Splunk Enterprise Security Reviews

We mainly use the Splunk Enterprise Security app to use Splunk as a SIEM. I have worked with Splunk on-premises, which is Splunk Enterprise, and I have worked with Splunk Cloud as well. 

We mostly use Splunk for the SOC environment. We use Splunk for security incident monitoring.

Splunk Enterprise Security fastens our security investigations.

Our organization monitors multiple cloud environments. We have more than 50 customers. Customers have their own licenses, and for some customers, they are shared. We have a single Splunk console. We have customized Splunk, and we have onboarded multiple customers. For some customers, we have integrated Splunk with SOAR. There is a single console to monitor SIEM and other devices. It saves the analysis work. It provides good visibility as compared to the other SIEM products I have worked with. 

We use the Threat Topology and MITRE ATT&CK framework features. You can map your use cases with the MITER ATT&CK framework. It is common in all SIEMs nowadays. It is good. It gives a good mapping of the use case and a better understanding.

Splunk Enterprise Security has not helped reduce our alert volume. It behaves as we configure it. The engineer handles the fine-tuning of the use case and reduction in the alerts.

The fast search is valuable. As compared to other SIEMs, Splunk is very fast in terms of the search and providing data.

The customization of the use cases is another valuable feature. It is query-based, and now, there is a feature to have machine learning as well. We can write advanced-level use cases, which is a limitation of other SIEMs.

The third point is the device integration. It is very smooth. If I need to integrate devices for logs, it is easier with Splunk. We can integrate different applications, network devices, and databases. It is also very rich in documents. It is the best.

Splunk does not provide any default threat intelligence like Microsoft Sentinel, but you can integrate any third-party threat intelligence with Splunk. By default, no threat intelligence suite is there, whereas, with IBM QRadar or Microsoft Sentinel, the default feature of threat intelligence is there. It is free. It would be better if Splunk could provide a default threat intelligence suite.

The second issue is that Splunk is expensive compared to many other SIEM tools in the market. A competitive price will work better.

The third issue is that Splunk Cloud is sometimes slow. If I create more use cases, Splunk will be slow because they provide limited resources in Splunk Cloud. They can do some optimization there.

The last issue is that they used to give a trial version of the Splunk Enterprise Security app that we could showcase to customers for demonstration, but they have stopped that free trial version. If they can start that again, it will be better. It will help to showcase the capability of Splunk.

I have been using Splunk Enterprise Security for seven years.

It is sometimes slow. It also depends on the number of use cases or queries. You need to optimize the use cases or queries that are running and consuming a lot of resources. I have also seen Splunk Cloud hanging a bit. I would rate it a seven out of ten in terms of stability.

We have contacted their support many times. Their support is average. We sometimes have a hard time with their support. They are not very reliable, but this is the case with all SIEM products.

Neutral

We are also using Microsoft Sentinel and IBM QRadar. We have also used ArcSight. For some customers, we are using LogRhythm and the RSA solution. Different customers have different SIEM tools, but I find Microsoft Sentinel and Splunk better than the others in the market. I feel Splunk is the most mature tool at this time. It is very easy to customize. You can do whatever you want.

IBM QRadar is the cheapest option available in the market. It is a traditional SIEM tool. It is not as fast as Splunk or Microsoft Sentinel, but from a costing perspective, it is convenient. There are also a few open-source SIEM tools. Many companies are using those, but if you go with a commercial tool, IBM QRadar is very good in terms of cost value. When it comes to customization and maturity, Splunk Enterprise Security is definitely number one. Microsoft Sentinel comes second, and IBM QRadar comes third.

It is easier than other tools.

We implement it for our clients. The number of people involved depends on the license utilization, the number of devices, and the time frame. Two to three months are normally required for the full integration of a customer environment, and a minimum of two people are required for the integration.

It is expensive. That is why many customers have moved to IBM QRadar. The price is definitely a challenge for customers.

If budget is not an issue, you can go ahead with Splunk Enterprise Security. Nowadays, Splunk is ready to negotiate. With good negotiation, you might get a good deal. If you are a large organization with more than 2,000 devices or more than 500 licenses, Splunk is the best choice. If price is not an issue, you can blindly go with Splunk because it is the most mature tool in the market at this time. Microsoft Sentinel is scaling up, but it is still not there where Splunk Enterprise Security is.

Overall, I would rate Splunk Enterprise Security a nine out of ten.

There are lots of use cases such as finding threats, attack factors, and logs. It helps with rogue DNS or brute force attack detection. We have logs related to why a particular account was created. There is alerting. We can get some false positives, but by fine-tuning some of the things, we can reduce false positives.

Splunk is a security monitoring tool. It helps with incident handling, data logging, and observability of metrics. Splunk can handle all these things. Splunk Enterprise security is a premium app of Splunk through which we can have all the threat intelligence and incident reviews. It helps in finding all the attacks and Advanced Persistent Threats (APTs).

We also have dashboards. We can collect logs from different sources and applications. We can also troubleshoot issues. If we are having any issues with an application, we can go to that particular index to see what is the cause. If any application is failing or giving an error, we can troubleshoot the issue. We do not have to log into the server to find the error.

We monitor multiple cloud environments. We have GCP, Azure, and AWS. It is easy to monitor multiple cloud environments using the Splunk Enterprise Security dashboards. Splunk releases inbuilt apps, so by using those apps and add-ons, we can integrate it with our cloud environments. For example, for Azure, they have a Microsoft Cloud Services add-on. We need to register the app in Azure, and after registering the app, we have to use the tenant ID and set it up. There are a lot of inputs, and we can use all those inputs to onboard different logs from Azure. There is also the capability for HTTP event collection.

