Splunk Enterprise Security Reviews

I am a SOC lead, and we use Splunk Enterprise Security for alerting and working on incident review and incident response.

We have a hybrid environment. We have multiple clouds, and I am not sure if I know all of them. We have Azure Labs that we run for our students. We have cloud infrastructure. We have cloud applications on which we need visibility.

It is incredibly important that Splunk Enterprise Security provides end-to-end visibility into our environment. Especially being someone who goes through and reviews the work that my analysts are doing, I definitely need to be able to see what is happening all across different domains of our network.

We work for a large university, and we have different tenants. We have our students, we have our employees, and then we have our faculty as well. We definitely need to see what is happening across the domains and across all of those different tenants.

It saves so much time for the analysts, and it empowers analysts to carry out and triage an investigation, wherever needed. It is incredibly hard when you are working with different sources. I am sure everyone else knows that you cannot expect your analysts to be on the same page a hundred percent at the time. They might say, "Hey, I am going to go into this tool and look at these alerts here, or I am going to look at these learnings from this tenant." We need to be looking at all of those sources and all of those domain tenants at once. Being able to see that across the board and not having to jump through hoops to get the data that we want is extremely valuable. I do not have metrics for how much time it has saved because I do not know our life before Splunk. I know that it has done a great deal in saving time, and now with SOAR, that is exactly what we are looking into. We are looking into how we can empower that even more by combining it with Splunk Enterprise Security.

Splunk Enterprise Security has helped improve our organization’s ability to ingest and normalize data. Splunk is definitely a leader. I cannot imagine leaving and going to another toolset and losing the capabilities that I have and the knowledge that I have. One of my favorite parts is that Splunk really does work. It seems to me that they work with actual users on a regular basis, so they know the pain points and they know what our issues or our primary concerns are.

In the beginning, it did not help to reduce our alert volume, but over time, it has definitely reduced that. Something that I am working on primarily with our SOC right now is increasing our alert volume because we are at such a low rate because of the work that we can do with Splunk's capabilities. We are looking into what areas in the network we are not alerting on. We have these out-of-the-box solutions, but there is more that we can build on. It is empowering our analysts to be SOC analysts, but the more advanced employees can work towards the threat detection engineering side or SOAR playbooks development side or even just on the backend of setting up and working with the configuration.

I wish I knew the metrics for the reduction in the alert column. I do not have any approximation, but our SOC is very manageable. We are a small team, and the number of alerts varies. On average, we get about 300 alerts a day on the high end and 150 alerts on the low end. If it is a very slow day, such as a vacation for everyone, and we do not have a lot of activity going on in the network on our endpoints, it is very manageable for a small team. Our SOC team has four full-time employees, and then we have intern/student workers because we partner with the university. We have three of them. Overall, there are seven, but, of course, students are only able to work a maximum of 15 or 18 hours a week or something like that, so the amount of man-hours that we have is pretty low.

Splunk Enterprise Security provides us with the relevant context to help guide our investigations. There could be a little bit more, but that also depends on the analysts and where they are in terms of maturity. I have a lot of capability to go and expand what I need to, but others do need a little bit more guidance. It is not easy on the first look for someone who has never done it before, but after being taught or learning about it themselves, it is pretty easy. It can still do a whole lot. If we are looking at an anonymous login, we are getting context from different sources. If there is an activity that is going on in the host machine, such as we have some login from Russia, which has never happened before, there is a firing of alerts from the EDR. We can see our email gateway firing alerts regarding their account. That allows us to contextualize and correlate the activity very easily.

Splunk Enterprise Security has helped improve our organization’s business resilience. We are able to take action immediately when we need to. Especially with risk-based alerting, we are able to understand what needs attention right now. We do work with young junior analysts a lot, and we are able to teach them how to identify what needs action right now or what needs to be investigated or triaged immediately. We are basically protecting our crown jewels first rather than some low-hanging fruit that we see everyday, but we cannot take a look at them because we have some important things going on in our network.

Being able to aggregate detection and alerts from various sources is valuable. Like everyone else, we have a wide range of tools in our shop. We are able to stop at one spot and look at all the data. All the data is able to come through, and we can then jump from source to source or index to index. We can dig deep whenever we need to and get a good high-level understanding.

