Tejas Shah - PeerSpot reviewer
Splunk Certified Architect at Data Elicit Solutions Pvt. Ltd.
Real User
Top 5
Feb 25, 2026
Data insights have improved security operations and now streamline threat detection and response
Pros and Cons
  • "Summing up everything from a SIEM and security point of view, I think Splunk is by far the best product that I have been using since my work experience."
  • "One improvement I want to foresee is that the AI or agent needs to be fed with accurate data, not false data, so that whenever it performs automation on your behalf, it doesn't misconfigure anything."

What is our primary use case?

When we talk about Splunk Enterprise, I have seen clients using it for their data analysis, collecting the logs and preparing meaningful insights out of it, like having dashboards created from the data that they ingest into Splunk. Apart from that, there is a SaaS platform that Splunk provides which is called the Splunk Cloud platform; it provides similar functionality, but the end-to-end config management is handled by Splunk directly. You just have access to the Splunk search head where you log in and can search the data you ingest into Splunk Cloud. Regarding Splunk Enterprise Security, I have seen customers using it for security use cases and to ensure that the environment or organization is not impacted by any SOC threats; basically, they use it for both detection and mitigation.

Customizing and developing new detections in Splunk Enterprise Security are quite simple since I have got experience with it for more than four years. I am quite familiar with it and enjoy working through that as well.

I do use disparate security solutions that integrate or import data into Splunk Enterprise Security.

The security operations are supported on a very great scale because let's say we have written n number of detections; we also need to ensure that we don't get alerted or notified on false positives. There is a dashboard in Splunk Enterprise Security that displays all the detections identified as a potential risk or alert to the environment. From there, you can triage the work to investigate deeper into it, and from the dashboard, you can drive it towards closure, with different drill-down options to investigate how a particular event was identified as a risk event and whether it was a false positive. If it wasn't a false positive, you can dive deeper into it using different response actions as well; all these customizations can be done and they support any third-party response actions that you want to apply to the Splunk Enterprise Security detection you have.

What is most valuable?

What I like about Splunk Enterprise Security is the way it is able to correlate or ingest any kind of data from any product or source, alert and adapt the whole data as it is, and then provide it in a single visualization format. It handles and provides you options for customizations and different options for alerting as well. Summing up everything from a SIEM and security point of view, I think Splunk is by far the best product that I have been using since my work experience.

Splunk Enterprise Security has indeed helped improve the organization's business resilience. I don't have specific numbers for sharing purposes, but on a quarterly basis, I have seen Splunk helping the resilience and assisting the business greatly in terms of avoiding SOC threats.

What needs improvement?

You need to adapt to new changes constantly and be sure of new learnings in Splunk Enterprise Security; that is the only challenge I would say. However, I don't see it as a problem because if resources are available for you to understand new changes and how detections are managed or how to incorporate advanced threat intelligence frameworks, there is no huge challenge in integrating it with Splunk Enterprise Security. You need to know what things you want to click on the UI; if you are aware of that, there is no challenge. It is just constant learning that you have to give yourself to learn and grow for your own better self.

One improvement I want to foresee is that the AI or agent needs to be fed with accurate data, not false data, so that whenever it performs automation on your behalf, it doesn't misconfigure anything. Trust in the product relies on the AI being reliable and trustworthy, ensuring 100% accuracy and avoiding false positives.

I would say Splunk's ability to predict, identify, and solve problems in real time is near accurate; I cannot confirm that it is 100% since none of the systems are. It definitely alerts you on what particular time you need to be notified. However, to achieve near 100% accuracy, how you handle the searches running in your environment and stagger them is important to avoid overwhelming server resources. Splunk provides features to adjust time zones and write custom schedules; there is no challenge with that. However, there will always be delays, so it is about how you ingest the data; if the source is behind the Splunk server's timezone, that could impact results.

For how long have I used the solution?

I have been working with Splunk for almost six years now.


What do I think about the stability of the solution?

So far, we have not faced any downtime or performance issues with Splunk; there can be outages, but we are automatically notified when they occur, and the team works on resolution. Since we are using Splunk Cloud, we receive notifications directly from them.

What do I think about the scalability of the solution?

I would say Splunk is quite scalable, and we are definitely making the most out of it. Our company was involved in delivering sessions at splunk.conf last year, showcasing how we utilize Splunk and the solutions provided, indicating that we are scaling quite effectively.

How are customer service and support?

I would rate the Splunk support team an eight or nine out of ten; this rating is based on my experience of being part of the partner team that delivered Splunk support. The support depends on the partner, and I appreciate having a dedicated account manager for our customer account, ensuring effective handling of operations and issues. No one can have 100% knowledge, and while there might be delays in response, the support team effectively isolates problems and finds solutions, adhering to an escalation policy that keeps customers updated and satisfied.

Which solution did I use previously and why did I switch?

Since I have worked more with Splunk, I am somewhat biased but I would say understanding and writing queries to analyze your ingested data is simpler in Splunk and in other products such as Sumo Logic as well. However, no product can match the level of customization and visualization that Splunk can build; you can create reports, dashboards, and present these in a business fashion, which is unmatched.

How was the initial setup?

Deploying Splunk is a piece of cake for me; since I have got so much experience, deploying any kind of environment is not a challenge. I am still in the evolving phase as I started my professional journey with Splunk in 2019. I have made numerous deployments for different testing purposes, replicating customer challenges in our test environment to address their issues directly.

What was our ROI?

That is a bit subjective, I would say because in the Indian market, people often look for alternative solutions to avoid spending more. However, I have seen great satisfaction levels among companies that have utilized Splunk, including the one I am working for now, which has been renewing Splunk licenses over the past decade. If Splunk were not that great, people would not keep renewing it over the years; there is an option for good return on investment, but eventually, people try to find alternatives to save on expenses for R&D or other purposes.

What's my experience with pricing, setup cost, and licensing?

I am not very much aware of the licensing since we are service providers for Splunk or Cribl or DataDog, but I do know Splunk provides licensing in two different ways: SVC-based licensing and ingest-based licensing. The old model charged based on the volume of data ingested on a daily basis, while the current SVC-based model charges based on the compute utilized for searching that data, regardless of volume.

Which other solutions did I evaluate?

All over the globe, it is the AI and agent era, and Splunk is also a part of it having introduced Splunk AI as part of its cloud platform features, eventually to be released in on-prem solutions as well.

What other advice do I have?

I usually do not manage or investigate the alerts that have been triggered; I work on building and managing the use cases, optimizing them. The analyst team works on the incidents but from what I have heard, before I joined the current organization there were a lot of changes required to be made internally in the product itself and the way we were writing optimizations. But afterwards, we defined a clean process and the mean time to closure or mean time to resolve had reduced drastically by almost 60 to 70% compared to what it was previously.

It is not that we are limited to risk-based alerting in Splunk Enterprise Security; we are using threat intelligence and we have recently configured SOAR as I just mentioned. Additionally, we are using UBA for user behavioral analytics.

We have definitely seen benefits from the threat detection and threat intelligence capabilities in Splunk; we apply risk scores and threat scores to our detections and to the attributes we want to identify or flag as potentially high-risk or high-threat objects. This helps us prioritize the tasks we want to start our daily task with; it definitely helps with understanding the priority tasks to be worked upon. We also make sure to update our threat feeds regularly since we need to stay on top of all the threat findings globally, ensuring we identify all malicious IP addresses or any file hashes that have been tracked as a threat and are publicly available.

I would advise organizations considering Splunk to stick to the fundamentals; as long as you understand how Splunk operates and the functions of its different components, you won't face challenges in troubleshooting or understanding errors. I would rate this review a ten out of ten overall.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: MSP
Last updated: Feb 25, 2026
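The scheduling point in the review above (stagger your scheduled searches, and expect delays when a source's clock or pipeline lags the indexer) is worth seeing concretely. The following is an added example, not code from the reviewer or from Splunk: a small simulation of a detection that runs every five minutes over five minutes of event time. Events that arrive after their window has already been searched are never seen by any run unless the search window lags behind wall-clock time. The events, timestamps and the 300-second lag are constructed; the helper that spreads searches across cron minute offsets assumes standard 5-field cron syntax.

```python
"""Added example (not from the review, not Splunk code): a scheduled
detection that searches by event time misses late-arriving events unless
the search window lags behind wall-clock time, plus a helper that staggers
cron schedules so searches do not all fire on the same minute.

Model: every event has an event timestamp set by the source (`_time`) and
an index timestamp set when the SIEM received it (`_indextime`). A run at
wall-clock `run_at` can only see events already indexed at that moment.
All timestamps and events below are constructed.
"""
from dataclasses import dataclass

WINDOW = 300  # each run searches 5 minutes of event time; runs are 5 minutes apart


@dataclass(frozen=True)
class Event:
    time: int        # event time in seconds (source clock)
    index_time: int  # arrival time at the indexer
    msg: str


# Constructed sample. Run boundaries are t=1000, 1300, 1600.
# Event B has an event time inside the 700..1000 window but arrived 140 s
# late (source clock behind the indexer, or a slow forwarder), after the
# run at t=1000 had already searched that window.
EVENTS = [
    Event(time=720, index_time=722, msg="A: on-time event"),
    Event(time=950, index_time=1090, msg="B: late event, 140 s of lag"),
    Event(time=1100, index_time=1101, msg="C: next window, on time"),
]


def scheduled_run(events, run_at, lag=0):
    """One scheduled run at wall-clock `run_at`.

    Searches earliest <= _time < latest, where latest = run_at - lag. This is
    the effect of setting the search's latest time to "-<lag>" instead of
    "now". Only events already indexed by `run_at` are visible.
    """
    latest = run_at - lag
    earliest = latest - WINDOW
    return [e for e in events
            if earliest <= e.time < latest and e.index_time <= run_at]


def missed_events(events, runs, lag=0):
    """Messages of events that no run in `runs` ever returned."""
    seen = set()
    for run_at in runs:
        seen.update(e.msg for e in scheduled_run(events, run_at, lag))
    return sorted(e.msg for e in events if e.msg not in seen)


def stagger_cron(n_searches, period_minutes=5):
    """Spread `n_searches` searches that each run every `period_minutes`
    over distinct minute offsets instead of all firing on '*/5'.

    Assumes the scheduler accepts standard 5-field cron; offset i gives
    'i-59/period * * * *'. Offset 0 is equivalent to '*/period'.
    """
    if n_searches > period_minutes:
        raise ValueError("more searches than minute slots in one period")
    return [f"{i}-59/{period_minutes} * * * *" for i in range(n_searches)]


if __name__ == "__main__":
    runs = [1000, 1300, 1600]
    print("missed with no lag:   ", missed_events(EVENTS, runs))
    print("missed with 300 s lag:", missed_events(EVENTS, runs, lag=300))
    for cron in stagger_cron(3):
        print("cron_schedule =", cron)
```

With no lag the run at t=1000 searches 700..1000 before event B has been indexed, and the run at t=1300 searches 1000..1300, so B is never seen. With a 300-second lag the same window is searched one run later and both A and B are found. In savedsearches.conf terms this is the difference between `dispatch.earliest_time = -5m@m` / `dispatch.latest_time = now` and `dispatch.earliest_time = -10m@m` / `dispatch.latest_time = -5m@m`; the lag should be at least the worst observed gap between `_time` and `_indextime` for the sources the search covers.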
Jeffrey Bain - PeerSpot reviewer
Sr Manager Global Security Operations at a financial services firm with 10,001+ employees
Real User
Top 5
Sep 13, 2025
Standardized investigations and fraud detection have improved team efficiency significantly
Pros and Cons
  • "It's standardized and easy to use, so you don't have to have a lot of top-tier analysts to do the same job."
  • "Splunk Enterprise Security can be improved by bringing back some of the operational use cases."

What is our primary use case?

My main use case for Splunk Enterprise Security is security eventing.

What is most valuable?

The features of Splunk Enterprise Security provide a standardized platform for investigating.

The content libraries are helpful. In our organization, we don't use them a lot. We will use them as ideas and rebuild them into what our needs are.

It's standardized and easy to use, so you don't have to have a lot of top-tier analysts to do the same job.

The investigations plane and use case library have been beneficial.

We utilize Splunk Enterprise Security for our fraud team using pure ES. We use all the fraud features, and that's been incredibly helpful.

The detection rate and prevention rate have gone up 30 times compared to when they were working on a spreadsheet. The fraud team loves it.

Once we move over to 8.2, we're going to utilize more of the built-in features.

I appreciate the visual control and the investigations plane, though that will be a major migration for us.

What needs improvement?

Splunk Enterprise Security can be improved by bringing back some of the operational use cases. When Splunk developed ITSI, they took a lot of information or use cases out of ES, where operational use cases can also be security use cases. Those two products need to be more migrated to each other. In the next release of Splunk Enterprise Security, there should be more reporting options.

For how long have I used the solution?

I have been using Splunk Enterprise Security for nine years.

What do I think about the stability of the solution?

I would assess the stability and reliability of Splunk Enterprise Security as excellent. I've had no problems with downtime, crashes, or performance issues.

What do I think about the scalability of the solution?

Splunk Enterprise Security scales with the growing needs of my organization just fine. The licensing for ingest is a different story.

How are customer service and support?

I would evaluate customer service and technical support for Splunk Enterprise Security as lacking. The service engineers that we've been getting as part of our weekly or bi-weekly calls with our salesperson, where they've assigned an engineer, have decreased tremendously in quality and expertise over the last few years. People on the team that really know Splunk know a lot more than they do, and it's evident because they don't try anymore. We can still get expert help when we need it.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Prior to adopting Splunk Enterprise Security, I was not using another solution to address similar needs.

How was the initial setup?

I would describe my experience with deploying Splunk Enterprise Security as easy. The KV store setup was straightforward.

What was our ROI?

I have seen ROI with Splunk Enterprise Security.

What's my experience with pricing, setup cost, and licensing?

My experience with pricing, setup cost, and licensing for Splunk Enterprise Security has been fine. We've renewed since Cisco took over.

What other advice do I have?

My advice to other organizations considering Splunk Enterprise Security is to follow the documentation and not build your own stuff.

On a scale of one to ten, I rate this solution a nine.

Which deployment model are you using for this solution?

Hybrid Cloud

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
DevOps&Cloud Engineer Mentee at CertDirectory.io
Real User
Top 20
Jun 27, 2025
Reduces alert fatigue, and it's well-documented and well-designed
Pros and Cons
  • "Splunk Enterprise Security is fast and well-documented, and user interface and user interaction are well-designed compared to other SIEM solutions."
  • "Splunk Enterprise Security is great but can have some frustration points. It can sometimes be slower to use."

What is our primary use case?

My main use case is for log management and checking the logs. We have rules running in Splunk Enterprise Security. We are using it as a main SIEM solution for our customers.

How has it helped my organization?

Alert fatigue is a common issue with security solutions, but Splunk Enterprise Security reduces alert fatigue. When we encounter real incidents, we get to dive deeper to check out the main cause of that incident. It is useful because it reduces alert fatigue.

What is most valuable?

The best feature of Splunk Enterprise Security is the documentation. Splunk Enterprise Security's documentation is well-organized. For example, if you have a problem or if you want to read about what you're looking for, you can easily go there and read from the documentation. It also has many resources worldwide. It is a de facto standard of the SIEM solutions. For example, I have used IBM QRadar, which is another solution many companies are using.

One of the most beneficial use cases for me is that Splunk Enterprise Security is fast. I cannot speak to how the SIEMs work in the backend, but I can say it is fast to find any logs. 

Its UX and UI experience is getting better. It is much better than one year ago. Some of the buttons and other features are much easier to locate and choose. The user interactions are much better than one year ago. The advanced queries are much faster. The UI design is much better. That is one of the best changes that happened in one year.

What needs improvement?

AI is an area that has room for improvement in Splunk Enterprise Security. I would say that AI plays a significant role in many of the cybersecurity tools I've used, not just Splunk. Many AI tools offer some form of assistance. By "AI assistance," I mean that while AI may not have complete knowledge of all customer flow data, it can still help engineers who often encounter unfamiliar situations. For example, during incidents, a large volume of logs can be generated, and it can be difficult to analyze all of them in a timely manner. In such cases, AI tools can be beneficial, even if they are not universally applicable. Certain events, like denial-of-service attacks, can result in massive log flows, which complicate detection and response efforts. Additionally, there may be similar collective issues affecting multiple customers.

Many cybersecurity tools incorporate some limited AI capabilities, which can assist operators. For instance, if a specific endpoint security issue arises with a customer, AI can help identify potential causes and suggest improvements. In my experience, most cybersecurity operators and companies rely on security tools that may not offer full-fledged SIEM solutions but do provide integrated security functionalities such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). My expectation is that even small, incremental integrations of AI will significantly enhance these tools' effectiveness.

For how long have I used the solution?

I have been using the solution for approximately one year. I used it for 12 months in the company.

What do I think about the stability of the solution?

It's stable. I would rate it a ten out of ten for stability.

What do I think about the scalability of the solution?

The scalability of Splunk Enterprise Security rates as an eight out of ten. I have not used the scalability option, but I would say the other procedures and processes are flawless. Scalability might be the same.

How are customer service and support?

I have not reached out to their technical support because whenever I have an issue, I use the documentation rather than reaching out to technicians. When there is an issue, people need swift assistance to solve it. People do not want to wait, so I mainly use the documentation.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I have worked with other SIEM solutions. Splunk Enterprise Security is great but can have some frustration points. It can sometimes be slower to use. On the other hand, when I use IBM QRadar, it rarely experiences slowdowns, especially when using the Incident Command Module (ICM). In the case of Splunk Enterprise Security, the speed might be affected by the number of systems in use or possibly due to how the security engineers configure it. As an operator, I find that the speed is a reason I would rate it an eight out of ten. Overall, it's very fast and accurate, and the user interface is excellent for various uses, such as querying data. However, I do notice that it can be slightly slower compared to other large enterprise solutions.

How was the initial setup?

Most of the time, it is deployed on-premises. We don’t rely heavily on cloud solutions, although we have explored them a bit. Our customers, particularly in the financial industry, tend to prefer on-premises systems due to their concerns about cloud security.

Having good documentation is helpful for deployment. If the documentation is lacking, it can be challenging. The ease of navigating the systems really depends on a person's experience. 

The duration varies depending on the company. I can't give a specific answer because it depends on several factors, such as the number of people working in the system, the number of endpoints, and how many on-premises servers are running. In my case, I haven't experienced a full deployment, as I've only deployed a few endpoints and on-premises services. This process took just a couple of days for me, but I haven't dealt with a large-scale on-premises deployment. When I joined the company, they were already using Splunk for various on-premises services, so I haven't gone through a complete zero to one hundred type of scenario.

Splunk Enterprise Security absolutely requires maintenance, but I don't deal with maintenance. It needs maintenance, but I have not encountered much of it. 

What was our ROI?

From a return on investment standpoint, Splunk Enterprise Security saves a lot of time. I have used other SIEM solutions, and they are not so great. They create lots of exhaustion and frustrating periods of checking queries, and the response times are slower. This leads to a lot of frustration because many companies don’t rely on just one SIEM tool; they often use multiple alternatives simultaneously.

The documentation for Splunk Enterprise Security is outstanding. It is well-organized and easy to access. You can simply go to the Splunk documentation website, search for what you need, and by the end of the day, you’ll have a great solution for any issue you encounter with Splunk Enterprise Security. In contrast, other SIEM tools often lack this level of documentation, which is quite disappointing. 

Splunk Enterprise Security also excels with its user interface. It is easy to navigate and integrates seamlessly with other services, which is a significant advantage. You can easily search for solutions, try out different features, and create reports.

As a security operator, one of our main responsibilities is writing reports. If an issue arises, clients will often ask, “What happened around noon? Can you explain the main issue?” Other SIEM tools can make it difficult to find the appropriate buttons or functions to navigate and analyze these incidents. However, with Splunk Enterprise Security, you just look up the documentation, write what you’re searching for, and apply the same rules in Splunk Enterprise Security. Everything is easy to follow, and the system works effectively. In summary, I would say that the well-documented guidance is one of the most valuable aspects for saving me time.

What other advice do I have?

I have not used the advanced correlation capabilities so much because mainly all of them are running. Specifically, I have not gone very deep into the use case of Splunk Enterprise Security. I have used advanced queries a couple of times. For example, there was a sort of attack, a false positive attack. We had to check out all the timelines or block queries to find out what might have happened or what the reason was for the false positive. I used that and it is quite fast.

I have not used the risk-based alerting feature. It is more for log management and checking the log flow. 

Whenever you want to apply for any exams, such as the SOC exam or Blue Team certification exams, they mainly ask for Splunk rather than other SIEM solutions. For me, it is overall the best SIEM solution to use.

I can recommend Splunk Enterprise Security to other users. It is fast and well-documented. User interface and user interaction are well-designed compared to other SIEM solutions. It is a great SIEM tool.

I would rate Splunk Enterprise Security an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
SOC Manager at a real estate/law firm with 1,001-5,000 employees
Real User
Top 10
Sep 13, 2025
Investigation efforts have improved while search complexity still requires attention
Pros and Cons
  • "The investigation feature helps the team seamlessly put everything together, providing a consistent view of all relevant artifacts for incidents."
  • "Splunk Enterprise Security can be improved with better triage capability and less dependency on running SPL searches, which would allow analysts who may not have much experience in writing SPL searches to still use the tool and run investigations."

What is our primary use case?

Our main use cases for Splunk Enterprise Security include security, detection, and incident response.

How has it helped my organization?

The data model benefits our organization by making it easy for the team to get data into Splunk, and field tagging is particularly helpful.

What is most valuable?

The features of Splunk Enterprise Security that I most appreciate are CIM, the data model, the search capabilities, and the investigation feature embedded into Splunk version 8.

The investigation feature helps the team seamlessly put everything together, providing a consistent view of all relevant artifacts for incidents.

Splunk's ability to predict, identify, and solve problems in real-time is exceptional due to its ease of data ingestion and comprehensive search capabilities with various options.

I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security to be excellent, especially with the new Mission Control included in Splunk Cloud version 8. It is really easy to use.

We are sending data directly to Splunk Cloud without any broker or pipeline in between. Our organization does not use risk-based alerting in Splunk Enterprise Security yet, and our SecOps team has not measured incident remediation times compared to our previous solution.

I would advise other organizations considering Splunk Enterprise Security to check their business case, considering the number of systems and amount of data to determine if it is the right tool in terms of the licensing model. If they decide to implement Splunk Enterprise Security, getting professional support is crucial.

One of our decision drivers was the customer support, which we found to be very responsive based on feedback from other customers. Additionally, the ability to extend the license for IT-related topics provides flexibility to leverage the platform across all departments, not just security - a unique feature compared to other SIEM tools.

What needs improvement?

Splunk Enterprise Security can be improved with better triage capability and less dependency on running SPL searches, which would allow analysts who may not have much experience in writing SPL searches to still use the tool and run investigations.

For how long have I used the solution?

We are still at the beginning, just four months into using Splunk Enterprise Security.

What do I think about the stability of the solution?

I assess the stability and reliability of Splunk Enterprise Security as generally good. We had a few glitches, but nothing serious, and when we needed to raise cases with the support team, they were quickly resolved, particularly an issue on the indexer level.

What do I think about the scalability of the solution?

Splunk Enterprise Security scales effectively with our growing needs. As a global organization, we first started with three regions, and when we were about to move to include the last region, it was easy to increase the license and onboard the new region seamlessly.

How are customer service and support?

I would evaluate customer service and technical support for Splunk Enterprise Security as excellent, particularly our sales representative, who is exceptional. On a scale of one to ten, I would rate customer service and technical support as a nine.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Prior to adopting Splunk Enterprise Security, we were using QRadar from IBM, but we wanted a modern and state-of-the-art SIEM, which led us to choose Splunk Enterprise Security.

How was the initial setup?

The deployment was the best that I have gone through so far. We had the professional support, which is something I recommend everyone do, which is like introducing Splunk and having the Splunk professional support personnel advising and supporting through the implementation phase.

What about the implementation team?

We had professional support, which I recommend to everyone introducing Splunk Enterprise Security, to have professional support advising and supporting them through the implementation phase.

What was our ROI?

The return on investment from Splunk Enterprise Security is still to come.

What's my experience with pricing, setup cost, and licensing?

My experience with pricing, setup cost, and licensing for Splunk Enterprise Security was positive. We had an excellent sales representative. The licensing model was fair and good compared to other tools we evaluated. The storage-based licensing was the best model that fit our requirements, though it may change as we evolve and ingest more data.

What other advice do I have?

I rate this product seven out of ten. Nothing is perfect, and there is still room for improvement.

Which deployment model are you using for this solution?

Public Cloud

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
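The review above credits CIM, the data model and field tagging with making it easy to get data in and search it consistently. As an added example (not the reviewer's code and not Splunk's CIM implementation), the block below shows what that normalization buys: two constructed log formats, a key=value Windows logon event and a Linux sshd line, are mapped to a few Authentication data-model style fields (action, user, src, dest, app) plus tags, and a single failed-logon detection then runs over both sources at once. The log lines, the field subset and the threshold of three failures are constructed; event IDs 4624 and 4625 are the real Windows success and failure logon events.

```python
"""Added example, not from the review and not Splunk's CIM implementation:
why normalizing to a common information model matters. Two constructed log
formats are mapped to a handful of Authentication data-model style fields,
and one detection then runs over the normalized records regardless of
where they came from. Per source, neither host sees enough failures to
alert; across both sources the same user from the same IP does.
"""
import re
from collections import Counter

# Constructed sample: one source address tries "alice" on a domain
# controller and on a Linux host.
WINDOWS_LINES = [
    "EventCode=4625 Account_Name=alice Workstation_Name=WS01 Source_Network_Address=10.0.0.5 ComputerName=DC01",
    "EventCode=4625 Account_Name=alice Workstation_Name=WS01 Source_Network_Address=10.0.0.5 ComputerName=DC01",
    "EventCode=4625 Account_Name=bob Workstation_Name=WS02 Source_Network_Address=10.0.0.9 ComputerName=DC01",
    "EventCode=4624 Account_Name=bob Workstation_Name=WS02 Source_Network_Address=10.0.0.9 ComputerName=DC01",
]
LINUX_LINES = [
    "Jan 10 10:01:02 web-01 sshd[1234]: Failed password for alice from 10.0.0.5 port 51234 ssh2",
    "Jan 10 10:01:05 web-01 sshd[1234]: Failed password for invalid user alice from 10.0.0.5 port 51236 ssh2",
    "Jan 10 10:02:00 web-01 sshd[1240]: Accepted password for bob from 10.0.0.9 port 51300 ssh2",
]

SSHD_RE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+)"
)


def parse_windows(line):
    """Map a key=value Windows logon event to normalized fields.
    4624 = successful logon, 4625 = failed logon."""
    kv = dict(pair.split("=", 1) for pair in line.split())
    code = kv.get("EventCode")
    if code not in ("4624", "4625"):
        return None  # not an authentication event
    return {
        "action": "success" if code == "4624" else "failure",
        "user": kv["Account_Name"].lower(),
        "src": kv.get("Source_Network_Address"),
        "dest": kv.get("ComputerName"),
        "app": "win:security",
    }


def parse_sshd(line):
    """Map an sshd password-auth line to the same normalized fields."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {
        "action": "success" if m["result"] == "Accepted" else "failure",
        "user": m["user"].lower(),
        "src": m["src"],
        "dest": m["host"],
        "app": "sshd",
    }


def normalize(windows_lines, sshd_lines):
    """Normalized authentication records with tags; non-auth lines dropped."""
    records = []
    for line in windows_lines:
        rec = parse_windows(line)
        if rec:
            records.append(rec)
    for line in sshd_lines:
        rec = parse_sshd(line)
        if rec:
            records.append(rec)
    for rec in records:
        rec["tag"] = ["authentication", rec["action"]]  # tags a data model would key on
    return records


def failures_per_source(records):
    """What a per-source rule would count: (app, user) -> failed logons."""
    return Counter((r["app"], r["user"]) for r in records if r["action"] == "failure")


def failed_logon_burst(records, threshold=3):
    """Detection over the normalized model: users with >= threshold failed
    logons across all apps, with the sources and apps involved."""
    by_user = {}
    for r in records:
        if r["action"] != "failure":
            continue
        entry = by_user.setdefault(r["user"], {"count": 0, "src": set(), "app": set()})
        entry["count"] += 1
        entry["src"].add(r["src"])
        entry["app"].add(r["app"])
    return {u: {"count": e["count"], "src": sorted(e["src"]), "app": sorted(e["app"])}
            for u, e in by_user.items() if e["count"] >= threshold}


if __name__ == "__main__":
    recs = normalize(WINDOWS_LINES, LINUX_LINES)
    print("per-source failures:", dict(failures_per_source(recs)))
    print("cross-source hits:  ", failed_logon_burst(recs))
```

Per source, alice has two failures on the domain controller and two on the Linux host, below a threshold of three either way; over the normalized records she has four from one address, which is the kind of cross-source view a single data model gives every detection for free once the field mapping is done at onboarding time.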
Yevheniy Moyko - PeerSpot reviewer
Cyber Security Engineer at Underdefense
Real User
Top 5
Apr 14, 2026
Risk-based alerts have transformed our incident response and reporting to executives
Pros and Cons
  • "Overall, Splunk Enterprise Security has reduced our MTTR by approximately 30%."
  • "Beyond support, the pricing tier of Splunk Enterprise Security could be better, as it is an expensive solution; however, the cost reflects the value delivered."

What is our primary use case?

Splunk Enterprise Security serves as our security tool, specifically functioning as a SIEM product.

What is most valuable?

Splunk Enterprise Security's best features include scalability, reliability, and extensive integrations.

The RBA in Splunk Enterprise Security helps us considerably because there are rules that we cannot turn off, but they are spammy rules that we can whitelist. We group them as intermediate findings, making this risk score useful. It saves us time because instead of working on 1,000 alerts per day, we focus on two or three alerts and simply review their impact on our organization.

With Splunk Enterprise Security and our SOC team, we have developed custom rules that adjust the risk scores based on our observations, not merely Splunk's recommendations. It helps considerably because it groups the alerts, gives us information about related alerts, and provides excellent features such as drill-down searches and dashboards, which save our time and decrease mean time to respond and mean time to detect.

Overall, Splunk Enterprise Security has reduced our MTTR by approximately 30%. That reduction applies to both response and detection.

Our dashboards and visualizations in Splunk Enterprise Security communicate our security posture to executives effectively, as they are more interested in numbers and money saved rather than technical details. The visualizations allow us to present why they spend money on this solution, and we can create engaging visual stories for them based on the dashboards.

What needs improvement?

The area for improvement with Splunk Enterprise Security is support.

The knowledge base could also be improved.

Beyond support, the pricing tier of Splunk Enterprise Security could be better, as it is an expensive solution; however, the cost reflects the value delivered.

For how long have I used the solution?

I have been using Splunk Enterprise Security for more than eight years.

What do I think about the stability of the solution?

For stability, I give it a ten.

What do I think about the scalability of the solution?

In terms of scalability, I also rate it a ten.

How are customer service and support?

On a scale from 1 to 10, I rate support for Splunk Enterprise Security at a six.

How was the initial setup?

My experience deploying Splunk Enterprise Security is straightforward; I am a certified Splunk architect, which is the highest certification. Based on the documentation, it is easy for non-distributed deployments, but it can be challenging for others with larger infrastructures.

In terms of deployment time for Splunk Enterprise Security, it takes approximately 15 minutes.

What about the implementation team?

For my clients, there are over 200 people using Splunk Enterprise Security.

In my company, we have approximately 30 specialists.

Regarding Splunk Enterprise Security deployment, we utilize both on-premises and cloud setups.

What was our ROI?

The return on investment we see from Splunk Enterprise Security is not straightforward, as it depends on the company; some may not have alerts or impacts, while others, when detecting critical alerts or threats, may realize it has saved them a million dollars. Overall, I estimate the ROI to be approximately 20% to 30%.

Which other solutions did I evaluate?

When comparing Splunk Enterprise Security with other security solutions, I find it to be the best as it consolidates everything in one place. They have updated it with endpoint security and admission control capabilities, allowing you to see every comment and action during an incident, which I have not seen in other solutions such as Elastic, Sumo Logic, or LogRhythm.

What other advice do I have?

Since we do not work with UEBA in Splunk Enterprise Security, I cannot comment on any improvements in threat hunting and investigations. I have seen demos of it, and while it is a remarkable solution, I cannot personally answer that question. I provide this review with an overall rating of 10.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: My company has a business relationship with this vendor other than being a customer. MSP
Last updated: Apr 14, 2026
PeerSpot user
Senior Vice President at Mindsprint
Real User
Top 20
Jun 16, 2026
Risk-based monitoring has improved threat detection speed and supports custom SOC use cases
Pros and Cons
  • "Regarding the impact on threat detection capabilities, it provides a faster mean time to detect."
  • "We have seen that the pricing has gone higher and the support quality has not kept up or was not as good as it was earlier."

What is our primary use case?

Splunk Enterprise Security is used for our SOC, the Security Operations Center, which provides 24/7 monitoring. I am using disparate security solutions to integrate or import data into Splunk Enterprise Security. We use Splunk Enterprise Security to ingest the logs and do the monitoring.

As for alerting, especially risk-based alerting, it works well. It supports the use cases that we are looking for. Splunk Enterprise Security supports my SOC in terms of developing any new use cases. If we have any custom integration requirements or any custom use cases, we can easily develop that in Splunk Enterprise Security, and that's how we are able to leverage Splunk Enterprise Security for any custom use cases.

What is most valuable?

The biggest advantage for me in Splunk Enterprise Security is all the ready-made integrations and the connectors that are available. Integration is the strongest part; the connectors and the built-in connectors are the strongest part which allow the integration.

My impression of processes such as customization, developing, testing, deploying, and refining detections is that it works as designed for all the detections and all the new capabilities that we can leverage. It works very well.

Integration supports my security operations. When it comes to remediation, we are not using it for remediation with Splunk Enterprise Security; Splunk Enterprise Security is purely for detection. Remediation has to be done by the respective teams using their own tool sets.

Regarding the impact on threat detection capabilities, it provides a faster mean time to detect. The team is able to respond faster because we are using Splunk Enterprise Security and we are able to ingest all the logs from various sources. Our team is able to detect faster any threats that are emerging across the world and across different types of log sources. For the overall dwell time of an attacker or any kind of attack that we see, we are able to respond much faster because we are able to detect it in the first place much faster.

What needs improvement?

There is something in Splunk Enterprise Security which is not perfect. What we are seeing is not so much on the technology side but from the pricing and support point of view since Cisco took over. We have seen that the pricing has gone higher and the support quality has not kept up or was not as good as it was earlier. These are the two things we see as areas for improvement.

Regarding the issue with support, it takes longer for support to come back to us and then it goes through multiple layers of escalation before we get to the right person.

I would like to see some additional features, more on the AI detection and automatic detection using AI capability. Although Splunk Enterprise Security has some amount of AI capability, what we would like to see is more on the detection side, how AI can help and how Splunk Enterprise Security can introduce those features as part of the built-in platform itself.

For how long have I used the solution?

I started working with Splunk Enterprise Security about six or seven years ago.

What do I think about the stability of the solution?

Splunk Enterprise Security is very reliable and stable. Reliability is also very good.

What do I think about the scalability of the solution?

Regarding scalability for Splunk Enterprise Security, scalability is very good. We have scaled it about four times over the past six years in terms of the log size. Scalability is very good.

How are customer service and support?

As for the issue with support, it takes longer for support to come back to us and then it goes through multiple layers of escalation before we get to the right person.

What other advice do I have?

Splunk Enterprise Security is a product worth buying if you are able to leverage all the features and the capabilities or if the team is strong enough to leverage all of them.

The percentage of savings depends on what we are comparing. It is straightforward; if the team is experienced with Splunk Enterprise Security, it is quite straightforward and quite fast.

Regarding business resilience, Splunk Enterprise Security does improve business resilience because I am able to protect my assets and hence improve the resilience. I am able to solve problems in real time, to predict, and to identify threats. It helps my detection to be faster, which is about 40 percent faster. The overall review rating for this product is 8 out of 10.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Jun 16, 2026
Manish Arora - PeerSpot reviewer
Senior Client Partner at KyndleIT Consulting
Real User
Top 5
May 26, 2026
Security operations have unified threat detection and response across diverse data sources
Pros and Cons
  • "Splunk collects much more data as compared to traditional SNMP related tools, and log traces will eventually provide you much better and true information on which you can take actionable actions on top of it."
  • "Cost is something which is a major factor."

What is our primary use case?

The clients who are using Splunk Enterprise Security are primarily using it for security as a SIEM solution, or they are also using Splunk Observability.

Generally, when you have the complete set of solutions such as EDR or DLP and then on top of it, if you have a solution such as SIEM, which is collecting logs and everything and then correlating that particular data, it takes somewhere around five to ten minutes to identify and start working on that particular issue.

What is most valuable?

The biggest advantage, if I talk about observability, is ease of use. The customers use OTEL collectors, and since this is an open OTEL collector, it is not bound to Splunk itself. That is something which is good.

Customization requires good effort, but it is doable. Being in professional services, we do this particular part. Splunk Enterprise Security provides flexibility to write those rules and regular expressions and other tools, wherein you can filter the traffic based on different kinds of policies.

It definitely helps because when you use different sets of solutions which work on SNMP, they will only poll that data and then they will collect and provide you some information on top of it. Splunk collects much more data as compared to traditional SNMP related tools. Log traces will eventually provide you much better and true information on which you can take actionable actions on top of it. With respect to unified security operations, it helps to consolidate both SIEM and SOAR so that you can quickly detect, investigate and neutralize cyber threats. They can integrate with third-party SOAR solutions, and they also have internal capabilities for SOAR.

What needs improvement?

Cost is one major factor. The reason is that they primarily work on the ingestion of data, wherein it becomes a choice for large customers who have deep pockets to spend money on Splunk Enterprise Security. If the customer does not have that much budget, then obviously they will not go for Splunk Enterprise Security. They will go for a similar solution such as Elastic in that case. Cost is something which is a major factor.

In integrations, a good number of integrations are already available, but integration with newer AI components or tools and upcoming tools such as Claude or ChatGPT will obviously take some more time to evolve perfectly so that these tools become easier to use and aligned with an organization's environment.

For how long have I used the solution?

I have been using the solution for somewhere around four years.

What do I think about the stability of the solution?

Splunk Enterprise Security is a stable product.

What do I think about the scalability of the solution?

Splunk Enterprise Security is scalable. You can horizontally expand it with forwarders and universal forwarders. It's scalable.

Which solution did I use previously and why did I switch?

We have been in business for the last eight years. Before our partnership with Splunk, we were working with Broadcom. Now we are also working with Elastic.

How was the initial setup?

The initial setup is straightforward and not that complex. Initially, you will struggle, but once you are done with one or two installations, then it is pretty straightforward.

What about the implementation team?

I am an implementation partner and not a direct customer of Splunk. I do implementation work.

What was our ROI?

With respect to Splunk Enterprise Security ROI, it is a costly solution. It is not something which can be adopted by every organization. Splunk Enterprise Security needs to come up with something different. When we speak to Splunk representatives, they boast about being a costly solution, but that does not make any sense because if you are not able to fit yourself with the customer and Datadog or Elastic is competing with you, then that is one part which they need to address. Rather than positioning themselves as a costly solution, they should work on something which can actually fit the customers as well as provide implementation partners like us with opportunities to work on certain projects. With respect to ROI, it takes a good amount of time because by the time you get the product installed in your environment, you start using it and you realize how much data needs to be ingested and then you fine-tune them. I think it takes a good amount of time because by that time, Splunk will take a good amount of licensing cost from the customer.

Which other solutions did I evaluate?

We are using other security tools. We are using API security, Symantec products for different customers, or CrowdStrike EDR. We generally ingest logs, metrics, and traces from all these different solutions into Splunk Enterprise Security.

We are also using Elastic. The main part is that for smaller customers or a limited set of customers, Elastic provides the community version. You can go and install the community version and seventy to eighty percent of the features are available, and the customer can start using it. They don't intend to use Splunk Enterprise Security in that case because that's free, and only a nominal services fee will be charged from these kinds of customers. Elastic also has observability as well as the ELK stack, Kibana, dashboards and other tools. That part does not make too much of a difference. The major difference between both of the products is obviously pricing.

What other advice do I have?

Splunk Enterprise Security is the most significant challenge. I rate this product at nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer. Integrator
Last updated: May 26, 2026
R Nandasana - PeerSpot reviewer
Senior Information Technology Security Consultant at Mideast Data Systems
Real User
Top 5
Leaderboard
May 7, 2026
Advanced risk-based alerts have automated threat detection and reduced investigation time
Pros and Cons
  • "Once you complete this setup, the product is amazing and will do all of the work."
  • "The main dislikes about Splunk Enterprise Security are that we need more highly skilled people and the license for Splunk Enterprise Security is costly."

What is our primary use case?

I have been using Splunk Enterprise Security for the last five years, mainly building use cases for the SOC team. My role involves analyzing logs and writing vulnerability alerts based on what I observe. When security alerts are triggered, the security team receives notifications and takes appropriate action.

For the initial deployment of Splunk Enterprise Security, I cannot say this is easy. It is somewhat complex because when you purchase the product, you have a lot of data. You need to align all of your data so that it fits Splunk Enterprise Security standards. Splunk Enterprise Security has custom data models and custom correlation searches that are already defined. You need to modify or set your data according to Splunk Enterprise Security standards. Once you complete this setup, the product is amazing and will do all of the work.

What is most valuable?

The most valuable aspect of Splunk Enterprise Security is that SIEM compliance is one of the best features. I can say this not only because it is Splunk Enterprise Security specific, but also because it is Splunk specific. All data coming in needs to be placed in the SRC field. All data will be normalized with the SRC field. Whether you are collecting data from a firewall or from numerous products, all data with the same name will be automatically collected by Splunk Enterprise Security alerts. Based on that, you can get all alert triggers and perform any kind of investigations. If something goes wrong, such as someone wrongly accessing servers, you will get everything very quickly based on the authentication data model. The alert part and security investigation part are very good.

Threat intelligence is very helpful because there is a threat intelligence model in Splunk Enterprise Security. It will identify threats from around the world and bring them into Splunk Enterprise Security. AI also helps us. When a wrong IP is detected, an incident will be created in Splunk Enterprise Security. Once you click on the "get more info" button, it will bring all information about where this IP belongs, including location and coordinates. Based on that, you can trigger security incidents and alerts.

I am very familiar with risk-based alerting in Splunk Enterprise Security. Everything in Splunk Enterprise Security is on a risk-based model. When I find an unknown IP detection one time, everything is assigned a risk score. If I find an unknown IP one time in one hour, the risk score might be five or ten. If the same thing repeats in one hour, for example if an unknown IP tries to log in twenty times in one hour, the score should be higher. Risk-based alerting will check the notables and increase the score. When you have one hit, the risk score will be two. Whenever you have more hits, the risk score increases and the alert severity and alert priority also go high, becoming a P1 or P2 incident for the analyst. Risk-based alerting is a very good feature in Splunk Enterprise Security.

MITRE ATT&CK is helpful for Splunk Enterprise Security. I take reference from this framework whenever I want to create alerts. The first thing I do is check the MITRE ATT&CK framework and read the documentation. In MITRE ATT&CK, there are tables with many rows and columns. I check these tables and review all the alerts. MITRE ATT&CK shows the security framework and the maximum possible things that can be done to secure our platform. From that MITRE ATT&CK reference, I create alerts.

What needs improvement?

The main dislikes about Splunk Enterprise Security are that we need more highly skilled people and the license for Splunk Enterprise Security is costly. Beyond this, the infrastructure cost is too high. Since we have an on-premises deployment, it is costly for us because we need a lot of storage and a big server.

From a maintenance perspective, Splunk Enterprise Security sometimes requires maintenance because it continuously monitors all alerts and continuously creates incidents. Sometimes the data volume is high and some searches will be skipped automatically. We might have 1,000 searches and sometimes experience a lot of skipped searches. Sometimes if we modify any macro, there can also be issues. We need at least one person for maintenance who can continuously ensure that Splunk Enterprise Security is running fine.

Regarding support for Splunk Enterprise Security, we reach out many times. Initially, we purchased hardware that was not capable enough. Sometimes our server became choked and Splunk was not able to run some searches on Splunk Enterprise Security. These issues were due to hardware limitations. We called a consultant from Splunk who analyzed the platform and fixed the issues. Sometimes we upgraded our platform twice by adding additional disk space and RAM.

We have not upgraded to version 8.0 yet for Splunk Enterprise Security and are currently on version 7.0. Recently, we have a demo scheduled from the Splunk team to learn about Splunk Enterprise Security 8.0 features. However, in version 8.0 they changed everything. Initially, we had an incident review dashboard and risk management dashboard that I was very familiar with. In Splunk 10X, all the names changed and everything was restructured. Currently, I am still learning which old features correspond to the new ones. They changed many things, which is also one of the disadvantages, as the changes were extensive.

What do I think about the stability of the solution?

Splunk Enterprise Security has never crashed. However, sometimes there was lagging, but this was due to our infrastructure because we have an on-premises deployment. I used it in the cloud three or four years ago, and the cloud version is very stable with no scalability issues.

What do I think about the scalability of the solution?

Overall, I can give a rating of nine for the scalability of Splunk Enterprise Security.

How are customer service and support?

Splunk Enterprise Security support deserves a rating of nine.

Which solution did I use previously and why did I switch?

I have never used any alternative to Splunk Enterprise Security. Before Splunk Enterprise Security, we were using Splunk for monitoring purposes, writing queries and preparing alerts. However, this is not what Splunk Enterprise Security does. A normal traditional alert can be scheduled based on Cron or similar methods. Splunk Enterprise Security collects threats from around the world and includes a threat intelligence data model. It manages identity and asset information separately, which cannot be done with our traditional approach.

How was the initial setup?

For the initial deployment of Splunk Enterprise Security, I cannot say this is easy. It is somewhat complex because when you purchase the product, you have a lot of data. You need to align all of your data so that it fits Splunk Enterprise Security. Splunk Enterprise Security has custom data models and custom correlation searches that are already defined. You need to modify or set your data according to Splunk Enterprise Security standards. Once you complete this setup, the product is amazing and will do all of the work.

What other advice do I have?

The mean time to resolve in Splunk Enterprise Security will increase. On other platforms, whenever you create alerts, you only need to see what is there and then troubleshoot everything. In Splunk Enterprise Security, when you create an alert, you can add many additional things. For example, once an unknown IP is detected, it will send an email, create an incident, and create a notable inside the security system. It can do many things and you can add more information. You can check a lookup, check an IP, or follow specific steps. You can add multiple steps to follow as well. All of this will be included with the alert, which resolves a lot of mean time. People do not need to go searching to find how to do things. This significantly reduces the time needed and alerts are immediate. Whenever something goes wrong, you will be notified quickly.

With Splunk Enterprise Security, we detect threats frequently. I work with a major client in the Emirates, and we find a lot of attacks happening and many phishing emails. Sometimes we have two firewalls, one is a DC firewall and one is a Palo Alto firewall, with many compliance requirements. People attempt to access these systems and sometimes send vulnerability emails. For all of these things, we are blocking and detecting with Splunk Enterprise Security and immediately notifying the candidate to not open emails or notifying our team via email.

It reduced the analyst's workload in Splunk Enterprise Security. However, after purchasing Splunk Enterprise Security, we hired more people to analyze the data. By purchasing this product, we came to understand that we can implement additional features and security rules. Our team is continuously and actively working, checking the MITRE ATT&CK framework, finding detections, and implementing them on our platform to make it more secure.

MITRE ATT&CK helps detect patterns that have occurred before.

ES Essentials is in our environment for Splunk Enterprise Security, though I have never focused much on working with it and do not know much about what it does.

Overall, I would rate this review as a nine.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: May 7, 2026
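The risk-based alerting behaviour the reviews above describe, as an added illustration that is not part of any review and not Splunk's own code: risk events per entity are summed over a one-hour window, noisy rules are allowlisted, and an entity becomes a notable with an urgency that rises with its accumulated score. Every rule name, entity, threshold, and event below is constructed for the example; the real product implements this in correlation searches over its risk index.

```python
"""Toy simulation of risk-based alerting (constructed example, not Splunk code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RiskEvent:
    time: datetime
    risk_object: str  # entity the risk attaches to (user, host, IP)
    rule: str         # the detection that produced the risk
    score: int        # risk contributed by this single hit


@dataclass
class Notable:
    risk_object: str
    total_score: int
    rules: tuple      # distinct contributing detections
    urgency: str
    first_seen: datetime
    last_seen: datetime


# Constructed: a "spammy" rule the SOC cannot disable but chooses to allowlist.
ALLOWLISTED_RULES = {"Port scan from internal VA scanner"}
WINDOW = timedelta(hours=1)     # look-back over which scores accumulate
SCORE_THRESHOLD = 100           # total score that alone produces a notable
MIN_DISTINCT_RULES = 2          # or this many different detections in the window


def urgency_for(total_score: int) -> str:
    """Map accumulated risk to an analyst-facing urgency (P1/P2 style)."""
    if total_score >= 200:
        return "critical"
    if total_score >= 100:
        return "high"
    if total_score >= 50:
        return "medium"
    return "low"


def build_notables(events):
    """Return {risk_object: Notable} for entities that crossed a threshold.

    For each entity, every event closes a window reaching back WINDOW; the
    window with the highest accumulated score decides the notable's urgency.
    """
    by_object = defaultdict(list)
    for ev in events:
        if ev.rule in ALLOWLISTED_RULES:   # suppressed at the risk level
            continue
        by_object[ev.risk_object].append(ev)

    notables = {}
    for obj, evs in by_object.items():
        evs.sort(key=lambda e: e.time)
        best = None
        for i, end in enumerate(evs):
            window = [e for e in evs[: i + 1] if end.time - e.time <= WINDOW]
            total = sum(e.score for e in window)
            rules = tuple(sorted({e.rule for e in window}))
            if total < SCORE_THRESHOLD and len(rules) < MIN_DISTINCT_RULES:
                continue
            if best is None or total > best.total_score:
                best = Notable(obj, total, rules, urgency_for(total),
                               window[0].time, end.time)
        if best is not None:
            notables[obj] = best
    return notables


# Constructed sample risk events.
T0 = datetime(2026, 5, 7, 9, 0)
SAMPLE_EVENTS = (
    # one hit two hours earlier: outside the window, must not count
    [RiskEvent(T0 - timedelta(hours=2), "ws-042", "Failed login from unknown IP", 10)]
    # the same detection firing 20 times in 20 minutes against one host
    + [RiskEvent(T0 + timedelta(minutes=i), "ws-042", "Failed login from unknown IP", 10)
       for i in range(20)]
    # an allowlisted noisy rule; ignored even though its score is large
    + [RiskEvent(T0 + timedelta(minutes=3), "ws-042", "Port scan from internal VA scanner", 50)]
    # three different detections against one service account within 45 minutes
    + [RiskEvent(T0 + timedelta(minutes=5), "svc-backup", "Failed login from unknown IP", 40),
       RiskEvent(T0 + timedelta(minutes=20), "svc-backup", "New local admin created", 40),
       RiskEvent(T0 + timedelta(minutes=50), "svc-backup", "Encoded PowerShell launched", 30)]
    # a single low-score hit that never becomes a notable on its own
    + [RiskEvent(T0 + timedelta(minutes=7), "jdoe", "Failed login from unknown IP", 5)]
)

if __name__ == "__main__":
    for obj, n in build_notables(SAMPLE_EVENTS).items():
        print(f"{obj}: score={n.total_score} urgency={n.urgency} rules={n.rules}")
```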
PraveenSande - PeerSpot reviewer
Senior Splunk Engineer (L3) at Wipro Limited
Real User
Top 10
Mar 16, 2026
Risk-based monitoring has improved incident prioritization and simplifies cross-team collaboration
Pros and Cons
  • "Splunk ITSI (IT Service Intelligence) has very good capability of storing, analyzing, and searching compared to other tools."
  • "The Splunk ITSI (IT Service Intelligence) correlation that we are trying to do has missed a few features from the earlier versions."

What is our primary use case?

At the moment, we are using Splunk ITSI (IT Service Intelligence) with Splunk Enterprise Security suite solution to create the use cases. We have criteria to create use cases in such a way that as soon as we receive a request from a customer or internally, we need to see based on the MITRE ATT&CK frameworks and techniques and tactics. Based on that, we are going to create use cases in Enterprise Security. We will consider a few things, such as what the severity is and what it is based on the group, whether it is end-user support or application support. Based on that, we will create the urgency and all.

What is most valuable?

The favorite features of Splunk ITSI (IT Service Intelligence) include the ability to define the risk score and understand how much priority we can assign. We can also define priority as critical, low, medium, or high. We can also give some filtering options during the execution time, such as filters, throttling, and mapping the fields by grouping the name and grouping the fields. Additionally, we have the feasibility to give a direct ticket to ServiceNow integration. It will create a ticket and assign it to somebody who is responsible to work on it. We have some very good things with this solution.

What needs improvement?

The Splunk ITSI (IT Service Intelligence) correlation that we are trying to do has missed a few features from the earlier versions. We previously had a chance to give complete descriptions of a particular thing and whether it is mandatory or not. However, in the new version, we are seeing something like a risk score that needs to be defined for any use case we are creating. I think that is not mandatory, but also in some areas we cannot define the risk score. At those times, in those cases, we are keeping the risk score as nominal, like one to ten. Because of that mandatory field, we are giving some wrong information to the end list.

For how long have I used the solution?

I have been using it in my career for six years.

What do I think about the stability of the solution?

I have never seen instability, lagging, crashing, or downtime throughout my experience with Splunk ITSI (IT Service Intelligence). We work on all production servers and production environments. We have scheduled operations, maintenance operations, and maintenance windows. During that time only, we will see if they are trying to do any activity or if they want to perform any shutdown. They plan accordingly and guide us before they are planning for it.

What do I think about the scalability of the solution?

Splunk ITSI (IT Service Intelligence) has a good feature for scalability. We can scale it very quickly, and it is very helpful for an organization to scale up. It has that feature and it is a very good feature.

How are customer service and support?

I contacted technical support for Splunk ITSI (IT Service Intelligence). I have worked on both areas, on-premises and the cloud environment. For on-premises, based on the priority of the case, they address the issue. For the cloud environment, they will prioritize the case and give quick service.

How would you rate customer service and support?

Positive

How was the initial setup?

During the initial setup, in the first few days and months when I started using Splunk ITSI (IT Service Intelligence), it was overall understandable. If somebody does not know about it, they can learn it very quickly and they can adapt to the technology.

What about the implementation team?

For deployment of Splunk ITSI (IT Service Intelligence), we require two to three people based on the environment and the size of the environment. It is preferred to have two persons.

What was our ROI?

From a pricing point of view, Splunk ITSI (IT Service Intelligence) is a bit high. I was seeing one of my customers, an old customer, who is moving from Splunk ITSI (IT Service Intelligence) to other tools. The tool is Cortex XDR SIM. It is all because of the pricing. Other than the big organizations, if somebody in a small company or small to medium company wants to use Splunk ITSI (IT Service Intelligence) facilities, they are very much afraid of it because of the pricing. Also, the people who are already using Splunk ITSI (IT Service Intelligence) as a solution are checking for alternatives. For example, one of the other clients moved to another SIEM solution because of the pricing itself. It is comparatively more, and they need to think about this pricing.

Which other solutions did I evaluate?

I have familiarity with QRadar and SIM Nitro as alternatives to Splunk ITSI (IT Service Intelligence). I can compare QRadar with Splunk ITSI (IT Service Intelligence). My opinion is that Splunk ITSI (IT Service Intelligence) is the better one. Comparatively, I have used three SIEM tools, but Splunk has more visibility. As a Splunk engineer, we have the feasibility to integrate a lot of logs from different log sources and we can parse them. We can create custom rules. All of this provides very good visibility on Splunk ITSI (IT Service Intelligence). Log availability is also a very good thing. Splunk ITSI (IT Service Intelligence) has very good capability of storing, analyzing, and searching compared to other tools. We can create knowledge objects, such as dashboards, which are very useful to review what we have in the system, and we can also present them to somebody who is not much aware of the system. In QRadar, we do not have much scope to work on. In Splunk ITSI (IT Service Intelligence), we have a lot of things during the integration time. We have a lot of scope and also parsing, and then utilizing the logs by creating use cases and alerts, reports, and dashboards.

What other advice do I have?

My overall experience is eight years, and relevant to this field is six years. Whenever we are doing any new add-ons and integrations, we actually need to upgrade ourselves. We recently had an upgrade of utilizing Python scripting for scripting. For on-premises Splunk ITSI (IT Service Intelligence), I would give six out of ten. For the cloud solution, I would give nine out of ten. For the overall score for the support of Splunk ITSI (IT Service Intelligence), I will give seven out of ten. I am a customer of Splunk ITSI (IT Service Intelligence). I am continuing to learn Splunk things based on different platforms, Linux, Windows, and also on cloud. So far it has been so good. It is a good journey and I am feeling positive about it. Splunk ITSI (IT Service Intelligence) is very understandable. Everybody says Splunk is a complex environment, but it is not that complex. We can adapt and we can quickly learn if anybody is starting a new journey on Splunk ITSI (IT Service Intelligence). I have thoughts on legal statements and the process of creating an account. My overall review rating for Splunk ITSI (IT Service Intelligence) is nine out of ten.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Mar 16, 2026
Vikas_Tiwari - PeerSpot reviewer
Citius Tech at an outsourcing company with 5,001-10,000 employees
Real User
Top 5
Feb 19, 2026
Advanced analytics and flexible dashboards have improved risk-based monitoring and faster incident response
Pros and Cons
  • "We have majorly utilized Splunk Enterprise Security in SIEM and SOAR use cases, and the product is top-notch, with no problems."
  • "I think the licensing costs for Splunk Enterprise Security are on the higher side, but I am not certain."

What is our primary use case?

Splunk Enterprise Security is primarily a security solution used for device monitoring. If there is any suspicious activity happening, Cisco will capture that and get you the alert, then your SOC team can analyze the issue and take necessary action to avoid the breach.

Analysis is the first point when suggesting the best features of Splunk Enterprise Security.

I think the firewall and all these network devices and security devices—routers, switches—they all need to be connected to Splunk Enterprise Security in some way, so that it can get the data from all these devices, and then SIEM can analyze that data and get us the alert. There are a few tools such as Snowflake Security Data Lake which integrates with Splunk Enterprise Security, and Splunk Enterprise Security has its own security data lake. There are multiple tools that integrate with Splunk Enterprise Security.

In the context of risk-based alerting in Splunk Enterprise Security, company-wise, they have different policies, but risk-based alerting is definitely a great feature that multiple customers utilize.

What is most valuable?

I think the product is very good. It is a leader in its category. We have majorly utilized Splunk Enterprise Security in SIEM and SOAR use cases, and the product is top-notch, with no problems. The only challenge I was getting to know earlier was the resource crunch. The training and enablement was very limited, but post-Cisco acquisition, it is now quite easy because Cisco has a different outlook for partner enablement and partner management. They provide a plethora of free-of-cost training and enablement, and their solution engineers are available over the call for any kind of consultation, which was not very convenient before the acquisition. This is a clear call-out for me.

I am talking about the learning curve of the product. Your product adoption improves once you have the trained resources in the market, but if you don't have trained resources, then they will make mistakes in the implementation and deployment, and then people see that. If there are limited resources in the market, they will be very costly. Whoever is on that particular technology will not be affordable, and that also decreases the chance of the company to grow.

I am overall satisfied with how the dashboard is arranged. There is a lot of flexibility in the dashboard, the number of integrations that it provides, the level of accuracy, and the sensitivity level. I think these are the important things.

The workflow is good, and I think they keep improvising it. There is not a specific comment on that regarding how important this feature is and how it supports the overall workflow.

On average, the time my SecOps team takes to remediate security incidents with Splunk Enterprise Security is certainly less compared to previous solutions. In that case, I would rate Splunk Enterprise Security as the highest SIEM solution. Their SOAR solution is also quite competent.

As for currently using any new threat detection features in Splunk Enterprise Security, I mention Mandiant and VirusTotal, and then Cyber, which are a couple of tools that multiple customers, different customers, use.

What needs improvement?

It is tough to say which features would be included in future updates of Splunk Enterprise Security. I think it will keep growing. Maybe if they incorporate generative AI, I think AI is already there, but if they incorporate generative AI in terms of tracking the issues, automatic resolutions, and some root cause analysis, and I think threat intelligence, something using GenAI providing information on threat intelligence, that would also add value.

For how long have I used the solution?

I have 12-plus years in software and IT.

How are customer service and support?

My thoughts about the technical support of Splunk Enterprise Security are that they are good, but I think there are complaints about support sometimes. However, it is the same with every other player. I would say it is not so bad, but there could be improvements.

How would you rate customer service and support?

Negative

How was the initial setup?

It depends on the volume of deployment for Splunk Enterprise Security. A bigger organization needs a month of time for different things: running some POCs in the beginning, understanding the environment complexities, the number of integrations, and if that integration requires some kind of development, how many legacy applications need to be integrated. The time varies depending on the scope of work. A couple of months for a large enterprise can take almost a month. Organizations have to migrate data also. If they are using some existing solution, that data needs to be migrated, and all those checks and balances will take time.

What about the implementation team?

That depends on the size of the project, but I think maybe five to six resources, at least, are usually involved in deployment from my side.

What was our ROI?

I believe it is beneficial in terms of finance to use Splunk Enterprise Security, as enterprises are realizing the value, and the ROI is also good.

What's my experience with pricing, setup cost, and licensing?

I think the licensing costs for Splunk Enterprise Security are on the higher side, but I am not certain. I have not done a thorough analysis—six months back I left this Splunk partnership. I think they are still affordable to some of the very demanding enterprises. However, the mid-market and startups may struggle, because it is a very premium, enterprise-based solution. The price is also very premium. Comparing it with Microsoft Defender and the Microsoft SIEM solution, I think in terms of pricing, they are very neck-and-neck. The pricing is also good. If they can offer a slight level of discount, that can enhance their ability to reach price-sensitive customers.

What other advice do I have?

Product adoption improves once you have the trained resources in the market, but if you do not have trained resources, then they will make mistakes in the implementation and deployment, and then people see that. If there are limited resources in the market, they will be very costly. Whoever is on that particular technology will not be affordable, and that also decreases the chance of the company to grow.

Disclosure: My company has a business relationship with this vendor other than being a customer. Integrator
Last updated: Feb 19, 2026
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.
Updated: May 2026