We have a hybrid environment, and that works best for us. For a lot of things, we cannot just go fully cloud. Hybrid is the best option for us. We are happy with the visibility that Splunk Enterprise Security provides. It is also about how we configure things. If we do not do it in the right way, we will not get visibility. We have to know what kind of tools we are using and what kind of data we are pulling. We cannot pull everything. We have to know what to pull. If we pull only what is required, we would not have any problems.

Splunk Enterprise Security comes with MITRE ATT&CK and Cyber Kill Chain frameworks by default. There are 12 processes in the MITRE ATT&CK framework. We just have to onboard logs, create the data models, and assign those ATPs to monitor all the kill chains. We can monitor all attack vectors and persistent threats that we want to monitor.

Splunk Enterprise Security is good for analyzing malicious activities and detecting breaches. I would rate it a 9 out of 10 for that. It can also go to 10 for different clients based on different requirements.

Along with Splunk Enterprise Security, we also install another Splunk app that has all the threat intelligence. We then feed the data through a CSV file and create the use cases. We set up alerts for those. In the case of an event, an alert is generated and assigned to a particular SOC analyst. There can be some false positives, but with proper configuration and filtering, they can be reduced.

Splunk Enterprise Security has been very beneficial and valuable for us. Our application teams can use the indexes to troubleshoot the issues they are facing at their location.

Being able to ingest data from all the tools and all the apps being used in the environment is valuable. Being able to create alerts when, for example, the CPU usage reaches 95% is also valuable. We can set up alerts and proactively fix the issues. Splunk helps with all these things, and Splunk Enterprise Security has almost 2,000 use cases. It follows MITRE ATT&CK and Cyber Kill Chain frameworks. There are certain notable events for which we can configure our security posture. We can onboard all the logs through indexes and create dashboards to view what is going on in the environment.

Overall, it is pretty good. They are improving it every day. They recently released SC4S for onboarding syslog data. However, the support and the pricing can be better.

It has been 8 years since I have been using Splunk. I am not a part of the core security team. I handle some parts of enterprise security, such as SIEM data models or the creation of some correlation searches and use cases. The majority of things, such as threat hunting or threat intelligence, are managed by our core security team.

We faced some issues, but we fixed them ourselves. We have around 10,000 knowledge objects running. All the knowledge objects should not be running all the time. They should be distributed over 24 hours so that the servers do not have any extra pressure at a particular time. We used to have an issue with our indexes going down. The CPU was being utilized 100%, and everything was getting stopped. We found the issue. We fixed that, and we are good now.

It is pretty easy to scale. For Splunk Cloud, we log a ticket with Splunk support, and they start the process. It does not take much time. However, there is a cost involved in that. 

We have been ingesting 40 TB a day. We have three locations: The USA, the UK, and France.

The SLA for Splunk Cloud support is not satisfactory for a customer. The turnaround time is a bit low. That should be fixed. I would rate their support a 9 out of 10.

Positive

I have not used any similar solution in my current organization.

In my previous organizations, I have used solutions such as Elk, IBM QRadar, and Microsoft Sentinel. Microsoft Sentinel is good. Splunk is better than QRadar. Splunk has a lot of capabilities. It makes it easier to do many things and do them correctly. It does not require as much effort as required in IBM QRadar and Microsoft Sentinel.

Splunk is a bit costly, but if we control our usage during our searches, its cost is okay. When not controlled, it becomes a bit costly.

To those evaluating Splunk and solutions, I would advise knowing the features they would be getting. Elk is open source, but there is an underlying cost of infrastructure. The cost almost becomes the same. You have to hire people who can work on Elk and then you have the underlying infrastructure cost.

We were on-premises, but we recently moved to Splunk Cloud. We have been using Victoria for the last eight months. When going from on-premises to Splunk Cloud, Splunk recommends engaging professional services. 

The migration was done by Splunk. For administration and maintenance, we have about eight people, but the number of users in the environment would be in the thousands.

The maintenance of Splunk Cloud is taken care of by Splunk. Customers do not manage the clusters. With the on-prem setup, we have to patch the servers, upgrade the servers, or restart them from time to time so that the rebalancing of the buckets happens properly. In Splunk Cloud, we do not have to do these things. We only take care of the data normalization part. All other things are managed by Splunk.

It does provide a return on investment.

It is a bit costly.

Be clear about what you want and try to filter out as much as possible. Create role-based rules and assign them to users rather than assigning every role capability to all the users. Also, everyone should not have access to all indexes. Only certain people should have access. For example, if someone is from the AD team, he or she should have access to the particular index logging the AD logs. They should not have access to all of it. There should also be some kind of training before you give access to people so that they know which searches to use and which ones not to use. They should understand the impact of various things.

I would rate Splunk Enterprise Security a 9 out of 10 based on my experience and the work that I do with the core security team. They are pretty satisfied with it.

I mostly use the solution in my company for incident response, ticket management, and integration with other endpoint products.

The benefits my company has seen from the use of Splunk Enterprise Security revolve around the speed of detection it offers.

The most valuable feature of the solution is the correlation searches. The one-stop shop shows me all my insights, and alerts, and can send alerts to my analysts.