The first thing that comes to mind is a little bit of UI improvement. It sometimes can be a little bit buggy or it can be a little bit slow, but that varies from customer to customer.

They can continue building out the Splunk community. They can give incentives for customers to collaborate and expand on what they are working on but also provide the tools to do that. There are good resources such as Splunktern. I love the Splunk education and training platform. It is amazing, but I wish there was a little bit more. Especially with the training and applications, they should give us real-world use cases and a little bit more specific scenarios. Splunk is doing a much better job than a lot of other organizations or technology platforms, but they can give more information. I know a lot of my Splunk users do not even realize the things that they can do. On the user end or analyst end, they need to be more proactive by giving more of a heads-up. For example, I found out about Splunk research today. I have been using Splunk for two years. I wish I had known about that more. They can reach out more. The incentives can be anything. Some people love stickers, and some people love shirts. They can create that community a little bit more.

I have been using Splunk Enterprise Security for two years.

I do not have much to compare it to, but it is stable. We hardly have any issues, and if we do, they are intermittent. 

The growth that we have seen in my time with our team has not been so much. However, we are adding more tools or trying to gain visibility into different areas of our network or applications that have already been there. Being able to throw some logs in and figure out that we should be monitoring this has been painless. We can just forward them all over. It takes an hour or so. We get the answers and the visibility that we need.

I have not used it very often. I have used it once or twice, but I would say that the engineers I have worked with have been extremely knowledgeable. They have helped so much. We were working on SOAR, and we were pretty new to it as a SOC. We were able to work all of that out with a Splunk engineer on a call. They were able to answer our questions. They knew our needs and goals, and they were able to guide us to meet those. That has been very effective for us. I would rate them a ten out of ten. I have not had any bad experiences.

Positive

We have had Splunk since I have been in this company.

Specifically, I cannot say what return on investment we are getting. However, when we look at other products, we know we are not going to have the same capabilities and we are not going to have the same response times and correlation capabilities. Even working with other vendors and getting their logs into Splunk can be a nightmare, and that is enough to make us say that we do not want to buy their product.

Personally, I have not evaluated other solutions. We do have some friends and family connections who use other solutions. Based on their stories, we will continue using Splunk.

I would rate Splunk Enterprise Security a nine out of ten. If it were a ten, it would do my job for me.

We mostly use the solution for compliance, logging, log storage, and root cause analysis. In 2015, we had AIG as a client, and they only had Splunk. Splunk Enterprise Security is one of the oldest solutions that did the logging and storage.

Splunk has fantastic brand value, which helps us sell it as resellers. The solution's pricing is quite competitive. The solution meets all the requirements. As a compliance person, I know that log storage is very important for data privacy compliance guidelines like ISO or CCPA. Splunk provides all of those compliances and checkmarks.

I like that the tool is light and the agent doesn't slow down the machine. Splunk Enterprise Security is a standard solution providing good customer service and partnership.

The solution should improve regional knowledge of the new regulations coming out of the Middle East. As a consulting firm, we are currently targeting many Middle Eastern markets, including Saudi Arabia and Dubai. They don't have a local server support cloud center there, which is a big issue because they don't want their data to go out of the region. Splunk should have more regional data centers in the Middle East.

I have been using Splunk Enterprise Security for five years.

Splunk Enterprise Security provides good stability.

The solution's scalability is fantastic. Even 10,000 to 50,000 endpoints don't slow anything down. The servers, log storage, and ingestion work smoothly, irrespective of whether there are 5,000 or 50,000 endpoints.

The solution’s technical support is very good.

Our customers using Splunk Enterprise Security don't have any compliance issues, and they don't get fined by the regulators, which saves them money.

Splunk Enterprise Security's pricing is pretty competitive.

I'm a consultant who uses Splunk for other clients. It's important for the clients that it can communicate with all kinds of devices, like firewalls, WAFs, servers, endpoints, switches, and routers. All of that is figured out over time, which is useful.

Splunk Enterprise Security is a good tool for finding security events across multi-cloud, on-premises, or hybrid environments.

Splunk has helped improve our organization's ability to ingest and normalize data. It can also identify and solve P1 or high-critical-priority problems in real-time.

