Splunk Enterprise Security Reviews

We develop use cases for Splunk Enterprise Security all the time. I mostly work with the SOAR platform to ingest those use cases.

Splunk Enterprise Security helps our organization because we use it daily to solve our security use cases. We have incidents every day.

The most valuable feature is the incident review, which gives a good overview of our security incidents. I also like the solution's search functionality, which makes it easy to find things.

Splunk Enterprise Security generates our alerts, and we would have to refine the searches if we want to reduce them.

It's very important to our organization that Splunk Enterprise Security provides end-to-end visibility into our environment.

Splunk Enterprise Security has helped reduce our mean time to resolve and helped improve our organization’s business resilience.

The incident review could definitely be improved in many ways. It should be easier to run integrations from it. You can run a script from an event, but it needs many clicks to run that integration, which could be made easier.

I have been using Splunk Enterprise Security for five years.

The solution’s stability is very good, and we haven’t had any stability issues with Splunk Enterprise Security.

The solution’s scalability could have been better.

The solution's technical support is very good, and I'm very happy with the support.

The solution’s initial setup is easy.

Overall, I rate the solution an eight out of ten.

We usually use the solution for the same functionality, which includes setting up alerting and making notables. We also use it for the workflow from ingestion, alerting, and response.

Splunk Enterprise Security serves as our SIEM, providing security alerts, operational alerts, and even some logging that we probably need to check in on from time to time. It basically serves as an alerting platform for our enterprise.

The solution's most valuable feature is the criticality of alerts. Some alerts can be noise, and others will be more high-level and warrant a higher-level response than others.

The solution's automation could be improved. It would be better if we could automate ingesting and alerting for low-level events.

I have been using Splunk Enterprise Security for seven to ten years.

I rate the solution’s stability a nine out of ten.

For the times I've had to set up incidents from critical to lower ones, the technical support team has been fairly responsive. Sometimes, the support team has had a two to three-hour turnaround time for critical incidents. Usually, you would like to get to someone sooner rather than later for critical incidents.

Positive

I've previously used other SIEM tools like ArcSight, QRadar, and Elastic Security.

We have seen a return on investment with the solution.

The solution helps us see what's actually happening in our environment. Some things we might not expect at times, and others we do expect. The tool helps us respond based on what we see from our logs. I've seen and thoroughly liked some AI, automation, and single-pane-of-glass updates coming to the solution.

It is very important to our organization that Splunk Enterprise Security provides end-to-end visibility into our environment. You can't respond to what you can't see was ingested. So, the visibility provided by the tool into our logs and alerting environment is critical.

From an ingestion point of view, the solution alerts you to what you'd tell it to. It's pretty agnostic log-wise.

Splunk Enterprise Security has helped improve our organization’s ability to ingest and normalize data.

It has helped reduce our alert volume. You're getting the same alerts. You can see what's noise, what's actionable, and what's not as actionable.

Splunk Enterprise Security provides us with the relevant context to help guide our investigations. We see what's coming into the environment, including specific logs that we wouldn't expect as much. All of that gets filtered into alert data, potentially operational data, and sometimes even billing data, so we can adjust and move forward with that in the environment.

Splunk Enterprise Security helped reduce our mean time to resolve by somewhere between 20% to 35%.

Splunk Enterprise Security has helped improve our organization's business resilience for some ingestion purposes.

The unified platform helps consolidate networking, security, and IT observability tools. Splunk is pretty log-agnostic. All of your logs, tools, and sometimes even dashboards can get ingested into one specific tool. That way, you have a single platform where you can view all those logs and respond based on that data.

Overall, I rate the solution a nine out of ten.

The solution is primarily for security incident investigation. Whenever a customer wants to monitor the environment for any security incident or events that are occurring, and they want to analyze the incident when virtual issues happen, that's when we propose Splunk. Otherwise, it's difficult to understand what kind of security event is arising in the environment.

The primary feature that is the most valuable is the correlation feature, which helps you analyze the data. If there's a lot of telemetry data at some point, Splunk can take advantage of it. It can handle a large volume of data. 

