Splunk Enterprise Security Reviews

The most valuable feature of Splunk is security information and event management(SIEM). Additionally, the solution is easy to use, has useful reports, and good interface.

I have used Splunk within the past 12 months.

Splunk is stable, and this is why many customers want it.

The scalability of Splunk is good. Customers can purchase 100 GB now and if they wanted more, they can immediately add an additional 100. The customer will have to only pay for additional licenses.

I hear that customers usually have support on time from the Splunk team. Generally, they are satisfied with the response they receive from Splunk.

The total time of the implementation depends upon the customer's requirement. The factors that affect the implementation time are the type of use case, the environment of deployment, one location or multiple locations, number of devices, and applications. The requirements play a large role in the time it might take for implementation. You cannot simply explain in one week or one month.

There are two to three people required for the implementation of Splunk.

The price of this solution is expensive. However, it has great features. If you want a great solution you need to pay a price matching the features.

If this solution matches the needs of your use case then I would give it a try.

I rate Splunk a nine out of ten.

Our initial use case was for security investigation, with the intention of creating some use cases. We ended up adding operational aspects, monitoring certain operational activities, such as high CPU utilization or any other applicational basis. 

This is obviously a cloud solution, but it does have some presence on-premises as well, so it's hybrid. 

One of the most valuable features is threat hunting. We can do threat hunting and identify if there is any malicious activity happening within our environment, which is a key feature for us. 

Splunk could be improved by reducing the cost. The cost is one of the biggest challenges for us in keeping to our production requirements. 

As for additional features, I think they need to refine their AI capability. I know that everyone is talking about artificial intelligence and threat hunting, so I guess one of the key requirements for us is for the solution to automatically provide us some kind of indication and then mitigate any risk. So automation should be a feature. 

I have been using Splunk for two years. 

This solution is excellent from a performance and stability perspective. There's very minimal maintenance required. Basically the only aspect we need to maintain is the one we have on-prem. So patching up everything and making sure it has the required updates. 

There are no issues at all in terms of scalability, since this is a cloud-based solution. There are around 25 to 30 users in my company accessing Splunk. 

Splunk's support is good. The process was smooth and they provided sufficient support, so there was no need to escalate anything. Also, they provide training on a regular basis, which is good. 

I have never worked with other similar products. I've worked for three companies, all of which use Splunk. 

The initial setup was very smooth. I think we got some support from the Splunk team. Since it's a cloud-based solution, it took us probably three or four weeks to actually start working. But deploying agents, configuration, refining, fine tuning, and other ongoing activities went on for about a month. 

We implemented through an in-house team with some support from the Splunk team. It was a very smooth process, from our perspective. 

This solution is costly. Splunk is obviously a great product, but you should only choose this product if you need all the features provided. Otherwise, if you don't need all the features to meet your requirements, there are probably other products that will be more cost-effective. It's cost versus the functionality requirement. 

I also evaluated IBM QRadar and LogRhythm NextGen SIEM. 

I work in security architectures, not operations, so I don't actually work with Splunk on a regular basis, but the team that does is working on threat hunting and incident management. 

I rate Splunk an eight out of ten. 

We are currently using it with SIEM, and SOAR which is Security Orchestration, Automation, and Response.

Splunk is primarily used for security, incident response, and security analytics.

Using Splunk, give us the visualization we need, we can easily observe things such as user behavior analytics, irregular traffic, frequency, and any spikes in unusual activity inside the network.

The additional vendors we've brought on board, particularly the Elastic, have been quite beneficial.

It's a solid platform.

Other than the pricing modules, I have no issues with the product itself.

The configuration had a bit of a learning curve.

I would like to learn more about the Cloud solution, but I'm aware that it's lacking some core applications.

If they could bring on more vendors, you would be able to monitor a larger number of applications. We could have visualization with other applications we have with the infrastructure in our organization.

I did a POC, but we have recently procured it. We did a rudimentary setup to get an understanding of how it works. We are into our sixth month of using it now.

Splunk is a very stable solution.

This solution is quite scalable.

In our organization, we have 10 users, who use this solution but we have plans to increase our usage.

The technical support has been quite helpful.

The previous solution was limited in its functionality. 

We were looking at the additional controls that enterprise security may have, as well as visualization, to gain greater visibility.

Splunk offered us more visibility.

The initial setup was complex.

