Splunk Enterprise Security Reviews

Splunk Enterprise Security provides us with both log monitoring and alerting capabilities from a centralized interface.

Splunk Enterprise Security's detection capability is good. Real-time alerts are crucial for threat detection. When unknown traffic is identified, incidents are automatically created and alerts are sent to the monitoring team for prompt action.

Our mobile device ordering website experienced a fraud attempt. We identified a surge in traffic originating from the same IP address through Splunk Enterprise Security. This allowed us to swiftly block the suspicious activity, potentially saving millions of dollars.

Integrating Splunk Enterprise Security with other tools is easy.

It is easy for us to monitor our multiple cloud environments using Splunk.

Splunk offers good visibility across our multiple environments. We can monitor roughly 80 percent of our environment through Splunk.

Splunk is our primary tool for analyzing real-time logs to detect malicious activity. These logs are then used to create security incidents and trigger alerts for further action.

We can see the benefits of Splunk Enterprise Security quickly after deployment.

Splunk Enterprise Security reduces our alert volume because it is precise and customizable.

Splunk Enterprise Security helps us speed up our security investigations by sending alerts and providing a deep dive into the logs.

Splunk's visualizations make it easy for users to understand the data. Additionally, Splunk can ingest all our data, creating a centralized and informative platform. This combination is a powerful asset for data analysis.

Splunk Enterprise Security's pricing structure could be more accessible for smaller organizations. Licensing costs can be a barrier for those with limited budgets.

I have been using Splunk Enterprise Security for 5 years.

I would rate the stability a 9 out of 10. With a stable environment, we may encounter issues 2 percent of the time.

I would rate the scalability an 8 out of 10. 

Splunk now offers SmartStore, which automatically scales storage capacity without sacrificing performance.

The support team is supportive and quick to respond.

Splunk offers Platinum, Gold, and Silver support. With the Platinum package, they respond within two hours.

Positive

We transitioned from AppDynamics to Splunk Enterprise Security, which provides a valuable single pane of glass for managing and viewing security metrics.

The initial deployment is easy. The deployment for Splunk Enterprise Security is quick.

By automating our monitoring and alerting with Splunk Enterprise Security, we've achieved a significant return on investment. This has freed up over 190 days of manual monitoring effort by our team, resulting in overall cost savings of around 30 million dollars.

The licensing costs are high for Splunk Enterprise Security.

I would rate Splunk Enterprise Security 8 out of 10.

I highly recommend Splunk Enterprise Security to anyone looking for a comprehensive security solution. It's a single tool that can monitor and manage our entire security posture, including business metrics, IT infrastructure, and security alerts. Splunk also simplifies incident creation and log management, providing a central location for all your security data.

Splunk Enterprise Security is used by 30,000 people across multiple locations in our organization.

The widespread adoption of Splunk Enterprise Security requires regular maintenance to ensure optimal performance.

Organizations with low logging volumes can benefit from using the open-source ELK Stack.

The resilience Splunk Enterprise Security offers is good.

We mainly use the Splunk Enterprise Security app to use Splunk as a SIEM. I have worked with Splunk on-premises, which is Splunk Enterprise, and I have worked with Splunk Cloud as well. 

We mostly use Splunk for the SOC environment. We use Splunk for security incident monitoring.

Splunk Enterprise Security fastens our security investigations.

Our organization monitors multiple cloud environments. We have more than 50 customers. Customers have their own licenses, and for some customers, they are shared. We have a single Splunk console. We have customized Splunk, and we have onboarded multiple customers. For some customers, we have integrated Splunk with SOAR. There is a single console to monitor SIEM and other devices. It saves the analysis work. It provides good visibility as compared to the other SIEM products I have worked with. 

We use the Threat Topology and MITRE ATT&CK framework features. You can map your use cases with the MITER ATT&CK framework. It is common in all SIEMs nowadays. It is good. It gives a good mapping of the use case and a better understanding.

Splunk Enterprise Security has not helped reduce our alert volume. It behaves as we configure it. The engineer handles the fine-tuning of the use case and reduction in the alerts.

The fast search is valuable. As compared to other SIEMs, Splunk is very fast in terms of the search and providing data.

The customization of the use cases is another valuable feature. It is query-based, and now, there is a feature to have machine learning as well. We can write advanced-level use cases, which is a limitation of other SIEMs.