I would say it is fairly important for my organization that Splunk Enterprise Security provides end-to-end visibility in our environment. At the same time, my company has other products that cover the observability piece. From a security perspective, we use data outside of our security data to piece together the whole picture. I think our company's perspective is that no matter how we get the whole picture, we will do it, even if it is from outside Splunk Enterprise Security. I think Splunk Enterprise Security plays a major role in this.

In terms of Splunk Enterprise Security for helping our company find any security event across multi-cloud, on-premises, or hybrid environments, I would say that it is great once you get past the learning curve. The learning curve is higher than normal.

I think Splunk Enterprise Security has helped improve our organization's ability to ingest and normalize data in a great manner. Splunk is a great product and provides these features, but not so much when it comes to identifying and solving problems in real-time because there are always data delays. There is always onboarding, mapping, creation of correlation search, and then enabling Splunk ESCU part. It works in a general sense and not on a real-time basis.

In terms of whether Splunk Enterprise Security has helped reduce alert volume, I would say that it is the only active SIEM tool my company is currently utilizing. Reducing alert volumes involves tuning up certain areas of the engineering team. If I look at the product alone, I would say it can help reduce alert volume. If I consider the learning curve, I would say that you have to learn how to tune it the right way with the help of professional services or experts. You need to utilize your resources, which I think is the best way to do it.

Splunk Enterprise Security provides our company with relevant context to help guide our investigations since the correlation searches with the enriched data do help gain insights on all of our investigations. At the current point, we are still trying to get past the tool's learning curve so that all of our analysts and everyone on the security team can utilize the tool the best way they can. The more they learn, the better it gets, so currently, we are doing our best.

Splunk Enterprise Security helped reduce the meantime needed to resolve our issues because we have all our data in a centralized location and mapped to a data model. As long as we know what detection and data we are looking at, we can go to our data model and figure out where the issue lies.

Splunk Enterprise Security's ability to help improve our organization's business resilience revolves more around observability. Our company recently migrated to Splunk Cloud, and I think we have more hands-on experience with the ingestion side than ever before. I think it is a lot easier for us since we moved to Splunk Cloud as we don't have to focus on maintaining the infrastructure so much, and we can focus more on the data. I think this is outside of Splunk Enterprise Security's scope and falls under Splunk Cloud's capacity.

Speaking about Splunk's unified platform helping consolidate networking, security, and IT observability tools, I would say that my company is not there yet.

In the next release, I want Splunk to offer more openness to integrations with other products that may be more of a preference for my incident response teams.

I have been using Splunk Enterprise Security for five years. I am an end-user.

In terms of stability, if configured correctly, it works great.

With Splunk Cloud, I think using the tool's scalability feature is easy since one can just call the product's support team.

The solution's technical support is great since they have been very responsive and very attentive while answering all my questions. If the support team can't answer my questions, they escalate it to their engineering team. 

I have had nothing but good things to say about Splunk's technical team. There have been times when I had to rephrase my questions or when there were communication issues, but the time to respond, escalation, and the attempts in trying to find help and answers from the support team's end have always been great. 

I think the only thing lacking is that there are some answers that I couldn't find about the tool without reaching out to support, and it had to be escalated to the engineering team. If this process is the only way I can find answers, I think it is a little bit limiting for an engineer who supports a real-time incident response team. I rate the technical support a nine and a half out of ten.

Positive

I have personally not used any other product before Splunk Enterprise Security.

The product's deployment phase was pretty easy to manage since our company has a migration team and support staff. We also had a really good project manager from Splunk to help us, who walked us through every step, and it was a great experience.

The solution is deployed on Splunk Cloud, which runs on AWS.

My company works with Splunk directly to help us with the implementation, and our experience with the product has been great.

I have not seen an ROI.

The pricing model is great. You can choose between workloads or volume. I am not part of the conversation about pricing in my organization. I just know what I know about the tool from learning about Splunk.

I rate the tool a ten out of ten.

We use Splunk Enterprise Security as our SIEM solution.

The log sources are in multiple cloud environments, but the deployment of Splunk is on-premises.

Monitoring our AWS and Azure cloud environments with Splunk Enterprise Security is easy.

The visibility into multiple cloud environments is good. We have complete visibility because we integrate all our logs and sources into Splunk.

Splunk Enterprise Security's insider threat detection capabilities module runs on the backend and provides complete visibility into anomalous behavior and zero-day attacks.

The threat intelligence management feature is a necessary tool in our environment. The actionable intelligence provided by the threat intelligence management feature is helpful. We can see the IoC to help with our investigation.

Splunk Enterprise Security does a good job analyzing malicious activities and detecting breaches.

Splunk Enterprise Security helps us detect threats faster.

Splunk Enterprise Security helps reduce our alert volume by whitelisting the false positives.

Splunk Enterprise Security has helped speed up our security investigations. Splunk uses user-friendly language and visibility to speed up our investigation times.

Splunk offers significant time savings for analysts compared to tools like Azure Sentinel, with analysts resolving alerts 30-40 percent faster. Additionally, Splunk's user-friendly dashboards simplify administration.  

Splunk Enterprise Security's value lies in its ability to collect and analyze security logs, providing insightful dashboards.

Splunk's high cost, despite its recognition in our region, prevents many organizations from adopting Splunk Enterprise Security, suggesting there's room for improvement in their pricing strategy. 

I have been using Splunk Enterprise Security for six months.

Splunk Enterprise Security is stable.

Splunk Enterprise Security is designed for easy scaling.

Our organization is expanding our clusters day by day.

The technical support is collaborative. We do receive a response within the appropriate time.

