Splunk Enterprise Security Reviews

We essentially use Splunk for our Security Operations Center (SOC). All of the notables that we create for the SOC are done in Splunk Enterprise Security. It is our SIEM.

I cannot put a value on it, but it has been pretty good. Previously, we used to use ArcSight. I used to do incident response when I first joined the SOC, and there were times when I used to sit down and run a search right at the start of my shift, which is at 7 AM, and I used to hope that it would be run by the end of the shift at 7 PM. I used to hope that it would run in 12 hours and not time out. When we got Splunk, it was a game changer. It took seconds to a minute depending on how intense the search was.

We monitor multiple cloud environments. It is easy to ingest data in Splunk. Based on what I hear from our customer success manager, he has customers who have issues ingesting logs, but for me, it is one of the easiest things ever. Their documentation is fantastic.

Splunk Enterprise Security has end-to-end visibility into our cloud-native environments. It is very important for us. When we first got cloud, it was like the Wild West. Anyone could spin up their own cloud infrastructure, and we would not know about it. It was public. We did not know what they were doing with it. Now, we have a better grasp and understanding of what is out there, so Splunk makes it easy for us to keep track of our endpoints that are public-facing.

Splunk Enterprise Security has helped reduce our mean time to resolve. As compared to ArcSight, it has saved at least three to four hours per incident. We utilize a SOAR platform. We do not use Splunk SOAR. We use a different SOAR platform, but with the combination of Splunk Enterprise Security and our SOAR platform, we are able to cut down our mean time to resolve. The time saved varies depending on the case. A normal case would probably take less than ten minutes per investigation. A critical P1 case would take more time, but a normal day-to-day case would take less than ten minutes for our analysts to do their work. A normal case is where a user clicks on a phishing link in an email, or your EDR solution says something happened and there is a threat actor in your environment moving laterally trying to access data.

The correlation searches are most valuable just because we are able to do things like RBA. One of the things that we started pretty recently is our insider threat program, and it has been pretty good, especially using RBAs as our framework for the insider threat.

The UI could be better. This is applicable to Splunk in general. I know that a lot of people who get their hands on Splunk are hesitant to use it just because they find it overwhelming. There are a lot of options. If you open Google.com, you just have a search bar. You just search and hit "go," but when people look at Splunk, they are just overwhelmed. I see that with our analysts. Even after training, if they do not use it every day, which they should be doing, they kind of lose it.

Its learning curve is a bit steep. It is hard for users to use it. For individuals who know how to use it, it is fantastic. It is great. For example, if you are a Splunk Cloud customer, and you had an outage or there is a maintenance window, those individuals who are power users would know immediately when it happens or they would know that there is a maintenance window coming up because they are the experts. They are the SMEs on their teams, and they are the ones creating value using Splunk. Individuals who do not know how to use it are intimidated.

We have been using Splunk Enterprise Security since 2017. It has been about six years.

Its stability is amazing. It is always up. It is fantastic.

It is awesome. When we first purchased Splunk Cloud, our ingest rate was about one terabyte or one and a half terabyte. We moved from the ingest-based license to the workload-based license three or four years ago, and now, we ingest about 10 to 12 terabytes. It is handling that just fine as if nothing has changed.

I would rate their support a six out of ten because there are times when someone picks up a support case, but they do not know what they are doing. I have to guide them. It is like, "I have already done the research. This is what needs to be done. There you go. Do it." I expect a little bit more from support in terms of having the knowledge upfront.

Neutral

We had on-premises ArcSight. We had one guy run it for our enterprise. Our enterprise has roughly over 130,000 people. We are a global company, and we had one guy run the entire infrastructure. We could tell when he took days off because it would not work. When we moved to Splunk, we went to Splunk Cloud immediately. We were one of the first Splunk Cloud customers or one of the bigger ones. That is what I was told when we made the switch.

I do not know whether we have seen any cost efficiencies by switching to Splunk Enterprise Security because I was not there during the ArcSight days per se. I was there at the very tail end, but I would assume that we have seen cost efficiencies just because ArcSight was only used by the security team, whereas Splunk is used enterprise-wide, not just by the security team. It should be cheaper for us. The value is there. It is cross-functional.

I was not involved in its deployment.

Its time to value was about a year. It took us about a year because back in 2017, we were making that conversion from an on-premise ArcSight deployment to a Splunk Cloud deployment. We had to make sure that everything that was being sent to ArcSight was sent correctly to Splunk. We had to make sure that everything was in a common information model format and that we could rebuild the content.

Splunk Enterprise Security is cheaper than competitors, but I do not know whether it is just our contract. 

Everyone says that Splunk, in general, is expensive. I have talked to many peers within our industry, and I know a lot of individuals who are moving away from Splunk just because of the price. That is one of the reasons why we are looking at other competitors to see if anyone is doing something better than Splunk and has a cheaper rate.

