Splunk Enterprise Security Reviews

I utilize Splunk Enterprise Security to create alerts within various use cases, including data onboarding, gap analysis, and business testing. I ensure that the use cases adhere to the defined criteria and address any changes or requirements raised by the client. Additionally, I handle any necessary backend modifications in Splunk by deploying code to appropriate environments, including the production environment.

We implemented Splunk Enterprise Security to capture more effective alerts. We create alerts to utilize advanced filtering capabilities. Additionally, we employ Sentinel as our endpoint security application. I have created all instances of the query as intended and have mapped them to Splunk. However, the corresponding alert is not being generated. These are the areas that require attention.

My expertise lies in Splunk Cloud and Azure. While I have worked with AWS in the past for a short period, my current focus is on GCP and Splunk Cloud. My responsibilities involve troubleshooting, alert verification, and key generation. Based on specific requirements, I employ my self-generated queries to identify the relevant fields, such as email or location. Next, I implement lookup conditions and pinpoint the table containing the desired field type. This process allows me to determine the specific requirement of the use case and define the search parameters accordingly. Finally, I conduct a time-bound search to identify any defects.

I deploy to Splunk Cloud, GCP, and on-premises environments. I have experience working with both platforms. When working on the cloud, we don't have the same level of visibility as we do on-premises. For example, we cannot directly access the fraud department systems. In the cloud, we must make all changes and deployments through the Splunk UI. This is relatively straightforward, as there is no backend to manage. However, it requires a thorough understanding of the configuration files and the data fields we need to modify.

We manage multiple cloud environments, including Splunk Cloud and GCP. Splunk Enterprise Security dashboards make it easy to monitor these environments seamlessly. We have a single user interface that allows us to log in to our account instantly and check for any issues, such as Data Collection Processor errors. This unified UI also provides access to the back end of both Splunk Cloud and GCP instances, eliminating the need to switch between different platforms. Whether we need to manage Splunk Cloud or GCP settings, we can do so directly from the UI, which is easy.

Splunk offers comprehensive visibility into our IT infrastructure. The only challenge lies in managing multiple user accounts. We need to create separate accounts for the UI, production environment, and staging environment. Additionally, if we have a DCP or a system cloud, we need to create corresponding accounts. Once that is done we can log in and use it.

Regarding Splunk Enterprise Security's insider threat detection capabilities, we receive an alert for every new case creation. If there is a high likelihood of a specific alert occurring, we have a corresponding use case in place to address it. We also receive soft tickets, which are potential alerts that may materialize in the future. These soft tickets are documented in Jira, and we continuously monitor them. By analyzing these alerts, we can identify potential issues. For instance, this morning, we received an alert for a new case with a missing application name. The interaction table contains the destination user account, process ID, process name, OS, and other relevant information, but the application name field is blank. We investigate this particular use case to determine the cause and timing of the alert. Since we are receiving the alert slightly earlier than expected, we consult the ticket for further details and substitute any missing information.

I have utilized the MITRE ATT&CK framework when the use case pertains to a specific data model. To comprehend the data model, we examine the processes involved or the fields that a particular tool utilizes. To achieve this understanding, we align the MITRE ATT&CK framework with the data modules. Subsequently, we extract the field name and field value. When dealing with ranges and incident changes, we must input the corresponding MITRE ATT&CK ID. This involves determining the tech ID and identifying the ID values associated with it.

Using Splunk Enterprise Security to analyze malicious activities and detect breaches is an efficient approach. When testing a use case, it's not necessary to manually enter the application name as it's provided automatically. Since the requirement is for SSO, we need to verify whether it's LDAP, Splunk Cloud, or AWS. Occasionally, irrelevant results may appear during data ingestion. We test for subscription-related issues and analyze the results. This testing process provides insights into the circumstances that trigger specific alerts. Malicious activities will undoubtedly be detected, and all our requirements will be met. Alerts are generated whenever unusual timeframes or activities occur. Various filtering criteria allow us to identify and capture specific user IDs or patterns within events. This capability proves to be highly beneficial.

The speed at which Splunk Enterprise Security detects threats could always be faster but it is designed to detect threats quickly. It uses various techniques, including queries, to identify and analyze potential threats. This allows it to produce faster search results than traditional methods, enabling us to locate the information we need more efficiently. While I cannot provide an exact percentage of how much faster it is, it is undoubtedly significantly faster. It can process thousands of events, ranging from twenty thousand to thirty thousand, in a very short period.