Splunk Enterprise Security has helped us reduce our alert volume by around 50%.

The solution provides us with the relevant context to help guide our investigations, and this context information has impacted our investigation process. Having all the data in a single place does help with post-incident response and forensic root cause analysis.

Splunk Enterprise Security has significantly helped speed up our security investigations. I save 60% to 70% of my time because it's easier to find what I want to find through the tool's user interface.

Splunk Enterprise Security has helped reduce our mean time to resolve by around 50%.

Overall, I rate the solution ten out of ten.

We use Splunk daily to find the root cause of attacks and analyze users attempting to access our system. We create incidents and address 5 to 7 simultaneously. Once we analyze and record the activity, we can delete the incident. Our admin team will verify whether it originated externally or internally. 

We use Splunk to respond to security incidents and for data analytics. We conduct custom correlations for the customer and write reports on any attacks. We set alerts for user behavior to discover threats, like if someone is constantly attempting to access our internal domain. The admin will identify that threat and block it. 

Splunk helps us be more proactive. We can take predictive action to identify and block threats so that nothing harmful gets into the system. With Splunk, we can monitor the entire environment from one place. It's a single point of control for all infrastructure, whether in the cloud or on-premise. Splunk has sped up our security investigations. 

I like Splunk's Notable Events. We have created several dashboards for our customers, where you can see the activity and number of alerts. The database receives data about the mask and domain IPs of any user trying to gain access.  We ingest logs from multiple antivirus products and firewalls and analyze them to prevent attacks and threat activities.

Splunk could have more built-in use case presets that customers can build on and customize. 

I have used Splunk for 9 years. 

Splunk is a stable product.

I rate Splunk technical support 8 out of 10. 

Positive

We previously used Dynatrace but switched to Splunk because it has more features. 

Splunk is easy to deploy if you have some basic knowledge. You need experience. It doesn't require any maintenance after deployment. 

Splunk is a good value for the features it provides. The license is costly, but it's better than the other tools. 

I rate Splunk Enterprise Security 8 out of 10. I would recommend Splunk to others. It's one of the most powerful tools available. It's a valuable tool for monitoring infrastructure. 

I use the solution in my company, and most of the use cases are security-specific. My company uses it to transfer from our detection engineering team to our incident response team. For observability, our company is looking for security events within the tool, and we are logging all the critical security infrastructure and security-relevant logs to a platform for security operations.

The tool has helped to streamline our company's mean time spent in understanding security-relevant events and mitigating those risks.

Some of the tool's best features are RBA and UBA. I also like the tool's single point-of-view dashboard for incident response. The case management area is one of its good features.

The tool has reduced the mean time needed to resolve. The reason is that the dashboard offers a single point of view, especially in areas where people aren't spread out. Our company is getting all the relevant data in there, and we are able to identify the problem instead of having to go to multiple tools or different interfaces.

It is very important for our organization that Splunk Enterprise Security provides end-to-end visibility into our environment. It is our company's way of understanding what is going on in our environment, and then it is our way of handling security events, relevant events, mitigating risk, understanding risk, quantifying risk, producing metrics, and everything else.

Splunk Enterprise Security provides our company with the relevant context to help guide your investigations. The tool has allowed us to gain better visibility and accuracy into security events.

The tool has helped our company improve the resiliency of our security operations. This is based on the fact that we don't have full adoption of the tool for all users in our organization, especially not Splunk Enterprise Security.

My company uses the tool for security operations, and we have built our security operations around Splunk based on what it can do and its performance.

I think Splunk is already improving its products. Some of the features that Splunk has been bringing out, like Splunk Attack Analyzer, while covering some of the other areas, like regulatory compliance and asset security, are good. It is just a matter of the customers being able to see the new features introduced by Splunk and get a demo to see if it makes sense for their work.

I already have Splunk Enterprise Security set up. My company is interested in seeing Splunk Attack Analyzer, and that is why we are dealing with Splunk's point of contact right now.

The area of concern revolves around the fact that Splunk is an expensive product. Splunk's expensive nature is an aspect where improvements are needed.

I have been using Splunk Enterprise Security for six to seven years.

It is a very stable solution. I never really had a hiccup with the tool. Even for migrations or anything, our company has never had to use Splunk's partners, and it has been a seamless process.