I have looked at other competitors. We recently looked at CrowdStrike's LogScale solution. It feels like Splunk to me. I cannot say how we would reproduce what we have done in Splunk on the infrastructure side or backend. Our environment is uniquely different. Technically, I am the only person who runs Splunk for our entire organization, similar to the way the previous person ran ArcSight for the organization. If I were to compare apples to apples, Splunk to me is still number one in that category.

Splunk's community is the biggest benefit. It is so easy to go to Slack and hit someone up. There is a good chance that you will find someone out there who has run into the exact same issue that you are having. Their documentation is fantastic. Because I am the only one who runs it for our organization, it is easy for me just to Google it, find the document, and just follow it. It is as simple as that. It gets a little dicey with XDR and all the other things that are happening in the market, such as using a data lake. Instead of putting our eggs in one basket or using Splunk, we might use something like Snowflake.

I get introduced to new ideas by attending the Splunk Conference. In the year before last, someone did a talk about business email compromises. Within our company, we did something similar, and we did it about nine to ten months before the talk. I listened to the talk to see if we were doing anything different from what they were doing. I found out that we were doing the exact same thing essentially. I thought, "We could have done a talk like this too." These talks are very helpful. For example, they showcased the attack analyzer, and currently, we are looking for an automated online sandbox, just like the attack analyzer. We have been looking at cloud-based sandboxes that are out there. Being able to see it hands-on and how it interacts with Splunk makes it much easier for us to make that decision.

Overall, I would rate Splunk Enterprise Security a nine out of ten.

We use Splunk Enterprise Security as the main SIEM system for our operation center. We use it for monitoring detection, and alert management.

We implemented Splunk Enterprise Security to help detect attacks on our network.

Splunk Enterprise Security is highly flexible, allowing us to create whatever we desire. This exemplifies its inherent power. The visibility it offers is notably robust. We can craft it to our needs and even utilize various frameworks within Splunk, prepackaged for security purposes. We possess distinct applications hosting diverse dashboards, catering to numerous security products, including those from different vendors.

The effectiveness of Splunk Enterprise Security insider threat detection capabilities, aimed at identifying unfamiliar threats, relies on whether we establish alerts based on the rules we formulate. If we construct rules incorporating user behavior criteria, the system functions optimally. It appears that there is an Extended User and Entity Behavior Analytics add-on available, which requires a separate license in addition to the enterprise security license. This add-on utilizes machine learning and encompasses multiple developed use cases. While it has limitations, it effectively serves the specific use cases it is designed for.

The threat intelligence framework within Splunk is also highly potent. We can ingest, link, and integrate external data feeds. Concerning IOCs, there are numerous pre-configured alerts within the system that rely on a feed of undesirable IPs. If one of these IPs triggers any of the alerts, such as those generated by our firewall's traffic logs, and the IP matches the bad IPs in the threat intelligence feed, the system correlates this information. If the flagged IP is detected within our network or appears in our firewall logs, an automatic alert is generated. We simply need to ingest the external feed. Subsequently, if the system identifies the IP anywhere, we will receive corresponding alerts.

I appreciate the new MITRE ATT&CK feature. I believe it's a valuable addition and reasonably priced. It seems the feature has been largely developed through marketing efforts, utilizing the capabilities of Splunk to display the MITRE ATT&CK map and the associated rules. This is important since MITRE ATT&CK encompasses over a hundred techniques. It presents the information to us based on the MITRE ATT&CK framework to illustrate ongoing activities. However, achieving a comprehensive understanding of each technique within the MITRE ATT&CK framework requires significant effort and adjustments.

Splunk Enterprise Security has enhanced our organization by offering increased visibility. If any adverse incidents occur, we are promptly informed. Even without configuring the custom rules, Splunk provides effective out-of-the-box rules that help prevent attacks. Consequently, it effectively halts these attacks. In fact, we have been able to detect and thwart potential attacks in their initial stages. This exemplifies the benefits it provides us.

Splunk Enterprise Security has helped to speed up our security investigations. We are now able to complete our investigations within three or four days. 

The most valuable features include agility and Splunk Enterprise Security's ability to quickly search for alerted items, as well as the capacity to create custom alerts using the SQL language employed by Splunk. This makes it a highly potent and versatile solution tailored to both user and company needs.

Splunk could enhance its services by providing more comprehensive professional assistance aimed at optimizing our investment. This aspect seems lacking as our expenses increase with higher data connectivity, seemingly without much consideration, as this translates to increased revenue for them. The challenge lies in the fact that we don't always require all the amassed data. Oftentimes, clients are uncertain about their actual data needs. Therefore, if Splunk integrated a service dedicated to system optimization and pricing, focusing on essential monitoring data while eliminating less crucial elements, it could potentially lead to cost savings for the customers. This strategic move would demonstrate their commitment to customers beyond just financial gain. It would highlight their genuine intention to provide support, streamline operations, and maximize the potential of this technology for individuals and their respective companies.

