Splunk Enterprise Security Reviews

During the initial two years, I was an incident response analyst who used Splunk Enterprise Security as a SIEM tool, and in the recent two years, I work as an admin who handles the integration part, content management part, and the detection response engineering.

We use disparate security solutions with additional IDS, IPS, and EDR tools integrated into Splunk Enterprise Security for single-handled monitoring for the analyst's ease. We do not need to go to each tool separately; instead, we integrate all of them into the Splunk Enterprise Security interface, allowing us to monitor them via Splunk Enterprise Security.

Regarding Risk-Based Alerting in Splunk Enterprise Security, we used to tag alerts while creating correlation searches in Splunk Enterprise Security.

I work with both on-premise and cloud-based setups.

Splunk Enterprise Security really helps improve business resiliency as we frequently capture real attacks.

In terms of customization ability and development capability inside Splunk Enterprise Security, it is very easy. Splunk Enterprise Security is a wide tool that we can use for different purposes. Splunk Enterprise Security can be configured in many ways, not just as a SIEM, but we can leverage it in various ways. The application add-on support from Splunk is very wide, making it very easy for configuration and customization.

The functions in Splunk Enterprise Security that I find most valuable are its ability to integrate any type of logs into the system. It is very user-friendly to read logs in any languages, which we can convert into a human-readable format in Splunk Enterprise Security, making log analysis and monitoring very useful compared to competitive SIEM tools.

The main benefits Splunk Enterprise Security provides to end users include a wide view, allowing us to have different kinds of views for the logs, and we can search according to the retention period we set in Splunk Enterprise Security. This capability and storage are good enough to retrieve older data for evaluation and analysis.

I find that threat detection in Splunk Enterprise Security is a wide case; we have the opportunity to create correlation searches, dashboards, and even integrate threat intel solutions in multiple ways into Splunk Enterprise Security. We can leverage these opportunities to get alerts based on these searches.

Whenever an upgrade happens from a lower version to the latest version, some things get complicated, particularly compatibility issues, which we usually see in Splunk Enterprise Security. In those cases, it sometimes definitely requires Splunk Enterprise Security's support or vendor support to resolve those issues. Compatibility issues during upgrades are a major concern.

I am generally satisfied with the functionality of Splunk Enterprise Security, and my only concern is the compatibility issue during upgrades.

I have been working with the product for four years.

I rate Splunk Enterprise Security's stability as a nine.

I consider its scalability, ability to scale, and ability to expand to be a ten.

I would rate vendor support as a nine.

The initial setup for Splunk Enterprise Security is simple, and guides from Splunk Enterprise Security support are available on the internet, making it very basic. We can read and understand the next steps from there.

On average, the time a SecOps team takes to remediate security incidents with Splunk Enterprise Security depends on projects. If the team is working as a threat hunt team, they do not have a proper SLA, but for incident handling, some projects have 15 minutes, others 30 minutes, one hour, or in some cases, up to four hours. It varies according to the project and client requirement; incident handling is different from incident response, which usually requires more time for detailed analysis.

I am totally satisfied with Risk-Based Alerting because it works well; it works on intermediate findings. If multiple detections occur for the same host or IP, it looks for behavioral analysis and generates alerts for the analyst based on that risk, so it is actually working well in Splunk Enterprise Security.

I can recommend Splunk Enterprise Security to other users. My overall rating for this product is eight out of ten.

Hybrid Cloud

I would like to discuss Enterprise Security, and I explain that the main use case for the product is to protect our customers and support various attacks.

Regarding threat detection, I explain that during investigations, most of our SOC-related customers use Splunk Enterprise Security to identify threats.

In terms of benefits, Splunk Enterprise Security provides numerous advantages to end users, notably in reducing personnel needs for SOC operations.

Regarding pricing for Splunk Enterprise Security, I find it relatively affordable globally, although it seems costly in India due to currency exchange.

In my opinion, the functions in Splunk Enterprise Security that I find most valuable include unique features and tools that the product offers.

For improvement points, I think Splunk has several enhancements on the table right now to enhance Splunk Enterprise Security with functionalities and threat detection improvements.

I have been working with Splunk Enterprise Security for seven years.

For stability, I would rate it a 10, as Splunk Enterprise Security is generally stable, especially now with its latest version.