I've gained valuable knowledge from having to troubleshoot various situations. For instance, I've learned that the SIM needs to be flipped to use the new applications. Additionally, I've discovered that the error limit for event results should be increased beyond 10,000 because the source type values have increased significantly. This ensures that alerts are received even when there are large volumes of data. Furthermore, I've learned that some clients have different index limit requirements. Some clients require a seven-day index limit due to licensing restrictions or data ingestion considerations. Those who have the larger license opt for a 15 or 30-day index limit. In these cases, the large amount of data generated can necessitate a 1TB or higher index size limit. These learning experiences have been invaluable in my work, and I'm constantly encountering new scenarios that expand my knowledge base.

Splunk Enterprise Security has helped speed up our security investigations. 

The best part of Splunk Enterprise Security is its customizable settings. We can modify the front-end interface, data sources, and various other aspects to suit our specific needs. This flexibility makes it extremely user-friendly and convenient.

Apart from its customizable settings, Splunk Enterprise Security also offers a range of other advantages. It enables us to easily analyze logs, use field queries, and perform other tasks without requiring any extensive training. The search function is intuitive and straightforward, making it accessible to anyone.

The UI-based reporting dashboard is another highlight of Splunk Enterprise Security. It provides real-time visibility into important metrics and allows us to drill down into specific events for in-depth analysis.

Splunk Enterprise Security has not helped reduce our alert volume. We need to separate a few of the alerts, and if there is a time based on the priority, we put the time at what time it needs to appear every day or for seven days or more days. If an alert is present or if something is triggering, then it will be detected. However, the number of alerts that can be handled effectively depends on the specific use case. For each result that is affecting the system or for any specific issue, only those particular alerts should be generated. We can define a timer and determine how often checks should be performed. For example, weekly checks may be sufficient in some cases. However, if there are hundreds of alerts generated in a week, it may not be possible to handle them all effectively. Testing must be conducted to filter out unnecessary alerts. Therefore, clear boundaries must be defined in the use case when creating alerts.

The price for Splunk Enterprise Security is high and has room for improvement.

I have been using Splunk Enterprise Security for two years.

Splunk Enterprise Security is an extremely stable product.

Splunk is compatible with a wide range of other products and is not constrained by specific configurations. Whether it's a single-sided or multi-sided cluster, whether it's used by a single team or multiple teams across different program locations, Splunk is flexible and adaptable. Data recovery is also a key feature, ensuring that data is never lost. This is one of Splunk's most significant advantages. Multiple indexes are maintained to safeguard data integrity, so even if one index fails, the data remains accessible to all users at all times.

Splunk Enterprise Security is scalable.

Comparing SentinelOne and Splunk, we've found that SentinelOne requires a thorough understanding of our processes, including their business context, process names, and all relevant conditions. In contrast, Splunk is more forgiving, allowing us time to learn and adapt. Additionally, SentinelOne's pricing structure can be more complex compared to Splunk's straightforward approach.

While Splunk offers ease of use, better visibility, and intuitive management, SentinelOne demands more technical expertise to implement and maintain. Splunk, on the other hand, provides granular control over event filtering, enabling us to retrieve detailed information based on specific criteria, such as Linux or Windows events. SentinelOne, however, may not provide the same level of precision, requiring more precise query formulation.

The initial deployment is straightforward. We only require the name and the value, and the process is very quick. We were already using GitHub, GitLab, and GitPass, so integration with Splunk was seamless. Splunk is compatible with all of these applications, which makes it a good fit for our needs. We are also using ServiceNow, and Splunk communicates seamlessly with it to raise tickets. The overall deployment time is minimal. One person can manage the deployment process, and I have completed 18 deployments myself. Each deployment takes one day to finish.

The cost is on the high end, which makes it difficult for some organizations to use. However, the benefits outweigh the cost.

I would rate Splunk Enterprise Security eight out of ten. While I have not explored all aspects of Splunk, I have found Splunk Enterprise Security to be a useful and reliable tool in the areas I have used. 

Splunk is deployed in one location. On our team that works on the SIM development team, we have 28 people who use Splunk Enterprise Security.

Splunk Enterprise Security necessitates ongoing maintenance. Tuning tickets are available, so we perform the necessary tuning, and if there is an outdated ticket, we make the required changes. I addressed a ticket from 2018 that required tuning. They requested certain additions, such as authentication or a new index, and maintenance is performed to incorporate these new features.

In multi-cluster environments, maintenance can be performed from different locations simultaneously. This feature is very convenient and allows for flexible maintenance scheduling.

I recommend Splunk Enterprise Security because it is a comprehensive solution for enterprise security. I'm currently working on the SIEM component, but the SIM is also available. Splunk offers various ways to search and configure, making it very easy to use, even without prior knowledge. We can seamlessly integrate Splunk into our existing workflows.