Splunk provides automation for large-scale environments where numerous servers are present. Consequently, efficient management of these servers becomes imperative. Currently, our management server operates using a top-down approach. This involves establishing connections from the main management server to every individual leaf and subsequently, to each lower-level server.

However, this architecture lacks inherent security measures. In the current setup, Splunk employs multiple collectors to gather data. Subsequently, this data is relayed upward, filtered, and then once again transmitted to the main management server. Notably, data traffic consistently flows from external sources toward the central management hub. This design enhances security, as even if a hacker were to compromise or gain control of the management server, their influence would be limited. The data originates externally and travels inwards, preventing unauthorized access to the entire system. 

In contrast, the proposed approach for managing extensive infrastructures situates the management hub at the core. This central position allows us to establish connections from the hub to the various peripheral components, even if they are located on a secure network. However, this configuration carries significant risks. A security breach at the central hub could potentially grant an attacker elevated permissions. This would enable them to compromise the entire network by gaining access to all Splunk nodes within the company. This architecture is vulnerable and has room for improvement.

I have been using Splunk Enterprise Security for four years.

I would rate Splunk Enterprise Security's stability a seven out of ten. This is because the system lacks built-in protection against certain issues. It alerts us when there are problems in the system, which we then need to address. However, these issues are not always easily fixable, setting it apart from other systems. For instance, sometimes the system slows down while we're working. This can occur when a new alert is implemented, leading to high resource usage and system instability. We are then required to identify and rectify the specific cause of this problem. This might involve disabling or adjusting the alert to ensure it doesn't negatively impact the system's performance.

Splunk Enterprise Security's ability to scale is good. I rate the scalability an eight out of ten.

The technical support is good.

Positive

Previously, I used QRadar, McAfee, and ArcSight. However, Splunk Enterprise Security is a more modern solution. While ArcSight from HP is powerful, it is an older system with limited flexibility and complex architecture. Many companies implemented SIEM systems before Splunk became available. It seems that most large companies might still be using ArcSight, but other competitors have entered the market since then.

McAfee attempted to develop a similar system, but it lacked scalability and was better suited for small businesses rather than larger enterprises. QRadar, on the other hand, remains robust, but it lacks Splunk's flexibility. One of Splunk's notable advantages is its ability to generate alerts and then allow users to enter searches and queries to investigate network activities and log data. This process, known as threat hunting, enables users to conduct specific searches, such as identifying individuals who accessed a particular system and the internet between four and five o'clock on a Friday. Splunk promptly provides the desired results, typically within a few minutes, making it a strong choice for this purpose. Additionally, Splunk Enterprise Security features a highly effective filtering mechanism.

I participated in the planning and implementation of Splunk Enterprise Security, as well as the creation of all rulesets and alerts. I am also configuring it to align with our technical framework.

Individuals who market Splunk Enterprise Security often claim that it can be deployed within half a day, which is quite amusing. While it is conceivable to perform the installation in that timeframe, the real complexity arises when we must establish connections with numerous systems. This involves accessing each system external to our main setup, configuring it, and directing the system to send its logs to Splunk. On the Splunk side, we encounter the need to create parsing mechanisms that allow proper data reading. This entails installing applications capable of correctly parsing the data, and addressing issues where parsing is inadequate. We then proceed to work with the data. Although Splunk provides some pre-configured rules, we also need to develop our own rules to identify specific events and potential attacks. The process of rule creation demands a substantial investment in writing rule sets. Additionally, integrating a threat intelligence framework becomes essential. We aspire to leverage the micro-framework we have established. Splunk Enterprise Security undeniably possesses considerable capabilities. Nevertheless, it necessitates continuous effort to unlock its full potential and achieve ongoing enhancements.

The solution's complete implementation may require up to one year. Throughout most of the deployment, we had a team of two members, occasionally expanding to three.

For the implementation, we used two integrators and Splunk Professional Services.

Considering the fact that Splunk Enterprise Security aids in thwarting attackers from gaining access to our environment, I would correlate this with a return on investment.

Splunk Enterprise Security's pricing is high. Larger companies may afford it, but I believe that in the current market situation, where everyone is facing challenges, financial resources are tight. Even stock market tech companies are embracing cost-saving measures. Expenses are now more constrained compared to a few years ago when companies had greater spending capacity. Companies are reluctant to make hefty payments. While Splunk is cheaper than Microsoft Sentinel, QRadar is priced at half the cost of Splunk.

Splunk Enterprise Security's licensing is typically determined by the data throughput we handle. Additionally, they offer an alternative pricing model which involves payment based on CPU usage. This newer model was introduced as a response to Elastic Security. However, Splunk enforces licensing in either scenario. 

I rate Splunk Enterprise Security a nine out of ten.