Regarding scalability, Splunk Enterprise Security is way ahead compared to other products, and I would score it at the maximum.

I would rate Splunk Enterprise Security's technical support as a 10, as they provide 24/7 assistance based on priorities and are accessible for queries.

Positive

In comparison to other products, I think previous tools such as IBM QRadar were competitors, but currently, I hear about CrowdStrike getting into the picture.

In general, I find that the initial setup for Splunk Enterprise Security is simple, especially with clear documentation from Splunk.

It depends on the client; if they have a qualified engineer with experience in Splunk Enterprise Security, they can handle the setup themselves.

The solution is deployed both on-premises and cloud-based, depending on the customer's domain.

My feedback regarding some processes of customizing, developing, and testing in Splunk Enterprise Security is that I am thinking from a customer perspective, focusing on the customizations they require.

I have experience with risk-based alerting in Splunk Enterprise Security, as we configure based on the priority of the instance, servers, or the endpoints.

During my experience with Splunk Enterprise Security, I have faced some significant challenges, particularly with customers adapting from version 7 to version 8.

Hybrid Cloud

I deal with the Palo Alto FO and then Cortex XSIAM. I work with Cortex XSIAM and Cortex EDR products. We recently adopted Cortex XSIAM from Splunk Enterprise Security as our SIEM product for log management.

I have two to three years of experience with Splunk Enterprise Security, but not continuously; this is just a tool used by me, not daily. We send logs from the firewalls to XSIAM and analyze the traffic logs to determine whether deny or allow for migration. We use both Splunk and Cortex XSIAM for log analysis. I have never dealt with Splunk support.

I have experience with Palo Alto, Cisco, and Fortinet products. Splunk Enterprise Security is more dedicated to logs, not a unified product like Palo Alto. Palo Alto Cortex has the same UI across Cortex EDR and Cortex XSIAM, so all the product family is in one UI, whereas Splunk Enterprise Security is more focused on log search.

Palo Alto has better speed and better visibility. I can see all the M-points from one UI and search the logs from this UI. I use disparate security solutions that integrate or import data into Splunk Enterprise Security, including different log sources from the endpoint, firewall, router, switches, and everything that needs logging for visibility.

Splunk Enterprise Security can retain logs for compliance purposes longer than the usual three months. The dashboard capability also allows Splunk Enterprise Security to create dashboards based on logs, which makes it really helpful for visibility.

I feel more comfortable using XSIAM now compared to Splunk Enterprise Security. Splunk Enterprise Security is already a mature product, so I do not have much to point out. It could be a little more user-friendly, which would be nice.

It could also expand the product family beyond security log search. Since it has the capability of indexing things, perhaps Splunk Enterprise Security could develop their own EDR agent like Palo Alto and create a product family with a unified dashboard. This would definitely help the enterprise.

Splunk Enterprise Security documentation exists, but compared to Palo Alto, Palo Alto has more knowledge base articles. Even though the concepts are the same and multiple engineers have written articles for cross-reference, I do not see this level of documentation in Splunk Enterprise Security.

I have two to three years of experience with Splunk Enterprise Security, but not continuously; this is just a tool used by me, not daily.

The switch to Cortex came from management, likely because the Palo Alto product family is already in our environment. We have been using Palo Alto GlobalProtect and other security products, so bringing XSIAM into the environment makes sense.

I do not see a real difference between XSIAM and Splunk Enterprise Security; they both have a search query functionality. Splunk Enterprise Security has Splunk query language, so it is just a different language and different way of searching logs. Eventually, we get the same logs including source, destination, port, and traffic allow and deny information.

I used to be a customer with Splunk Enterprise Security. I have hands-on experience but not extensive experience with Splunk Enterprise Security products in the past. I am more focused on networking than the security team. I do not have an answer about how long on average it takes SecOps teams to remediate security incidents using Splunk Enterprise Security.

I would rate this review an 8.

I work in a SOC team where I study threat hunting and threat determination. Most of my work is based on looking for malware traffic or suspicious traffic in Splunk Enterprise Security. I belong to the SOC team.

The best feature about Splunk Enterprise Security is its clean interface and the detail it provides. It helps us manage logs with a very clean interface, which is not available in other software. 