Positive

While I have experience with Azure Sentinel and other SIEM tools, Splunk stands out for me. It provides a full SIEM experience with informative dashboards, clear language for easy analysis, comprehensive visibility across my systems, and a robust CIM for data organization.

The initial deployment was technical but not overly complex. We faced difficulties with the log process going down and not getting the results in the client console. The overall deployment took around three hours to complete.

Three people were involved in the deployment. 

The implementation was completed in-house.

Splunk differs from other SIEM solutions by using a gigabyte-based pricing model, rather than the agent-based licenses common with its competitors.

While Splunk Enterprise Security carries a higher cost and requires budgeting, cheaper SIEM, and open-source alternatives often have limitations. This makes the decision a matter of weighing the cost against the features most important to each organization's security needs.

I would rate Splunk Enterprise Security nine out of ten.

On paper, Splunk Enterprise Security is the top solution for detecting security threats in any organization, but Splunk Enterprise Security is expensive and most organizations don't have a proper budget to implement a SIEM solution. So they look for a more reasonable cost-effective solution. This is a hurdle for implementing Splunk Enterprise Security. It was originally designed for data science and modified for security. It is a top tool for SIEM and data analytics.

Splunk Enterprise Security stands out for its threat detection capabilities, but its cost can be a barrier for many organizations. Originally designed for data science, it excels in both security and analytics, but its price tag often pushes businesses towards more budget-friendly SIEM solutions.

Splunk Enterprise Security offers good resilience for our customers.

For organizations that don't have the budget for Splunk Enterprise Security, I would recommend Azure Sentinel.

We use Splunk Enterprise Security as the main SIEM system for our operation center. We use it for monitoring detection, and alert management.

We implemented Splunk Enterprise Security to help detect attacks on our network.

Splunk Enterprise Security is highly flexible, allowing us to create whatever we desire. This exemplifies its inherent power. The visibility it offers is notably robust. We can craft it to our needs and even utilize various frameworks within Splunk, prepackaged for security purposes. We possess distinct applications hosting diverse dashboards, catering to numerous security products, including those from different vendors.

The effectiveness of Splunk Enterprise Security insider threat detection capabilities, aimed at identifying unfamiliar threats, relies on whether we establish alerts based on the rules we formulate. If we construct rules incorporating user behavior criteria, the system functions optimally. It appears that there is an Extended User and Entity Behavior Analytics add-on available, which requires a separate license in addition to the enterprise security license. This add-on utilizes machine learning and encompasses multiple developed use cases. While it has limitations, it effectively serves the specific use cases it is designed for.

The threat intelligence framework within Splunk is also highly potent. We can ingest, link, and integrate external data feeds. Concerning IOCs, there are numerous pre-configured alerts within the system that rely on a feed of undesirable IPs. If one of these IPs triggers any of the alerts, such as those generated by our firewall's traffic logs, and the IP matches the bad IPs in the threat intelligence feed, the system correlates this information. If the flagged IP is detected within our network or appears in our firewall logs, an automatic alert is generated. We simply need to ingest the external feed. Subsequently, if the system identifies the IP anywhere, we will receive corresponding alerts.

I appreciate the new MITRE ATT&CK feature. I believe it's a valuable addition and reasonably priced. It seems the feature has been largely developed through marketing efforts, utilizing the capabilities of Splunk to display the MITRE ATT&CK map and the associated rules. This is important since MITRE ATT&CK encompasses over a hundred techniques. It presents the information to us based on the MITRE ATT&CK framework to illustrate ongoing activities. However, achieving a comprehensive understanding of each technique within the MITRE ATT&CK framework requires significant effort and adjustments.

Splunk Enterprise Security has enhanced our organization by offering increased visibility. If any adverse incidents occur, we are promptly informed. Even without configuring the custom rules, Splunk provides effective out-of-the-box rules that help prevent attacks. Consequently, it effectively halts these attacks. In fact, we have been able to detect and thwart potential attacks in their initial stages. This exemplifies the benefits it provides us.

Splunk Enterprise Security has helped to speed up our security investigations. We are now able to complete our investigations within three or four days. 

The most valuable features include agility and Splunk Enterprise Security's ability to quickly search for alerted items, as well as the capacity to create custom alerts using the SQL language employed by Splunk. This makes it a highly potent and versatile solution tailored to both user and company needs.

Splunk could enhance its services by providing more comprehensive professional assistance aimed at optimizing our investment. This aspect seems lacking as our expenses increase with higher data connectivity, seemingly without much consideration, as this translates to increased revenue for them. The challenge lies in the fact that we don't always require all the amassed data. Oftentimes, clients are uncertain about their actual data needs. Therefore, if Splunk integrated a service dedicated to system optimization and pricing, focusing on essential monitoring data while eliminating less crucial elements, it could potentially lead to cost savings for the customers. This strategic move would demonstrate their commitment to customers beyond just financial gain. It would highlight their genuine intention to provide support, streamline operations, and maximize the potential of this technology for individuals and their respective companies.

Splunk provides automation for large-scale environments where numerous servers are present. Consequently, efficient management of these servers becomes imperative. Currently, our management server operates using a top-down approach. This involves establishing connections from the main management server to every individual leaf and subsequently, to each lower-level server.

However, this architecture lacks inherent security measures. In the current setup, Splunk employs multiple collectors to gather data. Subsequently, this data is relayed upward, filtered, and then once again transmitted to the main management server. Notably, data traffic consistently flows from external sources toward the central management hub. This design enhances security, as even if a hacker were to compromise or gain control of the management server, their influence would be limited. The data originates externally and travels inwards, preventing unauthorized access to the entire system. 