We provide comprehensive infrastructure support and ingest mine data in three ways. The first is Agent-based where the information is sent from client machines to an agent. The second is TCP port forwarding where data is sent to Splunk through an open port. The third is the HEC token. We then use the Splunk DB Connect app to ingest data as per the client's requirements.

We are currently onboarding data from AWS to GCP. We are moving data from on-cloud to our production and deployment level environment. Additionally, the data is being added to the services on those machines. To forward the logs to Splunk, we have created a default index, which is a way of storing data in a particular way. We have created the index based on the requirements of the data storage.

Currently, we are ingesting all kinds of government security PI data. Similarly, we can ingest any kind of confidential data into Splunk using masking. This allows us to filter the data and mask sensitive information. For example, if a user account number has ten digits, we can mask out the first six digits so that only the last four digits are visible. We ingest this kind of confidential data into Splunk, and we also ingest PI data and Splunk governance data.

We are using the threat intelligence management feature. We have a separate security team, called a soft team, which is responsible for finding vulnerabilities, threats, and malware alerts in our Splunk environment. We use the threat intelligence management feature to identify any suspicious activity that may be coming from outside users. The soft team continuously monitors these alerts and creates proxy alerts to identify any potential threats.

Splunk's insider threat detection capabilities help us to easily identify threats by using Splunk queries. We have predefined Splunk Insight and are also using the one in the app, which is configured on top of Splunk machines. This allows us to quickly identify how many unknown IPs are syncing into other machines, and we can use this information to identify threats.

We use threat pathology and MITRE ATT&CK. I am currently supporting a financial institution with its infrastructure, which is split into two teams: one for complete infrastructure support, including hosting and operations, and the other for security-related matters. My team is continuously investigating new security threats, so we will take care of the onboarding process. As part of the infrastructure support team, I am responsible for handling all onboarding tasks. If I encounter any security concerns, I will escalate them to the SOC team.

We have a lot of operations using the Mission Control feature in Splunk.

Splunk helps us analyze malicious activities and detect breaches. We are using a Splunk SaaS application in a multi-class environment. To maintain high availability with zero downtime, we have maintained close to 70 indexes and 50 searches. Splunk provides us with alerts from the entire infrastructure, which helps us maintain our service. We use Splunk Mission Control to iron out any issues. For any special needs, we can go to Mission Control to verify and mitigate alerts.

Splunk Enterprise Security has helped us reduce our alert volume. Splunk currently ingests five terabytes of data, and we can set parameters to exclude rotational works and backlogs to reduce the number of alerts.

Splunk Enterprise Security has helped speed up our security investigations.

Splunk has a wide range of features that customers use to find and analyze all kinds of logs. For example, they can use SQL queries to identify vulnerabilities. Additionally, they can create dashboards to visualize and filter their data, and to create real-time alerts when thresholds are exceeded. Splunk Vision is a popular tool for data modeling and visualization and is used worldwide.

The price has room for improvement.

I have been using Splunk Enterprise Security for five years.

We are maintaining a multi-cloud environment across multiple regions, and for the last two years, Splunk Enterprise Security has maintained a 99.999 percent uptime.

We open cases on behalf of our customers with Splunk. If the technical support resolution is not up to par, we request a meeting call to work with the support team and resolve the issue for our client.

We also use the Red Hat OpenShift enterprise Kubernetes container platform. OpenShift is a more popular container tool with excellent support, but all of our OpenShift deployments are on-premises, along with production clusters around the world.

For the deployments, we scan the data to ensure that the Splunk machines can support it. If we identify anything on the machine, we ask the customer to remediate the issue by upgrading the version of Splunk. Most of our customers are using version 8.3.3.

I would rate Splunk Enterprise Security nine out of ten.

Organizations that value their security should not choose the cheapest SIEM solution. They should expect to invest in a SIEM solution that can meet their specific needs, even if it means spending more money.

Monthly patching maintenance is required. 

We gather all the security logs from all the endpoints, network appliances, and the security filter. We have set up automatic alerts that are sent to system administrators, so we have pretty much real-time alerts about anything that happens. 

Splunk Enterprise Security has definitely improved my organization. First of all, it helps with compliance. Our organization has something called scorecard requirements. It is an annual self-check checklist. Having alerts set up is one of the requirements, and secondly, we have a local administrator who gets the alerts. That makes our job a lot easier. So, we pretty much know what is going on in a real-time setting.

We are the judicial branch of the government, so we are pretty much into our private cloud. We do have a setup to monitor our private cloud but not outside our organization. If we can monitor one cloud, multiple clouds will not be hard at all. It is easy.