We do not monitor the cloud environments with Splunk. While we have several cloud environments, we avoid using Splunk for this purpose due to its high cost. To utilize Splunk, it would be necessary to place the Splunk engine in the cloud and gather all the logs from various cloud sources, resulting in substantial expenses due to the large volume of logs. As a result, our primary usage of Splunk is on-premise. Instead, we employ different systems to monitor the cloud, generating alerts through various security mechanisms. These alerts are then processed in Splunk, reducing both data traffic and costs.

Splunk Enterprise Security's capabilities to analyze malicious activities and detect breaches are similar to those of other systems. Its effectiveness depends on the rules we develop within it. To truly maximize its value and tailor it to the organization's needs, a significant amount of additional work and utilization of professional services are required.

The reduction of the alert volume presents a challenge due to the X number of personnel in the security alert center. They can effectively handle only Y alerts per day without experiencing fatigue. When the volume surpasses this limit, they tend to merely open and close alerts without thorough investigation. It's as if they've become weary of the process. Therefore, we must determine the optimal number of alerts per day and adjust the rules accordingly. The primary objective is to achieve a statistically reasonable number of alerts per day. This number should be somewhat higher than the current rate, but not three times greater, as exceeding this threshold would render their efforts ineffective. Conversely, if the number of alerts is too high, the personnel's capacity to take action is undermined, resulting in a lack of meaningful outcomes. Striking a balanced middle ground is imperative. This approach enables us to effectively identify and address crucial matters while ensuring our personnel can thoroughly investigate each alert.

Depending on the goals an organization aims to achieve, if their sole focus is on finding the most economical solution and they do not prioritize comprehensiveness, then QRadar would suffice. However, if they seek instant access to answers, I would recommend Splunk Enterprise Security.

Splunk Enterprise Security is deployed across our entire network.

Maintenance is necessary for the system, and updates are needed periodically. Whenever we acquire a new system, we must connect it to Splunk.

Resilience constitutes a crucial component of Splunk Enterprise Security, contributing significantly to the safeguarding of our system.

I recommend Splunk Enterprise Security for organizations that have the budget, time, and skill to properly utilize the solution. I do recommend paying for Splunk Professional Services.

We typically suggest Splunk IT builds for customers with significant EPS requirements and large-scale data environments. While other solutions like Foundry and IBM QRadar may be popular, they often have limitations in handling big data effectively.

It offers visibility across various environments, encompassing diverse infrastructures such as multiple firewalls. Some environments are entirely cloud-based, while others follow a hybrid model with services both on-premises and in the cloud. The infrastructure setup varies depending on the organization's specific model and needs.

We are highly satisfied with the level of visibility provided by Splunk.

It offers advanced threat detection capabilities to assist organizations in uncovering unknown threats and anomalous user behaviors. Splunk is utilized for integrating various devices including firewalls and other security controls, enabling coordination of logs and the creation of use cases. Analysts investigate alerts generated by these use cases, identifying and mitigating potential threats. Additionally, Splunk provides built-in and customizable use cases to enhance security measures.

We utilize the threat intelligence management feature in Splunk, which includes the provision of IOCs. Additionally, we have third-party intelligence services integrated into Splunk, which alert us whenever any related feature is triggered.

The effectiveness of the actionable intelligence offered by the threat intelligence management feature hinges on the third-party engines integrated or enabled within it. While false positives are common and require investigation, there are instances where identified IOCs are indeed malicious. In such cases, actions like reporting or following a predefined playbook can be taken.

We leverage the Splunk Mission Control feature, and I have hands-on experience with it. Typically, I manage it through Splunk, where I create rules, reports, and dashboards. Enabling third-party intelligence and other features involves a thorough review process, particularly when onboarding new clients. Once set up, we regularly review our baseline configuration and make adjustments as needed to ensure optimal performance. The Splunk Mission Control feature aids our organization in centralizing our threat intelligence and ticketing system data management. We integrate third-party intelligence services along with our company's proprietary advisories, particularly in the retail sector. This integration enables us to maintain a comprehensive reference set within Splunk.

We utilize the Threat Topology and Mitre ATT&CK Framework features to enhance our understanding of threats. These features offer micro-mapping visibility, allowing us to align identified needs with specific techniques.

The purpose of the Mitre ATT&CK Framework is to aid in discovering and understanding the full scope of an incident. Using the micro-hypotheses, we assess whether our subcontractors are adequately covered. We evaluate our rules to determine whether we have sufficient use cases for tactics and techniques, such as initial access. This process helps us identify any gaps in coverage within the Mitre ATT&CK Framework and address them accordingly.

Splunk is a valuable service for analyzing malicious activities and detecting breaches. However, I recommend ensuring comprehensive coverage of threats by integrating all relevant devices and maximizing visibility into logs. For instance, leveraging firewall logs enables the detection of anomalies at the network level, while logs from EDR solutions can identify malicious activities on endpoints.

Splunk has significantly improved our threat detection speed. Comparatively, when working with other teams, I've found Splunk to be more efficient due to its big data capabilities, allowing for faster analysis compared to IBM QRadar and similar tools.