Now, with big data, AI, and all those things, the amount of security data that is generated is too high. Generally, the other SIMs face trouble when handling big data. However, Splunk itself is a very strong solution for handling lots of data. It helps the SOC team analyze data very well, and it does not crash on handling a large amount. That's a key benefit.

Our customers usually monitor multiple cloud environments. It's not very difficult. There are two ways we use Splunk. One is that they can be multiple cloud environments. The second is that it can be an on-prem and a cloud environment. We are mapping it to our one solution. 

Splunk is very flexible and it's integratable with other solutions

If you want to understand how it can analyze or find out incidents, the visibility is good. The best visibility would always be in the on-prem environment. Then, the cloud, since Splunk is not a native cloud solution like Microsoft's Sentinel, is used. We don't see a lot of challenges if we do a hybrid kind of setup, however.

I'd assess Splunk's insider threat detection capabilities to help find unknown threats or anomalous user behavior at an eight out of ten. Splunk itself uses another agent or another module to do it. Splunk does the job. It's not that it will not do the job; however, it will require more refining than other solutions in the market.

My team uses the Splunk Mission Control, topology, and attach framework features, which are really helpful. We've used it for multiple customers. We take their existing SOC or detection use cases and try to map them to the framework. From a security point of view, it obviously makes a solution more superior. With Splunk, you can catch more security incidents. From a best practice standpoint also, it is a good thing as we can configure the solution, and, according to that configuration, the entire performance is better in terms of security. 

It's very useful for assessing malicious activities or detecting breaches. It's a robust solution. 

We've been able to help customers detect threats faster. It might be 5% to 10% faster in some cases. And since we can analyze large volumes of data, we're not missing any particular data point or data set. That gives us an advantage.

Splunk helps reduce alert volume. You can reduce your alert volume based on your configuration, and it's highly customizable, so it can help you reduce alerts by a lot. It's helped us improve the quality of incidents we receive. 

It's helping customers speed up security investigations somewhat.

It improves the resilience of a company thanks to its ability to quickly analyze data.  

While it's costlier than other solutions, it's highly stable. 

The security orchestration response requires a bit of improvement. 

We'd like to see a more seamless cloud-based integration.

Their mobile features for iOS and Android could be improved in terms of quality of performance. 

I've been using the solution for three and a half years. 

It's a highly stable product even for large customers with diverse environments. For companies that have huge amounts of data even, it does not crash. It's the preferred option when a lot of data is involved. It offers good resilience and improves performance. 

I'd rate the scalability seven out of ten since it is not cloud-native.

Technical support is good. We purchase premium support services.

Positive

I was not involved in the initial setup of the solution. 

The solution is deployed wherever your appliance is. You deploy it where your software team wants to monitor from. Typically, that's headquarters or a company's security center. Splunk then has agents that help devices connect across geographies. For example, while Splunk may be primarily in the UK, it can cover devices via agents across Europe, and the agents can monitor other environments.

We have between two to five people who handle maintenance activities, depending on the client. 

There is a threat intelligence management feature. However, customers don't use it in our case. Typically, customers want something superior in that nature.

Price is a major concern for most customers, big or small. However, price should not be the determining factor when seeking a solution. Users need to think about performance and quality. They need something that will help them prevent security incidents, and they need a product that will be stable. If you can monitor your environment better, you can prevent incidents that may lead to financial loss - and when incidents happen, companies can spend far more dealing with an extended phishing attack than they would on a service like Splunk that will protect them effectively. When it comes to security, while it's not necessary to have the most expensive solution on the market, you should at least seek out a solution that's best suited to your company and its needs.

I'd rate the solution eight out of ten. It's a great option for enterprise-level companies. However, a smaller customer with a smaller budget may not be a good match. They may not need such a powerful solution in any case. That said, if a customer is about to grow a lot, I might suggest Splunk as a primary option. I'd advise potential users to look at the environment size and complexity, consider the budget, and then decide if Splunk makes sense. 

We are using Splunk Enterprise Security for collecting and analyzing logs. We are keeping up with the SLAs with Splunk Enterprise Security.

Splunk Enterprise Security has helped reduce our alert volume. There is about 30% reduction.