The third point is the device integration. It is very smooth. If I need to integrate devices for logs, it is easier with Splunk. We can integrate different applications, network devices, and databases. It is also very rich in documents. It is the best.

Splunk does not provide any default threat intelligence like Microsoft Sentinel, but you can integrate any third-party threat intelligence with Splunk. By default, no threat intelligence suite is there, whereas, with IBM QRadar or Microsoft Sentinel, the default feature of threat intelligence is there. It is free. It would be better if Splunk could provide a default threat intelligence suite.

The second issue is that Splunk is expensive compared to many other SIEM tools in the market. A competitive price will work better.

The third issue is that Splunk Cloud is sometimes slow. If I create more use cases, Splunk will be slow because they provide limited resources in Splunk Cloud. They can do some optimization there.

The last issue is that they used to give a trial version of the Splunk Enterprise Security app that we could showcase to customers for demonstration, but they have stopped that free trial version. If they can start that again, it will be better. It will help to showcase the capability of Splunk.

I have been using Splunk Enterprise Security for seven years.

It is sometimes slow. It also depends on the number of use cases or queries. You need to optimize the use cases or queries that are running and consuming a lot of resources. I have also seen Splunk Cloud hanging a bit. I would rate it a seven out of ten in terms of stability.

We have contacted their support many times. Their support is average. We sometimes have a hard time with their support. They are not very reliable, but this is the case with all SIEM products.

Neutral

We are also using Microsoft Sentinel and IBM QRadar. We have also used ArcSight. For some customers, we are using LogRhythm and the RSA solution. Different customers have different SIEM tools, but I find Microsoft Sentinel and Splunk better than the others in the market. I feel Splunk is the most mature tool at this time. It is very easy to customize. You can do whatever you want.

IBM QRadar is the cheapest option available in the market. It is a traditional SIEM tool. It is not as fast as Splunk or Microsoft Sentinel, but from a costing perspective, it is convenient. There are also a few open-source SIEM tools. Many companies are using those, but if you go with a commercial tool, IBM QRadar is very good in terms of cost value. When it comes to customization and maturity, Splunk Enterprise Security is definitely number one. Microsoft Sentinel comes second, and IBM QRadar comes third.

It is easier than other tools.

We implement it for our clients. The number of people involved depends on the license utilization, the number of devices, and the time frame. Two to three months are normally required for the full integration of a customer environment, and a minimum of two people are required for the integration.

It is expensive. That is why many customers have moved to IBM QRadar. The price is definitely a challenge for customers.

If budget is not an issue, you can go ahead with Splunk Enterprise Security. Nowadays, Splunk is ready to negotiate. With good negotiation, you might get a good deal. If you are a large organization with more than 2,000 devices or more than 500 licenses, Splunk is the best choice. If price is not an issue, you can blindly go with Splunk because it is the most mature tool in the market at this time. Microsoft Sentinel is scaling up, but it is still not there where Splunk Enterprise Security is.

Overall, I would rate Splunk Enterprise Security a nine out of ten.

We are using the SIEM platform in our security operations center. We use it both for internal purposes, for monitoring the alerts coming from our network, as well as we have built security operation center services for our B2B customers. We are using QRadar, Splunk Enterprise Security, and more recently, we have added Elastic on top of it.

The features of Splunk Enterprise Security that I find the most useful include the event collector and the tool for analyzing the incidents. The dashboard that we use summarizes the alerts within a certain period of time. The customizable dashboard feature helps to improve the team's decision-making skills because it provides us with a clear image of the types of events that we have within a month, and we are able to classify them based on severity.

I do not really have any additional features that I would want to see in Splunk Enterprise Security. The ticketing platform could be improved. We are using our own ticketing platform right now, but we have integrated it into Splunk Enterprise Security to communicate and report back to our customers on the events to have constant interaction.

I have been working with Splunk Enterprise Security for more than five years.

I have not faced any issues with stability or upgrades so far.

Splunk Enterprise Security is easy to scale for scalability. We onboard more and more endpoints from our customer infrastructure without any issues scaling it up.

We provide the Splunk Enterprise Security Threat Intelligence framework as a level three service for hunting and deeper inspection. We aggregate everything into a threat intelligence platform and provide feedback to our customers on their events.