We had some assistance with the actual deployment, but while I was doing the POC, I was working with a vendor. There were things I had to do myself, such as the configuration, which was a bit challenging for me, it was a big learning curve.

For the installation, we received some assistance from the vendor.

It's too early to know if there will be a return on investment.

The pricing modules could be improved.

The licensing fees are paid on a yearly basis.

There is a standard license with provisions for more. As we are still exploring the functionality, there may be other departments that want to use it.

Those who are interested in implementing this solution should be prepared to dig deep into their pockets.

I would rate Splunk a nine out of ten.

I have some experience with the solution, since I am working with customers who are interested in part time help monitoring their network and have been helping them fine-tune the rules in the solution's platform. The way the primary task works is to watch for and then respond to the threat. Should there be a need, I usually work with a team in fine-tuning the rules on this platform. We are providing the products.

I recently started working primarily on the Playbooks of the Splunk Phantom, so I've been creating some of these to help the customer automate the process of responding to the threats.

What is nice about the solution is that it makes it easy to build the queries, search for the events and then do analysis. I recently have become involved in the Playbooks, since it is painful for the client to respond to the threat, be it positive or negative. As such, I currently see the Phantom component of the solution to be of great value. Otherwise, most other features seem to be similar to Netwitness, such as the monitor log, network, and endpoint capabilities. Importantly, the solution lacks endpoint options, as these are currently deployed on Cisco, which is okay, as it works fine with that bad side of the endpoint security. This translates into them building queries, rules and then Playbooks. 

The main advantage of the solution is that it provides an easy setup platform in the new environment. When set up afresh, it is also easy to build queries. Historical queries can be used to site for a new event, which makes it easy to use, deploy and understand.

Endpoint access is the only issue I can think to mention, even though the endpoint access we have with Cisco is fine. 

I have been engaged in the production environment of Splunk for around a year and have been reading up on it for a long time.

I would rate Splunk as one of the big five platforms. I would give it a high rating based on the efficiency of the platform. 

Splunk allows one to easily scale up this platform. One can add more interfaces to that platform if he gets more data. 

I usually rely on the Splunk community for information, such as discussions of incidents and other issues which others are facing. I feel the Splunk community to be an excellent source of information for me.

Out of the three platforms I have been dealing with, I feel the initial setup of Splunk to be the easiest. I found it a bit difficult to set up a new environment with RSA Netwitness. Splunk, on the other hand, I have found to be very straightforward and an uncomplex platform. 

I have been proposing to management to take the solution to be a primary product in our dealings with it. We do not encounter many issues involving the solution. One of the problems I have with the RSA Netwitness platform is its complexity. Splunk is straightforward for us when it comes to views and it provides us the network security posture.

The ability for the solution to work with Cisco shows that the solution can work with other products. The only thing is that when the solution is compared with other vendors, one sees that there is only a single other vendor that has endpoint security like this one, Netwitness platform having its component for the endpoint. This is why an integrated endpoint would be a nice feature, even though the solution works on Cisco. 

The main advantage of the solution is that it provides an easy setup platform in the new environment. When set up afresh, it is also easy to build queries. Historical queries can be used to site for a new event, which makes it easy to use, deploy and understand. 

When it comes to a data platform, there is RSA NetWitness, which may also be a good platform. I have not done much training of my own on Splunk, but have gained much experience through learning and working with clients that I support. This is because the platform is understandable. 

I would rate Splunk as one of the big five platforms. I would give it a high rating based on the efficiency of the platform. Clearly, I cannot include Wazuh in the top five categories, as its rating is not up there with Splunk, Qradar and LogRythm.

I cannot think of anything disadvantageous about Splunk, as we are talking about a product that I like. I feel the solution has beautiful features. 

The decision to go with Splunk would depend on the business needs of the individual. I know that Splunk has both a cloud and an on-premises option. Sometimes, such as when it comes to conferences, there is no need to move some of the data to the cloud for the purpose of complying with regional requirements. There may be a need to retain some of it and a person might wish for a mixture of on-cloud and on-premises capabilities.

I rate Splunk as an eight out of ten. It is a robust platform and easy to use. 

We typically use it for centralized log management and SIEM functionality.

I am using the most recent version of it.

As per government requirements, a lot of government sites have to have the active monitoring of logs. So, we use their security appliance add-on that essentially combs through the log. It pre-filters and brings out the critical events so that you can focus on those instead of having to create your own searches and whatnot. It helps simplify the process of monitoring security events in the logs for people.