The primary benefits our customers experience from utilizing Splunk in their organization are significant. While Splunk may be more costly compared to other machine solutions, its effectiveness shines in handling large volumes of data, making it ideal for organizations with extensive data needs. Unlike solutions like IBM QRadar, which may struggle with processing large amounts of data efficiently, Splunk's big data capabilities enable it to excel in such scenarios.

Splunk Enterprise has effectively decreased our alert volume across various use cases. Whenever we develop a new use case, we carefully analyze it, occasionally encountering false positives. In such instances, we collaborate with IT to whitelist these cases. Over time, as we accumulate a robust whitelist, the ratio of false positives diminishes, resulting in a higher rate of true positive alerts.

It has significantly accelerated our security investigations, proving to be immensely helpful. We can efficiently track and analyze user activities with most devices integrated into the Splunk environment. The visibility provided by Splunk allows us to coordinate activities seamlessly and thoroughly investigate any detected incidents. Whether it's identifying the origin of an activity or uncovering correlations between events, Splunk enables us to piece together the entire user activity chain swiftly and effectively.

Compared to other SIEM products, I've found that Splunk offers quicker alert resolution times. Its ability to efficiently handle large data volumes contributes to this advantage. Analysts typically have predefined playbooks and investigation checklists for when alerts are triggered, which Splunk supports well. Additionally, we've customized dashboards and reports to further streamline our detection process, ultimately reducing our response time.

For those seeking cost-effective solutions, Elastic Stack stands out as a popular choice due to its single-source administration and competitive pricing. Many industries, recognizing its affordability and robust services, are swiftly adopting Elastic and other similar solutions like Wazuh.

The value of resilience in a SIEM solution varies depending on the organization's preferences and requirements. Some organizations prioritize high availability and disaster recovery capabilities, which contribute to resilience.

As an analyst, I've observed that Splunk offers a variety of rule sets, along with built-in and customizable use cases. We have the flexibility to create dashboards and expand reports for management visibility. One key advantage of Splunk over competitors like IBM QRadar is its superior device integration capabilities. With Splunk, we can seamlessly integrate and coordinate data from various sources, enhancing our analytical capabilities.

I believe there is room for improvement in reducing costs, particularly in the financial aspect, as Splunk tends to be pricier compared to other options. Additionally, enhancing support services with more technical personnel is essential. Delays in responses from the technical team can pose challenges for both vendors and clients, especially considering that Splunk applications and machine solutions are critical assets. Splunk's pricing may pose a barrier for some users, but if it becomes more competitive, it could attract those currently using IBM QRadar or similar solutions. Additionally, considering the trend towards migration to Microsoft Sentinel, which offers a comprehensive suite including identity management and EDR coverage with Microsoft Defender, Splunk could benefit from offering similar modules. In Microsoft Sentinel, they offer a separate identity management module, which I find particularly valuable. Any anomalies detected within identity management trigger alerts, providing enhanced security.

I have been working with it for two years.

It provides good stability capabilities.

The scalability of Splunk, particularly when implemented as an enterprise solution, is notable. While we work with a limited number of clients, typically five to six, they are spread across various locations, including the US and Pakistan. From a maintenance perspective, our operations are based in Pakistan. Our clientele predominantly consists of customers from Gulf countries, and we also extend our services to clients in the US.

There have been instances where the response time from Splunk's support team has been slower in comparison to others. I find IBM QRadar and similar solutions to have more efficient support teams. I would rate it five out of ten.

Neutral

Our deployment team handles both deployment and support services, including maintenance responsibilities.

It offers a return on investment for our company.

Overall, I would rate it eight out of ten.

We use Splunk daily to find the root cause of attacks and analyze users attempting to access our system. We create incidents and address 5 to 7 simultaneously. Once we analyze and record the activity, we can delete the incident. Our admin team will verify whether it originated externally or internally. 

We use Splunk to respond to security incidents and for data analytics. We conduct custom correlations for the customer and write reports on any attacks. We set alerts for user behavior to discover threats, like if someone is constantly attempting to access our internal domain. The admin will identify that threat and block it. 

Splunk helps us be more proactive. We can take predictive action to identify and block threats so that nothing harmful gets into the system. With Splunk, we can monitor the entire environment from one place. It's a single point of control for all infrastructure, whether in the cloud or on-premise. Splunk has sped up our security investigations. 

I like Splunk's Notable Events. We have created several dashboards for our customers, where you can see the activity and number of alerts. The database receives data about the mask and domain IPs of any user trying to gain access.  We ingest logs from multiple antivirus products and firewalls and analyze them to prevent attacks and threat activities.

Splunk could have more built-in use case presets that customers can build on and customize. 

I have used Splunk for 9 years. 

Splunk is a stable product.

I rate Splunk technical support 8 out of 10. 

Positive

We previously used Dynatrace but switched to Splunk because it has more features. 