They also provide extensive learning resources on their official site that help us while performing tasks. Its documentation and community are very strong, making it a perfect SOC tool. If we come across any problem, we can search the community or consult the documentation for solutions. 

It is very clean and detailed, helping us detect threats easily. Splunk Enterprise Security performs 80% of our work on its own; we just have to do the remaining 20%, which gives us the freedom to explore and detect threats more effectively.

The machine learning capabilities of Splunk Enterprise Security are good, but they can be improved. In a changing threat landscape, its machine learning capability can be improved in behavior-based analysis because signature-based analysis does not work very well currently.

It can improve in detecting new types of attacks or IOCs through behavior-based learning capabilities. For example, if there are malware traffics incoming, it should detect them using network logs more precisely, as most malware traffic uses the same kind of port or attack.

There should be a community program or hackathon-type events where people can develop more advanced and sophisticated machine learning models for Splunk Enterprise Security to enhance its functionality. 

Adding a chatbot similar to GitHub Copilot in Splunk Enterprise Security would be beneficial. It would help write different kinds of sophisticated queries and assist in solving problems we encounter, similar to what we have in VS Code.

There is good scope for developing Splunk Enterprise Security for low-level systems such as Raspberry Pi. However, for server deployment, a robust server is essential. Development should focus on making Splunk Enterprise Security capable of running on devices such as Raspberry Pi.

I used Splunk Enterprise for a long time in previous organizations. I have also used the Community version for my personal projects, which is available for free. I have experience with both Splunk Enterprise Security and the normal Splunk Community version. I still use Splunk Enterprise Security quite frequently when working with SOC and related processes.

Splunk Enterprise Security is highly scalable, which is why approximately 95% of the industry uses it without experiencing scalability problems. It performs exceptionally well when discussing scalability.

I do not remember contacting technical or customer support. Whenever I faced any problem, I usually consulted the documentation or community, and 99% of my problems were solved that way.

I have used Wazuh, Elasticsearch, Kibana, and some basic Linux SOC management tools such as Zeek and Wireshark as alternatives to Splunk Enterprise Security. However, I find Splunk Enterprise Security to be much more advanced than those tools, as they lack automation and machine learning capabilities, requiring customization from the user. Splunk Enterprise Security is more refined and offers a better experience.

Its deployment is difficult. I remember when I first started learning, I faced several challenges, especially when deploying VMware in a virtual environment. It was quite a difficult task. However, when deploying on a server, I would consider it to be at a medium level of difficulty. On the other hand, if you're deploying for a learning lab or something similar, it’s pretty much on the hard side.

For personal home labs, it is a one-person job, meaning a seasoned professional can handle it. For enterprise-level deployment, a person managing operations and a person handling server management is sufficient. After the initial deployment, one person is enough for a mid to low-level company, while a higher-order company requires a team to operate Splunk Enterprise Security.

Splunk Enterprise Security requires very little maintenance on my end, as it has improved significantly. If there are no frequent changes in the server, there is not much maintenance required. I have not invested much time in updates or maintenance, so once deployed, you just need a good professional to use it; maintenance is not much of a concern.

The pricing of Splunk Enterprise Security is fair for what it provides. If someone wants everything for free, it is not a reasonable expectation. Everything comes at a price, and I find it to be affordable, which is why every industry uses it. Its pricing is fair, and the community version works well for learning purposes.

I would rate Splunk Enterprise Security an eight out of ten.

On-premises

I'm an end user, admin, and consultant. We use Splunk Enterprise Security internally in our organization, and I also use it for my personal studies. My usual use cases for Splunk Enterprise Security include monitoring several kinds of exchange server logs and Office 365 logs, among others, as we have multiple monitoring use cases based on our requirements in our environment. We were trying to solve multiple things by implementing Splunk Enterprise Security, particularly for monitoring our applications based on the insurance business, so we use Splunk Enterprise Security logs for security purposes and internal infrastructure monitoring, including logs matching security purposes in our Office 365 and exchange servers.

The most valuable features of Splunk Enterprise Security are several add-ons and TAs, while the lack of a DB requirement is a significant advantage for the business, allowing easier management without needing in-depth DB knowledge. I find that Splunk Enterprise Security's ability to import data from various sources, including looking up Excel files, is quite effective, providing a good way for management.