Splunk Enterprise Security is quite easy to set up, especially the on-premises solution.

I have contacted Splunk Enterprise Security support for issues through a local partner that we work with. They provide the first level of support and in case there is a problem with the platform, they escalate it to the vendor.

Since implementing Splunk Enterprise Security, I have seen a return on investment. It is primarily a safety tool, so we do not expect a return on investment, but since we use the platform as an MSSP partner for Splunk Enterprise Security, we incur revenues for the services that we provide to our customers. We had a business case and the TCO looks quite acceptable.

Splunk Enterprise Security is reasonably priced compared to other platforms, and the licensing model is quite flexible. Based on the gigabyte of data that we ingest on a daily basis, it is quite well positioned in the market.

The event collector has been useful for us to gather logs from our customer's infrastructure. We have VPN connections with our customers, and we use the event collector to gather data from their network devices and incorporate it into the SIEM platform for further analysis.

The integration of Splunk Enterprise Security with our existing security infrastructure has influenced our threat detection capabilities as we use it as an independent tool. We have other security tools in place, such as firewalls from FortiGate, from Fortinet. We have some endpoint protection solutions, but we have integrated everything into the Splunk Enterprise Security platform. We use it as an XDR platform to collect logs from different sources, from clouds, from active directory, from endpoints, from routers, from firewalls, from all the points in our customer's infrastructure.

For the time being, we are quite satisfied with Splunk Enterprise Security. We are waiting for the AI engine to get more mature and to use it more extensively.

I would rate Splunk Enterprise Security a nine out of ten.

As a Splunk engineer, I collect data from various sources, including Universal Forwarder, Heavy Forwarder, DB Connect, and Syslog to monitor application logs. This data is used to create dashboards that visualize application health and identify potential security incidents. Additionally, I configure alerts to notify teams via Slack or email when CPU or memory usage reaches critical thresholds, allowing for prompt resolution. Furthermore, I use Splunk to create KPIs and NDDs for various aspects of the organization, including a custom ITSI service for Microsoft 365. This service monitors child entities like Teams, Outlook, and Edge within a parent application, tracking metrics like team member logins and meetings, CPU usage, and memory usage. All this information is consolidated into a three-page ITSI report.

Splunk Enterprise Security helps us detect malicious activity, such as failed login attempts by unauthorized users. These attempts, whether brute-force attacks or phishing attempts, trigger alerts with detailed information about the incident mapped to the MITRE ATT&CK framework. This allows our security team to investigate and take appropriate action quickly.

We managed Splunk's large clustered environments, I oversaw data collection from roughly 750 applications via universal deployment clients. This experience, coupled with my nearly six years of Splunk expertise, made monitoring application logs and creating Splunk knowledge bases straightforward tasks. While processing task cut-off tickets from the application team could be time-consuming, the actual monitoring itself was easy to manage.

The end-to-end visibility provided by Splunk is important because our company uses applications like K-Connect and Splunk to monitor user activity across different sectors. Having previously worked in both healthcare and finance, I'm familiar with how this process works. We access user information including personal data to track their activity from start to finish within our systems. Splunk allows us to mark specific user data points for further analysis, ensuring we have a full view of user or patient activity within each organization we serve.

Splunk helps me find security events across multi-cloud and on-prem platforms. I would identify missing data by checking the last hour's timeframe (span=1h). If on-prem or cloud data was missing, I'd investigate which logs weren't being ingested, whether an indexer was down, or if a forwarder wasn't sending data. Additionally, I'd check if the application or event log volume was overwhelming the universal forwarder, requiring a queue to process the data effectively.

Splunk improves our ability to handle data from applications. This data is often unstructured or unavailable in a usable format. To make it usable, we used to normalize the logs manually through back-end commands and edit various Splunk consoles and platforms. This process transformed the data into a structured, human-readable event format, allowing us to extract the information we needed.

We can identify potential malicious activity through Splunk by analyzing database logs with SQL queries. For instance, a high number of failed login attempts within a short timeframe could indicate unauthorized access attempts. Additionally, with multi-factor authentication systems like Duo, a user logging in from two geographically distant countries within a short period might be suspicious. To address this, I've developed SQL queries that check for logins within a one-hour timeframe across different countries. These queries trigger alerts on a dashboard, allowing IT to investigate the user's IP address and determine if the login is legitimate.