Splunk has absolutely reduced our mean time to resolve. Knowing on time and having firsthand information is very helpful for any organization. We are able to capture what is going on, and the visibility of it is absolutely tremendous. I cannot provide the metrics, but it has saved a lot of time.

Splunk has absolutely improved our organization’s business resilience. We have been using Splunk for the last six or seven years, and I cannot imagine a life without Splunk. 

In terms of Splunk’s ability to predict, identify, and solve problems in real-time, this is something that we will look into. We have not yet looked into machine learning, AI, and all of Splunk. Currently, we are more in the reaction mode, but we are trying to get more in the protection mode or have more proactive measures. We have not got to that point yet, but we will definitely be there.

I am not into the administrator type of setup. I am more like an advanced user. The most useful feature for me is the ability to create different kinds of alerts and set a different kind of denominator that will capture the real event. That is helpful for a power user like me.

Splunk conferences are very helpful for networking and talking to folks who have a similar situation. It would be helpful for customers if they could create some real-world cases, and we can find a case study to align with. I know that Splunk has tremendous potential. We only include a tiny piece of it. There is a lot of stuff that we need to learn. If Splunk can provide more real-time examples, that will be helpful for customers.

It has been six or seven years. 

Splunk has a reputation for being scalable. You can start small, and if your demand increases, you can scale your platform. Splunk does a good job. It allows customers to have scalability so that they can expand their capacity. I would rate it a ten out of ten in terms of scalability.

In our company, we have a Splunk consultant who is very good at providing a solution. So far, I have not had any problem that is unresolved. I would rate their support a ten out of ten. In this industry, there is good support, and there is bad support. Splunk's support is more like Cisco's support. It is pretty good.

Positive

We used something else, but I do not remember the name. Splunk is what we have been using for a long time. It is more advanced in terms of IT security. There is more scalability and the capability to do a lot of different things on multiple platforms. This is where it is more advanced than other products.

I was not in the deployment team, but I was involved in the early stage of evaluating all different kinds of products.

There are a lot of things for which you can measure a return on investment, but security is something on which it is hard to put a dollar value and measure how much return you have got. However, in terms of helping the administrator or helping the company to put security in place, Splunk does a great job. I cannot imagine a life without Splunk.

The pricing is a little bit on the higher side, but looking at what Splunk provides us, it is reasonable.

We evaluated what was on the market, and fortunately, we picked Splunk. Looking back, it was the right decision.

Splunk is moving in the right direction and providing better and more mature products. This is my fifth conference, and I see the progress. I see Splunk bringing in all new products. They are pretty much in line with the security trends. They have improved a whole lot to meet customers' needs.

I would rate Splunk Enterprise Security a ten out of ten.

We use it for alerting. It also helps our analysts triage.

It is our bread and butter and our day-to-day tool for the SOC. Besides alerting, just being able to do research and look through various logs to gather context around the alerts has been super valuable.

It is critical to us that Splunk Enterprise Security provides end-to-end visibility. The place that you cannot see is from where you are going to get attacked.

We have a hybrid cloud environment with AWS and Azure. I am pretty confident in its ability to help us find any security event across our environment. We have put in time to feed Splunk Enterprise Security the data that we want to look at.

I am pretty happy with its ability to ingest data. When it comes to normalizing, my company could improve on that a little because we need to do more tuning of some of the data that we are ingesting. That is not much of an issue with Splunk Enterprise Security. That is more of an issue with how we are using it. We need to possibly do a little bit better in terms of how we utilize this tool.

I am pretty confident in its ability to identify and solve problems in real-time. If it has the data and you implement it properly, it will tell you what is wrong.

With risk-based alerting, we are now getting the right context for investigations. It definitely helps and speeds up the investigation. With risk-based alerting, I can see the chain of events. I can see what caused this to occur. I do not have a percentage, but I know my analysts are not getting the alerts that they have not completed by the end of the shift. Previously, that was not the case, so I am pretty pleased.

Splunk Enterprise Security has helped improve our organization’s business resilience.

Splunk Enterprise Security helps to identify and solve problems in real-time, but I do not know if it can also predict the problems in real-time.

I am enjoying our implementation of risk-based alerting. That has helped very much with cutting out a lot of the noise that we have. It has reduced our alert volume significantly. There is about an 80% reduction.

I do not like the pricing model. It is expensive.

I have been using Splunk Enterprise Security for about five years.

I have not had issues with its stability.

It is pretty scalable. It also depends on what you are ingesting, but it does a good job with our data.

I do not use the support that often. Normally, when I am looking for help, I just search on the web. If I am trying to build something and I do not remember the command, it is pretty easy to find.

I have used logging solutions. I find Splunk easier to use than other solutions such as LogStack.

