Jeanette Pavelka - PeerSpot reviewer
Assistant VP, Data Loss Prevention at a financial services firm with 10,001+ employees
Real User
Top 10
Sep 11, 2025
Creating custom detections has accelerated threat response and improved team independence

What is our primary use case?

My main use case for Splunk Enterprise Security is web uploads.

What is most valuable?

The ability to create SPLs in Splunk Enterprise Security is my favorite feature. These features benefit my organization primarily through threat detection, which is what I use them for, so that's a huge benefit. Splunk Enterprise Security has absolutely helped improve my organization's business resilience.

What needs improvement?

Splunk Enterprise Security could be improved by incorporating AI features, as it doesn't have the AI capability that Pyramid does, where users can ask questions without having to write code.

For how long have I used the solution?

It has been more than three years.

Buyer's Guide
Splunk Enterprise Security
December 2025
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: December 2025.
879,371 professionals have used our research since 2012.

What do I think about the stability of the solution?

I haven't experienced any downtime or performance issues with Splunk Enterprise Security. Zscaler may experience issues because Splunk grabs data from them, but other than that, I haven't had anything crash.

What do I think about the scalability of the solution?

Splunk Enterprise Security adapts to our growing needs on a yearly basis, as we're constantly growing our program and it has helped in that way. We have expanded usage from just engineering, as now our whole DLP team uses it, allowing us to not rely on other people for it. It was a smooth process when we were expanding usage.

What other advice do I have?

The most significant challenges I've faced when using Splunk include getting the code right. I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security to be good, as changes are easy to make. On average, my security ops team takes about three days to remediate security incidents with Splunk Enterprise Security, depending on what the incident is.

My advice to other organizations considering Splunk Enterprise Security is that it depends on their needs and costs, but I think it can cover everything from a small business to a large business, so I would definitely recommend it.

On a scale of 1-10, I rate Splunk Enterprise Security an 8.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 11, 2025
Security Consultant at a logistics company with 10,001+ employees
Consultant
Top 20
Jun 12, 2025
Reduces manual intervention and enables comprehensive security monitoring with risk-based insights
Pros and Cons
  • "The features of Splunk Enterprise Security that I have found most valuable include the risk-based score and UBA/UEBA, user behavior analytics, or user and entity behavior analytics."
  • "We are planning to do certifications, and there are many features, such as risk-based score and score detection, where the current training doesn't provide visibility to the analyst. They should offer training based on the features we use."
  • "Areas of Splunk Enterprise Security that could be improved include the need for training and certifications. We are planning to do certifications, and there are many features, such as risk-based score and score detection, where the current training doesn't provide visibility to the analyst."

What is our primary use case?

My usual use cases for Splunk Enterprise Security involve creating notables, use cases, and dashboards. We are creating the use cases as per defense in depth across all the security layers, such as the network layer or data link layer, DLP protection, and network protection. We are using firewalls and proxy, as well as IPS, and we are using Defender as Cloud App Security of 365 and EDR. We are using Defender as a single pane of glass, collecting all the logs from all the security devices, writing the correlation rules, configuring the notables, and monitoring 360 degrees of the organization's security.

How has it helped my organization?

It is a comprehensive solution with many security-related features. The data enrichment feature helps identify any anomalies from devices and users. It helps identify any malicious activity patterns, risks, or login failures. 

We have implemented conditional policies where traffic from certain countries gets blocked. We are utilizing the Splunk Machine Learning Toolkit (MLTK) app to create models for automatic actions or remediation. We are trying to catch the true positive incidents and orchestrate a response. We have created two models to identify brute force attacks and user login failures.

What is most valuable?

The features of Splunk Enterprise Security that I have found most valuable include the risk-based score and UBA/UEBA, user behavior analytics, or user and entity behavior analytics. Based on this feature, we can identify anomalies in any activity from the user or device. 

It serves as a single pane of glass for all the security-related events. It helps cross-correlate with minimal manual intervention, detect true positives, and take remediation steps in an orchestrated manner. It is very efficient. It's a top solution in Gartner Quadrants and Datamatics.

What needs improvement?

Areas of Splunk Enterprise Security that could be improved include the need for training and certifications. We are planning to do certifications, and there are many features, such as risk-based score and score detection, where the current training doesn't provide visibility to the analyst. They should offer training based on the features we use. For any future enhancements or features, such as MLTK and SOAR platform integration, we need more visibility, training, and certification for the skilled professionals who are working.

For how long have I used the solution?

I have been working with Splunk Enterprise Security for seven years.

What do I think about the stability of the solution?

This solution is stable. The platform and the applications we are dealing with are stable and maintain high availability both on-prem and cloud.

What do I think about the scalability of the solution?

Scalability-wise, we find it comfortable. It's convenient to scale up or scale down the licenses or the components in the cloud.

How are customer service and support?

When we require support from the Splunk Enterprise Security team, if we raise a request, they respond based on priority, providing recommendations or best practices as per the platform recommendations.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I work with multiple customers. They use different products, such as Trend Micro XDR. The customer I am working with right now is using Splunk Enterprise Security. It was chosen by the customer.

How was the initial setup?

For deploying Splunk Enterprise Security, we follow a cluster environment for high availability and high performance, maintaining an architecture with several search heads, indexers, and forwarders. Data is pushed from all forwarders to the indexers, which are heavy forwarders where indexing, parsing, and normalization are performed. Once it is done, we search the data through search heads, with a license master and deployment server present to push configurations to all components of Splunk Enterprise Security. It's a distributed and clustered environment we are maintaining.

What was our ROI?

We have seen a return on investment. We are getting more security. We are able to secure the environment from all security threats and maintain an environment that is free from threats and attacks, especially cyberattacks.

What's my experience with pricing, setup cost, and licensing?

Pricing and licensing are quite high compared to other tools or SIEM tools, but the features justify it.

What other advice do I have?

Overall, I would rate Splunk Enterprise Security a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Jun 12, 2025
GuruPrasad3 - PeerSpot reviewer
Cyber Security Manager at a tech vendor with 10,001+ employees
Real User
Top 20
Sep 30, 2025
Provides strong threat visibility and MITRE coverage but lacks AI features and cost flexibility
Pros and Cons
  • "Splunk Enterprise Security would provide better capabilities and out-of-box detections."
  • "We haven't saved any money with Splunk Enterprise Security. Instead, we have spent in excess of the budget on this with unexpected costs."

What is our primary use case?

We use Splunk Enterprise Security for our security monitoring and incident management. This is our global application that we are using for security monitoring and compliance.

How has it helped my organization?

We've seen some good improvements from a business perspective, particularly regarding security monitoring. However, when I consider our current challenges and future roadmap, I don't believe Splunk Enterprise Security has the capabilities we need. We previously faced challenges with QRadar, which prompted us to migrate to Splunk Enterprise Security. While Splunk Enterprise Security has addressed the past issues we encountered, it fails to meet our future requirements. Currently, it effectively addresses existing threats, but it doesn’t tackle advanced threats, which is a significant challenge we foresee with Splunk. There is still a lot of room for improvement.

What is most valuable?

With the Classic flavor we have in our company, the feature that I find good in Splunk Enterprise Security is from the MITRE coverage point of view, and then the level of information that it provides. The integration with its own SOAR platform is also one of the pros.

What needs improvement?

From the product point of view and deployment point of view, Splunk Enterprise Security is satisfactory. It is not simple; it is at a medium level when it comes to deployment and management of the tool altogether. This includes not only the enterprise platform but also other components such as deployment servers or the Splunk agents we use for collecting logs. When comparing it with different vendors in the industry, from the deployment and maintenance point of view, it is not up to the level of other vendors. 

When discussing the drawbacks, it's important to note that the flavor I’m currently using is called "Classic." Unfortunately, this platform does not offer any of the new features that Splunk introduces. As a result, we are the last ones to find out about new capabilities, and we’re also slow to implement them. Splunk tends to release new features with different flavors of their platform, and being on the Classic flavor means we are least likely to receive the latest updates. This is a significant concern I have regarding Splunk.

When comparing Splunk Enterprise Security with next-gen SIEMs, we look for AI and ML models being incorporated in such a way that it automatically should be able to detect behavioral-based detections. It should be able to detect behaviors from logs and show us the entire attack surface and blast radius of any particular incident, which is primarily missing.

The capability of AI, Artificial Intelligence, is missing, which would help to automatically detect and read data comprehensively. Splunk lacks the new native solutions for agent deployment, which is essential for a large enterprise.

Currently, there is Machine Learning in Splunk Enterprise Security, but that is resource exhaustive and complex, bringing an impact onto our overall stack performance. Technical expertise in Machine Learning is required, and continuous monitoring is needed to ensure Machine Learning learns about our data to provide results, which is resource exhaustive, time-consuming, and costly.

Artificial Intelligence is missing in the Splunk Enterprise Security platform, which would help us read the data automatically, learn from it, and provide attack surface area from a 360-degree perspective. The fixed pricing model requires upfront purchase based on assumptions and roadmap, requiring payment for the next two to three years regardless of usage.

For how long have I used the solution?

I have been using Splunk Enterprise Security for around three years.

What do I think about the stability of the solution?

On a stability scale, I would rate it an eight out of ten.

What do I think about the scalability of the solution?

Regarding scalability, I would rate it a seven out of ten. I don't have the pay as you go model. 

We have 150 users using this solution.

How are customer service and support?

Whenever we raise any support case in Splunk, even after providing the required information, if a person is working on it and it gets transferred or handed over to a different representative in a different shift, they keep asking the same questions and requesting more details. Even when we ask for a call, even for P1 or P2 incidents, they keep going around asking for details. When we request P1 or P2 support, it would be wise to get into a call, get all the details, and have a troubleshooting call to address the issue on a priority basis. The technical support representatives keep transferring the tickets during shift handover, and different representatives ask the same questions multiple times, wasting our precious time. The issue doesn't get resolved until I escalate it to their higher management.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We were using QRadar previously. We had legacy systems, and from the volume and log source point of view, from the costing perspective and detection point of view, we thought Splunk Enterprise Security was far better than QRadar. Splunk Enterprise Security would provide better capabilities and out-of-box detections. These were some of the things that we saw, and Splunk Enterprise Security was also one of the leaders in SIEM technology. However, once we started using Splunk Enterprise Security, we discovered it was not the right tool.

How was the initial setup?

The initial setup was of medium complexity. It took approximately 8 to 12 months to migrate from QRadar to Splunk Enterprise Security. 

The cloud platform we are using is maintained by the Splunk team itself. However, when it comes to our on-premises deployment, the maintenance is very high, cumbersome, and costly from both resource and time perspectives.

What was our ROI?

We haven't saved any money with Splunk Enterprise Security. Instead, we have spent in excess of the budget on this with unexpected costs. That's one of the pain points I see with Splunk Enterprise Security. There haven't been any savings.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security comes with high fixed costs. That's one of the disadvantages. When comparing with different vendors, they offer pay-as-you-use models, which is more user-friendly, but Splunk Enterprise Security comes with fixed pricing.

Which other solutions did I evaluate?

We use different security tools as well.

What other advice do I have?

For any user who wants to have a cost-efficient and next-gen SIEM solution, I wouldn't recommend Splunk Enterprise Security. However, if a user is not concerned about cost and is looking for an on-premises solution, then I would suggest Splunk Enterprise Security. For anyone who wants to go for a cloud and cost-effective solution with next-gen capability, I wouldn't recommend this.

I would rate it a seven out of ten.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Sep 30, 2025
Sheenam Singla - PeerSpot reviewer
SAP Roles and Authorization Consultant at a tech vendor with 10,001+ employees
Consultant
Top 10
Sep 11, 2025
Supports faster incident response and improved threat detection through flexible customization options
Pros and Cons
  • "The features of Splunk Enterprise Security that I appreciate the most are its flexibility and scalability."
  • "The features of Splunk Enterprise Security that I appreciate the most are its flexibility and scalability, as it integrates disparate security solutions, offers many out-of-the-box apps through Splunkbase, enables straightforward customization, and supports efficient detection and alerting processes that improve overall business resilience."
  • "Splunk Enterprise Security can be improved by having more focus on the data health monitoring aspect, which will definitely be helpful."

What is our primary use case?

My main use cases for Splunk Enterprise Security are mostly for SOC, detection engineering, and incident response.

How has it helped my organization?

Splunk features benefit my organization as we can use it for any custom needs. That's the biggest benefit of getting it. It doesn't matter what team has what kind of requirements. There's a possibility through Splunk's back-end that we can customize it and make it work.

What is most valuable?

The features of Splunk Enterprise Security that I appreciate the most are its flexibility and scalability. 

I use disparate security solutions that integrate or import data into Splunk Enterprise Security. This integration supports my security operations, as one of the biggest advantages is that Splunk Enterprise Security comes with many apps and applications out of the box through Splunkbase, and there's essentially a connector available for any log source imaginable.

I find the process of customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security pretty straightforward overall. There's a lot of out-of-box content that can be leveraged and many features available to ensure all configurations are working as expected.

My organization uses risk-based alerting in Splunk Enterprise Security. It supports our SOC by significantly reducing the alert count and allowing analysts to focus on what matters most.

My SecOps team's remediation time for security incidents with Splunk Enterprise Security is definitely faster than other solutions.

I am utilizing new threat detection features in Splunk Enterprise Security, specifically the Assets and Identity Framework and risk-based alerting. These features have improved efficiency and helped reduce false positive counts.

Splunk Enterprise Security has helped improve my organization's business resilience. The flexible pricing models allow us to pick and choose, and I can easily see how different business units are consuming Splunk Enterprise Security, thereby distributing the cost within the organization.

I have recently expanded my usage, and the process was smooth.

What needs improvement?

Splunk Enterprise Security can be improved by having more focus on the data health monitoring aspect, which will definitely be helpful. A good out-of-box application that can help monitor if the data feeds are feeding in properly or if there is any drop will really help make life easier.

For how long have I used the solution?

I have been using Splunk Enterprise Security for six years now.

What do I think about the stability of the solution?

Assessing the stability and reliability of Splunk Enterprise Security in terms of downtime, crashes, and performance issues, there are no issues with the availability of the platform since it's cloud-based.

What do I think about the scalability of the solution?

Splunk Enterprise Security scales with the growing needs of my organization as it's highly scalable. As the organization grows, Splunk Enterprise Security can also grow.

How are customer service and support?

I would evaluate customer service and technical support as good.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I was mostly using Splunk Enterprise Security.

How was the initial setup?

I would describe my experience with deploying Splunk Enterprise Security as time-consuming. It definitely needs some planning and time to ensure that everything is set up and configured properly.

What was our ROI?

I have seen return on investment with Splunk Enterprise Security.

What's my experience with pricing, setup cost, and licensing?

I'm not on the licensing side.

What other advice do I have?

The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection are that it takes some time to get the hang of the platform, and it has a slight learning curve associated with it. Other than that, I have no complaints.

The advice I would give to other organizations considering Splunk Enterprise Security is to try it out and see if it fits their requirements. It's highly flexible, highly customizable, and can scale according to needs.

On our rating scale, I give Splunk Enterprise Security an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 11, 2025
Jason Ogresovich - PeerSpot reviewer
Principal Threat Detection Engineer at a transportation company with 10,001+ employees
Video Review
Real User
Top 10
Sep 13, 2025
Has accelerated detection workflows and enabled timely alert triage across multiple data anchors
Pros and Cons
  • "I would assess the stability and reliability of Splunk Enterprise Security as very reliable and very stable."
  • "Splunk Enterprise Security can be improved by addressing the content management interface, which is very outdated, slow, and clunky; sometimes we think things are saved and they haven't."

What is our primary use case?

As a threat detection engineer, my main use case for Splunk Enterprise Security is to create content to find anomalous activity in our environment. Splunk Enterprise Security, via the content management interface, allows us to create correlation searches, take advantage of summary indexes where we can correlate multiple findings per host, per user, whatever anchor point you want to use, and get those alerts to our analysts in a timely manner, where they can be triaged based on alert severity and criticality.

What is most valuable?

The notable feature of Splunk Enterprise Security, which in version 8 is going to be called "findings," is the ability to send notables, and all the actions that can be chained with the notable when you actually have a hit or a finding.

The ability to quickly automate detections based on alerts or intelligence that we operationalize in the environment benefits my company, as we get that alert sent to the appropriate parties and put in front of the analysts quickly, allowing for triage and the ability to group the alerts together instead of just always looking at a single finding.

What needs improvement?

Splunk Enterprise Security can be improved by addressing the content management interface, which is very outdated, slow, and clunky; sometimes we think things are saved and they haven't. Being able to edit saved content and saved searches in batch, such as when you have a log source and a field changes, is a pain point right now since you have to go in and basically update all of them unless you do some kind of Eval on the ingestion side; that's probably the biggest pain point with it right now.

What do I think about the stability of the solution?

I would assess the stability and reliability of Splunk Enterprise Security as very reliable and very stable.

What do I think about the scalability of the solution?

Splunk Enterprise Security scales very well with the growing needs of our company, although there are definitely some things that are behind the times, such as some of the limitations out of the box on KV Stores, lookups, and some of the commands, the MV line of commands and some of the limitations there. Hopefully, with the advent of all the cool AI and ML capabilities coming down in the 8 series, many of those limitations will be eliminated.

How are customer service and support?

Regarding customer service and technical support, I don't generally submit support tickets, however, I have on a few occasions. It's usually our Splunk engineering team.

We have bimonthly meetings with our account representatives, and we have some sort of on-call technical staff that are assigned to our company and our contract, and they've all been excellent; wonderful people to work with.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Prior to adopting Splunk Enterprise Security, I used another solution that does similar things, and over the course of my career, I've used a couple of different solutions, peer solutions with Splunk, but Splunk Enterprise Security is the best.

It really comes down to the versatility and how powerful it is; I have never worked with another platform where I can do as much for as many teams, not even just security, which is my primary focus, and the value that you can get out of it, I've never seen a platform that versatile.

What was our ROI?

From my point of view, the biggest return on investment when using Splunk Enterprise Security is keeping our company safe.

What other advice do I have?

The advice I would give to other companies that are considering Splunk Enterprise Security is that if you've never used Splunk, it can be a little daunting at first, learning a new language, Splunk SPL. That said, it's worth it.

The cycle time that's going to be taken in training and upskilling, once your staff is familiar with that, and you don't even have to do a lot of training, just a couple of the basic classes from Splunk University to get proficient, it's going to open a lot of doors.

On a scale of one out of ten, I rate Splunk Enterprise Security a nine out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 13, 2025
RajKumar27 - PeerSpot reviewer
Information Security Analyst at a hospitality company with 5,001-10,000 employees
Video Review
Real User
Top 10
Sep 13, 2025
Enables our team to automate threat detection and prioritize incidents through risk-based alerting
Pros and Cons
  • "I appreciate the Identity and Assets framework the most, as well as the threat analysis framework."
  • "To improve Splunk Enterprise Security, I suggest incorporating more AI features for faster remediation and enhanced responses, allowing users to build more correlation searches quickly."

What is our primary use case?

My main use cases for Splunk Enterprise Security include finding out excessive login failures, any compromised accounts, any compromised emails using phishing tactics with Proofpoint, network anomalies, User Behavior Analysis, and detecting rogue assets.

What is most valuable?

I appreciate the Identity and Assets framework the most, as well as the threat analysis framework. Those are my two favorites in Splunk Enterprise Security, along with correlation searches and the entire incident response workflow.

The Risk-Based Alerting in Splunk Enterprise Security is a great addition to our team, as it correlates data from different sources and adds scores to users or systems, allowing us to make decisions based on risk scores assigned to assets or identities.

Splunk Enterprise Security dashboards communicate our security posture and risk score to executives, including major contributing risk factors, key performance indicators (KPIs), and key risk indicators, which help us make informed decisions about future focus areas.

Splunk Enterprise Security helps our team save time by performing correlation searches automatically, eliminating the need for manual searches. We also utilize SOAR for taking automated remediation responses.

What needs improvement?

To improve Splunk Enterprise Security, I suggest incorporating more AI features for faster remediation and enhanced responses, allowing users to build more correlation searches quickly. Regarding improvements in Enterprise Security, I believe the incorporation of AI would enable Splunk users to spend less time on building correlation searches while still gaining productive ideas.

For how long have I used the solution?

I have over eight-plus years of experience working in the IT sector, with six-plus years of experience collectively working on security and Splunk-related tasks.

What do I think about the stability of the solution?

I would assess the stability and reliability of Splunk Enterprise Security at 90%.

What do I think about the scalability of the solution?

The scalability of Splunk Enterprise Security is impressive, as you can scale it to any size and make various types of data readable, although event types and tagging are necessary for optimal performance.

How are customer service and support?

Customer service and technical support for Splunk Enterprise Security are great; they respond quickly and handle our cases efficiently whenever we require assistance.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I used Splunk Enterprise Security at my previous company yet have not used any different products since then, although I have some knowledge about platforms such as Elasticsearch and QRadar.

How was the initial setup?

The challenges with deployment are the fine-tuning and some of the correlations, such as where the data is not normalized. And that's why the CIM module has been great so far.

What was our ROI?

The biggest return on investment with Splunk Enterprise Security lies in the time and effort it saves due to its built-in features, datasets, and pre-built dashboards, providing us with visibility across different data sources.

What other advice do I have?

My advice for other companies considering Splunk Enterprise Security is that if they're looking to enhance their security visibility or establish a security operation center, this tool is an excellent starting point, and they can scale and automate processes using SOAR effectively.

On a scale of one to ten, I rate this solution an eight.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 13, 2025
reviewer2755848 - PeerSpot reviewer
Cyber Security Engineer at a government with 1,001-5,000 employees
Real User
Top 10
Sep 11, 2025
Case management improves incident response but the user interface remains a daily challenge
Pros and Cons
  • "I evaluate customer service and technical support as great."
  • "Splunk Enterprise Security is probably one of the first products that actually could handle all the ingest and do all the correlation without crumbling under its own weight."
  • "To improve Splunk Enterprise Security, I would suggest allowing third-party SOAR solutions to work with it."
  • "The user interface feels clunky to navigate and interact with in Splunk Enterprise Security compared to other case management solutions where it feels easier to use at a high level."

What is our primary use case?

My main use case for Splunk Enterprise Security is incident response.

What is most valuable?

The feature I appreciate the most in Splunk Enterprise Security is the case management, although I have more critiques for the case management than favorite features. Having case management in Splunk Enterprise Security is something I appreciate since we needed a way to centrally manage all of our incidents. 

Having case management in Splunk Enterprise Security has really benefited our organization.

What needs improvement?

To improve Splunk Enterprise Security, I would suggest allowing third-party SOAR solutions to work with it. The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection include the user interface, which isn't terribly intuitive, and it has been a process to get people to adopt it and use it as much as they should.

The user interface feels clunky to navigate and interact with in Splunk Enterprise Security compared to other case management solutions where it feels easier to use at a high level. In Splunk Enterprise Security, the way you click through everything, attach stuff, and interact with other analysts feels cumbersome, with a lot of digging required to get into things; not everything is just one click away—things are usually three clicks away. 

The process of extending the usage of Splunk Enterprise Security is still bumpy; the user experience is really the challenge there, as many of our analysts complain about its difficulty for day-to-day use.

For how long have I used the solution?

I have been using Splunk Enterprise Security for about three years.

What do I think about the stability of the solution?

I have not experienced any downtime, crashes, or performance issues with Splunk Enterprise Security. Although we occasionally receive emails from Splunk about performance issues, they are typically resolved quickly, and the system appears to be running smoothly.

What do I think about the scalability of the solution?

Splunk Enterprise Security scales effectively with the growing needs of my organization and there are no issues.

How are customer service and support?

I evaluate customer service and technical support as great; our support team is fantastic, and we have regular cadence with our support teams and our representatives.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Before adopting Splunk Enterprise Security, we were using several different SIEM products to address similar needs, but I disliked them all; none of them really worked and they all crumbled under the ingest load. 

One product required us to completely sever logs since it couldn't compute; it was pretty bad. Splunk Enterprise Security is probably one of the first products that actually could handle all the ingest and do all the correlation without crumbling under its own weight.

How was the initial setup?

I would describe my experience with deploying Splunk Enterprise Security as easy, mainly because we use the cloud version; since it's Splunk Cloud, we didn't have to do much to deploy it, and we don't do a deployment in the cloud—it's managed.

What about the implementation team?

I have a team that customizes, develops, tests, deploys, and refines detections in Splunk Enterprise Security; I don't do that personally, so I cannot talk extensively to that process. However, we go through a process to do that, and I haven't heard many complaints about it.

What was our ROI?

I have seen a return on investment with Splunk Enterprise Security. Incident response, along with triaging and increased efficiency, has been a notable example of return on investment.

What's my experience with pricing, setup cost, and licensing?

It would always be great if Splunk Enterprise Security was cheaper; we definitely hit limits frequently with our ingest. I'm planning to explore the SVC model soon to see what that looks like. We're able to get what we need with what we have and can afford, so I'm satisfied.

Which other solutions did I evaluate?

We do not purchase this product on AWS Marketplace; instead, we get it directly from Splunk, or we go through a VAR.

What other advice do I have?

My advice to other organizations considering Splunk Enterprise Security is to make sure you understand all the functionality of it, not just what they show you, but also the integration points; understand the automation side of it and get a good holistic understanding before making a decision. 

On a scale of one to ten, I rate this solution a seven out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 11, 2025
Ravi Nandasana - PeerSpot reviewer
Splunk Architect/DevOps Engineer at a tech services company with 1-10 employees
Real User
Top 20
Jun 28, 2025
Saves a lot of time with powerful alerting and notification mechanism
Pros and Cons
  • "I would definitely recommend Splunk Enterprise Security because if you are really concerned about security and want to follow compliance rules, this product is really helpful."
  • "We can only increase the environment. For instance, with an ES server, we cannot make a cluster of ES. If you have two servers and want to make a cluster of these two servers for ES, that is not possible."

What is our primary use case?

Our purpose for using Splunk Enterprise Security is SIEM.

How has it helped my organization?

Machine learning has been incredibly beneficial in our efforts to detect various threats. For example, we pull all security logs and utilize the MLTK framework, which helps us identify potential risks effectively. So, overall, it's been quite helpful.

We use the risk-based alerting feature. For instance, when it detects a failed login attempt, it assigns a risk score to it. This allows us to utilize the risk-based alerting features effectively to prioritize incidents based on their severity.

Risk-based alerting generates notifications based on the level of risk associated with a transaction. This approach effectively assists in monitoring transactions, such as payments. It allows us to track the progress of a transaction, from initiation to completion, and identify any errors that may occur during the process. If there are numerous errors, we can assess the risk and determine whether the transaction might be a false positive.

Splunk Enterprise Security has been very helpful in this regard. However, I've noticed that improvement is still needed. We need to analyze the data more thoroughly. While this can be quite complex, finding a simpler solution would be beneficial.

What is most valuable?

The best features of Splunk Enterprise Security are the correlation rules and automation over the correlation rules. We can trigger alerts and notifications. The alerting and notification mechanism is really powerful and good. 

What needs improvement?

It needs more AI integration. The threat intelligence framework requires some AI functionality, which would be helpful.

For how long have I used the solution?

We have been using Splunk Enterprise Security for a couple of years, and I have been on the ES team for the last year. I have also used it in my previous company.

What do I think about the stability of the solution?

The stability of Splunk Enterprise Security rates at eight out of ten.

What do I think about the scalability of the solution?

It is scalable. We can only increase the environment. For instance, with an ES server, we cannot make a cluster of ES. If you have two servers and want to make a cluster of these two servers for ES, that is not possible. There is only one server, and if you want to increase scalability, you must increase the RAM and memory for that same server. The scalability is an eight out of ten.

We simply request Splunk support to increase our storage or make other adjustments as needed. We don't have access to AWS; all of that is managed by Splunk. We just need to reach out to them and say, "Please increase our storage by one terabyte," and they can handle that for us.

How are customer service and support?

Technical support for Splunk Enterprise Security is very good. We have daily calls. They are very helpful, rating at nine out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We tried LogScale in the past, but it has very limited functionalities and not a proper UI. It offers approximately 10% of Splunk Enterprise Security's capabilities. We haven't found any solution comparable to Splunk Enterprise Security.

How was the initial setup?

We utilize a combination of both cloud and on-premises setup. Specifically, we use Splunk Cloud for search indexes and other things. On the on-premises side, we have our heavy forwarders, standard forwarders, and user-defined forwarders. So, we effectively integrate both approaches.

The deployment for Splunk Cloud is very easy. They have predefined templates and setups on the AWS end. They utilize many AWS features. If you terminate any indexer, it will spawn up again. This type of automation exists with Splunk Cloud, making it really efficient.

It doesn't require any maintenance, but when we are doing batch upgrades, we need downtime, which is acceptable. It's four to five hours of downtime.

What about the implementation team?

Currently we have a team of seven people for Splunk Enterprise Security, with additional staff using Splunk Cloud and related services.

What was our ROI?

Splunk Enterprise Security helps to save a lot of time, which is our main purpose. Whenever something is wrong in our environment, we immediately get an alert. It saves time and costs. Compared to traditional methods, Splunk Enterprise Security saves approximately 40% to 50% of time.

What's my experience with pricing, setup cost, and licensing?

For small customers, Splunk Enterprise Security is quite expensive. For my team with a substantial budget, the cost is acceptable.

What other advice do I have?

I would definitely recommend Splunk Enterprise Security because if you are really concerned about security and want to follow compliance rules, this product is really helpful.

Splunk Enterprise Security helps save significant time and money, which most customers are looking for. It is easy to configure and manage. If you have certification or basic knowledge of Splunk Enterprise Security, it provides excellent job opportunities. The solution provides numerous helpful dashboards where you can directly check threats and other metrics. 

Overall, I would rate it an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer: partner.
Last updated: Jun 28, 2025
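As an added illustration of the risk-based alerting idea this review describes (each detection, such as a failed login, contributes a risk score to an entity, and the aggregate is what gets prioritized), here is a stand-alone Python sketch. It is example code written for this page, not Splunk's RBA implementation and not code from the reviewer's environment; the event records, scores, the 100-point threshold, the two-detection corroboration rule and the 24-hour window are all constructed assumptions.

```python
"""Risk-based alerting sketch: aggregate per-entity risk, alert on the total.

Example code for illustration only; not Splunk's RBA implementation.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample risk events (made-up data, not real logs). Each record names
# the entity a detection fired on, the detection, and the risk score it adds.
SAMPLE_RISK_EVENTS = [
    {"time": "2025-06-02T09:00:00", "entity": "alice", "detection": "failed_login", "risk": 10},
    {"time": "2025-06-02T09:01:00", "entity": "alice", "detection": "failed_login", "risk": 10},
    {"time": "2025-06-02T09:02:00", "entity": "alice", "detection": "failed_login", "risk": 10},
    {"time": "2025-06-02T09:10:00", "entity": "alice", "detection": "login_from_new_country", "risk": 60},
    {"time": "2025-06-02T09:30:00", "entity": "alice", "detection": "privilege_change", "risk": 40},
    # bob: one chatty detection that crosses the score on its own but lacks corroboration
    *[{"time": f"2025-06-02T10:{m:02d}:00", "entity": "bob", "detection": "failed_login", "risk": 10}
      for m in range(12)],
    # carol: a high score, but far outside the trailing window
    {"time": "2025-05-20T03:00:00", "entity": "carol", "detection": "malware_detected", "risk": 200},
]

# Assumed tuning values for the example.
RISK_THRESHOLD = 100          # aggregated score at which an entity becomes a notable
MIN_DISTINCT_DETECTIONS = 2   # require more than one detection type to corroborate
WINDOW = timedelta(hours=24)  # stale risk rolls off after this
SAMPLE_NOW = datetime(2025, 6, 2, 12, 0, 0)  # fixed "current time" for the sample data


def aggregate_risk(events, now, window=WINDOW):
    """Sum risk per entity over the trailing window and record which detections contributed."""
    cutoff = now - window
    totals = defaultdict(lambda: {"risk": 0, "detections": set()})
    for ev in events:
        if datetime.fromisoformat(ev["time"]) < cutoff:
            continue  # outside the window: old risk must not keep an entity hot forever
        bucket = totals[ev["entity"]]
        bucket["risk"] += ev["risk"]
        bucket["detections"].add(ev["detection"])
    return dict(totals)


def risk_notables(events, now, threshold=RISK_THRESHOLD,
                  min_distinct=MIN_DISTINCT_DETECTIONS, window=WINDOW):
    """Return entities whose aggregated risk crosses the threshold with corroboration, highest first.

    Requiring several distinct detections is what separates a genuinely risky entity
    from a single noisy rule that would otherwise page the analyst on its own.
    """
    notables = []
    for entity, agg in aggregate_risk(events, now, window).items():
        if agg["risk"] >= threshold and len(agg["detections"]) >= min_distinct:
            notables.append({"entity": entity, "risk": agg["risk"],
                             "detections": sorted(agg["detections"])})
    notables.sort(key=lambda n: n["risk"], reverse=True)
    return notables


def demo():
    """Run the sketch over the constructed sample data."""
    return risk_notables(SAMPLE_RISK_EVENTS, SAMPLE_NOW)


if __name__ == "__main__":
    for notable in demo():
        print(notable)
```

With the sample data only `alice` surfaces as a notable: her three failed logins alone would not cross the threshold, but combined with a login from a new country and a privilege change they reach 130 from three different detections. `bob` reaches 120 from failed logins alone and is held back by the corroboration rule, and `carol`'s old event has aged out of the window.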