We import data from several unique data sources into Splunk Enterprise Security, possibly more than a hundred because we have AWS and multiple servers. We have disparate security solutions that integrate data into Splunk Enterprise Security. I can still query data in Splunk Enterprise Security regardless of where it resides, and in my perspective, the query provides data quickly.

Splunk Enterprise Security has improved our organization's ability to ingest and normalize data compared to before using Splunk Enterprise Security. The unified platform helps consolidate networking, security, and IT observability tools, which is very relevant to our internal needs. Using Splunk Enterprise Security, our focus was not on reducing alert volume but on properly finding and handling alerts; we've managed to capture 100% of them effectively.

Splunk Enterprise Security provides the relevant context to help guide investigations by allowing us to share application logs and details with clients efficiently. We utilize out-of-the-box detections in Splunk Enterprise Security, and we have created dashboards that add value to our monitoring efforts. Customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security is easy; it has been a good experience without significant difficulties.

We upgraded to Splunk Enterprise Security from version 8.0.4 to 9.0.6, and also from 8.1.4 to 9.0.6; it worked well with the support we received from the team, and it has proven to be very useful. Splunk Enterprise Security provides the foundation for unified threat detection, investigation, and response, enabling fast identification of critical issues.

The solution could be improved by integrating more application monitoring features and possibly incorporating AI capabilities to enhance its functionality.

I've been working with Splunk Enterprise Security for six years.

Splunk Enterprise Security is stable and scalable, making it a good tool that is beneficial for our needs.

Splunk Enterprise Security is stable and scalable, making it a good tool that is beneficial for our needs.

I participated in the deployment process of Splunk Enterprise Security, and we performed UAT before moving it to production. It's not the most affordable solution, as I've witnessed several companies considering leaving due to cost factors. The pricing of Splunk Enterprise Security is not very affordable, and I have seen many companies planning to leave because of cost concerns.

Amazon Web Services (AWS)

My use cases for Splunk Enterprise Security involve both security as well as data analytics.

Splunk Enterprise Security has helped greatly improve the organization's business resilience.

The features of Splunk Enterprise Security that I appreciate the most include the recent AI feature and the MITRE mapping feature.

AI helps in analyzing a certain detection within Splunk Enterprise Security and assists with some tasks that I might require internet or other tabs to work on, while MITRE ATT&CK helps me to map the attacks and provides coverage for my attacks.

I would appreciate improvements in the licensing aspect, especially with the SVC-based license, as there is no proper view on top of it regarding how much CPU and usage is being done on the SVC-based license, along with updates to the SOAR version.

The experience with alerts, specifically risk-based alerts, is good, but it might need some improvement as there might be some deviation or false positives, so I think implementing AI over there might increase the feasibility or view around it.

I think the pricing aspect of Splunk Enterprise Security is quite high compared to other products, which I hear from most of my customers.

I have been working with Splunk Enterprise Security for approximately 3.5 years.

I would assess the stability and reliability of Splunk Enterprise Security as very good, with not much downtime or crashes, as it depends on the hardware used and the kind of setup done, which is primarily based on misconfiguration or not predicting something.

I have not faced any significant challenges when using Splunk Enterprise Security; there is not much that I cannot solve.

Splunk Enterprise Security scales very well with the growing needs of my organization and my clients' organizations.

Expanding usage with Splunk Enterprise Security consumes time and effort, but the end result is actually good.

I would evaluate customer service and technical support as good but not very good.

On a scale of one to ten, I would rate them somewhere around seven to eight.

Positive

I would describe my experience with deploying Splunk Enterprise Security as good, pretty easy, straightforward, and with plenty of documentation.

I have not faced any challenges during the deployment aspect; even if I did, I figured it out using Splunk Community and Splunk documentation.

It does bring measurable benefits in terms of return on investment for clients; specifically, for banking or finance customers who wish to contain their data within their environments, they would definitely go for Splunk Enterprise Security compared to CrowdStrike, but less mature organizations might prefer other products.

The key differences, both pros and cons of Splunk Enterprise Security in comparison to CrowdStrike, are that I am a Splunk enthusiast and I love Splunk Enterprise Security, but CrowdStrike is good in search and detections due to its status as a threat intel partner, which offers good detections, while customization done in Splunk Enterprise Security might take too much time on CrowdStrike and there are fewer integration options with CrowdStrike.

