reviewer2756070 - PeerSpot reviewer
Service Lead at a manufacturing company with 10,001+ employees
Real User
Top 10
Sep 12, 2025
Has improved real-time threat detection and supports better contextual awareness
Pros and Cons
  • "The features of Splunk Enterprise Security that I prefer most are the correlation engine and the common information model, basically the aggregation of data."
  • "The problem with Splunk Enterprise Security generally, from what I've seen in the last couple of years, is that it has a cultural, assumption design model around it, which means the company has to fit its internal processes in terms of how to use it."

What is our primary use case?

Splunk Enterprise Security is used by our SOC organization to aggregate and triage alerts used to identify IOCs.

How has it helped my organization?

Splunk Enterprise Security has a strong feature set that helps identify and solve problems in real time.

The benefits of those features for my organization, more specifically, are that it prevents us from being hacked. 

What is most valuable?

The features of Splunk Enterprise Security that I prefer most are the correlation engine and the common information model, basically the aggregation of data. It's usually designed to take all the data, normalize it into a flat schema, so you can then see patterns more easily. That's the significant aspect.

What needs improvement?

The problem with Splunk Enterprise Security generally is that organizations struggle to fit it into their cultures and workflows. For better outcomes, companies have to fit their internal processes to how the tool has been designed. At times, this can be too complex to run, and it has high overhead, requiring constant tuning. Newer versions, e.g. 8.3, hint at greater ease of use.

Buyer's Guide
Splunk Enterprise Security
February 2026
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: February 2026.
883,089 professionals have used our research since 2012.

For how long have I used the solution?

I have been working in my current field for around 12 years.

What do I think about the stability of the solution?

Reliability is all about the care and feeding of it. I have not experienced downtime, crashes, or performance issues with Splunk Enterprise Security.

How are customer service and support?

I would evaluate customer service and technical support as an eight on a scale of one to ten. Splunk Cloud's support is not bad. However, there's a gray area between what they do and what they don't do. What they don't do is the blind spot for most enterprise customers; they don't realize they have to handle certain responsibilities. There's a shared responsibility.

How would you rate customer service and support?

Positive

How was the initial setup?

Setup can be complex. Splunk has specific guidelines. Do your homework and read their SVA architecture and capacity manuals.

And always read their release notes.

What's my experience with pricing, setup cost, and licensing?

My experience with pricing, setup costs, and licensing for Splunk Enterprise Security is limited. The unit cost of Splunk Enterprise Security is slightly less than the core product. 

What other advice do I have?

My advice to other organizations considering using Splunk Enterprise Security is to do your homework. Attend industry peer sessions and learn from other organizations. Splunk's partner program and the RBA Community offer compelling resources for new customers.

I would rate it an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 12, 2025
Todd Beebe - PeerSpot reviewer
Information Security Officer at an energy/utilities company with 201-500 employees
Real User
Top 10
Sep 11, 2025
Analysts detect threats efficiently through scheduled alerts and customizable searches
Pros and Cons
  • "It's similar to having a car. It's a necessity. I don't have to prove to the business executives that it provides return on investment. It's a necessary function and a must-have."
  • "The features I appreciate the most in Splunk Enterprise Security are the scheduled alerts and the search function."
  • "I would evaluate customer service and technical support as frustrating at times."
  • "If we want to filter alerts, currently it's a very manual process. We identify IP addresses and usernames and must manually filter them."

What is our primary use case?

My main use case for this solution is to detect threats.

What is most valuable?

The features I appreciate the most in Splunk Enterprise Security are the scheduled alerts and the search function. 

The other SIEMs were more menu-driven, similar to Yahoo in the past. With Yahoo, you would navigate to find restaurants in San Francisco. Splunk Enterprise Security operates more with a 'tell us what you want and we'll find it' approach versus directing users to look in specific directions. It is very hunt-friendly. 

We are able to prevent breaches with Splunk Enterprise Security. 

Integration supports our security operations since our analysts operate within Splunk.

What needs improvement?

Additional features could be included in the next release. The specific functionality I'm looking for relates to alerts and false positives. If we want to filter alerts, currently it's a very manual process. We identify IP addresses and usernames and must manually filter them. It would be beneficial if we could simply click a checkbox to filter and automatically add it to the search, then save it immediately, instead of the time-consuming process of cutting and pasting, which isn't efficient. 

The most significant challenge I face when using Splunk Enterprise Security for advanced threat detection is maintaining balance in search parameters. Creating searches that aren't too narrow to miss threats, yet not too wide to generate excessive false positives is crucial. When determining recurring false positives for filtering, junior analysts who aren't coders must edit code-like elements. This introduces unnecessary risk when they could simply check a box to filter.

For how long have I used the solution?

I have been working in my current field for 33 years.

What do I think about the stability of the solution?

I would assess the stability and reliability of Splunk Enterprise Security to be generally acceptable. Some performance issues occur with historical, long-distance searches spanning three to six months, however, these are very rare searches that we perform.

What do I think about the scalability of the solution?

Splunk Enterprise Security scales effectively with the growing needs of my organization because we've never had an issue with it. I don't know if the technology team expands usage significantly, but we've used Splunk Enterprise Security for a long time. The expansion process is so smooth it's barely even a process.

How are customer service and support?

I would evaluate customer service and technical support as frustrating at times. It was similar to experiences with other companies, where they would explain why issues occurred instead of solving them. It took time to reach the right individual who would solve the problem, however, these instances were infrequent.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

Prior to adopting Splunk Enterprise Security, I worked at a previous job where they had a different SIEM that was inadequate, so we implemented Splunk Enterprise Security. At my next job, they already had it installed. If they didn't have it, I would have brought it in during the first month. I cannot name the previous solution as it was approximately 15 years ago and was a second-tier provider, not QRadar or other well-known solutions from that time.

How was the initial setup?

My SecOps team has never had a previous solution to compare how long it takes to remediate security incidents in Splunk Enterprise Security. When I arrived, they had a developer license and decided to use it going forward for all security purposes. My team has no experience with other solutions.

What was our ROI?

I have not seen a return on investment with Splunk Enterprise Security. It's similar to having a car. It's a necessity. I don't have to prove to the business executives that it provides return on investment. It's a necessary function and a must-have.

What's my experience with pricing, setup cost, and licensing?

I am aware of the pricing, setup cost, and licensing for it. I don't handle pricing because the primary user is the cyber team. The owners of all technology are the technology team. I inform them we need this solution, and they handle acquisition and management.

What other advice do I have?

We use multiple best-of-breed products to provide data to Splunk Enterprise Security for correlation and malicious activity determination. 

My organization does not use risk-based alerting in Splunk Enterprise Security. We use third parties for threat detection features. 

Splunk Enterprise Security's impact on business resilience is unclear as we use it exclusively for cyber purposes. 

My advice to other organizations considering Splunk Enterprise Security is to use it. 

On a scale of one to ten, I rate this solution a nine.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 11, 2025
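The reviewer above wants false-positive filtering to be a checkbox rather than hand-edited search text, and notes that a filter too wide hides real threats. One way to get that effect without touching the search itself is to keep suppressions as data and apply them after the detection runs, with each row scoped as narrowly as possible. The Python below is an added example written for this page; it is not the reviewer's code and not how Splunk Enterprise Security implements suppression. The alert schema, the suppression rows and the sample alerts are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample alerts in a flat schema (not Splunk's notable format).
SAMPLE_ALERTS = [
    {"rule": "brute_force", "src_ip": "10.1.2.3", "user": "svc_backup", "count": 120},
    {"rule": "brute_force", "src_ip": "203.0.113.7", "user": "alice", "count": 95},
    {"rule": "brute_force", "src_ip": "10.1.9.9", "user": "bob", "count": 60},
    {"rule": "new_local_admin", "src_ip": "10.1.2.3", "user": "svc_backup", "count": 1},
]


@dataclass(frozen=True)
class Suppression:
    """One row of a suppression table. Every non-empty criterion must match,
    so a row with more criteria is narrower and suppresses less."""
    rule: str            # detection name, or "*" for any detection
    src_cidr: str = ""   # optional source network, e.g. "10.1.2.0/24"
    user: str = ""       # optional exact username (case-insensitive)
    reason: str = ""     # why this row exists; reviewed, not just clicked

    def __post_init__(self):
        # Guardrail: a row scoped to every rule with no other criteria would
        # silently suppress everything, so reject it at definition time.
        if self.rule == "*" and not (self.src_cidr or self.user):
            raise ValueError("suppression must scope to a rule, a network, or a user")
        if self.src_cidr:
            ip_network(self.src_cidr)  # fail early on a malformed network

    def matches(self, alert: dict) -> bool:
        if self.rule != "*" and self.rule != alert["rule"]:
            return False
        if self.src_cidr and ip_address(alert["src_ip"]) not in ip_network(self.src_cidr):
            return False
        if self.user and self.user.lower() != alert["user"].lower():
            return False
        return True


# Constructed suppression rows. The row is scoped to one rule, one network and
# one account, so the same account tripping a different rule still alerts.
DEFAULT_SUPPRESSIONS = [
    Suppression("brute_force", "10.1.2.0/24", "svc_backup", "backup agent retries"),
]


def apply_suppressions(alerts, suppressions):
    """Split alerts into (kept, suppressed); suppressed entries record which row matched."""
    kept, suppressed = [], []
    for alert in alerts:
        hit = next((s for s in suppressions if s.matches(alert)), None)
        if hit is None:
            kept.append(alert)
        else:
            suppressed.append({**alert, "suppressed_by": hit.reason})
    return kept, suppressed


if __name__ == "__main__":
    kept, gone = apply_suppressions(SAMPLE_ALERTS, DEFAULT_SUPPRESSIONS)
    for a in kept:
        print("ALERT", a["rule"], a["src_ip"], a["user"])
    for a in gone:
        print("suppressed", a["rule"], a["src_ip"], a["user"], "-", a["suppressed_by"])
```

Because the suppression is a data row with a recorded reason, a junior analyst can add one without editing query text, and the narrow scope (rule, network and account together) is what keeps the filter from hiding the same account doing something new.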
Manoj Subramanya - PeerSpot reviewer
Senior Product Manager at a tech vendor with 501-1,000 employees
Video Review
Real User
Top 10
Sep 11, 2025
Improves threat detection by correlating external intelligence with internal alerts and reduced response times through enriched visibility
Pros and Cons
  • "The feature I appreciate the most about Splunk Enterprise Security is the CIM data model, which allows users to bring in data from different technologies, such as firewalls, endpoints, and perimeter DMZs, enabling every device to pump data into Splunk Enterprise Security, with the data model normalizing all the data and placing it in a common plane."
  • "Splunk Enterprise Security's risk-based alerting has been a game-changer for us, adding intelligence to alerts by considering behavioral or internal asset-based criteria, effectively helping us prioritize alerts and filtering out noise that can be ignored."
  • "While Splunk Enterprise Security is powerful, it presents significant complexity for users, as it's not particularly user-friendly for beginners."

What is our primary use case?

My main use cases for Splunk Enterprise Security have evolved over various roles, primarily focusing on correlating external threat intelligence with the notables in Splunk Enterprise Security. We currently emphasize making it easier for our customers to bring in external threat intelligence, such as from Recorded Future, and correlate it against their entire telemetry to create notables indicative of alerts that could have been missed by traditional defenses.

What is most valuable?

The feature I appreciate the most about Splunk Enterprise Security is the CIM data model, which allows users to bring in data from different technologies, such as firewalls, endpoints, and perimeter DMZs, enabling every device to pump data into Splunk Enterprise Security, with the data model normalizing all the data and placing it in a common plane.

The main benefit of Splunk Enterprise Security features is the increased visibility of our data itself since we can pump in all the data from every security device within our enterprise, providing comprehensive visibility in a single pane of glass without needing to check every tool for individual alerts, allowing us to identify outliers and anomalies easily and build detection rules across multiple technologies.

Splunk Enterprise Security's risk-based alerting has been a game-changer for us. Previously, we were flooded with many alerts, leading to alert fatigue; now, risk-based alerting adds intelligence to alerts by considering behavioral or internal asset-based criteria, effectively helping us prioritize alerts and filtering out noise that can be ignored.

When it comes to leveraging Splunk Enterprise Security's dashboards and visualizations, we struggle to communicate our security posture effectively to leaders such as the CISO, yet Splunk Enterprise Security provides the ability to create tailored reports from generated data using correlations, macros, and specific metrics such as MTTR or MTTD, allowing us to convert this into strategic or tactical-level reports sent directly to the CISO for situational awareness.

Splunk Enterprise Security assists our SOC team in prioritizing and investigating high-fidelity alerts effectively after we triage and identify them; there are various ways to dig deeper, either by building search queries that expand the scope to other data sources or using adaptive response actions to gather additional context, aggregating everything inside Enterprise Security for a comprehensive investigation.

What needs improvement?

While Splunk Enterprise Security is powerful, it presents significant complexity for users, as it's not particularly user-friendly for beginners. I recommend focusing on building user-driven guided workflows to help newcomers navigate and efficiently use the platform through simple guides. 

I also see room for improvement in the integration of Splunk SOAR, which currently has some limitations regarding its data use in downstream playbooks.

For how long have I used the solution?

I have been using Splunk Enterprise Security for approximately seven to eight years, starting even before my current role.

What do I think about the stability of the solution?

I find Splunk Enterprise Security to be generally reliable and stable, as we haven't experienced issues with downtime or crashes despite having a single-node cluster, which has been sufficient for our operational needs.

What do I think about the scalability of the solution?

One of the main reasons we moved to Splunk Enterprise Security is its ability to scale with our growing needs, as it easily accommodates additional compute and storage, and even for on-premises deployment, it simplifies the process of adding those resources as we expand our telemetry.

How are customer service and support?

I would give Splunk customer service an okay rating since they handle standard queries with clear responses; however, the experience can vary when tailored queries arise, sometimes leading to delays in communication, which highlights areas for possible improvement.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

Before adopting Splunk Enterprise Security, we relied on a couple of open-source tools, yet soon realized they weren't scaling to our needs, prompting the decision to switch to a more scalable solution backed by support.

What was our ROI?

From my point of view, the biggest return on investment when using Splunk Enterprise Security comes from its flexibility to bring any data into the platform for visibility, which is hard to achieve with other platforms; this capability, combined with features such as UEBA and risk-based alerting, reduces the need for full-time employees in my SOC while allowing easy integration with external threat intelligence to reveal hidden threat patterns, resulting in reduced MTTD, MTTR, and enhanced situational awareness.

What's my experience with pricing, setup cost, and licensing?

I don't directly handle pricing, yet my experience indicates that Splunk tends to be on the expensive side as a SIEM platform, so I suggest users consider a phased deployment starting with Splunk Cloud or Splunk ES and then expanding capabilities over time rather than embarking on a full deployment initially.

What other advice do I have?

In our strategy to combat insider threats and advanced persistent threats, Splunk Enterprise Security plays an important role with its UEBA features, helping us identify outliers from baseline behavior that assists in detecting anomalies or insider threats that may otherwise slip through traditional defenses. 

I advise organizations considering Splunk Enterprise Security to proceed if you are already a big Splunk shop with an underlying platform deployed, as it seamlessly integrates with your existing data and allows easy onboarding of additional technologies within the Splunk ecosystem without additional overhead. 

Considering the overall performance, I would rate Splunk Enterprise Security as an eight out of ten, recognizing it as a powerful platform within our SOC toolkit.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Partners
Last updated: Sep 11, 2025
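The two mechanisms the reviewer above credits, the CIM data model normalizing fields from different sources onto one schema and risk-based alerting that weights detections by the asset or identity involved and only raises a notable once risk accumulates, can be sketched together in a few dozen lines. The Python below is an added example written for this page, not the reviewer's code and not Splunk's implementation: the field maps, detections, priority tables, thresholds and sample events are all constructed for illustration, and Splunk ES computes risk scores and creates notables with its own data models and incident rules.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable

# Constructed raw events from two sources, each with its native field names.
RAW_EVENTS = [
    {"source": "edr", "hostname": "wks-17", "username": "alice",
     "image": "powershell.exe", "cmdline": "powershell.exe -enc SQBFAFgA"},
    {"source": "fw", "srcip": "10.0.0.5", "dstip": "198.51.100.9", "act": "blocked"},
    {"source": "fw", "srcip": "10.0.0.5", "dstip": "198.51.100.10", "act": "blocked"},
    {"source": "edr", "hostname": "wks-17", "username": "alice",
     "image": "net.exe", "cmdline": "net localgroup administrators alice /add"},
    {"source": "edr", "hostname": "srv-dc01", "username": "bob",
     "image": "powershell.exe", "cmdline": "powershell.exe -enc ZQBjAGgAbwA="},
    {"source": "fw", "srcip": "10.0.0.77", "dstip": "198.51.100.9", "act": "blocked"},
]

# Per-source rename maps onto CIM-like common field names (constructed, simplified).
FIELD_MAPS = {
    "edr": {"hostname": "dest", "username": "user", "image": "process_name", "cmdline": "process"},
    "fw": {"srcip": "src", "dstip": "dest", "act": "action"},
}
ASSET_BY_IP = {"10.0.0.5": "wks-17"}              # asset lookup: address -> hostname
ASSET_PRIORITY = {"wks-17": 1.0, "srv-dc01": 3.0}   # higher multiplier for crown-jewel hosts
IDENTITY_PRIORITY = {"bob": 2.0}                    # higher multiplier for privileged accounts


def normalize(raw: dict) -> dict:
    """Rename native fields to the common schema; unmapped fields are kept as-is."""
    fmap = FIELD_MAPS[raw["source"]]
    ev = {fmap.get(k, k): v for k, v in raw.items()}
    if "src" in ev:  # resolve the source address to an asset name when known
        ev["src_host"] = ASSET_BY_IP.get(ev["src"], ev["src"])
    return ev


@dataclass(frozen=True)
class Detection:
    name: str
    base_score: int
    objects: tuple                      # (object_type, normalized field) pairs to score
    matches: Callable[[dict], bool]


DETECTIONS = [
    Detection("encoded_powershell", 30, (("user", "user"), ("system", "dest")),
              lambda e: e.get("process_name") == "powershell.exe" and "-enc" in e.get("process", "")),
    Detection("local_admin_added", 40, (("user", "user"), ("system", "dest")),
              lambda e: e.get("process_name") == "net.exe" and "administrators" in e.get("process", "")),
    Detection("blocked_outbound", 10, (("system", "src_host"),),
              lambda e: e.get("source") == "fw" and e.get("action") == "blocked"),
]


def risk_events(events):
    """Yield (object_type, object, rule, score): one risk event per matched risk object."""
    for ev in events:
        for det in DETECTIONS:
            if not det.matches(ev):
                continue
            for obj_type, fld in det.objects:
                obj = ev.get(fld)
                if not obj:
                    continue
                prio = ASSET_PRIORITY if obj_type == "system" else IDENTITY_PRIORITY
                yield obj_type, obj, det.name, det.base_score * prio.get(obj, 1.0)


def aggregate(events, threshold=80.0, min_distinct_rules=3):
    """Sum risk per object; an object becomes notable on total score or on rule diversity."""
    score, rules = defaultdict(float), defaultdict(set)
    for obj_type, obj, rule, s in risk_events(events):
        score[(obj_type, obj)] += s
        rules[(obj_type, obj)].add(rule)
    return {
        key: (score[key], sorted(rules[key]),
              score[key] >= threshold or len(rules[key]) >= min_distinct_rules)
        for key in score
    }


def notables(raw_events=RAW_EVENTS):
    """Normalize, score and return the sorted list of (object_type, object) that became notable."""
    agg = aggregate([normalize(e) for e in raw_events])
    return sorted(key for key, (_, _, is_notable) in agg.items() if is_notable)


if __name__ == "__main__":
    for key, (total, matched, is_notable) in aggregate([normalize(e) for e in RAW_EVENTS]).items():
        print(key, total, matched, "NOTABLE" if is_notable else "")
```

With these constructed inputs the workstation wks-17 becomes notable because three different detections fired on it, the domain controller srv-dc01 becomes notable from a single detection because its asset multiplier lifts it over the threshold, and alice, bob and the unknown host 10.0.0.77 stay below both bars, which is the noise reduction the reviewer describes.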
Adam Santilli - PeerSpot reviewer
Cyber Security Associate at a tech vendor with 10,001+ employees
Real User
Top 10
Sep 12, 2025
Improves business resilience and reduced incident remediation time through real-time risk identification
Pros and Cons
  • "The ability to identify risks as they come in is quite good."
  • "Better education for users would be beneficial as they often don't know what they don't know or how to look for certain features."

What is our primary use case?

My main use cases for Splunk Enterprise Security include detection engineering tasks. I work with the SIEM team handling various responsibilities, specifically ensuring uptime availability and correct log ingestion.

How has it helped my organization?

Splunk Enterprise Security has helped improve my organization's business resilience. We have definitely been able to get significant value out of it.

What is most valuable?

As an administrator, I mainly ensure other people can use the system effectively rather than using it extensively myself. 

My impressions of Splunk's ability to predict, identify, and solve problems in real time are solid. I definitely notice when it makes predictions and helps with what we're trying to find in general. The ability to identify risks as they come in is quite good.

The integration of disparate security solutions supports our security operations by providing multiple methods to handle things. We have 21 lines of business with different Splunk pods, each requiring different solutions.

Personally, the integration creates some challenges, particularly when trying to standardize processes and migrate to Splunk Cloud. Managing different Splunk pods on-premises and separate stacks leads to confusion and time inefficiencies.

The process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security works adequately. While I don't write the detections myself, I work closely with those who do, and it doesn't seem to be an issue.

Our Security Ops team's incident remediation time has improved significantly. Previously, it took approximately 11 hours, but now it takes a few hours, though we're still working to reduce this time further through our migration to Splunk Cloud.

What needs improvement?

There are ways Splunk Enterprise Security can be improved, though I might be speaking specifically about my organization's implementation. Better education for users would be beneficial as they often don't know what they don't know or how to look for certain features.

Regarding ease of use, Splunk Enterprise Security is adequate. The challenge arises when we have multiple users trying to differentiate between the regular search head and the Enterprise Security search head. While users can accomplish their tasks, the main issue stems from education rather than the platform itself.

For how long have I used the solution?

I have been using Splunk Enterprise Security for three years, with a six-month break in between. I have been using it extensively for the last year.

What do I think about the stability of the solution?

The stability and reliability of Splunk Enterprise Security is very good. While we've experienced some downtime, crashes, and performance issues, these were caused by end users running poorly optimized queries rather than system problems.

What do I think about the scalability of the solution?

Splunk Enterprise Security scales effectively with our organization's growing needs. We haven't encountered any problems with scalability.

How are customer service and support?

I would rate customer service and technical support from Splunk at nine out of ten. I have had nothing but good experiences with Splunk support, receiving timely and helpful replies. In one instance, when I needed immediate support, I received a call within ten minutes of submitting the ticket, and we resolved the issue promptly.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I am uncertain if my organization used another solution prior to adopting Splunk Enterprise Security. I believe we have been using Splunk the whole time, but this predates my joining the team.

How was the initial setup?

The deployment is fine. I don't really have much of a problem with that end of things.

What was our ROI?

I have seen a return on investment with Splunk Enterprise Security.

What's my experience with pricing, setup cost, and licensing?

I am not familiar with the pricing of Splunk Enterprise Security. Regarding licensing, we face some challenges. The management of different pods makes it confusing and complicated, but it gets resolved by our senior team members.

Which other solutions did I evaluate?

I use disparate security solutions that integrate or import data into Splunk Enterprise Security. We utilize many different tools.

What other advice do I have?

I would advise other organizations to consider Splunk Enterprise Security as it's an easy solution to implement and effective for its intended purpose.

On a scale of one to ten, I rate Splunk Enterprise Security an eight.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Sep 12, 2025
Tejas Shah - PeerSpot reviewer
Splunk Certified Architect at a tech services company with 11-50 employees
Real User
Top 5
Feb 25, 2026
Data insights have improved security operations and now streamline threat detection and response
Pros and Cons
  • "Summing up everything from a SIEM and security point of view, I think Splunk is by far the best product that I have been using since my work experience."
  • "One improvement I want to foresee is that the AI or agent needs to be fed with accurate data, not false data, so that whenever it performs automation on your behalf, it doesn't misconfigure anything."

What is our primary use case?

When we talk about Splunk Enterprise, I have seen clients using it for their data analysis, collecting the logs and preparing meaningful insights out of it, like having dashboards created from the data that they ingest into Splunk. Apart from that, there is a SaaS platform that Splunk provides which is called the Splunk Cloud platform; it provides similar functionality, but the end-to-end config management is handled by Splunk directly. You just have access to the Splunk search head where you log in and can search the data you ingest into Splunk Cloud. Regarding Splunk Enterprise Security, I have seen customers using it for security use cases and to ensure that the environment or organization is not impacted by any SOC threats; basically, they use it for detection and mitigation both.

Customizing and developing new detections in Splunk Enterprise Security is quite simple since I have got experience with it for more than four years. I am quite familiar with it and enjoy working through that as well.

I do use disparate security solutions that integrate or import data into Splunk Enterprise Security.

The security operations are supported on a very great scale because, let's say, we have written n number of detections; we also need to ensure that we don't get alerted or notified on false positives. There is a dashboard in Splunk Enterprise Security that displays all the detections identified as a potential risk or alert to the environment. From there, you can triage the work to investigate deeper, and from the dashboard you can drive it towards closure, with different drill-down options to investigate how a particular event was identified as a risk event and whether it was a false positive. If it wasn't a false positive, you can dive deeper using different response actions as well; all these customizations can be done, and they support any third-party response actions that you want to apply to the Splunk Enterprise Security detections you have.

What is most valuable?

What I like about Splunk Enterprise Security is the way it is able to correlate or ingest any kind of data from any product or source, alert and adapt the whole data as it is, and then provide it in a single visualization format. It handles and provides you options for customizations and different options for alerting as well. Summing up everything from a SIEM and security point of view, I think Splunk is by far the best product that I have been using since my work experience.

Splunk Enterprise Security has indeed helped improve the organization's business resilience. I don't have specific numbers for sharing purposes, but on a quarterly basis, I have seen Splunk helping the resilience and assisting the business greatly in terms of avoiding SOC threats.

What needs improvement?

You need to adapt to new changes constantly and be sure of new learnings in Splunk Enterprise Security; that is the only challenge I would say. However, I don't see it as a problem because if resources are available for you to understand new changes and how detections are managed or how to incorporate advanced threat intelligence frameworks, there is no huge challenge in integrating it with Splunk Enterprise Security. You need to know what things you want to click on the UI; if you are aware of that, there is no challenge. It is just constant learning that you have to give yourself to learn and grow for your own better self.

One improvement I want to foresee is that the AI or agent needs to be fed with accurate data, not false data, so that whenever it performs automation on your behalf, it doesn't misconfigure anything. Trust in the product relies on the AI being reliable and trustworthy, ensuring 100% accuracy and avoiding false positives.

I would say Splunk's ability to predict, identify, and solve problems in real time is near accurate; I cannot confirm that it is 100% since none of the systems are. It definitely alerts you on what particular time you need to be notified. However, to achieve near 100% accuracy, how you handle the searches running in your environment and stagger them is important to avoid overwhelming server resources. Splunk provides features to adjust time zones and write custom schedules; there is no challenge with that. However, there will always be delays, so it is about how you ingest the data; if the source is behind the Splunk server's timezone, that could impact results.

For how long have I used the solution?

I have been working with Splunk for almost six years now.

What do I think about the stability of the solution?

So far, we have not faced any downtime or performance issues with Splunk; there can be outages, but we are automatically notified when they occur, and the team works on resolution. Since we are using Splunk Cloud, we receive notifications directly from them.

What do I think about the scalability of the solution?

I would say Splunk is quite scalable, and we are definitely making the most out of it. Our company was involved in delivering sessions at splunk.conf last year, showcasing how we utilize Splunk and the solutions provided, indicating that we are scaling quite effectively.

How are customer service and support?

I would rate the Splunk support team an eight or nine out of ten; this rating is based on my experience of being part of the partner team that delivered Splunk support. The support depends on the partner, and I appreciate having a dedicated account manager for our customer account, ensuring effective handling of operations and issues. No one can have 100% knowledge, and while there might be delays in response, the support team effectively isolates problems and finds solutions, adhering to an escalation policy that keeps customers updated and satisfied.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Since I have worked more with Splunk, I am somewhat biased but I would say understanding and writing queries to analyze your ingested data is simpler in Splunk and in other products such as Sumo Logic as well. However, no product can match the level of customization and visualization that Splunk can build; you can create reports, dashboards, and present these in a business fashion, which is unmatched.

How was the initial setup?

Deploying Splunk is a piece of cake for me; since I have got so much experience, deploying any kind of environment is not a challenge. I am still in the evolving phase as I started my professional journey with Splunk in 2019. I have made numerous deployments for different testing purposes, replicating customer challenges in our test environment to address their issues directly.

What was our ROI?

That is a bit subjective, I would say because in the Indian market, people often look for alternative solutions to avoid spending more. However, I have seen great satisfaction levels among companies that have utilized Splunk, including the one I am working for now, which has been renewing Splunk licenses over the past decade. If Splunk were not that great, people would not keep renewing it over the years; there is an option for good return on investment, but eventually, people try to find alternatives to save on expenses for R&D or other purposes.

What's my experience with pricing, setup cost, and licensing?

I am not very much aware of the licensing since we are service providers for Splunk or Cribl or DataDog, but I do know Splunk provides licensing in two different ways: SVC-based licensing and ingest-based licensing. The old model charged based on the volume of data ingested on a daily basis, while the current SVC-based model charges based on the compute utilized for searching that data, regardless of volume.

Which other solutions did I evaluate?

All over the globe, it is the AI and agent era, and Splunk is also a part of it having introduced Splunk AI as part of its cloud platform features, eventually to be released in on-prem solutions as well.

What other advice do I have?

I usually do not manage or investigate the alerts that have been triggered; I work on building, managing, and optimizing the use cases. The analyst team works on the incidents, but from what I have heard, before I joined the current organization there were a lot of changes required to be made internally in the product itself and in the way we were writing optimizations. Afterwards, we defined a clean process, and the mean time to closure or mean time to resolve was reduced drastically, by almost 60 to 70% compared to what it was previously.

It is not that we are limited to risk-based alerting in Splunk Enterprise Security; we are using threat intelligence and we have recently configured SOAR as I just mentioned. Additionally, we are using UBA for user behavioral analytics.

We have definitely seen benefits from the threat detection and threat intelligence capabilities in Splunk; we apply risk scores and threat scores to our detections and to the attributes we want to identify or flag as potentially high-risk or high-threat objects. This helps us prioritize the tasks we want to start our day with; it definitely helps with understanding the priority tasks to be worked on. We also make sure to update our threat feeds regularly, since we need to stay on top of all the threat findings globally, ensuring we identify all malicious IP addresses or any file hashes that have been tracked as a threat and are publicly available.

I would advise organizations considering Splunk to stick to the fundamentals; as long as you understand how Splunk operates and the functions of its different components, you won't face challenges in troubleshooting or understanding errors. I would rate this review a ten out of ten overall.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: MSP
Last updated: Feb 25, 2026
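The risk-scoring and threat-feed matching described in the review above, as an added example that is not part of the review and is not Splunk's shipped content: the first search is a risk rule that takes allowed connections from the CIM Network_Traffic data model, matches the destination against a threat-intelligence lookup, and writes one risk event per source host; the second is a risk incident rule that aggregates the risk index per risk object and is meant to be scheduled over the last 24 hours with a notable adaptive response action attached. The lookup name ti_bad_ips and its fields (ip, threat_description, ti_weight), the search name, and the thresholds (a summed risk score above 100, or four distinct contributing searches) are assumptions chosen for the example. In a deployed correlation search the risk event is written by the Risk Analysis adaptive response action rather than by `collect`; the `collect` line here does the same thing by hand so the rule can be tested from the search bar before it is saved.

```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Network_Traffic.All_Traffic
    where All_Traffic.action="allowed"
    by All_Traffic.src, All_Traffic.dest
| `drop_dm_object_name("All_Traffic")`
| lookup ti_bad_ips ip AS dest OUTPUT threat_description, ti_weight
| where isnotnull(ti_weight)
| convert ctime(firstTime) ctime(lastTime)
| eval risk_object=src, risk_object_type="system",
       threat_object=dest, threat_object_type="ip",
       risk_score=ti_weight,
       risk_message="Allowed traffic from ".src." to threat-listed IP ".dest." (".threat_description."; ".count." flows between ".firstTime." and ".lastTime.")",
       search_name="Threat - Outbound Connection to TI-Listed IP - Rule"
| fields risk_object risk_object_type threat_object threat_object_type risk_score risk_message search_name
| collect index=risk source="Threat - Outbound Connection to TI-Listed IP - Rule"

| tstats summariesonly=true
    sum(All_Risk.calculated_risk_score) as risk_score
    count(All_Risk.calculated_risk_score) as risk_event_count
    values(All_Risk.risk_message) as risk_message
    values(source) as source
    dc(source) as source_count
    from datamodel=Risk.All_Risk
    where All_Risk.risk_object_type="system"
    by All_Risk.risk_object, All_Risk.risk_object_type
| `drop_dm_object_name("All_Risk")`
| where risk_score > 100 OR source_count >= 4
| sort - risk_score
```

Keeping the threat-list weight in the lookup (ti_weight) rather than hard-coding it in the search is what makes the reviewer's "update the feeds regularly" routine cheap: refreshing the lookup changes both which destinations match and how much risk each match contributes, without touching the saved search. The aggregation's `dc(source)` threshold is the check that keeps a single noisy rule from promoting a host to a notable on its own; a host only surfaces when either the weighted sum is high or several independent detections agree.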
Jeffrey Bain - PeerSpot reviewer
Sr Manager Global Security Operations at a financial services firm with 10,001+ employees
Real User
Top 10
Sep 13, 2025
Standardized investigations and fraud detection have improved team efficiency significantly
Pros and Cons
  • "It's standardized and easy to use, so you don't have to have a lot of top-tier analysts to do the same job."
  • "Splunk Enterprise Security can be improved by bringing back some of the operational use cases."

What is our primary use case?

My main use case for Splunk Enterprise Security is security eventing.

What is most valuable?

The features of Splunk Enterprise Security provide a standardized platform for investigating.

The content libraries are helpful. In our organization, we don't use them a lot. We will use them as ideas and rebuild them into what our needs are.

It's standardized and easy to use, so you don't have to have a lot of top-tier analysts to do the same job.

The investigations plane and use case library have been beneficial.

We utilize Splunk Enterprise Security for our fraud team using pure ES. We use all the fraud features, and that's been incredibly helpful.

The detection rate and prevention rate have gone up 30 times compared to when they were working on a spreadsheet. The fraud team loves it.

Once we move over to 8.2, we're going to utilize more of the built-in features.

I appreciate the visual control and the investigations plane, though that will be a major migration for us.

What needs improvement?

Splunk Enterprise Security can be improved by bringing back some of the operational use cases. When Splunk developed ITSI, they took a lot of information or use cases out of ES, where operational use cases can also be security use cases. Those two products need to be more migrated to each other. In the next release of Splunk Enterprise Security, there should be more reporting options.

For how long have I used the solution?

I have been using Splunk Enterprise Security for nine years.

What do I think about the stability of the solution?

I would assess the stability and reliability of Splunk Enterprise Security as excellent. I've had no problems with downtime, crashes, or performance issues.

What do I think about the scalability of the solution?

Splunk Enterprise Security scales with the growing needs of my organization just fine. The licensing for ingest is a different story.

How are customer service and support?

I would evaluate customer service and technical support for Splunk Enterprise Security as lacking. The service engineers that we've been getting as part of our weekly or bi-weekly calls with our salesperson, where they've assigned an engineer, have decreased tremendously in quality and expertise over the last few years. People on the team that really know Splunk know a lot more than they do, and it's evident because they don't try anymore. We can still get expert help when we need it.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Prior to adopting Splunk Enterprise Security, I was not using another solution to address similar needs.

How was the initial setup?

I would describe my experience with deploying Splunk Enterprise Security as easy. The KV store setup was straightforward.

What was our ROI?

I have seen ROI with Splunk Enterprise Security.

What's my experience with pricing, setup cost, and licensing?

My experience with pricing, setup cost, and licensing for Splunk Enterprise Security has been fine. We've renewed since Cisco took over.

What other advice do I have?

My advice to other organizations considering Splunk Enterprise Security is to follow the documentation and not build your own stuff.

On a scale of one to ten, I rate this solution a nine.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 13, 2025
DevOps & Cloud Engineer Mentee
Real User
Top 20
Jun 27, 2025
Reduces alert fatigue, and it's well-documented and well-designed
Pros and Cons
  • "Splunk Enterprise Security is fast and well-documented, and the user interface and user interaction are well-designed compared to other SIEM solutions."
  • "Splunk Enterprise Security is great but can have some frustration points. It can sometimes be slower to use."

What is our primary use case?

My main use case is for log management and checking the logs. We have rules running in Splunk Enterprise Security. We are using it as a main SIEM solution for our customers.

How has it helped my organization?

Alert fatigue is a common issue with security solutions, but Splunk Enterprise Security reduces alert fatigue. When we encounter real incidents, we get to dive deeper to check out the main cause of that incident. It is useful because it reduces alert fatigue.

What is most valuable?

The best feature of Splunk Enterprise Security is the documentation. Splunk Enterprise Security's documentation is well-organized. For example, if you have a problem or if you want to read about what you're looking for, you can easily go there and read from the documentation. It also has many resources worldwide. It is a de facto standard of the SIEM solutions. For example, I have used IBM QRadar, which is another solution many companies are using.

One of the most beneficial use cases for me is that Splunk Enterprise Security is fast. I cannot speak to how the SIEMs work in the backend, but I can say it is fast to find any logs. 

Its UX and UI experience is getting better. It is much better than one year ago. Some of the buttons and other features are much easier to locate and choose. The user interactions are much better than one year ago. The advanced queries are much faster. The UI design is much better. That is one of the best changes that happened in one year.

What needs improvement?

AI is an area that has room for improvement in Splunk Enterprise Security. I would say that AI plays a significant role in many of the cybersecurity tools I've used, not just Splunk. Many AI tools offer some form of assistance. By "AI assistance," I mean that while AI may not have complete knowledge of all customer flow data, it can still help engineers who often encounter unfamiliar situations. For example, during incidents, a large volume of logs can be generated, and it can be difficult to analyze all of them in a timely manner. In such cases, AI tools can be beneficial, even if they are not universally applicable. Certain events, like denial-of-service attacks, can result in massive log flows, which complicate detection and response efforts. Additionally, there may be similar collective issues affecting multiple customers.

Many cybersecurity tools incorporate some limited AI capabilities, which can assist operators. For instance, if a specific endpoint security issue arises with a customer, AI can help identify potential causes and suggest improvements. In my experience, most cybersecurity operators and companies rely on security tools that may not offer full-fledged SIEM solutions but do provide integrated security functionalities such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). My expectation is that even small, incremental integrations of AI will significantly enhance these tools' effectiveness.

For how long have I used the solution?

I have been using the solution for approximately one year. I used it for 12 months in the company.

What do I think about the stability of the solution?

It's stable. I would rate it a ten out of ten for stability.

What do I think about the scalability of the solution?

The scalability of Splunk Enterprise Security rates as an eight out of ten. I have not used the scalability option, but I would say the other procedures and processes are flawless. Scalability might be the same.

How are customer service and support?

I have not reached out to their technical support because whenever I have an issue, I use the documentation rather than reaching out to technicians. When there is an issue, people need swift assistance to solve it. People do not want to wait, so I mainly use the documentation.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I have worked with other SIEM solutions. Splunk Enterprise Security is great but can have some frustration points. It can sometimes be slower to use. On the other hand, when I use IBM QRadar, it rarely experiences slowdowns, especially when using the Incident Command Module (ICM). In the case of Splunk Enterprise Security, the speed might be affected by the number of systems in use or possibly due to how the security engineers configure it. As an operator, I find that the speed is a reason I would rate it an eight out of ten. Overall, it's very fast and accurate, and the user interface is excellent for various uses, such as querying data. However, I do notice that it can be slightly slower compared to other large enterprise solutions.

How was the initial setup?

Most of the time, it is deployed on-premises. We don’t rely heavily on cloud solutions, although we have explored them a bit. Our customers, particularly in the financial industry, tend to prefer on-premises systems due to their concerns about cloud security.

Having good documentation is helpful for deployment. If the documentation is lacking, it can be challenging. The ease of navigating the systems really depends on a person's experience. 

The duration varies depending on the company. I can't give a specific answer because it depends on several factors, such as the number of people working in the system, the number of endpoints, and how many on-premises servers are running. In my case, I haven't experienced a full deployment, as I've only deployed a few endpoints and on-premises services. This process took just a couple of days for me, but I haven't dealt with a large-scale on-premises deployment. When I joined the company, they were already using Splunk for various on-premises services, so I haven't gone through a complete zero to one hundred type of scenario.

Splunk Enterprise Security absolutely requires maintenance, but I don't deal with maintenance. It needs maintenance, but I have not encountered much of it. 

What was our ROI?

From a return on investment standpoint, Splunk Enterprise Security saves a lot of time. I have used other SIEM solutions, and they are not so great. They create lots of exhaustion and frustrating periods of checking queries, and the response times are slower. This leads to a lot of frustration because many companies don’t rely on just one SIEM tool; they often use multiple alternatives simultaneously.

The documentation for Splunk Enterprise Security is outstanding. It is well-organized and easy to access. You can simply go to the Splunk documentation website, search for what you need, and by the end of the day, you’ll have a great solution for any issue you encounter with Splunk Enterprise Security. In contrast, other SIEM tools often lack this level of documentation, which is quite disappointing. 

Splunk Enterprise Security also excels with its user interface. It is easy to navigate and integrates seamlessly with other services, which is a significant advantage. You can easily search for solutions, try out different features, and create reports.

As a security operator, one of our main responsibilities is writing reports. If an issue arises, clients will often ask, “What happened around noon? Can you explain the main issue?” Other SIEM tools can make it difficult to find the appropriate buttons or functions to navigate and analyze these incidents. However, with Splunk Enterprise Security, you just look up the documentation, write what you’re searching for, and apply the same rules in Splunk Enterprise Security. Everything is easy to follow, and the system works effectively. In summary, I would say that the well-documented guidance is one of the most valuable aspects for saving me time.

What other advice do I have?

I have not used the advanced correlation capabilities so much because mainly all of them are running. Specifically, I have not gone very deep into the use case of Splunk Enterprise Security. I have used advanced queries a couple of times. For example, there was a sort of attack, a false positive attack. We had to check out all the timelines or block queries to find out what might have happened or what the reason was for the false positive. I used that and it is quite fast.

I have not used the risk-based alerting feature. It is more for log management and checking the log flow. 

Whenever you want to apply for any exams, such as the SOC exam or Blue Team certification exams, they mainly ask for Splunk rather than other SIEM solutions. For me, it is overall the best SIEM solution to use.

I can recommend Splunk Enterprise Security to other users. It is fast and well-documented. The user interface and user interaction are well-designed compared to other SIEM solutions. It is a great SIEM tool.

I would rate Splunk Enterprise Security an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Jun 27, 2025
SOC Manager at a real estate/law firm with 1,001-5,000 employees
Real User
Top 10
Sep 13, 2025
Investigation efforts have improved while search complexity still requires attention
Pros and Cons
  • "The investigation feature helps the team seamlessly put everything together, providing a consistent view of all relevant artifacts for incidents."
  • "Splunk Enterprise Security can be improved with better triage capability and less dependency on running SPL searches, which would allow analysts who may not have much experience in writing SPL searches to still use the tool and run investigations."

What is our primary use case?

Our main use cases for Splunk Enterprise Security include security, detection, and incident response.

How has it helped my organization?

The data model benefits our organization by making it easy for the team to get data into Splunk, and field tagging is particularly helpful.

What is most valuable?

The features of Splunk Enterprise Security that I most appreciate are CIM, the data model, the search capabilities, and the investigation feature embedded into Splunk version 8.

The investigation feature helps the team seamlessly put everything together, providing a consistent view of all relevant artifacts for incidents.

Splunk's ability to predict, identify, and solve problems in real-time is exceptional due to its ease of data ingestion and comprehensive search capabilities with various options.

I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security to be excellent, especially with the new Mission Control included in Splunk Cloud version 8. It is really easy to use.

We are sending data directly to Splunk Cloud without any broker or pipeline in between. Our organization does not use risk-based alerting in Splunk Enterprise Security yet, and our SecOps team has not measured incident remediation times compared to our previous solution.

I would advise other organizations considering Splunk Enterprise Security to check their business case, considering the number of systems and amount of data to determine if it is the right tool in terms of the licensing model. If they decide to implement Splunk Enterprise Security, getting professional support is crucial.

One of our decision drivers was the customer support, which we found to be very responsive based on feedback from other customers. Additionally, the ability to extend the license for IT-related topics provides flexibility to leverage the platform across all departments, not just security - a unique feature compared to other SIEM tools.

What needs improvement?

Splunk Enterprise Security can be improved with better triage capability and less dependency on running SPL searches, which would allow analysts who may not have much experience in writing SPL searches to still use the tool and run investigations.

For how long have I used the solution?

We are still at the beginning, just four months into using Splunk Enterprise Security.

What do I think about the stability of the solution?

I assess the stability and reliability of Splunk Enterprise Security as generally good. We had a few glitches, but nothing serious, and when we needed to raise cases with the support team, they were quickly resolved, particularly an issue on the indexer level.

What do I think about the scalability of the solution?

Splunk Enterprise Security scales effectively with our growing needs. As a global organization, we first started with three regions, and when we were about to move to include the last region, it was easy to increase the license and onboard the new region seamlessly.

How are customer service and support?

I would evaluate customer service and technical support for Splunk Enterprise Security as excellent, particularly our sales representative, who is exceptional. On a scale of one to ten, I would rate customer service and technical support as a nine.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Prior to adopting Splunk Enterprise Security, we were using QRadar from IBM, but we wanted a modern and state-of-the-art SIEM, which led us to choose Splunk Enterprise Security.

How was the initial setup?

The deployment was the best that I have gone through so far. We had professional support, which is something I recommend everyone do: have Splunk professional support personnel advise and support you through the implementation phase.

What about the implementation team?

We had professional support, which I recommend to everyone introducing Splunk Enterprise Security, to have professional support advising and supporting them through the implementation phase.

What was our ROI?

The return on investment from Splunk Enterprise Security is still to come.

What's my experience with pricing, setup cost, and licensing?

My experience with pricing, setup cost, and licensing for Splunk Enterprise Security was positive. We had an excellent sales representative. The licensing model was fair and good compared to other tools we evaluated. The storage-based licensing was the best model that fit our requirements, though it may change as we evolve and ingest more data.

What other advice do I have?

I rate this product seven out of ten. Nothing is perfect, and there is still room for improvement.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 13, 2025
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.
Updated: February 2026