Splunk Enterprise Security improves our organization’s ability to ingest and normalize data, but it requires lots of effort from our side. Splunk Enterprise Security can do that, but we also need to put effort into it. It is good enough to achieve that.

Splunk Enterprise Security has helped reduce our mean time to resolve. We have seen a reduction because doing this manually through queries is crazy. It helps to find out the root cause and things like that. It is helpful. 

We have an on-prem environment. Our information security team is using the data security features. Its security features are satisfactory.

It is pretty good. We can extract the metrics we want on the dashboards. We are able to react to the incidents. We are also able to monitor the service. In addition to the incident response, we can also do investigations, fraud detection, and other things like that.

We have this issue of data versus pricing. Its pricing can be better. There should also be a more flexible licensing model.

There is a learning curve in order to start using machine learning. We have been trying to do it for three years, and we have not managed anything. It is too complex.

Its ability to identify and solve problems in real-time could be better. We would like to have pattern recognition. There should be some kind of pre-made model to help detect something. For example, at the time of the incident investigation, there should be an option to ask questions, such as if anything changed. It is pretty hard to find out the patterns that are occurring currently because you have to have deep knowledge about your log content. There should be an option to ask a question like, "What has changed as compared to a week ago?" We should be able to specify a time frame and compare.

We have been using Splunk altogether for probably five years.

It has not failed over the last year. There were no failures, so it is pretty good.

Its scalability is quite good if you are willing to invest in the new design and do the manual work. You have to deploy new servers and things like that. In terms of architecture, it is scalable.

Based on the few problems that we have had, I would rate them a seven out of ten. For an issue, we did not get the answer we needed within the timeframe we were expecting. They took more time, and some IT guys were disappointed. The experience varies from case to case.

Neutral

We were not using any similar solution previously. We were only collecting logs through open-source means. We went for Splunk Enterprise Security because we needed visibility into the logs. It was the primary requirement.

We are also using Elasticsearch. We have two parallel systems.

Splunk Enterprise Security is better in terms of query language and the capability to do great searches, whereas Elasticsearch has a little bit less functionality. It is more complicated for end-users to use. However, Elasticsearch is better in terms of pricing because they do not charge based on the daily ingestion amount. You can put whatever amount into the system. Elasticsearch also has lots of additional logging capabilities. It has file beats and metrics beats capabilities, so you can use it more widely. You can also get end-to-end visibility because you can make integrity checks with it. It helps with IT operations as well. They can include these capabilities in Splunk Enterprise Security.

Its deployment was not very complicated. It was easy.

The hard part comes after you have deployed it. You have to educate people to start using it and understand the relevant information in your logs. The configuration itself is pretty simple, but field extractions and tagging are complex.

We are just using it and doing our queries and dashboards. We have not been calculating the ROI. It has been quite easy. We invest and create our dashboards and reports. Sometimes, when a dashboard becomes too complex or too expensive, we start to think about alternatives. Other than that, we have not thought of ROI.

The pricing can be better. We are already considering Elastic because Splunk is too expensive. 

You have to pay based on per-day ingestion. There should be a more flexible model for the use cases where one day you have a huge amount, and on other days, it is quite less.

Splunk Enterprise Security provides end-to-end visibility into an environment, but it is not our use case currently.

Splunk Enterprise Security does not really provide the relevant context to help guide our investigations because, in our country, Splunk is not represented, so it is pretty hard to get the relevant information.

Overall, I would rate Splunk Enterprise Security a seven out of ten. Its pricing is not good, and the learning curve for machine learning is not good. However, the parts that are working are working very well.

I use the solution for data analysis and log collection. 

Splunk Enterprise Security helps with advanced reports and keeps the system scalable and flexible. It provides a clear picture of the current status of any incidents. As a CISO, I see a lot of potential for future innovation, which is interesting. I've noticed better performance, especially with the reports.

Splunk Enterprise Security can provide more details and help CISOs resolve vulnerability situations better. The reason is that the tools we choose for data analysis and log collection cannot collect all the data and logs. Splunk Enterprise Security should help me with this, but it cannot.

I have been working with the product for four years. 