Splunk has significantly improved our business resilience by providing a single pane of view for all our data. This visualization allows us to monitor for anomalies, including unusual application activity, unauthorized executables, and suspicious shell scripts running on both Linux and Windows servers. By triggering alerts for these events, Splunk empowers our organization to proactively identify and address potential threats, ultimately improving overall stability.

Splunk allows us to easily check the data for malicious activity. It also helps reduce the alert volume by allowing us to set thresholds for alerts. For example, we only receive an alert when the CPU usage exceeds 90 percent or the number of failed logs is more than 15.

Splunk helps us investigate by providing relevant context from system logs. We can search the Splunk logs for specific applications and timeframes, and then examine all the data fields for suspicious activity, failed login attempts, or any other anomalies.

It helps security teams investigate threats faster by providing a central platform to collect and analyze data from various security applications. This focus on enterprise security allows teams to identify and respond to threats across the organization, leveraging frameworks like MITRE ATT&CK to match attacker techniques and tactics.

Splunk's strength lies in its single-page view. This interface allows us to explore all our data, build dashboards with alerts, and visualize real-time information through various charts like column, bar, and pie formats, providing a full user experience.

Due to its high licensing cost, Splunk is out of reach for many organizations. Making their licensing more affordable would open up Splunk's solution to a wider range of users.

I have been using Splunk Enterprise Security for six years.

Splunk Enterprise Security is a stable solution.

Splunk Enterprise Security has excellent scalability.

The technical support is good.

Positive

The deployment is complicated  because our organization works with on-prem servers. All the data needs to be duplicated and all the searches and indexes need to happen properly.

The Splunk licensing is high.

While more affordable, alternative SIEM solutions lack the flexibility and in-depth visualization capabilities offered by Splunk.

I would rate Splunk Enterprise Security nine out of ten.

While Splunk Enterprise Security offers a user-friendly interface, its true power lies in its ability to create highly customized dashboards that streamline investigations and reporting.

My role is to design and implement and manage a strong environment. I need to ensure the available insights can be extracted efficiently and I use the solution for that. I also configure the Splunk custom dashboard and optimize searches to meet specific business needs. We also do a lot of troubleshooting and upgrading.

The security part is useful as it helps secure the entire environment. I designed the security aspect of it for a lot of applications in my company. It's the security thread within the application that we build. I'm able to use Splunk to secure the applications. 

We use the solution to monitor multiple cloud environments. We can monitor even on Amazon products. It's a good source for monitoring all types of applications. 

I can manage and correlate different kinds of searches within my environment. It's good for performance monitoring as well. I can do auditing and reporting through Enterprise Security.

The solution gives us visibility into multiple types of environments. There's a good level of cost optimization as well. It's good for end detection and prevention. I can identify anomalies and get a data view of fraudulent activities. You can uncover the source type and the IP address from where things originate.

Splunk gives us the capability to handle insider threat detection. I'm able to create my own dashboard that will visualize the information. It does depend on how you handle the configuration and permissions. 

We do use the MITRE ATT&CK framework. It helps us discover the scope of the incidents. It helps us to target incidents immediately. We're able to quickly resolve it and stop it. We get data visibility to see what's coming in, which helps us act fast. 

We can work with data from any source as long as you configure it correctly.

The solution has helped us to reduce our alert volume. You can tune your alert thresholds. You can also create rules to define your alerts. It gives you the capacity to optimize queries as well. 

They didn't use to be able to integrate with Cisco. However, this has changed now. 

Some minor features could be added. However, I need to do more research. 

The user experience could be improved. It could be more intuitive.

There should be a way to do bulk visualization reporting. 

I've been using Splunk for 7 years. 

We haven't had any downtime. The only issues come up is if there is an extension of limits. If you extend beyond your license, you may get downtime. 

The solution is scalable. It's easy to manage. 

We have contacted technical support for troubleshooting. No solution or machine is perfect. We had an issue where a new hire misconfigured some servers and they were able to offer us support. They are helpful, however, they do need to be faster in response. They do provide a to of documentation that can be helpful. 

Neutral

I'm also familiar with CloudWorks. However, Enterprise Security has more features and can provide more insights. 

