Regional Sales Manager at Redington (India) Ltd
Reseller
Top 20
Drastically reduces time spent by analysts on false positives, and AI-based detection identifies real-time anomalies
Pros and Cons
  • "The dashboard and reporting are very good... It provides very good visibility in a hybrid cloud environment, and you can build custom utilization APIs using Splunk."
  • "While there aren't any major areas where the solution has to be improved, there are certain integrations that are still not available. I would specifically like to see legacy applications integrated."

What is our primary use case?

The use cases are mainly around monitoring for our clients' security operation centers and correlation of events and analytics for incidents that have been identified.

How has it helped my organization?

It has really improved things for our clients by reducing false positives. Most of the time, analysts end up wasting their time with false incidents, and that has been drastically reduced by Splunk.

It also definitely helps speed up your security investigations.

What is most valuable?

The dashboard and reporting are very good. Our clients monitor multiple cloud environments and Splunk helps because, in general, monitoring multiple cloud environments is definitely difficult and very complex. It provides very good visibility in a hybrid cloud environment, and you can build custom utilization APIs using Splunk.

The solution is also very good in its threat-hunting capabilities and anomaly detection. It uses an AI-based detection system to identify real-time anomalies and provides complete visibility into the network.

And you can feed multiple threat sources into Splunk and the Threat Intelligence Management feature gives you information about current or potential attacks. It provides complete security support in the threat intelligence space. It helps your administrator to correlate indicators of compromise from threat intelligence databases and feeds.

Also, the Splunk Mission Control feature, which is mainly for Splunk Enterprise Security cloud users, provides a unified and simplified security operations experience for SOC analysts.

We also use the solution's Threat Topology and MITRE ATT&CK framework feature. That's something you need for cyber breaches to contain a threat. This feature comes into play when you need to mitigate an incident in your environment.

What needs improvement?

While there aren't any major areas where the solution has to be improved, there are certain integrations that are still not available. I would specifically like to see legacy applications integrated. Splunk has integrations with AWS, Azure, and other cloud providers, but when it comes to legacy applications, it is difficult to do a Splunk integration.

Buyer's Guide
Splunk Enterprise Security
March 2024
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
765,386 professionals have used our research since 2012.

For how long have I used the solution?

We have been working with Splunk Enterprise Security for one and a half years.

What do I think about the stability of the solution?

It's a very stable solution. 

What do I think about the scalability of the solution?

It is very highly scalable.

How are customer service and support?

The technical support is very good.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I used IBM Security QRadar. The main reason for switching is that Splunk has the scalability to handle bigger enterprise logs. Log management is the biggest issue in any SIEM. Splunk is able to rapidly grow its capacity.

How was the initial setup?

Our clients' implementations are mostly on-prem and in the cloud.

What's my experience with pricing, setup cost, and licensing?

Splunk is definitely not a cheap solution. It is an expensive product.

If a customer is evaluating SIEM solutions and is considering cheaper products, it depends on the customer's budget and use cases. For a large, enterprise customer with critical infrastructure that needs to be monitored 24/7, obviously, the cheaper solutions may not have the capacity to handle the huge volume of data. Splunk has the SIEM and the scalability as well as visibility features. When you want to monitor your applications and how they are performing, that is where Splunk is very strong.

What other advice do I have?

In terms of maintenance of Splunk, you need to have an IT administrator monitoring it at all times.

When it comes to a large, enterprise customer's critical infrastructure, Splunk is one of the best solutions to use in a security operations center. It has multiple advantages, such as the dashboard that provides complete visibility, and a threat detection system with very advanced features. It is very valuable for any company that wants a good protection system.

You should definitely consider Splunk as one of your options for your SOC.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Flag as inappropriate
PeerSpot user
Owner at Py Concepts
Real User
Top 20
Good notifications, a well-designed dashboard, and helpful logs
Pros and Cons
  • "It gives me notifications of notable events."
  • "Sometimes, there is latency in the logs."

What is our primary use case?

We use the solution for tracking successful and unsuccessful logins. We track privileged account activities and also a variety of other things, like developing use cases for data exfiltration or integration with ETRs and other security tools for data analysis. 

How has it helped my organization?