In contrast, the proposed approach for managing extensive infrastructures situates the management hub at the core. This central position allows us to establish connections from the hub to the various peripheral components, even if they are located on a secure network. However, this configuration carries significant risks. A security breach at the central hub could potentially grant an attacker elevated permissions. This would enable them to compromise the entire network by gaining access to all Splunk nodes within the company. This architecture is vulnerable and has room for improvement.

I have been using Splunk Enterprise Security for four years.

I would rate Splunk Enterprise Security's stability a seven out of ten. This is because the system lacks built-in protection against certain issues. It alerts us when there are problems in the system, which we then need to address. However, these issues are not always easily fixable, setting it apart from other systems. For instance, sometimes the system slows down while we're working. This can occur when a new alert is implemented, leading to high resource usage and system instability. We are then required to identify and rectify the specific cause of this problem. This might involve disabling or adjusting the alert to ensure it doesn't negatively impact the system's performance.

Splunk Enterprise Security's ability to scale is good. I rate the scalability an eight out of ten.

The technical support is good.

Positive

Previously, I used QRadar, McAfee, and ArcSight. However, Splunk Enterprise Security is a more modern solution. While ArcSight from HP is powerful, it is an older system with limited flexibility and complex architecture. Many companies implemented SIEM systems before Splunk became available. It seems that most large companies might still be using ArcSight, but other competitors have entered the market since then.

McAfee attempted to develop a similar system, but it lacked scalability and was better suited for small businesses rather than larger enterprises. QRadar, on the other hand, remains robust, but it lacks Splunk's flexibility. One of Splunk's notable advantages is its ability to generate alerts and then allow users to enter searches and queries to investigate network activities and log data. This process, known as threat hunting, enables users to conduct specific searches, such as identifying individuals who accessed a particular system and the internet between four and five o'clock on a Friday. Splunk promptly provides the desired results, typically within a few minutes, making it a strong choice for this purpose. Additionally, Splunk Enterprise Security features a highly effective filtering mechanism.

I participated in the planning and implementation of Splunk Enterprise Security, as well as the creation of all rulesets and alerts. I am also configuring it to align with our technical framework.

Individuals who market Splunk Enterprise Security often claim that it can be deployed within half a day, which is quite amusing. While it is conceivable to perform the installation in that timeframe, the real complexity arises when we must establish connections with numerous systems. This involves accessing each system external to our main setup, configuring it, and directing the system to send its logs to Splunk. On the Splunk side, we encounter the need to create parsing mechanisms that allow proper data reading. This entails installing applications capable of correctly parsing the data, and addressing issues where parsing is inadequate. We then proceed to work with the data. Although Splunk provides some pre-configured rules, we also need to develop our own rules to identify specific events and potential attacks. The process of rule creation demands a substantial investment in writing rule sets. Additionally, integrating a threat intelligence framework becomes essential. We aspire to leverage the micro-framework we have established. Splunk Enterprise Security undeniably possesses considerable capabilities. Nevertheless, it necessitates continuous effort to unlock its full potential and achieve ongoing enhancements.

The solution's complete implementation may require up to one year. Throughout most of the deployment, we had a team of two members, occasionally expanding to three.

For the implementation, we used two integrators and Splunk Professional Services.

Considering the fact that Splunk Enterprise Security aids in thwarting attackers from gaining access to our environment, I would correlate this with a return on investment.

Splunk Enterprise Security's pricing is high. Larger companies may afford it, but I believe that in the current market situation, where everyone is facing challenges, financial resources are tight. Even stock market tech companies are embracing cost-saving measures. Expenses are now more constrained compared to a few years ago when companies had greater spending capacity. Companies are reluctant to make hefty payments. While Splunk is cheaper than Microsoft Sentinel, QRadar is priced at half the cost of Splunk.

Splunk Enterprise Security's licensing is typically determined by the data throughput we handle. Additionally, they offer an alternative pricing model which involves payment based on CPU usage. This newer model was introduced as a response to Elastic Security. However, Splunk enforces licensing in either scenario. 

I rate Splunk Enterprise Security a nine out of ten.

We do not monitor the cloud environments with Splunk. While we have several cloud environments, we avoid using Splunk for this purpose due to its high cost. To utilize Splunk, it would be necessary to place the Splunk engine in the cloud and gather all the logs from various cloud sources, resulting in substantial expenses due to the large volume of logs. As a result, our primary usage of Splunk is on-premise. Instead, we employ different systems to monitor the cloud, generating alerts through various security mechanisms. These alerts are then processed in Splunk, reducing both data traffic and costs.

Splunk Enterprise Security's capabilities to analyze malicious activities and detect breaches are similar to those of other systems. Its effectiveness depends on the rules we develop within it. To truly maximize its value and tailor it to the organization's needs, a significant amount of additional work and utilization of professional services are required.

The reduction of the alert volume presents a challenge due to the X number of personnel in the security alert center. They can effectively handle only Y alerts per day without experiencing fatigue. When the volume surpasses this limit, they tend to merely open and close alerts without thorough investigation. It's as if they've become weary of the process. Therefore, we must determine the optimal number of alerts per day and adjust the rules accordingly. The primary objective is to achieve a statistically reasonable number of alerts per day. This number should be somewhat higher than the current rate, but not three times greater, as exceeding this threshold would render their efforts ineffective. Conversely, if the number of alerts is too high, the personnel's capacity to take action is undermined, resulting in a lack of meaningful outcomes. Striking a balanced middle ground is imperative. This approach enables us to effectively identify and address crucial matters while ensuring our personnel can thoroughly investigate each alert.