With any such tool, the alert quality that you will get is based on the data that you are feeding it. If you are parsing logs and doing a good job with that, the outcome is good.

I did not deploy this instance, but I deployed it in my last company. It was not as bad as I thought. It was comparable to some of the other product rollouts in the environment.

It is expensive, but it is a good tool.

It is worth the cost. I have worked with organizations that did not want to invest in a security tool. I am glad that we are taking security a little more seriously in this organization.

I would rate Splunk Enterprise Security a ten out of ten. I enjoy it. I like it.

We use Splunk for identity protection, threat defense, vulnerability scanning, zero-trust, and user entity behavior and analytics.

Splunk Enterprise Security has helped our customers reduce the alert volume. We ended up validating the false positives manually. We have to do quite a review assessment task. It can do some automatically, but we end up doing them manually to improve the detection. 

Splunk's advanced threat detection capabilities are excellent. Recently, Cisco acquired Splunk, so many customers are migrating to the Microsoft platform, but historically, I've found Splunk does a better job of correlating and collecting the security logs of all kinds of appliances. Most customers want to consolidate their security products into Microsoft.

It supports just about every cloud solution. It is easy to collect and correlate all the data. The visibility is good. Insider threat detection can be customized. My customer was integrated with many third-party credentials and other threat sources as well. The integration part was seamless and easy. The rates for allocating valuable information and IOCs from different sources are also good. 

The incident response technique should be available out of the box. That isn't as available as we would expect. 

I have used Splunk for around two years.

Splunk is stable. We've had no breakdowns in the past few weeks.

We can scale Splunk quickly. 

I rate Splunk support seven out of 10. 

Neutral

Deploying Splunk was moderately difficult compared to Sentinel. Collecting logs, provisioning firewall servers, and indexing are all complex tasks. You need someone with expert knowledge to do the job. The process takes four to six weeks. You need to design the solution and onboard the data, then start collecting logs and doing the detection. 

I rate Splunk three out of 10 for affordability.

I rate Splunk Enterprise Security seven out of 10. Splunk needs to compete with other products like Microsoft, and right now, it looks like they're losing the race. They need to make drastic changes and accommodate more flexible options and integration solutions. 

There are lots of use cases such as finding threats, attack factors, and logs. It helps with rogue DNS or brute force attack detection. We have logs related to why a particular account was created. There is alerting. We can get some false positives, but by fine-tuning some of the things, we can reduce false positives.

Splunk is a security monitoring tool. It helps with incident handling, data logging, and observability of metrics. Splunk can handle all these things. Splunk Enterprise security is a premium app of Splunk through which we can have all the threat intelligence and incident reviews. It helps in finding all the attacks and Advanced Persistent Threats (APTs).

We also have dashboards. We can collect logs from different sources and applications. We can also troubleshoot issues. If we are having any issues with an application, we can go to that particular index to see what is the cause. If any application is failing or giving an error, we can troubleshoot the issue. We do not have to log into the server to find the error.

We monitor multiple cloud environments. We have GCP, Azure, and AWS. It is easy to monitor multiple cloud environments using the Splunk Enterprise Security dashboards. Splunk releases inbuilt apps, so by using those apps and add-ons, we can integrate it with our cloud environments. For example, for Azure, they have a Microsoft Cloud Services add-on. We need to register the app in Azure, and after registering the app, we have to use the tenant ID and set it up. There are a lot of inputs, and we can use all those inputs to onboard different logs from Azure. There is also the capability for HTTP event collection.

We have a hybrid environment, and that works best for us. For a lot of things, we cannot just go fully cloud. Hybrid is the best option for us. We are happy with the visibility that Splunk Enterprise Security provides. It is also about how we configure things. If we do not do it in the right way, we will not get visibility. We have to know what kind of tools we are using and what kind of data we are pulling. We cannot pull everything. We have to know what to pull. If we pull only what is required, we would not have any problems.

Splunk Enterprise Security comes with MITRE ATT&CK and Cyber Kill Chain frameworks by default. There are 12 processes in the MITRE ATT&CK framework. We just have to onboard logs, create the data models, and assign those ATPs to monitor all the kill chains. We can monitor all attack vectors and persistent threats that we want to monitor.

Splunk Enterprise Security is good for analyzing malicious activities and detecting breaches. I would rate it a 9 out of 10 for that. It can also go to 10 for different clients based on different requirements.

Along with Splunk Enterprise Security, we also install another Splunk app that has all the threat intelligence. We then feed the data through a CSV file and create the use cases. We set up alerts for those. In the case of an event, an alert is generated and assigned to a particular SOC analyst. There can be some false positives, but with proper configuration and filtering, they can be reduced.