We wanted to solve the issue of unauthorized access, brute force attacks, and exfiltration. It's helped with MITRE ATT&CK frameworks. 

The organization has been able to quickly triage issues and investigate if something is a true threat or not. Most times, it helps our security posture. The level of confidence we have is high. With Splunk, you can query accounts when you see some strange activity. 

What is most valuable?

It gives me notifications of notable events. 

The default dashboard is very good. We can see our security posture from there.

On-prem and cloud data analysis are good. You can aggregate it if you need to in order to get good data.

Splunk has proven to be great when tracking down anomalous behavior. The logs are excellent. It is the platform in the industry.  You can integrate anything. The amount of information and usability you get out of Splunk is very good.

We do use the Threat Intelligence Manager. It can be integrated with third parties. The actionable intelligence we get is useful. There is sequencing where you can gauge some actionable steps. 

I use the MITRE ATT&CK framework when I am developing a new use case. It helps us discover the overall scope of an incident. Using Splunk is essential in developing that. 

It's good for analyzing malicious activities and detecting breaches. I'd rate it highly in its capabilities. However, if you don't have the knowledge, it may be difficult. You might get a lot of false positives.

It's helped us detect threats very fast, in almost real time. 

We have reduced our alert volume. I'm not sure of the exact number, however, instead of having 100 to 200 false positives, we might get 20 to 30. 

It has helped us speed up our security investigation, although I don't handle it directly. I simply do triage, and it definitely helps there. 

What needs improvement?

There are a lot of false positives which can cause a lot of fatigue. 

Sometimes, there is latency in the logs. 

When you deploy Splunk, you need a high level of knowledge. You really need to know what you are doing. It requires a lot of things.

They need to come up with straight steps to get things done, to have a step-by-step process to achieve this or that. 

For how long have I used the solution?

I've been using the solution since 2020.

What do I think about the stability of the solution?

The stability is okay.

Splunk would tell you, especially on the different licenses they have, your storage, and your level of ingesting, it can vary. 

Splunk needs to be more clear between storage and performance. 

We worked with a client where almost immediately their storage was already in red. They didn't understand their storage needs as that wasn't clear. 

What do I think about the scalability of the solution?

The solution cuts across countries. I'm not sure how many end-users we have.

The scalability is okay. It scales well even though you have to consider your licensing and storage.

How are customer service and support?

Technical support is good. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have used ELK previously. 

How was the initial setup?

I have been involved in the deployment of Splunk in the past.

The initial setup is not so straightforward for those new to it. I'm accredited and have four years of implementation. You really need that level of knowledge. It's straightforward to make a feed, make it compliant, and do field mapping, however, there are many things you need to do before deployment. 

We had six to eight people deploying Splunk. They were all mostly Splunk professionals, who understood the product and devised a plan and timeline for implementation. We integrated the relevant stakeholders into the process. We were connecting to the Splunk Cloud. 

There is a little bit of maintenance required to maintain the infrastructure. 

What about the implementation team?

We used all in-house resources to implement Splunk.

What was our ROI?

I have witnessed an ROI while using Splunk. There were some incidents previously in which the company lost millions of dollars. Bringing in Splunk has curbed that. 

What's my experience with pricing, setup cost, and licensing?

The pricing is on the high side. It's not a solution for SMEs.

Which other solutions did I evaluate?

I'm not sure if any other options were evaluated by the company. 

What other advice do I have?

Currently, we are just Splunk customers. 

We do not monitor various clouds; we only monitor one. However, they have a good solution in that we don't need to worry about maintenance if we do. 

We've never used the Mission Control feature.

If someone is looking for the cheapest SIEM solution, there are a lot of open-source options out there. However, Splunk definitely is an option. If a company is bigger, it would benefit from Splunk. They will be paying some money for it, however, it's worth it.

Resilience is important. To some extent, Splunk addresses this as we haven't had any issues. It's important to have resiliency. If your solution is not resilient, you risk security issues. 

I'd rate the solution eight out of ten. 

I would advise others to spell out what you really need and make it measurable so that you will understand if Splunk is right for you. If you are going to use Splunk, it's important to do your due diligence. 