I don't have much idea on disadvantages of Splunk Enterprise Security apart from the pricing.

I am currently working with Splunk products.

I work with Splunk Enterprise and Splunk Enterprise Security.

The process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security is pretty easy for me as an expert, but I'm not sure for a new user; being a Splunk architect, I feel it's a little easy and the customization is very helpful.

We have it integrated with various disparate solutions including RSA, CrowdStrike, AWS, Google, Microsoft, Docker, firewalls, switches, and multiple other technologies.

This integration supports my security operations by fetching logs about user activity and audit logs and actions taken by the user; for normal products, this allows me to analyze, detect, and correlate two or three different datasets to build up a use case from which I can deduce some information, and with the queries I have using SPL queries, I can get some data analytics or alerts or reports based on which I can take action.

I use risk-based alerting in Splunk Enterprise Security.

My experience with risk-based alerting, while not mainly focused on the SOC part of Splunk Enterprise Security, provides support to my engineering efforts.

I am not currently using any new threat detection features in Splunk Enterprise Security; I have no idea about that part of it.

My impressions of Splunk Enterprise Security's capability to predict, identify, and solve problems in real-time depend on what kind of data is being received and the use cases being written; it is not straightforward, but because Splunk Enterprise Security is an analytics platform without AI on top of it, it feels that some data sources are less predictable, yet for jobs that are repetitive or similar, Splunk Enterprise Security works well.

I would rate this product a 9 out of 10.

Hybrid Cloud

Other

My use case for the project is thin.

What I appreciate about Splunk Enterprise Security is creating the newest SPL for network traffic. I use the risk-based alerting feature. The risk-based alerting helps my organization by allowing me to learn more information about Splunk every day because it is a big platform.

I think that Splunk Enterprise Security is a very good platform, but the price is very high. I don't know how to explain what else can be improved in Splunk Enterprise Security aside from pricing. Support is important for improvements. My thoughts on better support include better knowledge base and better response time; it encompasses both aspects.

I moved to Splunk Enterprise Security and learned it for two to three years, but in the last year, I worked with my friends on one project.

I rate the stability as a five. I encounter issues such as downtime, bugs, glitches, and unbox errors.

Only two users use Splunk Enterprise Security.

Support is important for improvements. My thoughts on better support include better knowledge base and better response time; it encompasses both aspects. I rate support as a five.

Positive

I think it was easy to install, but this platform has many components I must learn. It took me months to deploy.

I am reviewing Splunk Enterprise Security today, and I am working on one simple product and creating simple SPL. My thoughts on customizing, developing, testing, deploying, and refining detections are focused on detection. The testing is just the last component. My thoughts on the testing feature in Splunk Enterprise Security involve the network traffic to Cisco traffic, Uniper, or low car infrastructure. I am using new threat detection features in Splunk Enterprise Security and would work on big projects in the future. I do not use disparate security solutions that integrate or import data into Splunk Enterprise Security. I am wanting to learn more because I create simple SPL, and my friends are not Splunk Enterprise Security expert admins. I would recommend Splunk Enterprise Security to other users because it is a platform for monitoring all traffic, network infrastructure, hardware, software, and everything.

I rate the solution overall as a five out of ten.

Public Cloud

Microsoft Azure

My main use cases for Splunk Enterprise Security are responding to alerts, looking for logs, and for investigations.

The features I appreciate the most about Splunk Enterprise Security are the basic search capabilities, seeing what I input into the search and what results I receive, such as the charts and their visibility. These features benefit my organization by helping with our investigations; when we receive something, we're able to quickly find its source and nature. Everything I'm seeing now in Splunk Enterprise Security is effective, especially the AI and the Attack Analyzer, which I found particularly impressive.

The most significant challenge I face when using Splunk Enterprise Security for advanced threat detection is not with Splunk itself, but with our own asset management and knowing what our assets are, particularly regarding visibility.

I have been using Splunk Enterprise Security for about a year.

I have experienced maybe one downtime, crash, or performance issue.

I would describe the stability and reliability of Splunk Enterprise Security as good, with only a couple of issues that were within our own team.

Splunk Enterprise Security has been good so far in scaling with the growing needs of my organization; we haven't been growing too much to where it's a problem, but it's been performing well.