Splunk Enterprise Security has been very beneficial and valuable for us. Our application teams can use the indexes to troubleshoot the issues they are facing at their location.

Being able to ingest data from all the tools and all the apps being used in the environment is valuable. Being able to create alerts when, for example, the CPU usage reaches 95% is also valuable. We can set up alerts and proactively fix the issues. Splunk helps with all these things, and Splunk Enterprise Security has almost 2,000 use cases. It follows MITRE ATT&CK and Cyber Kill Chain frameworks. There are certain notable events for which we can configure our security posture. We can onboard all the logs through indexes and create dashboards to view what is going on in the environment.

Overall, it is pretty good. They are improving it every day. They recently released SC4S for onboarding syslog data. However, the support and the pricing can be better.

It has been 8 years since I have been using Splunk. I am not a part of the core security team. I handle some parts of enterprise security, such as SIEM data models or the creation of some correlation searches and use cases. The majority of things, such as threat hunting or threat intelligence, are managed by our core security team.

We faced some issues, but we fixed them ourselves. We have around 10,000 knowledge objects running. All the knowledge objects should not be running all the time. They should be distributed over 24 hours so that the servers do not have any extra pressure at a particular time. We used to have an issue with our indexes going down. The CPU was being utilized 100%, and everything was getting stopped. We found the issue. We fixed that, and we are good now.

It is pretty easy to scale. For Splunk Cloud, we log a ticket with Splunk support, and they start the process. It does not take much time. However, there is a cost involved in that. 

We have been ingesting 40 TB a day. We have three locations: The USA, the UK, and France.

The SLA for Splunk Cloud support is not satisfactory for a customer. The turnaround time is a bit low. That should be fixed. I would rate their support a 9 out of 10.

Positive

I have not used any similar solution in my current organization.

In my previous organizations, I have used solutions such as Elk, IBM QRadar, and Microsoft Sentinel. Microsoft Sentinel is good. Splunk is better than QRadar. Splunk has a lot of capabilities. It makes it easier to do many things and do them correctly. It does not require as much effort as required in IBM QRadar and Microsoft Sentinel.

Splunk is a bit costly, but if we control our usage during our searches, its cost is okay. When not controlled, it becomes a bit costly.

To those evaluating Splunk and solutions, I would advise knowing the features they would be getting. Elk is open source, but there is an underlying cost of infrastructure. The cost almost becomes the same. You have to hire people who can work on Elk and then you have the underlying infrastructure cost.

We were on-premises, but we recently moved to Splunk Cloud. We have been using Victoria for the last eight months. When going from on-premises to Splunk Cloud, Splunk recommends engaging professional services. 

The migration was done by Splunk. For administration and maintenance, we have about eight people, but the number of users in the environment would be in the thousands.

The maintenance of Splunk Cloud is taken care of by Splunk. Customers do not manage the clusters. With the on-prem setup, we have to patch the servers, upgrade the servers, or restart them from time to time so that the rebalancing of the buckets happens properly. In Splunk Cloud, we do not have to do these things. We only take care of the data normalization part. All other things are managed by Splunk.

It does provide a return on investment.

It is a bit costly.

Be clear about what you want and try to filter out as much as possible. Create role-based rules and assign them to users rather than assigning every role capability to all the users. Also, everyone should not have access to all indexes. Only certain people should have access. For example, if someone is from the AD team, he or she should have access to the particular index logging the AD logs. They should not have access to all of it. There should also be some kind of training before you give access to people so that they know which searches to use and which ones not to use. They should understand the impact of various things.

I would rate Splunk Enterprise Security a 9 out of 10 based on my experience and the work that I do with the core security team. They are pretty satisfied with it.

The solution is used in my company to help the security operation center in work areas like detection, response, and investigation while maintaining cybersecurity standards.

My company has benefited from using Splunk Enterprise Security, which has helped us stay out of the headlines in newspapers. The tool helps detect threats early and respond to them effectively.

The solution's most valuable feature is that it helps with our use cases to detect anomalies in our data and it is important to my company since we have a lot of data on different logs on the systems. We need to be able to create insights that are indicative of malicious activities, which is one of the main purposes of having Splunk Enterprise Security in our company.

The product lacks cross-cutting capabilities. The features in Splunk Enterprise Security that were initially promised to our company are still not available. My company has been asking Splunk for some of these features to be provided in the product for years, and we have been promised that they will be introduced soon in the solution and be part of the product's next release.

I believe that the contract and the terms and conditions mentioned in it are areas where improvements are required.

I have experience with Splunk Enterprise Security.

When it comes to the on-premises version, the stability of the product was quite reliable. When my company moved to the product's cloud version, we faced some major issues related to availability and dealing with events like data corruption.