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Flag as inappropriate
PeerSpot user
Buyer's Guide
Splunk Enterprise Security
March 2024
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
765,386 professionals have used our research since 2012.
IS Engineer at a hospitality company with 10,001+ employees
Real User
Top 20
Enables us to drive down the alert count and the alert fatigue for analysts to make the alerts they see more valuable and actionable
Pros and Cons
  • "The UI of Splunk makes it easier for our analysts to move around and see what they need to see."
  • "Features related to content management must be improved."

What is our primary use case?

Our SOC uses the solution to monitor our corporate and franchise environments.

What is most valuable?

Risk-based alerting is the most valuable feature. It really allows me to drive down the alert count and the alert fatigue for my analysts to make the alerts they see more valuable and actionable. The way that alerts are handled is better in Splunk. SPL is easier in Splunk. The UI of Splunk makes it easier for our analysts to move around and see what they need to see.

What needs improvement?

There are a lot of areas that are currently being improved that I want to be improved. Features related to content management must be improved. The product is adding more drill-downs.

When the tool was originally set up, things were not configured properly due to the rapid deadlines for installing everything. Now, we have to go back and recover a lot of things that aren't properly configured.

For how long have I used the solution?

I have been using the solution for approximately four years.

What do I think about the stability of the solution?

I haven't seen any issues with stability. Most of the stability issues I've seen have actually been on the on-prem hardware.

What do I think about the scalability of the solution?

We have no issues at all with scalability. The tool has high scalability and usability. The size of our environment is relatively large since it is an enterprise solution. We have around 5000 users and a franchise base.

How are customer service and support?

I have never had an issue with Splunk’s support team. Every time I ask a question, I usually receive really quick responses. We are in the middle of a migration, and the engineers helping us migrate to Splunk Cloud have been fantastic every step of the way. They provide really rapid and complete answers when we ask questions.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I use LogRhythm a lot. I worked for an MSSP, so I have seen several products. So far, Splunk has been my favorite.

What was our ROI?

We have definitely seen an ROI on the solution. Any security tool has a fantastic ROI. A lot of companies don't like to budget for security until there's an incident or something goes terribly, terribly wrong. Just having that SIEM and having eyes on potential security issues is an ROI.

What other advice do I have?

We are behind a few versions. So I hope that as we upgrade, I get more ideas for what I'd like to improve. We're still in the process of moving to the cloud.

The product has improved our organization's business resilience. The right tools are available to our analysts within the product, and we use them daily. It has drastically driven down our time to remediate, which is huge for us. It's huge for any company. We don't want four hours to find out that something has gone terribly, terribly wrong. Finding such issues before they turn into full-blown security incidents has been our biggest impact.

Splunk Enterprise Security empowers our staff. It is so user-friendly. It allows our analysts at every level to learn the tool and learn more about security through the tool. I progressed from level one. Now, I'm a content developer for enterprise security. The usability of Splunk is the best on the market. The solution has helped reduce our mean time to resolve.

As we add new features and applications into Splunk, time to value is pretty quick on most things. As long as we have someone that's willing to go through the effort to configure, the time to value is rapid. Adding applications to Splunk is a seamless experience. The UI of Splunk makes life so much easier. Some of my experience is based on technical debt in the organizations I worked with. I would probably rate the tool a ten if we didn't have so much technical debt.

By attending Splunk conferences, I get to learn about all the new tools and how to implement them. I use it for RBA and Machine Learning Toolkit. I develop content for our company. I am here to learn how to implement RBA and Machine Learning Toolkit better to reduce alert fatigue for my analysts.

Overall, I rate the product an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
IT Specialist at a government with 10,001+ employees
Real User
Fair price, integrates well, and allows us to have everything in one tool
Pros and Cons
  • "Exporting is a good feature. It helps me out when I have to do reports. I do a lot of exporting and crunching of the numbers. Dashboards are okay for showing to the leadership, but for doing statistics and updating tickets, the export feature is very beneficial for me."
  • "It works as intended for us, and we are getting everything that we need out of it. If anything, its initial setup can be improved a bit."

What is our primary use case?