I'm familiar with Dynatrace.

Splunk was already in place when I arrived. I simply tried to implement different strategies in multiple environments. 

Splunk is pay-as-you-go. The pricing depends on your use case. You only really pay for the amount of data you are dealing with. 

I'm a Splunk customer. 

People shouldn't necessarily look for the cheapest pricing. You need to look at what will optimize costs and the time it takes to secure the data. The most important thing, before cost, is being able to successfully secure your data. You should choose your solution based on your use case as well. 

I'd rate the solution 8 out of 10. 

We use Splunk Enterprise Security as the main SIEM system for our operation center. We use it for monitoring detection, and alert management.

We implemented Splunk Enterprise Security to help detect attacks on our network.

Splunk Enterprise Security is highly flexible, allowing us to create whatever we desire. This exemplifies its inherent power. The visibility it offers is notably robust. We can craft it to our needs and even utilize various frameworks within Splunk, prepackaged for security purposes. We possess distinct applications hosting diverse dashboards, catering to numerous security products, including those from different vendors.

The effectiveness of Splunk Enterprise Security insider threat detection capabilities, aimed at identifying unfamiliar threats, relies on whether we establish alerts based on the rules we formulate. If we construct rules incorporating user behavior criteria, the system functions optimally. It appears that there is an Extended User and Entity Behavior Analytics add-on available, which requires a separate license in addition to the enterprise security license. This add-on utilizes machine learning and encompasses multiple developed use cases. While it has limitations, it effectively serves the specific use cases it is designed for.

The threat intelligence framework within Splunk is also highly potent. We can ingest, link, and integrate external data feeds. Concerning IOCs, there are numerous pre-configured alerts within the system that rely on a feed of undesirable IPs. If one of these IPs triggers any of the alerts, such as those generated by our firewall's traffic logs, and the IP matches the bad IPs in the threat intelligence feed, the system correlates this information. If the flagged IP is detected within our network or appears in our firewall logs, an automatic alert is generated. We simply need to ingest the external feed. Subsequently, if the system identifies the IP anywhere, we will receive corresponding alerts.

I appreciate the new MITRE ATT&CK feature. I believe it's a valuable addition and reasonably priced. It seems the feature has been largely developed through marketing efforts, utilizing the capabilities of Splunk to display the MITRE ATT&CK map and the associated rules. This is important since MITRE ATT&CK encompasses over a hundred techniques. It presents the information to us based on the MITRE ATT&CK framework to illustrate ongoing activities. However, achieving a comprehensive understanding of each technique within the MITRE ATT&CK framework requires significant effort and adjustments.

Splunk Enterprise Security has enhanced our organization by offering increased visibility. If any adverse incidents occur, we are promptly informed. Even without configuring the custom rules, Splunk provides effective out-of-the-box rules that help prevent attacks. Consequently, it effectively halts these attacks. In fact, we have been able to detect and thwart potential attacks in their initial stages. This exemplifies the benefits it provides us.

Splunk Enterprise Security has helped to speed up our security investigations. We are now able to complete our investigations within three or four days. 

The most valuable features include agility and Splunk Enterprise Security's ability to quickly search for alerted items, as well as the capacity to create custom alerts using the SQL language employed by Splunk. This makes it a highly potent and versatile solution tailored to both user and company needs.

Splunk could enhance its services by providing more comprehensive professional assistance aimed at optimizing our investment. This aspect seems lacking as our expenses increase with higher data connectivity, seemingly without much consideration, as this translates to increased revenue for them. The challenge lies in the fact that we don't always require all the amassed data. Oftentimes, clients are uncertain about their actual data needs. Therefore, if Splunk integrated a service dedicated to system optimization and pricing, focusing on essential monitoring data while eliminating less crucial elements, it could potentially lead to cost savings for the customers. This strategic move would demonstrate their commitment to customers beyond just financial gain. It would highlight their genuine intention to provide support, streamline operations, and maximize the potential of this technology for individuals and their respective companies.

Splunk provides automation for large-scale environments where numerous servers are present. Consequently, efficient management of these servers becomes imperative. Currently, our management server operates using a top-down approach. This involves establishing connections from the main management server to every individual leaf and subsequently, to each lower-level server.