The product's scalability is okay. I do not think my company faced issues in the area of scalability.

The product's support services were not great initially, but now they are in really good shape. Whenever my company connects with the product's support team, they listen to our questions and queries, so I feel that we are in a much better place now. I rate the technical support as eight out of ten.

Positive

My company has experience with ArcSight. We switched to Splunk Enterprise Security because we couldn't get good answers to our questions from ArcSight, and it was just not functional.

The solution is deployed using the cloud services offered by Splunk. Recently, my company also deployed the tool on an on-premises model. In our company, we monitor both, cloud and on-premises, with our cloud instance.

In the beginning phase, I would describe the deployment experience as a costly and hard process. The migration process from on-premises to cloud was hard and took our company a year to complete. There were different kinds of roadblocks on our company's and Splunk's end. My company worked directly with the migration process associated with the product.

It is difficult to say whether I have seen an ROI since it is like trying to figure out how much an insurance policy works. I think that our company will receive a return on investment from the use of the solution since it helps the organization's cybersecurity team stay out of the newspapers. My company has always been able to deal with threats quickly with the product.

Regarding the product's pricing, I think it has always been difficult to have a conversation with Splunk. Considering the contract thing and the whole legal area, it takes forever to get the contracts signed and to be able to agree to the terms and conditions for my company as well as for Splunk's team. I like the direction Splunk stays in by thinking with the customers about how to reduce costs and only have that data searchable or available, which you need at a particular time. I like the path Splunk is going on, specifically its current trajectory. I appreciate the efforts put in by Splunk in the area partnership, which is what my company expects.

My company uses Microsoft Sentinel. A multi-SIEM environment provides my company with the best of both worlds. Sentinel has some good features, like Microsoft Graph Security, that the tool uses for the whole Microsoft ecosystem. Microsoft Sentinel is a good option for my organization.

In my company, Splunk acts as a product that complements Sentinel because the former lacks some features. I think Microsoft is strong in the area of service delivery. Microsoft's EDR tools, like Microsoft Defender, use Servers from Microsoft Graph Security, and my company benefits from such a type of integration, and we are able to send alerts to Splunk. In our company, if we start to ingest all the data we usually ingest in Splunk by moving to Sentinel, it will become too expensive, so we have to choose where to keep our data.

My company has been able to reduce the mean time to resolve with Splunk Enterprise Security as it went down from a couple of days to hours.

My company has seen a significant reduction in alert volume. It was very noisy earlier, but lately, my company hardly sees any false positives.

It is super important that the solution provides end-to-end visibility of our company's environment because you can never know from where threats can materialize. The fact that users can correlate and ingest data makes sense and is crucial, considering the massive amounts of data.

Splunk Enterprise Security has helped improve our company's ability to ingest and normalize data, which is one of the tool's key benefits.

I would not say that Splunk Enterprise Security has helped solve problems in real-time scenarios, but it has helped solve problems on a near real-time basis. In my company, there is always some lag between the data that comes in and the ones being ingested and correlated. Splunk Enterprise Security aids in solving problems in a matter of minutes.

Splunk Enterprise Security provides relevant context to help guide our company's investigations, and it is very important and can be considered everything for our organization. In our company, we pull in data from assets and registries to give index-based alerts and be able to find owners quickly to notify them and respond to threats.

Splunk Enterprise Security's ability to help our company find any security events across environments is excellent. My company is really happy with Splunk Enterprise Security. The product helps our company find bad stuff when needed.

The truth is that it is very hard to deliver solutions that work at a certain scale. I think that one of the things I could say is that it is a solution that scales up at work. There are many organizations where solutions fail, and I can say that since I have been a part of the deployment of many other tools, it is hard to get many products to work. Splunk Enterprise Security works, and our company's analysts rely on it and trust it. I can only see improvements considering the strategies in terms of where the product's management team is going, and I believe that I will be able to rate the tool a nine out of ten pretty soon.

I rate the overall solution an eight out of ten.

We use Splunk Enterprise Security for threat detection on our network devices.

Splunk Enterprise Security excels at threat detection. We've developed multiple correlation searches leveraging security data. These searches identify threats and categorize them by urgency level, enabling our security analysts to prioritize and take swift action.

Splunk Enterprise Security has helped us improve our incident response time. We achieve this by ensuring our queries are completed in near real-time.

Access management focuses on storing and managing access controls, while identity management deals with user identities. For example, if we want to find IP addresses associated with CrowdStrike, we can use access management to look up their IP ranges. Then, we can check if any IPs match by adding them to a specific identity management lookup. Finally, by leveraging the combined identity and access management features of Splunk Enterprise Security, we can create correlations between these entities.