I am the branch chief. I use Splunk Enterprise Security depending on how swamped the team is. I use it for anything from basic searches to DDoS attacks, which is a big thing right now. So, DDoS attacks and phishing emails are a lot of what I am using it for.

How has it helped my organization?

We had FireEye before and then we went to CrowdStrike. Splunk has definitely helped to have everything into the tool. It is a lot easier to complete the tickets. It saves, on average, a couple of hours a day. We just go to Splunk and then provide data and work with different people on the tickets, so it saves hours each day. We have been able to allocate these hours to other projects or things that are more of a priority. We are able to do different projects that were on the back burner. We can put those hours towards other things.

Splunk has improved our organization’s business resilience. We are able to give leadership updates through dashboards versus the actual metadata. It is easier for them to understand and provide leadership.

Splunk’s ability to predict, identify, and solve problems in real-time is very good. It is proven. Every couple of weeks, it catches some of the things that our SOC team did not catch and provides alerts, so its real-time capabilities are very good.

Our team has overall benefited from Splunk. We had FireEye before, which was not that good. We are able to benefit from Splunk not only in terms of instant response. We also have other teams doing vulnerability management using the Prisma systems. It is important that Splunk provides end-to-end visibility into our native environment. We use it for Prisma and instant response. Without Splunk, we would not be able to do some of the things that we need to do unless we went to individual tools, and we do not have the resources for that.

What is most valuable?

Exporting is a good feature. It helps me out when I have to do reports. I do a lot of exporting and crunching of the numbers. Dashboards are okay for showing to the leadership, but for doing statistics and updating tickets, the export feature is very beneficial for me.

They offer training. That is a big part of it. If you do not understand the tool, they are able to provide everything that you need, which helps the business. When you have learned a tool, you are able to speed up the process meantime, so you are not wasting a lot of man-hours trying to figure things out. 

What needs improvement?

I do not have any areas that can be improved. It works as intended for us, and we are getting everything that we need out of it. If anything, its initial setup can be improved a bit. 

In terms of additional features, I am still learning SOAR and everything else, so I do not have any feature requirements at this time, but as we do these SOAR operations, there might be some additional features that we will need.

For how long have I used the solution?

I have been using Splunk Enterprise Security since 2016.

What do I think about the stability of the solution?

It is very good as long as you have the scope of how many servers, processors, and other things you need. There was a learning curve of making sure our servers were beefy enough to handle the data. We had four terabytes of data coming in every day. We were maxing out our systems a little bit, so we beefed that up, and we have had no issues since. 

What do I think about the scalability of the solution?

Its scalability is easy. On-prem was very easy, and on the cloud, you have to learn and adapt a little bit, but scalability is perfect. 

How are customer service and support?

I only reached out to our Splunk contacts, but my team reached out to Splunk's support team. I have not had any issues where they told me that they did not get the support they needed. They might take time to figure out what the issue is, but overall, I would rate their support a ten out of ten. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We used FireEye, which was our primary one, and then we had CrowdStrike. Splunk has definitely been wonderful for us. The biggest reason for switching was integration. It is very easy to get all the tools fed into Splunk. They also had a cloud version, which was another reason. We are doing a hybrid setup, so cost savings was also a big factor.

How was the initial setup?

I was involved in its deployment. I am the system owner of it. I am in charge of it, so I oversaw the project deployment. There is a learning curve with the hybrid setup with the cloud and on-prem, but overall, I am pretty satisfied with it.

We have an on-prem and a cloud environment depending on the platforms we are using in the system, so we have both environments. The challenging part was getting everything set up and fed into Splunk, but once it is set up, there is no difference in using it on-prem or on the cloud. We do not notice any real difference in it. 

The initial setup could be improved a little bit. It depends on your local team, firewalls, and other things like that, so there was a learning curve for the teams to learn how to set it up. That part could be improved, but once you go through it, it is not an issue. 

What about the implementation team?

We had the Splunk team, and they did wherever they needed to get everything deployed. Our experience with them was good. We have worked with Splunk for years now. Their support has been very beneficial. If I have a question, they jump right on and let me know. They walk me through it and give me updates, so I am pretty happy with Splunk.

What was our ROI?