Splunk Enterprise Security's stability is very good. The system consistently performs well, and we don't encounter many issues. Ticketing problems are minimal, which is significant because it handles a lot of logs and data persistently without causing frustration.

The tool's customer support is good. 

Positive

We chose Splunk Enterprise Security because it was simple and had better data analysis capabilities. 

A reseller helped us with the deployment. 

The tool's licensing is good and we haven't received any complaints from the team handling it. 

I haven't used it for multi-cloud environments. As for on-premise, it's meeting my current needs quite well. When it comes to identifying and solving problems in real time, sometimes it's challenging to understand the situation, and generating reports can be difficult. But overall, it's good for monitoring activities like endpoint and authentication incidents and normalizing.

The solution has helped us reduce alerts by five to ten percent. It processes data and allows us to look back at incidents to see what happened and where they occurred.

I rate the overall product a nine out of ten. 

The visibility that it provides is awesome. You can connect it to whatever you want and create whatever visibility you want. 

Its insider threat detection capabilities for helping our organization find unknown threats and anomalous user behavior are great. They have a lot of built-in capabilities for analytics, and they can provide a lot of visualizations and insights into whatever is being brought into it. The threat intelligence that is part of the platform itself is awesome.

In terms of actionable intelligence, it depends on what you bring to the table. The platform itself gives you the capability to make threat intelligence actionable, but if your feed is not good, it is of no use. There is a lot of noise within the SIEM. This is not on Splunk. This is on the SIEM, but Splunk does help to eliminate a bit of the noise and create a more cohesive view of the intelligence you digest.

Splunk is very good for analyzing malicious activities and detecting breaches. Its ability to connect things that are manually hard to connect is awesome. It is a bit lacking when you compare it to Microsoft Sentinel because Microsoft Sentinel already brought the SOAR solution, which in the case of Splunk comes at an additional cost. When I used it, they did have it quite expensive, but as a SIEM, if you compare Splunk to other SIEMs, it provides you with a great ability to detect and understand that you have something that is suspicious and anomalous within your network. Its ability to connect us to that otherwise cannot be connected by humans is very good.

It helps to detect threats faster, but I do not have the metrics. When it comes to reducing the alert volume, it is not Splunk. It is more of the analyst's work on top of Splunk.

Splunk definitely helps speed up our security investigations. It has the ability to connect and bring information with the click of a button. 

I have used Threat Topology and MITRE ATT&CK framework. It was very good for management but not so much for analysts' day-to-day work. It is a cool feature that helps you bring money from management, but it is not something that an analyst will use on a day-to-day basis.

The ability to digest any information and then correlate it in accordance with what you need is valuable. The ability to connect to pretty much everything and bring the information in the same format is also valuable. On top of that, we can use their language in order to create and customize the dashboards, correlations, or analytics that we want to incorporate. They also have a lot of out-of-the-box correlation that we can use, which is awesome.

They can incorporate the SOAR solution within the actual product so that we do not require two different products, two different installations, and two different pricing methods. In regards to UBA, I am familiar with the UBA that existed two years ago. I am not updated about it today, but two years ago, UBA required such an amount of data that from a cost perspective, it was not worth it. When you compare it to what you get out of the box with Microsoft Sentinel without additional costs, there is no match. 

I have been working with it for the past five or six years. 

It is very stable. I did not have any crashes or malfunctions. It does have a bit of a stretching point when you are doing a very large query or you are retrieving a lot of data. For example, when you are retrieving months of logs in order to conduct an investigation. However, that is at the edge of the product. On a day-to-day basis, it is very stable. It does everything that you need to do. We did not have any crashes in either of our implementations. We did not have anything major.

In the on-prem environment, it is scalable, but it requires work because you need to install indexes and forwarders. It requires more work from someone who is specialized in that domain, but in the cloud environment, it is super easy. It is very scalable. You can just grow as you need.

Their support is awesome. I would rate them a ten out of ten. It is not just the technical support. Their documentation is also good. The whole support system is awesome.