The flexibility of the search capability is most valuable. You can use it for more than just a basic log aggregator. It is powerful in that regard.

It is a good product, but the Achilles heel for a lot of organizations is the cost model for it because it gets expensive. That's because the model is based on how much data it processes a day, which can be prohibitive, especially if you have a lot of data. A lot of customers may not be ready for the sticker shock on how to fully leverage the product. I realized that the reason for that is that when it was originally designed, it was kind of like a big data modeling application. If they want to have a bigger customer base, they can come out with subsets of their product that are focused on specific things and have different pricing models. It may help with the cost.

To actively use the interface, you have to be able to speak their language. You really need to have Splunk training to use the tool. Integrations are not that bad, but once you get into that developer mindset and you understand the programming query language, then you're pretty flexible in making it work with other products. It could be daunting if you don't have the training. It is akin to being thrown and asked to go write a Python script when you don't know any of the Python language or PowerShell. If you don't know how to form the queries, the words, or the syntax, it can be a hurdle if you're looking everything up.

I have been using Splunk for about seven years.

It has been very stable. It is pretty rock solid.

It is as scalable as you can afford. We have a pretty small user base of 75 users, and it is mostly data center administration staff, application administrators, and security people. It is more of an in-house solution than a customer-facing solution.

Our usage is moderate. We're okay right now. We primarily use it as a SIEM and log aggregator. We could use it for other things, but the cost is what is preventing us from that at this point.

We've had a few calls, and they're very responsive.

We were using an assist log backend with Rsync and Kiwi prior to that. It was more of a co-solution than a cobbled-together solution. Splunk was a big improvement. The main reason for going for it was just the rate at which we were growing. We needed to have something that was more scalable than what we had before.

It was pretty straightforward as compared to most applications. It had the ability to auto-deploy agents to end devices. Splunk infrastructure itself wasn't difficult to deploy or set up. They package that process, and it is pretty well-rounded. They even offer a jumpstart install service to help get it off the ground when you buy in, and those components work really well together.

It was all done within a day. Some of the endpoints took a little bit longer, but the basic install was done in the day.

We used packaged professional services from a partner of Splunk. Our experience with them was very good.

In terms of maintenance, it is pretty simple. There are fewer patches than there would be for supporting a Windows device. There is not much labor to maintain it.

It can be cost-prohibitive when you start to scale and have terabytes of data. Its cost model is based on how much data it processes a day. If they're able to create scaled-down niche or custom package offerings, it may help with the cost. Instead of the full-blown features, if they can narrow the scope where it can only be used for a specific purpose, it would kind of create that market for the product, and it may help with the costing. When you start using it as a central aggregator and you're pumping tons of logs at it, pretty soon, you'll start hitting your cap on what it can process a day. Once you've got that, you're kind of defeating the purpose because you're going to have to scale back.

They're kind of pushing everybody away from perpetual licensing into subscription-based models, which a lot of companies are doing too, but in most environments that I've been in, they prefer to go the perpetual license and then just pay maintenance on top of it. That's because it's easier for them to forecast the big expense up front.

I would advise definitely taking advantage of their professional services and making sure that the administrators and whoever is going to be using the tool go through the training. The cost for the training, which depends on if you're commercial or government, is not that much, and there is a definite value there because if you're trying to learn it on your own with a book, it is going to take forever.

I would rate Splunk a seven out of 10. 

It's the mainstay of our monitoring solutions that we have for auto-logging, et cetera, for our enterprise solution.

The most valuable aspect of the solution is the ability to capture the different data streams. We also appreciate the reporting in that aspect of Splunk. If we can grow now, with any security arena, it's going to be proactive, not reactive. It allows us to digest the information, the data, the different data streams, so we can make decisions based upon information that we receive, and it is pretty robust.

The configuration could be better.

We would like to see improved pricing, however, I'm kind of out of that arena. I make suggestions based upon the flexibility with which we serve our customer base, which is millions of our veterans. I would say that if someone was not familiar with it, one of the things that I've heard is that it's kind of hard for them to understand the whole thing. Splunk is just one piece to the puzzle. It's not the whole puzzle. It's kind of not the solution's fault, in that sense. That said, if it could be more accessible to people with different skillsets, that would be ideal.