We have seen an ROI in terms of the mean time to resolution and man-hours. We are able to allocate those hours to other things. We have not got there yet in terms of the upfront costs, but we will get there over time.

When it comes to the time to value, we are getting there. We have not got there yet, but over time, we will get to the time to value.

What's my experience with pricing, setup cost, and licensing?

Its price is fair. Like with anything else, if you go into the cloud, different providers cost more, and you are able to throttle back or throttle up. The cost is comparable with anything else.

Which other solutions did I evaluate?

We evaluated other options. We had to evaluate the pros and cons in terms of the cost and the capabilities of each tool. A lot of that went into the proof of concept. We did our due diligence and determined that Splunk was the best fit for us.

What other advice do I have?

I would rate Splunk Enterprise Security a ten out of ten. It gives us everything we need, and its capabilities keep on improving, so it is getting better. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
Kiran Kumar. - PeerSpot reviewer
Lead Administrator at Wipro Limited
Real User
Top 20
We can create dashboards, speed up our security investigations, and reduce alerts
Pros and Cons
  • "Splunk has a wide range of features that customers use to find and analyze all kinds of logs."
  • "The price has room for improvement."

What is our primary use case?

We provide comprehensive infrastructure support and ingest mine data in three ways. The first is Agent-based where the information is sent from client machines to an agent. The second is TCP port forwarding where data is sent to Splunk through an open port. The third is the HEC token. We then use the Splunk DB Connect app to ingest data as per the client's requirements.

How has it helped my organization?

We are currently onboarding data from AWS to GCP. We are moving data from on-cloud to our production and deployment level environment. Additionally, the data is being added to the services on those machines. To forward the logs to Splunk, we have created a default index, which is a way of storing data in a particular way. We have created the index based on the requirements of the data storage.

Currently, we are ingesting all kinds of government security PI data. Similarly, we can ingest any kind of confidential data into Splunk using masking. This allows us to filter the data and mask sensitive information. For example, if a user account number has ten digits, we can mask out the first six digits so that only the last four digits are visible. We ingest this kind of confidential data into Splunk, and we also ingest PI data and Splunk governance data.

We are using the threat intelligence management feature. We have a separate security team, called a soft team, which is responsible for finding vulnerabilities, threats, and malware alerts in our Splunk environment. We use the threat intelligence management feature to identify any suspicious activity that may be coming from outside users. The soft team continuously monitors these alerts and creates proxy alerts to identify any potential threats.

Splunk's insider threat detection capabilities help us to easily identify threats by using Splunk queries. We have predefined Splunk Insight and are also using the one in the app, which is configured on top of Splunk machines. This allows us to quickly identify how many unknown IPs are syncing into other machines, and we can use this information to identify threats.

We use threat pathology and MITRE ATT&CK. I am currently supporting a financial institution with its infrastructure, which is split into two teams: one for complete infrastructure support, including hosting and operations, and the other for security-related matters. My team is continuously investigating new security threats, so we will take care of the onboarding process. As part of the infrastructure support team, I am responsible for handling all onboarding tasks. If I encounter any security concerns, I will escalate them to the SOC team.

We have a lot of operations using the Mission Control feature in Splunk.

Splunk helps us analyze malicious activities and detect breaches. We are using a Splunk SaaS application in a multi-class environment. To maintain high availability with zero downtime, we have maintained close to 70 indexes and 50 searches. Splunk provides us with alerts from the entire infrastructure, which helps us maintain our service. We use Splunk Mission Control to iron out any issues. For any special needs, we can go to Mission Control to verify and mitigate alerts.

Splunk Enterprise Security has helped us reduce our alert volume. Splunk currently ingests five terabytes of data, and we can set parameters to exclude rotational works and backlogs to reduce the number of alerts.

Splunk Enterprise Security has helped speed up our security investigations.

What is most valuable?

Splunk has a wide range of features that customers use to find and analyze all kinds of logs. For example, they can use SQL queries to identify vulnerabilities. Additionally, they can create dashboards to visualize and filter their data, and to create real-time alerts when thresholds are exceeded. Splunk Vision is a popular tool for data modeling and visualization and is used worldwide.

What needs improvement?

The price has room for improvement.

For how long have I used the solution?