Splunk is easy to deploy if you have some basic knowledge. You need experience. It doesn't require any maintenance after deployment. 

Splunk is a good value for the features it provides. The license is costly, but it's better than the other tools. 

I rate Splunk Enterprise Security 8 out of 10. I would recommend Splunk to others. It's one of the most powerful tools available. It's a valuable tool for monitoring infrastructure. 

We use Splunk Enterprise Security to analyze log data for log monitoring, creating use cases, onboarding, and incident response.

We wanted a single security tool that could immediately identify notable events that could be reported as security breaches, and then enable us to take intelligent action without having to purchase additional security tools.

We have two customers with hybrid cloud solutions. Neither customer is fully cloud-based. Our implementation is based on the customer's requirements, such as compliance, data ownership, and administration. We plan the implementation of Splunk cloud or hybrid models based on these requirements. We discuss the benefits and solutions with the customer to ensure that we are not breaching any compliance policies and that we are selecting the right model for their needs. Because we have multiple customers, we must also consider how to manage this process effectively.

We use multiple cloud environments for our clients, including AWS, Azure, GCP, and private cloud. We can easily integrate Splunk Enterprise Security and segregate the logs based on the type of index we create for each customer. When we create different indexes, we can segregate the types of logs based on the device type. This makes it easy to separate logs from different universal providers, different machines, and specific types of indexes dedicated to particular customers or groups.

We use threat topology and MITRE ATT&CK to create and integrate use cases for network framework detection and visualization in Splunk. Splunk helps us segregate and integrate use cases based on different threat detections and provides a complete dashboard view of how use cases match with detected threats.

When discussing MITRE ATT&CK and topology, we sometimes encounter use cases where we must ensure the logic is properly implemented to detect the threat and trigger the alert. This is because log access may involve specific teams and their associated MITRE ATT&CK tactics and techniques. We must be very specific about the information we are observing in order to derive the correct information and framework topology.

Splunk is one of the easiest solutions for analyzing malicious activities and detecting breaches. It is flexible enough to work with small teams, and it provides a broad view of the data, allowing us to segregate and fine-tune the analysis based on the customer's requirements.

Splunk Enterprise Security can help us detect threats faster when it is properly configured. We have implemented over 400 use cases for specific types of malware and other threat detection. In over 70 percent of environments, Splunk is able to detect threats faster than other solutions.

It has helped our organization improve by integrating with cloud providers. Splunk enables us to blacklist specific data types and ranges to reduce our losses, based on our requirements.

We have reduced our alert volume by around 50 percent with Splunk. When we first started creating and using Splunk use cases, we received around 700 alerts. Splunk can merge different sources of use cases into one to identify false positives, which has been very helpful for us.

Splunk has helped speed up our security investigations by almost 70 percent. We have a dedicated incident response team. They use the Splunk incident reports to help with their investigations. 

Splunk Enterprise Security comes with 300 pre-deployed use cases that can be easily customized to meet the specific needs of our organization, without the need to purchase additional tools.

We can easily identify the number of security devices and users that are authenticated on the network and present the information to the executive team.

Splunk can improve its third-party device application plugins.

I have been using Splunk Enterprise Security for five years.

Splunk Enterprise Security is stable.

Splunk Enterprise Security is scalable.

The Splunk technical support is good but their call times differ.

Positive

I previously used IBM Security QRadar, Azure Sentinel, and McAfee Network Security Platform. Splunk Enterprise Security is designed for multiple platforms and is easier to implement.

Splunk is much faster when used correctly and has many tools. With the exception of Sentinel, the other solutions do not have many tools. With Sentinel, we have to define the indexes and all those things, such as the aggregation of logs. It is easy to do searches in Splunk, even in a large environment. I find Splunk to be more efficient than the other solutions I have used in the past.

The initial deployment is straightforward. We install the solution and define the roles of each server and the data it will store. The deployment in our test environment took 13 hours.

We have seen a return on our investment in Splunk. The variety of options that Splunk provides is a great selling point for our customers.

While Splunk is more expensive than other solutions, we would still choose it because of its capabilities. Splunk is a leader in the field and provides a wider range of data and security features than other SIEM solutions.

I would recommend Splunk over any of the less expensive SIEM products. I recommend the license-based solution over the user-based solution that Splunk offers. If I had to recommend any other SIEM other than Splunk, it would be Microsoft Sentinel.

I would rate Splunk Enterprise Security seven out of ten.

The threat detection capabilities that we get by default are very basic. However, if we want to implement the most effective threat protection on the internet, we need to purchase a relevant solution for intelligent threat protection. This will provide us with more feeds for enterprise security and help us to integrate data by matching the data to the target and to the security with our Splunk.

We have 60 percent of our customers using Splunk Enterprise Security in their environments.

Splunk maintenance is required for updates. 