However, this architecture lacks inherent security measures. In the current setup, Splunk employs multiple collectors to gather data. Subsequently, this data is relayed upward, filtered, and then once again transmitted to the main management server. Notably, data traffic consistently flows from external sources toward the central management hub. This design enhances security, as even if a hacker were to compromise or gain control of the management server, their influence would be limited. The data originates externally and travels inwards, preventing unauthorized access to the entire system. 

In contrast, the proposed approach for managing extensive infrastructures situates the management hub at the core. This central position allows us to establish connections from the hub to the various peripheral components, even if they are located on a secure network. However, this configuration carries significant risks. A security breach at the central hub could potentially grant an attacker elevated permissions. This would enable them to compromise the entire network by gaining access to all Splunk nodes within the company. This architecture is vulnerable and has room for improvement.

I have been using Splunk Enterprise Security for four years.

I would rate Splunk Enterprise Security's stability a seven out of ten. This is because the system lacks built-in protection against certain issues. It alerts us when there are problems in the system, which we then need to address. However, these issues are not always easily fixable, setting it apart from other systems. For instance, sometimes the system slows down while we're working. This can occur when a new alert is implemented, leading to high resource usage and system instability. We are then required to identify and rectify the specific cause of this problem. This might involve disabling or adjusting the alert to ensure it doesn't negatively impact the system's performance.

Splunk Enterprise Security's ability to scale is good. I rate the scalability an eight out of ten.

The technical support is good.

Positive

Previously, I used QRadar, McAfee, and ArcSight. However, Splunk Enterprise Security is a more modern solution. While ArcSight from HP is powerful, it is an older system with limited flexibility and complex architecture. Many companies implemented SIEM systems before Splunk became available. It seems that most large companies might still be using ArcSight, but other competitors have entered the market since then.

McAfee attempted to develop a similar system, but it lacked scalability and was better suited for small businesses rather than larger enterprises. QRadar, on the other hand, remains robust, but it lacks Splunk's flexibility. One of Splunk's notable advantages is its ability to generate alerts and then allow users to enter searches and queries to investigate network activities and log data. This process, known as threat hunting, enables users to conduct specific searches, such as identifying individuals who accessed a particular system and the internet between four and five o'clock on a Friday. Splunk promptly provides the desired results, typically within a few minutes, making it a strong choice for this purpose. Additionally, Splunk Enterprise Security features a highly effective filtering mechanism.

I participated in the planning and implementation of Splunk Enterprise Security, as well as the creation of all rulesets and alerts. I am also configuring it to align with our technical framework.

Individuals who market Splunk Enterprise Security often claim that it can be deployed within half a day, which is quite amusing. While it is conceivable to perform the installation in that timeframe, the real complexity arises when we must establish connections with numerous systems. This involves accessing each system external to our main setup, configuring it, and directing the system to send its logs to Splunk. On the Splunk side, we encounter the need to create parsing mechanisms that allow proper data reading. This entails installing applications capable of correctly parsing the data, and addressing issues where parsing is inadequate. We then proceed to work with the data. Although Splunk provides some pre-configured rules, we also need to develop our own rules to identify specific events and potential attacks. The process of rule creation demands a substantial investment in writing rule sets. Additionally, integrating a threat intelligence framework becomes essential. We aspire to leverage the micro-framework we have established. Splunk Enterprise Security undeniably possesses considerable capabilities. Nevertheless, it necessitates continuous effort to unlock its full potential and achieve ongoing enhancements.

The solution's complete implementation may require up to one year. Throughout most of the deployment, we had a team of two members, occasionally expanding to three.

For the implementation, we used two integrators and Splunk Professional Services.

Considering the fact that Splunk Enterprise Security aids in thwarting attackers from gaining access to our environment, I would correlate this with a return on investment.

Splunk Enterprise Security's pricing is high. Larger companies may afford it, but I believe that in the current market situation, where everyone is facing challenges, financial resources are tight. Even stock market tech companies are embracing cost-saving measures. Expenses are now more constrained compared to a few years ago when companies had greater spending capacity. Companies are reluctant to make hefty payments. While Splunk is cheaper than Microsoft Sentinel, QRadar is priced at half the cost of Splunk.

Splunk Enterprise Security's licensing is typically determined by the data throughput we handle. Additionally, they offer an alternative pricing model which involves payment based on CPU usage. This newer model was introduced as a response to Elastic Security. However, Splunk enforces licensing in either scenario. 