I have been using Splunk Enterprise Security for five years.

What do I think about the stability of the solution?

We are maintaining a multi-cloud environment across multiple regions, and for the last two years, Splunk Enterprise Security has maintained a 99.999 percent uptime.

How are customer service and support?

We open cases on behalf of our customers with Splunk. If the technical support resolution is not up to par, we request a meeting call to work with the support team and resolve the issue for our client.

Which solution did I use previously and why did I switch?

We also use the Red Hat OpenShift enterprise Kubernetes container platform. OpenShift is a more popular container tool with excellent support, but all of our OpenShift deployments are on-premises, along with production clusters around the world.

How was the initial setup?

For the deployments, we scan the data to ensure that the Splunk machines can support it. If we identify anything on the machine, we ask the customer to remediate the issue by upgrading the version of Splunk. Most of our customers are using version 8.3.3.

What other advice do I have?

I would rate Splunk Enterprise Security nine out of ten.

Organizations that value their security should not choose the cheapest SIEM solution. They should expect to invest in a SIEM solution that can meet their specific needs, even if it means spending more money.

Monthly patching maintenance is required. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Google
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Flag as inappropriate
PeerSpot user
Senior Engineering Manager at Happiest Minds Technologies
Real User
Provides integrations, enables customizations, and has a good security posture and a helpful support team
Pros and Cons
  • "The product has a good security posture."
  • "The glass table feature does not perform as expected."

What is our primary use case?

We have many use cases for firewall logs in our system. We collect logs from these firewalls and customize our use cases.

What is most valuable?

The triad is one of the best features. The product has a good security posture. It provides many customizations.

What needs improvement?

The glass table feature does not perform as expected. It must be improved.

For how long have I used the solution?

I have been using the solution for seven years.

What do I think about the stability of the solution?

The tool is stable. I rate the stability a seven or eight out of ten.

What do I think about the scalability of the solution?

I rate the product's scalability an eight out of ten.

How are customer service and support?

If something doesn't work, we reach out to the support team. The support provided by the team is great. The support is part of the entitlements in the license we buy.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I'm using Microsoft Sentinel. It is a cloud-native tool. Compared to Splunk Enterprise Security, Microsoft Sentinel is easier to handle. We use Splunk Enterprise Security because we have to manage a big infrastructure and may have many security vulnerabilities. The cybersecurity team decided to use Splunk Enterprise Security. The volume of data is high, so it is easier to manage it in Splunk.

How was the initial setup?

The initial deployment was complex. If we need to customize the solution, we need one to four weeks to get all the data, manage the license, and calculate the resources.

What's my experience with pricing, setup cost, and licensing?

The solution is costly. The cost is calculated based on the volume of data ingested per day.

What other advice do I have?

It is not complicated to monitor multiple cloud environments using Splunk. It is one of the best solutions. The multiple cloud integration is open source. It's really helpful to monitor the structure and user authentication. I would definitely suggest it to people.

It's feasible to achieve visibility into multiple environments using the product. The cloud solution is recommendable. The on-premise product is tedious to manage, but it will be easier if we have a good resource to take care of the administration as an architect.

The tool has threat-detection capabilities. There are some limitations. We have a set of rules and patterns where we collect the tagging and the data we want to alert. It would have been better if detection and threat analysis recommendations were available out of the box. Though the solution keeps updating with the market demands, I still feel that the feature needs to be more reactive.

The product has inbuilt use cases for analyzing malicious activities and detecting breaches. It helps us run our alerts to catch malicious actions like brute force attacks or user-related authentication challenges. Splunk Enterprise Security has helped us reduce our alert volume. It has many automations and integrations. The SOAR tool detects and automatically manages repetitive and generic alerts proactively.

Splunk Enterprise Security helps us speed up our security investigations. It's at the top of its game. The tool is proactive and helps us take action before something happens. It has reduced our security threats. It is saving us hours of investigation. If you have a big data source, then I would recommend Splunk Enterprise Security. It will be easy for you to manage the data load. If you do not have a high data volume, you can look for other solutions like Sumo Logic.