The tool's scalability has been good, but it depends on the organization and how Splunk is being adopted there.

The solution's technical support can be hit or miss, but it is mostly positive. I can't give you all the scenarios, but the one thing that I do like about Splunk is that if there ever is a hiccup, a simple phone call from our end can ensure that Splunk's technical team takes care of our problems. I rate the technical support a ten out of ten.

Positive

I have used many products in the past, but they were not in my present organization. It has been a long time since I used some products, as it was done back during my engineering days. I used to use HPE ArcSight. I have been through McAfee products, such as McAfee Nitro, back in the day. I have been an active Splunk business owner for almost a decade now.

The product's initial setup phase has been perfect since our company uses the cloud services offered by Splunk.

The solution is deployed on the cloud services offered by Splunk.

The reseller that my company gets in touch with to help with the implementation part is called GuidePoint Security. My company's experience with GuidePoint Security has been good.

I think that based on my experience in the organizations that I have been in with Splunk, the tool definitely fetches a return on investment because it allows us to streamline security-relevant events that we need to take care of quickly. Overall, the tool saves us from any impact on our finances and business.

Most of Splunk's customers are trying to find ways to keep the pricing from the ingest licensing model of Splunk down. What that comes down to is that we have to manage the platform. For our company, being a security enterprise and using it for security-relevant data allows us to streamline and control the ingest licensing model because we don't put in a lot of stuff in the tool. We have other things that we output to different data lakes. Splunk has always been on the expensive side.

The ease of deploying the tool, its great customer service, and the development you can do within the tool is very seamless, so I would recommend the product to my peers since it is a great solution.

I rate Splunk Enterprise Security a ten out of ten.

We use the solution for monitoring and detection and for threat hunting.

On the threat-hunting side, we can easily hunt down what we're looking for because Splunk's language parses the data coming in and allows us to utilize it to filter down through the data we need.

I very much enjoy Splunk's robust search nature, which enables me to find the data I want within the data I have. It's helpful for doing an investigation, whether that's an incident response or threat hunting.

It is important to our organization that Splunk Enterprise Security provides end-to-end visibility into our environment. That way, we can see where the data is throughout the entire process, depending on where we are in the incident.

Splunk Enterprise Security has helped improve our organization’s ability to ingest and normalize data.

Splunk Enterprise Security has, by far, the best search capabilities. It ties that into alerts and notables, allowing you to refine what you want to see in your data.

There's been a big push for SBC compute over the ingestion model, which will hamper us. We're trying to increase our search counts with things like risk-based alerting, and I think that change will hinder our process.

I have been using Splunk Enterprise Security for eight years.

Splunk Enterprise Security is a stable solution.

Splunk Enterprise Security is a scalable solution.

I think we recently switched to the SVC pricing compared to the ingest pricing. I don't know if that was the right move for us.

Overall, I rate the solution an eight out of ten.

I use Splunk for visualization, reporting, monitoring, log aggregation, and other security purposes. We gather various logs into one place and analyze them based on specific business use cases to get high-level insights that inform decision-making at every level of the organization. We also use it to aggregate other IT logs — not just security. 

Our organization is working in a massive on-prem environment. We're one of Splunk's oldest clients. It's convenient to migrate everything to the cloud, and we would have more flexibility. However, we currently have our resources and everything established to use Splunk on-premises, so we aren't switching to a cloud environment.

Splunk allows us to monitor logs and track suspicious activity in real time. With the help of the SOAR platform powered by AI and ML, we can respond quickly. Our security posture is better, and we can resolve security incidents quicker. Splunk has improved our visibility by providing critical security metrics in our dashboard and strengthened our security controls. 

The number of alerts we receive is similar to what we saw using our previous solution. While it hasn't necessarily reduced our alerts, Splunk is improving our resolution time and overall security.

I like Splunk's automated threat detection and orchestration capabilities. Splunk offers a single solution for analyzing, aggregating, correlating, monitoring, reporting, visualizing, etc. You can get all of these capabilities in one place. On top of that, it provides a cloud, testing, on-premise, and hybrid solution, giving customers more flexibility for their use cases. 

