Senior Product Manager at a tech vendor with 501-1,000 employees
Improves threat detection by correlating external intelligence with internal alerts and reduces response times through enriched visibility
Pros and Cons
- "The feature I appreciate the most about Splunk Enterprise Security is the CIM data model, which allows users to bring in data from different technologies, such as firewalls, endpoints, and perimeter DMZs, enabling every device to pump data into Splunk Enterprise Security, with the data model normalizing all the data and placing it in a common plane."
- "Splunk Enterprise Security's risk-based alerting has been a game-changer for us, adding intelligence to alerts by considering behavioral or internal asset-based criteria, effectively helping us prioritize alerts and filtering out noise that can be ignored."
- "While Splunk Enterprise Security is powerful, it presents significant complexity for users, as it's not particularly user-friendly for beginners."
What is our primary use case?
My main use cases for Splunk Enterprise Security have evolved over various roles, primarily focusing on correlating external threat intelligence with the notables in Splunk Enterprise Security. We currently emphasize making it easier for our customers to bring in external threat intelligence, such as from Recorded Future, and correlate it against their entire telemetry to create notables indicative of alerts that could have been missed by traditional defenses.
What is most valuable?
The feature I appreciate the most about Splunk Enterprise Security is the CIM data model, which allows users to bring in data from different technologies, such as firewalls, endpoints, and perimeter DMZs, enabling every device to pump data into Splunk Enterprise Security, with the data model normalizing all the data and placing it in a common plane.
The main benefit of Splunk Enterprise Security features is the increased visibility of our data itself since we can pump in all the data from every security device within our enterprise, providing comprehensive visibility in a single pane of glass without needing to check every tool for individual alerts, allowing us to identify outliers and anomalies easily and build detection rules across multiple technologies.
Splunk Enterprise Security's risk-based alerting has been a game-changer for us. Previously, we were flooded with many alerts, leading to alert fatigue; now, risk-based alerting adds intelligence to alerts by considering behavioral or internal asset-based criteria, effectively helping us prioritize alerts and filtering out noise that can be ignored.
When it comes to leveraging Splunk Enterprise Security's dashboards and visualizations, we struggle to communicate our security posture effectively to leaders such as the CISO, yet Splunk Enterprise Security provides the ability to create tailored reports from generated data using correlations, macros, and specific metrics such as MTTR or MTTD, allowing us to convert this into strategic or tactical-level reports sent directly to the CISO for situational awareness.
Splunk Enterprise Security assists our SOC team in prioritizing and investigating high-fidelity alerts effectively after we triage and identify them; there are various ways to dig deeper, either by building search queries that expand the scope to other data sources or using adaptive response actions to gather additional context, aggregating everything inside Enterprise Security for a comprehensive investigation.
What needs improvement?
While Splunk Enterprise Security is powerful, it presents significant complexity for users, as it's not particularly user-friendly for beginners. I recommend focusing on building user-driven guided workflows to help newcomers navigate and efficiently use the platform through simple guides.
I also see room for improvement in the integration of Splunk SOAR, which currently has some limitations regarding its data use in downstream playbooks.
For how long have I used the solution?
I have been using Splunk Enterprise Security for approximately seven to eight years, starting even before my current role.
Buyer's Guide
Splunk Enterprise Security
December 2025
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: December 2025.
880,490 professionals have used our research since 2012.
What do I think about the stability of the solution?
I find Splunk Enterprise Security to be generally reliable and stable, as we haven't experienced issues with downtime or crashes despite having a single-node cluster, which has been sufficient for our operational needs.
What do I think about the scalability of the solution?
One of the main reasons we moved to Splunk Enterprise Security is its ability to scale with our growing needs, as it easily accommodates additional compute and storage, and even for on-premises deployment, it simplifies the process of adding those resources as we expand our telemetry.
How are customer service and support?
I would give Splunk customer service an okay rating since they handle standard queries with clear responses; however, the experience can vary when tailored queries arise, sometimes leading to delays in communication, which highlights areas for possible improvement.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
Before adopting Splunk Enterprise Security, we relied on a couple of open-source tools, yet soon realized they weren't scaling to our needs, prompting the decision to switch to a more scalable solution backed by support.
What was our ROI?
From my point of view, the biggest return on investment when using Splunk Enterprise Security comes from its flexibility to bring any data into the platform for visibility, which is hard to achieve with other platforms; this capability, combined with features such as UEBA and risk-based alerting, reduces the need for full-time employees in my SOC while allowing easy integration with external threat intelligence to reveal hidden threat patterns, resulting in reduced MTTD, MTTR, and enhanced situational awareness.
What's my experience with pricing, setup cost, and licensing?
I don't directly handle pricing, yet my experience indicates that Splunk tends to be on the expensive side as a SIEM platform, so I suggest users consider a phased deployment starting with Splunk Cloud or Splunk ES and then expanding capabilities over time rather than embarking on a full deployment initially.
What other advice do I have?
In our strategy to combat insider threats and advanced persistent threats, Splunk Enterprise Security plays an important role with its UEBA features, helping us identify outliers from baseline behavior that assists in detecting anomalies or insider threats that may otherwise slip through traditional defenses.
I advise organizations considering Splunk Enterprise Security to proceed if you are already a big Splunk shop with an underlying platform deployed, as it seamlessly integrates with your existing data and allows easy onboarding of additional technologies within the Splunk ecosystem without additional overhead.
Considering the overall performance, I would rate Splunk Enterprise Security as an eight out of ten, recognizing it as a powerful platform within our SOC toolkit.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Partners
Last updated: Sep 11, 2025
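The two ideas this reviewer singles out, a common data model that normalizes events from different technologies and risk-based alerting that accumulates risk per object instead of firing on every detection, are illustrated below with an added toy example in Python. It is not Splunk's code, not the reviewer's, and not an SPL search: the firewall and endpoint records, their field names, the asset inventory, the per-detection risk scores, the criticality weights, the 24-hour window and the threshold of 100 are all constructed assumptions chosen to show the mechanism.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, each record in its source's native field names.
RAW_EVENTS = [
    {"source": "firewall", "ts": "2025-09-01T08:00:00", "srcip": "10.1.1.5",
     "dstip": "203.0.113.9", "act": "allow", "rule": "outbound_to_rare_domain"},
    {"source": "endpoint", "ts": "2025-09-01T08:05:00", "host": "wks-042",
     "account": "alice", "alert": "failed_logon_burst"},
    {"source": "endpoint", "ts": "2025-09-01T08:30:00", "host": "wks-042",
     "account": "alice", "alert": "new_admin_account"},
    {"source": "firewall", "ts": "2025-09-01T09:00:00", "srcip": "10.1.1.5",
     "dstip": "10.1.2.7", "act": "deny", "rule": "port_scan"},
    {"source": "endpoint", "ts": "2025-09-02T11:00:00", "host": "srv-db-01",
     "account": "svc_backup", "alert": "failed_logon_burst"},
]

# Assumed asset inventory: resolves IPs and hostnames to one asset identity.
ASSETS = {"10.1.1.5": "wks-042", "wks-042": "wks-042", "srv-db-01": "srv-db-01"}
# Assumed criticality weights (1.0 = ordinary workstation, 3.0 = crown-jewel server).
ASSET_CRITICALITY = {"wks-042": 1.0, "srv-db-01": 3.0}
# Assumed base risk contributed by each detection.
DETECTION_RISK = {"failed_logon_burst": 20, "new_admin_account": 50,
                  "outbound_to_rare_domain": 30, "port_scan": 10}
NOTABLE_THRESHOLD = 100          # assumed: accumulated risk that warrants a notable
WINDOW = timedelta(hours=24)     # assumed: trailing window over which risk accumulates


def normalize(raw):
    """Map a source-specific record onto a common schema, the job a CIM-style data model does."""
    ts = datetime.fromisoformat(raw["ts"])
    if raw["source"] == "firewall":
        return {"time": ts, "src": raw["srcip"], "dest": raw["dstip"],
                "user": None, "detection": raw["rule"]}
    if raw["source"] == "endpoint":
        return {"time": ts, "src": raw["host"], "dest": None,
                "user": raw["account"], "detection": raw["alert"]}
    raise ValueError(f"unknown source {raw['source']!r}")


def risk_events(raw_events):
    """Attach a risk score to every normalized event: base score times asset criticality."""
    out = []
    for raw in raw_events:
        ev = normalize(raw)
        asset = ASSETS.get(ev["src"], ev["src"])
        score = DETECTION_RISK.get(ev["detection"], 0) * ASSET_CRITICALITY.get(asset, 1.0)
        out.append({"time": ev["time"], "risk_object": asset,
                    "detection": ev["detection"], "score": score})
    return out


def notables(raw_events, threshold=NOTABLE_THRESHOLD, window=WINDOW):
    """Raise at most one notable per risk object once its risk inside the trailing window reaches the threshold."""
    by_obj = defaultdict(list)
    for r in sorted(risk_events(raw_events), key=lambda r: r["time"]):
        by_obj[r["risk_object"]].append(r)
    result = {}
    for obj, rs in by_obj.items():
        for i, r in enumerate(rs):
            # Events for this object that fall within `window` before the current one.
            recent = [x for x in rs[:i + 1] if r["time"] - x["time"] <= window]
            total = sum(x["score"] for x in recent)
            if total >= threshold:
                result[obj] = {"risk_score": total,
                               "detections": sorted({x["detection"] for x in recent}),
                               "fired_at": r["time"]}
                break
    return result


def noise_reduction(raw_events):
    """Compare the raw detection count with the number of notables actually raised."""
    return {"raw_detections": len(raw_events), "notables": len(notables(raw_events))}


if __name__ == "__main__":
    for obj, n in notables(RAW_EVENTS).items():
        print(f"NOTABLE {obj}: risk={n['risk_score']} detections={n['detections']} at {n['fired_at']}")
    print(noise_reduction(RAW_EVENTS))
```

With the constructed input, five low-value detections collapse to a single notable on wks-042, whose outbound connection to a rare domain, logon burst and new admin account together reach 100 within the window; the isolated logon burst on srv-db-01 scores 60 even after the criticality weight and stays below the threshold, which is the kind of noise the reviewer describes filtering out.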
Cyber Security Associate at a tech vendor with 10,001+ employees
Improves business resilience and reduces incident remediation time through real-time risk identification
Pros and Cons
- "The ability to identify risks as they come in is quite good."
- "Better education for users would be beneficial as they often don't know what they don't know or how to look for certain features."
What is our primary use case?
My main use cases for Splunk Enterprise Security include detection engineering tasks. I work with the SIM team handling various responsibilities, specifically ensuring uptime availability and correct log ingestion.
How has it helped my organization?
Splunk Enterprise Security has helped improve my organization's business resilience. We have definitely been able to get significant value out of it.
What is most valuable?
As an administrator, I mainly ensure other people can use the system effectively rather than using it extensively myself.
My impressions of Splunk's ability to predict, identify, and solve problems in real time are solid. I definitely notice when it makes predictions and helps with what we're trying to find in general. The ability to identify risks as they come in is quite good.
The integration of disparate security solutions supports our security operations by providing multiple methods to handle things. We have 21 lines of business with different Splunk pods, each requiring different solutions.
Personally, the integration creates some challenges, particularly when trying to standardize processes and migrate to Splunk Cloud. Managing different Splunk pods on-premises and separate stacks leads to confusion and time inefficiencies.
The process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security works adequately. While I don't write the detections myself, I work closely with those who do, and it doesn't seem to be an issue.
Our Security Ops team's incident remediation time has improved significantly. Previously, it took approximately 11 hours, but now it takes a few hours, though we're still working to reduce this time further through our migration to Splunk Cloud.
What needs improvement?
There are ways Splunk Enterprise Security can be improved, though I might be speaking specifically about my organization's implementation. Better education for users would be beneficial as they often don't know what they don't know or how to look for certain features.
Regarding ease of use, Splunk Enterprise Security is adequate. The challenge arises when we have multiple users trying to differentiate between the regular search head and the Enterprise Security search head. While users can accomplish their tasks, the main issue stems from education rather than the platform itself.
For how long have I used the solution?
I have been using Splunk Enterprise Security for three years, with a six-month break in between. I have been using it extensively for the last year.
What do I think about the stability of the solution?
The stability and reliability of Splunk Enterprise Security are very good. While we've experienced some downtime, crashes, and performance issues, these were caused by end users running poorly optimized queries rather than system problems.
What do I think about the scalability of the solution?
Splunk Enterprise Security scales effectively with our organization's growing needs. We haven't encountered any problems with scalability.
How are customer service and support?
I would rate customer service and technical support from Splunk at nine out of ten. I have had nothing but good experiences with Splunk support, receiving timely and helpful replies. In one instance, when I needed immediate support, I received a call within ten minutes of submitting the ticket, and we resolved the issue promptly.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I am uncertain if my organization used another solution prior to adopting Splunk Enterprise Security. I believe we have been using Splunk the whole time, but this predates my joining the team.
How was the initial setup?
The deployment is fine. I don't really have much of a problem with that end of things.
What was our ROI?
I have seen a return on investment with Splunk Enterprise Security.
What's my experience with pricing, setup cost, and licensing?
I am not familiar with the pricing of Splunk Enterprise Security. Regarding licensing, we face some challenges. The management of different pods makes it confusing and complicated, but it gets resolved by our senior team members.
Which other solutions did I evaluate?
I use disparate security solutions that integrate or import data into Splunk Enterprise Security. We utilize many different tools.
What other advice do I have?
I would advise other organizations to consider Splunk Enterprise Security as it's an easy solution to implement and effective for its intended purpose.
On a scale of one to ten, I rate Splunk Enterprise Security an eight.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Sep 12, 2025
Sr Manager Global Security Operations at a financial services firm with 10,001+ employees
Standardized investigations and fraud detection have improved team efficiency significantly
Pros and Cons
- "It's standardized and easy to use, so you don't have to have a lot of top-tier analysts to do the same job."
- "Splunk Enterprise Security can be improved by bringing back some of the operational use cases."
What is our primary use case?
My main use case for Splunk Enterprise Security is security eventing.
What is most valuable?
The features of Splunk Enterprise Security provide a standardized platform for investigating.
The content libraries are helpful. In our organization, we don't use them a lot. We will use them as ideas and rebuild them into what our needs are.
It's standardized and easy to use, so you don't have to have a lot of top-tier analysts to do the same job.
The investigations plane and use case library have been beneficial.
We utilize Splunk Enterprise Security for our fraud team using pure ES. We use all the fraud features, and that's been incredibly helpful.
The detection rate and prevention rate have gone up 30 times compared to when they were working on a spreadsheet. The fraud team loves it.
Once we move over to 8.2, we're going to utilize more of the built-in features.
I appreciate the visual control and the investigations plane, though that will be a major migration for us.
What needs improvement?
Splunk Enterprise Security can be improved by bringing back some of the operational use cases. When Splunk developed ITSI, they took a lot of information or use cases out of ES, where operational use cases can also be security use cases. Those two products need to be more migrated to each other. In the next release of Splunk Enterprise Security, there should be more reporting options.
For how long have I used the solution?
I have been using Splunk Enterprise Security for nine years.
What do I think about the stability of the solution?
I would assess the stability and reliability of Splunk Enterprise Security as excellent. I've had no problems with downtime, crashes, or performance issues.
What do I think about the scalability of the solution?
Splunk Enterprise Security scales with the growing needs of my organization just fine. The licensing for ingest is a different story.
How are customer service and support?
I would evaluate customer service and technical support for Splunk Enterprise Security as lacking. The service engineers that we've been getting as part of our weekly or bi-weekly calls with our salesperson, where they've assigned an engineer, have decreased tremendously in quality and expertise over the last few years. People on the team that really know Splunk know a lot more than they do, and it's evident because they don't try anymore. We can still get expert help when we need it.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Prior to adopting Splunk Enterprise Security, I was not using another solution to address similar needs.
How was the initial setup?
I would describe my experience with deploying Splunk Enterprise Security as easy. The KV store setup was straightforward.
What was our ROI?
I have seen ROI with Splunk Enterprise Security.
What's my experience with pricing, setup cost, and licensing?
My experience with pricing, setup cost, and licensing for Splunk Enterprise Security has been fine. We've renewed since Cisco took over.
What other advice do I have?
My advice to other organizations considering Splunk Enterprise Security is to follow the documentation and not build your own stuff.
On a scale of one to ten, I rate this solution a nine.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 13, 2025
DevOps & Cloud Engineer Mentee
Reduces alert fatigue, and it's well-documented and well-designed
Pros and Cons
- "Splunk Enterprise Security is fast and well-documented, and user interface and user interaction are well-designed compared to other SIEM solutions."
- "Splunk Enterprise Security is great but can have some frustration points. It can sometimes be slower to use."
What is our primary use case?
My main use case is for log management and checking the logs. We have rules running in Splunk Enterprise Security. We are using it as a main SIEM solution for our customers.
How has it helped my organization?
Alert fatigue is a common issue with security solutions, but Splunk Enterprise Security reduces alert fatigue. When we encounter real incidents, we get to dive deeper to check out the main cause of that incident. It is useful because it reduces alert fatigue.
What is most valuable?
The best feature of Splunk Enterprise Security is the documentation. Splunk Enterprise Security's documentation is well-organized. For example, if you have a problem or if you want to read about what you're looking for, you can easily go there and read the documentation. It also has many resources worldwide. It is the de facto standard among SIEM solutions. For example, I have used IBM QRadar, which is another solution many companies are using.
One of the most beneficial use cases for me is that Splunk Enterprise Security is fast. I cannot speak to how the SIEMs work in the backend, but I can say it is fast to find any logs.
Its UX and UI experience is getting better. It is much better than one year ago. Some of the buttons and other features are much easier to locate and choose. The user interactions are much better than one year ago. The advanced queries are much faster. The UI design is much better. That is one of the best changes that happened in one year.
What needs improvement?
AI is an area that has room for improvement in Splunk Enterprise Security. I would say that AI plays a significant role in many of the cybersecurity tools I've used, not just Splunk. Many AI tools offer some form of assistance. By "AI assistance," I mean that while AI may not have complete knowledge of all customer flow data, it can still help engineers who often encounter unfamiliar situations. For example, during incidents, a large volume of logs can be generated, and it can be difficult to analyze all of them in a timely manner. In such cases, AI tools can be beneficial, even if they are not universally applicable. Certain events, like denial-of-service attacks, can result in massive log flows, which complicate detection and response efforts. Additionally, there may be similar collective issues affecting multiple customers.
Many cybersecurity tools incorporate some limited AI capabilities, which can assist operators. For instance, if a specific endpoint security issue arises with a customer, AI can help identify potential causes and suggest improvements. In my experience, most cybersecurity operators and companies rely on security tools that may not offer full-fledged SIEM solutions but do provide integrated security functionalities such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). My expectation is that even small, incremental integrations of AI will significantly enhance these tools' effectiveness.
For how long have I used the solution?
I have been using the solution for approximately one year. I used it for 12 months in the company.
What do I think about the stability of the solution?
It's stable. I would rate it a ten out of ten for stability.
What do I think about the scalability of the solution?
The scalability of Splunk Enterprise Security rates as an eight out of ten. I have not used the scalability option, but I would say the other procedures and processes are flawless. Scalability might be the same.
How are customer service and support?
I have not reached out to their technical support because whenever I have an issue, I use the documentation rather than reaching out to technicians. When there is an issue, people need swift assistance to solve it. People do not want to wait, so I mainly use the documentation.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I have worked with other SIEM solutions. Splunk Enterprise Security is great but can have some frustration points. It can sometimes be slower to use. On the other hand, when I use IBM QRadar, it rarely experiences slowdowns, especially when using the Incident Command Module (ICM). In the case of Splunk Enterprise Security, the speed might be affected by the number of systems in use or possibly due to how the security engineers configure it. As an operator, I find that the speed is a reason I would rate it an eight out of ten. Overall, it's very fast and accurate, and the user interface is excellent for various uses, such as querying data. However, I do notice that it can be slightly slower compared to other large enterprise solutions.
How was the initial setup?
Most of the time, it is deployed on-premises. We don’t rely heavily on cloud solutions, although we have explored them a bit. Our customers, particularly in the financial industry, tend to prefer on-premises systems due to their concerns about cloud security.
Having good documentation is helpful for deployment. If the documentation is lacking, it can be challenging. The ease of navigating the systems really depends on a person's experience.
The duration varies depending on the company. I can't give a specific answer because it depends on several factors, such as the number of people working in the system, the number of endpoints, and how many on-premises servers are running. In my case, I haven't experienced a full deployment, as I've only deployed a few endpoints and on-premises services. This process took just a couple of days for me, but I haven't dealt with a large-scale on-premises deployment. When I joined the company, they were already using Splunk for various on-premises services, so I haven't gone through a complete zero to one hundred type of scenario.
Splunk Enterprise Security absolutely requires maintenance, but I don't deal with maintenance. It needs maintenance, but I have not encountered much of it.
What was our ROI?
From a return on investment standpoint, Splunk Enterprise Security saves a lot of time. I have used other SIEM solutions, and they are not so great. They create lots of exhaustion and frustrating periods of checking queries, and the response times are slower. This leads to a lot of frustration because many companies don’t rely on just one SIEM tool; they often use multiple alternatives simultaneously.
The documentation for Splunk Enterprise Security is outstanding. It is well-organized and easy to access. You can simply go to the Splunk documentation website, search for what you need, and by the end of the day, you’ll have a great solution for any issue you encounter with Splunk Enterprise Security. In contrast, other SIEM tools often lack this level of documentation, which is quite disappointing.
Splunk Enterprise Security also excels with its user interface. It is easy to navigate and integrates seamlessly with other services, which is a significant advantage. You can easily search for solutions, try out different features, and create reports.
As a security operator, one of our main responsibilities is writing reports. If an issue arises, clients will often ask, “What happened around noon? Can you explain the main issue?” Other SIEM tools can make it difficult to find the appropriate buttons or functions to navigate and analyze these incidents. However, with Splunk Enterprise Security, you just look up the documentation, write what you’re searching for, and apply the same rules in Splunk Enterprise Security. Everything is easy to follow, and the system works effectively. In summary, I would say that the well-documented guidance is one of the most valuable aspects for saving me time.
What other advice do I have?
I have not used the advanced correlation capabilities so much because mainly all of them are running. Specifically, I have not gone very deep into the use case of Splunk Enterprise Security. I have used advanced queries a couple of times. For example, there was a sort of attack, a false positive attack. We had to check out all the timelines or block queries to find out what might have happened or what the reason was for the false positive. I used that and it is quite fast.
I have not used the risk-based alerting feature. It is more for log management and checking the log flow.
Whenever you want to apply for any exams, such as the SOC exam or Blue Team certification exams, they mainly ask for Splunk rather than other SIEM solutions. For me, it is overall the best SIEM solution to use.
I can recommend Splunk Enterprise Security to other users. It is fast and well-documented. User interface and user interaction are well-designed compared to other SIEM solutions. It is a great SIEM tool.
I would rate Splunk Enterprise Security an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Jun 27, 2025
System Engineer - Security Presales at a comms service provider with 10,001+ employees
Achieve comprehensive data visibility with versatile language
Pros and Cons
- "Splunk Enterprise Security's most valuable features are its stability and the robust Splunk Search Processing Language, allowing extensive customization and analysis capabilities."
- "Splunk simplifies real-time problem identification and resolution by seamlessly integrating existing customer and vendor systems."
- "Splunk could enhance its offerings by incorporating modules for network detection and response and fraud management, along with improving its threat intelligence management capabilities."
What is our primary use case?
After the acquisition by Cisco, we are focusing on our partnership with them as a Gold Partner and Tier One reseller. Following the acquisition, we also shifted our focus to Splunk. I am a system integrator implementing Splunk for customers in their environments.
How has it helped my organization?
Splunk has a vast integration with multiple vendors, which makes it easy for our customers to integrate various cloud environments.
Splunk provides complete visibility when integrated with all installed appliances and applications.
The threat intelligence management feature is a good add-on for startups, especially given its affordability.
Splunk allows organizations to ingest and normalize data effectively.
Splunk simplifies real-time problem identification and resolution by seamlessly integrating existing customer and vendor systems. Its customizable dashboards can be tailored to map and reflect specific environmental needs precisely.
The threat topology and MITRE ATT&CK framework features can help discover the full scope of a security incident, provided they are fully integrated into the customer's environment.
Splunk's comprehensive log visibility enables efficient investigation of malicious activities and breaches. By generating a dashboard that collects logs from firewalls, emails, proxy endpoints, and threat intelligence, Splunk can provide access to critical information within seconds, significantly reducing investigation time compared to other vendors or solutions. This streamlined process, facilitated by Splunk's ability to gather and analyze diverse log data, ensures swift identification and resolution of security incidents.
It helps our customers improve their organization's business resilience.
The unified platform helps consolidate networking infrastructure and security. This single-platform approach offers the advantage of combining multiple technologies and features, streamlining operations and enhancing efficiency.
Implementing Splunk with SOAR capabilities, along with machine learning and AI for alert filtering, can significantly reduce alert volume without constantly interrupting administrators. This streamlined approach ensures that only alerts requiring approval are sent to administrators, optimizing their workflow and efficiency.
The analysts using Splunk, even the free edition, are very satisfied with the information it provides for their investigations.
Splunk has helped customers accelerate their security investigations by integrating AI and machine learning into its platform. This integration automates many basic tasks and saves valuable time.
Splunk helps reduce our customer's mean time to resolve.
What is most valuable?
Splunk Enterprise Security's most valuable features are its stability and the robust Splunk Search Processing Language, allowing extensive customization and analysis capabilities.
What needs improvement?
Splunk could enhance its offerings by incorporating modules for network detection and response and fraud management, along with improving its threat intelligence management capabilities. Additionally, the pricing could be made more competitive.
For how long have I used the solution?
I have been using Splunk Enterprise Security for almost six months.
What do I think about the stability of the solution?
Splunk is a very stable platform.
What was our ROI?
My customers feel it's a good investment, but Splunk updated its price models recently.
What's my experience with pricing, setup cost, and licensing?
One of Splunk's two major disadvantages is its high cost. The platform requires significant financial investment and resources, making it expensive despite its comprehensive features.
What other advice do I have?
Splunk has disadvantages such as cost and resource requirements. However, once I invest, it's a powerful platform that ranks number one in SIEM and observability. I rate the product nine out of ten due to pricing concerns and threat intelligence management not being advanced.
I believe Splunk is the top SIEM tool. However, the term "enterprise security" is misused when applied to Splunk. While many vendors claim to offer "enterprise security," true enterprise security should cover all aspects of cybersecurity. Splunk excels in SIEM, SOAR, and UEBA, but it doesn't address other crucial areas like firewalls, PAM, or web/mail gateways. Therefore, Splunk shouldn't be categorized as an "enterprise security" solution. Although Splunk leads in SIEM with its superior visibility and observability, it lacks presence in other essential cybersecurity domains.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Soc Manager at a real estate/law firm with 1,001-5,000 employees
Investigation efforts have improved while search complexity still requires attention
Pros and Cons
- "The investigation feature helps the team seamlessly put everything together, providing a consistent view of all relevant artifacts for incidents."
- "Splunk Enterprise Security can be improved with better triage capability and less dependency on running SPL searches, which would allow analysts who may not have much experience in writing SPL searches to still use the tool and run investigations."
What is our primary use case?
Our main use cases for Splunk Enterprise Security include security, detection, and incident response.
How has it helped my organization?
The data model benefits our organization by making it easy for the team to get data into Splunk, and field tagging is particularly helpful.
What is most valuable?
The features of Splunk Enterprise Security that I most appreciate are CIM, the data model, the search capabilities, and the investigation feature embedded into Splunk version 8.
The investigation feature helps the team seamlessly put everything together, providing a consistent view of all relevant artifacts for incidents.
Splunk's ability to predict, identify, and solve problems in real-time is exceptional due to its ease of data ingestion and comprehensive search capabilities with various options.
I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security to be excellent, especially with the new Mission Control included in Splunk Cloud version 8. It is really easy to use.
We are sending data directly to Splunk Cloud without any broker or pipeline in between. Our organization does not use risk-based alerting in Splunk Enterprise Security yet, and our SecOps team has not measured incident remediation times compared to our previous solution.
I would advise other organizations considering Splunk Enterprise Security to check their business case, considering the number of systems and amount of data to determine if it is the right tool in terms of the licensing model. If they decide to implement Splunk Enterprise Security, getting professional support is crucial.
One of our decision drivers was the customer support, which we found to be very responsive based on feedback from other customers. Additionally, the ability to extend the license for IT-related topics provides flexibility to leverage the platform across all departments, not just security - a unique feature compared to other SIEM tools.
What needs improvement?
Splunk Enterprise Security can be improved with better triage capability and less dependency on running SPL searches, which would allow analysts who may not have much experience in writing SPL searches to still use the tool and run investigations.
For how long have I used the solution?
We are still at the beginning, just four months into using Splunk Enterprise Security.
What do I think about the stability of the solution?
I assess the stability and reliability of Splunk Enterprise Security as generally good. We had a few glitches, but nothing serious, and when we needed to raise cases with the support team, they were quickly resolved, particularly an issue on the indexer level.
What do I think about the scalability of the solution?
Splunk Enterprise Security scales effectively with our growing needs. As a global organization, we first started with three regions, and when we were about to move to include the last region, it was easy to increase the license and onboard the new region seamlessly.
How are customer service and support?
I would evaluate customer service and technical support for Splunk Enterprise Security as excellent, particularly our sales representative, who is exceptional. On a scale of one to ten, I would rate customer service and technical support as a nine.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Prior to adopting Splunk Enterprise Security, we were using QRadar from IBM, but we wanted a modern and state-of-the-art SIEM, which led us to choose Splunk Enterprise Security.
How was the initial setup?
The deployment was the best that I have gone through so far. We had professional support, which is something I recommend to everyone introducing Splunk: having the Splunk professional support personnel advise and support you through the implementation phase.
What about the implementation team?
We had professional support, which I recommend to everyone introducing Splunk Enterprise Security, to have professional support advising and supporting them through the implementation phase.
What was our ROI?
The return on investment from Splunk Enterprise Security is still to come.
What's my experience with pricing, setup cost, and licensing?
My experience with pricing, setup cost, and licensing for Splunk Enterprise Security was positive. We had an excellent sales representative. The licensing model was fair and good compared to other tools we evaluated. The storage-based licensing was the best model that fit our requirements, though it may change as we evolve and ingest more data.
What other advice do I have?
I rate this product seven out of ten. Nothing is perfect, and there is still room for improvement.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 13, 2025
Staff Performance Engineer at a tech vendor with 10,001+ employees
Real-time monitoring and alerts enhance performance evaluation and security investigations
Pros and Cons
- "I can create dashboards to collect and view information in a tabular, graphical format. This feature is important because it helps me understand time-series data over one or two hours."
- "Overall, I would rate it a nine out of ten."
- "Data retention can be better. If we want to look at the data for five months or six months, that is not available to us. We only have a history of 20 or 30 days. After that, the information gets lost. That is a drawback."
What is our primary use case?
We use it for real-time monitoring and alerts for all instances and servers on our sub-prod instances. It helps in monitoring, getting alerts for specific errors, and identifying various logs. We also use it for log analysis, which is very beneficial.
My use case is more related to production issues. Threat detection is taken care of by another team.
How has it helped my organization?
It is our go-to tool for monitoring multiple cloud environments. The difficult part initially is to understand how the logging is happening for particular applications or instances. Once you have an understanding of what you want to see and how they are getting generated, you can just write queries, and you can create exhaustive dashboards for anybody to look at and understand how things are.
Splunk Enterprise Security is good for analyzing malicious activities and detecting breaches. Its threat detection capabilities are good. We can look at the exact activity and task. We can look at a trace and understand what is happening. It gives a very granular understanding. I see emails from the security team mentioning what they have identified, so it seems to be helpful for threat detection.
Based on the org mail that we received, they were able to block almost 95% of threats in real time. That is a pretty good number.
Splunk Enterprise Security helps to reduce alert volume because you can understand patterns, such as where your requests are going and how everything is happening. There has been a 40% to 50% reduction.
Splunk Enterprise Security has helped speed up our security investigations by 40% to 50%. It has helped the security team to get a head start and understand where the issue is originating and where the problem is. We are operating in a very dynamic environment, so any time lost costs the company money.
What is most valuable?
I can create dashboards to collect and view information in a tabular, graphical format. This feature is important because it helps me understand time-series data over one or two hours. It creates graphs, allowing us to check spikes and examine average values and 90th and 95th percentile values. This capability is useful for performance monitoring and issue identification. I believe it has helped speed up security investigations.
What needs improvement?
Data retention can be better. If we want to look at the data for five months or six months, that is not available to us. We only have a history of 20 or 30 days. After that, the information gets lost. That is a drawback.
Splunk's dashboards are pretty basic. In comparison to Grafana, the dashboards are not as detailed. There is room for improvement in that area.
For how long have I used the solution?
I have been using it for about one and a half years now.
What do I think about the stability of the solution?
It is stable. I have not encountered any stability issues so far.
What do I think about the scalability of the solution?
It is easy to scale. We have multiple instances, sub-instances, and prod instances running, so scalability is not a problem.
It is being used by development teams, QA teams, performance teams, and security teams. We have about 500 people using it.
How are customer service and support?
It is good. I have not had any major issues where support was lacking, so I would rate it positively.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
In this organization, I did not use any similar solution. In my previous organization, we used APM tools like Dynatrace and AppDynamics, which helped us monitor real-time data and performance. Splunk is a similar tool but offers more capabilities and is also cost-effective.
It was an organizational decision to go with Splunk Enterprise Security. It involved financial considerations and the kind of deal Splunk provided, as we are using the enterprise version and another version. Economics, capabilities, and support were factors.
How was the initial setup?
I was not involved in its deployment. When it comes to maintenance, another team looks after it and takes care of maintenance.
What was our ROI?
I have not been involved in the finance part, so I cannot comment on ROI or costs. However, preventing incidents or solving performance issues saves money, converting time saved to money. Customers are happy. Employees are happy. There is less downtime.
What's my experience with pricing, setup cost, and licensing?
I am not aware of the costs; that is handled by a separate team. I only use it for logs and performance issues.
What other advice do I have?
Instead of going for the cheapest solution available, you should go for the one that meets your needs. It takes time for an organization to onboard a new solution, so it is important to choose the right solution from the start. I believe all available solutions are pretty good, so you should see what suits you better.
It is a great tool. If you learn to navigate it, you can access a wide range of information about any application or product. It is a very helpful tool, provided you know how to use it.
Overall, I would rate it a nine out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Assistant VP, Data Loss Prevention at a financial services firm with 10,001+ employees
Creating custom detections has accelerated threat response and improved team independence
What is our primary use case?
My main use case for Splunk Enterprise Security is web uploads.
What is most valuable?
The ability to create SPLs in Splunk Enterprise Security is my favorite feature. These features benefit my organization primarily through threat detection, which is what I use it for, so that's a huge benefit. Splunk Enterprise Security has absolutely helped improve my organization's business resilience.
What needs improvement?
Splunk Enterprise Security could be improved by incorporating AI features, as it doesn't have the AI capability that Pyramid does, where users can ask questions without having to write code.
For how long have I used the solution?
It has been more than three years.
What do I think about the stability of the solution?
I haven't experienced any downtime or performance issues with Splunk Enterprise Security. Zscaler may experience issues because Splunk grabs data from them, but other than that, I haven't had anything crash.
What do I think about the scalability of the solution?
Splunk Enterprise Security adapts to our growing needs on a yearly basis, as we're constantly growing our program and it has helped in that way. We have expanded usage from just engineering, as now our whole DLP team uses it, allowing us to not rely on other people for it. It was a smooth process when we were expanding usage.
What other advice do I have?
The most significant challenges I've faced when using Splunk include getting the code right. I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security to be good, as changes are easy to make. On average, my security ops team takes about three days to remediate security incidents with Splunk Enterprise Security, depending on what the incident is.
My advice to other organizations considering Splunk Enterprise Security is that it depends on their needs and costs, but I think it can cover everything from a small business to a large business, so I would definitely recommend it.
On a scale of 1-10, I rate Splunk Enterprise Security an 8.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 11, 2025
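As an added illustration of the kind of custom SPL detection this reviewer describes for web uploads (an example written for this page, not the reviewer's own search or Splunk's shipped content), the following search uses the CIM Web data model to flag users whose hourly outbound upload volume to a destination far exceeds their own baseline. The data model fields (`Web.http_method`, `Web.bytes_out`, `Web.user`, `Web.dest`) are standard CIM fields; the 30-day baseline window, the 3-standard-deviation threshold and the 1 MiB floor are assumptions to tune per environment.

```spl
| tstats summariesonly=true
    count as requests
    sum(Web.bytes_out) as bytes_out
    from datamodel=Web
    where Web.http_method="POST"
    by _time span=1h Web.user Web.dest
| rename Web.user as user Web.dest as dest
``` 
```spl
| eventstats avg(bytes_out) as baseline_avg stdev(bytes_out) as baseline_sd by user
| where _time >= relative_time(now(), "-24h@h")
| where bytes_out > 1048576 AND bytes_out > baseline_avg + 3*baseline_sd
| eval excess_mb = round((bytes_out - baseline_avg)/1048576, 2)
| table _time user dest requests bytes_out baseline_avg excess_mb
| sort - excess_mb
```

Run it over a 30-day time range: `eventstats` builds each user's per-hour baseline from the whole range, while the first `where` limits alerting to the last 24 hours. `summariesonly=true` only returns results if the Web data model is accelerated; set it to `false` (at a large performance cost) if it is not. A user seen in only one hour has no standard deviation and will never match, so a brand-new account's first large upload needs a separate rule; the 1 MiB floor stops tiny baselines from producing alerts on trivial form posts.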