Depending on the goals an organization aims to achieve, if their sole focus is on finding the most economical solution and they do not prioritize comprehensiveness, then QRadar would suffice. However, if they seek instant access to answers, I would recommend Splunk Enterprise Security.

Splunk Enterprise Security is deployed across our entire network.

Maintenance is necessary for the system, and updates are needed periodically. Whenever we acquire a new system, we must connect it to Splunk.

Resilience constitutes a crucial component of Splunk Enterprise Security, contributing significantly to the safeguarding of our system.

I recommend Splunk Enterprise Security for organizations that have the budget, time, and skill to properly utilize the solution. I do recommend paying for Splunk Professional Services.

We use Splunk Enterprise Security for various security use cases, including writing correlation searches. This has significantly improved both our use cases and correlation searches. We can leverage existing resources, making modifications as needed, rather than starting from scratch each time. Splunk Enterprise Security provides diverse use cases across different environments, including AWS, Azure, and multi-cloud setups, while also integrating with Microsoft Sentinel. Additionally, we can integrate Splunk's service orchestration product for further automation. Overall, this allows us to automate tasks that security analysts previously performed manually, such as reviewing incident dashboards. We can fine-tune alerts based on analyst feedback. Splunk's research team ensures that use cases are updated with the latest security content, enabling us to understand and implement necessary steps while customizing them to fit our company's needs. This is what makes Splunk Enterprise Security so popular; it streamlines processes compared to legacy security products that often rely on manual scripts. Clients, including government agencies and banks, are transitioning to Splunk Enterprise Security due to its reduced training requirements and comprehensive features. Everything is consolidated, simplifying training and certification. Additionally, integrating Splunk's service orchestration product further automates tasks and improves response times. The substantial investment in Splunk indicates its staying power; no other product on the market currently offers comparable capabilities. Cisco's acquisition of Splunk reinforces its potential for success, combining APM, data logging, and security portfolios. In one financial project involving 600,000 users, we were able to monitor all incoming traffic, identify security activities, and distinguish between legitimate and malicious traffic, including phishing attacks and potential identity-based threats. Splunk enables tracking individual identities, crucial for detecting attacks where perpetrators hide behind compromised identities, often leading to data breaches and other security incidents.

We implemented Splunk Enterprise Security to assist with AWS security, which includes GuardDuty, CloudTrail, CloudWatch, and Inspector. These AWS components generate compliance and security alerts, which we correlate and use to create dashboard reports and identify security events for various use cases. We then enable the out-of-the-box use cases and send notable events to the dashboard. The implementation is currently in its early stages.

Splunk Enterprise Security operates based on incoming data, making monitoring multiple cloud environments relatively simple due to data availability and integration capabilities. Data from cCloudRail, CloudWatch, Azure, and other diverse environments can be incorporated. While occasional patching might be necessary, most integrations are readily available, offering extensive coverage without customization. Specific customizations might still be required, but most functionalities are pre-built, leveraging code developed by Splunk. This efficient approach involves analyzing data from vendors like Palo Alto and applying add-ons to apply code and automate parsing.

Our visibility into various environments depends on how much data we incorporate; therefore, the more we scan, the better our visibility.

Splunk Enterprise Security's insider threat detection capabilities act as a secondary approval and vetting process, helping our organization ensure there are no unauthorized users.

The MITRE ATT&CK framework allows us to identify criticality levels, helping us respond to incidents. We might integrate incident response with a REST API, where a notable event triggers the creation of a ServiceNow ticket. Information flows from ServiceNow back to Splunk, which then feeds other systems, enabling bidirectional incident management. These processes are largely out-of-the-box, as Splunk integrates well with ServiceNow, except for any customizations. We understand the data integration requirements and leverage Splunk's extensive integration capabilities.

Splunk Enterprise Security does a good job of analyzing malicious activities and detecting breaches. The amount of information the research and threat detection teams receive from Splunk enables faster threat detection of up to 60 percent, eliminating the need to consult numerous sources. This efficiency is a key benefit of Splunk, as its significant investment in security allows for expedited processes.

I have seen the older legacy product where they have this manual process to identify issues, run scripts, try to identify the output, and then go through ten systems to collect data. This could take days. Now, with Splunk, we have everything correlated with multiple use cases, and we have a correlation search between multiple systems, along with application data. Splunk Enterprise Security can stitch all this information together and show it in a single pane of glass, which makes decision-making faster and allows us to focus on the relevant issues instead of wasting time on non-relevant ones. They have done this well.

Splunk Enterprise Security significantly reduced our alert volume. The initial challenge was dealing with a legacy IBM system that generated a massive amount of unfiltered noise, making it difficult to identify relevant events to send to the incident dashboard. This process was time-consuming and inefficient, and the value of the system wasn't apparent. To address this, we fine-tuned both the SOAR system and Splunk by applying filters and conditions to focus on relevant data. Ultimately, Splunk reduced the alert noise from 1,000 events in two hours down to ten, which were then grouped into a single notable event. Despite potentially having hundreds of background events, Splunk condensed this information into a single, actionable item, allowing us to focus on investigating the most relevant issues.

