CEO at Securis360 inc.
Reseller
Used for compliance, logging, log storage, and root cause analysis
Pros and Cons
  • "Splunk Enterprise Security is a standard solution providing good customer service and partnership."
  • "Splunk should have more regional data centers in the Middle East."

What is our primary use case?

We mostly use the solution for compliance, logging, log storage, and root cause analysis. In 2015, we had AIG as a client, and they only had Splunk. Splunk Enterprise Security is one of the oldest solutions that did the logging and storage.

How has it helped my organization?

Splunk has fantastic brand value, which helps us sell it as resellers. The solution's pricing is quite competitive. The solution meets all the requirements. As a compliance person, I know that log storage is very important for data privacy compliance guidelines like ISO or CCPA. Splunk provides all of those compliances and checkmarks.

What is most valuable?

I like that the tool is light and the agent doesn't slow down the machine. Splunk Enterprise Security is a standard solution providing good customer service and partnership.

What needs improvement?

The solution should improve regional knowledge of the new regulations coming out of the Middle East. As a consulting firm, we are currently targeting many Middle Eastern markets, including Saudi Arabia and Dubai. They don't have a local server support cloud center there, which is a big issue because they don't want their data to go out of the region. Splunk should have more regional data centers in the Middle East.

Buyer's Guide
Splunk Enterprise Security
May 2025
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
857,028 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Splunk Enterprise Security for five years.

What do I think about the stability of the solution?

Splunk Enterprise Security provides good stability.

What do I think about the scalability of the solution?

The solution's scalability is fantastic. Even 10,000 to 50,000 endpoints don't slow anything down. The servers, log storage, and ingestion work smoothly, irrespective of whether there are 5,000 or 50,000 endpoints.

How are customer service and support?

The solution’s technical support is very good.

What was our ROI?

Our customers using Splunk Enterprise Security don't have any compliance issues, and they don't get fined by the regulators, which saves them money.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security's pricing is pretty competitive.

What other advice do I have?

I'm a consultant who uses Splunk for other clients. It's important for the clients that it can communicate with all kinds of devices, like firewalls, WAFs, servers, endpoints, switches, and routers. All of that is figured out over time, which is useful.

Splunk Enterprise Security is a good tool for finding security events across multi-cloud, on-premises, or hybrid environments.

Splunk has helped improve our organization's ability to ingest and normalize data. It can also identify and solve P1 or high-critical-priority problems in real-time.

Splunk Enterprise Security has helped us reduce our alert volume by around 50%.

The solution provides us with the relevant context to help guide our investigations, and this context information has impacted our investigation process. Having all the data in a single place does help with post-incident response and forensic root cause analysis.

Splunk Enterprise Security has significantly helped speed up our security investigations. I save 60% to 70% of my time because it's easier to find what I want to find through the tool's user interface.

Splunk Enterprise Security has helped reduce our mean time to resolve by around 50%.

Overall, I rate the solution ten out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user
reviewer2239824 - PeerSpot reviewer
Sr Cybersecurity Engineer at an energy/utilities company with 10,001+ employees
Real User
Correlation searches are very helpful, and it has amazing stability and fantastic documentation
Pros and Cons
  • "The correlation searches are most valuable just because we are able to do things like RBA."
  • "The UI could be better. This is applicable to Splunk in general. I know that a lot of people who get their hands on Splunk are hesitant to use it just because they find it overwhelming. There are a lot of options."

What is our primary use case?

We essentially use Splunk for our Security Operations Center (SOC). All of the notables that we create for the SOC are done in Splunk Enterprise Security. It is our SIEM.

How has it helped my organization?

I cannot put a value on it, but it has been pretty good. Previously, we used to use ArcSight. I used to do incident response when I first joined the SOC, and there were times when I used to sit down and run a search right at the start of my shift, which is at 7 AM, and I used to hope that it would be run by the end of the shift at 7 PM. I used to hope that it would run in 12 hours and not time out. When we got Splunk, it was a game changer. It took seconds to a minute depending on how intense the search was.

We monitor multiple cloud environments. It is easy to ingest data in Splunk. Based on what I hear from our customer success manager, he has customers who have issues ingesting logs, but for me, it is one of the easiest things ever. Their documentation is fantastic.

Splunk Enterprise Security has end-to-end visibility into our cloud-native environments. It is very important for us. When we first got cloud, it was like the Wild West. Anyone could spin up their own cloud infrastructure, and we would not know about it. It was public. We did not know what they were doing with it. Now, we have a better grasp and understanding of what is out there, so Splunk makes it easy for us to keep track of our endpoints that are public-facing.

Splunk Enterprise Security has helped reduce our mean time to resolve. As compared to ArcSight, it has saved at least three to four hours per incident. We utilize a SOAR platform. We do not use Splunk SOAR. We use a different SOAR platform, but with the combination of Splunk Enterprise Security and our SOAR platform, we are able to cut down our mean time to resolve. The time saved varies depending on the case. A normal case would probably take less than ten minutes per investigation. A critical P1 case would take more time, but a normal day-to-day case would take less than ten minutes for our analysts to do their work. A normal case is where a user clicks on a phishing link in an email, or your EDR solution says something happened and there is a threat actor in your environment moving laterally trying to access data.

What is most valuable?

The correlation searches are most valuable just because we are able to do things like RBA. One of the things that we started pretty recently is our insider threat program, and it has been pretty good, especially using RBAs as our framework for the insider threat.

What needs improvement?

The UI could be better. This is applicable to Splunk in general. I know that a lot of people who get their hands on Splunk are hesitant to use it just because they find it overwhelming. There are a lot of options. If you open Google.com, you just have a search bar. You just search and hit "go," but when people look at Splunk, they are just overwhelmed. I see that with our analysts. Even after training, if they do not use it every day, which they should be doing, they kind of lose it.

Its learning curve is a bit steep. It is hard for users to use it. For individuals who know how to use it, it is fantastic. It is great. For example, if you are a Splunk Cloud customer, and you had an outage or there is a maintenance window, those individuals who are power users would know immediately when it happens or they would know that there is a maintenance window coming up because they are the experts. They are the SMEs on their teams, and they are the ones creating value using Splunk. Individuals who do not know how to use it are intimidated.

For how long have I used the solution?

We have been using Splunk Enterprise Security since 2017. It has been about six years.

What do I think about the stability of the solution?

Its stability is amazing. It is always up. It is fantastic.

What do I think about the scalability of the solution?

It is awesome. When we first purchased Splunk Cloud, our ingest rate was about one terabyte or one and a half terabytes. We moved from the ingest-based license to the workload-based license three or four years ago, and now, we ingest about 10 to 12 terabytes. It is handling that just fine as if nothing has changed.

How are customer service and support?

I would rate their support a six out of ten because there are times when someone picks up a support case, but they do not know what they are doing. I have to guide them. It is like, "I have already done the research. This is what needs to be done. There you go. Do it." I expect a little bit more from support in terms of having the knowledge upfront.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We had on-premises ArcSight. We had one guy run it for our enterprise. Our enterprise has roughly over 130,000 people. We are a global company, and we had one guy run the entire infrastructure. We could tell when he took days off because it would not work. When we moved to Splunk, we went to Splunk Cloud immediately. We were one of the first Splunk Cloud customers or one of the bigger ones. That is what I was told when we made the switch.

I do not know whether we have seen any cost efficiencies by switching to Splunk Enterprise Security because I was not there during the ArcSight days per se. I was there at the very tail end, but I would assume that we have seen cost efficiencies just because ArcSight was only used by the security team, whereas Splunk is used enterprise-wide, not just by the security team. It should be cheaper for us. The value is there. It is cross-functional.

How was the initial setup?

I was not involved in its deployment.

What was our ROI?

Its time to value was about a year. It took us about a year because back in 2017, we were making that conversion from an on-premise ArcSight deployment to a Splunk Cloud deployment. We had to make sure that everything that was being sent to ArcSight was sent correctly to Splunk. We had to make sure that everything was in a common information model format and that we could rebuild the content.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security is cheaper than competitors, but I do not know whether it is just our contract. 

Everyone says that Splunk, in general, is expensive. I have talked to many peers within our industry, and I know a lot of individuals who are moving away from Splunk just because of the price. That is one of the reasons why we are looking at other competitors to see if anyone is doing something better than Splunk and has a cheaper rate.

Which other solutions did I evaluate?

I have looked at other competitors. We recently looked at CrowdStrike's LogScale solution. It feels like Splunk to me. I cannot say how we would reproduce what we have done in Splunk on the infrastructure side or backend. Our environment is uniquely different. Technically, I am the only person who runs Splunk for our entire organization, similar to the way the previous person ran ArcSight for the organization. If I were to compare apples to apples, Splunk to me is still number one in that category.

Splunk's community is the biggest benefit. It is so easy to go to Slack and hit someone up. There is a good chance that you will find someone out there who has run into the exact same issue that you are having. Their documentation is fantastic. Because I am the only one who runs it for our organization, it is easy for me just to Google it, find the document, and just follow it. It is as simple as that. It gets a little dicey with XDR and all the other things that are happening in the market, such as using a data lake. Instead of putting our eggs in one basket or using Splunk, we might use something like Snowflake.

What other advice do I have?

I get introduced to new ideas by attending the Splunk Conference. In the year before last, someone did a talk about business email compromises. Within our company, we did something similar, and we did it about nine to ten months before the talk. I listened to the talk to see if we were doing anything different from what they were doing. I found out that we were doing the exact same thing essentially. I thought, "We could have done a talk like this too." These talks are very helpful. For example, they showcased the attack analyzer, and currently, we are looking for an automated online sandbox, just like the attack analyzer. We have been looking at cloud-based sandboxes that are out there. Being able to see it hands-on and how it interacts with Splunk makes it much easier for us to make that decision.

Overall, I would rate Splunk Enterprise Security a nine out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2499570 - PeerSpot reviewer
Electronics Engineer at a government with 10,001+ employees
Real User
Improved our organization's ability to ingest normalized data and dashboards let us dig deep into our actual system
Pros and Cons
  • "The site is constantly up, and it's been really easy to adjust the data."

What is our primary use case?

We monitor secure events and notable events in the system and watch for outside intrusion. We create a lot of dashboards to respond to these events. It's used to monitor our live system, and as things occur, such as alarms and other notifications, it's really helpful.

How has it helped my organization?

We've captured many security intrusions and all kinds of threats trying to access the system and cause issues, particularly with the FAA in Alaska.

It's been great for us so far.

The end-to-end visibility that Splunk Enterprise Security provides into our environment is really critical. If we don't capture these events and something happens in the system, it could cause havoc to the telecommunications system in Alaska and really mess up air traffic.

Splunk Enterprise Security has been fantastic in helping us find any security event across multi-cloud, on-prem, or hybrid environments. I would give it a ten on ten.

It 100% improved our organization's ability to ingest normalized data. Splunk's ability to identify and solve problems in real time has been great. We use it in real time every single day, 24/7.

Moreover, it helped us reduce our mean time to resolve.

It helped us improve our organization's business resilience. We have great impressions of its ability to predict, identify, and solve problems in real time.

It 100% helps us consolidate networking, IT security, and IT and observability. Just being able to have everything in one spot together, a one-stop shop, is huge.

What is most valuable?

The dashboards let us dig deep into our actual system. Our system is spread throughout Alaska with about 70 sites, each with all kinds of equipment. Splunk Enterprise Security helps us mine through that data and look for security events.

For how long have I used the solution?

I have been using it for about ten years now. We use it in our system in Alaska. Basically, it's the software we use to do a lot of our monitoring of the system and dig deep into the data.

What do I think about the stability of the solution?

It's been great. The site is constantly up, and it's been really easy to adjust the data.

How are customer service and support?

It's been pretty good. I've never had to deal with it personally.

Which solution did I use previously and why did I switch?

Ever since I started here, we've been using Splunk.

What other advice do I have?

I'd give it a nine out of ten. There's always room for improvement, but Splunk is pretty great. It's one of our main tools.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Koti Masipogu - PeerSpot reviewer
Splunk developer at Maveric Systems Limited
Real User
Top 20
Helps us monitor multiple cloud environments, offers strong capabilities for detecting insider threats, and reduces our alert volume
Pros and Cons
  • "Splunk Enterprise Security is a valuable tool that allows us to monitor data from the APS daily."
  • "When files are absent, troubleshooting becomes difficult, and performance issues inevitably arise."

What is our primary use case?

Splunk Enterprise Security serves as our primary tool for endpoint detection.

How has it helped my organization?

Our organization manages security across multiple cloud environments. Splunk Enterprise Security is a valuable tool in this process, offering a comprehensive dashboard that centralizes monitoring for all our cloud deployments. This unified view allows us to efficiently track security posture and identify potential threats from a single location.

Splunk Enterprise Security offers strong capabilities for detecting insider threats. This security platform excels at analyzing data from a variety of sources, allowing it to identify unusual user behavior patterns.

It does a good job of analyzing malicious activity and helps us detect threats faster.

Splunk Enterprise Security helps reduce our alert volume and helps speed up our security investigations.

In our financial institution client environment, the insider threat detection capabilities allow us to closely monitor credit and debit card transactions for any signs of compromise. By leveraging Splunk's capabilities, we can proactively identify and address potential security threats that might impact our client's financial data.

We have improved our incident response time with Splunk.

Splunk Enterprise offers a variety of apps that cater to different needs. These apps provide features like directory management, add-on and data model control, report dashboards, and alerts. Notably, some of these functionalities are available in the free version. Additionally, there are separate apps for security purposes. Our EMEA region has its own set of apps, allowing them to upgrade, maintain, and manage separate dashboards specific to their requirements.

Dashboards can be customized to allow users to easily monitor specific data relevant to their needs. This might include data segmented by country, region, or even customer credit card information. By customizing the view, users can quickly identify trends and gain insights into areas of particular interest. Additionally, dashboards can be configured to automatically display default information or alerts upon opening, further streamlining the monitoring process and ensuring users can find the specific data they need right away.

What is most valuable?

Splunk Enterprise Security is a valuable tool that allows us to monitor data from the APS daily. This monitoring focuses on the success or failure of APS calls. Successful calls are identified by a status code of 200, while unsuccessful calls are indicated by a status code of 400 or any other code. By monitoring these codes, we can proactively identify situations where the intended data retrieval fails due to backend server issues. This distinction is important because it helps us differentiate between failures caused by backend server problems and those resulting from issues with the monitoring team's ability to send requests. This clear separation allows a dedicated team to investigate these specific backend server failures and implement resolutions.

What needs improvement?

Data profiling, data onboarding, and data maintenance are all crucial steps in ensuring the quality and usability of our information. However, encountering missing files disrupts this process. When files are absent, troubleshooting becomes difficult, and performance issues inevitably arise.

For how long have I used the solution?

I have been using Splunk Enterprise Security for many years.

What do I think about the stability of the solution?

Splunk Enterprise Security is stable.

How was the initial setup?

The initial deployment is straightforward.

What other advice do I have?

I would rate Splunk Enterprise Security eight out of ten.

Splunk Enterprise Security is a powerful security solution that offers flexibility. This flexibility empowers our team to adapt and respond to evolving threats. With Splunk Enterprise Security, we have the tools and adaptability to effectively address whatever security challenges we encounter.

I recommend Splunk Enterprise Security as the most suitable solution for monitoring and protecting our data.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Harsh Bhardiya - PeerSpot reviewer
SOC Engineer at Just Dial Limited
Real User
Top 20
Provides complete visibility, analyzes malicious activities, and improves detection times
Pros and Cons
  • "Splunk Enterprise Security offers valuable features like seamless integration and a SQL-standard Structured Query Language for easy searching."
  • "Splunk's implementation process for managing multiple indexes can be complex, especially when dealing with a large number of components."

What is our primary use case?

We use Splunk Enterprise Security to secure our client's network and provide clear visibility.

Our client lacked a SIEM solution to comply with regulations, so we recommended Splunk Enterprise Security, and they agreed to implement it.

How has it helped my organization?

Splunk Enterprise Security provides complete visibility into the environment. We can add any data to the indexer, and it will begin to be displayed. All we need to do is create use cases tailored to the client's needs.

Splunk's threat intelligence management capabilities are strong, thanks to its user-friendly interface and ability to correlate data from various sources. While it competes favorably with other SIEM tools, its effectiveness ultimately depends on how it's configured.

The actionable intelligence from Splunk's threat intelligence management feature helps us understand what's happening in our environment, enabling further investigation.

We updated the IOCs within the MITRE ATT&CK framework indexing for Splunk. This allows us to compare all received alerts against the MITRE ATT&CK categories. By using the MITRE ATT&CK framework, I can identify the potential type of threat, its mitigation strategies, and the overall attack behavior. Furthermore, I can use the framework to investigate the affected hosts, their origin, and the attack vector.

Splunk Enterprise Security does a good job analyzing malicious activities and detecting breaches.

Splunk Enterprise Security has improved our detection time.

Splunk Enterprise Security has improved our clients' security posture by providing them with better visibility into vulnerabilities, along with proper mitigation strategies and clear explanations. The benefits are apparent within the first month.

Splunk Enterprise Security helped us reduce our alert volume. Initially, the high number of alerts was overwhelming because we were in a new environment, but the volume gradually leveled off and decreased by 50 percent.

Splunk Enterprise Security has accelerated our security investigations by 30 percent. It integrates seamlessly with our EDR solution, providing a single pane of glass view for all security logs.

What is most valuable?

Splunk Enterprise Security offers valuable features like seamless integration and a SQL-standard Structured Query Language for easy searching. Additionally, implementing devices is straightforward, similar to a plug-and-play process.

What needs improvement?

Splunk's insider threat detection capabilities have limitations. While it offers customization, pre-configured rules for common threats are scarce. This means we need to create our own rules, which can be effective if we have the expertise and understand our specific needs. However, behavior analytics seem less useful and have room for improvement.

Splunk's implementation process for managing multiple indexes can be complex, especially when dealing with a large number of components.

Splunk could benefit from a feature that allows users to indicate they are working on an alert or incident. This would prevent other users from wasting time investigating the same issue. Ideally, this wouldn't involve a formal assignment, but rather a temporary indication that someone is currently looking into it.

For how long have I used the solution?

I have been using Splunk Enterprise Security for 9 months.

What do I think about the stability of the solution?

Splunk Enterprise Security is reliable, and the stability is a ten out of ten.

Splunk Enterprise Security offers good resilience. Even for unsupported tools, simple integrations can be customized. Splunk is constantly improving.

What do I think about the scalability of the solution?

I would rate the scalability of Splunk Enterprise Security ten out of ten.

How are customer service and support?

The technical support team is excellent. They proactively identify and inform clients about any vulnerabilities or security gaps in their environment.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial deployment of Splunk Enterprise Security was fairly straightforward. While the documentation is comprehensive, fully deploying the solution can be time-consuming. The timeframe can vary depending on your environment's complexity. For instance, a company with 1,500 to 2,000 employees and a large number of systems and servers might require a month for complete deployment.

I collect the client's requirements and then open a support ticket with Splunk. The ticket will address configuration assistance and, if the deployment is in the cloud, will inquire about the client's storage needs. After I submit the ticket, Splunk will communicate directly with the client.

The deployment involves several teams, and I lead the oversight of both the deployment itself and the analytics function, ensuring a seamless process.

What's my experience with pricing, setup cost, and licensing?

While some clients find the cost of Splunk Enterprise Security to be on the higher end, its pricing is comparable to other SIEM solutions. Ultimately, the value it delivers justifies the investment.

Don't simply choose the cheapest SIEM solution. Consider your organization's specific needs and environment. Even if you prioritize affordability right now, I can offer more powerful tools. However, the best solution isn't just about price. It depends entirely on your environment. Therefore, you need to establish a budget based on your specific requirements. Ultimately, the ideal SIEM solution aligns with your organization's needs.

What other advice do I have?

I would rate Splunk Enterprise Security 8 out of 10.

Splunk Enterprise Security requires maintenance for new onboarding, log management, and archiving. A maximum of two people are required for the maintenance.

Splunk Enterprise Security is a robust security solution that's easy to manage after initial configuration.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: integrator
PeerSpot user
    Manu Subbaiah - PeerSpot reviewer
    Director, Cyber Security Strategy, Implementations & Operations at a consultancy with 10,001+ employees
    Real User
    Top 20
    Offers users the ability to onboard data easily with minimal connectors
    Pros and Cons
    • "The solution's most valuable features are its ability to transact in the cloud and its ability to onboard data easily with minimum connectors."
    • "The product's price may be an area of concern where improvements are required."

    What is our primary use case?

    I use the solution in my company to deal with certain migrations from a legacy SIEM solution to a new product like Splunk Enterprise Security or from on-prem to cloud migrations. Another use case involves implementing a new SIEM solution like Splunk Enterprise Security from scratch.

    What is most valuable?

    The most valuable features are its ability to transact in the cloud and its ability to onboard data easily with minimal connectors. Some of the new players in the market need to build new connectors to bring data into the SIEM solution. With Splunk Enterprise Security, you get built-in connectors, as it is a major platform.

    What needs improvement?

    The product's price may be an area of concern where improvements are required.

    The metrics that I or my company's clients see in terms of the improvements from the use of Splunk stem from the fact that some of the metrics that the tool provides for senior leadership, specifically in the area of visibility when it comes to organizational split, considering that there are multiple lines of business. It would be a good feature in the tool if it could provide dashboarding for different lines of business in the product's next release.

    One of the key areas where Splunk Enterprise Security can do better is if it integrates with AI solutions.

    For how long have I used the solution?

    I have been using Splunk Enterprise Security for five years.

    What do I think about the stability of the solution?

    Our company's clients who use the solution like the fact that they can rely on Splunk Enterprise Security as a product, especially since it is not a new entrant in the market. Though the tool has moved from on-prem to the cloud, I feel that the fundamentals of Splunk Enterprise Security are strong. The support structure available for Splunk is good.

    What do I think about the scalability of the solution?

    Scalability is of paramount importance to a lot of clients. Some of the clients value the scalability feature of the product, and they are also willing to pay more to use such features. There are some pharmaceutical clients my company deals with who like the scalability feature but do not like the increase in the price attached to the scalability part.

    How are customer service and support?

    To be very fair, I have not been directly exposed to Splunk's support team since I deal with our company's clients. I have not heard any major complaint from our company's client regarding Splunk's support team, so I assume that it is pretty good.

    How was the initial setup?

    Deployment of the product is easier than migration. It is always better to write on a clean board than write on a board where someone has already written something. If you migrate from one solution to another, you also have to migrate some of the use cases, and you need to fine-tune them. If you are deploying a product from scratch, it is easier. My company also recently dealt with one of the clients, and we had to onboard 28 log sources in ten weeks with no issues. We also had to deal with heavy forwarders, syslog, universal forwarders, and everything under the sun, which was a big mix, making it a difficult environment. There were no issues during the onboarding process. In general, I am happy with the product.

    What was our ROI?

ROI depends on a lot of calculations, so my company does not consider it. Most of the complaints from our clients are related to the cost of the product. Our company's clients are happy with the features and reliability of the product. Cost is one of the major factors in companies migrating from Splunk Enterprise Security to some other solution. I don't know if it is relevant or not, but I feel that the acquisition of Splunk by Cisco has spooked a few of the clients since they are unsure if they will receive any support if they don't have a Cisco-based infrastructure and instead have some other company like HP supporting their infrastructure.

    What's my experience with pricing, setup cost, and licensing?

Splunk is really expensive compared to all the other tools on the market, including Microsoft Sentinel. Some of the clients prefer to go for a data lake kind of solution because of Splunk Enterprise Security's prices. Some of the clients have also mentioned that the pricing of Splunk Enterprise Security is not visible to them and is based on storage, because of which they are not able to control various aspects associated with the pricing.

    What other advice do I have?

    In cases where I see the replacement of existing SIEM solutions from my company's customers' end, I have dealt with scenarios where Microsoft Sentinel replaces Splunk Enterprise Security. I have also dealt with implementations associated with Splunk Enterprise Security from scratch. I have managed migrations of Splunk Enterprise Security from on-prem to the cloud.

    The primary reason customers are moving to a cloud-based solution is that products like QRadar and LogRhythm did not initially offer cloud versions. The other reasons why customers are moving to cloud-based solutions are the difficulty of configuring their use cases and the problem of finding the right resources to support them. With Splunk and Microsoft Sentinel, resources will be much more available to users in the market, but for LogRhythm, the market is going down. Training opportunities, the building of accelerators, available information in the outside world, and a lot of reasons have prompted customers to move to cloud-based products.

I would say that it is easy to configure the use cases, and also to correlate use cases, which in turn helps reduce alert volume. More importantly, the product can provide good visibility in the area of dashboarding, metrics, and security events.

    Splunk Enterprise Security helps me find any security event across multi-cloud, on-premises, or hybrid environments.

    Visibility across multiple environments or varied environments is absolutely important to our company's clients, and it is one of the key areas because most clients do not want to go and see multiple tools like CrowdStrike for endpoint protection. Our company's clients want to be able to see one dashboard with all the feeds coming in, along with all the alerts correlated to it.

The product provides relevant context to guide our company in the investigation. When you have more context, L1 or L2 support finds it easier to investigate. I don't know if Splunk already has an AI-based plugin tool or not. If AI is present in the product, it would help L1 and L2 support resolve tickets in a much faster manner, and it is also an area where context helps.

I have seen a reduction in the mean time to resolve from the use of Splunk Enterprise Security by around 30 to 40 percent if it is able to deal with contextualization. L1 and L2 support teams look at a particular incident, and if they end up spending more time adding the context or going through multiple tickets, it adds to the time needed to resolve an issue.

    The product helps speed up security investigations by around 30 to 40 percent. Collecting the context is the key step for resolving or investigating purposes.

It is not fair to state why a certain rating is being given to a product since a person rates a solution on certain aspects, and it could be in terms of the migration part. If I speak in terms of the performance and support parts of the solution, I would rate the product a nine. If I consider the cost of implementing and maintaining the product, I would rate other products much better than Splunk Enterprise Security. As a company, we have implemented Splunk Enterprise Security multiple times, and we see the business associated with the product growing higher. My company also provides training to people in relation to Splunk Enterprise Security. My company hopes to do more business with Splunk Enterprise Security. My company has 300,000 employees.

    I rate the overall tool an eight out of ten.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Integrator
    PeerSpot user
    Sneha Golhar - PeerSpot reviewer
    Senior Engineer at Wipro Limited
    Real User
    Top 20
    Is quick to deploy, easy to integrate, and provides good visibility across our environment
    Pros and Cons
    • "Splunk's visualizations make it easy for users to understand the data."
    • "Licensing costs can be a barrier for those with limited budgets."

    What is our primary use case?

    Splunk Enterprise Security provides us with both log monitoring and alerting capabilities from a centralized interface.

    How has it helped my organization?

    Splunk Enterprise Security's detection capability is good. Real-time alerts are crucial for threat detection. When unknown traffic is identified, incidents are automatically created and alerts are sent to the monitoring team for prompt action.

    Our mobile device ordering website experienced a fraud attempt. We identified a surge in traffic originating from the same IP address through Splunk Enterprise Security. This allowed us to swiftly block the suspicious activity, potentially saving millions of dollars.

    Integrating Splunk Enterprise Security with other tools is easy.

    It is easy for us to monitor our multiple cloud environments using Splunk.

    Splunk offers good visibility across our multiple environments. We can monitor roughly 80 percent of our environment through Splunk.

    Splunk is our primary tool for analyzing real-time logs to detect malicious activity. These logs are then used to create security incidents and trigger alerts for further action.

    We can see the benefits of Splunk Enterprise Security quickly after deployment.

    Splunk Enterprise Security reduces our alert volume because it is precise and customizable.

    Splunk Enterprise Security helps us speed up our security investigations by sending alerts and providing a deep dive into the logs.

    What is most valuable?

    Splunk's visualizations make it easy for users to understand the data. Additionally, Splunk can ingest all our data, creating a centralized and informative platform. This combination is a powerful asset for data analysis.

    What needs improvement?

    Splunk Enterprise Security's pricing structure could be more accessible for smaller organizations. Licensing costs can be a barrier for those with limited budgets.

    For how long have I used the solution?

    I have been using Splunk Enterprise Security for 5 years.

    What do I think about the stability of the solution?

    I would rate the stability a 9 out of 10. With a stable environment, we may encounter issues 2 percent of the time.

    What do I think about the scalability of the solution?

    I would rate the scalability an 8 out of 10. 

    Splunk now offers SmartStore, which automatically scales storage capacity without sacrificing performance.

    How are customer service and support?

    The support team is supportive and quick to respond.

    Splunk offers Platinum, Gold, and Silver support. With the Platinum package, they respond within two hours.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We transitioned from AppDynamics to Splunk Enterprise Security, which provides a valuable single pane of glass for managing and viewing security metrics.

    How was the initial setup?

    The initial deployment is easy. The deployment for Splunk Enterprise Security is quick.

    What was our ROI?

    By automating our monitoring and alerting with Splunk Enterprise Security, we've achieved a significant return on investment. This has freed up over 190 days of manual monitoring effort by our team, resulting in overall cost savings of around 30 million dollars.

    What's my experience with pricing, setup cost, and licensing?

    The licensing costs are high for Splunk Enterprise Security.

    What other advice do I have?

    I would rate Splunk Enterprise Security 8 out of 10.

    I highly recommend Splunk Enterprise Security to anyone looking for a comprehensive security solution. It's a single tool that can monitor and manage our entire security posture, including business metrics, IT infrastructure, and security alerts. Splunk also simplifies incident creation and log management, providing a central location for all your security data.

    Splunk Enterprise Security is used by 30,000 people across multiple locations in our organization.

    The widespread adoption of Splunk Enterprise Security requires regular maintenance to ensure optimal performance.

    Organizations with low logging volumes can benefit from using the open-source ELK Stack.

    The resilience Splunk Enterprise Security offers is good.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: My company has a business relationship with this vendor other than being a customer: partner
    PeerSpot user
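The fraud attempt described in the review above was caught as a surge of requests from one source IP. The following is an added example, not code from the review or from Splunk, of the same detection logic written in Python so it can be run offline: a sliding-window count of requests per source IP over constructed web-server log lines (the timestamps, IPs and paths are made up for illustration; the 60-second window and threshold of 5 are assumed values, not figures from the review).

```python
"""Per-source-IP request-surge detection over constructed access-log lines.

Added example (not from the review or from Splunk). Log lines, window size
and threshold are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <src_ip> <method> <path> <status>".
# 10.0.0.5 bursts eight order requests in under half a minute; the other two
# sources stay well under any reasonable per-minute threshold.
SAMPLE_LOGS = """\
2024-03-01T10:00:00 203.0.113.7 GET /catalog 200
2024-03-01T10:00:03 10.0.0.5 POST /order 200
2024-03-01T10:00:05 10.0.0.5 POST /order 200
2024-03-01T10:00:07 10.0.0.5 POST /order 200
2024-03-01T10:00:10 198.51.100.2 POST /order 200
2024-03-01T10:00:12 10.0.0.5 POST /order 200
2024-03-01T10:00:15 10.0.0.5 POST /order 200
2024-03-01T10:00:20 10.0.0.5 POST /order 200
2024-03-01T10:00:25 10.0.0.5 POST /order 200
2024-03-01T10:00:30 10.0.0.5 POST /order 200
2024-03-01T10:02:00 198.51.100.2 POST /order 200
2024-03-01T10:04:00 198.51.100.2 POST /order 200
2024-03-01T10:05:00 203.0.113.7 GET /catalog 200
2024-03-01T10:06:00 198.51.100.2 POST /order 200
2024-03-01T10:08:00 198.51.100.2 POST /order 200
2024-03-01T10:10:00 198.51.100.2 POST /order 200
2024-03-01T10:12:00 203.0.113.7 POST /order 200
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src_ip, path)."""
    ts, ip, _method, path, _status = line.split()
    return datetime.fromisoformat(ts), ip, path


def sliding_window_counts(events, window):
    """Yield (src_ip, count, window_start, window_end) after every event.

    `count` is how many requests from that IP fall inside the trailing
    `window` ending at the current event, which is the sliding-window
    equivalent of a per-IP rate.
    """
    per_ip = defaultdict(deque)
    for ts, ip, _path in sorted(events):  # process in time order
        recent = per_ip[ip]
        recent.append(ts)
        while recent and ts - recent[0] > window:  # drop events outside the window
            recent.popleft()
        yield ip, len(recent), recent[0], ts


def detect_surges(lines, window_seconds=60, threshold=5):
    """Return one alert per source IP the first time it reaches `threshold`
    requests inside any trailing window of `window_seconds`."""
    events = [parse_line(l) for l in lines if l.strip()]
    window = timedelta(seconds=window_seconds)
    alerted = set()
    alerts = []
    for ip, count, start, end in sliding_window_counts(events, window):
        if count >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"src_ip": ip, "count": count,
                           "window_start": start, "window_end": end})
    return alerts


def peak_counts(lines, window_seconds=60):
    """Return {src_ip: highest request count seen in any trailing window},
    useful for tuning the threshold against normal traffic."""
    events = [parse_line(l) for l in lines if l.strip()]
    window = timedelta(seconds=window_seconds)
    peaks = defaultdict(int)
    for ip, count, _start, _end in sliding_window_counts(events, window):
        peaks[ip] = max(peaks[ip], count)
    return dict(peaks)


if __name__ == "__main__":
    for alert in detect_surges(SAMPLE_LOGS.splitlines()):
        print(f"ALERT {alert['src_ip']}: {alert['count']} requests between "
              f"{alert['window_start'].isoformat()} and {alert['window_end'].isoformat()}")
    print("peak per-minute counts:", peak_counts(SAMPLE_LOGS.splitlines()))
```

On the constructed input only 10.0.0.5 trips the rule, at its fifth request (10:00:15), while 198.51.100.2, which makes six requests in total but never more than one per minute, stays quiet. In Splunk the same idea is usually expressed with fixed time buckets rather than a sliding window, roughly `... | bin _time span=1m | stats count by _time, src_ip | where count >= 5`; the bucketed form can miss a burst that straddles a minute boundary, which is why the example above uses a trailing window. The `peak_counts` helper is what you would run over a few days of known-good traffic before picking the threshold.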
    Viney Bhardwaj - PeerSpot reviewer
    Sr Manager at Ernst & Young
    Reseller
    Top 10
    Mature, highly customizable, and good integration capability
    Pros and Cons
• "If I need to integrate devices for logs, it is easier with Splunk. We can integrate different applications, network devices, and databases. It is also very rich in documentation. It is the best."
    • "Splunk does not provide any default threat intelligence like Microsoft Sentinel, but you can integrate any third-party threat intelligence with Splunk. By default, no threat intelligence suite is there, whereas, with IBM QRadar or Microsoft Sentinel, the default feature of threat intelligence is there. It is free. If Splunk can provide a default threat intelligence suite, it would be better."

    What is our primary use case?

    We mainly use the Splunk Enterprise Security app to use Splunk as a SIEM. I have worked with Splunk on-premises, which is Splunk Enterprise, and I have worked with Splunk Cloud as well. 

    We mostly use Splunk for the SOC environment. We use Splunk for security incident monitoring.

    How has it helped my organization?

Splunk Enterprise Security speeds up our security investigations.

    Our organization monitors multiple cloud environments. We have more than 50 customers. Customers have their own licenses, and for some customers, they are shared. We have a single Splunk console. We have customized Splunk, and we have onboarded multiple customers. For some customers, we have integrated Splunk with SOAR. There is a single console to monitor SIEM and other devices. It saves the analysis work. It provides good visibility as compared to the other SIEM products I have worked with. 

We use the Threat Topology and MITRE ATT&CK framework features. You can map your use cases with the MITRE ATT&CK framework. It is common in all SIEMs nowadays. It is good. It gives a good mapping of the use case and a better understanding.

    Splunk Enterprise Security has not helped reduce our alert volume. It behaves as we configure it. The engineer handles the fine-tuning of the use case and reduction in the alerts.

    What is most valuable?

    The fast search is valuable. As compared to other SIEMs, Splunk is very fast in terms of the search and providing data.

    The customization of the use cases is another valuable feature. It is query-based, and now, there is a feature to have machine learning as well. We can write advanced-level use cases, which is a limitation of other SIEMs.

The third point is the device integration. It is very smooth. If I need to integrate devices for logs, it is easier with Splunk. We can integrate different applications, network devices, and databases. It is also very rich in documentation. It is the best.

    What needs improvement?

    Splunk does not provide any default threat intelligence like Microsoft Sentinel, but you can integrate any third-party threat intelligence with Splunk. By default, no threat intelligence suite is there, whereas, with IBM QRadar or Microsoft Sentinel, the default feature of threat intelligence is there. It is free. It would be better if Splunk could provide a default threat intelligence suite.

    The second issue is that Splunk is expensive compared to many other SIEM tools in the market. A competitive price will work better.

    The third issue is that Splunk Cloud is sometimes slow. If I create more use cases, Splunk will be slow because they provide limited resources in Splunk Cloud. They can do some optimization there.

    The last issue is that they used to give a trial version of the Splunk Enterprise Security app that we could showcase to customers for demonstration, but they have stopped that free trial version. If they can start that again, it will be better. It will help to showcase the capability of Splunk.

    For how long have I used the solution?

    I have been using Splunk Enterprise Security for seven years.

    What do I think about the stability of the solution?

    It is sometimes slow. It also depends on the number of use cases or queries. You need to optimize the use cases or queries that are running and consuming a lot of resources. I have also seen Splunk Cloud hanging a bit. I would rate it a seven out of ten in terms of stability.

    How are customer service and support?

    We have contacted their support many times. Their support is average. We sometimes have a hard time with their support. They are not very reliable, but this is the case with all SIEM products.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    We are also using Microsoft Sentinel and IBM QRadar. We have also used ArcSight. For some customers, we are using LogRhythm and the RSA solution. Different customers have different SIEM tools, but I find Microsoft Sentinel and Splunk better than the others in the market. I feel Splunk is the most mature tool at this time. It is very easy to customize. You can do whatever you want.

    IBM QRadar is the cheapest option available in the market. It is a traditional SIEM tool. It is not as fast as Splunk or Microsoft Sentinel, but from a costing perspective, it is convenient. There are also a few open-source SIEM tools. Many companies are using those, but if you go with a commercial tool, IBM QRadar is very good in terms of cost value. When it comes to customization and maturity, Splunk Enterprise Security is definitely number one. Microsoft Sentinel comes second, and IBM QRadar comes third.

    How was the initial setup?

    It is easier than other tools.

    What about the implementation team?

    We implement it for our clients. The number of people involved depends on the license utilization, the number of devices, and the time frame. Two to three months are normally required for the full integration of a customer environment, and a minimum of two people are required for the integration.

    What's my experience with pricing, setup cost, and licensing?

    It is expensive. That is why many customers have moved to IBM QRadar. The price is definitely a challenge for customers.

    What other advice do I have?

    If budget is not an issue, you can go ahead with Splunk Enterprise Security. Nowadays, Splunk is ready to negotiate. With good negotiation, you might get a good deal. If you are a large organization with more than 2,000 devices or more than 500 licenses, Splunk is the best choice. If price is not an issue, you can blindly go with Splunk because it is the most mature tool in the market at this time. Microsoft Sentinel is scaling up, but it is still not there where Splunk Enterprise Security is.

    Overall, I would rate Splunk Enterprise Security a nine out of ten.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Reseller
    PeerSpot user