My experience with the solution is really good. It has the capability to analyze the platform and take care of vulnerabilities. There is scope for improvement. We have a huge data volume of 2 TB per day. Our platform needs a solution like Splunk Enterprise Security to maintain the data volume and filter out our security vulnerability logs.

Overall, I rate the product a nine out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
PeerSpot user
Information Security Analyst at Apcfss
Real User
The threat intelligence provides insight into how business decisions can make an organization vulnerable to cyber attacks
Pros and Cons
  • "Without Splunk Enterprise Security, it would be difficult for us to manage and prioritize alerts. There's a potential to lose track of important notifications, and it's essential to our security that we do not miss anything. Splunk has improved our investigations because the reporting and dashboarding make things so much easier. We can provide weekly or monthly reports. I also like Splunk's ability to integrate."
  • "Integrating tools and creating use cases could be easier. It's hard for a junior security engineer with only a couple of years of experience to write use cases. They can do it, but it's much easier in a solution like IBM QRadar. Setting conditions is like a multiple-choice type of thing. It's a more user-friendly process."

What is our primary use case?

We have integrated different tools to get files from various types of endpoints. We also have Check Point. There are a few Windows use cases for brute force and code block attacks, and we use Splunk to detect when a user is logging in from another country where we don't do business. Splunk is integrated with our AWS environment, so we ingest logs from Amazon CloudTrail, GuardDuty, and other solutions. 

How has it helped my organization?

Without Splunk Enterprise Security, it would be difficult for us to manage and prioritize alerts. There's a potential to lose track of important notifications, and it's essential to our security that we do not miss anything. Splunk has improved our investigations because the reporting and dashboarding make things so much easier.  We can provide weekly or monthly reports. I also like Splunk's ability to integrate. 

We can fine-tune our alerts to reduce false positives or low-priority alerts. It reduces the time our admins spend on responding to alerts by one or two hours weekly. We can alter the policies, do geoblocking, and add certain applications and IPs to our allowed list. 

What is most valuable?

Splunk covers our cloud and on-prem environments. We were exclusively on-prem, but we are slowly moving into the cloud. Our developers can customize investigations by adding multiple interesting fields and aggregate those details in Enterprise Security by using the appropriate SQL queries.

We use Splunk's threat intelligence management feature, which provides insight into how business decisions can make an organization vulnerable to cyber attacks. All of these things fall under tactical threat intelligence. For example, it can tell us if someone is accessing our organization's API. 

We have integrated all our tools so that we can monitor any alert type, but we use Splunk primarily for investigations. We're ingesting audit, security, application, and Windows logs. Once we get an alert, we go to the tool and investigate further

Splunk uses the MITRE ATT&CK framework, giving us new tactics and techniques based on issues observed in other businesses and industries and helping us to address novel threats to our network. MITRE ATT&CK is highly useful. 

What needs improvement?

It's a little difficult to archive data in Splunk for longer than six to eight months. Integration is more challenging compared to other tools we've used, such as LogRhythm. 

Integrating tools and creating use cases could be easier. It's hard for a junior security engineer with only a couple of years of experience to write use cases. They can do it, but it's much easier in a solution like IBM QRadar. Setting conditions is like a multiple-choice type of thing. It's a more user-friendly process. 

For how long have I used the solution?

We have used Splunk Enterprise Security for nearly a year. 

What do I think about the stability of the solution?

I rate Enterprise Security nine out of 10 for stability. Splunk is solidly stable. We've rarely experienced a crash requiring us to rebuild cases. 

What do I think about the scalability of the solution?

Our organization has around 1,000-1,500 groups, and Splunk works fine for us. 

How are customer service and support?

I rate Splunk support nine out of 10. Their support team is excellent. We schedule calls with them when we have issues. They typically rectify any problems in eight to 12 hours. At most, it will take a week to fix an issue. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have worked with LogRhythm, and I think Splunk's interface is much better. It's more attractive and has a more interesting feel, so I think it makes things easy for our analysts.

What other advice do I have?

I rate Splunk Enterprise Security eight out of 10. Splunk is useful for compiling all types of logs for investigation and monitoring purposes. I can recommend Splunk for people if they are comfortable with the deployment and integration. While integration is easier with solutions like QRadar or LogRhythm, Splunk is better for everything else. 