The security dashboard can be customized to display the information we need most quickly. It typically has seven to eight panels, each dedicated to reflecting specific data. While some initial data load time might be present, clicking on a specific panel will display its information as soon as possible. There can be delays in traditional dashboards when searching for specific data. To optimize this, we can create "base searches" within each panel. These predefined searches cover commonly used queries and fields. Alternatively, we can create a "summary index" that holds a longer span of pre-processed data. This summary index allows even large datasets to be displayed quickly when accessed through the dashboard.

Splunk enhances our team collaboration regarding security incidents. When a threat alert is received, we can click on it and choose "investigation in progress" from a dropdown menu. This selection redirects us to a dedicated investigation page for further details. For in-depth analysis, we can drill down into the logs to pinpoint the source of the issue. Additionally, the platform allows us to contact network devices to determine the root cause. Once the issue is resolved, we can close the investigation.

We monitor both AWS and GCP environments using Splunk Enterprise Security. 

Splunk provides threat intelligence capabilities that can be valuable. This, combined with the comprehensive set of dashboards available, allows us to effectively monitor for threats. We can also create custom apps within Splunk for threat detection. These apps can include custom dashboards or reports that display specific information. For example, we could create a dashboard that shows the number of users accessing unknown URLs or another that monitors a particular device for suspicious activity. An example of suspicious activity might be a device where the print command is being executed repeatedly but failing each time. This could indicate a malfunction or, potentially, a malicious attempt to exploit the system. Similarly, a sudden spike in activity, such as millions of clicks on a specific device within a short timeframe, could also be a sign of a threat. By monitoring these parameters within Splunk's threat detection features, we can identify and investigate potential security incidents.

Splunk provides valuable visibility across multiple environments. Whether we have an on-premises or cloud architecture, Splunk offers self-monitoring capabilities. Additionally, depending on our environment, we can leverage existing monitoring tools. For on-premises deployments, we can utilize the Martin Console alongside Splunk for comprehensive monitoring. Cloud environments often come with built-in monitoring handled by the cloud provider's support team. In such cases, Splunk can focus on applications and custom log data for deeper insights.

The threat topology provided by Splunk gives us a comprehensive overview of potential threats. By analyzing queries or notable events, we can identify and neutralize these threats.

Splunk does a good job of analyzing malicious activities.

Splunk has improved our organization's decision-making by centralizing all the information in our environment and allowing us to access multiple dashboards and reports in one place.

Splunk has helped us reduce our alert volume. By using Splunk, we can identify the root causes of failures, which in turn leads to a decrease in alerts.

Splunk accelerates our security investigations by enabling us to resolve issues and document them in Standard Operating Procedures or knowledge-base articles. This facilitates a swifter response to similar incidents in the future.

Splunk Enterprise Security's dashboards are a key asset. They offer comprehensive visibility across our entire environment, allowing us to diagnose and address security issues directly from the interface.

I would like Splunk to offer a quicker and easier way to run queries.

Splunk could improve its cost-efficiency for our organization by offering pre-built architectures tailored to specific environments. This would provide a clearer picture of required licenses and their implementation, ultimately reducing licensing costs.

The presence of multiple layers creates a significant challenge for monitoring across cloud environments.

I am currently using Splunk Enterprise Security.

Splunk Enterprise Security is a very stable product, but there are occasional bugs that can appear.

We can scale Splunk Enterprise Security up or down depending on our demands.

The Splunk support team is helpful. For complex issues or on-demand requests, we raise cases with them. On-demand requests requiring impactful solutions are paid. However, for UK-based users, standard support is free and usually resolves issues efficiently. In some cases, the support team rushes to provide a solution without even looking at the issue.

Positive

The initial deployment can be complex. It involves creating multi-site clusters for each location and configuring a cluster master for each. This is because the cluster master will replicate data across multiple sites, making the environment more complex.

Four people were required for the deployment.

I would rate Splunk Enterprise Security 6 out of 10 because of the complexities that occur at times.

I highly recommend Splunk Enterprise Security for organizations seeking comprehensive security monitoring. Splunk offers a centralized platform to collect and analyze vast amounts of security data. This empowers us to gain full visibility across our entire IT environment, including applications, user activity, and potential security threats. Splunk provides insightful dashboards, reports, and real-time alerts to help proactively identify and address security issues.

While cost is a consideration, prioritizing features over functionalities for SIEM solutions can be risky. It's best to identify your business needs first and then choose an SIEM that offers the most relevant benefits to address those needs.

Splunk Enterprise Security is deployed across multiple locations and departments within our organization.

Splunk Enterprise Security required maintenance.