We'd like to see reporting where there's a way that we can get a higher description without being too technical, for example, where it's kind of more of an executive-level of technical.

I've personally been using the solution for over ten years. At this point, it's been more than a decade. I've used it for a while now. 

We're partners and end-users. We don't have a business relationship with Splunk.

We use the latest version. I'm not hands-on. I'm called the architect, however, we do use the latest version as that's a part of our configuration management framework, that all of our applications - especially in security - are up-to-date with the latest and greatest updates, bells, and whistles. We use both public and private clouds.

In terms of creating the solution, for what we do from an enterprise standpoint, everything from monitoring to data capture to reporting, we would rate it at a nine out of ten.

As there is no SIEM solution here at present, we are building it up through the assistance of a vendor. In the past I worked in the Splunk Cloud, which was seven-point something. With QRadar I worked on version 7.3. 

We use Splunk Cloud as a SIEM solution and to monitor traffic and the network for detection purposes. We can create use cases so that if the solution picks up on anything entering our organization, the malicious IP can be blocked. 

In respect of ones which are suspicious, based on the logs we pull from the data source, we can build the use cases accordingly and have our analysts work on these. 

In the several years I have worked with the solution, I have felt there to be a need for practice of queries and understanding. As with other areas needing practice, the more one learns and practices, the easier things become. 

While this is not terribly difficult, it is so when compared with QRadar. This holds true when we don't know the queries at all. Other than this, it is a great tool. 

The solution should also have more advanced capabilities in comparison with QRadar, which offers Watson. The product should have add-ons. 

The solution is stable and reliable. 

The solution is easy to scale, to add on and to integrate with other solutions. I am familiar with app integrations. Many solutions can be integrated with Splunk Cloud, such as CrowdStrike or Symantec. 

The solution's response time is not that fast. The experience of some of my peers is that the vendors have actively offered help. By contrast, when I tried Splunk Cloud's technical support I did not receive a response. 

We have not yet undertaken deployment. For the moment, we are on the EPS and discussing the proposed structure with the vendors. Our team is conducting talks with the vendors of QRadar. 

We are exploring multiple avenues in search of a one-SIEM solution. 

I am not in a position to comment on the pricing. 

By comparison, I feel QRadar to be better than Splunk Cloud, since it comes with Watson. 

Another advantage is that QRadar works like a threat intelligence tool. It, also, does not require queries, which Splunk Cloud does. It is important that we have an understanding of the queries for the purpose of pulling the logs which we seek. I feel QRadar to be better than Splunk Cloud, as it does not require us to work on the queries. 

I have worked on Splunk Cloud in the past, as well as on QRadar. As there is no SIEM solution in my current organization, we have plans to build it up. This is an ongoing process. I have suggested QRadar to my team and others are considering Sentinel. 

The solution is deployed on-cloud. 

I would recommend the solution to others since there are a couple of companies with many clients that are looking for Splunk Cloud, with which they are familiar. We must consider client demands when it comes to attracting projects. 

Even in India, most of the companies employ Splunk Cloud as the most prevalently used SIEM solution. Then comes QRadar, which is easier. So too, Splunk is less cost-effective than QRadar, although it is more in demand. There are a couple of companies with call centers that request Splunk Cloud. 

I rate Splunk Cloud as a seven out of ten. 

Since we have an IT services company, we have been using Splunk for the deployment to the customer locations as well. Sometimes the customer will come back to us and say that we need to have a SIEM tool, and when we do the benchmarking, we'll do a couple of deployments on the Splunk side and at the customer's locations as well.

As an example use case, we deployed Splunk to a banking institution a few years ago. There the use case was basically this: the customer wanted to set up a security operation center, and they wanted to have a pretty large deployment in terms of the number of endpoints and number of switches and routers. There were many regional branch offices and they have data centers and therefore, many assets in terms of endpoints. They had 30% of their assets are running on the cloud and they needed a complete solution from an incident monitoring and management perspective. That's why we deployed Splunk. 

They wanted to reduce the MTTR, and meantime resolution, and maintain detection. They didn't want to add more SOC analysts into their SOC as the organization scaled up. They have a plan to scale from 5,000 endpoints into 15-20,000 endpoints. They're very particular about deploying the SOC operation center.

Splunk has since acquired Phantom as a SOAR platform. Therefore, we have tried to manage the security automation using Phantom with the help of Splunk deployments. It helps us meet the customer's requirements.