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Flag as inappropriate
PeerSpot user
Hari Haran. - PeerSpot reviewer
Technical Associate at Positka
Real User
Top 10
Multiple components are very useful, providing us with a lot of security information for our clients
Pros and Cons
  • "It gives us good visibility into multiple environments, including cloud, on-premises, and hybrid; irrespective of platform."
  • "One issue is that we are getting a lot of false positives. We are trying to reduce them by customizing the default rules, changing thresholds, and using white-listing and black-listing. It's getting better and better as a result. But they need to build components that would reduce the false positives."

What is our primary use case?

We use it to provide both operational and security dashboards based on our clients' equipment. We use it for infra monitoring and threat analysis.

We have multiple rules for analyzing malicious activities and detecting breaches. We get the notable events from the logs and from there we drill down into the cause. We correlate that with the framework and get a score. Based on that, we proceed to the investigation.

How has it helped my organization?

It gives us a complete correlation between data processes and security threats. It has threat analysis and the MITRE ATT&CK framework. From a SOC perspective, it uses multiple components or frameworks and, in that way, is very useful, providing us with a lot of information for our clients. They don't want multiple teams dealing with security and malware, et cetera. Splunk Enterprise Security gives us everything in one place.

We get all the real-time logs and, based on the configuration, it's pretty easy to use to find threats. It has helped to speed up our security investigations. Before we went with Splunk Enterprise Security we had limited information but now we have threat intelligence to enhance things.

We are now handling multiple customers globally. We are able to build custom rules based on customer requirements and the applications and data they are using. It is enhancing the security of each customer's infrastructure. We are able to provide weekly and monthly reports and, based on that, our customers are honing their firewalls and other security infrastructure. Splunk Enterprise Security is very helpful in improving the security of our clients.

What is most valuable?

It gives us good visibility into multiple environments, including cloud, on-premises, and hybrid; irrespective of platform.

The UI is also very friendly. You don't have to work very hard to find things.

What needs improvement?

One issue is that we are getting a lot of false positives. We are trying to reduce them by customizing the default rules, changing thresholds, and using white-listing and black-listing. It's getting better and better as a result. But they need to build components that would reduce the false positives. 

Also, we have a lot of security feed providers. If there was some kind of management tool for that, it would be a great tool to have.

For how long have I used the solution?

I have been working with Splunk for about four and a half years.

What do I think about the stability of the solution?

I started working with Splunk Enterprise Security at version 6 and now we are up to 9 and it needs more resources. But it's okay because we have a lot of functionality now. It's better than it was earlier. I would rate the stability at nine out of 10.

What do I think about the scalability of the solution?

Splunk on the cloud is scalable, a 10 out of 10.

How was the initial setup?

If someone is doing the deployment for the first time, it will be a little complex. The installation is straightforward, but for the configuration, you need to follow the documentation and understand it. That is a little difficult the first time if you are doing it on your own. If you have anyone with experience who can explain the configuration, the second time it will be straightforward.

The solution requires maintenance but not much, mostly when there are upgrades 

What's my experience with pricing, setup cost, and licensing?

Most of the companies we work with are keen on budgeting. They can't spend much on security. Their problem is with the cost. They would like to have it but the problem is the budget. If they got a taste of Splunk Enterprise Security and its benefits, they might be able to cope better. A 15-day trial doesn't give them much hands-on or benefit from the tool. From a security perspective, they would need to have it for six months or a year to get a sense of it.

We try to explain, to someone who is concerned about the cost, the functionality and how powerful the application is. Security people know it's better to have a better solution, but management has to look at the budget.

Which other solutions did I evaluate?

We tried some other solutions, but they didn't work like Splunk. We found that Splunk is the best one.

What other advice do I have?

We work on multiple cloud environments including AWS, Azure, GCP, and most of the popular clouds. We have built our own combined app to monitor most of the cloud service providers. We have our own solution for cloud security monitoring.

My advice is that for big firms, because it has better detection and security, Splunk Enterprise Security is a very good tool. For big companies, good security is important, especially if they have a global market.

I don't see any other software having as much functionality and different ways to investigate security.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.
Updated: March 2024
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.