Splunk provides a centralized monitoring platform, eliminating the need to switch between different platforms to monitor security. Splunk provides a clear view of different security losses and incidents, and we can onboard any number of devices as needed. We can monitor our entire environment from one place, requiring only one team to monitor it. Splunk adds a lot of value currently.

Being in an air-gapped environment, we pretty much look for insider threats and other notables related to improper configurations and against security best practices.

We are 100% on-prem and in an air-gapped environment, so there is no Internet connection.

There have been some improvements, especially related to centering. We added user behavioral analytics, so it imports everything. Any threat generated inside of that goes into Enterprise Security. I wish anomalies would go in there, but I can understand why they don't, as it generates so many anomalies. However, it would be nice if I could select certain anomalies that would be helpful with notables. This way, I can track down security events before they become threats.

I believe Splunk Enterprise Security has reduced our mean time to resolve, but we do not have any definitive timing metrics.

Splunk has helped improve our organization’s business resilience because it is a central location where correlation searches populate. We can easily track down and figure out where issues lie, which minimizes the time of my SOC team. It probably saves them a couple of hours considering it is colocating everything in one location. It would be nice if there were better ways to search for the data. We can take a look at the raw logs, but we should be able to find the actual event that caused the problem and see all the logs associated with it in a standard log format as opposed to just a text file with all the events added in.

We are a small environment, so we do not get a lot of alerts. We work on the issues as we get them and I am sure it saves a couple of hours.

In terms of its ability to predict, identify, and solve problems in real-time, it works really well when you are connected to the Internet. The predictive analysis is more cloud-based. Trying to find ways to do it on-prem in an air-gapped environment with no Internet connection can be a pain. There are some ways to do risk-based analysis, but we are still hamstrung because we do not have the Internet connection and the larger data sets that they have.

Internal tracking is helpful because we do not like to deal with multiple ticketing systems, and I am not a fan of ServiceNow. We are able to keep everything internal and utilize Enterprise Security. Internal ticketing is helpful because we can bring in all the data and have it all available. That way, we can go back and take a look at it if we find another situation. We do not have to utilize other ticketing systems for cybersecurity.

Its interface and usability can always be improved. We are running on the last version, so I have not checked out how the newest one looks. Currently, we have to track down and remember where things are located. We have new guys on the team, and sometimes they have to click around and figure out where things are.

We have been using Splunk Enterprise Security for about five years.

The solution is not going anywhere. As long as they continue to support and develop it, and not make it a cloud solution, we will continue to purchase it.

We have a total of 500 devices, and we ingest around 150 gigs a day.

The scalability is pretty easy. They recently enabled it to be able to go into a search head cluster. Previously, the only way to install this was on its own dedicated search and it could not be connected to a cluster. Over the last four or five years, they have been pushing harder and harder for clustering everything up for shared resources. Enterprise Security is one of the few apps where you were not allowed to do that. Having scalability with the search head cluster is nice, and it is one thing I am looking at implementing in the future.

Splunk's support is pretty good. I contacted Splunk's support a couple of times. In total, they are helpful, and we are able to get the support where we need it, but unfortunately, it is self-inflicted because we are air-gapped. It takes me anywhere between 45 minutes to an hour and a half to get the logs required. I need to get them sanitized, approved, and transferred over so that I can get them to Splunk. I would rate them a nine out of ten because a couple of times, I found the answer before they did.

They have the best documentation in all of the tech sector, and it is not behind a paywall where you cannot find information. There is certain information in Splunk Knowledge Base under the support page that I believe should be searchable through Google.

Positive

The return on investment is very good because, with ELA, we purchased the products at a reasonable price. We did not have to pay significantly more for licensing than we could possibly use. We were able to combine and get it at a much lower cost point.

In terms of the time to value, it took us a couple of months to get used to the interface and get people trained. Unfortunately, we had some turnover during that time, so we had to constantly retrain or train new people. The newer versions of Enterprise Security that came along made things a little bit easier. Luckily, we had some free training provided to us because we have an enterprise license agreement.

Luckily, we come under a large federal agency, and before the pandemic, they signed a large enterprise license agreement. It worked out great and to our advantage because we are a small organization. We got a 300 gig license, and we just did not have the buying power to be able to get products cheaply. Because we all partnered together under the agency umbrella, we were able to get Splunk Enterprise Security, UBA, and ITSI for cheap. This was good considering the fact that some of these premium apps require a minimum number of users, and we do not have the number of people needed to even justify buying it.

I would rate Splunk Enterprise Security a seven out of ten. There is definitely some room for improvement. I have not installed the newer version. Once I get into it, I will see what new capabilities there are, but there is a decent lift that is needed for the setup. Professional services help with that, but the customer generally does not like paying for that more than once.

Because of the ELA, I am able to come to Splunk conferences for free instead of having to pay my own dime. That helps tremendously, especially considering the fact that education is included. I believe that is because of the enterprise license agreement with the government contract. That helps out a lot. I have been coming to conferences since 2017. There are a lot of good people and a great community. 