In terms of support, we're able to get the right support at the right time. If there's a break or an appliance issue, they're are on top of it.

This is very important during large-scale deployments. It's not easy to address product-related issues or appliance-related issues, and the number of collectors or number of logs that come into the collector, and managing the collectors across the branch offices, across the corporate offices, etc. It is a cumbersome process for us. That's why it's integral that we get the right support at the right time - and they make this happen.

The most valuable aspect of the solution is the dashboard. It's very intuitive. 

The reporting is excellent. The team and the SOC analyst are able to easily track the alerts and the correlation is very good compared to other SIEM tools. 

There are a lot of competitive products that are doing better than what Splunk is doing on the analytics side.

The automation could be better. Typically, the issue that we face is that it has to go to the analytics engine, then goes to the automation engine, basically. Therefore, if there are no proper analytics, the SOAR module is going to be overloaded, and we are not able to get the expected result out from the SOAR module. If they improve the analytics, I think they'll be able to solve these issues very quickly.

The playbooks which they create and provide to premium users can improve a lot. They have to create a common platform wherein the end-customers like us can choose the playbooks, and automation playbooks readily available.

In terms of integration with the third-party tools, what we are seeing is that it's very limited compared to the competitive products. Competitive products have a lot of connectors and APIs that they have developed, and that's where the cloud integration, whether it is a public cloud or a private cloud integration comes in. There are a lot of limitations to this product compared to other products.

In terms of Splunk, I've been working on it for more than three years in the current company. Prior to that, I worked with it at another company as well. In total, I have been using Splunk for close to six or seven years.

The solution is stable, however, sometimes in some of the collectors, we are facing a lot of issues. That said, overall, if you rate it from one to five, I would say in terms of stability, it will stand at a three. 

The scalability is perfectly fine. It's very awesome compared to all the other tools, as easily we can integrate with the log forwarding modules and the collector management appliances or modules. That aspect won't be a problem. 

If you look at the SIEM as a market today, Splunk is expensive compared to other competitive products. I'm also into the SIEM evaluation in my current role. I've seen that there are many tools are coming up in the last one and half years. I have also seen many other mature tools that are available now. If you compare next-gen SIEM tools compared to the Splunk, it's expensive. Therefore, it's possible we may not use this in the future or expand on current usage.

In terms of technical support, we don't have any issues, as the professional services which they have extended to us are very, very good. We're able to manage many of the critical issues with their support. I'd say we are definitely satisfied with the level of service provided.

In terms of deployment, it's not so complex compared to the competitive products, however, we will be able to manage that deployment. We don't feel there's any problem on the deployment side. In that sense, I don't think deployment is a complex one when somebody going for Splunk as a tool.

How long it takes to deploy the solution depends on the size of the deployment, basically. Even a large deployment won't take more than a week. When I say deployment, I'm considering all the log collection, log management, and the curation of the incidents, and how incidents are created and routed properly according to prioritization. 

In terms of ROI, for example, if you look at one of our customers today, they are managing close to 100 million events per day. If you look at a traditional SIEM with 100 million events, they need to manage this environment with at least 25 to 30 people. That's 30 security analysts that have to be there. However, when Splunk was deployed, a lot of automation was added on top of it, and today we are managing the same environment with Splunk with close to 15 people. In that sense, if you look at it that way, the ROI is between 30-40%.

In terms of a comparison with the rest of the competition, the licensing cost would be, I would say, 30% higher than most.

Before choosing Splunk, we have evaluated QRadar and LogRhythm. QRadar is much more expensive. LogRhythm lacked reporting.

We ended up choosing Splunk due to the pricing and the reporting features. It also had the kind of scalability that was required. We felt it would help us in terms of positioning from both a cost perspective and an incident alert perspective.

We're partners. We have a business relationship with Splunk.

We're using the latest version of the solution.

Overall, I would rate the solution at a seven out of ten.

I'd advise potential new users to ensure they do proper sizing before deploying the product. If it's a very large deployment, the number of endpoints will be quite sizeable. You need to figure out the correct number of endpoints as well as endpoint devices, switches, routers, etc.

It's also a good idea to look at use cases. Splunk is very strong in some use cases. It's important to look into deployment scenarios and check out the use cases before deploying anything.

My biggest takeaway after working with the solution is that the environment is very important. You need to be clear about the problem you are addressing and it takes a lot of planning at the outset.