I would say we haven't seen any return on investment with Splunk Enterprise Security because we are still maturing and trying to get everything situated, and we're experiencing roadblocks with other teams not wanting to give us what we need.

Splunk Enterprise Security handles problems in real-time. 

When rating Splunk Enterprise Security overall, I'd give it a nine out of ten. I appreciate that it has a good UI that looks good and works well. I would recommend Splunk Enterprise Security.

Public Cloud

My main use cases for Splunk Enterprise Security are detections and security.

The feature I appreciate the most about Splunk Enterprise Security is Search Processing Language. These features have benefited my organization by making searching data a lot easier than other tools I've used.

Improvement for Splunk Enterprise Security is hard to address because I'm not on version 8 yet. The main thing was integrating all the different pages we have into one, which they have accomplished in version 8.1.2. I'm looking forward to using it.

I have been using Splunk Enterprise Security for two years.

I would assess the stability and reliability of Splunk Enterprise Security as having no issues so far.

Splunk Enterprise Security appears to scale with the growing needs of my organization. We haven't expanded usage at all yet.

I would evaluate customer service and technical support as seven or eight out of ten. They're normally great. Sometimes talking through email isn't the most effective method, as they go through troubleshooting steps we've already taken, which requires additional back-and-forth communication.

Positive

I would imagine we have seen return on investment with Splunk Enterprise Security.

My advice to other organizations considering Splunk Enterprise Security is that it is definitely worth implementing, but it must be done properly. Make sure you have all preparations complete before getting the implementation package. I rate Splunk Enterprise Security eight out of ten.

Public Cloud

Amazon Web Services (AWS)

My use cases mainly involve using Splunk Enterprise Security to monitor security threats, checking the dashboard for any alerts, looking at logs to see what is actually happening, and using the built-in searches to identify suspicious alerts regarding security or suspicious activity.

I appreciate the incident review dashboard as the best feature, as it makes it very easy to track alerts and manage them in one single interface.

AI in Splunk Enterprise Security improves the accuracy, and the AI feature has helped me reduce false positive alerts, which prevented me from wasting time on junk alerts and separating the noise from the actual true positive alerts. It makes my detection much more reliable.

Risk-based alerting in Splunk Enterprise Security is very helpful. Instead of getting overwhelmed by hundreds of small, low priority alerts, it gives me a risk score to users or machines based on their activity.

Using MITRE ATT&CK is really helpful. Splunk Enterprise Security automatically maps alerts to the MITRE ATT&CK framework, so when an alert triggers, I can see exactly which stage of an attack is happening, such as lateral movement, reconnaissance, or credential access tactics. This gives me a clear picture of what the attacker is trying to do.

Writing SPL queries is tough at first with Splunk Enterprise Security, and the system gets a bit slow when searching through a large amount of data.

I have been using Splunk Enterprise Security for four months overall.

I did see lagging with Splunk Enterprise Security. Even when I have a huge amount of data coming in, it doesn't crash or hang. I haven't faced any major downtime. Once the configurations are set, it runs quite reliably in the background without needing constant attention.

Splunk Enterprise Security is pretty flexible regarding scalability. Whenever our data volume grows, I can easily add more indexers or searchers to handle extra load, and it's straightforward to expand.

Other analysts contact the support team if there is any need to understand the latest updates from the Splunk community, but I haven't contacted them.

I have used an open-source Wazuh SIEM tool as an alternative. I prefer Splunk Enterprise Security more.

The initial deployment of Splunk Enterprise Security had the main challenge of connecting all our data sources like firewall and server and making sure the data was flowing correctly. It wasn't a simple click and run. It required good planning to get all the data logs showing up properly.

The pricing for Splunk Enterprise Security is a little bit high compared to other similar tools.

Splunk Enterprise Security helped me in many ways. It really helped me reduce noise. Since it groups similar alerts together, I don't have to look at every single small thing. It filters out unimportant information, so I can focus on real threats.

Maintaining Splunk Enterprise Security is necessary to keep things running smoothly. I regularly check if all the logs are coming in properly. I also spend time updating and tuning searches or reducing the false positives.

I have not upgraded to Splunk Enterprise Security 8 yet.

I haven't seen any reduction in my mean time to resolve or my mean time to detect. I would rate this review an eight overall.