Splunk Enterprise Security accelerates our security investigations by reducing noise, allowing us to focus on relevant use cases. Everything is categorized as high, medium, or low priority, and people immediately start investigating high-priority issues connected to PagerDuty. Sometimes, this leads to on-call situations, sometimes immediate action. Service orchestration and playbook scenarios enable automated responses, like instantly blocking unauthorized access to a system. The possibilities for security use cases with playbooks and service orchestration are vast, and I'm excited to explore them further in the coming days.

The dashboards and reporting capabilities help to aid our security analysis.

We have integrated Splunk Enterprise Security with various services to streamline our security operations. This integration allows us to leverage diverse data sources for creating lookups, data models, knowledge objects, and regular expressions. By automating the development of use cases and regular expressions, we can apply them to data more efficiently, enabling faster implementation and analysis. This approach enhances our ability to detect and respond to security threats effectively.

Splunk Enterprise Security has enhanced our organization's security posture by providing comprehensive security compliance dashboard reports.

I appreciate how Splunk Enterprise Security connects users to the research team and threat documentation, providing access to current events impacting other clients, security vulnerabilities, and relevant use cases. The platform's daily updates offer valuable insights for enhancing our security posture.

Splunk Enterprise Security allows us to create custom dashboards by changing fonts and modifying widgets. Those familiar with XML coding can further personalize dashboards to align with frameworks such as MITRE. Alternatively, we have the option to use the pre-built dashboards.

I've noticed that onboarding data from various multi-cloud sources and diverse products, such as security network devices, can be challenging. Although Splunk has simplified data onboarding with features like data managers, they need to improve their out-of-the-box parsing capabilities. While they've made significant progress, covering about 70 percent of common products, there's still a 30 percent gap where manual configuration is required. This forces us to spend time understanding and writing custom parsing rules instead of focusing on data analysis. With Splunk's recent acquisition by Cisco, I'm hopeful they will prioritize enhancing this functionality and increasing their coverage to 90 percent or more.

I want to see Splunk Enterprise Security dashboards incorporate more features, such as out-of-the-box AI and user behaviour analytics, which are accessible within a single dashboard.

The technical support response time has room for improvement.

I have been using Splunk Enterprise Security for three years.

Splunk Enterprise Security has stability issues, especially with large data volumes, increased data intake, complex dashboards, custom models, and processing that significantly impact performance. Many customers experience this; even with demos using small datasets, performance degrades with millions of data points. This necessitates capacity planning, dedicated teams, and enforced best practices. These practices include restricting complex searches, blocking problematic users, and providing training to prevent performance degradation. Constant vigilance and proactive measures are crucial to maintaining a stable Splunk Enterprise Security environment. I would rate the stability of Splunk Enterprise Security five out of ten.

I would rate Splunk Enterprise Security's scalability six out of ten. We need to add more shared CPU memory and increase the capacity, and scaling requires a lot of planning and effort.

Splunk's support quality has declined in the past five years. Response times are now slower, and resolving an issue can take weeks. Submitting a ticket and connecting with the appropriate support agent often requires numerous emails and calls.

Neutral

To improve security coverage and user experience, we replaced our outdated legacy solution with Splunk Enterprise Security.

Our Splunk Enterprise Security cloud deployment utilizes a DevOps approach with a fully automated CI/CD pipeline. This automation has significantly improved our deployment speed, reducing the process from a week to a few minutes. Changes are made in the development environment and then automatically pushed to production after a click-through approval process. This streamlined workflow eliminates the previous manual process and associated delays, resulting in a faster and more efficient deployment cycle.

Splunk Enterprise Security's pricing is based on data volume, which generally suits large enterprises.

I would rate Splunk Enterprise Security eight out of ten.

Splunk is widely used across larger organizations. While large organizations often have extensive teams dedicated to Splunk projects and upgrades, smaller organizations can also use Splunk, taking advantage of more affordable pricing options like the free tier for limited data. Cost isn't a significant concern for larger organizations, who prioritize Splunk's security features and are willing to invest in its capabilities.

Splunk Enterprise Security is deployed across all departments, processing millions of data points. Over 500 people manage this data: building dashboards and reports, working with Enterprise Security, discussing use cases, and creating custom data models. This represents a massive effort for any large organization where every department utilizes Splunk.

Government departments are transitioning to Splunk, with daily onboarding increasing the current user base of 5,000.

Because the deployment is cloud-based, the Splunk DevOps team handles maintenance.

Splunk offers a resilient SIEM solution with comprehensive capabilities for research and a wide range of use cases. It is constantly updated, ensuring it remains a valuable and comprehensive SIEM package.

I recommend Splunk Enterprise Security. It is an excellent tool widely used by many organizations, making it a valuable choice for security information and event management.

We gather all the security logs from all the endpoints, network appliances, and the security filter. We have set up automatic alerts that are sent to system administrators, so we have pretty much real-time alerts about anything that happens. 

Splunk Enterprise Security has definitely improved my organization. First of all, it helps with compliance. Our organization has something called scorecard requirements. It is an annual self-check checklist. Having alerts set up is one of the requirements, and secondly, we have a local administrator who gets the alerts. That makes our job a lot easier. So, we pretty much know what is going on in a real-time setting.

We are the judicial branch of the government, so we are pretty much into our private cloud. We do have a setup to monitor our private cloud but not outside our organization. If we can monitor one cloud, multiple clouds will not be hard at all. It is easy.

Splunk has absolutely reduced our mean time to resolve. Knowing on time and having firsthand information is very helpful for any organization. We are able to capture what is going on, and the visibility of it is absolutely tremendous. I cannot provide the metrics, but it has saved a lot of time.