I rate Splunk Enterprise Security a nine out of ten.

We do not monitor the cloud environments with Splunk. While we have several cloud environments, we avoid using Splunk for this purpose due to its high cost. To utilize Splunk, it would be necessary to place the Splunk engine in the cloud and gather all the logs from various cloud sources, resulting in substantial expenses due to the large volume of logs. As a result, our primary usage of Splunk is on-premise. Instead, we employ different systems to monitor the cloud, generating alerts through various security mechanisms. These alerts are then processed in Splunk, reducing both data traffic and costs.

Splunk Enterprise Security's capabilities to analyze malicious activities and detect breaches are similar to those of other systems. Its effectiveness depends on the rules we develop within it. To truly maximize its value and tailor it to the organization's needs, a significant amount of additional work and utilization of professional services are required.

The reduction of the alert volume presents a challenge due to the X number of personnel in the security alert center. They can effectively handle only Y alerts per day without experiencing fatigue. When the volume surpasses this limit, they tend to merely open and close alerts without thorough investigation. It's as if they've become weary of the process. Therefore, we must determine the optimal number of alerts per day and adjust the rules accordingly. The primary objective is to achieve a statistically reasonable number of alerts per day. This number should be somewhat higher than the current rate, but not three times greater, as exceeding this threshold would render their efforts ineffective. Conversely, if the number of alerts is too high, the personnel's capacity to take action is undermined, resulting in a lack of meaningful outcomes. Striking a balanced middle ground is imperative. This approach enables us to effectively identify and address crucial matters while ensuring our personnel can thoroughly investigate each alert.

Depending on the goals an organization aims to achieve, if their sole focus is on finding the most economical solution and they do not prioritize comprehensiveness, then QRadar would suffice. However, if they seek instant access to answers, I would recommend Splunk Enterprise Security.

Splunk Enterprise Security is deployed across our entire network.

Maintenance is necessary for the system, and updates are needed periodically. Whenever we acquire a new system, we must connect it to Splunk.

Resilience constitutes a crucial component of Splunk Enterprise Security, contributing significantly to the safeguarding of our system.

I recommend Splunk Enterprise Security for organizations that have the budget, time, and skill to properly utilize the solution. I do recommend paying for Splunk Professional Services.

There are many use cases. Most of the use cases are related to security, data integration, and data sources. 

Splunk Enterprise Security helps with real-time detection. When we integrate any data source, if any external IPs or external devices are accessing that data source, we get notified. We get alerts based on the use cases we develop.

Splunk Enterprise Security has improved the incident response time a lot. Splunk is doing log ingestion, and it is also used to search the database for issues. It is ingesting and identifying. All that is happening in a single solution.

Splunk Enterprise Security is very easy to use. We can monitor anything. We can monitor and integrate any type of applications and servers. It is very easy and effective. I work with different security tools, but none of the security tools has these many features.

Splunk's documentation is clear. Irrespective of the environment we are working in, we have clear documentation.

One of our clients is using the Threat Intelligence Management feature. The actionable intelligence provided by the Threat Intelligence Management feature is very good.

I have been working with different vendors. Splunk Enterprise Security is a very effective and user-friendly tool. Whether it is Sentinel, LogRhythm, or QRadar, each one of them has its own limitations, but Splunk has all the features.

Its benefits can be realized very quickly. It does not take lots of days or months.

Splunk Enterprise Security has helped to reduce our alert volume. There is a 60% to 70% reduction.

Splunk Enterprise Security has helped speed up our security investigations.

It is user-friendly. It is more effective than other solutions. The support and help for troubleshooting and the documentation from Splunk make it very effective.

It has multiple features. It has data integration, search, reporting, and alerting.

It does not need any advanced programming. It only requires basic programming.

In terms of features, it does not need any improvement. Everything is good so far. The only improvement I am expecting is the cost of the licensing. Clients are going to other solutions just because of the cost.

I have been working with Splunk for more than 7 years. I have worked with Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, and on-prem Splunk.

It is very stable. We never had any issues or bugs.

Its scalability is good.

The support from the Splunk side is very good. They provide the best support.