Positive

I used it in my last organization. In my current organization, we have adopted Microsoft Sentinel. I am creating a new managed service company, so it is going to provide service to multiple clients. We have multi-tenancy and full cloud environments and monitoring of on-prem solutions. When I implemented Splunk, it was not used for multi-tenancy. Their multi-tenancy was not that great. It was the old solution, but they now have the cloud environment that is more supportive of multi-tenancy, but with their on-prem solution, for multi-tenancy, we could just play with permissions. It was not the best. It was not proper multi-tenancy where you need different databases and different control planes. It was not the ideal solution, but now they have the cloud environment.

The experience that I had a few years ago was for on-prem, but now, I do have an implementation that is cloud-based. We are implementing it cloud-based for one of our customers. It is deployed on AWS.

The initial deployment is very fast. It is very quick. The on-prem can take a few days, and it is up and running. If it is on the cloud, it is already installed. You only need to connect all the source logs. The duration depends on the number of source logs. It differs. I had a project where I connected all my source logs in one week, and I had a project that took about four months, but the number of logs was different. The complexity was different. We had to create our own connectors and our own parsers.

The pricing is very complicated, and it is very pricey. You do require a lot of different licenses in order to get a comprehensive solution that is not just the SIEM solution.

To someone who is evaluating SIEM solutions but wants to go with the cheapest solution, I would recommend QRadar.

Overall, I would rate Splunk Enterprise Security an eight out of ten. There are several reasons for not rating it a nine or a ten because the pricing is very complicated, and it does require someone who is knowledgeable in the platform. You need someone who is specialized in that. Fortunately, I have these people, but when I tried to look for one in the beginning, it was not an easy job to find someone who was very skilled in this platform. Once you have such a person, it is awesome. You can do whatever you want. The sky is the limit. In fact, not even the sky is the limit. It does provide a very comprehensive solution. It does provide tons of flexibility. It is the platform that you should go for when you need something that is not ordinary or not your typical SIEM solution for a typical organization. It is the platform when you need something that will provide more. For example, one of the projects that I worked on was related to a SOC that needed to digest information from multiple organizations that already digest information, and we had to create cohesive use of that. In such a case, this is the platform to work with because it provides the flexibility that no one else provides.

We primarily use the solution for SOC purposes.

The solution has made it possible to check and detect our traffic a bit better.

The incident review is great for working inside of a SOC if we want to see everything and we want to configure notables and have all notable features, it's useful. We're moving to SOAR right now for configuration for our work center. As far as ES in our work center, just detecting our notables and monitoring all our traffic, is the most important feature as far as what our day-to-day is concerned. 

Splunk has helped us with mean time to respond, although I don't have exact numbers.

Splunk has helped improve our company's resilience level.

Splunk is very good at predicting, identifying, and solving problems in real time. I've never used anything else, however, I'm impressed with the ease of it and the ability to find anything and everything we need. 

I do a lot of the maintenance. A lot of my workers are fresh into Linux and need to monitor, manage, and do maintenance on it. They should bring back the maintenance mode button. Splunk used to have it and they took that feature away.

The upgrading process could be smoother. 

I've used the solution for about a year.

The stability and availability of Splunk are great. It does get weird when we initially update items, however. That's the only time we see issues. It may try to input data in areas it doesn't need to. That said, we are aware of the quirks of the setup. 

Scaling is easy if you have done it a couple of times. 

The environment I have has multiple servers. We might have around 100 servers. 

Splunk support is very communicative about our concerns. That said, the answers I've gotten back don't make sense. I'm not sure if they communicated our issue in the right way or if they misunderstood, however, they did not correctly address our issue. In the end, we do have a good dialogue. I now expect that they will misunderstand the problem on the first round and we have to go back and forth. The effort is there to try to understand. 

Neutral

The company may have had QRadar for a while before Splunk. I wasn't around when they switched to Splunk so I cannot compare the two. 

I was not involved in the initial deployment of Splunk. 

The company has witnessed an ROI in terms of the amount of time saved via being able to tweak our searches. The docs are great. They help tremendously in filling knowledge gaps. The ROI is solid. 

I don't deal with pricing or licensing. 

I've only worked with Splunk as far as data ingestion. 