Splunk has absolutely improved our organization’s business resilience. We have been using Splunk for the last six or seven years, and I cannot imagine a life without Splunk. 

In terms of Splunk’s ability to predict, identify, and solve problems in real-time, this is something that we will look into. We have not yet looked into machine learning, AI, and all of Splunk. Currently, we are more in the reaction mode, but we are trying to get more in the protection mode or have more proactive measures. We have not got to that point yet, but we will definitely be there.

I am not into the administrator type of setup. I am more like an advanced user. The most useful feature for me is the ability to create different kinds of alerts and set a different kind of denominator that will capture the real event. That is helpful for a power user like me.

Splunk conferences are very helpful for networking and talking to folks who have a similar situation. It would be helpful for customers if they could create some real-world cases, and we can find a case study to align with. I know that Splunk has tremendous potential. We only include a tiny piece of it. There is a lot of stuff that we need to learn. If Splunk can provide more real-time examples, that will be helpful for customers.

It has been six or seven years. 

Splunk has a reputation for being scalable. You can start small, and if your demand increases, you can scale your platform. Splunk does a good job. It allows customers to have scalability so that they can expand their capacity. I would rate it a ten out of ten in terms of scalability.

In our company, we have a Splunk consultant who is very good at providing a solution. So far, I have not had any problem that is unresolved. I would rate their support a ten out of ten. In this industry, there is good support, and there is bad support. Splunk's support is more like Cisco's support. It is pretty good.

Positive

We used something else, but I do not remember the name. Splunk is what we have been using for a long time. It is more advanced in terms of IT security. There is more scalability and the capability to do a lot of different things on multiple platforms. This is where it is more advanced than other products.

I was not in the deployment team, but I was involved in the early stage of evaluating all different kinds of products.

There are a lot of things for which you can measure a return on investment, but security is something on which it is hard to put a dollar value and measure how much return you have got. However, in terms of helping the administrator or helping the company to put security in place, Splunk does a great job. I cannot imagine a life without Splunk.

The pricing is a little bit on the higher side, but looking at what Splunk provides us, it is reasonable.

We evaluated what was on the market, and fortunately, we picked Splunk. Looking back, it was the right decision.

Splunk is moving in the right direction and providing better and more mature products. This is my fifth conference, and I see the progress. I see Splunk bringing in all new products. They are pretty much in line with the security trends. They have improved a whole lot to meet customers' needs.

I would rate Splunk Enterprise Security a ten out of ten.

Splunk Enterprise Security offers a wide range of capabilities that benefit our organization. This includes user behavior analytics, which helps us identify suspicious activity. Additionally, Splunk Enterprise Security allows us to create custom alerts for various internal security needs.

Splunk has been instrumental in improving our incident response time, especially for user authentication issues. It excels at detecting anomalous behavior, such as brute force attacks or multiple login attempts from a single source. This allows us to quickly identify and address potential security threats, making Splunk a vital tool for our cybersecurity incident response efforts.

The asset and identity management feature strengthens our overall security posture. This system relies on the creation of security roles by administrators. These roles then determine access permissions based on the principle of Role-Based Access Control. In this way, access is carefully controlled and assigned based on specific job duties. It's important to note that administrators retain a high level of access and make final decisions regarding access permissions.

Splunk offers a variety of dashboards, including real-time dashboards that update continuously. These dashboards complement Splunk's real-time alerts by providing a visual overview of our system's health. They can be built to leverage different Splunk resources, like indexes, search clusters, and host clusters. This allows us to monitor key metrics and identify potential issues in real-time, helping us maintain a healthy and efficient system.

Our SoC and Analytics teams use Splunk to monitor multiple cloud environments.

The visibility into multiple environments is good.

The insider threat detection is valuable for our organization because it helps us identify unknown threats. While we leverage existing threat intelligence for known threats through signatures and endpoint protection tools, these methods have limitations. Since they rely on predefined information, they can't be readily integrated with Splunk to monitor for and generate alerts based on these known threats. Splunk's strength lies in its ability to detect anomalies and suspicious user behavior, which can be crucial for uncovering insider threats that might bypass traditional signature-based defenses.

Splunk Enterprise Security excels at analyzing malicious activity. Our team has created several use cases to identify such activity. These use cases focus on data patterns that might indicate malicious intent, such as a sudden increase in login attempts or logins occurring outside of regular business hours. Additionally, we can identify brute force attacks attempting to crack passwords through repeated login attempts. This allows us to effectively monitor for and respond to potential security threats.

It has improved our detection ability and has helped reduce our alert volume to a manageable level.

Splunk has helped speed up our security investigation.

Splunk stands out for its extensive application integrations. It boasts a user-friendly interface with intuitive features that are easy to understand and navigate for technical users. This accessibility is a major reason why I find Splunk so appealing.

The user interface is not user-friendly for non-technical users. 

I have been using Splunk Enterprise Security for three and a half years.

Splunk Enterprise Security is extremely stable.

Splunk Enterprise Security is easily scalable.

We have only had minimal contact with Splunk technical support.

Neutral

The initial deployment is straightforward.

Splunk Enterprise Security is affordable.

While affordability is important, I recommend Splunk Enterprise Security over the cheapest option on the market. This is because Splunk offers a robust feature set that justifies its cost.

I would rate Splunk Enterprise Security nine out of ten.

We have Splunk Enterprise Security deployed across multiple locations.

Splunk Enterprise Security requires minimal maintenance.

I recommend Splunk Enterprise Security as a scalable and reliable solution for both on-premises and cloud environments.