Splunk's real-time monitoring is one of its best features.  The user interface gives you a single dashboard to directly view all the high-level information. The security incident monitoring and investigation page is also very helpful. You can document an investigation step by step. Many investigators can work on a single incident also based on their shifts. Everyone can add notes on the investigation page. 

The incident response features are based on real-time data. The monitoring team can immediately take over an incident and prioritize tasks based on risk scores. We can assign multiple technicians to one security incident based on their skill, improving resolution time.  The incident review dashboard provides many useful details, like the indicators of compromise and risk scores.

We can get threat intelligence from multiple platforms, including the latest known IOCs, to support our response to security incidents. We store the threat data from various sources in a centralized place, and it updates every six to 12 hours. 

The MITRE ATT&CK framework feature is helpful for understanding which phase an incident is in and what the next steps are so a technician can prevent it from progressing. It gives us a detailed overview of other tactics it might be associated with, enabling us to stay vigilant. We can correlate with other simultaneous or sequential incidents and take action to strengthen our security based on these incidents.

We've sometimes faced issues with upgrades. The incident review dashboard sometimes breaks after updates. When we add a space or something in the description or anywhere in the SQL, the drill-down value may be reset with a blank value. Before rolling out any software, they should test it thoroughly and ensure clients won't have issues with the upgraded version. It should be compatible with all or most of the apps. All major issues must be addressed before rolling out the upgrade.

I have used Splunk for eight or nine years. 

I rate Splunk nine out of 10 for stability. 

I rate Splunk eight out of 10 for scalability. Scalability is always a challenge. The larger your environment, the more issues you'll have. There aren't many problems with Splunk on the cloud, but scaling can be challenging in an on-prem environment. If you're ingesting a significant volume of data, you need a proper maintenance routine to maintain your base architecture. Sometimes, it's a bucket application. It can take a few hours to reset those things, and network issues might contribute to that. 

I rate Splunk support eight out of 10. It varies based on your data volume and number of licenses. 

Positive

I have used several solutions for different clients, including QRadar, Palantir, and Microsoft Sentinel. Splunk has more capabilities than QRadar. It's also more flexible and user-friendly. You can modify and customize the solution to show you the information you want.

The deployment depends on the environment. It may take only a couple of weeks to deploy Splunk in a small environment, but a larger environment involves a detailed process that may take months. It helps to have a larger staff. It also depends on how process-oriented an organization is. Some organizations will take much more time in the planning and design phase. 

After deployment, Splunk requires a good deal of maintenance, depending on the volume of data you're ingesting and your user base. It may require multiple resources to manage this environment. 

Splunk improves our security controls, resolution time, and threat-handling capabilities. We're saving time and resources, meaning more money for our clients. 

I don't know about Splunk's pricing because I work on the technical side, but I know it is a costly platform. There are cheaper products and some open-source ones, but Splunk costs a lot because of the features it provides. Still, the pricing is a concern for many of my clients, and more would use Splunk if they lowered the cost a bit. 

I rate Splunk Enterprise Security nine out of 10. I would recommend Splunk because it covers multiple services in one place. It also has a strong developer community. You can easily get help from community support. Splunk is a versatile product that competes well with leading security tools like Microsoft Sentinel.

We use Splunk Enterprise Security to analyze log data for log monitoring, creating use cases, onboarding, and incident response.

We wanted a single security tool that could immediately identify notable events that could be reported as security breaches, and then enable us to take intelligent action without having to purchase additional security tools.

We have two customers with hybrid cloud solutions. Neither customer is fully cloud-based. Our implementation is based on the customer's requirements, such as compliance, data ownership, and administration. We plan the implementation of Splunk cloud or hybrid models based on these requirements. We discuss the benefits and solutions with the customer to ensure that we are not breaching any compliance policies and that we are selecting the right model for their needs. Because we have multiple customers, we must also consider how to manage this process effectively.

We use multiple cloud environments for our clients, including AWS, Azure, GCP, and private cloud. We can easily integrate Splunk Enterprise Security and segregate the logs based on the type of index we create for each customer. When we create different indexes, we can segregate the types of logs based on the device type. This makes it easy to separate logs from different universal providers, different machines, and specific types of indexes dedicated to particular customers or groups.