Positive

I have used Sentinel and QRadar. I switched because of the advanced features, support, and good documentation. It is very effective. It is the best solution. The only problem is the cost.

I have worked with cloud deployments and on-prem deployments. Its initial setup depends on the environment. It is sometimes complex, and sometimes, it is very easy. We also get good support from them.

Our implementation strategy has 3 phases. We first go for development, and then we go for Pre-Prod. After that, we move to Prod.

Currently, I am the only one handling the deployment, but when it comes to operations, we need at least two to three people.

It requires maintenance. Generally, 2 people are required, but for my clients, I am the only one who is taking care of the maintenance.

We have seen an ROI.

It is expensive. I work for multiple clients. I am working for more than 5 clients, but most of the clients are switching from Splunk to Sentinel because of the cost. Even though Sentinel is very limited, clients are moving to Sentinel.

I would recommend Splunk Enterprise Security to anyone who is looking for a similar solution. This is the only solution with all these features.

I would rate Splunk Enterprise Security a 9 out of 10. It is stable, user-friendly, and feature-rich. It is very helpful. Even though it is expensive, the stability, support, and technical documentation make it very effective.

I work in security and use Splunk for endpoint and application security, use case development reports, etc. I haven't used Splunk much for threat intelligence. We have a threat intel feed configured, and we create use cases based on those and the recommendations by the threat intel team. If something isn't covered, we create a use case for it. For example, if an application has an authentication interface enabled, we check all their authentication mechanisms and all the login policies. 

Splunk speeds up our incident response by enabling us to automate some of the investigation steps, such as finding information about the user or the source of the incident on machines. We can then move directly into the remediation phase and assign those tickets to the remediation team. It also triggers automatic email alerts to the recipient user. If our security analyst wants to see the alert logs or anything, they can easily drill down to identify any information required.

It allows us to configure use cases involving our machine-learning toolkit, and we have an adaptive threshold in ITSI. Using these tools, we can eliminate false positives and do some whitelisting to weed out users who are performing benign activities. Removing the false positives reduces the incident response time.

We can start to see results immediately once we have achieved a steady state. For instance, we can easily show how much our mean resolution time for incidents has fallen and provide metrics in a way that is easy for our clients to understand. 

Splunk's interface is user-friendly, and it has apps and add-ons for most applications. We can easily normalize the data to make it readable and understand the logs. We easily get all the field extractions and enrichment done by using the apps and add-ons. This helps us understand the application logs because the raw data is useless unless we extract some useful information from it. These add-ons make it so much easier.

Dashboards are useful when we present things to management. They want the numbers and the results. The leaders aren't interested in what we are working on. We need some visualization for our presentations. Splunk has beautiful and useful visualization and dashboard alerts. We can easily create visualizations using the available options and create different types of charts, reports, and graphs that are easy for management to understand. We can also provide our leaders direct access to the dashboards, so they don't need to reach out to our team to get this data or we can automatically send them the reports via email. 

Splunk has several useful features, like asset and identity management. If we integrate our asset and identity management properly in this log, it's effortless to identify the user, device, or asset. We can get all the details if we integrate those things into the lookup engine.

It would be nice if Splunk reduced the cost of training. Their training sessions are way too costly.

We have used Splunk for around seven years.

Splunk is highly stable if you meet all the prerequisites and have enough physical memory for your local storage. 

If you use the cloud version you can scale as much as your licensing allows. It's easy to scale, upgrade, or add instances according to your needs. 

I rate Splunk support 8 out of 10. They're good, but I think there is room to improve because Splunk is the market leader, and they should strive to provide the best possible support. 

Positive

I previously used QRadar and ArcSight. Splunk is one of the top products. Compared to Sentinel or QRadar, Splunk is the market leader in features and security. You can integrate application, physical, or cloud security and onboard those logs into Splunk, then tailor it to your requirements. 

I've worked on multiple deployment models for Splunk, including hybrid, cloud, and on-prem. The deployment is straightforward. We do a POC and then scale it based on our requirements. 

I feel like Splunk is worth our investment. 

The cloud version of Splunk is somewhat expensive, but it does provide some flexibility because you do not need engineers to manage the system. Everything is hosted in the cloud because it is a SaaS service. It depends on the usage. It is costly, but everything good thing comes at a price.

I rate Splunk Enterprise Security 9 out of 10.