuous effort to unlock its full potential and achieve ongoing enhancements.
The solution's complete implementation may require up to one year. Throughout most of the deployment, we had a team of two members, occasionally expanding to three.
What about the implementation team?
For the implementation, we used two integrators and Splunk Professional Services.
What was our ROI?
Considering the fact that Splunk Enterprise Security aids in thwarting attackers from gaining access to our environment, I would correlate this with a return on investment.
What's my experience with pricing, setup cost, and licensing?
Splunk Enterprise Security's pricing is high. Larger companies may afford it, but I believe that in the current market situation, where everyone is facing challenges, financial resources are tight. Even stock market tech companies are embracing cost-saving measures. Expenses are now more constrained compared to a few years ago when companies had greater spending capacity. Companies are reluctant to make hefty payments. While Splunk is cheaper than Microsoft Sentinel, QRadar is priced at half the cost of Splunk.
Splunk Enterprise Security's licensing is typically determined by the data throughput we handle. Additionally, they offer an alternative pricing model which involves payment based on CPU usage. This newer model was introduced as a response to Elastic Security. However, Splunk enforces licensing in either scenario.
What other advice do I have?
I rate Splunk Enterprise Security a nine out of ten.
We do not monitor the cloud environments with Splunk. While we have several cloud environments, we avoid using Splunk for this purpose due to its high cost. To utilize Splunk, it would be necessary to place the Splunk engine in the cloud and gather all the logs from various cloud sources, resulting in substantial expenses due to the large volume of logs. As a result, our primary usage of Splunk is on-premise. Instead, we employ different systems to monitor the cloud, generating alerts through various security mechanisms. These alerts are then processed in Splunk, reducing both data traffic and costs.
Splunk Enterprise Security's capabilities to analyze malicious activities and detect breaches are similar to those of other systems. Its effectiveness depends on the rules we develop within it. To truly maximize its value and tailor it to the organization's needs, a significant amount of additional work and utilization of professional services are required.
The reduction of the alert volume presents a challenge due to the X number of personnel in the security alert center. They can effectively handle only Y alerts per day without experiencing fatigue. When the volume surpasses this limit, they tend to merely open and close alerts without thorough investigation. It's as if they've become weary of the process. Therefore, we must determine the optimal number of alerts per day and adjust the rules accordingly. The primary objective is to achieve a statistically reasonable number of alerts per day. This number should be somewhat higher than the current rate, but not three times greater, as exceeding this threshold would render their efforts ineffective. Conversely, if the number of alerts is too high, the personnel's capacity to take action is undermined, resulting in a lack of meaningful outcomes. Striking a balanced middle ground is imperative. This approach enables us to effectively identify and address crucial matters while ensuring our personnel can thoroughly investigate each alert.
Depending on the goals an organization aims to achieve, if their sole focus is on finding the most economical solution and they do not prioritize comprehensiveness, then QRadar would suffice. However, if they seek instant access to answers, I would recommend Splunk Enterprise Security.
Splunk Enterprise Security is deployed across our entire network.
Maintenance is necessary for the system, and updates are needed periodically. Whenever we acquire a new system, we must connect it to Splunk.
Resilience constitutes a crucial component of Splunk Enterprise Security, contributing significantly to the safeguarding of our system.
I recommend Splunk Enterprise Security for organizations that have the budget, time, and skill to properly utilize the solution. I do recommend paying for Splunk Professional Services.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
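The threat-intelligence correlation the reviewer above describes (ingest a feed of undesirable IPs, match it against the firewall's traffic logs, raise an alert whenever a source or destination address hits an indicator) can be shown end to end in a few dozen lines. The following is an added example written for this page; it is not Splunk's code, not the reviewer's, and not how Enterprise Security implements its threat-intel framework internally. The feed, the key=value log lines, the field names (src, dst, action, dport) and the feed sources (feedA, feedB) are all constructed, and only RFC 5737 documentation address ranges appear in them.

```python
import ipaddress
import re

# Constructed threat-intelligence feed (not a real feed): one "indicator,source" per line.
# Indicators may be single IPs or CIDR ranges; comments, blanks and bad entries are skipped.
THREAT_FEED = """\
# sample feed, constructed for this example
203.0.113.5,feedA
198.51.100.0/24,feedB
not-an-ip,feedC
"""

# Constructed firewall traffic log lines (not real Splunk data), key=value after a timestamp.
FIREWALL_LOGS = """\
2025-09-01T10:00:01Z action=allow src=10.0.0.15 dst=203.0.113.5 dport=443
2025-09-01T10:00:02Z action=allow src=10.0.0.16 dst=192.0.2.10 dport=80
2025-09-01T10:00:03Z action=deny src=198.51.100.77 dst=10.0.0.1 dport=22
2025-09-01T10:00:04Z action=allow src=10.0.0.17 dst=10.0.0.18 dport=445
garbage line that does not parse
"""

_KV = re.compile(r"(\w+)=(\S+)")


def load_feed(text):
    """Split the feed into an exact-IP dict (O(1) lookup) and a list of CIDR networks."""
    exact = {}
    ranges = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indicator, _, source = line.partition(",")
        try:
            net = ipaddress.ip_network(indicator, strict=False)
        except ValueError:
            continue  # malformed indicator: drop it instead of rejecting the whole feed
        if net.num_addresses == 1:
            exact[str(net.network_address)] = (indicator, source)
        else:
            ranges.append((net, indicator, source))
    return exact, ranges


def lookup(ip_text, exact, ranges):
    """Return (indicator, source) when the address is in the feed, otherwise None."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # field was not an address at all
    hit = exact.get(str(addr))
    if hit:
        return hit
    for net, indicator, source in ranges:
        if addr in net:
            return (indicator, source)
    return None


def parse_log_line(line):
    """Parse 'timestamp k=v k=v ...' into a dict; return None for lines without src/dst."""
    parts = line.split(" ", 1)
    if len(parts) != 2 or "=" not in parts[1]:
        return None
    fields = dict(_KV.findall(parts[1]))
    if "src" not in fields or "dst" not in fields:
        return None
    fields["ts"] = parts[0]
    return fields


def correlate(logs, feed):
    """Emit one alert per (log line, direction) whose address matches a feed indicator."""
    exact, ranges = load_feed(feed)
    alerts = []
    for line in logs.splitlines():
        ev = parse_log_line(line)
        if ev is None:
            continue
        for direction in ("src", "dst"):
            hit = lookup(ev[direction], exact, ranges)
            if hit:
                alerts.append({
                    "ts": ev["ts"], "direction": direction, "matched_ip": ev[direction],
                    "indicator": hit[0], "source": hit[1], "action": ev.get("action"),
                    "src": ev["src"], "dst": ev["dst"], "dport": ev.get("dport"),
                })
    return alerts


if __name__ == "__main__":
    for a in correlate(FIREWALL_LOGS, THREAT_FEED):
        print(a)
```

The alert carries the original src, dst, action and port alongside the matching indicator and its feed source, which is the context an analyst needs to decide whether an allowed connection to a listed address is worth escalating. Note that a denied inbound connection from a listed range still produces an alert; whether denies should be suppressed or scored lower is a tuning decision, not something the matcher should decide silently.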
IT Specialist at a government with 10,001+ employees
Fair price, integrates well, and allows us to have everything in one tool
Pros and Cons
- "Exporting is a good feature. It helps me out when I have to do reports. I do a lot of exporting and crunching of the numbers. Dashboards are okay for showing to the leadership, but for doing statistics and updating tickets, the export feature is very beneficial for me."
- "It works as intended for us, and we are getting everything that we need out of it. If anything, its initial setup can be improved a bit."
What is our primary use case?
I am the branch chief. I use Splunk Enterprise Security depending on how swamped the team is. I use it for anything from basic searches to DDoS attacks, which is a big thing right now. So, DDoS attacks and phishing emails are a lot of what I am using it for.
How has it helped my organization?
We had FireEye before and then we went to CrowdStrike. Splunk has definitely helped to have everything into the tool. It is a lot easier to complete the tickets. It saves, on average, a couple of hours a day. We just go to Splunk and then provide data and work with different people on the tickets, so it saves hours each day. We have been able to allocate these hours to other projects or things that are more of a priority. We are able to do different projects that were on the back burner. We can put those hours towards other things.
Splunk has improved our organization’s business resilience. We are able to give leadership updates through dashboards versus the actual metadata. It is easier for them to understand and provide leadership.
Splunk’s ability to predict, identify, and solve problems in real-time is very good. It is proven. Every couple of weeks, it catches some of the things that our SOC team did not catch and provides alerts, so its real-time capabilities are very good.
Our team has overall benefited from Splunk. We had FireEye before, which was not that good. We are able to benefit from Splunk not only in terms of instant response. We also have other teams doing vulnerability management using the Prisma systems. It is important that Splunk provides end-to-end visibility into our native environment. We use it for Prisma and instant response. Without Splunk, we would not be able to do some of the things that we need to do unless we went to individual tools, and we do not have the resources for that.
What is most valuable?
Exporting is a good feature. It helps me out when I have to do reports. I do a lot of exporting and crunching of the numbers. Dashboards are okay for showing to the leadership, but for doing statistics and updating tickets, the export feature is very beneficial for me.
They offer training. That is a big part of it. If you do not understand the tool, they are able to provide everything that you need, which helps the business. When you have learned a tool, you are able to speed up the process meantime, so you are not wasting a lot of man-hours trying to figure things out.
What needs improvement?
I do not have any areas that can be improved. It works as intended for us, and we are getting everything that we need out of it. If anything, its initial setup can be improved a bit.
In terms of additional features, I am still learning SOAR and everything else, so I do not have any feature requirements at this time, but as we do these SOAR operations, there might be some additional features that we will need.
For how long have I used the solution?
I have been using Splunk Enterprise Security since 2016.
What do I think about the stability of the solution?
It is very good as long as you have the scope of how many servers, processors, and other things you need. There was a learning curve of making sure our servers were beefy enough to handle the data. We had four terabytes of data coming in every day. We were maxing out our systems a little bit, so we beefed that up, and we have had no issues since.
What do I think about the scalability of the solution?
Its scalability is easy. On-prem was very easy, and on the cloud, you have to learn and adapt a little bit, but scalability is perfect.
How are customer service and support?
I only reached out to our Splunk contacts, but my team reached out to Splunk's support team. I have not had any issues where they told me that they did not get the support they needed. They might take time to figure out what the issue is, but overall, I would rate their support a ten out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We used FireEye, which was our primary one, and then we had CrowdStrike. Splunk has definitely been wonderful for us. The biggest reason for switching was integration. It is very easy to get all the tools fed into Splunk. They also had a cloud version, which was another reason. We are doing a hybrid setup, so cost savings was also a big factor.
How was the initial setup?
I was involved in its deployment. I am the system owner of it. I am in charge of it, so I oversaw the project deployment. There is a learning curve with the hybrid setup with the cloud and on-prem, but overall, I am pretty satisfied with it.
We have an on-prem and a cloud environment depending on the platforms we are using in the system, so we have both environments. The challenging part was getting everything set up and fed into Splunk, but once it is set up, there is no difference in using it on-prem or on the cloud. We do not notice any real difference in it.
The initial setup could be improved a little bit. It depends on your local team, firewalls, and other things like that, so there was a learning curve for the teams to learn how to set it up. That part could be improved, but once you go through it, it is not an issue.
What about the implementation team?
We had the Splunk team, and they did wherever they needed to get everything deployed. Our experience with them was good. We have worked with Splunk for years now. Their support has been very beneficial. If I have a question, they jump right on and let me know. They walk me through it and give me updates, so I am pretty happy with Splunk.
What was our ROI?
We have seen an ROI in terms of the mean time to resolution and man-hours. We are able to allocate those hours to other things. We have not got there yet in terms of the upfront costs, but we will get there over time.
When it comes to the time to value, we are getting there. We have not got there yet, but over time, we will get to the time to value.
What's my experience with pricing, setup cost, and licensing?
Its price is fair. Like with anything else, if you go into the cloud, different providers cost more, and you are able to throttle back or throttle up. The cost is comparable with anything else.
Which other solutions did I evaluate?
We evaluated other options. We had to evaluate the pros and cons in terms of the cost and the capabilities of each tool. A lot of that went into the proof of concept. We did our due diligence and determined that Splunk was the best fit for us.
What other advice do I have?
I would rate Splunk Enterprise Security a ten out of ten. It gives us everything we need, and its capabilities keep on improving, so it is getting better.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cyber Security Analyst
Creates dashboards for analysis and provides notifications for security incidents
What is our primary use case?
Most times I use Splunk Enterprise Security for log analysis, and I also use it to create alerts for any security incidents. There are some alerts I set up on my endpoint, and once the alert is triggered, I get a notification. I also use it for visualization. I create my own dashboard to send to my managers for analysis, for reports, and all of that.
What is most valuable?
The ability to easily aggregate data and make meaningful reports is what makes Splunk Enterprise Security excellent. If I want to search for the number of failed passwords, I can go to my index, write my query, and create a report quickly. When my manager wants me to create a report concerning a particular incident, I go to my dashboard, type my query, create my dashboard from there, and everything works out smoothly.
What needs improvement?
They should put out more educational resources for users to learn how to use Splunk Enterprise Security. If they could have a manual or guide similar to Linux, where users can search and see various commands for different searches, it would help users navigate their way around the product more easily so it wouldn't be so complex.
For how long have I used the solution?
I have been using Splunk Enterprise Security for over two years now.
What do I think about the stability of the solution?
There was one instance when I was trying to use the Forwarder and it wasn't working properly. Apart from that, Splunk Enterprise Security has been perfect for me.
What do I think about the scalability of the solution?
When trying to connect to other endpoints using the Splunk Enterprise Security Forwarder, I encountered connectivity issues. This occurred while setting up for a company, and the connection wasn't working properly.
Which solution did I use previously and why did I switch?
I have used Wazuh.
What's my experience with pricing, setup cost, and licensing?
The pricing could be reduced to make it more accessible.
What other advice do I have?
I would rate Splunk Enterprise Security an eight out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Jul 9, 2025
Splunk engineer at MindPoint Group, LLC
Great risk-based alerting, clear dashboards, and decreases false positives
Pros and Cons
- "The risk-based alerting is excellent."
- "The Splunk platform is not unified. We have all of these different tools and they feel a bit disjointed."
What is our primary use case?
The primary use case is for failed login attempts. I typically stick to the security use cases.
How has it helped my organization?
The risk-based alerting helped to decrease false positives. We would just get a bunch of email alerts every time a threshold was reached previously and we'd have to investigate them. We'd have to deal with alert fatigue, the standard scenario where no one believes in the alerts anymore. So risk-based alerting has helped us tune out some of the noisier issues and then tune into the alerts, endpoints, and users that are problematic.
What is most valuable?
The risk-based alerting is excellent. It was most helpful in decreasing the amount of false positives that help bubble up the most problematic users and assets for the analysts, and it's fairly easy to implement.
Splunk Enterprise Security provides end-to-end visibility into our environment. It's a ten out of ten for that capability. Everyone wants to know what's happening across their environment. The more difficult part is defining the visibility, as we can't ingest the entire company into Splunk. So, the harder part is not necessarily gaining visibility. It's rather determining what visibility looks like. Oftentimes, it comes down to determining and prioritizing using the highest value.
Splunk Enterprise Security, when set up properly, helps us find any security events across multi-cloud, on-premises, or hybrid environments. It helps with investigations and helps us find that needle in a haystack.
While it doesn't necessarily help with data normalization, some pieces determine whether the data is usable and create that usability outside of enterprise security. It does assist in the process.
Splunk Enterprise Security provides us with relevant context to help guide our investigations. The context helps with risk-based learning, which is one of the things I rely on fairly heavily. It also helps reduce false positives and increases visibility to the most problematic endpoints and end users.
The Splunk Enterprise Security Hub has reduced our mean time to resolve; however, how much is hard to quantify. The dashboard is color-coded, and it's easy to read for the analysts. I don't often have to explain anything to them. Red is bad, green is good. The dashboards are relatively self-explanatory and it helps reveal the most difficult, problematic parts.
The solution does help with resilience - a bit. What it does is help us discover problems and reactively fix them.
What needs improvement?
I've definitely seen improvement. However, assets and identity are probably some of the most important integrations for risk-based learning. So if there was a way to make it easier - and, again, I know there's been significant improvement - that is one of the more annoying friction points when setting up risk based alerting.
The Splunk platform is not unified. We have all of these different tools and they feel a bit disjointed.
For how long have I used the solution?
I've used the solution for maybe six years.
What do I think about the stability of the solution?
It's a complex tool. Everything needs to be done proactively. That said, it's relatively stable. There's a lot of stability built in, and I don't have any problems with it.
What do I think about the scalability of the solution?
I've worked in on-premises environments as large as 300 terabytes, and they return data very quickly. When it's done right, it can scale tremendously.
How are customer service and support?
The customer service and technical support can be hit or miss. Sometimes you get someone that is really good and knows their stuff and is really helpful. Sometimes you are trying to be patient and help them through. That's hard when you have someone breathing down your neck to get things fixed. They're nice. However, sometimes, when I have pressure on my end, I don't need someone who is nice - I need someone who knows how to fix my issue.
How would you rate customer service and support?
Positive
How was the initial setup?
I'm usually the one performing the setup work. I've been working with Splunk for a long time; it's relatively easy for me.
Enterprise Security is a beast. The best practice is to put it on its own search head. When setting it up, I'm asking for not only an additional light license for Enterprise Security. I have to ask for another server on top of it, too. It is quite a difficult task to ask when Splunk is already as expensive as it is. Then, there is technically setting it up and configuring it. It does take time to configure and normalize all the very foundational parts, such as the assets on identities, which is absolutely integral to getting security working. While I enjoyed the process, it took a lot of work.
What about the implementation team?
I am a consultant and do assist with the setup.
What was our ROI?
My work typically has to do with improving the quality of alerts or content and normalizing data. I don't usually get to the point where I'd be able to measure ROI.
What's my experience with pricing, setup cost, and licensing?
I'm not the person that deals with pricing. I have heard there is sticker shock.
What other advice do I have?
I'd give the solution an eight out of ten. There are a lot of great features. They're constantly increasing the value of Enterprise Security. However, they're leaving behind many smaller clients that don't have the knowledge or expertise and don't have professional services, which is another large expense. A lot of smaller clients just don't have the ability to set it up properly, and when that happens, they're only leveraging 30% to 40% of its capabilities. They're upset and wonder why this very expensive tool is not working for them. That said, when it works, it works great.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer. Consultant
Cyber security analyst at a manufacturing company with 10,001+ employees
Provides threat intelligence correlations and reduces lead time for identifying risks and threats
Pros and Cons
- "The solution's most valuable feature is threat intelligence correlations."
- "I'd love to see more integrations, which is one of the primary points of the key node with Splunk Enterprise Security."
What is our primary use case?
We use Splunk Enterprise Security for insider risk and security operations centers.
How has it helped my organization?
Splunk Enterprise Security primarily reduces our lead time for identifying risks and threats. Since a lot of the work is being outsourced or we depend on those new threat intelligence feeds, we're able to identify and triage them quicker. So, it leads to a quicker incident response.
What is most valuable?
The solution's most valuable feature is threat intelligence correlations. It's too hard to stay up-to-date on all the different data feeds yourself. So, having a tool that does it for you is very beneficial.
Splunk Enterprise Security has increased our alert volume because we now have new data to work with, and we're writing more alerts. We don't use the solution a lot for observability. Usually, our primary use case for Splunk Enterprise Security is cybersecurity.
It is extremely important to our organization that Splunk Enterprise Security provides end-to-end visibility into our environment. That's the primary reason we use it. We want the ability to do everything from one tool without having to thrash back and forth and lose that precious time.
Splunk Enterprise Security has helped reduce our mean time to resolve. We're at least twice as efficient with Splunk Enterprise Security at identifying risk, following up, tracing it throughout the chain, and resolving it. We still have various toolings, but over time, the goal is to nest everything into Splunk Enterprise Security to make it cohesive from end to end.
What needs improvement?
I'd love to see more integrations, which is one of the primary points of the key node with Splunk Enterprise Security. I would also like to see more admin capability to enable the health of Splunk Enterprise Security because, a lot of times, it's difficult to know when and why things are failing, especially for on-premises customers.
Splunk Cloud is a little clearer because it has more integrated support. For on-premises, it feels like sometimes you have to guess and then hope for the best. Troubleshooting some things related to Splunk Enterprise Security takes a lot of time.
For how long have I used the solution?
I have been using Splunk Enterprise Security for five years.
What do I think about the scalability of the solution?
The solution's clustering is great, but it could have easier containerization where it's more dynamic, and you can spin up and scale down as needed. Right now, Splunk is a very large expense for us as far as our cloud environment is concerned. Anything we can do to cut costs would be great.
Right now, we run the servers 24/7 and never change the size unless they're underpowered. We're spending a lot of money on off-hours to keep it alive, which is not ideal.
How are customer service and support?
We've got a lot of experience on our team solving Splunk, but the few times we used Splunk's technical support, we found them to be very effective and efficient. Occasionally, we'll forget to respond to them, and they'll follow up with us, which is usually the opposite of what you see. So, I've got nothing but good things to say about Splunk support.
How was the initial setup?
The solution's deployment was difficult because we were going through admin changes right as we were installing it. It took three admins over the course of five years to get it set up. I think if we had one dedicated admin from the start and kept them on the job until the job was done, we wouldn't have had nearly as much trouble.
What about the implementation team?
We used a reseller to implement the solution.
What was our ROI?
We have seen a return on investment with the solution.
What other advice do I have?
Splunk Enterprise Security is really strong, capable, and great at what it does. There are obvious areas of improvement, but it looks like Splunk has already identified them and is working on road maps to enhance SOAR integration and AI digital assistance for Splunk Enterprise Security. Once those are fully implemented, the product will further improve.
Overall, I rate the solution an eight out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Sr Security Engineer at an insurance company with 5,001-10,000 employees
Risk-based alerting significantly reduces the alert volume and speeds up the investigation
Pros and Cons
- "I am enjoying our implementation of risk-based alerting. That has helped very much with cutting out a lot of the noise that we have. It has reduced our alert volume significantly. There is about an 80% reduction."
- "I do not like the pricing model. It is expensive."
What is our primary use case?
We use it for alerting. It also helps our analysts triage.
How has it helped my organization?
It is our bread and butter and our day-to-day tool for the SOC. Besides alerting, just being able to do research and look through various logs to gather context around the alerts has been super valuable.
It is critical to us that Splunk Enterprise Security provides end-to-end visibility. The place that you cannot see is from where you are going to get attacked.
We have a hybrid cloud environment with AWS and Azure. I am pretty confident in its ability to help us find any security event across our environment. We have put in time to feed Splunk Enterprise Security the data that we want to look at.
I am pretty happy with its ability to ingest data. When it comes to normalizing, my company could improve on that a little because we need to do more tuning of some of the data that we are ingesting. That is not much of an issue with Splunk Enterprise Security. That is more of an issue with how we are using it. We need to possibly do a little bit better in terms of how we utilize this tool.
I am pretty confident in its ability to identify and solve problems in real-time. If it has the data and you implement it properly, it will tell you what is wrong.
With risk-based alerting, we are now getting the right context for investigations. It definitely helps and speeds up the investigation. With risk-based alerting, I can see the chain of events. I can see what caused this to occur. I do not have a percentage, but I know my analysts are not getting the alerts that they have not completed by the end of the shift. Previously, that was not the case, so I am pretty pleased.
Splunk Enterprise Security has helped improve our organization’s business resilience.
Splunk Enterprise Security helps to identify and solve problems in real-time, but I do not know if it can also predict the problems in real-time.
What is most valuable?
I am enjoying our implementation of risk-based alerting. That has helped very much with cutting out a lot of the noise that we have. It has reduced our alert volume significantly. There is about an 80% reduction.
What needs improvement?
I do not like the pricing model. It is expensive.
For how long have I used the solution?
I have been using Splunk Enterprise Security for about five years.
What do I think about the stability of the solution?
I have not had issues with its stability.
What do I think about the scalability of the solution?
It is pretty scalable. It also depends on what you are ingesting, but it does a good job with our data.
How are customer service and support?
I do not use the support that often. Normally, when I am looking for help, I just search on the web. If I am trying to build something and I do not remember the command, it is pretty easy to find.
Which solution did I use previously and why did I switch?
I have used logging solutions. I find Splunk easier to use than other solutions such as LogStack.
With any such tool, the alert quality that you will get is based on the data that you are feeding it. If you are parsing logs and doing a good job with that, the outcome is good.
How was the initial setup?
I did not deploy this instance, but I deployed it in my last company. It was not as bad as I thought. It was comparable to some of the other product rollouts in the environment.
What's my experience with pricing, setup cost, and licensing?
It is expensive, but it is a good tool.
It is worth the cost. I have worked with organizations that did not want to invest in a security tool. I am glad that we are taking security a little more seriously in this organization.
What other advice do I have?
I would rate Splunk Enterprise Security a ten out of ten. I enjoy it. I like it.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cyber Security Consultant at HCL Technologies
Has excellent advanced threat detection capabilities and good visibility
Pros and Cons
- "My customer was integrated with many third-party credentials and other threat sources as well. The integration part was seamless and easy. The rates for allocating valuable information and IOCs from different sources are also good."
- "The incident response technique should be available out of the box. That isn't as available as we would expect."
What is our primary use case?
We use Splunk for identity protection, threat defense, vulnerability scanning, zero-trust, and user entity behavior and analytics.
How has it helped my organization?
Splunk Enterprise Security has helped our customers reduce the alert volume. We ended up validating the false positives manually. We have to do quite a review assessment task. It can do some automatically, but we end up doing them manually to improve the detection.
What is most valuable?
Splunk's advanced threat detection capabilities are excellent. Recently, Cisco acquired Splunk, so many customers are migrating to the Microsoft platform, but historically, I've found Splunk does a better job of correlating and collecting the security logs of all kinds of appliances. Most customers want to consolidate their security products into Microsoft.
It supports just about every cloud solution. It is easy to collect and correlate all the data. The visibility is good. Insider threat detection can be customized. My customer was integrated with many third-party credentials and other threat sources as well. The integration part was seamless and easy. The rates for allocating valuable information and IOCs from different sources are also good.
What needs improvement?
The incident response technique should be available out of the box. That isn't as available as we would expect.
For how long have I used the solution?
I have used Splunk for around two years.
What do I think about the stability of the solution?
Splunk is stable. We've had no breakdowns in the past few weeks.
What do I think about the scalability of the solution?
We can scale Splunk quickly.
How are customer service and support?
I rate Splunk support seven out of 10.
How would you rate customer service and support?
Neutral
How was the initial setup?
Deploying Splunk was moderately difficult compared to Sentinel. Collecting logs, provisioning firewall servers, and indexing are all complex tasks. You need someone with expert knowledge to do the job. The process takes four to six weeks. You need to design the solution and onboard the data, then start collecting logs and doing the detection.
What's my experience with pricing, setup cost, and licensing?
I rate Splunk three out of 10 for affordability.
What other advice do I have?
I rate Splunk Enterprise Security seven out of 10. Splunk needs to compete with other products like Microsoft, and right now, it looks like they're losing the race. They need to make drastic changes and accommodate more flexible options and integration solutions.
Disclosure: My company has a business relationship with this vendor other than being a customer. Consultant