We use threat topology and MITRE ATT&CK to create and integrate use cases for network framework detection and visualization in Splunk. Splunk helps us segregate and integrate use cases based on different threat detections and provides a complete dashboard view of how use cases match with detected threats.

When discussing MITRE ATT&CK and topology, we sometimes encounter use cases where we must ensure the logic is properly implemented to detect the threat and trigger the alert. This is because log access may involve specific teams and their associated MITRE ATT&CK tactics and techniques. We must be very specific about the information we are observing in order to derive the correct information and framework topology.

Splunk is one of the easiest solutions for analyzing malicious activities and detecting breaches. It is flexible enough to work with small teams, and it provides a broad view of the data, allowing us to segregate and fine-tune the analysis based on the customer's requirements.

Splunk Enterprise Security can help us detect threats faster when it is properly configured. We have implemented over 400 use cases for specific types of malware and other threat detection. In over 70 percent of environments, Splunk is able to detect threats faster than other solutions.

It has helped our organization improve by integrating with cloud providers. Splunk enables us to blacklist specific data types and ranges to reduce our losses, based on our requirements.

We have reduced our alert volume by around 50 percent with Splunk. When we first started creating and using Splunk use cases, we received around 700 alerts. Splunk can merge different sources of use cases into one to identify false positives, which has been very helpful for us.

Splunk has helped speed up our security investigations by almost 70 percent. We have a dedicated incident response team. They use the Splunk incident reports to help with their investigations. 

Splunk Enterprise Security comes with 300 pre-deployed use cases that can be easily customized to meet the specific needs of our organization, without the need to purchase additional tools.

We can easily identify the number of security devices and users that are authenticated on the network and present the information to the executive team.

Splunk can improve its third-party device application plugins.

I have been using Splunk Enterprise Security for five years.

Splunk Enterprise Security is stable.

Splunk Enterprise Security is scalable.

The Splunk technical support is good but their call times differ.

Positive

I previously used IBM Security QRadar, Azure Sentinel, and McAfee Network Security Platform. Splunk Enterprise Security is designed for multiple platforms and is easier to implement.

Splunk is much faster when used correctly and has many tools. With the exception of Sentinel, the other solutions do not have many tools. With Sentinel, we have to define the indexes and all those things, such as the aggregation of logs. It is easy to do searches in Splunk, even in a large environment. I find Splunk to be more efficient than the other solutions I have used in the past.

The initial deployment is straightforward. We install the solution and define the roles of each server and the data it will store. The deployment in our test environment took 13 hours.

We have seen a return on our investment in Splunk. The variety of options that Splunk provides is a great selling point for our customers.

While Splunk is more expensive than other solutions, we would still choose it because of its capabilities. Splunk is a leader in the field and provides a wider range of data and security features than other SIEM solutions.

I would recommend Splunk over any of the less expensive SIEM products. I recommend the license-based solution over the user-based solution that Splunk offers. If I had to recommend any other SIEM other than Splunk, it would be Microsoft Sentinel.

I would rate Splunk Enterprise Security seven out of ten.

The threat detection capabilities that we get by default are very basic. However, if we want to implement the most effective threat protection on the internet, we need to purchase a relevant solution for intelligent threat protection. This will provide us with more feeds for enterprise security and help us to integrate data by matching the data to the target and to the security with our Splunk.

We have 60 percent of our customers using Splunk Enterprise Security in their environments.

Splunk maintenance is required for updates. 

Splunk provides a centralized monitoring platform, eliminating the need to switch between different platforms to monitor security. Splunk provides a clear view of different security losses and incidents, and we can onboard any number of devices as needed. We can monitor our entire environment from one place, requiring only one team to monitor it. Splunk adds a lot of value currently.

Being in an air-gapped environment, we pretty much look for insider threats and other notables related to improper configurations and against security best practices.

We are 100% on-prem and in an air-gapped environment, so there is no Internet connection.

There have been some improvements, especially related to centering. We added user behavioral analytics, so it imports everything. Any threat generated inside of that goes into Enterprise Security. I wish anomalies would go in there, but I can understand why they don't, as it generates so many anomalies. However, it would be nice if I could select certain anomalies that would be helpful with notables. This way, I can track down security events before they become threats.