We primarily use Splunk Enterprise Security for security incidents and event management. The solution is deployed in one department, but it covers multiple locations worldwide. 

With Splunk, we can monitor and manage enterprise-wide events. It provides a single console for various data sources covering the entire organization, which is critical for compliance purposes.

We can integrate Splunk Enterprise Security with other solutions to automate some security tasks, saving us some time. For example, if you detect potential malware and you want to isolate one system from the organization's network, you don't need to trigger a process. We can fully automate that. Minutes after malware is detected, the machine will be automatically quarantined from the rest of the network. 

You can integrate Splunk with third-party security automation solutions and set rules for automatic response. Splunk can monitor multiple cloud environments, but it's a little tricky if you're working with several vendors. Every cloud environment is slightly different, and some are better integrated.

The visibility into multi-cloud environments is decent. It depends on the number of sources you have, and Splunk is pretty flexible from that perspective. You can add any type of data source. The challenge is the engineering effort some of these data sources require, but others are effortless to manage.

We haven't used the insider threat capabilities yet, but it's an area that we want to explore. We have other tools for this. We use different products for threat intelligence. 

Splunk Enterprise Security could have more pre-built integrations and rules. The detection is fairly accurate, but it depends on the rules you create. Splunk's out-of-the-box configuration isn't that useful. 

If you spend time with your team creating rules specific to your environment, you can get a lot of value from Splunk. At the same time, that requires some additional effort and costs. Splunk has a few built-in integrations that are ready to go. In other cases, we need to build custom solutions, which is more difficult and costly.

I have used Splunk Enterprise Security for about three years. 

It is stable overall. 

Splunk Enterprise Security scales up pretty well. 

I rate Splunk support seven out of 10. There is a little room for improvement. We always start with junior support engineers who lack the experience to deal with complex issues, which are the only problems we ever contact support about. Our staff members can handle most minor issues. 

We typically need to escalate, and we've had an excellent experience with the higher-level engineers. Those qualified engineers are scarce, so I can imagine a situation where two big Splunk customers have significant problems simultaneously, but there aren't enough available technicians. Splunk has the right people but maybe not enough of them. The process could also be improved. 

Neutral

Deploying Splunk was relatively complex. After deployment, it requires some maintenance and management. A team of about 10-15 people is responsible for the solution. 

We deployed Splunk with an in-house team of five to 10 people and some professional support from the vendor. 

We've seen an ROI by automating Splunk Enterprise Security, but automation requires another product and license. 

Splunk Enterprise Security is quite expensive compared to some products on the market. 

The company evaluated a few tools before deciding on Splunk. I used ArcSight at a previous job. Splunk is more flexible than ArcSight, and it has various modules you can purchase to expand the functionality. You don't need to invest in a different solution because you can purchase add-ons for your existing infrastructure. 

It's modular, so you can tailor Splunk to your organization's size, structure, and specific needs. The customer can do it. You don't need to request it from a service provider. 

I rate Splunk Enterprise Security eight out of 10. My advice would be that before deploying Splunk, research some of the company's materials and make sure it meets your cybersecurity requirements. 

You may need to purchase other tools, and the solution might not do everything you want it to do out-of-the-box. Depending on your environment, you'll probably need to invest some time and money into the solution to get the results you want. 

We use Splunk for monitoring and investigation and recently integrated it with ServiceNow. It's a SOC tool, and any malicious activities on the client's side trigger an alert here. 

Splunk has improved our operations by giving us access to more information and allowing us to deploy more use cases. We have integrated Splunk with ServiceNow, so the information from the queries running on the back end is now directly forwarded to the analysts, reducing the manual work. We are pulling data from Splunk into ServiceNow, so the security analysts have all the user details to conduct their investigations. 

It's easy to monitor multiple environments with Splunk. The cloud model is better than the previous on-premises version. The custom dashboards are helpful. We have created multiple dashboards for user activity, logins, phishing, etc. If you miss an alert, you can check the dashboards. For example, if you need to check some user activity, we have a dashboard for Azure Active Directory, and Mimecast is integrated for monitoring email-based attacks like phishing. It throws the information up on the dashboard when we get an alert.

The monitoring aspect of Splunk could be improved. We have to do some queries to get as much information as CrowdStrike or other solutions provide. If you run a big query, you will see a delay. That is the only concern we have because it will take some time if you query large data sets. 

I have used Splunk for more than three years.

I rate Splunk 10 out of 10 for stability. 

Splunk is a highly scalable product. 

I rate Splunk support 10 out of 10.

Positive

Deploying Splunk is somewhat complex, and it requires maintenance afterward. 

Splunk is expensive based on our current requirements, but it's obviously worth what we pay. 

I rate Splunk Enterprise Security nine out of 10. I see Splunk as a monitoring tool, not as a security tool. It provides alerts, and we conduct an analysis and investigation based on the information we receive. I believe having another sandbox integrated with Splunk will be helpful for the investigator.