The solution does take a bit of understanding. It does need improvements in some areas. I'd rate the solution seven out of ten. 

I have worked in a couple of areas of Splunk. Initially, I was part of a monitoring team that used it for security information. I used to monitor security alerts which we used to get on Splunk, which was based on the use cases and we set up specific rules for it. Currently, I am part of the administration of Splunk. Now I onboard different log sources to Splunk. We pass over the logs so that it can be used for the security team.

It helps with security and making sure our infrastructure is compliant. It also allows reporting to be in one centralized location. We can monitor the security logs effectively. It really helps as a cybersecurity element for the company infrastructure to protect us from attacks.

It is quite reliable in terms of data. We have a good amount of licenses currently and find it to be very flexible. It can handle and pull up any amount of data.

Splunk is very fast and user-friendly as well. The UI and design is user friendly. It is easy to understand. 

We can do a lot of things on Splunk. We can integrate a lot of other applications on Splunk. And that can be used for day-to-day security operations. It is easy to use, easy to implement, and it is fast. It is reliable.

Our organization monitors multiple cloud environments. We monitor all the infrastructure and cloud environments of clients.

It is easy to monitor multiple cloud environments with Splunk. You have to get clients onboarded to Splunk first, and then the monitoring part comes last. We have a couple of things that have to be done before the security team starts monitoring. For example, we install the agents and set up the hosting. We get the data from the host, we pass it. It is quite a lengthy process. It is easy, however, we have to do it very carefully and cautiously.

Splunk Enterprise Security provides visibility into different environments.

The solution's insider threat detection capabilities for helping our organization find unknown threats or anomalies in behavior are good. We have multiple security frameworks. For example, we have micro frameworks. There are different sets of rules. We set it. What Splunk does internally is just match the incoming logs. Based on the rules that we have set, it will match with the incoming logs. If it matches, then it will generate alerts for the security team. Based on that, we can identify if there is a potential threat trying to get into the company or internal infrastructure. 

The actionable intelligence provided in Splunk Enterprise Security is good. 

It will help us to automate things and can handle certain items on its own. It will just investigate, remediate, and close the necessary alert. If it is beyond Splunk's capability, then an investigation team will be involved in it. 

I have used the threat topology and attack framework feature, however, now I am more of an administrator.

Splunk Enterprise Security is good for analyzing malicious activities and detecting breaches. There are a couple of other tools as well, which do the same thing. However, with Splunk, it's very easy to work with the dashboard and do search queries. You can easily look through the logs via Splunk UI.

The solution helped reduce our alert volume. It will just minimize the false alerts, and just post positive alerts. It's likely reduced false alerts by 60%. A lot is automated now and that helps cut down on manual work.

The solution has helped to speed up our security investigations. Once again, the automation will speed up the process of investigation. It saves a lot of time for analysts as it allows them to see the initial data. If a team has multiple alerts, it will take them time to go through and check everything. However, Splunk does the initial investigation for analysts and will escalate to analysts as needed. It might have reduced security investigations by 80% compared to earlier versions. 

When we do a rollout from the server or host or anything, we'd like to see more automation. It would save us time. We wouldn't have to write anything. We would just like the raw log automation.

I've been using the solution for three years now. 

It is a stable product.

There are two types of users: the administrators and then the users where the logs are coming from. We have about ten to 15 administrators working directly with Splunk. Overall, there may be more than 1,000 end users we get logs from.

The solution is scalable. In terms of data, it's very flexible. 

Technical support is good.

Positive

I've used other solutions in the past. We previously used
ArcSight Enterprise Security Manager (ESM). It was older and very slow. Comparatively, Splunk is very fast and it has a better UI.

The initial setup was easy. It was not complex. I didn't do the implementation on my own. The deployment times vary. There are many moving parts, such as approvals that need to be taken into consideration. 

We get logs from various sources from various clients.

It does require a bit of maintenance. It requires, for example, server upgrades and patching. 

I can't comment on pricing. I don't take care of that aspect. 

I'm a customer and end-user.

I'd recommend the solution to others and invite them to test the service first on the infrastructure they have. It's a very valuable product to have.

I'd rate the solution nine out of ten.