I believe Splunk Enterprise Security has reduced our mean time to resolve, but we do not have any definitive timing metrics.

Splunk has helped improve our organization’s business resilience because it is a central location where correlation searches populate. We can easily track down and figure out where issues lie, which minimizes the time of my SOC team. It probably saves them a couple of hours considering it is colocating everything in one location. It would be nice if there were better ways to search for the data. We can take a look at the raw logs, but we should be able to find the actual event that caused the problem and see all the logs associated with it in a standard log format as opposed to just a text file with all the events added in.

We are a small environment, so we do not get a lot of alerts. We work on the issues as we get them and I am sure it saves a couple of hours.

In terms of its ability to predict, identify, and solve problems in real-time, it works really well when you are connected to the Internet. The predictive analysis is more cloud-based. Trying to find ways to do it on-prem in an air-gapped environment with no Internet connection can be a pain. There are some ways to do risk-based analysis, but we are still hamstrung because we do not have the Internet connection and the larger data sets that they have.

Internal tracking is helpful because we do not like to deal with multiple ticketing systems, and I am not a fan of ServiceNow. We are able to keep everything internal and utilize Enterprise Security. Internal ticketing is helpful because we can bring in all the data and have it all available. That way, we can go back and take a look at it if we find another situation. We do not have to utilize other ticketing systems for cybersecurity.

Its interface and usability can always be improved. We are running on the last version, so I have not checked out how the newest one looks. Currently, we have to track down and remember where things are located. We have new guys on the team, and sometimes they have to click around and figure out where things are.

We have been using Splunk Enterprise Security for about five years.

The solution is not going anywhere. As long as they continue to support and develop it, and not make it a cloud solution, we will continue to purchase it.

We have a total of 500 devices, and we ingest around 150 gigs a day.

The scalability is pretty easy. They recently enabled it to be able to go into a search head cluster. Previously, the only way to install this was on its own dedicated search and it could not be connected to a cluster. Over the last four or five years, they have been pushing harder and harder for clustering everything up for shared resources. Enterprise Security is one of the few apps where you were not allowed to do that. Having scalability with the search head cluster is nice, and it is one thing I am looking at implementing in the future.

Splunk's support is pretty good. I contacted Splunk's support a couple of times. In total, they are helpful, and we are able to get the support where we need it, but unfortunately, it is self-inflicted because we are air-gapped. It takes me anywhere between 45 minutes to an hour and a half to get the logs required. I need to get them sanitized, approved, and transferred over so that I can get them to Splunk. I would rate them a nine out of ten because a couple of times, I found the answer before they did.

They have the best documentation in all of the tech sector, and it is not behind a paywall where you cannot find information. There is certain information in Splunk Knowledge Base under the support page that I believe should be searchable through Google.

Positive

The return on investment is very good because, with ELA, we purchased the products at a reasonable price. We did not have to pay significantly more for licensing than we could possibly use. We were able to combine and get it at a much lower cost point.

In terms of the time to value, it took us a couple of months to get used to the interface and get people trained. Unfortunately, we had some turnover during that time, so we had to constantly retrain or train new people. The newer versions of Enterprise Security that came along made things a little bit easier. Luckily, we had some free training provided to us because we have an enterprise license agreement.

Luckily, we come under a large federal agency, and before the pandemic, they signed a large enterprise license agreement. It worked out great and to our advantage because we are a small organization. We got a 300 gig license, and we just did not have the buying power to be able to get products cheaply. Because we all partnered together under the agency umbrella, we were able to get Splunk Enterprise Security, UBA, and ITSI for cheap. This was good considering the fact that some of these premium apps require a minimum number of users, and we do not have the number of people needed to even justify buying it.

I would rate Splunk Enterprise Security a seven out of ten. There is definitely some room for improvement. I have not installed the newer version. Once I get into it, I will see what new capabilities there are, but there is a decent lift that is needed for the setup. Professional services help with that, but the customer generally does not like paying for that more than once.

Because of the ELA, I am able to come to Splunk conferences for free instead of having to pay my own dime. That helps tremendously, especially considering the fact that education is included. I believe that is because of the enterprise license agreement with the government contract. That helps out a lot. I have been coming to conferences since 2017. There are a lot of good people and a great community.